Exploring the Use of Static Data Flow Analysis for Automatic Vulnerability Audits of Rust Code

Software systems are ubiquitous in our society and in everyday life. However, bugs make them insecure and vulnerable to attacks. Rust is a novel programming language that uses static code analysis to prevent memory corruption bugs and thread-safety bugs at compile time. This can reduce certain vulnerabilities, but Rust programs are still insecure when they use vulnerable external dependencies. The tool cargo-audit scans Rust projects for external dependencies with known vulnerabilities, using the RustSec Database (a Rust-specific vulnerability database) as its backend. However, cargo-audit does not verify whether these vulnerabilities are actually triggered in the code, so manual work is still necessary to determine whether the code is in fact vulnerable. Other tools such as MirChecker, Rudra or CRUST perform automated vulnerability audits at the source code level, but they focus on specific types of bugs and cannot be used to detect all vulnerabilities reported in the RustSec Database. This thesis introduces a hybrid code analysis tool that queries the RustSec Database to identify vulnerabilities in external dependencies at the project level and then verifies whether these vulnerable libraries are used in vulnerable ways. The tool checks whether vulnerable functions are actually called and, where applicable, whether parameters actually lie in the vulnerable range of values. This code analysis tool leverages an algorithm for conditional data-flow analysis that was developed as part of the thesis. The thesis furthermore shows that extending the RustSec Database to include ranges of vulnerable parameter values for applicable vulnerabilities increases the precision of detecting these vulnerabilities. The development of the tool is grounded in a set of requirements that were derived from comparing several program representations for Rust code regarding their applicability to data-flow analysis, and from studying real-world vulnerabilities with a high reach in the Rust ecosystem. These vulnerabilities were selected based on their frequency in a data set that was produced in the context of this thesis using a structured dependency analysis of all 817.417 package versions published in the Rust Package Registry. The feasibility of the hybrid approach is demonstrated in the evaluation, which shows that the developed tool works as designed and can be used to find real vulnerabilities in real-world applications in a reasonable time frame. Still, exotic code patterns were identified that result in long analysis times and require future work. Furthermore, many characteristics of the Rust language are currently not supported by the tool, as was identified by a microbenchmark developed in this thesis to test support for analyzing the Rust language.
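The abstract describes the core check of the hybrid approach: given an advisory for a dependency, decide whether the flagged function is reached at all and, where the advisory carries a parameter condition, whether the argument can take a value in the vulnerable range. The following Rust program is an added illustration of that conditional data-flow idea and is not the thesis' tool or its algorithm. It works on a constructed straight-line toy IR (`Assign`, a phi-like `Merge`, and `Call`), tracks the finite set of constants each variable may hold (or Top when unknown), and classifies every matching call site; the advisory, the crate name `vuln_crate::decode` and the range are constructed sample values, not entries from the RustSec Database.

```rust
use std::collections::HashMap;

/// Abstract value tracked by the analysis: either the finite set of
/// constants a variable may hold, or Top when nothing is known.
#[derive(Clone, Debug, PartialEq)]
pub enum Abs {
    Consts(Vec<i64>),
    Top,
}

/// Operand of the constructed toy IR.
#[derive(Clone, Debug)]
pub enum Operand {
    Const(i64),
    Var(&'static str),
}

/// Instructions of the toy IR. `Merge` stands for a phi node: `dst` may
/// hold either operand, depending on a branch the analysis does not model.
#[derive(Clone, Debug)]
pub enum Inst {
    Assign { dst: &'static str, src: Operand },
    Merge { dst: &'static str, a: Operand, b: Operand },
    Call { callee: &'static str, arg: Option<Operand> },
}

/// Hypothetical advisory entry: the vulnerable function and, where the
/// advisory is conditional, the inclusive argument range that triggers the bug.
#[derive(Clone, Debug)]
pub struct Advisory {
    pub function: &'static str,
    pub vulnerable_range: Option<(i64, i64)>,
}

/// Outcome of checking a program against one advisory.
#[derive(Clone, Debug, PartialEq)]
pub enum Finding {
    NotCalled,           // flagged function never reached
    SafeUse,             // every possible argument value lies outside the range
    Unknown,             // argument not statically known; needs manual review
    Called,              // function reached, advisory has no parameter condition
    Vulnerable(Vec<i64>), // concrete argument values inside the vulnerable range
}

fn severity(f: &Finding) -> u8 {
    match f {
        Finding::NotCalled => 0,
        Finding::SafeUse => 1,
        Finding::Unknown => 2,
        Finding::Called => 3,
        Finding::Vulnerable(_) => 4,
    }
}

/// Keep the more severe of two findings (a program may contain several call sites).
fn worst(a: Finding, b: Finding) -> Finding {
    if severity(&b) > severity(&a) { b } else { a }
}

fn eval(op: &Operand, env: &HashMap<&'static str, Abs>) -> Abs {
    match op {
        Operand::Const(c) => Abs::Consts(vec![*c]),
        // A variable that was never assigned is user/external input: Top.
        Operand::Var(v) => env.get(v).cloned().unwrap_or(Abs::Top),
    }
}

/// Join at a merge point: union of constant sets, Top if either side is Top.
fn join(a: Abs, b: Abs) -> Abs {
    match (a, b) {
        (Abs::Consts(mut x), Abs::Consts(y)) => {
            for v in y {
                if !x.contains(&v) {
                    x.push(v);
                }
            }
            Abs::Consts(x)
        }
        _ => Abs::Top,
    }
}

/// Run the conditional check: is the advisory's function called, and if the
/// advisory carries a range, can the argument fall inside it?
pub fn check(program: &[Inst], adv: &Advisory) -> Finding {
    let mut env: HashMap<&'static str, Abs> = HashMap::new();
    let mut result = Finding::NotCalled;
    for inst in program {
        match inst {
            Inst::Assign { dst, src } => {
                let v = eval(src, &env);
                env.insert(*dst, v);
            }
            Inst::Merge { dst, a, b } => {
                let v = join(eval(a, &env), eval(b, &env));
                env.insert(*dst, v);
            }
            Inst::Call { callee, arg } if *callee == adv.function => {
                let f = match (adv.vulnerable_range, arg.as_ref()) {
                    (None, _) => Finding::Called,
                    (Some(_), None) => Finding::Unknown,
                    (Some((lo, hi)), Some(op)) => match eval(op, &env) {
                        Abs::Top => Finding::Unknown,
                        Abs::Consts(vals) => {
                            let hits: Vec<i64> =
                                vals.iter().copied().filter(|v| (lo..=hi).contains(v)).collect();
                            if hits.is_empty() { Finding::SafeUse } else { Finding::Vulnerable(hits) }
                        }
                    },
                };
                result = worst(result, f);
            }
            Inst::Call { .. } => {}
        }
    }
    result
}

fn main() {
    // Constructed sample: the decoder is assumed vulnerable for lengths >= 4096.
    let adv = Advisory { function: "vuln_crate::decode", vulnerable_range: Some((4096, i64::MAX)) };
    let prog = vec![
        Inst::Assign { dst: "n", src: Operand::Const(16) },
        Inst::Merge { dst: "len", a: Operand::Var("n"), b: Operand::Const(8192) },
        Inst::Call { callee: "vuln_crate::decode", arg: Some(Operand::Var("len")) },
    ];
    println!("{:?}", check(&prog, &adv)); // Vulnerable([8192])
}
```

The `Unknown` outcome is the important edge case: when the argument depends on input the analysis cannot see, a sound tool must report the call for manual review rather than silently mark it safe, which is exactly the gap the abstract describes for project-level scanners.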


Metadata
Author: Ingo Budde
URN: urn:nbn:de:hbz:386-kluedo-83219
Advisor: Peter Liggesmeyer, Eric Bodden
Document Type: Master's Thesis
Language of publication: English
Date of Publication (online): 2024/07/10
Year of first Publication: 2024
Publishing Institution: Rheinland-Pfälzische Technische Universität Kaiserslautern-Landau
Granting Institution: Rheinland-Pfälzische Technische Universität Kaiserslautern-Landau
Date of the Publication (Server): 2024/07/15
Tag: Automatic Vulnerability Audit; Cargo Audit; Conditional Data Flow; Data Flow Analysis; Exploitability; Rust; Static Analysis
GND Keyword: Statische Analyse
Page Number: VI, 106
Faculties / Organisational entities: Distance and Independent Studies Center (DISC)
CCS-Classification (computer science): D. Software / D.2 SOFTWARE ENGINEERING (K.6.3) / D.2.4 Software/Program Verification (F.3.1) (REVISED) / Validation
DDC-Classification: 0 General works, computer science, information science / 004 Computer science
MSC-Classification (mathematics): 68-XX COMPUTER SCIENCE (For papers involving machine computations and programs in a specific mathematical area, see Section -04 in that area) / 68-00 General reference works (handbooks, dictionaries, bibliographies, etc.) / 68Qxx Theory of computing / 68Q60 Specification and verification (program logics, model checking, etc.) [See also 03B70]
PACS-Classification (physics): 80.00.00 INTERDISCIPLINARY PHYSICS AND RELATED AREAS OF SCIENCE AND TECHNOLOGY / 89.00.00 Other areas of applied and interdisciplinary physics / 89.20.-a Interdisciplinary applications of physics / 89.20.Ff Computer science and technology
Collections: Outstanding master's theses at DISC
Licence: Creative Commons 4.0 - Attribution, Non-Commercial, No Derivatives (CC BY-NC-ND 4.0)