RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A...
Transcript of RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A...
![Page 1: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/1.jpg)
RustBelt: Securing the Foundations of the
Rust Programming Language
Ralf JungJacques-Henri Jourdan
Robbert KrebbersDerek Dreyer
MPI-SWS & TU Delft
October 13, 2017ETH Zurich
![Page 2: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/2.jpg)
RustMozilla’s replacement for C/C++
A safe & flexible systems programming language
� Modern strongly-typed PL:� First-class functions, polymorphism/generics� Traits ≈ Type classes + associated types
� But with control over resource management(e.g., memory allocation and data layout)
� Sound type system with strong guarantees:� Type & memory safety; absence of data races
2 of 35
![Page 3: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/3.jpg)
RustMozilla’s replacement for C/C++
A safe & flexible systems programming language
� Modern strongly-typed PL:� First-class functions, polymorphism/generics� Traits ≈ Type classes + associated types
� But with control over resource management(e.g., memory allocation and data layout)
� Sound? type system with strong guarantees:� Type & memory safety; absence of data races
Goal of ERC RustBelt project:
� Prove the soundness of Rust’s type system in Coq!
2 of 35
![Page 4: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/4.jpg)
The key challenge
Superficially, Rust’s approach to ensuring safety is sold as:
”No mutation through aliased pointers”
But this is not always true!
� Many Rust libraries permit mutation through aliased pointers
� The safety of this is highly non-obvious because these librariesmake use of unsafe features!
3 of 35
![Page 5: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/5.jpg)
The key challenge
Superficially, Rust’s approach to ensuring safety is sold as:
”No mutation through aliased pointers”
But this is not always true!
� Many Rust libraries permit mutation through aliased pointers
� The safety of this is highly non-obvious because these librariesmake use of unsafe features!
3 of 35
![Page 6: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/6.jpg)
The key challenge
Superficially, Rust’s approach to ensuring safety is sold as:
”No mutation through aliased pointers”
But this is not always true!
� Many Rust libraries permit mutation through aliased pointers
� The safety of this is highly non-obvious because these librariesmake use of unsafe features!
So why is any of this sound?
3 of 35
![Page 7: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/7.jpg)
Introduction
Overview of Rust
RustBelt
Conclusion
4 of 35
![Page 8: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/8.jpg)
let (snd, rcv) = channel();
join(
move || { // First thread
// Allocating [b] as Box<i32> (pointer to heap)
let mut b = Box::new(0);
*b = 1;
// Transferring the ownership to the other thread...
snd.send(b);
},
move || { // Second thread
let b = rcv.recv().unwrap(); // ... that receives it
println!("{}", *b); // ... and uses it.
});
5 of 35
![Page 9: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/9.jpg)
let (snd, rcv) = channel();
join(
move || { // First thread
// Allocating [b] as Box<i32> (pointer to heap)
let mut b = Box::new(0);
*b = 1;
// Transferring the ownership to the other thread...
snd.send(b);
*b = 2; // Error: lost ownership of [b]
// ==> Prevents data race
},
move || { // Second thread
let b = rcv.recv().unwrap(); // ... that receives it
println!("{}", *b); // ... and uses it.
