DOI QR코드

DOI QR Code

A Study on Securing Rust in Mixed-Language Applications

다중 언어 어플리케이션에서의 러스트 언어 보호에 대한 연구

  • Junseung You (Dept. of Electrical and Computer Engineering and Inter-University Semiconductor Research Center (ISRC), Seoul National University) ;
  • Martin Kayondo (Dept. of Electrical and Computer Engineering and Inter-University Semiconductor Research Center (ISRC), Seoul National University) ;
  • Yunheung Paek (Dept. of Electrical and Computer Engineering and Inter-University Semiconductor Research Center (ISRC), Seoul National University)
  • 유준승 (서울대학교 전기정보공학부, 반도체공동연구소) ;
  • 카욘도마틴 (서울대학교 전기정보공학부, 반도체공동연구소) ;
  • 백윤흥 (서울대학교 전기정보공학부, 반도체공동연구소)
  • Published : 2024.10.31

Abstract

For many decades, memory corruption attacks have posed a significant threat to computer systems, particularly those written in unsafe programming languages such as C/C++. In response, a 'safe' programming language, Rust, was recently developed to prevent memory bugs by using compile-time and runtime checks. Rust's security and efficiency has lead its adoption from multiple popular applications such as Firefox and Tor. Due to the large code base and complexity of legacy software, the adoption generally takes a form of a gradual deployment, where security-critical portion of the program is replaced with Rust, resulting in a mixed-language application. Unfortunately, such adoption strategy introduced a new attack vector that propagates the vulnerabilities residing in the unsafe languages to Rust, undermining the security guarantees provided by Rust. In this paper, we shed light on strategies designed to defend against attacks that target multi-lingual applications to compromise the security of Rust. We study underlying rationale of various defense mechanisms and design decisions taken to improve their performance and effectiveness. Furthermore, we explore the limitations of existing defenses and argue that additional methods are necessary for Rust to fully benefit from its security promises in multi-language environments.

Keywords

Acknowledgement

This research was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government, Minitry of Science and ICT (MSIT) (RS-2023-00277326), the BK21 FOUR program of the Education and Research Program for Future ICT Pioneers, Seoul national University in 2024, and Inter-University Semiconductor Research Center (ISRC); in part by the Institute of Information & Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (RS-2024-00438729, Development of Full Lifecycle Privacy-Preserving Techniques using Anonymized Confidential Computing); and in part by Korea Planning & Evaluation Institute of Industrial Technology(KEIT) grant funded by the Korea governement(MOTIE) (No. RS-2024-00406121, Development of an Automotive Security Vulnerability-based Thread Analysis System (R&D)); and in part by IITP under the artificial intelligence semiconductor support program to nurture the best talents(IITP-2023-RS-2023-00256081) grant funded by the Korea government (MSIT).

References

  1. Bang et. al., TRUST: A CompilationFramework for In-process Isolation to ProtectSafe Rust aginst Untrusted Code, USENIXSecurity Symposium, Anaheim, CA, USA, 2023, pg.6947-6964
  2. Mergendahl et. al., Cross Language Attacks, Network and Distributed Systems SecuritySymposium, San Diego, CA, USA, 2022
  3. Rivera et. al., Keeping Safe Rust Safe withGaleed, Annual Computer Security Applications Conference, Virtual Event, USA, 2021
  4. Kirth et. al., PKRU-Safe: Automatically Locking Down the Heap Between Safe and Unsafe Langauges, European Conference on Computer Systems, Rennes, France, 2022, pg.132 - 148