Is rust used safely by software developers?

Evans, Ana Nora; Campbell, Bradford; Soffa, Mary Lou

doi:10.1145/3377811.3380413

Cited by 45 publications

(21 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the meantime, more than 10,000 crates have been added to the repository and, in particular, the percentage of unsafe crates dropped from 29% to 23.6%. This finding differs from Evans et al [2020], who observed that the amount of unsafe code in the most downloaded crates slightly increased over 10 months. One possible explanation for these observations is that the most downloaded crates provide the necessary extensions to the language or standard library (for example, an efficient random number generator) that cannot be implemented in safe code and, therefore, the amount of unsafe in the most popular crates does not change while a significant portion of the newly added crates are application code that does not need to use unsafe.…”

Section: Rq 1 (Frequency)contrasting

confidence: 99%

“…Our methodology distinguishes these codebases, concluding that some developers (those of A) aim to apply commonly advocated guidelines, and some do not (those of B). In contrast, the approach of Evans et al [2020] cannot distinguish them: both codebases are possibly unsafe. Furthermore, our study provides an in-depth analysis of the reasons why programmers employ unsafe code, which was not an apparent primary focus of Evans et al [2020] (where this question was explored via a survey rather than by analysing a codebase).…”

Section: Related Workmentioning

confidence: 99%

“…Closest to our work is a recent study by Evans et al [2020] that performs a quantitative evaluation of unsafe Rust. Since their dataset relies on a 16 months older snapshot of the same repository (crates.io), we can observe a few developments over time: in particular, the percentage of crates containing any unsafe code (a measurement made in both studies) has dropped from 29% to 23.6% (noting though that these comparisons relate figures which were computed by different experimental methods).…”

Section: Related Workmentioning

confidence: 99%

“…Apart from such basic statistics, the two studies are complementary as they take fundamentally opposite perspectives on the usage of unsafe code: we study (intended) compliance with the Rust hypothesis, i.e., commonly advocated best practices for writing unsafe code; in particular, our work takes into account whether programmers aim to shield their unsafe code behind safe abstractions. By contrast, Evans et al [2020] measure how the unsafe keyword permeates call chains and, thus, how many functions transitively depend on unsafe code; they consider all of these functions as tainted, or, in their terminology, łpossibly unsafež. This notion ignores whether a function (1) depends on unsafe code through a safe abstraction that takes responsibility (by declaring exposed functions as safe) for Rust's guarantees, or (2) is explicitly exposed to unsafe code (by declaring all functions in the call chain as unsafe).…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

How do programmers use unsafe rust?

Astrauskas

Matheja

Poli

et al. 2020

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Rust's ownership type system enforces a strict discipline on how memory locations are accessed and shared. This discipline allows the compiler to statically prevent memory errors, data races, inadvertent side effects through aliasing, and other errors that frequently occur in conventional imperative programs. However, the restrictions imposed by Rust's type system make it difficult or impossible to implement certain designs, such as data structures that require aliasing (e.g. doubly-linked lists and shared caches). To work around this limitation, Rust allows code blocks to be declared as unsafe and thereby exempted from certain restrictions of the type system, for instance, to manipulate C-style raw pointers. Ensuring the safety of unsafe code is the responsibility of the programmer. However, an important assumption of the Rust language, which we dub the Rust hypothesis, is that programmers use Rust by following three main principles: use unsafe code sparingly, make it easy to review, and hide it behind a safe abstraction such that client code can be written in safe Rust.Understanding how Rust programmers use unsafe code and, in particular, whether the Rust hypothesis holds is essential for Rust developers and testers, language and library designers, as well as tool developers. This paper studies empirically how unsafe code is used in practice by analysing a large corpus of Rust projects to assess the validity of the Rust hypothesis and to classify the purpose of unsafe code. We identify queries that can be answered by automatically inspecting the program's source code, its intermediate representation MIR, as well as type information provided by the Rust compiler; we complement the results by manual code inspection. Our study supports the Rust hypothesis partially: While most unsafe code is simple and well-encapsulated, unsafe features are used extensively, especially for interoperability with other languages. CCS Concepts: • Software and its engineering → Software libraries and repositories; General programming languages; Software organization and properties; • General and reference → Empirical studies.

show abstract

Section: Rq 1 (Frequency)contrasting

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

How do programmers use unsafe rust?

Astrauskas

Matheja

Poli

et al. 2020

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…The library augments the type safety of the original C++ type system by introducing additional static constraints powered by new types and a new static analyzer. The Rust programming language infuses memory safety into its type system and makes sure that code with memory bugs does not compile [57]- [59]. In Java, the plugable type system [60] denoted through Java annotations allows software developers to statically enforce additional security properties in the code.…”

Section: B Language and Api Hardeningmentioning

confidence: 99%

If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening

Wang

Bangert

Kern

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

With tons of efforts spent on its mitigation, Crosssite scripting (XSS) remains one of the most prevalent security threats on the internet. Decades of exploitation and remediation demonstrated that code inspection and testing alone does not eliminate XSS vulnerabilities in complex web applications with a high degree of confidence.This paper introduces Google's secure-by-design engineering paradigm that effectively prevents DOM-based XSS vulnerabilities in large-scale web development. Our approach, named API hardening, enforces a series of company-wide secure coding practices. We provide a set of secure APIs to replace native DOM APIs that are prone to XSS vulnerabilities. Through a combination of type contracts and appropriate validation and escaping, the secure APIs ensure that applications based thereon are free of XSS vulnerabilities. We deploy a simple yet capable compile-time checker to guarantee that developers exclusively use our hardened APIs to interact with the DOM. We make various of efforts to scale this approach to tens of thousands of engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the secure coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrences of XSS vulnerabilities in Google's enormous code base over the course of two-year deployment.

show abstract

SafeNet: Towards mitigating replaceable unsafe Rust code via a recommendation‐based approach

Dong,

Zhang,

Cui

et al. 2024

Software Testing Verif & Rel

View full text Add to dashboard Cite

Rust is a system‐level programming language with advantages in memory safety. It ensures that any Rust programs without unsafe code should not incur undefined behaviours. However, unsafe code still plays an essential role in Rust to achieve low‐level control. Therefore, a major design pattern of Rust programs is interior unsafe, which wraps unsafe code as safe APIs and handles all undefined behaviours internally. Rust standard library already provides a rich set of safe APIs to facilitate Rust code development. Nevertheless, due to unfamiliarity with these APIs, developers may misuse unnecessary unsafe code and suffer memory‐safety risks. In this paper, we investigate an approach to mitigate replaceable unsafe code. We first analyse unsafe APIs of the Rust standard library and summarize their common usage patterns. Each pattern corresponds to one or several code samples in our knowledge base. Then, we develop an approach to automatically recognize the usage pattern and recommend corresponding code samples. Our approach leverages dataflow analysis to exclude impossible patterns and employs a BERT‐based machine learning model to find the most similar pattern among the rest. We have conducted evaluation experiments with 472 unsafe code snippets collected from GitHub projects and successfully recognized the pattern of 394 snippets. We hope our approach can assist developers in detecting unnecessary unsafe code and suggesting safe alternatives.

show abstract

Is rust used safely by software developers?

Cited by 45 publications

References 30 publications

How do programmers use unsafe rust?

How do programmers use unsafe rust?

If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening

SafeNet: Towards mitigating replaceable unsafe Rust code via a recommendation‐based approach

Contact Info

Product

Resources

About