People
Activity
    Gary
    @gbenattar
    Hi all,
    We are a company based in Tel Aviv (KZen Networks) working on multi-party digital signatures for blockchains and our cryptography layer is exclusively in Rust. We are dealing with several types of elliptic curves, implementing zero-knowledge proofs, bullet-proofs etc...
    We are talking with the French INRIA Prosecco team led by Karthik Bhargavan (http://prosecco.gforge.inria.fr/personal/karthik/) and we are investigating in Rust code generation with HACL / F. Our goal is to formally verify our cryptographic protocols.
    We were wondering how mature is formal verification in Rust and what could be a good starting point.
    Vytautas Astrauskas
    @vakaras
    @gbenattar I think you may want to talk with someone from Galois (@atomb ?) about verifying crypto code because as far as I understand that is one of the strong sides of SAW.
    Diane Hosfelt
    @avadacatavra
    @gbenattar we're just starting out. i'd definitely be interested to hear about any progress you make with Rust codegen from F* (although, I'd note that we don't have a verified compiler like compcert). i would second speaking to galois
    @/all i'm planning on doing a "reboot" soon, similar to what the unsafe code guidelines wg recently did--if anyone has comments/ideas about that, let me know
    Gary
    @gbenattar
    @avadacatavra cool I will loop you in, we will have one of our Rust guys working on it with the Prosecco team. I will also touch base with Galois. Thanks guys
    Dragoș Tiselice
    @dragostis
    Hi! I'm trying to write a formalization of parsing expression grammars and I'm not quite sure what tool to use. What I think I need is something that can use a partial definition: in order not to complicate things with a full formalization, I'm thinking about just writing the properties of the base combinatord then have more complicated ones defined on top. I need this to be able to tell me whether two expressions invalida
    ... whether two expression's purported equivalence invalidates any of the properties/definition.
    Dragoș Tiselice
    @dragostis
    I've been trying to use Z3 for this purpose but after adding some number of properties, I started to get timeouts. (Also, it's kind of hard to tell whether I'm using Z3 quite right.) I'm also thinking about writing this in Prolog, but I'm not quite sure.
    Dragoș Tiselice
    @dragostis
    I could also have a full definition, but I feel like would complicate things a lot since it has to deal with substring comparisons.
    Brendan Zabarauskas
    @brendanzab
    Did a quick search, and it seems somebody has verified PEGs in Coq, but sadly the artifacts were never made public :( https://arxiv.org/pdf/1105.2576.pdf
    looking at the inductive types that they use and the proof outlines could be helpful though
    Z3 doesn't do any termination checking, afaik, so understandable that you might start running into timeouts
    Another interesting one, for parser combinators (not PEGs) in Agda is: http://www.cse.chalmers.se/~nad/publications/danielsson-parser-combinators.pdf
    Brendan Zabarauskas
    @brendanzab
    https://github.com/gallais/agdarsec
    Dragoș Tiselice
    @dragostis
    There's an Idris implementation as well and it's not as long as I imagined. Maybe it's worth a shot to try and implement a complete model. My original idea was to only have properties checking.
    Aaron Tomb
    @atomb
    Somehow I missed your comments a while back, @gbenattar . If you'd like to try SAW, it currently supports LLVM and has some MIR support in progress. Trying the existing LLVM verification capabilities on some of your primitives could give you some sense for how applicable it might be. This example might be helpful to look over: https://github.com/GaloisInc/saw-script/tree/master/examples/salsa20
    I wouldn't be surprised if you encounter problems with unimplemented LLVM intrinsics that are used by rustc but not by clang. If you come across anything like that, we'd love a GitHub issue describing it.
    And once the MIR support is done, that'll likely be an even better path to take. I suspect it'll be able to handle typical crypto code by the end of the year.
    Oh, and use nightly binaries, rather than the somewhat old GitHub releases. See here: https://saw.galois.com/builds/nightly/
    Dragoș Tiselice
    @dragostis
    SAW is interesting, but what seems to be the best fit for me is something like E/Vampire prover. They seem to work really well in my use case.
    Aaron Tomb
    @atomb
    Yeah, if you're reasoning about the properties of a protocol in the abstract, rather than checking whether an implementation is correct, a pure theorem prover is probably the way to go. SAW is really tuned for comparing specs to implementations.
    Zhen Zhang
    @izgzhen
    Hi, PhD from UW here. Worked with @RalfJung on Iris before and on Servo with Rust team as well -- hoping to see exciting news on this line of work!
