RustBelt: Securing the Foundations of the Rust Programming Language

Transcription

1 RustBelt: Securing the Foundations of the Rust Programming Language Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, Derek Dreyer POPL 2018 in Los Angeles, USA Max Planck Institute for Software Systems (MPI-SWS), TU Delft 1

2 Rust Mozilla s replacement for C/C++ A safe & modern systems PL 2

3 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types 2

4 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types Control over resource management (e.g., memory allocation and data layout) 2

5 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types Control over resource management (e.g., memory allocation and data layout) Strong type system guarantees: Type & memory safety; absence of data races 2

6 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types Goal of RustBelt project: Control over Prove resource safetymanagement of Rust and its (e.g., memory allocation standardand library. data layout) Strong type system guarantees: Type & memory safety; absence of data races 2

7 Contributions λ Rust : Core calculus representing a fragment of Rust and its type system Semantic soundness proof using logical relation in Iris Safety proof of some important unsafe libraries 3

8 Rust 101 4

9 Rust 101 Aliasing + Mutation 4

10 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); 5

11 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); // Send v to another thread send(v); Ownership transferred to send: fn send(vec<i32>) 5

12 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); // Send v to another thread send(v); // Let's try to use v again v.push(5); Error: v has been moved. Prevents possible data race. 5

13 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); // Send v to another thread send(v); x: T expresses ownership of x at type T Mutation allowed, no aliasing We can deallocate x 5

14 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); Why is v not moved? // Send v to another thread send(v); 5

15 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); // Send v to another thread send(v); Method call was just sugar. &mut v creates a reference. 6

16 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); Pass-by-reference: Vec::push borrows ownership temporarily // Send v to another thread send(v); Pass-by-value: Ownership moved to send permanently 6

17 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); Pass-by-reference: Vec::push borrows ownership temporarily // Send v to another thread send(v); 6

18 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); // Send v to another thread send(v); Type of push: fn Vec::push<'a>(&'a mut Vec<i32>, i32) 6

19 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); // Send v to another thread send(v); Type of push: fn Vec::push<'a>(&'a mut Vec<i32>, i32) Lifetime 'a is inferred by Rust. 6

20 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; &mut Vec::push(&mut x creates a mutable v, 4); reference of type &'a mut T: Ownership temporarily borrowed // Send v to another thread send(v); Borrow lasts for inferred lifetime 'a Mutation, no aliasing Unique pointer 6

21 Shared Borrowing let mut x = 1; join ( println!("thread 1: {}", &x), println!("thread 2: {}", &x);) x = 2; 7

22 Shared Borrowing let mut x = 1; join ( println!("thread 1: {}", &x), println!("thread 2: {}", &x)); x = 2; &x creates a shared reference of type &'a T Ownership borrowed for lifetime 'a Can be aliased Does not allow mutation 7

23 Shared Borrowing let mut x = 1; join ( println!("thread 1: {}", &x), println!("thread 2: {}", &x)); x = 2; After 'a has ended, x is writeable again. 7

24 Rust s type system is based on ownership: 1. Full ownership: T 2. Mutable borrowed reference: &'a mut T 3. Shared borrowed reference: &'a T Aliasing + Mutation Lifetimes 'a decide how long borrows last. 8

25 But what if I need aliased mutable state? Synchronization mechanisms: Locks, channels,... Memory management: Reference counting,... 9

26 let m = Mutex::new(1); // m : Mutex<i32> // Concurrent increment: // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10

27 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) // Concurrent increment: -> LockResult<MutexGuard<'a, i32>> // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10

28 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) // Concurrent increment: -> &'a mut i32 // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10

29 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) -> &'a mut i32 // Concurrent increment: Interior mutability // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10

30 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) -> &'a mut i32 // Concurrent increment: Interior mutability // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); Aliasing? + Mutation // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10

31 unsafe fn lock<'a>(&'a self) -> LockResult<MutexGuard<'a, T>> { unsafe { libc::pthread_mutex_lock(self.inner.get()); MutexGuard::new(self) } } 11

32 unsafe fn lock<'a>(&'a self) -> LockResult<MutexGuard<'a, T>> { } unsafe { } Mutex has an unsafe implementation. But the interface (API) is safe: libc::pthread_mutex_lock(self.inner.get()); fn MutexGuard::new(self) lock<'a>(&'a Mutex<i32>) -> &'a mut T 11

33 unsafe fn lock<'a>(&'a self) -> LockResult<MutexGuard<'a, T>> { } Mutex has an unsafe implementation. But the interface (API) is safe: unsafe fn lock<'a>(&'a { Mutex<i32>) -> &'a mut T libc::pthread_mutex_lock(self.inner.get()); Similar MutexGuard::new(self) for join: unsafely implemented user } library, safe interface. 11

34 Goal: Prove safety of Rust and its standard library. Safety proof needs to be extensible. 12

35 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... 13

36 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Typing context assigns types to paths p (denoting fields of structures) 13

