Add all missing meetings

Xavier Denis · Xavier Denis · commit 517940c6a461 · 2024-09-05T16:42:28.000+02:00
diff --git a/content/meetings/_index.md b/content/meetings/_index.md
@@ -1,4 +1,6 @@
 +++
 title = "RFMIG meetings"
+sort_by = "date"
+render = false
 +++
 meetings section
diff --git a/content/meetings/aeneas.md b/content/meetings/aeneas.md
@@ -0,0 +1,8 @@
++++
+title = "Aeneas"
+date = 2022-10-24
++++
+
+We present Aeneas, a new verification toolchain for Rust programs based on a lightweight functional translation. We leverage Rust's rich region-based type system to eliminate memory reasoning for a large class of Rust programs by translating them to a pure lambda-calculus, as long as they do not rely on interior mutability or unsafe code. Doing so, we relieve the proof engineer of the burden of memory-based reasoning, allowing them to instead focus on *functional* properties of their code.
+
+[Video]( https://youtu.be/9j9EE36lJJI )
diff --git a/content/meetings/axiom-profiler.md b/content/meetings/axiom-profiler.md
@@ -0,0 +1,8 @@
++++
+date = "2024-05-27"
+title = "Debugging SMT issues: Axiom Profiler 2.0"
++++
+
+The majority of automated verification tools rely on SMT solvers for logical reasoning. Often tools spend most of the verification time querying them. However, these solvers are rather opaque: what can I as a verification tool developer or even user do when I run into poor performance or timeouts? In this talk I will describe our work on a new SMT analysis tool called “Axiom Profiler 2.0” which can help with debugging such performance problems. Currently the tool can help with the analysis of quantifier instantiations (the most common root cause of performance issues) during a run of z3, though in the future we hope to enable the analysis of other aspects.
+A prior tool simply called “Axiom Profiler” (1.0) was created with the same goal, but was cumbersome to use (only running on an older version of Windows), suffered from performance issues and frequent crashes, and supported only a single z3 version. Our new 2.0 tool has been rebuilt from scratch in Rust: it can be compiled to WASM to run anywhere, it is ~10x faster and much more stable, and it supports all modern z3 versions (we are open to supporting other SMT solvers in the future).
+The talk will cover the basics of how SMT solvers handle quantifiers, demonstrate how the Axiom Profiler 2.0 helps one to debug and fix related issues, and discuss potential future features. We aim to make this a beneficial tool for all users of SMT solvers and thus I encourage people to raise [suggestions/feature requests/smt-performance-related issues they’ve encountered] during the talk or in the subsequent discussion.
diff --git a/content/meetings/contracts.md b/content/meetings/contracts.md
@@ -2,9 +2,6 @@
 title = "Contracts in Rust"
 date = 2024-09-24
 +++
-**Title**: 
-
-**Abstract**:
 
 As the growing number of verification tools (Aeneas, Creusot, Kani, Prusti, Verus, ...) has shown, there is a growing community for formal verification of Rust code. 
 Each of these tools needs to re-invent a specification language, leading to a rapidly fragmenting ecosystem of incompatible languages and tools.
diff --git a/content/meetings/creusat.md b/content/meetings/creusat.md
@@ -0,0 +1,12 @@
++++
+title = "CreuSAT"
+date = 2022-09-26
++++
+
+This talk describes CreuSAT, a formally verified SAT solver written in Rust. In addition to implementing the core conflict-driven clause learning (CDCL) algorithm, CreuSAT also implements a series of crucial optimizations.
+The most important of these is the two watched literals scheme with blocking literals and circular search, the variable move-to-front (VMTF) decision heuristic, clause deletion, phase saving, and moving average based restarts.
+
+The resulting solver is the first deductively verified solver which is able to consistently solve problems from the SAT competition.
+This is done while maintaining a relatively small code base, amounting to around 4 thousand lines of proof code and program code combined, with a low proof overhead of around three lines of proof code per line of program code.
