Annotating and Auditing the Safety Properties of Unsafe Rust

Unsafe code is a critical topic in ensuring the security of system software development in Rust. It is the sole source of potential undefined behaviors, assuming the compiler is sound. To avoid the misuse of unsafe code, Rust developers should provide clear safety property annotations for unsafe APIs. However, there is limited official guidance and few best practices for annotating unsafe code. Even the current best practices for safety property annotations in the Rust standard library are ad hoc and informal. In this paper, we design a domain-specific language to describe the safety properties of unsafe APIs, which may serve as a precursor for automated verification in the future. Furthermore, to ensure that the caller of an unsafe API properly delegates the safety property required by the callee, we propose a novel unsafety propagation graph to model the usage and propagation of unsafe code. Based on this graph, we further introduce a method to partition the graph into smaller graphs, such that each graph serves as a self-contained audit unit for examining the soundness of unsafe code encapsulation and safety property annotation. We applied our approach to the Rust standard library, and the experimental results demonstrate that our method is both practical and effective. Additionally, we have fixed safety property description issues in 23 APIs.