article

Open Access

RustBelt: securing the foundations of the Rust programming language

Authors:
Ralf Jung

MPI-SWS, Germany

MPI-SWS, Germany
View Profile

,
Jacques-Henri Jourdan

MPI-SWS, Germany

MPI-SWS, Germany
View Profile

,
Robbert Krebbers

Delft University of Technology, Netherlands

Delft University of Technology, Netherlands
View Profile

,
Derek Dreyer

MPI-SWS, Germany

MPI-SWS, Germany
View Profile

Proceedings of the ACM on Programming Languages Volume 2 Issue POPLArticle No.: 66pp 1–34https://doi.org/10.1145/3158154

Published:27 December 2017Publication History

Proceedings of the ACM on Programming Languages

Abstract

Rust is a new systems programming language that promises to overcome the seemingly fundamental tradeoff between high-level safety guarantees and low-level control over resource management. Unfortunately, none of Rust's safety claims have been formally proven, and there is good reason to question whether they actually hold. Specifically, Rust employs a strong, ownership-based type system, but then extends the expressive power of this core type system through libraries that internally use unsafe features. In this paper, we give the first formal (and machine-checked) safety proof for a language representing a realistic subset of Rust. Our proof is extensible in the sense that, for each new Rust library that uses unsafe features, we can say what verification condition it must satisfy in order for it to be deemed a safe extension to the language. We have carried out this verification for some of the most important libraries that are used throughout the Rust ecosystem.

Supplemental Material

rustbelt.webm

webm

121.9 MB

Download

Available for Download

zip

popl18-p202-aux.zip (248.3 KB)

This is the artifact accompanying the paper "RustBelt: Securing the Foundations of the Rust Programming Language". You can find the latest version of this artifact online at <https://gitlab.mpi-sws.org/FP/LambdaRust-coq>. This archive contains the `popl18` tag of the aforementioned repository. A full VM image containing the artifact and all its dependencies is available at <https://doi.org/10.5281/zenodo.1115560>.

