The Rust programming language is becoming increasingly popular among systems programmers due to its efficient performance and robust memory safety guarantees. Rust employs an ownership model to ensure this guarantee by allowing each value to be owned by only one identifier at a time. Additionally, it introduces the concept of borrowing and lifetimes to enable other variables to borrow the values under certain conditions temporarily. Despite its benefits, security vulnerabilities have been reported in Rust projects, often attributed to the use of "unsafe" Rust code. These vulnerabilities, in part, arise from incorrect lifetime annotations on function signatures. However, existing tools fail to detect these bugs, primarily because such bugs are rare, challenging to detect through dynamic analysis, and require explicit memory models. To overcome these limitations, first, we characterize incorrect lifetime annotations as a source of memory safety bugs and leverage this understanding to devise a novel static analysis tool, Yuga, to detect potential lifetime annotation bugs. Yuga uses a multi-phase analysis approach, starting with a quick pattern-matching algorithm to identify potential buggy components and then conducting a flow and field-sensitive alias analysis to confirm the bugs. We also curate new datasets of lifetime annotation bugs. Yuga successfully detects bugs with good precision on these datasets, and we make the code and datasets publicly available for review.

翻译：摘要：Rust编程语言因其高效的性能和强大的内存安全保证，在系统程序员中日益流行。Rust通过所有权模型确保这一保证，该模型规定每个值在同一时刻只能被一个标识符拥有。此外，它还引入了借用和生命周期的概念，使得其他变量能够在特定条件下临时借用这些值。尽管有这些优势，Rust项目中仍报告了安全漏洞，这些漏洞通常归因于“不安全”Rust代码的使用。此类漏洞部分源于函数签名中错误的生命周期标注。然而，现有工具无法检测这些错误，主要原因是此类错误罕见、难以通过动态分析检测，且需要显式的内存模型。为克服这些局限性，我们首先将错误的生命周期标注定性为内存安全错误的来源，并基于这一理解设计了一种新颖的静态分析工具Yuga，用于检测潜在的生命周期标注错误。Yuga采用多阶段分析方法，首先通过快速模式匹配算法识别潜在的错误组件，然后进行流敏感和字段敏感的别名分析以确认错误。我们还整理了一组新的生命周期标注错误数据集。Yuga在这些数据集上以良好的精度成功检测到错误，我们已将代码和数据集公开以供评审。