rustbelt: securing the foundations of the 10pt rust ...mpi-sws.org/~dreyer/talk.pdf · rust...
TRANSCRIPT
![Page 1: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/1.jpg)
RustBelt: Securing the Foundations of the
Rust Programming Language
Ralf JungJacques-Henri Jourdan
Robbert KrebbersDerek Dreyer
MPI-SWS & TU Delft
October 13, 2017ETH Zurich
![Page 2: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/2.jpg)
RustMozilla’s replacement for C/C++
A safe & flexible systems programming language
⌅ Modern strongly-typed PL:⇤ First-class functions, polymorphism/generics⇤
Traits ⇡ Type classes + associated types
⌅ But with control over resource management(e.g., memory allocation and data layout)
⌅ Sound type system with strong guarantees:⇤ Type & memory safety; absence of data races
2 of 35
![Page 3: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/3.jpg)
RustMozilla’s replacement for C/C++
A safe & flexible systems programming language
⌅ Modern strongly-typed PL:⇤ First-class functions, polymorphism/generics⇤
Traits ⇡ Type classes + associated types
⌅ But with control over resource management(e.g., memory allocation and data layout)
⌅ Sound? type system with strong guarantees:⇤ Type & memory safety; absence of data races
Goal of ERC RustBelt project:
⌅ Prove the soundness of Rust’s type system in Coq!
2 of 35
![Page 4: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/4.jpg)
The key challenge
Superficially, Rust’s approach to ensuring safety is sold as:
”No mutation through aliased pointers”
But this is not always true!
⌅ Many Rust libraries permit mutation through aliased pointers
⌅ The safety of this is highly non-obvious because these librariesmake use of unsafe features!
3 of 35
![Page 5: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/5.jpg)
The key challenge
Superficially, Rust’s approach to ensuring safety is sold as:
”No mutation through aliased pointers”
But this is not always true!
⌅ Many Rust libraries permit mutation through aliased pointers
⌅ The safety of this is highly non-obvious because these librariesmake use of unsafe features!
3 of 35
![Page 6: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/6.jpg)
The key challenge
Superficially, Rust’s approach to ensuring safety is sold as:
”No mutation through aliased pointers”
But this is not always true!
⌅ Many Rust libraries permit mutation through aliased pointers
⌅ The safety of this is highly non-obvious because these librariesmake use of unsafe features!
So why is any of this sound?
3 of 35
![Page 7: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/7.jpg)
Introduction
Overview of Rust
RustBelt
Conclusion
4 of 35
![Page 8: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/8.jpg)
let (snd, rcv) = channel();
join(
move || { // First thread
// Allocating [b] as Box<i32> (pointer to heap)
let mut b = Box::new(0);
*b = 1;
// Transferring the ownership to the other thread...
snd.send(b);
},
move || { // Second thread
let b = rcv.recv().unwrap(); // ... that receives it
println!("{}", *b); // ... and uses it.
});
5 of 35
![Page 9: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/9.jpg)
let (snd, rcv) = channel();
join(
move || { // First thread
// Allocating [b] as Box<i32> (pointer to heap)
let mut b = Box::new(0);
*b = 1;
// Transferring the ownership to the other thread...
snd.send(b);
*b = 2; // Error: lost ownership of [b]
// ==> Prevents data race
},
move || { // Second thread
let b = rcv.recv().unwrap(); // ... that receives it
println!("{}", *b); // ... and uses it.
