The Rust programming language is becoming increasingly popular among systems programmers due to its efficient performance and robust memory safety guarantees. Rust employs an ownership model to ensure this guarantee by allowing each value to be owned by only one identifier at a time. Additionally, it introduces the concept of borrowing and lifetimes to enable other variables to borrow the values under certain conditions temporarily. Despite its benefits, security vulnerabilities have been reported in Rust projects, often attributed to the use of "unsafe" Rust code. These vulnerabilities, in part, arise from incorrect lifetime annotations on function signatures. However, existing tools fail to detect these bugs, primarily because such bugs are rare, challenging to detect through dynamic analysis, and require explicit memory models. To overcome these limitations, first, we characterize incorrect lifetime annotations as a source of memory safety bugs and leverage this understanding to devise a novel static analysis tool, Yuga, to detect potential lifetime annotation bugs. Yuga uses a multi-phase analysis approach, starting with a quick pattern-matching algorithm to identify potential buggy components and then conducting a flow and field-sensitive alias analysis to confirm the bugs. We also curate new datasets of lifetime annotation bugs. Yuga successfully detects bugs with good precision on these datasets, and we make the code and datasets publicly available for review.

翻译：Rust 编程语言因其高效的性能和强大的内存安全保证，在系统程序员中日益受到欢迎。Rust 采用所有权模型来确保这一保证，它规定每个值在同一时刻只能被一个标识符所拥有。此外，它还引入了借用和生命周期的概念，使得其他变量可以在特定条件下临时借用这些值。尽管有这些优点，Rust 项目中仍报告了安全漏洞，这些漏洞通常归因于使用了“不安全”（unsafe）的 Rust 代码。这些漏洞部分源于函数签名上不正确的生命周期标注。然而，现有工具未能检测到这些缺陷，主要是因为此类缺陷较为罕见，难以通过动态分析检测，并且需要显式的内存模型。为了克服这些限制，我们首先将不正确的生命周期标注定性为内存安全漏洞的一个来源，并利用这一理解设计了一种新颖的静态分析工具 Yuga，用于检测潜在的生命周期标注缺陷。Yuga 采用多阶段分析方法，首先使用快速模式匹配算法识别可能存在缺陷的组件，然后进行流敏感和字段敏感的别名分析以确认缺陷。我们还整理了一套新的生命周期标注缺陷数据集。Yuga 在这些数据集上成功地以良好的精度检测到了缺陷，并且我们已将代码和数据集公开供审查。