Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild

10/21/2020
by Johannes Lauinger, et al.

The Go programming language aims to provide memory and thread safety through measures such as automated memory management with garbage collection and a strict type system. However, it also offers a way of circumventing this safety net through the use of the unsafe package. While there are legitimate use cases for unsafe, developers must exercise caution to avoid introducing vulnerabilities like buffer overflows or memory corruption in general. Using go-geiger, we conducted a study on the usage of unsafe in the top 500 most popular open-source Go projects on GitHub, including a manual analysis of 1,400 code samples on how unsafe is used. From the projects using Go's module system, 38 unsafe usage in the project itself or one of its transitive dependencies. Based on the usage patterns found, we present possible exploit vectors in different scenarios. Finally, we present go-safer, a novel static analysis tool to identify dangerous and common usage patterns that were previously undetected with existing tools.

