Memory-Safety Challenge Considered Solved? An Empirical Study with All Rust CVEs

Rust is an emerging programing language that aims at preventing memory-safety bugs without sacrificing much efficiency. The property is very attractive to developers, and many projects start using the language. However, can Rust achieve the memory-safety promise? This paper studies the question by surveying the bug reports collected from two public datasets, Advisory-db and Trophy-cases, which contain all existing CVEs (common vulnerability and exposures) of Rust. We manually analyze each bug and extract their memory-safety issues and culprits. Our results show that buffer overflow and dangling pointers are still the major memory-safety issues in Rust, and most culprits are related to unsafe Rust. Such security issues reveal that the security cost of Rust to support unsafe functions is high. To elaborate, the culprits of buffer overflow bugs in Rust are very similar to those in C/C++, which generally involve both logical errors and arbitrary pointer operations that are allowed only by unsafe Rust. However, the culprits of dangling pointers in Rust have unique patterns, especially those related to the vulnerability of Rust's borrow checker and lifetime checker. Based on these findings, we further suggest two directions to improve the resilience of Rust against dangling pointers, including recommending the best practice of some APIs to program developers, as well as approaches to enhancing the borrow checker and lifetime checker. Our work intends to raise more concerns regarding the memory-safety promise of Rust and facilitates the maturity of the language.