+
+[Video]( https://youtu.be/MkhjDpai8fM )
diff --git a/content/meetings/creusot-type-invariants.md b/content/meetings/creusot-type-invariants.md
@@ -0,0 +1,6 @@
++++
+title = "Type Invariants in Creusot"
+date = 2023-09-25
++++
+
+Type invariants are a common mechanism in program verification, that allows attaching logical predicates to data types. They typically capture properties of a data type that are preserved by operations on its values. Creusot is a tool for automated deductive verification of (safe) Rust programs. Leveraging the non-aliasing guarantees of Rust's type system, it translates annotated Rust to a functional language. The challenge of supporting type invariants in Creusot is preserving its strong composability without introducing unsoundness in the interaction with Creusot's encoding of mutable borrows. We present a novel translation of invariants for mutable borrows, that overcomes these challenges. Type invariants in Creusot proved useful for the verification of Rust's iterator combinators, reducing the required amount of manual specifications.
diff --git a/content/meetings/creusot.md b/content/meetings/creusot.md
@@ -0,0 +1,8 @@
++++
+title = "Creusot"
+date = 2022-02-28
++++
+
+Xavier Denis will discuss [Creusot](https://github.com/xldenis/creusot), his deductive verifier for Rust. Creusot aims to provide efficient verification of complex *safe* Rust code, and is backed by the Why3 verification platform. In this talk we'll briefly cover the high-level architecture of Creusot and some of the unique features in the tool.
+
+https://www.eventbrite.com/e/creusot-tickets-260072873967
diff --git a/content/meetings/crux-mir.md b/content/meetings/crux-mir.md
@@ -0,0 +1,10 @@
++++
+title = "CRUX MIR"
+date = 2022-05-30
++++
+
+
+crux-mir is a symbolic testing tool for Rust.  The user writes test cases using symbolic variables as inputs; crux-mir uses symbolic execution to check that the tests pass for all possible values of the symbolic variables.  crux-mir checks for absence of panics, overflows, and some forms of undefined behavior, and it supports user-defined assertions.  Recently, crux-mir gained support for calling Cryptol specifications directly from Rust code and for compositional reasoning, which allows efficiently verifying more complex functions, such as Rust implementations of cryptographic primitives.
+In this talk, I'll describe the design of crux-mir and show some examples of its use, with particular focus on the newer Cryptol and compositional reasoning features.
+
+[Video](https://www.youtube.com/watch?v=f3b5V3B4Q8c)
diff --git a/content/meetings/ferrocene.md b/content/meetings/ferrocene.md
@@ -0,0 +1,15 @@
++++
+title = "Ferrocene"
+date = 2022-04-25
++++
+
+
+Ferrocene is an effort to bring Rust into the realm of safety-critical software while also bringing tangible benefits to so called mission-critical efforts. The project has been ongoing for about a year now. This talk will give an overview of current findings and particularly an observation of the current state of the safety-critical ecosystem.
+
+Particularly, it will share observations on the application of formal methods in the realm right now.
+
+---
+
+Florian Gilcher is a co-founder of Ferrous Systems and a Rust teacher since 2015. Previously a member of the Rust Community and Core team and a co-founder of the Rust Foundation, Florian is currently focusing to bringing Rust to safety critical systems, such as cars.
+
+[Video](https://www.youtube.com/watch?v=eaObPhTnoGo)
diff --git a/content/meetings/flowistry b/content/meetings/flowistry
@@ -0,0 +1,9 @@
+### June Meeting (June 27th, 2022)
+
+#### Abstract
+Statically analyzing information flow, or how data influences other data within a program, is a challenging task in languages with mutation and pointers. Prior work addressed these challenges with bespoke type systems to encode information flow, such as in JFlow (for Java) and FlowCaml (for OCaml). We demonstrate that Rust's existing system of ownership types can repurposed for modular information flow analysis. We describe our analysis using Oxide, a formal model of safe Rust, and prove its soundness as noninterference. We implement the analysis as Flowistry, a tool that analyzes information flow within Rust's MIR CFG. And we show that Flowistry is reasonably precise versus a whole-program analysis via an evaluation on a dataset of large Rust codebases.
