Blog

February 25, 2025
6 min read

Trying to make hax usable in more contexts

The hax toolchain has been successfully used to formally verify our cryptographic implementations for ML-KEM,Bertie and more. All these projects are developed with formal verification (using hax) in mind, and use a limited subset of Rust features. However, hax is under constant development and the improvements we bring are targeted at making it more usable. With these improvements we want to bring hax to a new kind of projects that don’t have restrictions on the Rust patterns they use. We want hax to be usable in this context with minimal modifications to the code (ideally no modification at all). An example of such a project is the verification of sandwich, a high-level cryptographic library built by SandboxAQ. This project revealed the weaknesses of hax in this context which brought us to implement some improvements that will be presented in this blog post.

Challenges

The projects that use hax from the beginning can limit themselves to the subset of Rust supported by hax. Applying hax to a pre-existing project means that it may use various Rust features that are probably not supported yet in hax. The challenge is then to identify which features to prioritize for support in hax (and adding support is yet another challenge), and which features have no short-term plan for support. For the latter we need to abstract out the code (if it is not relevant for proofs) or rewrite it (when possible; ideally we try to avoid this). Having external users encourages us even more to make hax an easily-usable and well-documented tool.

Frontend improvements

The hax frontend is mostly relying on rustc and cargo to extract intermediary representations of a Rust crate. It is supposed to produce a result for any Rust crate (restrictions on the available Rust features come later in the toolchain). However the information given by rustc is sometimes partial or lacks some parts that are needed for our translations. A crucial example of this is trait resolution as we need to know the trait derivation that is used by each call of a trait method. This is a part of the hax frontend that has proven tricky and still had many bugs a few months ago. At that time, launching it on a somehow complicated crate had big chances of resulting in a crash. As part of our effort to improve the usability of hax, many of these bugs have now been fixed (in collaboration with our colleagues at Inria). This is a big step forward, since even for a project that looks small and simple, we need to handle all of its dependencies which are usually more problematic.

According to our tests on the top 500 crates (by number of downloads on crates.io), hax frontend succeeds without crashing or timing out on more than 99%. However we are still looking for a better way to measure the coverage of the Rust features, and identifying the situations where we can still improve.

Recursive Bundles

Rust code is organized in modules, where modules can be seen as a namespacing system. When translating modules to our backends (F*, Coq, ProVerif) we need to generate the corresponding module-like abstraction in the backend, which typically works quite differently. In particular our backends require the module dependency graph to be acyclic while Rust has no such restriction. It is quite common in Rust to make use of this and create cyclic dependencies between modules which means it is necessary for us to have a solution for this problem. Here is an example (you can open it in the hax playground to check the code hax generates out of it):

pub struct Error();

mod private {
    pub(crate) fn f() -> Result<(), super::Error> {
        Ok(())
    }
}

pub fn user_f() -> Result<(), Error> {
    private::f()
}

Open this code snippet in the hax playground

In this example there is a dependency between the top level module and the private module. Our solution to break these cycles is simply to put the content of the cyclic modules in a single module (that we call bundle), and then re-exposing the items in their original modules. This solution is not perfect because it changes the architecture of the generated code compared to the original code, and it could be improved by minimizing the content of the bundles (choosing a set of definitions to break the cycle instead of the full content of the modules). But so far it has proven very useful as it removes a big limitation on the Rust we support.

Opaque items

Large projects usually contain code that we don’t support yet but we still want to reason about the rest of the project and have an abstract model (axiomatization) for the parts that we don’t support. We need to control which parts we want to fully extract and which parts we extract only as opaque items. The command-line options offered by the hax toolchain provide a solution to this, but they only allow to choose at the model level, which is inconvenient for large projects. To make this more practical we added another way to specify inside the source with the attribute hax_lib::opaque makes an item axiomatized. There is still the problem of complicated -i flags which will be solved in the future by having the corresponding information in configuration files.

Control flow rewriting without monads including inside loops

Translating imperative code to functional backends for verification implies some handling of side effects and transformation of control flow. A classic solution for this is to have a monadic encoding state which results in generated code that can be hard to read (and to reason about). This is the solution that was implemented (with some bugs) in hax but we decided to replace it with a solution without monads. The code we produce is simpler to read, but the main limitation is that there is code duplication which in some cases can lead to an extracted code that is exponentially bigger than the source.

