Boqin Qin

Boqin Qin

I received my B.S. and Ph.D. in BUPT, China. I was a visiting scholar in PennState, US, 2018-2019. Interested in program analysis and distributed systems.

A Use-After-Free Bug in Redox

less than 1 minute read

Published:

This is the brief description of CVE-2020-22429. For more details, please refer to Reference.

[Description]

redox-os v0.1.0 was discovered to contain a use-after-free bug via the gethostbyaddr() function at /src/header/netdb/mod.rs.

[VulnerabilityType Other]

Use After Free

[Vendor of Product]

https://gitlab.redox-os.org/redox-os/relibc

[Affected Product Code Base]

redox-os - 0.1.0

Note that the bugs still exist as of writing (2023-04-29).

[Affected Component]

  • netdb::gethostbyaddr
  • netdb::gethostbyname
  • netdb::getprotoent
  • netdb::getservent

[Attack Type]

Local

[Impact Code execution]

true

[Attack Vectors]

To exploit the vulnerability, someone must call the above functions and access the global dangling pointer.

[Reference]

https://gitlab.redox-os.org/redox-os/relibc/issues/159

[Discoverer]

bobbqqin@gmail.com

I found the bugs by using lockbud, a static bug detector for Rust.

You May Also Enjoy

A curated list of awesome Rust checkers

10 minute read

Published:

Migrated to https://github.com/BurtonQin/Awesome-Rust-Checker. Welcome to contribute there. Updated: 2024-11-18

Table of contents

Linters

NameDescriptionWorking onBug typesTechnologyMaintenance
clippyA bunch of lints to catch common mistakes and improve your Rust code. Paper: ICSE-Companion’24HIRVersatilePattern matching★★★★★
dylintRun Rust lints from dynamic librariesHIRVersatilePattern matching★★★★★

Static Checkers

NameDescriptionWorking onBug TypesTechnologyMaintenance
MIRAIRust mid-level IR Abstract InterpreterMIRPanic, Security bugs, CorrectnessAbstract Interpretation★★★★★
lockbudStatically detect common memory and concurrrency bugs in Rust. Paper: Safety Issues in Rust, TSE’24MIRDouble-Lock, Conflicting-Lock-Order, Atomicity-Violation, Use-After-Free, Invalid-Free, Panic LocationsData-flow Analysis★★★★★
RAP (formerly SafeDrop)Rust Analysis Platform. Paper: SafeDrop, TOSEM’22MIRUse-After-Free, Double-FreeData-flow Analysis★★★★★
RCanaryDetecting Memory Leaks Across Semi-automated Memory Management Boundary in Rust. RCanary, TSE’24HIR, MIRMemory LeaksStatic Program Analysis, Model Checking★★★☆☆
RudraRust Memory Safety & Undefined Behavior Detection. Paper: Rudra, SOSP’21HIR, MIRMemory safety when panicked, Higher Order Invariant, Send Sync VarianceData-flow Analysis★★★☆☆
YugaAutomatically Detecting Lifetime Annotation Bugs in the Rust Language. Paper: Yuga, ICSE’24HIR, MIRLifetime Annotation BugsData-flow Analysis★★★★☆
MirCheckerA Simple Static Analysis Tool for Rust. Paper: MirChecker, CCS’21MIRPanic (including numerical), Lifetime Corruption (memory issues)Abstract Interpretation★★☆☆☆
FFICheckerA Static Analysis Tool For Detecting Memory Management Bugs Between Rust and C/C++. Paper: FFIChecker, ESORICS’22LLVM IRMemory issues across the Rust/C FFIAbstract Interpretation★☆☆☆☆
RUPTASupports pointer/alias analysis for Rust, operating on Rust MIR. It currently offers callsite-based pointer analysis. Paper: RUPTA, CC’24MIRNot bugs, for callgraph constructionCallsite-based pointer analysis★★★★★
CharonInterface with the rustc compiler for the purpose of program verification. Paper: CharonMIR, LLBCAn Analysis Framework for RustConvert MIR to LLBC for analysis★★★★★
CocoonStatic Information Flow Control in Rust. Paper: Cocoon, OOPSLA’24Rust Soure CodeSecrecy LeaksRust’s type system and procedural macros★★★★★