References

David Abrahams. 1998. Exception-safety in generic components. In International Seminar on Generic Programming (LNCS). Google ScholarCross Ref
Amal Ahmed, Andrew W. Appel, Christopher D. Richards, Kedar N. Swadi, Gang Tan, and Daniel C. Wang. 2010. Semantic foundations for typed assembly languages. TOPLAS 32, 3 (2010), 1–67. Google ScholarDigital Library
Amal Ahmed, Matthew Fluet, and Greg Morrisett. 2005. A step-indexed model of substructural state. In ICFP. Google ScholarDigital Library
Amal Ahmed, Matthew Fluet, and Greg Morrisett. 2007. L 3 : A linear language with locations. Fundamenta Informaticae 77, 4 (2007), 397–449.Google ScholarDigital Library
Amal Jamil Ahmed. 2004. Semantics of types for mutable state. Ph.D. Dissertation. Princeton University.Google ScholarDigital Library
Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, and Gernot Heiser. 2016. Cogent: Verifying high-assurance file system implementations. In ASPLOS. Google ScholarDigital Library
Andrew W. Appel. 2001. Foundational proof-carrying code. In LICS. Google ScholarCross Ref
Andrew W. Appel. 2007. Compiling with Continuations. Cambridge University Press.Google ScholarDigital Library
Andrew W. Appel (Ed.). 2014. Program Logics for Certified Compilers. Cambridge University Press. Google ScholarCross Ref
Andrew W. Appel and David McAllester. 2001. An indexed model of recursive types for foundational proof-carrying code. TOPLAS 5 (2001). Google ScholarDigital Library
Andrew W. Appel, Paul-André Melliès, Christopher Richards, and Jérôme Vouillon. 2007. A very modal model of a modern, major, general type system. In POPL. Google ScholarDigital Library
Thibaut Balabonski, François Pottier, and Jonathan Protzenko. 2016. The design and formalization of Mezzo, a permissionbased programming language. TOPLAS 38, 4 (2016). Google ScholarDigital Library
Ariel Ben-Yehuda. 2015a. Can mutate in match-arm using a closure. Rust issue #27282. https://github.com/rust- lang/rust/ issues/27282 .Google Scholar
Ariel Ben-Yehuda. 2015b. dropck can be bypassed via a trait object method. Rust issue #26656. https://github.com/rust- lang/ rust/issues/26656 .Google Scholar
Ariel Ben-Yehuda. 2015c. std::thread::JoinGuard (and scoped) are unsound because of reference cycles. Rust issue #24292. https://github.com/rust- lang/rust/issues/24292 .Google Scholar
Christophe Biocca. 2017. std::vec::IntoIter::as_mut_slice borrows &self, returns &mut of contents. Rust issue #39465. https://github.com/rust- lang/rust/issues/39465 .Google Scholar
John Boyland. 2003. Checking interference with fractional permissions. In SAS (LNCS). Google ScholarCross Ref
Arthur Charguéraud and François Pottier. 2017. Temporary read-only permissions for separation logic. In ESOP (LNCS). Google ScholarCross Ref
David G. Clarke, John M. Potter, and James Noble. 1998. Ownership types for flexible alias protection. In OOPSLA. Google ScholarDigital Library
The Coq team. 2017. The Coq proof assistant. https://coq.inria.fr/ .Google Scholar
Robert DeLine and Manuel Fähndrich. 2001. Enforcing high-level protocols in low-level software. In PLDI. Google ScholarDigital Library
Thomas Dinsdale-Young, Lars Birkedal, Philippa Gardner, Matthew J. Parkinson, and Hongseok Yang. 2013. Views: Compositional reasoning for concurrent programs. In POPL. Google ScholarDigital Library
Thomas Dinsdale-Young, Mike Dodds, Philippa Gardner, Matthew J. Parkinson, and Viktor Vafeiadis. 2010. Concurrent abstract predicates. In ECOOP (LNCS). Google ScholarCross Ref
Mike Dodds, Xinyu Feng, Matthew J. Parkinson, and Viktor Vafeiadis. 2009. Deny-guarantee reasoning. In ESOP (LNCS). Google ScholarDigital Library
Derek Dreyer, Amal Ahmed, and Lars Birkedal. 2011. Logical step-indexed logical relations. LMCS 7, 2:16 (2011). Google ScholarCross Ref
Derek Dreyer, Georg Neis, Andreas Rossberg, and Lars Birkedal. 2010. A relational modal logic for higher-order stateful ADTs. In POPL. Google ScholarDigital Library
Manuel Fähndrich and Robert DeLine. 2002. Adoption and Focus: Practical Linear Types for Imperative Programming. In PLDI. Google ScholarDigital Library
Matthew Fluet, Greg Morrisett, and Amal J. Ahmed. 2006. Linear regions are all you need. In ESOP (LNCS). Google ScholarDigital Library
Douglas Gregor and Sibylle Schupp. 2003. Making the usage of STL safe. In IFIP TC2 / WG2.1 Working Conference on Generic Programming. Google ScholarCross Ref
Dan Grossman, J. Gregory Morrisett, Trevor Jim, Michael W. Hicks, Yanling Wang, and James Cheney. 2002. Region-Based Memory Management in Cyclone. In PLDI. Google ScholarDigital Library
ISO Working Group 21. 2011. Programming languages – C++.Google Scholar
Jonas Braband Jensen and Lars Birkedal. 2012. Fictional separation logic. In ESOP (LNCS). Google ScholarDigital Library
Trevor Jim, J. Gregory Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In USENIX ATC.Google ScholarDigital Library
Ralf Jung. 2017. MutexGuard〈Cell〈i32〉〉 must not be Sync. Rust issue #41622. https://github.com/rust- lang/rust/issues/ 41622 .Google Scholar
Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2017a. RustBelt: Securing the foundations of the Rust programming language – Technical appendix and Coq development. https://plv.mpi- sws.org/rustbelt/popl18/ .Google Scholar
Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In ICFP. Google ScholarDigital Library
Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleš Bizjak, Lars Birkedal, and Derek Dreyer. 2017b. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. (2017). Conditionally accepted to Journal of Functional Programming.Google Scholar
Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning. In POPL. Google ScholarDigital Library
