[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-81484-en":3,"doc-seo-81484-105":29,"detail-sidebar-cat-0-en-105":90},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},81484,1099513958607,"Jiven","https://ap-avatar.wpscdn.com/avatar/100002390cf8733938c?x-image-process=image/resize,m_fixed,w_180,h_180&k=1778829742770036399",6,"Technology","Ruby: Unmasking Unsafe Rust in Stripped Binaries via Machine Learning","Rust introduces unsafe blocks to bypass compile-time safety checks, yet memory-safety bugs concentrate inside unsafe regions. Existing Rust bug-finding tools depend on the unsafe keyword in source code and cannot locate unsafe areas in binaries. RUBY is proposed as a machine-learning tool that detects unsafe regions from subtle instruction differences, identifying 91.75% of unsafe regions with 6.16% false positives. RUBY further accelerates symbolic execution and fuzzing, achieving 57.95% and 21.26% speed-ups, and supports confirming and patching five Android library bugs.","Ruby: Unmasking Unsafe Rust in Stripped Binaries  \nvia Machine Learning  \nXiang Cheng∗ , Sangdon Park∗†, HyungSeok Han‡, Xiaokuan Zhang§ and Taesoo Kim  \nGeorgia Institute of Technology, †Pohang University of Science and Technology, ‡Microsoft, § George Mason University  \narXiv :2211 .00 1 1 1v 3 [ cs .CR] 10 Jul 2026  \nAbstract—Rust, as an emerging system programming language, introduces unsafe to allow developers to bypass safety checks during compilation. As a result, memory safety bugs are typically confined to the unsafe regions, which have been the primary focus of Rust bug-finding tools. However, such tools rely on the presence of the unsafe keyword in Rust source code; there are no tools available that can examine Rust binaries to pinpoint unsafe areas. Therefore, we propose RUBY, the first tool that unmasks unsafe regions in Rust binaries using machine learning. By capturing the subtle differences in the binary instructions, RUBY can identify 91.75% of the total unsafe regions with a false positive rate of 6.16%, beating SOTA LLM models including GPT-5.2, Claude-4.5 and Gemini-3. We further applied RUBY to guide symbolic execution and fuzzing, showing a speed-up of 57.95% and 21.26%, with five bugs confirmed and patched by Google in Android library fuzzing.  \nIndex Terms—Rust, Memory Safety, Machine learning  \nI. INTRODUCTION  \nRust is a rapidly growing systems programming language due to its focus on enhancing memory safety [66] and addressing memory safety vulnerabilities [43, 26] . For example, Rust has been employed in system software such as Mozilla Firefox, Google Chrome [27], Linux kernel modules [58], Windows kernel components [67], and various other device drivers [59] .  \nTo achieve memory safety while providing flexibility, Rust is divided into safe and unsafe code regions. Safe Rust is a strongly typed language that ensures memory safety through compile-time checks. However, its strict rules can limit the ability to implement certain features (e.g., resource sharing, lowlevel assembly) commonly needed in systems programming. To overcome this, unsafe Rust is employed, shifting the responsibility of memory safety checks from the compiler to the developers. In particular, unsafe Rust enables the execution of hazardous operations [65] such as dereferencing pointers or interfacing with external C libraries.  \nRust Memory Safety Bugs: Source Code Analysis. Despite the memory safety mechanism in Rust, more than 360 memory safety bugs have been found in Rust programs in the last five years [28] . The primary reason is that the strict rules of safe Rust often necessitate developers to engage with unsafe Rust, which can lead to memory safety bugs when developers fail to manually verify unsafe regions [4, 24] . For example, cyclic types (e.g., doubly-linked lists) cannot be implemented without resorting to unsafe Rust. Additionally, developers might inadvertently introduce unsafe Rust code when utilizing libraries that contain unsafe regions.  \n*These authors contributed equally to this work.  \nTo find and fix memory-safe bugs in Rust programs, a rich line of prior work (e.g., [6, 80, 44, 39, 13, 40, 32, 11, 83, 17]) has focused on analyzing the unsafe regions in Rust source code. For example, Rudra [6] presented three important patterns of memory safety bugs in unsafe Rust and identified these bugs through static analysis of the unsafe regions; RPG [80] prioritized fuzzing unsafe regions in Rust libraries to more efficiently identify memory safety bugs; ERASAN [44] proposed a more efficient address sanitizer [61] for Rust programs, leveraging the characteristics of unsafe regions.  \nOur Focus: Rust Binary Analysis. While source-level analysis has advanced significantly in detecting memory safety issues, it is fundamentally constrained by the requirement for source code accessibility. This limitation is increasingly acute as Rust is adopted in commercial and security-critical sectors where proprietary codebases are t","cbCaiawNRFp9ENPP","https://ap.wps.com/l/cbCaiawNRFp9ENPP","pdf",911511,1,15,"English","en",105,"# Introduction\n## Rust memory safety and unsafe Rust\n## Rust memory safety bugs: source code analysis\n## Focus: Rust binary analysis","[{\"question\":\"Why are memory-safety bugs in Rust often located in unsafe regions?\",\"answer\":\"unsafe Rust bypasses compile-time memory safety checks, so hazards like pointer dereferencing and C interfacing shift responsibility to developers. Bugs therefore tend to appear within unsafe regions where these checks are not enforced.\"},{\"question\":\"What limitation prevents existing tools from identifying unsafe areas in Rust binaries?\",\"answer\":\"Most tools rely on the presence of the unsafe keyword in Rust source code. After compilation, binaries lack that keyword, so unsafe regions cannot be directly pinpointed.\"},{\"question\":\"How does RUBY identify unsafe regions when only stripped binaries are available?\",\"answer\":\"RUBY learns from subtle differences in binary instructions to recover unsafe regions without source annotations. It reports 91.75% of unsafe regions with a 6.16% false positive rate, outperforming SOTA LLM models.\"}]",1784173738,38,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":85,"head_meta":87,"extra_data":89,"updated_unix":27},"ruby-unmasking-unsafe-rust-in-stripped-binaries-via-machine-learning","",{"@graph":35,"@context":84},[36,53,67],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/ruby-unmasking-unsafe-rust-in-stripped-binaries-via-machine-learning/81484/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":61,"encodingFormat":60,"isAccessibleForFree":62,"interactionStatistic":63},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-16",true,{"@type":64,"interactionType":65,"userInteractionCount":4},"InteractionCounter",{"@type":66},"ViewAction",{"@type":68,"mainEntity":69},"FAQPage",[70,76,80],{"name":71,"@type":72,"acceptedAnswer":73},"Why are memory-safety bugs in Rust often located in unsafe regions?","Question",{"text":74,"@type":75},"unsafe Rust bypasses compile-time memory safety checks, so hazards like pointer dereferencing and C interfacing shift responsibility to developers. Bugs therefore tend to appear within unsafe regions where these checks are not enforced.","Answer",{"name":77,"@type":72,"acceptedAnswer":78},"What limitation prevents existing tools from identifying unsafe areas in Rust binaries?",{"text":79,"@type":75},"Most tools rely on the presence of the unsafe keyword in Rust source code. After compilation, binaries lack that keyword, so unsafe regions cannot be directly pinpointed.",{"name":81,"@type":72,"acceptedAnswer":82},"How does RUBY identify unsafe regions when only stripped binaries are available?",{"text":83,"@type":75},"RUBY learns from subtle differences in binary instructions to recover unsafe regions without source annotations. It reports 91.75% of unsafe regions with a 6.16% false positive rate, outperforming SOTA LLM models.","https://schema.org",{"og:url":51,"og:type":86,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":88,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":91},[92,96,100,104,109,112,117,122,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":93,"show_sort_weight":94,"slug":95},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":97,"show_sort_weight":98,"slug":99},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":101,"show_sort_weight":102,"slug":103},"Exam",70,"exam",{"id":105,"doc_module":4,"doc_module_name":45,"category_name":106,"show_sort_weight":107,"slug":108},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":110,"slug":111},50,"technology",{"id":113,"doc_module":4,"doc_module_name":45,"category_name":114,"show_sort_weight":115,"slug":116},7,"Healthcare",40,"healthcare",{"id":118,"doc_module":4,"doc_module_name":45,"category_name":119,"show_sort_weight":120,"slug":121},8,"Research & Report",30,"research-report",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},9,"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":105,"slug":137},19,"General","general"]