Abstract
The Rust programming language provides a powerful type system that checks linearity and borrowing, allowing code to safely manipulate memory without garbage collection and making Rust ideal for developing low-level, high-assurance systems. For such systems, formal verification can be useful to prove functional correctness properties beyond type safety. This paper presents Verus, an SMT-based tool for formally verifying Rust programs. With Verus, programmers express proofs and specifications using the Rust language, allowing proofs to take advantage of Rust's linear types and borrow checking. We show how this allows proofs to manipulate linearly typed permissions that let Rust code safely manipulate memory, pointers, and concurrent resources. Verus organizes proofs and specifications using a novel mode system that distinguishes specifications, which are not checked for linearity and borrowing, from executable code and proofs, which are checked for linearity and borrowing. We formalize Verus' linearity, borrowing, and modes in a small lambda calculus, for which we prove type safety and termination of specifications and proofs. We demonstrate Verus on a series of examples, including pointer-manipulating code (an xor-based doubly linked list), code with interior mutability, and concurrent code.
Supplemental Material
Available for Download
Supplementary material for the paper "Verus: Verifying Rust Programs using Linear Ghost Types" (https://doi.org/10.1145/3586037) accepted at OOPSLA 2023. This archive contains the full code of the examples discussed in the paper and the full formalization and related proofs.
- Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, and Gernot Heiser. 2016. Cogent: Verifying High-Assurance File System Implementations. In Proceedings of the ACM Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS). https://doi.org/10.1145/2872362.2872404
Google Scholar
Digital Library
- Vytautas Astrauskas, Aurel Bílý, Jonás Fiala, Zachary Grannan, Christoph Matheja, Peter Müller, Federico Poli, and Alexander J. Summers. 2022. The Prusti Project: Formal Verification for Rust. In NASA Formal Methods - 14th International Symposium, NFM 2022, Pasadena, CA, USA, May 24-27, 2022, Proceedings (LNCS, Vol. 13260). Springer, 88–108. https://doi.org/10.1007/978-3-031-06773-0_5
Google Scholar
Digital Library
- Vytautas Astrauskas, Peter Müller, Federico Poli, and Alexander J. Summers. 2019. Leveraging Rust Types for Modular Specification and Verification. Proc. ACM Program. Lang., 3, OOPSLA (2019), 147:1–147:30. https://doi.org/10.1145/3360573
Google Scholar
Digital Library
- Michael Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. 2005. Boogie: A Modular Reusable Verifier for Object-Oriented Programs. In Formal Methods for Components and Objects, 4th International Symposium, FMCO 2005, Amsterdam, The Netherlands, November 1-4, 2005, Revised Lectures (LNCS, Vol. 4111). Springer, 364–387. https://doi.org/10.1007/11804192_17
Google Scholar
Digital Library
- Clark Barrett, Aaron Stump, and Cesare Tinelli. 2010. The SMT-LIB Standard: Version 2.0. In Proceedings of the 8th International Workshop on Satisfiability Modulo Theories (Edinburgh, UK), A. Gupta and D. Kroening (Eds.).
Google Scholar
- François Bobot, Jean-Christophe Filliâtre, Claude Marché, and Andrei Paskevich. 2011. Why3: Shepherd Your Herd of Provers. In Boogie 2011: First International Workshop on Intermediate Verification Languages. Wrocł aw, Poland. 53–64. https://hal.inria.fr/hal-00790310
Google Scholar
- Alexander Borgida, John Mylopoulos, and Raymond Reiter. 1995. On the Frame Problem in Procedure Specifications. IEEE Trans. Software Eng., 21, 10 (1995), 785–798. https://doi.org/10.1109/32.469460
Google Scholar
Digital Library
- Coq Development Team. 2022. The Coq Proof Assistant. https://coq.inria.fr/
Google Scholar
- Karl Crary, David Walker, and Greg Morrisett. 1999. Typed Memory Management in a Calculus of Capabilities. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). https://doi.org/10.1145/292540.292564
Google Scholar
Digital Library
- Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, and Derek Dreyer. 2020. RustBelt meets relaxed memory. Proc. ACM Program. Lang., 4, POPL (2020), 34:1–34:29. https://doi.org/10.1145/3371102
Google Scholar
Digital Library
- Leonardo de Moura, Soonho Kong, Jeremy Avigad, Floris van Doorn, and Jakob von Raumer. 2015. The Lean Theorem Prover. In Proceedings of the Conference on Automated Deduction (CADE).
