Yuga: Automatically Detecting Lifetime Annotation Bugs in the Rust Language
IEEE Transactions on Software Engineering (IF 6.5). Pub Date: 2024-08-22. DOI: 10.1109/tse.2024.3447671. Authors: Vikram Nitin [1], Anne Mulhern [2], Sanjay Arora [2], Baishakhi Ray [1].
The Rust programming language is becoming increasingly popular among systems programmers due to its efficient performance and robust memory safety guarantees. Rust employs an ownership model to ensure these guarantees by allowing each value to be owned by only one identifier at a time. It uses the concept of borrowing and lifetimes to enable other variables to temporarily borrow values. Despite its benefits, security vulnerabilities have been reported in Rust projects, often attributed to the use of “unsafe” Rust code. These vulnerabilities, in part, arise from incorrect lifetime annotations on function signatures. However, existing tools fail to detect these bugs, primarily because such bugs are rare, challenging to detect through dynamic analysis, and require explicit memory models. To overcome these limitations, we characterize incorrect lifetime annotations as a source of memory safety bugs and leverage this understanding to devise a novel static analysis tool, Yuga, to detect potential lifetime annotation bugs. Yuga uses a multi-phase analysis approach, starting with a quick pattern-matching algorithm to identify potential buggy components and then conducting a flow- and field-sensitive alias analysis to confirm the bugs. We also curate new datasets of lifetime annotation bugs. Yuga successfully detects bugs with good precision on these datasets, and we make the code and datasets publicly available.
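The bug class the abstract describes, as an added example that is not code from the paper or from the Yuga tool: a method whose returned reference is annotated with the lifetime of the wrong parameter, hidden from the borrow checker by an unsafe body, shown beside the corrected signature. `Record`, `field_buggy`, `field` and `correct_use` are constructed names for this illustration.

```rust
use std::slice;

/// A record owning a byte buffer (constructed type for this example).
pub struct Record {
    bytes: Vec<u8>,
}

impl Record {
    pub fn new(bytes: &[u8]) -> Self {
        Record { bytes: bytes.to_vec() }
    }

    // BUGGY signature: the slice is built from `self.bytes`, but the annotation
    // ties it to `'k`, the lifetime of `key`. The unsafe body keeps the borrow
    // checker from noticing, so a caller may hold the slice after `self` is
    // dropped: a use-after-free. Kept only as the "before" form.
    pub fn field_buggy<'k>(&self, key: &'k str) -> &'k [u8] {
        let len = key.len().min(self.bytes.len());
        // SAFETY: sound only while `self` is alive, which the signature does not enforce.
        unsafe { slice::from_raw_parts(self.bytes.as_ptr(), len) }
    }

    // FIXED signature: the output borrows from `self`, the value that owns the data.
    pub fn field<'s>(&'s self, key: &str) -> &'s [u8] {
        let len = key.len().min(self.bytes.len());
        &self.bytes[..len]
    }
}

/// Correct use: `rec` outlives the borrow, so either method is sound here.
pub fn correct_use() -> Vec<u8> {
    let rec = Record::new(b"hello");
    rec.field("hi").to_vec()
}

// Dangling use that the buggy signature lets through (it compiles, then frees
// `rec` before the slice is read). With `field` in place of `field_buggy`,
// rustc rejects the same code with "`rec` does not live long enough":
//
//     let key = "hi";
//     let f = { let rec = Record::new(b"hello"); rec.field_buggy(key) };
//     f.to_vec() // use-after-free
```

This is the kind of signature-level mismatch that Yuga's first, pattern-matching phase flags and its alias analysis then confirms: the returned reference aliases `self.bytes`, yet no lifetime in the signature connects it to `self`.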
Updated: 2024-08-22