The unreasonable effectiveness of LLMs for auditing Rust code (shnatsel.medium.com)

🤖 AI Summary
A recent exploration of using large language models (LLMs), specifically GPT-5.5, to audit Rust code found them impressively effective at identifying vulnerabilities. The lead of the Rust Secure Code Working Group gained access to GPT-5.5 through Codex and discovered numerous issues, including memory safety bugs. Despite Rust's reputation for safety, such bugs can still arise when code interacts with C libraries or uses unsafe code. The findings indicate that LLMs can significantly streamline the auditing process, especially when combined with tools like Miri, which verifies memory safety in Rust code by running it in an interpreter to catch errors unambiguously.

The significance of this approach lies in its potential to enhance the security of Rust applications, making it easier for developers to identify and address vulnerabilities without overwhelming maintainers with invalid reports. The audit uncovered various types of bugs, including out-of-bounds writes and use-after-free errors, highlighting LLMs' ability to reason about complex Rust-specific concepts. While LLMs excel at spotting issues, the current methodology still does not guarantee the absence of vulnerabilities, which underlines the need for a multi-layered auditing strategy that combines LLM insights with traditional techniques. This use of AI tools promises to improve software security practices within the Rust community and beyond.