  • Stars: 1,314
  • Rank 35,801 (Top 0.8 %)
  • Language: Rust
  • License: Apache License 2.0
  • Created about 4 years ago
  • Updated 8 months ago


Repository Details

Rust Memory Safety & Undefined Behavior Detection

Rudra

Rudra is a static analyzer to detect common undefined behaviors in Rust programs. It is capable of analyzing single Rust packages as well as all the packages on crates.io.

Rudra and its associated paper received the Distinguished Artifact Award at the 28th ACM Symposium on Operating Systems Principles 2021 (SOSP '21). (PDF, short talk, long talk)

You can find the list of bugs found by Rudra at Rudra-PoC repository.

Usage

The easiest way to use Rudra is to use Docker.

  1. First, make sure your system has Docker and Python 3 installed.
  2. Add the rudra:latest image to your system. There are two ways of doing this:
    • docker pull ghcr.io/sslab-gatech/rudra:master && docker tag ghcr.io/sslab-gatech/rudra:master rudra:latest
    • Alternatively, you can build your own image with docker build . -t rudra:latest
  3. Run ./setup_rudra_runner_home.py <directory> and set RUDRA_RUNNER_HOME to that directory. Example: ./setup_rudra_runner_home.py ~/rudra-home && export RUDRA_RUNNER_HOME=$HOME/rudra-home.
    • There are two scripts, ./setup_rudra_runner_home.py and ./setup_rudra_runner_home_fixed.py. In general, ./setup_rudra_runner_home.py should be used unless you want to reproduce the results of the paper with a fixed cargo index.
  4. Add the docker-helper directory in the Rudra repository to $PATH. Now you are ready to test Rudra!

For development, you might want to install Rudra on your host system. See DEV.md for advanced usage and development guide.

Run Rudra on a single project

docker-cargo-rudra <directory>

The log and report are printed to stderr by default.

Run Rudra as GitHub Action

Rudra can be run as a GitHub Action, allowing the static analyzer to be used in an Action workflow.

# Run Rudra
- name: Rudra
  uses: sslab-gatech/Rudra@master

Run Rudra with different compiler version

Rudra is tied to a specific Rust compiler version, and it can only analyze projects that compile with this version of the compiler. The master branch currently uses the nightly-2021-08-20 version of Rust. Check the version page for all supported versions.

Known Issues

  • Rudra does not support workspaces (#11). You can install Rudra on your host system (see DEV.md) and run analysis in the subdirectories to sidestep the problem for now.
  • Rudra does not support edition 2021 yet (#19).
  • Rudra does not support suppressing warnings in specific locations. This could cause a usability issue when used in CI/CD due to false positives.

Bug Types Detected by Rudra

Rudra currently detects the following bug types. For full details, please check our SOSP 2021 paper.

Panic Safety (Unsafe code that can create memory-safety issues when panicked)

Detects when unsafe code may lead to memory safety issues if a user-provided closure or trait method panics. For example, consider a function that reads a value out through ptr::read, duplicating its ownership, and then calls a user-provided function f. If f panics, the unwinding drops the value while the original copy is still owned by the container, leading to a double free.

See this section of the Rustonomicon for more details.

while idx < len {
    let ch = unsafe { self.get_unchecked(idx..len).chars().next().unwrap() };
    let ch_len = ch.len_utf8();

    // Call to user provided predicate function f that can panic.
    if !f(ch) {
        del_bytes += ch_len;
    } else if del_bytes > 0 {
        unsafe {
            ptr::copy(
                self.vec.as_ptr().add(idx),
                self.vec.as_mut_ptr().add(idx - del_bytes),
                ch_len,
            );
        }
    }

    // Point idx to the next char
    idx += ch_len;
}

Example: rust#78498
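As an added example (not Rudra's or std's code), here is a retain() over Vec<T> with the same "move slots with raw pointers while calling a user closure" shape as the String::retain excerpt above, made panic-safe with a drop guard; the guard runs during unwinding and repairs the length, which is the class of fix the panic-safety checker is looking for. The BackshiftOnDrop name and the demo_panic_midway scenario are assumptions of this example.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;
/// Added example (not Rudra's or std's code): retain() over Vec<T> in the same
/// "move slots with raw pointers while calling a user closure" shape as the
/// String::retain excerpt above, but panic-safe thanks to a drop guard. Without
/// it, a panic in `f` leaves the old length in place while some slots were already
/// dropped or moved, so the Vec's later drop frees them again (double free).
pub fn retain_panic_safe<T>(v: &mut Vec<T>, mut f: impl FnMut(&T) -> bool) {
    // slots [0, processed) were handled by `f`; `deleted` of them were dropped
    struct BackshiftOnDrop<'a, T> { v: &'a mut Vec<T>, processed: usize, deleted: usize, original_len: usize }
    impl<T> Drop for BackshiftOnDrop<'_, T> {
        // Runs on normal exit and during unwinding: shift the unprocessed tail
        // down over the holes and publish a length that covers only live slots.
        fn drop(&mut self) {
            unsafe {
                let p = self.v.as_mut_ptr();
                let tail = self.original_len - self.processed;
                ptr::copy(p.add(self.processed), p.add(self.processed - self.deleted), tail);
                self.v.set_len(self.original_len - self.deleted);
            }
        }
    }
    let original_len = v.len();
    unsafe { v.set_len(0) }; // from here on Vec's own Drop cannot see a moved-out slot
    let mut g = BackshiftOnDrop { v, processed: 0, deleted: 0, original_len };
    while g.processed < original_len {
        let cur = unsafe { &mut *g.v.as_mut_ptr().add(g.processed) };
        if !f(&*cur) {
            g.processed += 1; // bookkeeping first, so a panicking Drop cannot run twice
            g.deleted += 1;
            unsafe { ptr::drop_in_place(cur) };
        } else {
            if g.deleted > 0 {
                let hole = unsafe { g.v.as_mut_ptr().add(g.processed - g.deleted) };
                unsafe { ptr::copy_nonoverlapping(cur, hole, 1) };
            }
            g.processed += 1;
        }
    }
}
/// Constructed scenario: the user predicate panics on "c"; returns the Vec after
/// the panic is caught. "b" was dropped, "c" and "d" survive: ["a", "c", "d"].
pub fn demo_panic_midway() -> Vec<String> {
    let mut v: Vec<String> = ["a", "b", "c", "d"].iter().map(|s| s.to_string()).collect();
    let outcome = catch_unwind(AssertUnwindSafe(|| {
        retain_panic_safe(&mut v, |s| { assert!(s != "c", "user predicate panicked"); s != "b" })
    }));
    assert!(outcome.is_err());
    v
}
```

Compare with the page's excerpt: there, a panic in f leaves the string's length unchanged while bytes have already been shifted, so the guard's job (fix the length before anyone else looks at the buffer) is exactly what is missing.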

Higher Order Invariant (Assumed properties about traits)

This occurs when code assumes properties of trait methods that the trait does not enforce, such as expecting the Borrow trait to return the same reference on multiple calls to borrow, or trusting a return value that a user-provided implementation controls.

let mut g = Guard { len: buf.len(), buf };
// ...
  Ok(n) => g.len += n,

Example: rust#80894
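To make the invariant concrete, here is an added example (not std's code) of a simplified read_to_end in the shape of the Guard snippet above: the number of bytes a Read implementation claims to have written is re-checked against the slice it was given before it feeds any length bookkeeping, and a constructed LyingReader shows the contract violation being rejected. The function and type names are assumptions of this example.

```rust
use std::io::{self, Read};
/// Added example (not std's code): a simplified read_to_end showing the higher
/// order invariant behind rust#80894. `Read::read` is documented to return the
/// number of bytes it wrote into the slice, but nothing enforces that, so the
/// original `g.len += n` bookkeeping trusted a value a buggy or malicious impl
/// controls. Here `n` is re-checked against the slice before anything uses it.
pub fn read_to_end_checked<R: Read>(r: &mut R, buf: &mut Vec<u8>) -> io::Result<usize> {
    const CHUNK: usize = 32; // small so the constructed reader below lies easily
    let start = buf.len();
    loop {
        let len = buf.len();
        buf.resize(len + CHUNK, 0); // zero-filled spare room: no uninitialized bytes
        match r.read(&mut buf[len..]) {
            Ok(0) => { buf.truncate(len); return Ok(len - start); }
            Ok(n) if n <= CHUNK => buf.truncate(len + n),
            Ok(n) => {
                // Contract violated: fail closed before `n` touches any length.
                buf.truncate(len);
                let msg = format!("read returned {} for a {}-byte buffer", n, CHUNK);
                return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
            }
            Err(e) if e.kind() == io::ErrorKind::Interrupted => buf.truncate(len),
            Err(e) => { buf.truncate(len); return Err(e); }
        }
    }
}
/// Constructed reader that breaks the Read contract: it claims to have written
/// far more bytes than the slice it was handed can hold.
pub struct LyingReader;
impl Read for LyingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { Ok(buf.len() + 1000) }
}
```

Returning an error is one option; an assertion that aborts the read keeps the invariant just as well, and either is better than letting the value reach set_len.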

Send Sync Variance (Unrestricted Send or Sync on generic types)

This occurs when a type generic over T implements Send or Sync without the correct bounds on T, so that the unsafe impl applies even when T itself is not Send or Sync.

unsafe impl<T: ?Sized + Send, U: ?Sized> Send for MappedMutexGuard<'_, T, U> {}
unsafe impl<T: ?Sized + Sync, U: ?Sized> Sync for MappedMutexGuard<'_, T, U> {}

Example: futures#2239

Bugs Found by Rudra

Rudra was run on the entire crates.io state as of July 4th, 2020, as well as the Rust standard library from nightly-2020-08-26. It found 264 new memory safety issues across the Rust ecosystem, which resulted in 76 CVEs.

The details of these bugs can be found in the Rudra-PoC repo.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