Academic Papers (source code not found yet)

NameDescriptionWorking onBug TypesTechnology
RupairRupair: Towards Automatic Buffer Overflow Detection and Rectification for Rust. Rupair, ACSAC’21AST, MIRBuffer OverflowData-flow Analysis
CRUSTCRUST: Towards a Unified Cross-Language Program Analysis Framework for Rust. CRUST, QRS’22CRustIR based on MIRSecurity (CFI vilation, Meta Data Leaking, Format String Attack), Memory issues(Out-of-bounds, Use-after-Free, Double-Free, Stack-Overflow, Buffer-Overflow), Arithmetic (Divide-by-zero, Integer-Overflow)Program Analysis Framework
ACORNACORN: Towards a Holistic Cross-Language Program Analysis for Rust. ACORNWasmSecurity (Tainted Variable, Dangerous Function, Format String Attack), Memory issues (Out-of-bounds, Use-after-Free, Double-Free, Stack-Overflow, Buffer-Overflow), Arithmetic (Divide-by-zero, Integer-Overflow)Program Analysis Framework
Yu ZhangStatic Deadlock Detection for Rust Programs. Yu ZhangMIRDeadlockData-flow Analysis
Kaiwen ZhangAutomatically Transform Rust Source to Petri Nets for Checking Deadlocks. Kaiwen ZhangMIRDeadlockPetri Nets
RustC4Leveraging Large Language Model to Assist Detecting Rust Code Comment Inconsistency. ASE’24ASTCode Comment InconsistencyLLM

Dynamic Checkers

NameDescriptionWorking onBug TypesTechnologyMaintenance
miriAn interpreter for Rust’s mid-level intermediate representationMIRUndefined BehaviorAbstract Interpretation★★★★★
cargo-carefulExecute Rust code carefully, with extra checking along the way-Undefined BehaviorEnable Debug Assertion in std★★★★★
cargo-fuzzCommand line helpers for fuzzing--Fuzzing★★★★★
LoomConcurrency permutation testing tool for Rust.Source CodeConcurrency BugsPermutation testing★★★★★
ERASANEfficient Rust Address Sanitizer. Paper: IEEES&P’24-Memory Access BugsFuzzing★★★★★
Automated-FuzzerSimple tool to create broken files and checking them with special apps-PanicFuzzing★★★★★
RULFFuzz Target Generator for Rust libraries. Paper: RULF, ASE’21-Out-of-bound, Panic (including arithmetic)Fuzzing★★★☆☆
RPG1RPG: Rust Library Fuzzing with Pool-based Fuzz Target. Paper: RPG, ICSE’24-Out-of-bound, Panic (including arithmetic)Fuzzing★★☆☆☆
SyRustAutomatic Testing of Rust Libraries with Semantic-Aware Program Synthesis. Paper: SyRust, PLDI’21--Program Synthesis★☆☆☆☆
NADERAutomatic Context-Aware Safety Enhancement for Rust. Paper: OOPSLA’21MIR, Source CodeUnchecked IndexingAPI Replacing★☆☆☆☆
casr2collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity. Paper: Casr-Cluster, ISPRAS’21, Ivannikov Memorial Workshop’24Crash Reports from ASan, UBSan, GDB-Analyze crashes★★★★★
FRIESFuzzing Rust Library Interactions via Efficient Ecosystem-Guided Target Generation. Paper: FRIES, ISSTA’24MIRRust API interactionsFuzzing★★★☆☆
rustsmithA randomized program fuzzer for the Rust programming language. Paper: rustsmith, ISSTA’23 rustsmith, thesisASTRust compiler bugsDifferential testing★★★☆☆
rustlantisUB-free and deterministic rustc fuzzer. Paper: rustlantis, OOPSLA’24MIRRust compiler bugsDifferential testing★★★★★

Academic Papers (source code not found yet)