37 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Core substructural typing judgments: Γ E; L T 1 I x. T 2 Γ E; L K, T F Typing individual instructions I (E and L track lifetimes) Typing whole functions F (K tracks continuations) 13

38 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Core substructural typing judgments: Γ E; L T 1 I x. T 2 Γ E; L K, T F 13

39 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Core substructural typing judgments: Γ E; L T 1 I x. T 2 Γ E; L K, T F 13

40 Syntactic type safety E; L K, T F = F is safe Usually proven by progress and preservation. But what about unsafe code? 14

41 Syntactic type safety E; L K, T F = F is safe Usually proven by progress and preservation. But what about unsafe code? Use a semantic approach based on logical relations. 14

42 The logical relation Ownership predicate for every type τ: τ.own(t, v) 15

43 The logical relation Ownership predicate for every type τ: τ.own(t, v) Owning thread s ID Data in memory 15

44 The logical relation Ownership predicate for every type τ: τ.own(t, v) Owning thread s ID Data in memory We use Iris to define ownership: Concurrent separation logic Designed to derive new reasoning principles inside the logic 15

45 The logical relation Ownership predicate for every type τ: τ.own(t, v) Lift to semantic contexts T (t): p 1 τ 1, p 2 τ 2 (t) := τ 1.own(t, [p 1 ]) τ 2.own(t, [p 2 ]) 15

46 The logical relation Ownership predicate for every type τ: τ.own(t, v) Lift to semantic contexts T (t): p 1 τ 1, p 2 τ 2 (t) := τ 1.own(t, [p 1 ]) τ 2.own(t, [p 2 ]) Separating conjunction 15

47 = The logical relation Ownership predicate for every type τ: τ.own(t, v) Lift to semantic typing judgments: E; L T 1 = I T 2 := t. { E L T 1 (t)} I { E L T 2 (t)} 15

48 Compatibility lemmas Connect logical relation to type system: Semantic versions of all syntactic typing rules. Γ E; L κ alive Γ E; L p 1 & κ mut τ, p 2 τ p 1 := p 2 p 1 & κ mut τ E; L T 1 I x. T 2 E; L K; T 2, T F E; L K; T 1, T let x = I in F 16

49 = Compatibility lemmas Connect logical relation to type system: Semantic versions of all syntactic typing rules. Γ E; L = κ alive Γ E; L p 1 & κ mut τ, p 2 τ = p 1 := p 2 p 1 & κ mut τ E; L T 1 = I x. T 2 E; L K; T 2, T = F = E; L K; T 1, T = let x = I in F 16

50 Compatibility lemmas Connect logical relation to type system: Semantic versions of all syntactic typing rules. Well-typed programs can t go wrong Γ E; L = κ alive No data race Γ E; L p 1 & κ mut τ, p 2 τ = p 1 := p 2 p 1 & κ mut τ No invalid memory access E; L T 1 = I x. T 2 E; L K; T 2, T = F = = E; L K; T 1, T = let x = I in F 16

51 Linking with unsafe code unsafe 17

52 Linking with unsafe code unsafe 17

53 Linking with unsafe code The whole program is safe if the unsafe pieces are safe! unsafe 17

54 How do we define τ.own(t, v)? 18

55 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... 19

56 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... 19

57 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... & κ mut τ.own(t, v) := l. v = [l] & κ ( full w. l w τ.own(t, w) ) 19

58 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... & κ mut τ.own(t, v) := l. v = [l] & κ ( full w. l w τ.own(t, w) ) Lifetime logic connective 19

59 Traditionally, P Q splits ownership in space. Lifetime logic allows splitting ownership in time! 20

60 P & κ full P ( [ κ] P ) now [ κ] time κ alive κ dead 21

61 P & κ full P ( [ κ] P ) Access to P while κ lasts now [ κ] time 21

62 P & κ full P ( [ κ] P ) Access to P while κ lasts now Access to P when κ has ended [ κ] time 21

63 P & κ full P ( [ κ] P ) Access to P while κ lasts The lifetime logic has been fully derived inside Iris. now Access to P when κ has ended [ κ] time 21

64 What else is in the paper? More details about λ Rust, the type system, and the lifetime logic How to handle interior mutability that is safe for subtle reasons (e.g., mutual exclusion) Mutex<T>, Cell<T> 22

65 What else is in the paper? More details about λ Rust, the type system, and the lifetime logic How to handle interior mutability that is safe for subtle reasons (e.g., mutual exclusion) Mutex<T>, Cell<T>, RefCell<T>, Rc<T>, Arc<T>, RwLock<T> (found a bug),... 22

66 What else is in the paper? More details about λ Rust, the type system, and the lifetime logic How to handle interior mutability that is safe for subtle reasons (e.g., mutual exclusion) Mutex<T>, Cell<T>, RefCell<T>, Rc<T>, Arc<T>, RwLock<T> (found a bug),... Still missing from RustBelt: Trait objects (existential types), weak memory, drop,... 22

67 Logical relations can be used to prove safety of languages with unsafe operations. Advances in separation logic (as embodied in Iris) make this possible for even a language as sophisticated as Rust! 23