Chapter 6.3. Unsafety Code Audit

The unsafety propogation graph(UPG) is a novel method to model the essential usage and encapsulation of unsafe code. UPG combines the traditional call graph with unsafe and dataflow information from Rust to capture the use and propagation of unsafe code across the project.

Within the UPG, there contains four major isolation types and nine structural patterns to split a UPG into several small self-contained subgraphs. These subgraphs called unsafety isolation graphs(UIGs) can serve as useful audit units for examining the soundness of unsafe code encapsulation.

We will continue to explore and investigate more effective applications of UIG in the encapsulation of unsafe code in our subsequent research.

Before using this feature, make sure that graphviz is installed on your device

usage

generate upg

Get into the same directory as cargo.toml and run the cmd below from the teminal. 

cargo rapx -upg

Then 'rapx' will create a directory named 'UPG' in the same level, which contains several connected unsafety propogation graphs.

count uig

This feature is numerically calculated based on the type of all uig in the target crate

cargo rapx -uig

check safety doc

With the following cmd, users can check for unsafe apis that lack an unsafe document annotation

cargo rapx -doc

RAPx will output the corresponding unsafe api information, including its location and visibility level as follows:

Lack of unsafety doc: src/lib.rs:1668:1: 1674:11 (#0), visibility:Restricted(DefId(0:0 ~ smallvec[ecd8])).
Lack of unsafety doc: src/lib.rs:1699:1: 1704:11 (#0), visibility:Restricted(DefId(0:0 ~ smallvec[ecd8])).
Lack of unsafety doc: src/lib.rs:960:5: 960:45 (#0), visibility:Restricted(DefId(0:0 ~ smallvec[ecd8])).

audit unsafe APIs' SP in core and alloc

Specifically, we currently integrate a set of SP labels analysis for core and alloc crate of the Rust standard library.

  1. Create a new helloworld project.
  2. Navigate to the helloworld project directory and run:
cargo rapx -stdsp -- -Z build-std --target x86_64-unknown-linux-gnu > /your/output/log/path/result.log 2>&1

Replace /your/output/log/path with your desired output directory. This will output APIs where the caller and callee have different SPs.

unsafe code annotation and sp analysis

These features are under development.

framework

The overall framework of this feature is consistent with rap's frontend framework. See the picture below for details. Framework of unsafe code propogation analysis.