});
5 of 35
![Page 10: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/10.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
v[1] = 4;
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
� mutable borrowed reference
� valid only for lifetime 'a
6 of 35
![Page 11: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/11.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
� mutable borrowed reference
� valid only for lifetime 'a
6 of 35
![Page 12: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/12.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
// Error: can invalidate [inner ptr]
v.push(1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
� mutable borrowed reference
� valid only for lifetime 'a
6 of 35
![Page 13: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/13.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
// Error: can invalidate [inner ptr]
v.push(1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
� mutable borrowed reference
� valid only for lifetime 'a
We temporarily lost ownership of vector v
We get back the full ownership of vector v
6 of 35
![Page 14: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/14.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
� mutable borrowed reference
� valid only for lifetime 'a
6 of 35
![Page 15: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/15.jpg)
Borrowing and lifetimes
let mut v = vec![1, 2, 3];
{ let mut inner_ptr = Vec::index_mut(&mut v, 1);
*inner_ptr = 4; }
v.push(6);
println!("{:?}", v);
Type of index_mut:
fn<'a> index_mut(&'a mut Vec<i32>, usize)
-> &'a mut i32
New pointer type: &'a mut T:
� mutable borrowed reference
� valid only for lifetime 'a
Lifetime 'a inferred by Rust
6 of 35
![Page 16: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/16.jpg)
Shared borrowing
let mut x = 1;
join (|| println !("Thread 1: {}" , &x),
|| println !("Thread 2: {}" , &x));
x = 2;
7 of 35
![Page 17: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/17.jpg)
Shared borrowing
let mut x = 1;
join (|| println !("Thread 1: {}" , &x),
|| println !("Thread 2: {}" , &x));
x = 2;
&x creates a shared borrow of x
� Type: &'a i32
� Can be copied/shared
� Does not allow mutation
7 of 35
![Page 18: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/18.jpg)
Summing up
� Rust’s type system is based on ownership
� Three kinds of ownership:
1. Full ownership: Vec<T> (vector), Box<T> (pointer to heap)2. Mutable borrowed reference: &'a mut T
3. Shared borrowed reference: &'a T
� Lifetimes decide when borrows are valid
8 of 35
![Page 19: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/19.jpg)
Interior mutability
What if we want shared mutable data structures?
Rust standard library provides types with interior mutability
� Allows mutation using only a shared reference &'a T
� Implemented in Rust using unsafe features� Unsafety is claimed to be safely encapsulated
� The library interface restricts what mutations are possible
9 of 35
![Page 20: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/20.jpg)
MutexAn example of Interior mutability
let m = Mutex::new(1); // m : Mutex<i32>
// We can mutate the integer
// *with a shared borrow* only
join (|| *(&m).lock().unwrap() += 1,
|| *(&m).lock().unwrap() += 1);
// Unique owner: no need to lock
println!("{}", m.into_inner().unwrap())
A shared borrow establishes a sharing protocol:
� &'a i32
� =⇒ Read-only� Safety: trivial
� &'a Mutex<i32>
� =⇒ Read-write by taking the lock� Safety: ensured by proper synchronization
10 of 35
![Page 21: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/21.jpg)
MutexAn example of Interior mutability
let m = Mutex::new(1); // m : Mutex<i32>
// We can mutate the integer
// *with a shared borrow* only
join (|| *(&m).lock().unwrap() += 1,
|| *(&m).lock().unwrap() += 1);
// Unique owner: no need to lock
println!("{}", m.into_inner().unwrap())
A shared borrow establishes a sharing protocol:
� &'a i32
� =⇒ Read-only� Safety: trivial
� &'a Mutex<i32>
� =⇒ Read-write by taking the lock� Safety: ensured by proper synchronization
10 of 35
![Page 22: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/22.jpg)
How do we know this all works?
11 of 35
![Page 23: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/23.jpg)
Introduction
Overview of Rust
RustBelt
Conclusion
12 of 35
![Page 24: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/24.jpg)
The λRust type system
� Syntactic (built-in types)
τ ::= bool | int | ownn τ | &κmut τ | &κ
shr τ | Πτ | Στ | . . .
� Typing context T assigns types τ to paths p
� Typing individual instructions:(Γ binds variables, E and L track lifetimes)
Γ | E; L | T1 ` S a x .T2
� Typing whole functions: (K tracks continuations)
Γ | E; L | K,T ` F
13 of 35
![Page 25: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/25.jpg)
Some typing rules
Γ | E; L ` κ alive
Γ | E; L | p1 C &κmut τ, p2 C τ ` p1 := p2 a p1 C &κ
mut τ
Γ | E; L | T1 ` S a x .T2 Γ, x : val | E; L | K; T2,T ` F
Γ | E; L | K; T1,T ` let x = S in F
14 of 35
![Page 26: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/26.jpg)
Some typing rules
Γ | E; L ` κ alive
Γ | E; L | p1 C &κmut τ, p2 C τ ` p1 := p2 a p1 C &κ
mut τ
Γ | E; L | T1 ` S a x .T2 Γ, x : val | E; L | K; T2,T ` F
Γ | E; L | K; T1,T ` let x = S in F
14 of 35
![Page 27: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/27.jpg)
Syntactic type safety
The standard “syntactic” approach to language safety is to prove atheorem like the following, via good old “progress and preservation”:
E; L | K,T ` F =⇒ F is safe
� Problem: This theorem does not help when unsafe code is used!