+
+#### About the Speaker
+Will Crichton is a 6th year CS Ph.D. student at Stanford University advised by Profs. Pat Hanrahan and Maneesh Agrawala. His research combines programming language theory and cognitive psychology to build better tools for programmers. Will just defended his thesis, "Revisiting Program Slicing with Ownership-based Information Flow", and will soon be starting a postdoc with Shriram Krishnamurthi at Brown to study the learnability of Rust.
+
+[Video](https://youtu.be/adDGcSSZKI4)
diff --git a/content/meetings/flux.md b/content/meetings/flux.md
@@ -0,0 +1,8 @@
++++
+date = 2023-03-27
+title = "Flux: Ergonomic Verification of Rust Programs with Liquid Types"
++++
+
+Low-level, pointer-manipulating programs are tricky to write and devilishly hard to verify, requiring complex spatial program logics to reason about heap updates. Recent systems like Prusti and Creusot take advantage of Rust ownership mechanisms to shield the programmer from some spatial assertions, allowing them to only write pure, first-order logic specifications which can be automatically verified by a solver. Even with these advances, verification remains unpleasant. For instance, when working over collections, program-logic based methods require the use of loop invariants that are universally quantified to account for the potentially unbounded contents of the collection. Such invariants often require a sophisticated understanding of the underlying spatial program logic, and worse, the quantification makes them difficult to synthesize.
+
+This talk presents Flux, a refinement type checker for Rust that shows how logical refinements can work in tandem with Rust’s ownership mechanisms to yield ergonomic type-based verification. First, we describe how Flux extends Rust’s type system with logical refinements that can be used to specify properties about data. Next, we demonstrate how the combination of refinements and Rust’s ownership mechanisms allows the specification and verification of imperative code. Finally, by looking at some examples, we show how the combination of refinements, ownership, and Rust polymorphic constructors, enables ergonomic verification of lightweight properties.
diff --git a/content/meetings/gillian-rust.md b/content/meetings/gillian-rust.md
@@ -0,0 +1,12 @@
++++
+title ="Gillian-Rust: A hybrid approach to unsafe Rust verification"
+date = 2024-05-25
++++
+
+The Rust Formal Methods Interest group has seen several talks about scalable verification of safe Rust (Prusti, Creusot, Aeneas, Flux…), and other analyses that leverage the guarantees provided by the Rust type and borrow checker (Flowistry, RusSOL…). However, there has been little work on the verification of unsafe Rust, which requires techniques that do not scale as well to large programs. In this talk, we propose a hybrid approach to Rust verification, where safe code is verified by Creusot, and unsafe code is verified by a prototype tool called Gillian-Rust. At the core of this approach is the ability of Gillian-Rust to interpret and verify specifications that Creusot is able to use but not verify.
+
+--- 
+
+About the Speaker
+
+Sacha Ayoun is a PhD student at Imperial College London, under the supervision of Prof. Philippa Gardner. He has been working on the Gillian verification framework, and is now its lead developer. His research covers all aspects of Gillian, from its meta-theory to its most real-world use-cases, with a focus on applications to C and more recently Rust. On his free time, you may find him rollerblading around London or complaining about British food.
diff --git a/content/meetings/hacl-rust.md b/content/meetings/hacl-rust.md
@@ -0,0 +1,10 @@
++++
+date = 2024-01-22
++++
+
+
+The program verification community is slowly realizing that life is much better when one verifies Rust programs instead of C or ASM programs. Yet, a large body of verified code has already been written to generate C and/or ASM – I am talking specifically about the HACL* and Vale projects, respectively. What do we do about those, then, in a world where users want pure Rust code? (The answer is NOT "hire 10 more PhD students and have them redo everything". That would not be nice.)
+
+In this talk, I will present two projects that, together, provide a smooth transition path while offering backwards-compatibility.
