Phase II Amount
$1,486,577
The goal of the ALLSTAR project is to reduce vulnerabilities related to memory safety by migrating legacy C code to Rust. Memory safety bugs cause the majority of the vulnerabilities found in systems software, and Rust prevents memory safety bugs using an advanced type system that thereby eliminates the possibility of memory safety vulnerabilities. In previous work, we have built a tool, C2Rust, that automatically transpiles C code into unsafe Rust, which still contains the same memory safety bugs as the original code. Users can then manually refactor and migrate the resulting unsafe Rust to the safe subset of Rust using the C2Rust refactoring engine to perform a sequence of rewrites of the code. Although we have demonstrated that this approach can produce safe Rust code, the primary barrier to transition of C2Rust is that this requires a high degree of manual work, guided by experts. For the ALLSTAR project, we aim to automate this process as much as possible, thereby greatly reducing the expertise and manual effort required to take advantage of Rusts memory safety guarantees. The key technical difficulty in automating the migration from unsafe C to safe Rust is inferring memory ownership patterns in code. Ownership is a key concept that Rust uses to ensure memory-safety. Every pointer or reference in safe Rust has a type that indicates whether it owns or borrows the object or objects it points to. By tracking ownership explicitly in the type system, and enforcing certain rules about how objects may be borrowed throughout program execution, the Rust compiler ensures that programs obey well-defined ownership patterns that are guaranteed to satisfy memory safety. C code, on the other hand, does not have an explicit notion of ownership, and so ownership patterns are implicit. Migrating C code to safe Rust thus requires inferring the implicit ownership patterns and converting them to explicit ownership patterns expressed in the Rust type system. The ALLSTAR project will solve the problem of inferring ownership patterns in unsafe Rust code using a novel two-part lifting algorithm to lift two different sorts of code into safe Rust. The low-level lifting algorithm lifts code whose ownership patterns map directly to safe Rust by lifting its unsafe pointers to safe Rust types that make their ownership patterns explicit. This algorithm will utilize a novel combination of dynamic analysis and type inference to infer the ownership patterns of pointers that will then be mapped to the corresponding safe Rust types. The high-level lifting algorithm identifies code fragments whose individual operations cannot be lifted to safe Rust but which overall correspond to some API that is known to be safe. The identified code fragments are then replaced by the corresponding safe APIs.