� Solution: A more semantic approach based on logical relations
15 of 35
![Page 28: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/28.jpg)
The logical relation
� Define, for every type τ , an ownership predicate, wheret is the owning thread’s id and v is the representation of τ :
JτK.own(t, v)
� Lift to semantic contexts JTK(t) using separating conjunction:
Jp1 C τ1, p2 C τ2K(t) :=
Jτ1K.own(t, [p1]) ∗ Jτ2K.own(t, [p2])
� Lift to semantic typing judgments:
E; L | T1 |= S |=T2 :=
∀t. {JEK ∗ JLK ∗ JT1K(t)} S {JEK ∗ JLK ∗ JT2K(t)}
16 of 35
![Page 29: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/29.jpg)
The logical relation
� Define, for every type τ , an ownership predicate, wheret is the owning thread’s id and v is the representation of τ :
JτK.own(t, v)
� Lift to semantic contexts JTK(t) using separating conjunction:
Jp1 C τ1, p2 C τ2K(t) :=
Jτ1K.own(t, [p1]) ∗ Jτ2K.own(t, [p2])
� Lift to semantic typing judgments:
E; L | T1 |= S |=T2 :=
∀t. {JEK ∗ JLK ∗ JT1K(t)} S {JEK ∗ JLK ∗ JT2K(t)}
16 of 35
![Page 30: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/30.jpg)
The logical relation
� Define, for every type τ , an ownership predicate, wheret is the owning thread’s id and v is the representation of τ :
JτK.own(t, v)
� Lift to semantic contexts JTK(t) using separating conjunction:
Jp1 C τ1, p2 C τ2K(t) :=
Jτ1K.own(t, [p1]) ∗ Jτ2K.own(t, [p2])
� Lift to semantic typing judgments:
E; L | T1 |= S |=T2 :=
∀t. {JEK ∗ JLK ∗ JT1K(t)} S {JEK ∗ JLK ∗ JT2K(t)}16 of 35
![Page 31: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/31.jpg)
Compatibility lemmas
To connect logical relation to type system,we show semantic versions of all syntactic typing rules.
Γ | E; L ` κ alive
Γ | E; L | p1 C &κmut τ, p2 C τ ` p1 := p2 a p1 C &κ
mut τ
E; L | T1 ` S a x .T2 E; L | K; T2,T ` F
E; L | K; T1,T ` let x = S in F
17 of 35
![Page 32: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/32.jpg)
Compatibility lemmas
To connect logical relation to type system,we show semantic versions of all syntactic typing rules.
Γ | E; L |= κ alive
Γ | E; L | p1 C &κmut τ, p2 C τ |= p1 := p2 |=p1 C &κ
mut τ
E; L | T1 |= S |=x .T2 E; L | K; T2,T |= F
E; L | K; T1,T |= let x = S in F
17 of 35
![Page 33: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/33.jpg)
Type safety (revisited)
� From compatibility:
E; L | K,T ` F a T2 =⇒ E; L | K,T |= F |=T2
� Finally, we show that the relation is adequate:
E; L | T1 |= F |=T2 =⇒ F is safe
� Conclusion: well-typed programs can’t go wrong� No data race, no memory error, . . .
18 of 35
![Page 34: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/34.jpg)
Type safety (semantic version)
The semantic approach provides a much stronger safety theorem thansyntactic type safety:
� For well-typed code, E; L | K; T ` Fsafe =⇒ E; L | K; T |= Fsafe� If unsafe features are used, manually prove E; L | K; T |= Funsafe� By compatibility, we can compose these proofs and obtain safety of
the entire program!
The whole program is safeif the “unsafe” pieces are safe.
19 of 35
![Page 35: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/35.jpg)
Type safety (semantic version)
The semantic approach provides a much stronger safety theorem thansyntactic type safety:
� For well-typed code, E; L | K; T ` Fsafe =⇒ E; L | K; T |= Fsafe� If unsafe features are used, manually prove E; L | K; T |= Funsafe� By compatibility, we can compose these proofs and obtain safety of
the entire program!
The whole program is safeif the “unsafe” pieces are safe.
19 of 35
![Page 36: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/36.jpg)
How do we define the logicalinterpretation of types?