});
5 of 35
![Page 10: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/10.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
v[1] = 4;
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
⌅ mutable borrowed reference
⌅ valid only for lifetime 'a
6 of 35
![Page 11: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/11.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
⌅ mutable borrowed reference
⌅ valid only for lifetime 'a
6 of 35
![Page 12: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/12.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
// Error: can invalidate [inner ptr]
v.push(1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
⌅ mutable borrowed reference
⌅ valid only for lifetime 'a
6 of 35
![Page 13: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/13.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
// Error: can invalidate [inner ptr]
v.push(1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
⌅ mutable borrowed reference
⌅ valid only for lifetime 'a
We temporarily lost ownership of vector v
We get back the full ownership of vector v
6 of 35
![Page 14: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/14.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
⌅ mutable borrowed reference
⌅ valid only for lifetime 'a
6 of 35
![Page 15: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/15.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
⌅ mutable borrowed reference
⌅ valid only for lifetime 'a
Lifetime 'a inferred by Rust
6 of 35
![Page 16: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/16.jpg)
Shared borrowing
let mut x = 1;
join (|| println !("Thread 1: {}" , &x),
|| println !("Thread 2: {}" , &x));
x = 2;
7 of 35
![Page 17: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/17.jpg)
Shared borrowing
let mut x = 1;
join (|| println !("Thread 1: {}" , &x),
|| println !("Thread 2: {}" , &x));
x = 2;
&x creates a shared borrow of x
⌅ Type: &'a i32
⌅ Can be copied/shared
⌅ Does not allow mutation
7 of 35
![Page 18: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/18.jpg)
Summing up
⌅ Rust’s type system is based on ownership
⌅ Three kinds of ownership:1. Full ownership: Vec<T> (vector), Box<T> (pointer to heap)2. Mutable borrowed reference: &'a mut T
3. Shared borrowed reference: &'a T
⌅ Lifetimes decide when borrows are valid
8 of 35
![Page 19: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/19.jpg)
Interior mutability
What if we want shared mutable data structures?
Rust standard library provides types with interior mutability
⌅ Allows mutation using only a shared reference &'a T
⌅ Implemented in Rust using unsafe features⌅ Unsafety is claimed to be safely encapsulated
⇤ The library interface restricts what mutations are possible
9 of 35
![Page 20: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/20.jpg)
MutexAn example of Interior mutability
let m = Mutex::new(1); // m : Mutex<i32>
// We can mutate the integer
// *with a shared borrow* only
join (|| *(&m).lock().unwrap() += 1,
|| *(&m).lock().unwrap() += 1);
// Unique owner: no need to lock
println!("{}", m.into_inner().unwrap())
A shared borrow establishes a sharing protocol:
⌅&'a i32
⇤ =) Read-only⇤ Safety: trivial
⌅&'a Mutex<i32>
⇤ =) Read-write by taking the lock⇤ Safety: ensured by proper synchronization
10 of 35
![Page 21: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/21.jpg)
MutexAn example of Interior mutability
let m = Mutex::new(1); // m : Mutex<i32>
// We can mutate the integer
// *with a shared borrow* only
join (|| *(&m).lock().unwrap() += 1,
|| *(&m).lock().unwrap() += 1);
// Unique owner: no need to lock
println!("{}", m.into_inner().unwrap())
A shared borrow establishes a sharing protocol:
⌅&'a i32
⇤ =) Read-only⇤ Safety: trivial
⌅&'a Mutex<i32>
⇤ =) Read-write by taking the lock⇤ Safety: ensured by proper synchronization
10 of 35
![Page 22: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/22.jpg)
How do we know this all works?
11 of 35
![Page 23: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/23.jpg)
Introduction
Overview of Rust
RustBelt
Conclusion
12 of 35
![Page 24: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/24.jpg)
The �Rust type system
⌅ Syntactic (built-in types)
⌧ ::= bool | int | ownn ⌧ | &mut ⌧ | &
shr ⌧ | ⇧⌧ | ⌃⌧ | . . .
⌅ Typing context T assigns types ⌧ to paths p
⌅ Typing individual instructions:(� binds variables, E and L track lifetimes)
� | E;L | T1 ` S a x .T2
⌅ Typing whole functions: (K tracks continuations)
� | E;L | K,T ` F
13 of 35
![Page 25: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/25.jpg)
Some typing rules
� | E;L ` alive
� | E;L | p1 C &mut ⌧, p2 C ⌧ ` p1 := p2 a p1 C &
mut ⌧
� | E;L | T1 ` S a x .T2 �, x : val | E;L | K;T2,T ` F
� | E;L | K;T1,T ` let x = S in F
14 of 35
![Page 26: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/26.jpg)
Some typing rules
� | E;L ` alive
� | E;L | p1 C &mut ⌧, p2 C ⌧ ` p1 := p2 a p1 C &
mut ⌧
� | E;L | T1 ` S a x .T2 �, x : val | E;L | K;T2,T ` F
� | E;L | K;T1,T ` let x = S in F
14 of 35
![Page 27: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/27.jpg)
Syntactic type safety
The standard “syntactic” approach to language safety is to prove atheorem like the following, via good old “progress and preservation”:
E;L | K,T ` F =) F is safe
⌅ Problem: This theorem does not help when unsafe code is used!