Google Scholar
- Leonardo Mendonça de Moura and Nikolaj S. Bjørner. 2007. Efficient E-Matching for SMT Solvers. In Automated Deduction - CADE-21, 21st International Conference on Automated Deduction, Bremen, Germany, July 17-20, 2007, Proceedings, Frank Pfenning (Ed.) (Lecture Notes in Computer Science, Vol. 4603). Springer, 183–198. https://doi.org/10.1007/978-3-540-73595-3_13
Google Scholar
Digital Library
- Leonardo Mendonça de Moura and Nikolaj S. Bjørner. 2008. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings (LNCS, Vol. 4963). Springer, 337–340. https://doi.org/10.1007/978-3-540-78800-3_24
Google Scholar
Cross Ref
- Xavier Denis, Jacques-Henri Jourdan, and Claude Marché. 2022. Creusot: A Foundry for the Deductive Verication of Rust Programs. In Proceedings of ICFEM 2022 - International Conference on Formal Engineering Methods (Lecture Notes in Computer Science). Springer Verlag, Madrid, Spain. https://doi.org/10.1007/978-3-031-17244-1_6
Google Scholar
Digital Library
- Edsger W. Dijkstra. 1975. Guarded Commands, Nondeterminacy and Formal Derivation of Programs. Commun. ACM, 18, 8 (1975), 453–457. https://doi.org/10.1145/360933.360975
Google Scholar
Digital Library
- Aymeric Fromherz, Aseem Rastogi, Nikhil Swamy, Sydney Gibson, Guido Martínez, Denis Merigoux, and Tahina Ramananandro. 2021. Steel: proof-oriented programming in a dependently typed concurrent separation logic. Proc. ACM Program. Lang., 5, ICFP (2021), 1–30. https://doi.org/10.1145/3473590
Google Scholar
Digital Library
- Google Security Blog. 2021. Rust in the Android platform. https://security.googleblog.com/2021/04/rust-in-android-platform.html
Google Scholar
- Travis Hance, Yi Zhou, Andrea Lattuada, Reto Achermann, Alex Conway, Ryan Stutsman, Gerd Zellweger, Chris Hawblitzel, Jon Howell, and Bryan Parno. 2022. Sharding the State Machine: Automated Modular Reasoning for Complex Concurrent Systems. CyLab, Carnegie Mellon University.
Google Scholar
- Son Ho and Jonathan Protzenko. 2022. Aeneas: Rust Verification by Functional Translation. Proc. ACM Program. Lang., 6, ICFP (2022), 711–741. https://doi.org/10.1145/3547647
Google Scholar
Digital Library
- Bart Jacobs, Jan Smans, Pieter Philippaerts, Frédéric Vogels, Willem Penninckx, and Frank Piessens. 2011. VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java. In NASA Formal Methods - Third International Symposium, NFM 2011, Pasadena, CA, USA, April 18-20, 2011. Proceedings, Mihaela Gheorghiu Bobaru, Klaus Havelund, Gerard J. Holzmann, and Rajeev Joshi (Eds.) (Lecture Notes in Computer Science, Vol. 6617). Springer, 41–55. https://doi.org/10.1007/978-3-642-20398-5_4
Google Scholar
Cross Ref
- Ralf Jung, Hoang-Hai Dang, Jeehoon Kang, and Derek Dreyer. 2019. Stacked Borrows: An Aliasing Model for Rust. Proc. ACM Program. Lang., 4, POPL (2019), Article 41, dec, 32 pages. https://doi.org/10.1145/3371109
Google Scholar
Digital Library
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018. RustBelt: Securing the Foundations of the Rust Programming Language. Proc. ACM Program. Lang., 2, POPL (2018), 66:1–66:34. https://doi.org/10.1145/3158154
Google Scholar
Digital Library
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming, https://doi.org/10.1017/S0956796818000151
Google Scholar
Cross Ref
- Steve Klabnik and Carol Nichols. 2018. The Rust Programming Language. No Starch Press, USA. isbn:1593278284
Google Scholar
- Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types – Artifact. https://doi.org/10.5281/zenodo.7511039
Google Scholar
Digital Library
- Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types – Supplementary Material. https://doi.org/10.5281/zenodo.7718486 The copy of record of the supplementary material is available in the ACM DL.