20 of 35
![Page 37: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/37.jpg)
Choosing the right logic
Rust type system has ownership + complex sharing protocolsin a higher-order concurrent setting
“Obvious” choice of a logic for interpreting Rust types:
Higher-order concurrent separation logic
But which one?
21 of 35
![Page 38: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/38.jpg)
Choosing the right logic
Rust type system has ownership + complex sharing protocolsin a higher-order concurrent setting
“Obvious” choice of a logic for interpreting Rust types:
Higher-order concurrent separation logic
But which one?
21 of 35
![Page 39: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/39.jpg)
Choosing the right logic
Rust type system has ownership + complex sharing protocolsin a higher-order concurrent setting
“Obvious” choice of a logic for interpreting Rust types:
Higher-order concurrent separation logic
But which one?
21 of 35
![Page 40: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/40.jpg)
A brief history of concurrent separation logic
Owicki-Gries (1976)
CSL (2004)Rely-Guarantee (1983)
SAGL (2007)
RGSep (2007)
Deny-Guarantee (2009)
CAP (2010)
Liang-Feng (2013)
LRG (2009)
SCSL (2013)HOCAP (2013)
iCAP (2014)
Iris (2015)
CaReSL (2013)
FCSL (2014)
TaDA (2014)
CoLoSL (2015)
Gotsman-al (2007)
HLRG (2010)
Bornat-al (2005)
RGSim (2012)
GPS (2014)Total-TaDA (2016)
Iris 2.0 (2016)
FTCSL (2015)
Jacobs-Piessens (2011)
RSL (2013)
LiLi (2016)
Bell-al (2010)
Hobor-al (2008)
FSL (2016)
Iris 3.0 (2016)
Picture by Ilya Sergey
22 of 35
![Page 41: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/41.jpg)
A brief history of concurrent separation logic
23 of 35
![Page 42: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/42.jpg)
A brief history of concurrent separation logic
Owicki-Gries (1976)
CSL (2004)Rely-Guarantee (1983)
SAGL (2007)
RGSep (2007)
Deny-Guarantee (2009)
CAP (2010)
Liang-Feng (2013)
LRG (2009)
SCSL (2013)HOCAP (2013)
iCAP (2014)
Iris (2015)
CaReSL (2013)
FCSL (2014)
TaDA (2014)
CoLoSL (2015)
Gotsman-al (2007)
HLRG (2010)
Bornat-al (2005)
RGSim (2012)
GPS (2014)Total-TaDA (2016)
Iris 2.0 (2016)
FTCSL (2015)
Jacobs-Piessens (2011)
RSL (2013)
LiLi (2016)
Bell-al (2010)
Hobor-al (2008)
FSL (2016)
Iris 3.0 (2016)
Picture by Ilya Sergey
24 of 35
![Page 43: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/43.jpg)
Iris
Iris is a higher-order concurrent separation logic framework that wehave been developing since 2014 [POPL’15, ICFP’16, POPL’17, ESOP’17, ECOOP’17]
Distinguishing features of Iris:
� Simple foundation: Higher-order BI + a handful of modalities
� Rules for complex “sharing protocols” (which were built in asprimitive in prior logics) are derivable in Iris
� Supports impredicative invariants, which arise when modelingrecursive & generic types in Rust
� Excellent tactical support for mechanization in Coq
Iris is ideal for modeling Rust!
25 of 35
![Page 44: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/44.jpg)
Iris
Iris is a higher-order concurrent separation logic framework that wehave been developing since 2014 [POPL’15, ICFP’16, POPL’17, ESOP’17, ECOOP’17]
Distinguishing features of Iris:
� Simple foundation: Higher-order BI + a handful of modalities
� Rules for complex “sharing protocols” (which were built in asprimitive in prior logics) are derivable in Iris
� Supports impredicative invariants, which arise when modelingrecursive & generic types in Rust
� Excellent tactical support for mechanization in Coq
Iris is ideal for modeling Rust!