    Kelly Thomas Kline
    @kellytk
    Thanks for undertaking this work
    Diane Hosfelt
    @avadacatavra
    Hi all--expect to see some more from me on Monday
    I'd like to gather as much information on the tools that are interested in working on rust codebases as possible, so if that describes you, either message me or open up an issue/pr on the github :)
    Vytautas Astrauskas
    @vakaras
    @avadacatavra I will create a pull request as soon as I have a free moment for that. Hopefully, until Monday.
    Diane Hosfelt
    @avadacatavra
    https://doodle.com/poll/zncq2asiusctqtab
    if anyone has opinions on chat medium, pop them in there
    Vytautas Astrauskas
    @vakaras
    @avadacatavra I have created a github repository https://github.com/vakaras/mir-dump/ that illustrates how we extract information from the compiler.
    Vytautas Astrauskas
    @vakaras
    An important missing part is how we extract functional specifications from Rust attributes. I am currently rewriting that logic; I will update you as soon as I have it implemented.
    Denis Merigoux
    @denismerigoux
    Hi @vakaras ! Thank you for your work, it'll help a lot for those of us who are not familiar with the inner workings of MIR yet. I have never heard about extracting functional specifications from Rust attributes ; could you point me to some info on that ?
    Is there some "pure" subset of Rust in which you can write specs and that can be embedded into an attribute ?
    Vytautas Astrauskas
    @vakaras
    Hello @denismerigoux .The functional specifications were discussed in this issue: rust-lang-nursery/wg-verification#14. As far as I know, we currently do not even have a consensus how specifications should be written.
    Denis Merigoux
    @denismerigoux
    Oups, sorry for being so late :) Now that I'm working on the topic, I'll be able to bring a more informed opinion to the discussion
    Vytautas Astrauskas
    @vakaras
    What I am currently working on, is a way to get typed ASTs of something like this: https://github.com/nrc/libhoare
    Denis Merigoux
    @denismerigoux
    Wouahou this is very nice ! I'm currently wortking on code examples from Servo that would benefit some verification, to see exactly what kind of invariants and pre/post-conditions we're looking at. I'm manually translating the Rust code into pure functional Fstar (think of it as a full-spectrum dependently typed OCaml/F#), and using Fstar to verify some properties
    If you want I can show you what annotations I would need on the Rust code and that would be expressed using libhoare
    Vytautas Astrauskas
    @vakaras
    Could you post some examples either in the specification issue or create a pull request? In this way, I think it will be easier to ensure that requirements of different tools are taken into account.
    Denis Merigoux
    @denismerigoux
    Yes, I'll do that !
    Vytautas Astrauskas
    @vakaras
    Thank you!
    Denis Merigoux
    @denismerigoux
    Have you thought of keeping what's inside PhantomData types ? That could be used to model ghost proof artifacts and keep them around in structures
    Vytautas Astrauskas
    @vakaras
    I have not thought yet about PhantomData. That is a very good point. Thank you!
    Zhou Fangyi
    @fangyi-zhou
    Hello. My name is Fangyi. I'm a final year master student at Imperial College London. I'm curious to know whether this WG has interest in formalising the type system, or the main focus has been on verification of safety guarantees?
    Aaron Weiss
    @aatxe
    @fangyi-zhou I can't speak for the work group as a whole, but I certainly have an interest in formalizing (at least parts of) the type system, and indeed have been working on that for some time now.
    Diane Hosfelt
    @avadacatavra
    I've created a zulip for the wg--https://rust-lang.zulipchat.com/#narrow/stream/183875-wg-formal-methods
    The reason I've chosen zulip is that the way it groups topics is much easier to process asynchronously
    And it will organize the discussions more I hope :)
    There's also a number of other working groups on zulip--let me know if anyone as questions/needs help getting onto zulip!
    Dragoș Tiselice
    @dragostis
    Is there any fuzzer that works well with small functions? I've noticed that libFuzzer can take quite a long while for some particularly small test cases (if data == "some longer string" { panic!(); }).
    Ralf Jung
    @RalfJung
    @dragostis it's not about the function being small, it's about the bug only triggering on a tiny part of the input space. typically, fuzzers basically send random data into your program, so you cannot expect them to find such panics. for this you'd need some kind of instrumented fuzzer that determines how it can get a good branch coverage. such fuzzers exist as research prototypes but I don't know how far into the practically appliable tools this technology has made it.