Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
164 tokens/sec
GPT-4o
10 tokens/sec
Gemini 2.5 Pro Pro
47 tokens/sec
o3 Pro
5 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

A Hybrid Approach to Semi-automated Rust Verification (2403.15122v3)

Published 22 Mar 2024 in cs.PL

Abstract: We propose a hybrid approach to end-to-end Rust verification where the proof effort is split into powerful automated verification of safe Rust and targeted semi-automated verification of unsafe Rust. To this end, we present Gillian-Rust, a proof-of-concept semi-automated verification tool built on top of the Gillian platform that can reason about type safety and functional correctness of unsafe code. Gillian-Rust automates a rich separation logic for real-world Rust, embedding the lifetime logic of RustBelt and the parametric prophecies of RustHornBelt, and is able to verify real-world Rust standard library code with only minor annotations and with verification times orders of magnitude faster than those of comparable tools. We link Gillian-Rust with Creusot, a state-of-the-art verifier for safe Rust, by providing a systematic encoding of unsafe code specifications that Creusot can use but cannot verify, demonstrating the feasibility of our hybrid approach.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (29)
  1. How do programmers use unsafe rust? Proceedings of the ACM on Programming Languages 4, OOPSLA (Nov. 2020), 136:1–136:27. https://doi.org/10.1145/3428204
  2. Leveraging rust types for modular specification and verification. Proceedings of the ACM on Programming Languages 3, OOPSLA (Oct. 2019), 147:1–147:30. https://doi.org/10.1145/3360573
  3. A Tool for Checking ANSI-C Programs. In Tools and Algorithms for the Construction and Analysis of Systems (Lecture Notes in Computer Science), Kurt Jensen and Andreas Podelski (Eds.). Springer, Berlin, Heidelberg, 168–176. https://doi.org/10.1007/978-3-540-24730-2_15
  4. Kees Cook. 2022. [GIT PULL] Rust introduction for v6.1-rc1. https://lore.kernel.org/lkml/202210010816.1317F2C@keescook. Accessed: Nov. 16th 2023.
  5. Sound Automation of Magic Wands. In Computer Aided Verification (Lecture Notes in Computer Science), Sharon Shoham and Yakir Vizel (Eds.). Springer International Publishing, Cham, 130–151. https://doi.org/10.1007/978-3-031-13188-2_7
  6. Xavier Denis and Jacques-Henri Jourdan. 2023. Specifying and Verifying Higher-order Rust Iterators. In Tools and Algorithms for the Construction and Analysis of Systems (Lecture Notes in Computer Science), Sriram Sankaranarayanan and Natasha Sharygina (Eds.). Springer Nature Switzerland, Cham, 93–110. https://doi.org/10.1007/978-3-031-30820-8_9
  7. Creusot: a Foundry for the Deductive Verification of Rust Programs. Springer Verlag. https://hal.inria.fr/hal-03737878
  8. Nima Rahimi Foroushaani and Bart Jacobs. 2022. Modular Formal Verification of Rust Programs with Unsafe Blocks. https://doi.org/10.48550/arXiv.2212.12976 arXiv:2212.12976 [cs].
  9. Gillian, part i: a multi-language platform for symbolic execution. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2020). Association for Computing Machinery, New York, NY, USA, 927–942. https://doi.org/10.1145/3385412.3386014
  10. Unsafe Code Guidelines Working Group. 2023. Structs and Tuples - Memory Layout - Unsafe Code Guidelines. https://github.com/rust-lang/unsafe-code-guidelines/blob/50f8ff4b6892f98740de3b375e4d4bda10b9da9f/reference/src/layout/structs-and-tuples.md Accessed: Nov. 16 2019.
  11. Son Ho and Jonathan Protzenko. 2022. Aeneas: Rust verification by functional translation. Proceedings of the ACM on Programming Languages 6, ICFP (Aug. 2022), 116:711–116:741. https://doi.org/10.1145/3547647
  12. A Quick Tour of the VeriFast Program Verifier. In Programming Languages and Systems (Lecture Notes in Computer Science), Kazunori Ueda (Ed.). Springer, Berlin, Heidelberg, 304–311. https://doi.org/10.1007/978-3-642-17164-2_21
  13. Ralf Jung. 2018. Two Kinds of Invariants: Safety and Validity. https://www.ralfj.de/blog/2018/08/22/two-kinds-of-invariants.html Accessed: June 19th 2023.
  14. Stacked borrows: an aliasing model for Rust. Proceedings of the ACM on Programming Languages 4, POPL (Dec. 2019), 41:1–41:32. https://doi.org/10.1145/3371109
  15. RustBelt: securing the foundations of the Rust programming language. Proceedings of the ACM on Programming Languages 2, POPL (Dec. 2017), 66:1–66:34. https://doi.org/10.1145/3158154
  16. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming 28 (2018), e20. https://doi.org/10.1017/S0956796818000151
  17. The future is ours: prophecy variables in separation logic. Proceedings of the ACM on Programming Languages 4, POPL (Dec. 2019), 45:1–45:32. https://doi.org/10.1145/3371113
  18. Ralf Jung and Neven Villani. 2023. From Stacks to Trees: A new aliasing model for Rust. https://www.ralfj.de/blog/2023/06/02/tree-borrows.html Accessed: Nov. 16 2019.
  19. Verus: Verifying Rust Programs using Linear Ghost Types. Proceedings of the ACM on Programming Languages 7, OOPSLA1 (April 2023), 85:286–85:315. https://doi.org/10.1145/3586037
  20. Flux: Liquid Types for Rust. https://doi.org/10.48550/arXiv.2207.04034 arXiv:2207.04034 [cs].
  21. The CompCert Memory Model, Version 2. report. INRIA. https://hal.inria.fr/hal-00703441 Pages: 26.
  22. Daniël Louwrink. 2021. A Separation Logic for Stacked Borrows. Report. https://eprints.illc.uva.nl/id/eprint/1790/
  23. Gillian, Part II: Real-World Verification for JavaScript and C. In Computer Aided Verification (Lecture Notes in Computer Science), Alexandra Silva and K. Rustan M. Leino (Eds.). Springer International Publishing, Cham, 827–850. https://doi.org/10.1007/978-3-030-81688-9_38
  24. Nicholas D. Matsakis and Felix S. Klock. 2014. The rust language. ACM SIGAda Ada Letters 34, 3 (Oct. 2014), 103–104. https://doi.org/10.1145/2692956.2663188
  25. RustHornBelt: a semantic foundation for functional verification of Rust programs with unsafe code. In Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2022). Association for Computing Machinery, New York, NY, USA, 841–856. https://doi.org/10.1145/3519939.3523704
  26. RustHorn: CHC-based Verification for Rust Programs. ACM Transactions on Programming Languages and Systems 43, 4 (Oct. 2021), 15:1–15:54. https://doi.org/10.1145/3462205
  27. The Coq Team. 2023a. The Coq Proof Assistant. https://coq.inria.fr/ Accessed: Nov. 16th 2023.
  28. The Kani Team. 2023b. How Open Source Projects are Using Kani to Write Better Software in Rust | AWS Open Source Blog. https://aws.amazon.com/blogs/opensource/how-open-source-projects-are-using-kani-to-write-better-software-in-rust/ Accessed: Nov. 13th 2023.
  29. The Rust Team. 2023c. Rust Programming Language. https://www.rust-lang.org/ Accessed: Nov. 16th 2023.
Citations (6)
View on Semantic Scholar