25 of 35
![Page 45: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/45.jpg)
Ownership interpretations of simple types
JboolK.own(t, v)
:=
v = [true] ∨ v = [false]
Jτ1 × τ2K.own(t, v)
:=
∃v1, v2. v = v1 ++ v2 ∗ Jτ1K.own(t, v1) ∗ Jτ2K.own(t, v2)
26 of 35
![Page 46: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/46.jpg)
Ownership interpretations of pointer types
Jownn τK.own(t, v)
:=
∃`. v = [`] ∗ (∃w . ` 7→ w ∗ . JτK.own(t,w)) ∗ . . .
J&κmut τK.own(t, v)
:=
∃`. v = [`] ∗ &κ(∃w . ` 7→ w ∗ JτK.own(t,w)
)
27 of 35
![Page 47: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/47.jpg)
Ownership interpretations of pointer types
Jownn τK.own(t, v)
:=
∃`. v = [`] ∗ (∃w . ` 7→ w ∗ . JτK.own(t,w)) ∗ . . .
J&κmut τK.own(t, v)
:=
∃`. v = [`] ∗ &κ(∃w . ` 7→ w ∗ JτK.own(t,w)
)
What is this? Not your grandma’s separation logic!
27 of 35
![Page 48: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/48.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ∗ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V &κ P ∗([†κ] V .P
)
28 of 35
![Page 49: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/49.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ∗ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V &κ P ∗([†κ] V .P
).P can be transformed into. . .
29 of 35
![Page 50: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/50.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ∗ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V &κ P ∗([†κ] V .P
)A borrowed part:
� access of P when κ is ongoing
� P must be preserved when κ ends
29 of 35
![Page 51: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/51.jpg)
Lifetime logic: A custom logic derived within Iris
Traditionally, P ∗ Q splits ownership w.r.t. space
Let’s allow splitting ownership w.r.t. time!
.P V &κ P ∗([†κ] V .P
)An inheritance part, that givesback P when κ is finished.
29 of 35
![Page 52: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/52.jpg)
Lifetime tokens
How to witness that κ is alive?
We use a lifetime token [κ]
� Left in deposit when opening a borrow:
&κ P ∗ [κ] V .P ∗(.P V &κ P ∗ [κ]
)� Needed to terminate κ:
[κ] V [†κ]
30 of 35
![Page 53: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/53.jpg)
Modeling shared references
As we’ve seen, each type T may have a different “sharing protocol”defining the semantics of &'a T.
� E.g., &'a i32 is read-only, whereas &'a Mutex<i32> grantsmutable access to its contents once a lock is acquired
We model this by defining for each τ a “sharing predicate” JτK.shr:
J&κshr τK.own(t, v)
:=
∃`. v = [`] ∗ JτK.shr(JκK, t, `)
The sharing predicate is required to be persistent:
� I.e., freely duplicable, since in Rust &'a T is a Copy type
31 of 35
![Page 54: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/54.jpg)
Modeling “thread-safety” of types
Some interior-mutable types are not thread-safe
� They support shared mutable access without atomics
� Examples: reference-counted pointer (Rc<T>), . . .
Still, Rust guarantees absence of data races
� Ownership transfer between threads only allowed for some types
� T : Send ⇐⇒ T is thread-safe
In our model:
� Interpretations of types may depend on the thread ID
� JT : SendK ⇐⇒ JTK does not depend on TID
32 of 35
![Page 55: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/55.jpg)
Introduction
Overview of Rust
RustBelt
Conclusion
33 of 35
![Page 56: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/56.jpg)
What else is in the paper [POPL’18]
More details about the λRust type system and “lifetime logic”
How to model essential Rust types featuring interior mutability
� Cell<T>, RefCell<T>, Rc<T>, Arc<T>, Mutex<T>, RwLock<T>
How to handle lifetime inclusion and subtyping
Still missing from RustBelt:
� Trait objects (existential types), weak memory, panics, . . .
34 of 35
![Page 57: RustBelt: Securing the Foundations of the 10pt Rust ... · Rust Mozilla’s replacement for C/C++ A safe & exible systems programming language Modern strongly-typed PL: First-class](https://reader034.fdocuments.in/reader034/viewer/2022042301/5ecccf5ac221095fc21e2b4f/html5/thumbnails/57.jpg)
Conclusion
Logical relations are a great way to prove safety of a real languagein an “extensible” way.
Advances in separation logic (as embodied in Iris) make thispossible for even a language as sophisticated as Rust!
http://plv.mpi-sws.org/rustbelt/
35 of 35