skip to main content

Verus: Verifying Rust Programs using Linear Ghost Types

Published:06 April 2023Publication History
Skip Abstract Section

Abstract

The Rust programming language provides a powerful type system that checks linearity and borrowing, allowing code to safely manipulate memory without garbage collection and making Rust ideal for developing low-level, high-assurance systems. For such systems, formal verification can be useful to prove functional correctness properties beyond type safety. This paper presents Verus, an SMT-based tool for formally verifying Rust programs. With Verus, programmers express proofs and specifications using the Rust language, allowing proofs to take advantage of Rust's linear types and borrow checking. We show how this allows proofs to manipulate linearly typed permissions that let Rust code safely manipulate memory, pointers, and concurrent resources. Verus organizes proofs and specifications using a novel mode system that distinguishes specifications, which are not checked for linearity and borrowing, from executable code and proofs, which are checked for linearity and borrowing. We formalize Verus' linearity, borrowing, and modes in a small lambda calculus, for which we prove type safety and termination of specifications and proofs. We demonstrate Verus on a series of examples, including pointer-manipulating code (an xor-based doubly linked list), code with interior mutability, and concurrent code.

Skip Supplemental Material Section

Supplemental Material

References

  1. Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, and Gernot Heiser. 2016. Cogent: Verifying High-Assurance File System Implementations. In Proceedings of the ACM Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). https://doi.org/10.1145/2872362.2872404 Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Vytautas Astrauskas, Aurel Bílý, Jonás Fiala, Zachary Grannan, Christoph Matheja, Peter Müller, Federico Poli, and Alexander J. Summers. 2022. The Prusti Project: Formal Verification for Rust. In NASA Formal Methods - 14th International Symposium, NFM 2022, Pasadena, CA, USA, May 24-27, 2022, Proceedings (LNCS, Vol. 13260). Springer, 88–108. https://doi.org/10.1007/978-3-031-06773-0_5 Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust Types for Modular Specification and Verification. Proc. ACM Program. Lang., 3, OOPSLA (2019), 147:1–147:30. https://doi.org/10.1145/3360573 Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Michael Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. 2005. Boogie: A Modular Reusable Verifier for Object-Oriented Programs. In Formal Methods for Components and Objects, 4th International Symposium, FMCO 2005, Amsterdam, The Netherlands, November 1-4, 2005, Revised Lectures (LNCS, Vol. 4111). Springer, 364–387. https://doi.org/10.1007/11804192_17 Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Clark Barrett, Aaron Stump, and Cesare Tinelli. 2010. The SMT-LIB Standard: Version 2.0. In Proceedings of the 8th International Workshop on Satisfiability Modulo Theories (Edinburgh, UK), A. Gupta and D. Kroening (Eds.). Google ScholarGoogle Scholar
  6. François Bobot, Jean-Christophe Filliâtre, Claude Marché, and Andrei Paskevich. 2011. Why3: Shepherd Your Herd of Provers. In Boogie 2011: First International Workshop on Intermediate Verification Languages. Wrocł aw, Poland. 53–64. https://hal.inria.fr/hal-00790310 Google ScholarGoogle Scholar
  7. Alexander Borgida, John Mylopoulos, and Raymond Reiter. 1995. On the Frame Problem in Procedure Specifications. IEEE Trans. Software Eng., 21, 10 (1995), 785–798. https://doi.org/10.1109/32.469460 Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Coq Development Team. 2022. The Coq Proof Assistant. https://coq.inria.fr/ Google ScholarGoogle Scholar
  9. Karl Crary, David Walker, and Greg Morrisett. 1999. Typed Memory Management in a Calculus of Capabilities. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). https://doi.org/10.1145/292540.292564 Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, and Derek Dreyer. 2020. RustBelt meets relaxed memory. Proc. ACM Program. Lang., 4, POPL (2020), 34:1–34:29. https://doi.org/10.1145/3371102 Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Leonardo de Moura, Soonho Kong, Jeremy Avigad, Floris van Doorn, and Jakob von Raumer. 2015. The Lean Theorem Prover. In Proceedings of the Conference on Automated Deduction (CADE). Google ScholarGoogle Scholar