Jan-Oliver Kaiser, Hoang-Hai Dang, Derek Dreyer, Ori Lahav, and Viktor Vafeiadis. 2017. Strong logic for weak memory: Reasoning about release-acquire consistency in Iris. In ECOOP.Google Scholar
Robbert Krebbers. 2015. The C standard formalized in Coq. Ph.D. Dissertation. Radboud University.Google Scholar
Robbert Krebbers, Ralf Jung, Aleš Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. 2017a. The essence of higher-order concurrent separation logic. In ESOP (LNCS). Google ScholarDigital Library
Robbert Krebbers, Amin Timany, and Lars Birkedal. 2017b. Interactive proofs in higher-order concurrent separation logic. In POPL. Google ScholarDigital Library
Neelakantan R. Krishnaswami, Aaron Turon, Derek Dreyer, and Deepak Garg. 2012. Superficially substructural types. In ICFP. Google ScholarDigital Library
Morten Krogh-Jespersen, Kasper Svendsen, and Lars Birkedal. 2017. A relational model of types-and-effects in higher-order concurrent separation logic. In POPL. Google ScholarDigital Library
Juneyoung Lee, Yoonseung Kim, Youngju Song, Chung-Kil Hur, Sanjoy Das, David Majnemer, John Regehr, and Nuno P. Lopes. 2017. Taming undefined behavior in LLVM. In PLDI. Google ScholarDigital Library
Xavier Leroy, Andrew Appel, Sandrine Blazy, and Gordon Stewart. 2012. The CompCert memory model, version 2. Technical Report RR-7987. Inria.Google Scholar
Nicholas D. Matsakis. 2016a. Introducing MIR. https://blog.rust- lang.org/2016/04/19/MIR.html .Google Scholar
Nicholas D. Matsakis. 2016b. Non-lexical lifetimes: Introduction. http://smallcultfollowing.com/babysteps/blog/2016/04/27/ non- lexical- lifetimes- introduction/ .Google Scholar
Nicholas D. Matsakis and Felix S. Klock II. 2014. The Rust language. In SIGAda Ada Letters, Vol. 34. Google ScholarDigital Library
Robin Milner. 1978. A theory of type polymorphism in programming. J. Comput. System Sci. 17, 3 (1978), 348–375. Google ScholarCross Ref
Aleksandar Nanevski, Ruy Ley-Wild, Ilya Sergey, and Germán Andrés Delbianco. 2014. Communicating state transition systems for fine-grained concurrent resources. In ESOP (LNCS). Google ScholarDigital Library
Aleksandar Nanevski, Greg Morrisett, Avraham Shinnar, Paul Govereau, and Lars Birkedal. 2008. Ynot: Dependent types for imperative programs. In ICFP. Google ScholarDigital Library
Liam O’Connor, Zilin Chen, Christine Rizkallah, Sidney Amani, Japheth Lim, Toby Murray, Yutaka Nagashima, Thomas Sewell, and Gerwin Klein. 2016. Refinement through restraint: Bringing down the cost of verification. In ICFP. Google ScholarDigital Library
Peter W. O’Hearn. 2007. Resources, concurrency, and local reasoning. Theoretical computer science 375, 1-3 (2007). Google ScholarDigital Library
Gordon Plotkin. 1973. Lambda-definability and logical relations. Unpublished manuscript.Google Scholar
Eric Reed. 2015. Patina: A formalization of the Rust programming language. Master’s thesis. University of Washington.Google Scholar
John C. Reynolds. 2002. Separation logic: A logic for shared mutable data structures. In LICS. Google ScholarCross Ref
The Rust team. 2016. Drop Check. In The Rustonomicon. https://doc.rust- lang.org/nomicon/dropck.html .Google Scholar
The Rust team. 2017. The Rust programming language. http://rust- lang.org/ .Google Scholar
Simon Sapin. 2015. Add std::cell::Ref::map and friends. Rust PR #25747. https://github.com/rust- lang/rust/pull/25747# issuecomment- 105175235 .Google Scholar
Josh Stone and Nicholas D. Matsakis. 2017. The Rayon library. https://crates.io/crates/rayon .Google Scholar
Bjarne Stroustrup. 2012. Foundations of C++. In ESOP. Google ScholarDigital Library
Kasper Svendsen and Lars Birkedal. 2014. Impredicative concurrent abstract predicates. In ESOP (LNCS). Google ScholarDigital Library
Nikhil Swamy, Cătălin Hriţcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoue, and Santiago Zanella-Béguelin. 2016. Dependent types and multi-monadic effects in F*. In POPL. Google ScholarDigital Library
David Swasey, Deepak Garg, and Derek Dreyer. 2017. Robust and compositional verification of object capability patterns. In OOPSLA (PACMPL). Google ScholarDigital Library
W. W. Tait. 1967. Intensional interpretations of functionals of finite type I. Journal of Symbolic Logic 32, 2 (1967). Google ScholarCross Ref
Joseph Tassarotti, Ralf Jung, and Robert Harper. 2017. A higher-order logic for concurrent termination-preserving refinement. In ESOP (LNCS). Google ScholarDigital Library
Amin Timany, Léo Stefanesco, Morten Krogh-Jespersen, and Lars Birkedal. 2018. A Logical Relation for Monadic Encapsulation of State: Proving contextual equivalences in the presence of runST. Accepted to POPL.Google Scholar
John Toman, Stuart Pernsteiner, and Emina Torlak. 2015. CRUST: A bounded verifier for Rust. In ASE.Google Scholar
Jesse A. Tov and Riccardo Pucella. 2011. Practical affine types. In POPL. Google ScholarDigital Library
Aaron Turon. 2015a. Abstraction without overhead: Traits in Rust. https://blog.rust- lang.org/2015/05/11/traits.html .Google Scholar
Aaron Turon. 2015b. Implied bounds on nested references + variance = soundness hole. Rust issue #25860. https: //github.com/rust- lang/rust/issues/25860 .Google Scholar
Aaron Turon, Derek Dreyer, and Lars Birkedal. 2013. Unifying refinement and Hoare-style reasoning in a logic for higher-order concurrency. In ICFP. Google ScholarDigital Library
Philip Wadler. 1990. Linear types can change the world! In Programming Concepts and Methods.Google Scholar
Andrew K Wright and Matthias Felleisen. 1994. A syntactic approach to type soundness. Information and computation 115, 1 (1994). Google ScholarDigital Library