NameDescriptionWorking onBug TypesTechnology
CrabSandwichCrabSandwich: Fuzzing Rust with Rust. CrabSandwich, Fuzzing’23LLVM IROut-of-bounds, PanicFuzzing
Zhiyong RenDetect Stack Overflow Bugs in Rust via Improved Fuzzing Technique. Zhiyong Ren, SEKE’21AST, HIR, MIR, LLVM IRStack OverflowFuzzing
RustcheckSafety Enhancement of Unsafe Rust via Dynamic Program Analysis. Rustcheck, QRS-C’23MIRMemory vulnerabilitiesStatic Program Analysis, Instrumentation
RUSTYA Fuzzing Tool for Rust. Poster@ACSAC’20-VulnerabilitiesFuzzing, Concolic Testing, Property-based Testing
Rust-twinsAutomatic Rust Compiler Testing through Program Mutation and Dual Macros Generation. ASE’24AST, HIRRust compiler crashes and differencesDifferential testing, mutation, macroize components, LLM
  1. The link may be incorrect. See here.
  2. casr analyze the results of dynamic checkers instead of performing dynamic analysis itself. Thanks zjp-CN for recommending casr.

Verifiers

NameDescriptionWorking onBug TypesTechnologyMaintenance
kaniThe Kani Rust Verifier is a bit-precise model checker for Rust. Paper: kani, ICSE-SEIP’22MIRMemory safety, User-specified assertions, Panics, Unexpected behavior (e.g., arithmetic overflows)Model Checking★★★★★
prustiA static verifier for Rust, based on the Viper verification infrastructure. Paper: prusti, NFM’22 ViperPanic (inluding arithmetic), User-specified assertionsSymbolic Execution★★★★☆
crux-mirA static simulator for Rust programs. Paper: crux--Symbolic Testing★★★★☆
verusVerified Rust for low-level systems code. Paper: verus, OOPSLA’23, SOSP’24--SMT-based Verification5★★★★★
fluxflux is a refinement type checker for Rust. Paper: flux, PLDI’23---★★★★★
AeneasA verification toolchain for Rust programs. Paper: Aeneas, ICFP’22, ICFP’24LLBC (for safe Rust only)--★★★★★
RustBeltFormal (and machine-checked) safety proof for a language representing a realistic subset of Rust. Paper: RustBelt, POPL’18𝜆Rust--★★★★★
RustHornA CHC-based automated verifier for Rust RustHorn, TOPLAS’21MIR--★★★★☆
CreusotA deductive verifier for Rust code. Creusot, ICFEM’22WhyMLPanics, overflows, Assertion failuresDeductive Verification★★★★★
RustHornBeltA Semantic Foundation for Functional Verification of Rust Programs with Unsafe Code. Paper: RustHornBelt, PLDI’22𝜆Rust--★★☆☆☆
RefinedRust1A Type System for High-Assurance Verification of Rust Programs. Paper: RefinedRust, PLDI’24Radium--★★★★★
VeriFast2Research prototype tool for modular formal verification of C and Java programs. Paper: VeriFast, NFM’11--Symbolic Execution★★★★★
mendel-verifierCapability-based verifier for safe Rust clients of interior mutability. Paper: Poli, ThesisViperInterior MutabilitySymbolic Execution★★★★★

Academic Papers (source code not found yet)

NameDescriptionWorking onBug TypesTechnology
GillianRustA hybrid approach to semi-automated Rust verification. GillianRustUnsafe Code Supported-Separation Logic based Hybrid Verification5
UnsafeCopTowards Memory Safety for Real-World Unsafe Rust Code with Practical Bounded Model checking. UnsafeCop, FM’24-Memory safety issuesBounded Model Checking
SAFEAutomated Proof Generation for Rust Code via Self-Evolution. SAFERust Code With Docstring, Verus-Verus Verifier, LLM
  1. Thanks to jedbrown for recommending RefinedRust and other Rust-related verification tools.
  2. Rust support is WIP in VeriFast. Thanks zjp-CN for recommending VeriFast.

Thanks to the following awesome works:

  1. https://github.com/analysis-tools-dev/static-analysis?tab=readme-ov-file#rust
  2. https://github.com/analysis-tools-dev/dynamic-analysis?tab=readme-ov-file#rust
  3. A Survey of Rust Language Security Research
  4. RefinedRust: A Type System for High-Assurance Verification of Rust Programs
  5. Verifying the Rust Standard Library