⌅ Solution: A more semantic approach based on logical relations
15 of 35
![Page 28: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/28.jpg)
The logical relation
⌅ Define, for every type ⌧ , an ownership predicate, wheret is the owning thread’s id and v is the representation of ⌧ :
J⌧K.own(t, v)
⌅ Lift to semantic contexts JTK(t) using separating conjunction:
Jp1 C ⌧1, p2 C ⌧2K(t) :=
J⌧1K.own(t, [p1]) ⇤ J⌧2K.own(t, [p2])
⌅ Lift to semantic typing judgments:
E;L | T1 |= S |=T2 :=
8t. {JEK ⇤ JLK ⇤ JT1K(t)} S {JEK ⇤ JLK ⇤ JT2K(t)}
16 of 35
![Page 29: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/29.jpg)
The logical relation
⌅ Define, for every type ⌧ , an ownership predicate, wheret is the owning thread’s id and v is the representation of ⌧ :
J⌧K.own(t, v)
⌅ Lift to semantic contexts JTK(t) using separating conjunction:
Jp1 C ⌧1, p2 C ⌧2K(t) :=
J⌧1K.own(t, [p1]) ⇤ J⌧2K.own(t, [p2])
⌅ Lift to semantic typing judgments:
E;L | T1 |= S |=T2 :=
8t. {JEK ⇤ JLK ⇤ JT1K(t)} S {JEK ⇤ JLK ⇤ JT2K(t)}
16 of 35
![Page 30: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/30.jpg)
The logical relation
⌅ Define, for every type ⌧ , an ownership predicate, wheret is the owning thread’s id and v is the representation of ⌧ :
J⌧K.own(t, v)
⌅ Lift to semantic contexts JTK(t) using separating conjunction:
Jp1 C ⌧1, p2 C ⌧2K(t) :=
J⌧1K.own(t, [p1]) ⇤ J⌧2K.own(t, [p2])
⌅ Lift to semantic typing judgments:
E;L | T1 |= S |=T2 :=
8t. {JEK ⇤ JLK ⇤ JT1K(t)} S {JEK ⇤ JLK ⇤ JT2K(t)}16 of 35
![Page 31: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/31.jpg)
Compatibility lemmas
To connect logical relation to type system,we show semantic versions of all syntactic typing rules.
� | E;L ` alive
� | E;L | p1 C &mut ⌧, p2 C ⌧ ` p1 := p2 a p1 C &
mut ⌧
E;L | T1 ` S a x .T2 E;L | K;T2,T ` F
E;L | K;T1,T ` let x = S in F
17 of 35
![Page 32: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/32.jpg)
Compatibility lemmas
To connect logical relation to type system,we show semantic versions of all syntactic typing rules.
� | E;L |= alive
� | E;L | p1 C &mut ⌧, p2 C ⌧ |= p1 := p2 |=p1 C &
mut ⌧
E;L | T1 |= S |=x .T2 E;L | K;T2,T |= F
E;L | K;T1,T |= let x = S in F
17 of 35
![Page 33: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/33.jpg)
Type safety (revisited)
⌅ From compatibility:
E;L | K,T ` F a T2 =) E;L | K,T |= F |=T2
⌅ Finally, we show that the relation is adequate:
E;L | T1 |= F |=T2 =) F is safe
⌅ Conclusion: well-typed programs can’t go wrong⇤ No data race, no memory error, . . .
