skip to main content

Aeneas: Rust verification by functional translation

Published:31 August 2022Publication History
Skip Abstract Section

Abstract

We present Aeneas, a new verification toolchain for Rust programs based on a lightweight functional translation. We leverage Rust’s rich region-based type system to eliminate memory reasoning for a large class of Rust programs, as long as they do not rely on interior mutability or unsafe code. Doing so, we relieve the proof engineer of the burden of memory-based reasoning, allowing them to instead focus on functional properties of their code.

The first contribution of Aeneas is a new approach to borrows and controlled aliasing. We propose a pure, functional semantics for LLBC, a Low-Level Borrow Calculus that captures a large subset of Rust programs. Our semantics is value-based, meaning there is no notion of memory, addresses or pointer arithmetic. Our semantics is also ownership-centric, meaning that we enforce soundness of borrows via a semantic criterion based on loans rather than through a syntactic type-based lifetime discipline. We claim that our semantics captures the essence of the borrow mechanism rather than its current implementation in the Rust compiler.

The second contribution of Aeneas is a translation from LLBC to a pure lambda-calculus. This allows the user to reason about the original Rust program through the theorem prover of their choice, and fulfills our promise of enabling lightweight verification of Rust programs. To deal with the well-known technical difficulty of terminating a borrow, we rely on a novel approach, in which we approximate the borrow graph in the presence of function calls. This in turn allows us to perform the translation using a new technical device called backward functions.

We implement our toolchain in a mixture of Rust and OCaml; our chief case study is a low-level, resizing hash table, for which we prove functional correctness, the first such result in Rust. Our evaluation shows significant gains of verification productivity for the programmer. This paper therefore establishes a new point in the design space of Rust verification toolchains, one that aims to verify Rust programs simply, and at scale.

Rust goes to great lengths to enforce static control of aliasing; the proof engineer should not waste any time on memory reasoning when so much already comes “for free”!

