Rust is an emerging programming language designed for the development of
systems software. To facilitate the reuse of Rust code, crates.io, as a central
package registry of the Rust ecosystem, hosts thousands of third-party Rust
packages. The openness of crates.io enables the growth of the Rust ecosystem
but comes with security risks by severe security advisories. Although Rust
guarantees a software program to be safe via programming language features and
strict compile-time checking, the unsafe keyword in Rust allows developers to
bypass compiler safety checks for certain regions of code. Prior studies
empirically investigate the memory safety and concurrency bugs in the Rust
ecosystem, as well as the usage of unsafe keywords in practice. Nonetheless,
the literature lacks a systematic investigation of the security risks in the
Rust ecosystem.
In this paper, we perform a comprehensive investigation into the security
risks present in the Rust ecosystem, asking ``what are the characteristics of
the vulnerabilities, what are the characteristics of the vulnerable packages,
and how are the vulnerabilities fixed in practice?''. To facilitate the study,
we first compile a dataset of 433 vulnerabilities, 300 vulnerable code
repositories, and 218 vulnerability fix commits in the Rust ecosystem, spanning
over 7 years. With the dataset, we characterize the types, life spans, and
evolution of the disclosed vulnerabilities. We then characterize the
popularity, categorization, and vulnerability density of the vulnerable Rust
packages, as well as their versions and code regions affected by the disclosed
vulnerabilities. Finally, we characterize the complexity of vulnerability fixes
and localities of corresponding code changes, and inspect how practitioners fix
vulnerabilities in Rust packages with various localities.Comment: preprint of accepted TOSEM pape