18 of 35
![Page 34: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/34.jpg)
Type safety (semantic version)
The semantic approach provides a much stronger safety theorem thansyntactic type safety:
⌅ For well-typed code, E;L | K;T ` Fsafe =) E;L | K;T |= Fsafe
⌅ If unsafe features are used, manually prove E;L | K;T |= Funsafe
⌅ By compatibility, we can compose these proofs and obtain safety ofthe entire program!
The whole program is safeif the “unsafe” pieces are safe.
19 of 35
![Page 35: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/35.jpg)
Type safety (semantic version)
The semantic approach provides a much stronger safety theorem thansyntactic type safety:
⌅ For well-typed code, E;L | K;T ` Fsafe =) E;L | K;T |= Fsafe
⌅ If unsafe features are used, manually prove E;L | K;T |= Funsafe
⌅ By compatibility, we can compose these proofs and obtain safety ofthe entire program!
The whole program is safeif the “unsafe” pieces are safe.
19 of 35
![Page 36: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/36.jpg)
How do we define the logicalinterpretation of types?
20 of 35
![Page 37: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/37.jpg)
Choosing the right logic
Rust type system has ownership + complex sharing protocolsin a higher-order concurrent setting
“Obvious” choice of a logic for interpreting Rust types:
Higher-order concurrent separation logic
But which one?
21 of 35
![Page 38: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/38.jpg)
Choosing the right logic
Rust type system has ownership + complex sharing protocolsin a higher-order concurrent setting
“Obvious” choice of a logic for interpreting Rust types:
Higher-order concurrent separation logic
But which one?
21 of 35
![Page 39: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/39.jpg)
Choosing the right logic
Rust type system has ownership + complex sharing protocolsin a higher-order concurrent setting
“Obvious” choice of a logic for interpreting Rust types:
Higher-order concurrent separation logic
But which one?
21 of 35
![Page 40: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/40.jpg)
A brief history of concurrent separation logic
Owicki-Gries (1976)
CSL (2004)Rely-Guarantee (1983)
SAGL (2007)RGSep (2007)
Deny-Guarantee (2009)
CAP (2010)
Liang-Feng (2013)
LRG (2009)
SCSL (2013)HOCAP (2013)
iCAP (2014)
Iris (2015)
CaReSL (2013)
FCSL (2014)
TaDA (2014)
CoLoSL (2015)
Gotsman-al (2007)
HLRG (2010)
Bornat-al (2005)
RGSim (2012)
GPS (2014)Total-TaDA (2016)
Iris 2.0 (2016)
FTCSL (2015)
Jacobs-Piessens (2011)
RSL (2013)
LiLi (2016)
Bell-al (2010)Hobor-al (2008)
FSL (2016)
Iris 3.0 (2016)Picture by Ilya Sergey
22 of 35
![Page 41: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/41.jpg)
A brief history of concurrent separation logic
23 of 35
![Page 42: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/42.jpg)
A brief history of concurrent separation logic
Owicki-Gries (1976)
CSL (2004)Rely-Guarantee (1983)
SAGL (2007)RGSep (2007)
Deny-Guarantee (2009)
CAP (2010)
Liang-Feng (2013)
LRG (2009)
SCSL (2013)HOCAP (2013)
iCAP (2014)
Iris (2015)
CaReSL (2013)
FCSL (2014)
TaDA (2014)
CoLoSL (2015)
Gotsman-al (2007)
HLRG (2010)
Bornat-al (2005)
RGSim (2012)
GPS (2014)Total-TaDA (2016)
Iris 2.0 (2016)
FTCSL (2015)
Jacobs-Piessens (2011)
RSL (2013)
LiLi (2016)
Bell-al (2010)Hobor-al (2008)
FSL (2016)
Iris 3.0 (2016)Picture by Ilya Sergey
24 of 35
![Page 43: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/43.jpg)
Iris
Iris is a higher-order concurrent separation logic framework that wehave been developing since 2014 [POPL’15, ICFP’16, POPL’17, ESOP’17, ECOOP’17]
Distinguishing features of Iris:
⌅ Simple foundation: Higher-order BI + a handful of modalities
⌅ Rules for complex “sharing protocols” (which were built in asprimitive in prior logics) are derivable in Iris
⌅ Supports impredicative invariants, which arise when modelingrecursive & generic types in Rust
⌅ Excellent tactical support for mechanization in Coq
Iris is ideal for modeling Rust!
