This program is tentative and subject to change.
We introduce Cargo Scan, the first interactive program analysis tool designed to help developers audit third-party Rust code. Real systems written in Rust, like systems written in other safe languages, rely on thousands of transitive dependencies. Unfortunately, third-party code written in Rust is as dangerous as code written in C or JavaScript — and auditing this code today is similarly manual and just as painstaking. To address this, Cargo Scan takes advantage of Rust’s type and module system to automatically analyze third-party crates, and reduces the manual audit burden to inspecting only the parts of functions that perform potentially dangerous side-effects and (in some cases) those functions’ calling contexts. Using this analysis, we find that over 85% of the top 1,000 crates are safe to use with no manual inspection. And, as our evaluation auditing the popular hyper crate and its dependencies shows, Cargo Scan can (1) reduce the auditing burden of potentially dangerous code to a median of 13.2% of lines of code when compared to auditing whole crates and (2) pinpoint dangerous side-effects previously missed by manual audits that led to CVEs.
Mon 20 Jan. Displayed time zone: Mountain Time (US & Canada)
14:00 - 15:30
14:00 | 24m | Talk | Auditing Rust Crates Effectively | PriSC | Lydia Zoghbi (University of California, San Diego), David Thien (University of California, San Diego), Ranjit Jhala (UCSD), Deian Stefan (University of California at San Diego), Caleb Stanford (University of California, Davis)
14:25 | 24m | Talk | Automatic Inference of Enclave Placement in LLVM Compiler | PriSC | Wesley B Nuzzo (University of Massachusetts, Lowell (UML)), Mohamed Elwakil (U.S. Coast Guard Academy), Anitha Gollamudi (University of Massachusetts Lowell)
14:50 | 24m | Talk | Counterexamples in Safe Rust | PriSC
15:15 | 15m | Talk | Lightning talks | PriSC