+HACL-rs is a new code-generation path that compiles the HACL* verified cryptographic library from F* to Rust. HACL* is written in a DSL of F*, called "Low*", which models C-like pointer arithmetic and arrays. The research question is: how do we rewire the compilation pipeline to produce safe Rust code instead? This poses an array (pun intended) of interesting challenges, such as how to deal with borrows and pointer arithmetic.
+Eurydice (same family as Charon and Aeneas, which were presented here before) is a compiler from Rust to C. While this is possibly one of the least glamorous projects ever, it actually fills a very real use-case: we are now writing new verified crypto in Rust, yet a lot of folks are not ready to take a dependency on Rust in their codebases. These people include flagship customers of HACL*, like Mozilla. I'll talk about the engineering behind the project and how to reconstruct palatable C code out of MIR, relying on Charon for some of the heavy-lifting.
diff --git a/content/meetings/hacspec.md b/content/meetings/hacspec.md
@@ -0,0 +1,21 @@
++++
+title = "CONCERT and HACSPEC"
+date = 2021-11-29
++++
+
+Rust is a big and complex language. Fortunately, it contains a number of interesting sublanguages for which formal verification is more manageable.
+I will give an overview of three projects that we are working on in my group.
+ 
+[ConCert](https://github.com/AU-COBRA/ConCert) is a Coq framework for reasoning about functional programs, in particular focussing on smart contracts. 
+As part of this we have developed a general backend to the Coq proof assistant which allows one to generate provably correct functional *rust* programs.
+One main use case is to generate rust smart contracts which can be used on the [concordium](https://concordium.com) blockchain.
+
+[HACSPEC](https://github.com/HACS-workshop/hacspec) is a subset of rust for the specification of high assurance cryptography. We have used it to specify the BLS elliptic curve. This sepcification can be translated to Coq from where we use [fiat-cryptography](https://github.com/mit-plv/fiat-crypto) and [BedRock](https://github.com/mit-plv/bedrock) to generate a correct by construction, efficient, platform independent implementation.
+
+---
+
+
+[Bas Spitters](twitter.com/basspittersbs) [EventBrite](https://www.eventbrite.com/e/november-meeting-rust-verification-with-bas-spitters-tickets-198474531667).
+
+
+Find the YouTube video [here](https://www.youtube.com/watch?v=OCehhVDMXKQ).
diff --git a/content/meetings/inaugural.md b/content/meetings/inaugural.md
@@ -0,0 +1,13 @@
++++
+title = "Inaugural Meeting"
+date = 2021-09-21
++++
+
+During this meeting, we will introduced the RFMIG, and had a presentation from Vytautas Astraukas of Prusti, showing a little glimpse of verification for Rust software.
+
+[Youtube recording](https://www.youtube.com/watch?v=ACqgutP0jXs)
+
+## Previous events
+
+* [RustVerify2021](https://sites.google.com/view/rustverify2021)
+* [RustVerify2020](https://sites.google.com/view/rustverify2020)
diff --git a/content/meetings/kani.md b/content/meetings/kani.md
@@ -0,0 +1,14 @@
++++
+title = "Kani"
+date = 2022-03-28
++++
+
+
+
+Kani is a Rust verification tool based on model checking. With Kani, you can ensure that broad classes of problems are absent from your Rust code by writing proof harnesses, which are broadly similar to tests (especially property tests). Kani is especially useful for verifying unsafe code in Rust, where many of the language's usual guarantees can no longer be checked by the compiler. But Kani is also useful for finding panics in safe Rust, and it can check user-defined assertions.
+
+Kani is currently in the initial development phase, and has not yet made an official release. It is under active development, but it does not yet support all Rust language features."
+
+https://model-checking.github.io/kani/getting-started.html
+
+Celina Val and Daniel Schwartz-Narbonne will present their work on [Kani](https://github.com/model-checking/kani), a Rust model-checker they are developing at Amazon.
diff --git a/content/meetings/minirust.md b/content/meetings/minirust.md
@@ -0,0 +1,12 @@
++++
+title = "MiniRust with Ralf Jung"
+date = 2022-11-28
++++
+
+As Rust grows in popularity and usage, it is becoming more and more important to clearly define its operational semantics.