References

  1. 2017. Not possible to bind to a pattern. https://github.com/FStarLang/FStar/issues/1288 Google ScholarGoogle Scholar
  2. 2021. StackOverflow Developer Survey. https://insights.stackoverflow.com/survey/2021 Google ScholarGoogle Scholar
  3. 2022. Verus, an Experimental Verification Framework for Rust-like code. https://github.com/secure-foundations/verus/blob/004eadd8c31b60c886f7a8c8b568806e46a49a78/source/docs/design/returning-mutable-references.md Google ScholarGoogle Scholar
  4. Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, and Gernot Heiser. 2016. Cogent: Verifying High-Assurance File System Implementations. SIGARCH Comput. Archit. News, 44, 2 (2016), mar, 175–188. issn:0163-5964 https://doi.org/10.1145/2980024.2872404 Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Qinxiang Cao Andrew W Appel, Lennart Beringer. 2021. Verifiable C. https://softwarefoundations.cis.upenn.edu/vc-current/index.html Google ScholarGoogle Scholar
  6. V. Astrauskas, P. Müller, F. Poli, and A. J. Summers. 2019. Leveraging Rust Types for Modular Specification and Verification. In Object-Oriented Programming Systems, Languages, and Applications (OOPSLA). Proc. ACM Program. Lang., 3, OOPSLA, 147:1–147:30. https://doi.org/10.1145/3360573 Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Thibaut Balabonski, François Pottier, and Jonathan Protzenko. 2016. The design and formalization of Mezzo, a permission-based programming language. ACM Transactions on Programming Languages and Systems (TOPLAS), 38, 4 (2016), 1–94. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Michael A. Bender, Martin Farach-Colton, William Jannen, Rob Johnson, Bradley C. Kuszmaul, Donald E. Porter, Jun Yuan, and Yang Zhan. 2015. An Introduction to B∊ -trees and Write-Optimization. login Usenix Mag., 40 (2015). Google ScholarGoogle Scholar
  9. Karthikeyan Bhargavan, Barry Bond, Antoine Delignat-Lavaud, Cédric Fournet, Chris Hawblitzel, Catalin Hritcu, Samin Ishtiaq, Markulf Kohlweiss, Rustan Leino, and Jay Lorch. 2017. Everest: Towards a verified, drop-in replacement of HTTPS. In 2nd Summit on Advances in Programming Languages (SNAPL 2017). Google ScholarGoogle Scholar
  10. Aaron Bohannon, J Nathan Foster, Benjamin C Pierce, Alexandre Pilkiewicz, and Alan Schmitt. 2008. Boomerang: resourceful lenses for string data. In Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages. 407–419. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. John Boyland, James Noble, and William Retert. 2001. Capabilities for sharing. In European Conference on Object-Oriented Programming. 2–27. Google ScholarGoogle ScholarCross RefCross Ref
  12. Qinxiang Cao, Lennart Beringer, Samuel Gruetter, Josiah Dodds, and Andrew W Appel. 2018. VST-Floyd: A separation logic tool to verify correctness of C programs. Journal of Automated Reasoning, 61, 1 (2018), 367–422. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Arthur Charguéraud and François Pottier. 2008. Functional translation of a calculus of capabilities. In Proceedings of the 13th ACM SIGPLAN international conference on Functional programming. 213–224. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. David G Clarke, John M Potter, and James Noble. 1998. Ownership types for flexible alias protection. In Proceedings of the 13th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. 48–64. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Xavier Denis, Jacques-Henri Jourdan, and Claude Marché. 2021. The Creusot Environment for the Deductive Verification of Rust Programs. Inria Saclay - Île de France. https://hal.inria.fr/hal-03526634 Google ScholarGoogle Scholar
  16. Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, and Bryan Parno. 2017. Komodo: Using verification to disentangle secure-enclave hardware from software. In Proceedings of the 26th Symposium on Operating Systems Principles. 287–305. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Matthew Fluet, Greg Morrisett, and Amal Ahmed. 2006. Linear regions are all you need. In European Symposium on Programming. 7–21. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Chris Hawblitzel, Jon Howell, Jacob R Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill. 2014. Ironclad Apps:$End-to-End$ Security via Automated $Full-System$ Verification. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14). 165–181. Google ScholarGoogle Scholar
  19. Son Ho and Jonathan Protzenko. 2022. Aeneas: A Verification Toolchain for Rust Programs. https://github.com/sonmarcho/aeneas Google ScholarGoogle Scholar
  20. Son Ho and Jonathan Protzenko. 2022. Aeneas: Rust Verification by Functional Translation. https://doi.org/10.5281/zenodo.6672939 Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Son Ho and Jonathan Protzenko. 2022. Aeneas: Rust Verification by Functional Translation (Long Version). https://doi.org/10.48550/ARXIV.2206.07185 Google ScholarGoogle Scholar
  22. Son Ho, Jonathan Protzenko, Abhishek Bichhawat, and Karthikeyan Bhargavan. 2021. Noise*: A Library of Verified High-Performance Secure Channel Protocol Implementations. Google ScholarGoogle Scholar
  23. Graydon Hoare. 2022. https://twitter.com/graydon_pub/status/1492792051657629698 Google ScholarGoogle Scholar
  24. Uri Juhasz, Ioannis T Kassios, Peter Müller, Milos Novacek, Malte Schwerhoff, and Alexander J Summers. 2014. Viper: A verification infrastructure for permission-based reasoning. ETH Zurich. Google ScholarGoogle Scholar