Google Scholar
Cross Ref
- Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2023. Verus: Verifying Rust Programs using Linear Ghost Types (extended version). https://doi.org/10.48550/ARXIV.2303.05491
Google Scholar
- K. Rustan M. Leino. 2010. Dafny: An Automatic Program Verifier for Functional Correctness. In Logic for Programming, Artificial Intelligence, and Reasoning - 16th International Conference, LPAR-16, Dakar, Senegal, April 25-May 1, 2010, Revised Selected Papers (LNCS, Vol. 6355). Springer, 348–370. https://doi.org/10.1007/978-3-642-17511-4_20
Google Scholar
Cross Ref
- Rustan Leino and Philipp Rümmer. 2010. A Polymorphic Intermediate Verification Language: Design and Logical Encoding. In Conference: Tools and Algorithms for the Construction and Analysis of Systems, 16th International Conference, TACAS 2010, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2010, Paphos, Cyprus, March 20-28, 2010.. https://doi.org/978-3-642-12002-2_26
Google Scholar
- Jialin Li, Andrea Lattuada, Yi Zhou, Jonathan Cameron, Jon Howell, Bryan Parno, and Chris Hawblitzel. 2022. Linear types for large-scale systems verification. Proc. ACM Program. Lang., 6, OOPSLA (2022), 1–28. https://doi.org/10.1145/3527313
Google Scholar
Digital Library
- Nicholas D. Matsakis and Felix S. Klock. 2014. The Rust Language. Ada Lett., 34, 3 (2014), Oct., 103–104. issn:1094-3641 https://doi.org/10.1145/2692956.2663188
Google Scholar
Digital Library
- Yusuke Matsushita, Xavier Denis, Jacques-Henri Jourdan, and Derek Dreyer. 2022. RustHornBelt: A Semantic Foundation for Functional Verification of Rust Programs With Unsafe Code. In PLDI ’22: 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation, San Diego, CA, USA, June 13 - 17, 2022. ACM, 841–856. https://doi.org/10.1145/3519939.3523704
Google Scholar
Digital Library
- Yusuke Matsushita, Takeshi Tsukada, and Naoki Kobayashi. 2020. RustHorn: CHC-Based Verification for Rust Programs. In Programming Languages and Systems - 29th European Symposium on Programming, ESOP 2020, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020, Dublin, Ireland, April 25-30, 2020, Proceedings (LNCS, Vol. 12075). Springer, 484–514. https://doi.org/10.1007/978-3-030-44914-8_18
Google Scholar
Digital Library
- Greg Morrisett, Amal Ahmed, and Matthew Fluet. 2005. L3: A Linear Language with Locations. In Typed Lambda Calculi and Applications. https://doi.org/10.1007/11417170_22
Google Scholar
Digital Library
- Peter Müller, Malte Schwerhoff, and Alexander J. Summers. 2016. Viper: A Verification Infrastructure for Permission-Based Reasoning. In Verification, Model Checking, and Abstract Interpretation - 17th International Conference, VMCAI 2016, St. Petersburg, FL, USA, January 17-19, 2016. Proceedings (LNCS, Vol. 9583). Springer, 41–62. https://doi.org/10.1007/978-3-662-49122-5_2
Google Scholar
Digital Library
- Peter W. O’Hearn. 2007. Resources, concurrency, and local reasoning. Theor. Comput. Sci., 375, 1-3 (2007), 271–307. https://doi.org/10.1016/j.tcs.2006.12.035
Google Scholar
Digital Library
- David J. Pearce. 2021. A Lightweight Formalism for Reference Lifetimes and Borrowing in Rust. ACM Transactions on Programming Languages and Systems (TOPLAS), 43, 1 (2021), Article 3, apr, 73 pages. https://doi.org/10.1145/3443420
