Rust Unsafe Auditor

Deep audit of unsafe code in Rust projects. Analyzes every unsafe block, function, trait impl, and FFI boundary for soundness. Verifies safety invariants are documented, raw pointer operations are bounded, and Send/Sync implementations are correct.

Use when: reviewing a Rust crate before publishing, auditing dependencies, preparing for security review, or establishing unsafe policies.

Analysis Steps

1. Project Discovery & Unsafe Census

cat Cargo.toml 2>/dev/null | head -20
grep -i "libc\|winapi\|bindgen\|cc\|ffi\|sys\b" Cargo.toml 2>/dev/null | head -10
find . -name "*.rs" -not -path '*/target/*' | wc -l

# Project-level unsafe policy
grep -rn 'forbid(unsafe_code)\|deny(unsafe_code)' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -5

# Census
echo "=== Unsafe Census ==="
echo -n "Blocks: "; grep -rn 'unsafe\s*{' --include="*.rs" . 2>/dev/null | grep -v 'target/' | wc -l
echo -n "Functions: "; grep -rn 'unsafe\s\+fn' --include="*.rs" . 2>/dev/null | grep -v 'target/' | wc -l
echo -n "Trait impls: "; grep -rn 'unsafe\s\+impl' --include="*.rs" . 2>/dev/null | grep -v 'target/' | wc -l

2. Safety Invariant Documentation

# SAFETY comments (Rust convention)
grep -B1 -A3 'unsafe' --include="*.rs" . 2>/dev/null | grep -i 'SAFETY' | head -20

# Unsafe blocks WITHOUT safety comments
for f in $(grep -rl 'unsafe\s*{' --include="*.rs" . 2>/dev/null | grep -v 'target/'); do
  grep -n 'unsafe\s*{' "$f" | while read match; do
    line=$(echo "$match" | cut -d: -f1); prev=$((line - 1))
    if ! sed -n "${prev}p" "$f" | grep -qi 'safety'; then echo "UNDOCUMENTED: $f:$line"; fi
  done
done | head -20

# Unsafe functions without safety docs
for f in $(grep -rl 'unsafe\s\+fn' --include="*.rs" . 2>/dev/null | grep -v 'target/'); do
  grep -n 'unsafe\s\+fn' "$f" | while read match; do
    line=$(echo "$match" | cut -d: -f1); prev=$((line - 1))
    if ! sed -n "${prev}p" "$f" | grep -q '///\|//!'; then echo "UNDOC_FN: $f:$line"; fi
  done
done | head -15

Flag:

• Missing // SAFETY: comment: every unsafe block must explain why invariants hold (Clippy lint: undocumented_unsafe_blocks)
• Vague safety comments: "this is safe" is invalid — must state the specific invariant
• Missing # Safety section on pub unsafe fn: callers need to know the contract

3. Raw Pointer Analysis

grep -rn 'as \*const\|as \*mut' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -20
grep -rn '\.offset(\|\.add(\|\.sub(' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -15
grep -rn 'from_raw\|into_raw\|from_raw_parts' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -15
grep -rn 'ManuallyDrop\|MaybeUninit\|mem::forget\|mem::transmute' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -15

For each raw pointer operation, verify:

• Non-null: pointer was checked or came from a reference
• Aligned: alignment matches target type (especially after casts)
• Valid for reads/writes: memory is initialized and within allocation bounds
• No aliasing violations: no &T and &mut T to same data simultaneously
• Lifetime correctness: data outlives the pointer (no dangling pointers)
• Ownership clarity: from_raw/into_raw pairs must be 1:1 (double-free or leak otherwise)

4. FFI Boundary Review

grep -rn 'extern\s*"C"' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -15
grep -rn '#\[no_mangle\]' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -10
grep -rn 'CString\|CStr\|c_char\|c_int\|c_void' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -15
find . -name "bindings.rs" -o -name "*_ffi.rs" -not -path '*/target/*' 2>/dev/null | head -5

Check each FFI boundary for:

• Panic across FFI: Rust panics across extern "C" are UB — must use catch_unwind
• String handling: C strings are null-terminated; use CString/CStr, check for interior nulls
• Memory ownership: Rust allocator and C allocator are different — who frees?
• Struct layout: #[repr(C)] required for structs passed to/from C
• Integer sizes: C int is platform-dependent — use c_int, not i32
• Thread safety: C functions may not be thread-safe; document constraints

