Abstract
Secure software begins with safe memory management, since over 65% of software vulnerabilities in modern code bases are the result of memory safety problems. Effective memory management is crucial to preventing vulnerabilities and ensuring robustness. Rust is a promising memory safe language, rapidly gaining traction as a replacement for C and C++ in systems software.
Despite Rust’s strengths, complete safety cannot be guaranteed, primarily due to the incorporation of unsafe Rust, which allows code to bypass the strict compile-time checks. Recent research efforts have focused on statically identifying memory and thread safety bugs in Rust code. This work examines the scope and practicality of five analysis tools: three static analysis tools and two fuzzers. We analyzed the vulnerabilities reported by each static analysis tool. Using this information, we attempted to identify paths to the reported vulnerabilities to determine whether we could generate exploits, confirming the presence of actual security-critical bugs. We present the challenges of finding exploits, recommend a system for prioritizing vulnerabilities, and propose a systematic tool for exploit generation using a fuzzer and a fuzzer assistant.
Rust’s novel approach to memory safety presents challenges. A 2023 Stack Overflow survey indicates that Rust’s complexity and steep learning curve are significant barriers to adoption. The Rust programming paradigm is focused on the principles of ownership and borrowing. These concepts effectively achieve memory and thread safety but are enforced at compile time, enabling runtime performance comparable to C but posing significant implementation challenges for programmers.
To reduce the barriers to Rust adoption, this work presents RustLIVE, an innovative visualization tool that clarifies Rust’s most difficult concepts: ownership and borrowing. RustLIVE is an extension for VSCode, the IDE of choice for over 60% of Rust developers. Seamlessly integrated with the Rust compiler and its borrow checker, RustLIVE requires no code annotations. Instead, it extracts the necessary information directly from the compiler to provide color-coded visual timelines that illustrate the ownership of memory resources and the liveness of borrows. This intuitive visualization is particularly valuable for understanding non-lexical lifetimes, which lack visual cues in the source code. RustLIVE is an independent learning tool that represents a step toward flattening Rust’s learning curve and reducing barriers to adoption of Rust.
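The following Rust snippet is an added illustration, not code from the dissertation or from RustLIVE, of the two things the abstract says the tool's timelines depict: the point at which ownership of a resource moves, and the point at which a borrow's liveness ends under non-lexical lifetimes, which is the last use of the borrow rather than the closing brace of its scope. The function names and the sample vectors are constructed for the example.

```rust
// Added example (not part of the dissertation): ownership moves and borrow
// liveness as the borrow checker sees them, with no annotations in the source.

/// Takes ownership of `v` and returns its length. After the call the caller's
/// binding is moved-from and can no longer be used.
pub fn consume(v: Vec<u32>) -> usize {
    v.len()
}

/// Ownership timeline: `a` owns the vector, ownership moves to `b`, and then
/// moves again into `consume`. Each move ends the previous binding's lifetime.
pub fn ownership_moves() -> usize {
    let a = vec![7, 8, 9];
    let b = a; // move: `a` is no longer usable from here on
    // println!("{:?}", a); // would not compile: use of moved value `a`
    consume(b) // move into the callee: `b` is no longer usable after this line
}

/// Non-lexical lifetimes: the shared borrow held by `first` is live only
/// until its last use, so `data` may be mutated afterwards even though the
/// variable `first` is still in lexical scope. There is no brace or keyword
/// in the source marking where the borrow ends.
pub fn nll_borrow_ends_at_last_use() -> Vec<u32> {
    let mut data = vec![1, 2, 3];
    let first = &data[0]; // shared borrow of `data` begins
    let copied = *first; // last use of `first`: the borrow's liveness ends here
    data.push(copied + 10); // OK under NLL: no live shared borrow remains
    // let again = *first; // would not compile: `first` would have to stay live
    //                     // across the mutable borrow taken by `push`
    data
}

/// Same pattern with a mutable borrow: `slot` keeps `data` exclusively
/// borrowed until its last use, after which a new shared borrow is allowed.
pub fn nll_mutable_then_shared() -> (u32, usize) {
    let mut data = vec![4, 5, 6];
    let slot = &mut data[1]; // exclusive borrow begins
    *slot += 100; // last use of `slot`: exclusive borrow ends
    let len = data.len(); // OK: shared access after the exclusive borrow ended
    (data[1], len)
}

fn main() {
    println!("ownership_moves -> {}", ownership_moves());
    println!("nll_borrow_ends_at_last_use -> {:?}", nll_borrow_ends_at_last_use());
    println!("nll_mutable_then_shared -> {:?}", nll_mutable_then_shared());
}
```

Uncommenting either of the marked lines reproduces the compile-time errors the borrow checker raises; the commented-out lines are exactly the situations where a timeline of borrow liveness, rather than the lexical scope visible in the source, explains why the program is rejected.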
In summary, this dissertation presents two works that promote writing memory safe code in Rust: an analysis of Rust vulnerability detection tools to advance methods for generating exploits, and a novel visualization tool to depict Rust memory safety concepts.