CCS2025

Don't Panic! Finding Bugs Hidden Behind Rust Runtime Safety Checks

Zeyang Zhuang, Zilun Wang, Wei Meng, Michael R. Lyu

Abstract

Rust has been extensively used in software and system development due to its guarantees for memory and concurrency safety. Fuzzing is a popular bug detection technique for examining the correctness and robustness of programs. However, we identify that current state-of-the-art Rust fuzzers are significantly impeded by the ubiquitous presence of Rust runtime safety checks, resulting in poor effectiveness and efficiency. These checks, which are inserted either implicitly by the compiler or explicitly by the compiler or developers, can cause a high number of panic crashes and early program termination during fuzzing. Consequently, current fuzzers are unable to effectively explore the deep code behind the runtime safety checks, leaving potential vulnerabilities undetected. To address these limitations, we propose PanicKiller, a new Rust fuzzing technique to detect bugs hidden in deep and unsafe code. It performs a cross-IR analysis to precisely identify runtime safety checks and unsafe code in Rust programs, and employs a novel dynamic taint analysis to track the critical input bytes associated with the conditions enforced by these checks. PanicKiller further applies novel input prioritization and mutation strategies to achieve effective and efficient fuzzing. Our evaluation shows that PanicKiller significantly outperformed current state-of-the-art Rust fuzzers, achieving average improvements of 22.0× in bug exposure speed, 1.68× in code coverage, and 18.2× in false-positive crash reduction, and up to 129.0×, 2.10×, and 64.8× improvements, respectively. PanicKiller further helped detect 14 and 53 previously unknown vulnerabilities in the benchmark dataset and in the real world, respectively, with 11 RustSec IDs assigned.

CCS Concepts: • Security and privacy → Software security engineering.
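The situation the abstract describes, as an added illustration that is not code from the paper or from PanicKiller: a hypothetical parser `parse_record` whose unsafe copy sits behind one explicit assert and one compiler-inserted bounds check, and a hypothetical harness wrapper `run_input` that records a safety-check panic separately from an input that actually reaches the unsafe region, which is the distinction a fuzzer needs if it is not to count every such panic as a crash.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Outcome of running one input through the target.
#[derive(Debug, PartialEq)]
pub enum Outcome {
    /// A runtime safety check fired (assert, bounds check, unwrap, ...):
    /// a shallow, well-defined panic, not a memory-safety bug.
    SafetyCheckPanic(String),
    /// The input passed every check and reached the deep, unsafe region.
    ReachedUnsafe(u32),
}

/// Hypothetical target: a tiny length-prefixed record parser. Two runtime
/// checks (one explicit, one compiler-inserted) guard the unsafe copy.
pub fn parse_record(input: &[u8]) -> u32 {
    // Explicit developer-inserted check: header must be 4 bytes.
    assert!(input.len() >= 4, "short header");
    let len = input[0] as usize;
    // Implicit compiler-inserted bounds check: panics if len exceeds the payload.
    let payload = &input[4..4 + len];
    // Deep code: only reachable once both checks pass.
    let mut buf = [0u8; 4];
    let n = payload.len().min(4);
    // SAFETY: src and dst do not overlap and n <= the length of both buffers.
    unsafe { std::ptr::copy_nonoverlapping(payload.as_ptr(), buf.as_mut_ptr(), n) };
    u32::from_le_bytes(buf)
}

/// Harness wrapper: report a safety-check panic separately from an input
/// that genuinely reached the unsafe path, instead of treating every
/// panic as a crash.
pub fn run_input(input: &[u8]) -> Outcome {
    match panic::catch_unwind(AssertUnwindSafe(|| parse_record(input))) {
        Ok(v) => Outcome::ReachedUnsafe(v),
        Err(e) => {
            // The panic payload is a &str for literal messages and a String
            // for formatted ones (e.g. the bounds-check message).
            let msg = e
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| e.downcast_ref::<String>().cloned())
                .unwrap_or_default();
            Outcome::SafetyCheckPanic(msg)
        }
    }
}
```

Only an input whose length byte is consistent with the bytes that follow ever executes the unsafe copy; every other input stops at one of the two checks, which is exactly the shallow region a coverage-guided fuzzer keeps re-exploring.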