+Despite plenty of work on Rust verification, so far no semantics exist that can capture all the aspects of the 'real thing'.
+MiniRust is a new project I started to define a normative specification of a Rust 'core language', which is versatile enough to be used as a cornerstone for a full Rust specification.
+Rather than use the traditional mathematical jargon, MiniRust is written as an interpreter using Rust syntax (with a few extensions).
+
+In this talk I will introduce MiniRust, what has been specified so far, and the road left to go.
+We'll also see how to use MiniRust to explain the behavior of several intricate snippets of unsafe Rust code.
diff --git a/content/meetings/mirai.md b/content/meetings/mirai.md
@@ -0,0 +1,9 @@
++++
+title = "MIRAI"
+date = 2022-01-31
++++
+
+
+Herman Venter gave a retrospective view of his work on [MIRAI](https://github.com/facebookexperimental/mirai), an abstract interpreter for MIR code. We went over key design choices for abstract interpreters and the tradeoffs they imply. 
+
+Find the YouTube video [here](https://www.youtube.com/watch?v=Slf1QWaRe2c).
diff --git a/content/meetings/russol.md b/content/meetings/russol.md
@@ -0,0 +1,5 @@
++++
+title = "Leveraging Rust Types for Program Synthesis"
+date = 2023-01-30
++++
+This talk will explore how one can apply ideas from verification to synthesize Rust function bodies given a signature and possibly some functional annotation, which has been implemented in a tool called RusSOL. Due to Rust's strong type system, RusSOL can get away with significantly simpler specifications (counting the function signature + annotation) while also reducing the search space to improve performance when compared to similar tools for imperative languages. The key ingredient of RusSOL's synthesis procedure is Synthetic Ownership Logic, a new program logic for deriving programs that are guaranteed to satisfy both a user-provided functional specification and, importantly, Rust's intricate type system.
diff --git a/content/meetings/tree-borrows.md b/content/meetings/tree-borrows.md
@@ -0,0 +1,28 @@
++++
+title = "Tree Borrows, a pointer aliasing model for Rust"
+date = 2023-05-29
++++
+
+The strong guarantees of unique ownership and immutability provided by reference types
+in Rust should in principle allow compilers to apply more powerful optimizations that rely
+on uniqueness. However `unsafe` code can easily break these assumptions by allowing
+shared mutability, which makes many optimizations seemingly incompatible with the use
+of `unsafe`. Since optimizations are necessary for Rust to achieve its promised performance,
+and because `unsafe` is rooted in the low level manipulations of nearly every major library,
+these two aspects need to be reconciled somehow.
+Much like its predecessor Stacked Borrows which it improves upon, Tree Borrows defines an
+alternative operational semantics of memory accesses by enforcing a pointer aliasing discipline.
+Programs that violate this discipline are declared to have undefined behavior (UB) and are ruled
+out from the verification of compiler optimizations. This introduces a tradeoff in which the stricter
+the aliasing discipline is, the stronger optimizations can be performed, but also the more
+programmers need to be careful not to accidentally write code that exhibits UB.
+Common patterns that Stacked Borrows is known for rejecting too aggressively or being inconsistent
+with have in part guided the design and evaluation of Tree Borrows, in order to ensure that the
+balance between enabling optimizations and being able to write `unsafe` code is suited to real-life
+codebases.
+The rules of Tree Borrows are thus,
+- consistent, with as few exceptions as possible (notably two-phase borrows and `extern`
+types of unknown size do not require special handling);
+- permissive enough to allow most common patterns that would break backwards compatibility
+if forbidden, even at the cost of some optimizations;
+- configurable in their details in case a version with stronger guarantees is desired.
diff --git a/content/meetings/verif-challenge.md b/content/meetings/verif-challenge.md
diff --git a/content/meetings/verus-mimalloc.md b/content/meetings/verus-mimalloc.md
diff --git a/templates/index.html b/templates/index.html
