Ingo Budde

• Software systems are ubiquitous in our society and in everyday life. However, bugs make them insecure and vulnerable to attacks. Rust is a novel programming language that uses static code analysis to prevent memory corruption bugs and thread-safety bugs at compile time. This can reduce certain vulnerabilities, but Rust programs are still insecure when using vulnerable external dependencies. The tool cargo-audit scans Rust projects for external dependencies with known vulnerabilities using the RustSec Database as backend (a Rust-specific vulnerability database). However, cargo-audit does not verify if these vulnerabilities are triggered in the code. Therefore, manual work is still necessary to verify if the code is actually vulnerable. Other tools like MirChecker, Rudra or CRUST perform automated vulnerability audits at the source code level but focus on specific types of bugs and cannot be used to detect all vulnerabilities reported in the RustSec Database. This thesis introduces a hybrid code analysis tool that queries the RustSec Database to identify vulnerabilities in external dependencies on the project level and then verifies if these vulnerable libraries are used in vulnerable ways. The tool checks if vulnerable functions are actually called and, where applicable, if parameters are actually in the vulnerable range of values. This code analysis tool leverages an algorithm for conditional data-flow analysis, which was developed as part of the thesis. The thesis furthermore shows that extending the RustSec Database to include ranges of vulnerable parameter values for applicable vulnerabilities increases the precision of detecting these vulnerabilities. The development of the tool is grounded in a set of requirements that were derived from comparing several program representations for Rust code regarding their applicability for data-flow analysis and from studying real-world vulnerabilities with a high reach in the Rust ecosystem. These vulnerabilities were selected based on their frequency in a data set that was produced in the context of this thesis using a structured dependency Analysis on all 817.417 package versions published in the Rust Package Registry. The feasibility of the hybrid approach is demonstrated in the evaluation, which Shows that the developed tool works as designed and can be used to find real vulnerabilities in real-world applications in a reasonable time frame. Still, exotic code patterns were identified that result in long analysis times and require future work. Furthermore, many characteristics of the Rust language are currently not supported by the tool, as has been identified by a microbenchmark developed in this thesis to test support for analyzing the Rust language.