----
-title: "RustBelt: Securing the Foundations of the Rust Programming Language"
-categories: research rust
-forum: https://internals.rust-lang.org/t/rustbelt-securing-the-foundations-of-the-rust-programming-language/5509
----
-
-Just yesterday, we submitted our paper [RustBelt: Securing the Foundations of the Rust Programming Language](https://www.mpi-sws.org/~dreyer/papers/rustbelt/paper.pdf).
-Quoting from the abstract:
-
-> Rust is a new systems programming language that promises to overcome
-the seemingly fundamental tradeoff between high-level safety
-guarantees and low-level control over resource management.
-Unfortunately, none of Rust's safety claims have been formally proven,
-and there is good reason to question whether they actually hold.
-Specifically, Rust employs a strong, ownership-based type system, but
-then extends the expressive power of this core type system through
-libraries that internally use unsafe features. In this paper, we give
-the first formal (and machine-checked) safety proof for a language
-representing a realistic subset of Rust. Our proof is extensible in
-the sense that, for each new Rust library that uses unsafe features,
-we can say what verification condition it must satisfy in order for it
-to be deemed a safe extension to the language. We have carried out
-this verification for some of the most important libraries that are
-used throughout the Rust ecosystem.
-
-<!-- MORE -->
-
-This paper is the result of almost two years of work by the [RustBelt](http://plv.mpi-sws.org/rustbelt/) research project to [formalize Rust's type system]({{ site.baseurl }}{% post_url 2015-10-12-formalizing-rust %}).
-The paper is now undergoing peer review; some time in fall we will be notified whether the paper got accepted or not.
-
-In case you wondered which "important libraries" we verified, the full list is `Rc`, `Arc`, `Cell` (including [`alias::one`](https://huonw.github.io/alias/alias/fn.one.html), which was recently [accepted into the standard library](https://github.com/rust-lang/rfcs/pull/1789)), `RefCell`, `Mutex`, `RwLock`, `thread::spawn`, `mem::swap`, [`take_mut::take`](https://docs.rs/take_mut/0.1.3/take_mut/fn.take.html) as well as converting `&&T` into `&Box<T>` (inspired by [Abomonation](http://www.frankmcsherry.org/serialization/2015/05/04/unsafe-at-any-speed.html)).
-Our model of Rust is somewhat simplified (e.g., we don't support unwinding after panics); still, we were actually able to [find a real bug]({{ site.baseurl }}{% post_url 2017-06-09-mutexguard-sync %}).
-For all the details, have a [look at the paper](https://www.mpi-sws.org/~dreyer/papers/rustbelt/paper.pdf).
-If that's not enough details for your taste, you can also check out [all our formal proofs](https://gitlab.mpi-sws.org/FP/LambdaRust-coq/).
-
-Of course, I am far from the only person who worked on this.
-All these results were only possible because of my great collaborators, [Jacques-Henri Jourdan](https://jhjourdan.mketjh.fr/) and [Robbert Krebbers](http://robbertkrebbers.nl/), as well as my PhD advisor, [Derek Dreyer](http://www.mpi-sws.org/~dreyer/).
-I also benefited a lot from countless discussions with the Rust community at large, and with Aaron and Niko in particular.
-You guys rock!
projects / web.git / blobdiff