Rust ensures memory safety via ownership, borrowing, and the aliasing-exclusivity principle (AXM); however, mixed-code constructs—such as `unsafe` blocks, foreign function interfaces (FFI), and inline assembly—bypass static compiler checks and constitute a major source of vulnerabilities. This paper presents CapsLock, the first hardware-assisted dynamic detection mechanism for mixed Rust code, enforcing ownership and AXM semantics at the machine-code level across language boundaries. CapsLock introduces a novel “use-once” capability abstraction, tightly integrating RISC-V CHERI capabilities with a lightweight runtime monitor within a QEMU-based prototype. The design achieves low-overhead spatial and temporal memory safety while maintaining compatibility with 99.7% of mainstream crate test cases. Evaluation on eight real-world Rust projects uncovers previously unknown memory-safety vulnerabilities.

The Rust programming language enforces three basic Rust principles, namely ownership, borrowing, and AXM (Aliasing Xor Mutability) to prevent security bugs such as memory safety violations and data races. However, Rust projects often have mixed code, i.e., code that also uses unsafe Rust, FFI (Foreign Function Interfaces), and inline assembly for low-level control. The Rust compiler is unable to statically enforce Rust principles in mixed Rust code which can lead to many security vulnerabilities. In this paper, we propose CapsLock, a security enforcement mechanism that can run at the level of machine code and detect Rust principle violations at run-time in mixed code. CapsLock is kept simple enough to be implemented into recent capability-based hardware abstractions that provide low-cost spatial memory safety. CapsLock introduces a novel revoke-on-use abstraction for capability-based designs, wherein accessing a memory object via a capability implicitly invalidates certain other capabilities pointing to it, thereby also providing temporal memory safety automatically, without requiring software to explicitly specify such invalidation. Thus, CapsLock is the first mechanism capable of providing cross-language enforcement of Rust principles. We implemented a prototype of CapsLock on QEMU. Evaluation results show that CapsLock is highly compatible with existing Rust code (passing 99.7% of the built-in test cases of the 100 most popular crates) and flags Rust principle violations in real-world Rust projects that use FFI or inline assembly. We discovered 8 previously unknown bugs in such crates in our experiments.