[NEW] Try out our (WIP) web demo of Yuga!
[INFO] We have put together a synthetically created database of 27 lifetime annotation bugs, based on patterns obtained from RustSec vulnerability reports.
Yuga is a tool to detect lifetime annotation bugs in Rust [ArXiv]. It is adapted from a fork of Rudra.
To set up the code, clone the repository, `cd` into it, and run the following command (tested on Mac and Ubuntu):

```sh
./install-debug.sh
```
If you face errors, please refer to the instructions in the main Rudra repository for installing Rudra in debug mode.
Our tool can now be run using the `cargo-yuga` subcommand. For any Rust package that we want to analyze, run the following command from within the package folder:

```sh
cargo yuga
```

This will print the reported vulnerabilities, if any, to stdout.
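An added example, not code from the Yuga repository, of the bug class Yuga reports: a hypothetical `Holder` wrapper whose `get_buggy` method declares an output lifetime that is not tied to the borrow of `self`, so safe callers can keep the reference after the owner is freed; `get` is the corrected signature.

```rust
/// Owns a heap value through a raw pointer and frees it on drop
/// (hypothetical type, standing in for an FFI or arena wrapper).
pub struct Holder<T> {
    ptr: *mut T,
}

impl<T> Holder<T> {
    pub fn new(value: T) -> Self {
        Holder { ptr: Box::into_raw(Box::new(value)) }
    }

    /// BUG: `'a` is a free lifetime chosen by the caller and is not linked to
    /// the borrow of `self`, so the returned reference may outlive the Holder
    /// that owns the allocation. rustc accepts this; `escapes_holder` below
    /// compiles only because of it.
    pub fn get_buggy<'a>(&self) -> &'a T {
        unsafe { &*self.ptr }
    }

    /// FIX: with the elided lifetime the reference borrows `self`, so the
    /// borrow checker refuses to let it outlive the Holder.
    pub fn get(&self) -> &T {
        unsafe { &*self.ptr }
    }
}

impl<T> Drop for Holder<T> {
    fn drop(&mut self) {
        // SAFETY: ptr came from Box::into_raw in `new` and is freed exactly once.
        unsafe { drop(Box::from_raw(self.ptr)) };
    }
}

/// Reading the result of this function would be a use-after-free: `holder`
/// is dropped when the function returns, yet the reference escapes. Swapping
/// `get_buggy` for `get` makes rustc reject it ("does not live long enough").
/// Deliberately never called.
#[allow(dead_code)]
pub fn escapes_holder<'a>(value: i32) -> &'a i32 {
    let holder = Holder::new(value);
    holder.get_buggy()
}

/// Correct use: the reference is only dereferenced while `holder` is alive.
pub fn sum_with_holder(value: i32, extra: i32) -> i32 {
    let holder = Holder::new(value);
    *holder.get() + extra
}

fn main() {
    println!("{}", sum_with_holder(40, 2));
}
```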
Here is a list of bugs in public Rust projects detected by Yuga so far:
| Project | Issue/PR | Public/Private API | Status |
|---|---|---|---|
alsa | diwic/alsa-rs#117 | Public | Unconfirmed |
bv | tov/bv-rs#16 | Public | Confirmed with Miri |
pulse-binding-rust | jnqnfe/pulse-binding-rust#53 | Public | Confirmed with Valgrind |
cslice | dherman/cslice#5 | Public | Confirmed with Miri |
json-rust / jzon-rs | maciejhirsz/json-rust#209 | Private | Confirmed by dev |
sled | spacejam/sled#1442 | Private | Confirmed by dev |
tokio | tokio-rs/tokio#5113 | Private | Unconfirmed |