  25. Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, and Derek Dreyer. 2019. Stacked borrows: an aliasing model for Rust. Proceedings of the ACM on Programming Languages, 4, POPL (2019), 1–32. Google ScholarGoogle Scholar
  26. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2017. RustBelt: Securing the foundations of the Rust programming language. Proceedings of the ACM on Programming Languages, 2, POPL (2017), 1–34. Google ScholarGoogle Scholar
  27. Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleš Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming, 28 (2018). Google ScholarGoogle Scholar
  28. Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, and Michael Norrish. 2009. seL4: Formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. 207–220. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. K Rustan M Leino. 2010. Dafny: An automatic program verifier for functional correctness. In International Conference on Logic for Programming Artificial Intelligence and Reasoning. 348–370. Google ScholarGoogle ScholarCross RefCross Ref
  30. Jialin Li, Andrea Lattuada, Yi Zhou, Jonathan Cameron, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2022. Linear Types for Large-Scale Systems Verification. In Proceedings of the ACM Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA). Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Jacob R Lorch, Yixuan Chen, Manos Kapritsos, Bryan Parno, Shaz Qadeer, Upamanyu Sharma, James R Wilcox, and Xueyuan Zhao. 2020. Armada: low-effort verification of high-performance concurrent programs. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. 197–210. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Niko Matsakis. 2018. Regions are Sets of Loans. http://smallcultfollowing.com/babysteps/blog/2018/04/27/an-alias-based-formulation-of-the-borrow-checker/ Google ScholarGoogle Scholar
  33. Yusuke Matsushita, Xavier Denis, Jacques-Henri Jourdan, and Derek Dreyer. 2022. RustHorn-Belt: A semantic foundation for functional verification of Rust programs with unsafe code. In Proceedings of the 43rd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Yusuke Matsushita, Takeshi Tsukada, and Naoki Kobayashi. 2020. RustHorn: CHC-Based Verification for Rust Programs.. In ESOP. 484–514. Google ScholarGoogle Scholar
  35. Leonardo de Moura, Soonho Kong, Jeremy Avigad, Floris van Doorn, and Jakob von Raumer. 2015. The Lean theorem prover (system description). In International Conference on Automated Deduction. 378–388. Google ScholarGoogle ScholarCross RefCross Ref
  36. LIAM O’Connor, Zilin Chen, Christine Rizkallah, Vincent Jackson, Sidney Amani, Gerwin Klein, Toby Murray, Thomas Sewell, and Gabriele Keller. 2021. Cogent: uniqueness types and certifying compilation. Journal of Functional Programming, 31 (2021). Google ScholarGoogle Scholar
  37. François Pottier. 2017. Verifying a hash table and its iterators in higher-order separation logic. In Proceedings of the 6th ACM SIGPLAN Conference on Certified Programs and Proofs. 3–16. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Jonathan Protzenko. 2014. Mezzo: a typed language for safe effectful concurrent programs. Ph. D. Dissertation. Université Paris Diderot-Paris 7. Google ScholarGoogle Scholar
  39. Jonathan Protzenko, Jean Karim Zinzindohoué, Aseem Rastogi, Tahina Ramananandro, Peng Wang, Santiago Zanella Béguelin, Antoine Delignat-Lavaud, Catalin Hritcu, Karthikeyan Bhargavan, and Cédric Fournet. 2017. Verified low-level programming embedded in F.. Proc. ACM program. lang., 1, ICFP (2017), 17–1. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. John C Reynolds. 2002. Separation logic: A logic for shared mutable data structures. In Proceedings 17th Annual IEEE Symposium on Logic in Computer Science. 55–74. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Xavier Rival. 2011. Abstract Domains for the Static Analysis of Programs Manipulating Complex Data Structures. Habilitation à diriger des recherches, École Normale Supérieure. Google ScholarGoogle Scholar
  42. Michael Sammler, Rodolphe Lepigre, Robbert Krebbers, Kayvan Memarian, Derek Dreyer, and Deepak Garg. 2021. RefinedC: automating the foundational verification of C code with refined ownership types. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. 158–174. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. The Rust Compiler Team. 2021. The Polonius Book. https://rust-lang.github.io/polonius/ Google ScholarGoogle Scholar
  44. The Rust Compiler Team. 2022. Guide to rustc development. https://rustc-dev-guide.rust-lang.org/borrow_check/two_phase_borrows.html Google ScholarGoogle Scholar
  45. Mads Tofte and Jean-Pierre Talpin. 1997. Region-based memory management. Information and computation, 132, 2 (1997), 109–176. Google ScholarGoogle Scholar
  46. Sebastian Ullrich. 2016. Simple verification of rust programs via functional purification. Master’s Thesis, Karlsruher Institut für Technologie (KIT). Google ScholarGoogle Scholar
  47. Philip Wadler. 1990. Linear types can change the world!. In Programming concepts and methods. 3, 5. Google ScholarGoogle Scholar
  48. Fabian Wolff, Aurel Bílý, Christoph Matheja, Peter Müller, and Alexander J. Summers. 2021. Modular Specification and Verification of Closures in Rust. Proc. ACM Program. Lang., 5, OOPSLA (2021), Article 145, oct, 29 pages. https://doi.org/10.1145/3485522 Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Aeneas: Rust verification by functional translation

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!