25 of 35
![Page 44: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/44.jpg)
Iris
Iris is a higher-order concurrent separation logic framework that wehave been developing since 2014 [POPL’15, ICFP’16, POPL’17, ESOP’17, ECOOP’17]
Distinguishing features of Iris:
⌅ Simple foundation: Higher-order BI + a handful of modalities
⌅ Rules for complex “sharing protocols” (which were built in asprimitive in prior logics) are derivable in Iris
⌅ Supports impredicative invariants, which arise when modelingrecursive & generic types in Rust
⌅ Excellent tactical support for mechanization in Coq
Iris is ideal for modeling Rust!
25 of 35
![Page 45: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/45.jpg)
Ownership interpretations of simple types
JboolK.own(t, v):=
v = [true] _ v = [false]
J⌧1 ⇥ ⌧2K.own(t, v):=
9v1, v2. v = v1 ++ v2 ⇤ J⌧1K.own(t, v1) ⇤ J⌧2K.own(t, v2)
26 of 35
![Page 46: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/46.jpg)
Ownership interpretations of pointer types
Jownn ⌧K.own(t, v):=
9`. v = [`] ⇤ (9w . ` 7! w ⇤ . J⌧K.own(t,w)) ⇤ . . .
J&mut ⌧K.own(t, v)
:=
9`. v = [`] ⇤ &�9w . ` 7! w ⇤ J⌧K.own(t,w)
�
27 of 35
![Page 47: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/47.jpg)
Ownership interpretations of pointer types
Jownn ⌧K.own(t, v):=
9`. v = [`] ⇤ (9w . ` 7! w ⇤ . J⌧K.own(t,w)) ⇤ . . .
J&mut ⌧K.own(t, v)
:=
9`. v = [`] ⇤ &�9w . ` 7! w ⇤ J⌧K.own(t,w)
�
What is this? Not your grandma’s separation logic!
27 of 35
![Page 48: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/48.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ⇤ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V & P ⇤�[†] V .P
�
28 of 35
![Page 49: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/49.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ⇤ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V & P ⇤�[†] V .P
�
.P can be transformed into. . .
29 of 35
![Page 50: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/50.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ⇤ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V & P ⇤�[†] V .P
�
A borrowed part:
⌅ access of P when is ongoing
⌅P must be preserved when ends
29 of 35
![Page 51: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/51.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ⇤ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V & P ⇤�[†] V .P
�
An inheritance part, that givesback P when is finished.
29 of 35
![Page 52: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/52.jpg)
Lifetime tokens
How to witness that is alive?
We use a lifetime token []
⌅ Left in deposit when opening a borrow:
&P ⇤ [] V .P ⇤
�.P V &
P ⇤ []�
⌅ Needed to terminate :
[] V [†]
30 of 35
![Page 53: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/53.jpg)
Modeling shared references
As we’ve seen, each type T may have a di↵erent “sharing protocol”defining the semantics of &'a T.
⌅ E.g., &'a i32 is read-only, whereas &'a Mutex<i32> grantsmutable access to its contents once a lock is acquired
We model this by defining for each ⌧ a “sharing predicate” J⌧K.shr:
J&shr ⌧K.own(t, v)
:=
9`. v = [`] ⇤ J⌧K.shr(JK, t, `)
The sharing predicate is required to be persistent:
⌅ I.e., freely duplicable, since in Rust &'a T is a Copy type
31 of 35
![Page 54: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/54.jpg)
Modeling “thread-safety” of types
Some interior-mutable types are not thread-safe
⌅ They support shared mutable access without atomics
⌅ Examples: reference-counted pointer (Rc<T>), . . .