5. Send/Sync & Transmute

# Manual Send/Sync implementations
grep -rn 'unsafe impl.*Send\|unsafe impl.*Sync' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -15

# Atomic operations
grep -rn 'AtomicBool\|AtomicUsize\|AtomicPtr\|Ordering::' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -10

# Transmute (most dangerous operation)
grep -rn 'mem::transmute\|transmute(' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -10

# mem::zeroed / mem::uninitialized (UB for many types)
grep -rn 'mem::zeroed\|mem::uninitialized' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -10

# Union types
grep -rn 'union\s\+[A-Z]' --include="*.rs" . 2>/dev/null | grep -v 'target/' | head -5

For Send/Sync, verify:

• Send: no thread-local state, no thread-affine OS handles
• Sync: no interior mutability without synchronization (UnsafeCell makes type !Sync by default)
• Ordering correctness: atomic operations must use correct Ordering (common: Relaxed where Acquire/Release needed)

For transmute, flag:

• Transmute to create invalid values: 0u8 to bool, invalid enum discriminants — instant UB
• mem::zeroed on non-zero types: zeroed NonNull, bool, &T, enum is UB
• mem::uninitialized: deprecated since 1.38, always UB — use MaybeUninit

Output Template

# Rust Unsafe Audit — [Crate Name]

## Summary
- Files: N | Edition: 2021 | Unsafe blocks: N | Functions: N | Trait impls: N
- Undocumented unsafe: N (target: 0)
- Audit verdict: PASS / CONDITIONAL / FAIL

## Unsafe Inventory
| # | File:Line | Category | Documented | Verdict |
|---|-----------|----------|-----------|---------|
| 1 | src/lib.rs:45 | Raw pointer deref | Yes | Sound |
| 2 | src/ffi.rs:23 | extern "C" call | No | REVIEW |
| 3 | src/pool.rs:89 | Send impl | Yes | Sound |
| 4 | src/convert.rs:12 | transmute | No | UNSOUND |

## Critical Findings (Potential UB)
### [C1] Transmute Creates Invalid Enum Value
- **File**: src/convert.rs:12
- **Code**: `unsafe { mem::transmute::<u8, MyEnum>(byte) }` — unchecked byte
- **Fix**: Match on byte value, return `Result<MyEnum, InvalidValue>`

### [C2] Panic in extern "C" Callback
- **File**: src/ffi.rs:67
- **Code**: `.unwrap()` in extern "C" fn
- **Fix**: Replace with match + error code, or wrap in `catch_unwind`

## Documentation Gaps
| File | Line | Type | Missing |
|------|------|------|---------|
| src/lib.rs:45 | unsafe block | `// SAFETY:` comment |
| src/ffi.rs:23 | unsafe fn | `# Safety` doc section |

## Recommendations
1. Add `// SAFETY:` comments to N undocumented unsafe blocks
2. Fix N instances of potential UB
3. Add `catch_unwind` to N extern "C" callbacks
4. Run `cargo +nightly miri test` to detect UB dynamically
5. Add `#![deny(unsafe_op_in_unsafe_fn)]` to require scoped unsafe in unsafe fns
6. Consider `#![forbid(unsafe_code)]` for crates that don't need unsafe

Unsafe Reduction Opportunities

Current Unsafe	Safe Alternative
mem::transmute for enum conversion	TryFrom<u8> implementation
Raw pointer array indexing	slice::get_unchecked (still unsafe but bounds-checkable)
from_raw_parts for buffer views	bytemuck::cast_slice (safe, zero-cost)
Manual Send/Sync impl	Wrap inner type in Arc<Mutex<T>>

Tips

• Run cargo +nightly miri test to dynamically detect undefined behavior
• Run cargo clippy -- -W clippy::undocumented_unsafe_blocks to enforce safety comments
• Use cargo geiger to count unsafe across the dependency tree
• Use cargo audit to check for known vulnerabilities
• Prefer NonNull<T> over *mut T to encode non-null invariant in the type system
• Consider bytemuck for safe type punning of POD types
• Enable #![deny(unsafe_op_in_unsafe_fn)] (Rust 2024 default)