Unsafe's Betrayal: Abusing Unsafe Rust in Binary Reverse Engineering via Machine Learning
This addresses a security issue for reverse engineers and software analysts by enabling more efficient bug detection in Rust binaries, though it is incremental as it builds on existing unsafe code analysis methods.
The paper tackled the problem of identifying memory-safety bugs in Rust binaries by using machine learning to locate unsafe code spots, achieving a recall of 92.92% of bugs while covering only 16.79% of the binary code.
Memory-safety bugs introduce critical software-security issues. Rust provides memory-safe mechanisms to avoid memory-safety bugs in programming, while still allowing unsafe escape hatches via unsafe code. However, the unsafe code that enhances the usability of Rust provides clear spots for finding memory-safety bugs in Rust source code. In this paper, we claim that these unsafe spots can still be identifiable in Rust binary code via machine learning and be leveraged for finding memory-safety bugs. To support our claim, we propose the tool textttrustspot, that enables reverse engineering to learn an unsafe classifier that proposes a list of functions in Rust binaries for downstream analysis. We empirically show that the function proposals by textttrustspot can recall $92.92\%$ of memory-safety bugs, while it covers only $16.79\%$ of the entire binary code. As an application, we demonstrate that the function proposals are used in targeted fuzzing on Rust packages, which contribute to reducing the fuzzing time compared to non-targeted fuzzing.