Summary

  • The paper introduces Gillian-Rust, a novel tool that semi-automatically verifies unsafe Rust code using parametric separation logic.
  • It integrates Creusot’s verification for safe Rust, aligning specifications to prove assertions in mixed-codebases.
  • The approach leverages a hybrid symbolic heap model and automated lifetime tracking to manage mutable borrows and complex memory operations.

A Hybrid Approach to Semi-Automated Rust Verification

The paper "A hybrid approach to semi-automated Rust verification" explores a promising methodology for the verification of Rust programs, particularly focusing on those that include 'unsafe' code segments. Unlike many existing tools that primarily cater to verifying safe Rust, this hybrid approach leverages the unique constructs of the Rust language to facilitate a more thorough and automated verification process for both safe and unsafe code segments.

Rust is increasingly adopted in system programming due to its guarantees of memory safety and performance efficiency, attributes primarily supported by its ownership type system and borrow checker. However, the verification of unsafe Rust code, which is often used for system-level programming and requires careful management due to operations like raw pointer dereferencing and potential undefined behaviors, remains a challenging area that necessitates more robust verification strategies.

Gillian-Rust: A Novel Verification Tool

The paper introduces Gillian-Rust, a semi-automated verification tool built upon the Gillian platform. This tool integrates powerful automated verification technologies, specifically targeting the 'unsafe' segments of Rust code. Gillian-Rust is capable of reasoning about type safety and functional correctness by leveraging a parametric separation logic, which is essential for handling complex unsafe operations. It builds upon the lifetime logic of RustBelt and RustHornBelt's introduction of parametric prophecies, aiming to provide a scalable and user-friendly approach to verifying real-world Rust code.

Through its integration with Creusot, a leading verifier for safe Rust, Gillian-Rust aligns specifications for unsafe code that Creusot may describe but not verify. This connection demonstrates the viability of this hybrid approach, allowing for end-to-end verification of Rust programs.

Key Challenges and Solutions

The paper identifies and addresses critical challenges such as:

  1. Alignment of Safe and Unsafe Code Verification: Rust verification tools like Creusot may efficiently handle safe code but often fall short with unsafe code. Gillian-Rust overcomes this by encoding Creusot specifications into its assertion language and proving those assertions using separation logic.
  2. Real-World Rust Memory Model: Unlike traditional memory models, Rust's needs were met through a hybrid symbolic heap representation, enabling efficient automated reasoning and supporting pointer arithmetic without locking into particular memory layouts.
  3. Combating Lifetimes and Mutable Borrows: Gillian-Rust ingeniously adopts a symbolic execution environment enhanced with lifetime contexts and guarded predicates, facilitating automatic operations on mutable borrows without manual intervention. This automation significantly eases the proof process.

Implications and Future Developments

The Gillian-Rust tool represents a significant move toward scalable verification of Rust programs that use unsafe code blocks. By bridging the gap between the abstract, streamlined verification of safe code and the rigorous, detail-oriented analysis required for unsafe code, it paves the way for more inclusive verification practices in Rust programming.

Future work may focus on extending the current capabilities to encompass more Rust features, sharpening the automation of specification translation, and further integrating concurrency and shared references. Formal verification of these tools ensures foundational accuracy and soundness, especially as Rust's role in critical systems grows.

In conclusion, this hybrid approach to Rust verification embodies a structured, technical methodology, addressing both theoretical and practical challenges faced in the domain. This integration fosters a flexible yet powerful environment for developers to safely and efficiently harness Rust's full potential, particularly in system-level and performance-critical applications.

X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

Reddit Logo Streamline Icon: https://streamlinehq.com

Reddit

  1. A hybrid approach to semi-automated Rust verification (41 points, 15 comments)