  12. Leonardo Mendonça de Moura and Nikolaj S. Bjørner. 2007. Efficient E-Matching for SMT Solvers. In Automated Deduction - CADE-21, 21st International Conference on Automated Deduction, Bremen, Germany, July 17-20, 2007, Proceedings, Frank Pfenning (Ed.) (Lecture Notes in Computer Science, Vol. 4603). Springer, 183–198. https://doi.org/10.1007/978-3-540-73595-3_13 Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Leonardo Mendonça de Moura and Nikolaj S. Bjørner. 2008. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings (LNCS, Vol. 4963). Springer, 337–340. https://doi.org/10.1007/978-3-540-78800-3_24 Google ScholarGoogle ScholarCross RefCross Ref
  14. Xavier Denis, Jacques-Henri Jourdan, and Claude Marché. 2022. Creusot: A Foundry for the Deductive Verication of Rust Programs. In Proceedings of ICFEM 2022 - International Conference on Formal Engineering Methods (Lecture Notes in Computer Science). Springer Verlag, Madrid, Spain. https://doi.org/10.1007/978-3-031-17244-1_6 Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Edsger W. Dijkstra. 1975. Guarded Commands, Nondeterminacy and Formal Derivation of Programs. Commun. ACM, 18, 8 (1975), 453–457. https://doi.org/10.1145/360933.360975 Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Aymeric Fromherz, Aseem Rastogi, Nikhil Swamy, Sydney Gibson, Guido Martínez, Denis Merigoux, and Tahina Ramananandro. 2021. Steel: proof-oriented programming in a dependently typed concurrent separation logic. Proc. ACM Program. Lang., 5, ICFP (2021), 1–30. https://doi.org/10.1145/3473590 Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Google Security Blog. 2021. Rust in the Android platform. https://security.googleblog.com/2021/04/rust-in-android-platform.html Google ScholarGoogle Scholar
  18. Travis Hance, Yi Zhou, Andrea Lattuada, Reto Achermann, Alex Conway, Ryan Stutsman, Gerd Zellweger, Chris Hawblitzel, Jon Howell, and Bryan Parno. 2022. Sharding the State Machine: Automated Modular Reasoning for Complex Concurrent Systems. CyLab, Carnegie Mellon University. Google ScholarGoogle Scholar
  19. Son Ho and Jonathan Protzenko. 2022. Aeneas: Rust Verification by Functional Translation. Proc. ACM Program. Lang., 6, ICFP (2022), 711–741. https://doi.org/10.1145/3547647 Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Bart Jacobs, Jan Smans, Pieter Philippaerts, Frédéric Vogels, Willem Penninckx, and Frank Piessens. 2011. VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java. In NASA Formal Methods - Third International Symposium, NFM 2011, Pasadena, CA, USA, April 18-20, 2011. Proceedings, Mihaela Gheorghiu Bobaru, Klaus Havelund, Gerard J. Holzmann, and Rajeev Joshi (Eds.) (Lecture Notes in Computer Science, Vol. 6617). Springer, 41–55. https://doi.org/10.1007/978-3-642-20398-5_4 Google ScholarGoogle ScholarCross RefCross Ref
  21. Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, and Derek Dreyer. 2019. Stacked Borrows: An Aliasing Model for Rust. Proc. ACM Program. Lang., 4, POPL (2019), Article 41, dec, 32 pages. https://doi.org/10.1145/3371109 Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang., 2, POPL (2018), 66:1–66:34. https://doi.org/10.1145/3158154 Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming, https://doi.org/10.1017/S0956796818000151 Google ScholarGoogle ScholarCross RefCross Ref
  24. Steve Klabnik and Carol Nichols. 2018. The Rust Programming Language. No Starch Press, USA. isbn:1593278284 Google ScholarGoogle Scholar
  25. Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types – Artifact. https://doi.org/10.5281/zenodo.7511039 Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types – Supplementary Material. https://doi.org/10.5281/zenodo.7718486 The copy of record of the supplementary material is available in the ACM DL. Google ScholarGoogle ScholarCross RefCross Ref
  27. Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types (extended version). https://doi.org/10.48550/ARXIV.2303.05491 Google ScholarGoogle Scholar
  28. K. Rustan M. Leino. 2010. Dafny: An Automatic Program Verifier for Functional Correctness. In Logic for Programming, Artificial Intelligence, and Reasoning - 16th International Conference, LPAR-16, Dakar, Senegal, April 25-May 1, 2010, Revised Selected Papers (LNCS, Vol. 6355). Springer, 348–370. https://doi.org/10.1007/978-3-642-17511-4_20 Google ScholarGoogle ScholarCross RefCross Ref
  29. Rustan Leino and Philipp Rümmer. 2010. A Polymorphic Intermediate Verification Language: Design and Logical Encoding. In Conference: Tools and Algorithms for the Construction and Analysis of Systems, 16th International Conference, TACAS 2010, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2010, Paphos, Cyprus, March 20-28, 2010.. https://doi.org/978-3-642-12002-2_26 Google ScholarGoogle Scholar
