We introduce Cargo Scan, the first interactive program analysis tool designed to help developers audit third-party Rust code. Real systems written in Rust rely on thousands of transitive dependencies. These dependencies are as dangerous in Rust as they are in other languages (e.g., C or JavaScript) -- and auditing these dependencies today means manually inspecting every line of code. Unlike for most industrial languages, though, we can take advantage of Rust's type and module system to minimize the amount of code that developers need to inspect to the code that is potentially dangerous. Cargo Scan models such potentially dangerous code as effects and performs a side-effects analysis, tailored to Rust, to identify effects and track them across crate and module boundaries. In most cases (69.2%) developers can inspect flagged effects and decide whether the code is potentially dangerous locally. In some cases, however, the safety of an effect depends on the calling context -- how a function is called, potentially by a crate the developer imports later. Hence, Cargo Scan tracks context-dependent information using a call-graph, and collects audit results into composable and reusable audit files. In this paper, we describe our experience auditing Rust crates with Cargo Scan. In particular, we audit the popular client and server HTTP crate, hyper, and all of its dependencies; our experience shows that Cargo Scan can reduce the auditing burden of potentially dangerous code to a median of 0.2% of lines of code when compared to auditing whole crates. Looking at the Rust ecosystem more broadly, we find that Cargo Scan can automatically classify ~3.5K of the top 10K crates on crates.io as safe; of the crates that do require manual inspection, we find that most of the potentially dangerous side-effects are concentrated in roughly 3% of these crates.

翻译：本文介绍 Cargo Scan，这是首个旨在帮助开发者审计第三方 Rust 代码的交互式程序分析工具。实际使用 Rust 编写的系统依赖于数千个传递依赖项。这些依赖项在 Rust 中与其他语言（如 C 或 JavaScript）中同样危险——而目前审计这些依赖项意味着需要人工检查每一行代码。然而，与大多数工业语言不同，我们可以利用 Rust 的类型和模块系统，将开发者需要检查的代码量最小化，仅聚焦于潜在危险的代码。Cargo Scan 将此类潜在危险代码建模为效应，并执行针对 Rust 定制的副作用分析，以识别效应并跨代码包和模块边界追踪它们。在大多数情况下（69.2%），开发者可以检查被标记的效应，并在局部判断代码是否潜在危险。然而，在某些情况下，效应的安全性取决于调用上下文——函数如何被调用，可能由开发者后续导入的代码包调用。因此，Cargo Scan 使用调用图追踪上下文相关信息，并将审计结果收集到可组合和可重用的审计文件中。在本文中，我们描述了使用 Cargo Scan 审计 Rust 代码包的经验。特别地，我们审计了流行的客户端和服务器 HTTP 代码包 hyper 及其所有依赖项；我们的经验表明，与审计整个代码包相比，Cargo Scan 可以将潜在危险代码的审计负担降低至中位数 0.2% 的代码行数。更广泛地观察 Rust 生态系统，我们发现 Cargo Scan 可以自动将 crates.io 上排名前 10K 的代码包中的约 3.5K 个分类为安全；对于确实需要手动检查的代码包，我们发现大部分潜在危险的副作用集中在大约 3% 的这些代码包中。