Fast Summary-based Whole-program Analysis to Identify Unsafe Memory Accesses in Rust

Rust is one of the most promising systems programming languages to fundamentally solve the memory safety issues that have plagued low-level software for over forty years. However, to accommodate the scenarios where Rust's type rules might be too restrictive for certain systems programming and where programmers opt for performance over security checks, Rust opens security escape hatches allowing writing unsafe source code or calling unsafe libraries. Consequently, unsafe Rust code and directly-linked unsafe foreign libraries may not only introduce memory safety violations themselves but also compromise the entire program as they run in the same monolithic address space as the safe Rust. This problem can be mitigated by isolating unsafe memory objects (those accessed by unsafe code) and sandboxing memory accesses to the unsafe memory. One category of prior work utilizes existing program analysis frameworks on LLVM IR to identify unsafe memory objects and accesses. However, they suffer the limitations of prolonged analysis time and low precision. In this paper, we tackled these two challenges using summary-based whole-program analysis on Rust's MIR. The summary-based analysis computes information on demand so as to save analysis time. Performing analysis on Rust's MIR exploits the rich high-level type information inherent to Rust, which is unavailable in LLVM IR. This manuscript is a preliminary study of ongoing research. We have prototyped a whole-program analysis for identifying both unsafe heap allocations and memory accesses to those unsafe heap objects. We reported the overhead and the efficacy of the analysis in this paper

Security preserving program translations.

The analysis of information flow has become a popular technique for ensuring the confidentiality of data. It is in this context that confidentiality policies arise for giving guarantees that private data cannot be inferred by the inspection of public data. Non-interference is an example of a security policy. It is a semantic condition that ensures the absence of illicit information flow during program execution by not allowing to distinguish the results of two computations when they only vary in their confidential inputs. A remarkable feature of non-interference is that it can be enforced statically by the definition of an information flow type system. In such a type system, if a program type-checks, then it means that it meets the security policy. In this thesis we focus on an important usage of the non-interference property: its preservation through program translation. We are interested in analysing techniques that make it possible the development of security preserving program translations in the sense of code conversions that produce non-interfering output programs out of non-interfering input programs. This is a topic with significant practical relevance as can be seen in, for example, the context of program compilation: if for certain applications it is essential that the source code meets the security property, it is even more important that the corresponding compiled, low-level code, which is the one that will be actually executed, is also secure. We pursue a formal methods approach to this topic, performing an analysis of type-based, security-preserving program translations in the context of dependently-typed programming. We use Agda, a functional language with dependent types, as the formalization language. In Agda we represent the (abstract syntax of the) object languages, their security type systems, as well as the translations between them. The importance of using Agda resides in its powerful type system that makes it possible to encode object invariants. In our case this is reflected in the ability to define the security type systems of the involved languages in terms of Agda’s inductive families thus reducing the verification of security preservation by translation to type-checking. We analyse the formalization of two cases. First, we develop a compiler between a simple imperative language and a semi-structured machine code. For each language, we define a sound information flow type system and we prove that the compiler preserves non-interference. The type systems of both languages are flow-insensitive in the sense that the security level of program variables is not allowed to change during program execution. Second, we perform the formalization of Hund & Sands security-preserving translation that transforms programs in a high-level language typable in a flow-sensitive type system into equivalent high-level programs typable in a flow-insensitive type system. Since the source language of the compiler coincides with the target language of Hund & Sands translation, by composing the two components we get as result a security-preserving compiler for a language with a flowsensitive type system

Scalable Context-Sensitive Pointer Analysis for LLVM

Pointer analysis is indispensable for effectively verifying heap-manipulating programs. Even though it has been studied extensively, there are no publicly available pointer analyses for low-level languages that are moderately precise while scalable to large real-world programs. In this thesis, we show that existing context-sensitive unification-based pointer analyses suffer from the problem of oversharing – propagating too many abstract objects across the analysis of different procedures, which prevents them from scaling to large programs. We present a new pointer analysis for LLVM, called TeaDsa, with such an oversharing significantly reduced. We show how to further improve precision and speed of TeaDsa with extra contextual information, such as flow-sensitivity at call- and return-sites, and type information about memory accesses. We evaluate TeaDsa on the verification problem of detecting unsafe memory accesses and compare it against two state-of-the-art pointer analyses: SVF and SeaDsa. We show that TeaDsa is one order of magnitude faster than either SVF or SeaDsa, strictly more precise than SeaDsa, and, surprisingly, sometimes more precise than SVF