  30. Jialin Li, Andrea Lattuada, Yi Zhou, Jonathan Cameron, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2022. Linear types for large-scale systems verification. Proc. ACM Program. Lang., 6, OOPSLA (2022), 1–28. https://doi.org/10.1145/3527313 Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Nicholas D. Matsakis and Felix S. Klock. 2014. The Rust Language. Ada Lett., 34, 3 (2014), Oct., 103–104. issn:1094-3641 https://doi.org/10.1145/2692956.2663188 Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Yusuke Matsushita, Xavier Denis, Jacques-Henri Jourdan, and Derek Dreyer. 2022. RustHornBelt: A Semantic Foundation for Functional Verification of Rust Programs With Unsafe Code. In PLDI ’22: 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation, San Diego, CA, USA, June 13 - 17, 2022. ACM, 841–856. https://doi.org/10.1145/3519939.3523704 Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Yusuke Matsushita, Takeshi Tsukada, and Naoki Kobayashi. 2020. RustHorn: CHC-Based Verification for Rust Programs. In Programming Languages and Systems - 29th European Symposium on Programming, ESOP 2020, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020, Dublin, Ireland, April 25-30, 2020, Proceedings (LNCS, Vol. 12075). Springer, 484–514. https://doi.org/10.1007/978-3-030-44914-8_18 Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Greg Morrisett, Amal Ahmed, and Matthew Fluet. 2005. L3: A Linear Language with Locations. In Typed Lambda Calculi and Applications. https://doi.org/10.1007/11417170_22 Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Peter Müller, Malte Schwerhoff, and Alexander J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In Verification, Model Checking, and Abstract Interpretation - 17th International Conference, VMCAI 2016, St. Petersburg, FL, USA, January 17-19, 2016. Proceedings (LNCS, Vol. 9583). Springer, 41–62. https://doi.org/10.1007/978-3-662-49122-5_2 Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Peter W. O’Hearn. 2007. Resources, concurrency, and local reasoning. Theor. Comput. Sci., 375, 1-3 (2007), 271–307. https://doi.org/10.1016/j.tcs.2006.12.035 Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. David J. Pearce. 2021. A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust. ACM Transactions on Programming Languages and Systems (TOPLAS), 43, 1 (2021), Article 3, apr, 73 pages. https://doi.org/10.1145/3443420 Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In 17th IEEE Symposium on Logic in Computer Science (LICS 2002), 22-25 July 2002, Copenhagen, Denmark, Proceedings. IEEE Computer Society, 55–74. https://doi.org/10.1109/LICS.2002.1029817 Google ScholarGoogle ScholarCross RefCross Ref
  39. Frederick Smith, David Walker, and J. Gregory Morrisett. 2000. Alias Types. In Proceedings of the 9th European Symposium on Programming Languages and Systems (ESOP ’00). Google ScholarGoogle Scholar
  40. Nikhil Swamy, Cătălin Hriţcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoué, and Santiago Zanella-Béguelin. 2016. Dependent Types and Multi-Monadic Effects in F*. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL). isbn:978-1-4503-3549-2 https://doi.org/10.1145/2837614.2837655 Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Steven Vaughan-Nichols. 2022. Linus Torvalds: Rust will go into Linux 6.1. https://www.zdnet.com/article/linus-torvalds-rust-will-go-into-linux-6-1/ Google ScholarGoogle Scholar
  42. Philip Wadler. 1990. Linear Types can Change the World!. In Programming concepts and methods: Proceedings of the IFIP Working Group 2.2, 2.3 Working Conference on Programming Concepts and Methods, Sea of Galilee, Israel, 2-5 April, 1990. North-Holland, 561. Google ScholarGoogle Scholar
  43. Aaron Weiss, Daniel Patterson, Nicholas D. Matsakis, and Amal Ahmed. 2019. Oxide: The Essence of Rust. CoRR, abs/1903.00982 (2019), arXiv:1903.00982. arxiv:1903.00982 Google ScholarGoogle Scholar
  44. Joshua Yanovski, Hoang-Hai Dang, Ralf Jung, and Derek Dreyer. 2021. GhostCell: Separating Permissions from Data in Rust. Proc. ACM Program. Lang., 5, ICFP (2021), 1–30. https://doi.org/10.1145/3473597 Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Dengping Zhu and Hongwei Xi. 2005. Safe Programming with Pointers through Stateful Views. In Proceedings of the 7th International Conference on Practical Aspects of Declarative Languages (PADL’05). https://doi.org/10.1007/978-3-540-30557-6_8 Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Verus: Verifying Rust Programs using Linear Ghost Types

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!