Still, Rust guarantees absence of data races
⌅ Ownership transfer between threads only allowed for some types
⌅T : Send () T is thread-safe
In our model:
⌅ Interpretations of types may depend on the thread ID
⌅ JT : SendK () JTK does not depend on TID
32 of 35
![Page 55: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/55.jpg)
Introduction
Overview of Rust
RustBelt
Conclusion
33 of 35
![Page 56: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/56.jpg)
What else is in the paper [POPL’18]
More details about the �Rust type system and “lifetime logic”
How to model essential Rust types featuring interior mutability
⌅Cell<T>, RefCell<T>, Rc<T>, Arc<T>, Mutex<T>, RwLock<T>
How to handle lifetime inclusion and subtyping
Still missing from RustBelt:
⌅ Trait objects (existential types), weak memory, panics, . . .
34 of 35
![Page 57: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/57.jpg)
Conclusion
Logical relations are a great way to prove safety of a real languagein an “extensible” way.
Advances in separation logic (as embodied in Iris) make thispossible for even a language as sophisticated as Rust!
http://plv.mpi-sws.org/rustbelt/
35 of 35
![Page 58: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/58.jpg)
Lifetime logic
Usually: we split ownership with respect to space
Let’s allow splitting ownership over time:
.P V & P ⇤�[†] V .P
�
.P can be transformed into. . .
1 of 5
![Page 59: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/59.jpg)
Lifetime logic
Usually: we split ownership with respect to space
Let’s allow splitting ownership over time:
.P V & P ⇤�[†] V .P
�
A borrowed part:
⌅ access of P when is ongoing
⌅P must be preserved when ends
1 of 5
![Page 60: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/60.jpg)
Lifetime logic
Usually: we split ownership with respect to space
Let’s allow splitting ownership over time:
.P V & P ⇤�[†] V .P
�
An inheritance part, that givesback P when is finished.
1 of 5
![Page 61: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/61.jpg)
Lifetime tokens
How to witness that is alive?
We use a lifetime token []
⌅ Left in deposit when opening a borrow:
&P ⇤ [] V .P ⇤
�.P V &
P ⇤ []�
⌅ Needed to terminate :
[] V [†]
2 of 5
![Page 62: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/62.jpg)
fn f<'a>(pair : &'a mut (i32, i32)) {
let fst : &'a mut i32 = &mut pair.0;
let snd : &'a mut i32 = &mut pair.1;
join(|| *fst *= 2,
|| *snd += 1);
}
3 of 5
![Page 63: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/63.jpg)
fn f<'a>(pair : &'a mut (i32, i32)) {
let fst : &'a mut i32 = &mut pair.0;
let snd : &'a mut i32 = &mut pair.1;
join(|| *fst *= 2,
|| *snd += 1);
}
We need to split borrows:
&(P ⇤ Q) WV &P ⇤&
Q
3 of 5
![Page 64: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/64.jpg)
fn f<'a>(pair : &'a mut (i32, i32)) {
let fst : &'a mut i32 = &mut pair.0;
let snd : &'a mut i32 = &mut pair.1;
join(|| *fst *= 2,
|| *snd += 1);
}
Both threads witness that the lifetime is alive.=) We make the lifetime token fractional:
[]q+q0 , []q ⇤ []q0
3 of 5
![Page 65: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/65.jpg)
Fractional lifetime tokens
How to witness that is alive?
We use lifetime tokens []q⌅ Fractional: []q+q0 , []q ⇤ []q0⌅ Full token needed to terminate :
[]1 V [†]
⌅ Fraction left in deposit when opening a borrow:
&P ⇤ []q V .P ⇤
�.P V &
P ⇤ []q�
4 of 5
![Page 66: RustBelt: Securing the Foundations of the 10pt Rust ...mpi-sws.org/~dreyer/talk.pdf · Rust Mozilla’s replacement for C/C++ A safe & flexible systems programming language ⌅ Modern](https://reader034.vdocuments.mx/reader034/viewer/2022042301/5ecccf86c221095fc21e2bc1/html5/thumbnails/66.jpg)
Sharing protocols
J&'a TK.own([l ]) := JTK.shr(J'aK, l) := ?
Depends on T. Common idea:
⌅ Share a borrow using an invariant:
JTK.shr(J'aK, l) := & [Protocol]N
⇤ Technical problems with step-indexing
⌅ Specific construction: persistent borrows: &/Nat [Protocol]
⇤ Behave like cancellable invariant
5 of 5