Index Terms

RustBelt: securing the foundations of the Rust programming language
1. Theory of computation
  1. Logic
    1. Programming logic
    2. Separation logic
  2. Semantics and reasoning
    1. Program semantics
      1. Operational semantics

Recommendations

RustHornBelt: a semantic foundation for functional verification of Rust programs with unsafe code
PLDI 2022: Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation

Rust is a systems programming language that offers both low-level memory operations and high-level safety guarantees, via a strong ownership type system that prohibits mutation of aliased state. In prior work, Matsushita et al. developed RustHorn, a ...
Read More
Leveraging rust types for modular specification and verification

Rust's type system ensures memory safety: well-typed Rust programs are guaranteed to not exhibit problems such as dangling pointers, data races, and unexpected side effects through aliased references. Ensuring correctness properties beyond memory safety, ...
Read More
Leveraging Rust Types for Program Synthesis

The Rust type system guarantees memory safety and data-race freedom. However, to satisfy Rust's type rules, many familiar implementation patterns must be adapted substantially. These necessary adaptations complicate programming and might hinder ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in

Proceedings of the ACM on Programming Languages Volume 2, Issue POPL
January 2018
1961 pages
EISSN:2475-1421
DOI:10.1145/3177123
Issue’s Table of Contents

Copyright © 2017 Owner/Author
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 December 2017
Published in pacmpl Volume 2, Issue POPL

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
- Artifacts Available
- Artifacts Evaluated & Functional
Author Tags
Rust
concurrency
logical relations
separation logic
type systems
Qualifiers
- article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 152
  Total Citations
  View Citations
- 13,292
  Total Downloads
- Downloads (Last 12 months)2,284
- Downloads (Last 6 weeks)370
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

RustBelt: securing the foundations of the Rust programming language

Proceedings of the ACM on Programming Languages

Abstract

Supplemental Material

Available for Download

References

Cited By

Index Terms

Recommendations

RustHornBelt: a semantic foundation for functional verification of Rust programs with unsafe code

Leveraging rust types for modular specification and verification

Leveraging Rust Types for Program Synthesis