Google Scholar
Digital Library
- John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In 17th IEEE Symposium on Logic in Computer Science (LICS 2002), 22-25 July 2002, Copenhagen, Denmark, Proceedings. IEEE Computer Society, 55–74. https://doi.org/10.1109/LICS.2002.1029817
Google Scholar
Cross Ref
- Frederick Smith, David Walker, and J. Gregory Morrisett. 2000. Alias Types. In Proceedings of the 9th European Symposium on Programming Languages and Systems (ESOP ’00).
Google Scholar
- Nikhil Swamy, Cătălin Hriţcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoué, and Santiago Zanella-Béguelin. 2016. Dependent Types and Multi-Monadic Effects in F*. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL). isbn:978-1-4503-3549-2 https://doi.org/10.1145/2837614.2837655
Google Scholar
Digital Library
- Steven Vaughan-Nichols. 2022. Linus Torvalds: Rust will go into Linux 6.1. https://www.zdnet.com/article/linus-torvalds-rust-will-go-into-linux-6-1/
Google Scholar
- Philip Wadler. 1990. Linear Types can Change the World!. In Programming concepts and methods: Proceedings of the IFIP Working Group 2.2, 2.3 Working Conference on Programming Concepts and Methods, Sea of Galilee, Israel, 2-5 April, 1990. North-Holland, 561.
Google Scholar
- Aaron Weiss, Daniel Patterson, Nicholas D. Matsakis, and Amal Ahmed. 2019. Oxide: The Essence of Rust. CoRR, abs/1903.00982 (2019), arXiv:1903.00982. arxiv:1903.00982
Google Scholar
- Joshua Yanovski, Hoang-Hai Dang, Ralf Jung, and Derek Dreyer. 2021. GhostCell: Separating Permissions from Data in Rust. Proc. ACM Program. Lang., 5, ICFP (2021), 1–30. https://doi.org/10.1145/3473597
Google Scholar
Digital Library
- Dengping Zhu and Hongwei Xi. 2005. Safe Programming with Pointers through Stateful Views. In Proceedings of the 7th International Conference on Practical Aspects of Declarative Languages (PADL’05). https://doi.org/10.1007/978-3-540-30557-6_8
Google Scholar
Digital Library
Index Terms
Verus: Verifying Rust Programs using Linear Ghost Types
Recommendations
Linear types for large-scale systems verification
Reasoning about memory aliasing and mutation in software verification is a hard problem. This is especially true for systems using SMT-based automated theorem provers. Memory reasoning in SMT verification typically requires a nontrivial amount of manual ...
Leveraging rust types for modular specification and verification
Rust's type system ensures memory safety: well-typed Rust programs are guaranteed to not exhibit problems such as dangling pointers, data races, and unexpected side effects through aliased references. Ensuring correctness properties beyond memory safety,...
Verifying dynamic trait objects in rust
ICSE-SEIP '22: Proceedings of the 44th International Conference on Software Engineering: Software Engineering in PracticeRust has risen in prominence as a systems programming language in large part due to its focus on reliability. The language's advanced type system and borrow checker eliminate certain classes of memory safety violations. But for critical pieces of code, ...






Comments