Here is a simple example of this:

fn f() -> i32{
    if true {
        if true {
            return 1
        }
    }
    3
}

Open this code snippet in the hax playground

The F* code extracted from this example is the following:

let f (_: Prims.unit) : i32 =
 if true
 then if true then mk_i32 1 else mk_i32 3
 else mk_i32 3

Here the semantics is preserved, but adding the else branches results in a duplication of the return value 3. Our idea to improve in the future is to revive the monadic version, but use it only if the duplication is too big. Support for control flow (return, break and continue) in loops has been added as well. In hax, loops are translated as a functional fold in which the accumulator keeps track of the modification of the environment done by the effectful operations in the source. This extension relies on a monadic encoding of the loop result, that is passed in the accumulator to deal with the specific cases of return, break and continue.

Items sorting

A quality of life feature that we have been lacking for a long time is trying to respect, as much as possible, the same order of items in the generated code compared to the source. We need to modify the order because (as for modules), Rust allows items to be defined in any order, while our backends need items to be defined after the other items they depend on (except for mutual recursion). We rely on a graph topological sort to ensure this property, and now use a modified version of the stable topological sort provided by ocamlgraph, which produces an order that respects the dependencies, but in the absence of constraints tries respects the order of the source.

Conclusion

Bringing hax to a new kind of project revealed the gap needed for it to be usable, but thanks to our active work, we have made great progress towards this goal. Even though there is still much more to do, this has allowed us to get results in these new applications of hax (stay tuned for more details about that!).

February 10, 2025
2 min read

This Month in Hax: January 2025

This blog post continues our ongoing series introduced in the previous blog of hax, a monthly collection of highlights showcasing key developments in hax and its ecosystem.

This month, we merged 31 pull requests and celebrated a major milestone by releasing the first official version of hax: v0.1.0. If you haven’t already, be sure to check out our blog post for more details on this release!

We tackled a variety of bug fixes and engine improvements. One significant achievement was resolving a long-standing issue related to the inconsistent preservation of declaration orders between Rust and the extractions. This problem was finally fixed. 🎉

Additionally, we merged a comprehensive overhaul of how identifiers are treated and represented within the engine. This rework allowed us to fix nearly ten related issues, making the system more robust and efficient.

In the F* backend, we transitioned away from using HACL* machine integers. Instead, we now rely on a thin wrapper over F*'s native mathematical integers. Unlike HACL*'s opaque machine integers, this new representation allows us to use F*'s normalizer freely, offering a cleaner and more lightweight solution.

Stay tuned for more updates in the coming months!

Full list of PRs

#1278: ci(gha): drop magic-nix-cache action because of EOL
#1277: fix(mkdocs): use codemirror instead of ace, re-setup on page reload
#1275: Create CODEOWNERS
#1273: Various F* core lib additions.
#1267: fix(hax-lib/macros): handle correctly &mut Self arguments in ensures
#1265: Fix announce-v0.1.md
#1263: updatge readme and docs
#1261: Update website landing page
#1260: chore(deps): bump hashbrown from 0.15.0 to 0.15.2
#1259: changelog: initialize
#1258: Delete frontend/exporter/json-visualizer directory
#1247: Stable topological sort using original order.
#1245: Release hax v0.1.0
#1241: hax v0.1 blog post
#1238: Transparent integers
#1237: Fix order of Call trait clauses
#1236: Add more info to ImplExprAtom::Builtin
#1230: fix(engine) Propagate return rewrite to avoid crash in side_effect_utils
#1229: fix(engine) Add type arguments for associated constants.
#1228: fix(engine) Use ocamlgraph fork to fix missing rec bug.
#1225: Hax home page using mkdocs
#1223: fix(engine) Attempt to fix double return bug.
#1222: Make predicate handling a bit more consistent
#1220: Visit trait goals to rename impl expr they may contain.
#1216: Update README.md: unsafe is OK to use
#1215: Fix generics handling for function calls
#1212: fix(CI) Update F* version to fix mlkem CI job
#1206: fix(engine) Make sub-parts of Quote visited by visitors
#1199: Engine: rework global name representation
#1075: Move trait methods in cyclic dependencies bundling.
#1066: Add EBNF for AST to book

Contributors

January 21, 2025
3 min read

Hax Takes Flight: Announcing Our First Release and New Home at Cryspen!

We're thrilled to announce that hax is entering a new era of stability and growth with the launch of our new website, a fresh start at Cryspen, and our first official release, v0.1.0!

After an intense period of research and development, hax is transitioning to a more stable phase. To support this evolution, we've moved the repository to its new home within the Cryspen GitHub organization. This change streamlines our processes and clarifies project ownership while maintaining hax's open-source nature. Cryspen is responsible for driving hax forward, but we enthusiastically welcome contributions from the community, and continue working closely with the team of existing contributors!

This move also marks our shift to a release-driven development model, culminating in our first official release, v0.1.0. While we anticipate some breaking changes in the lead-up to v1.0, detailed release notes will clearly outline any backward compatibility issues.

The state of hax

Hax currently boasts three actively used backends: (F*, Rocq and SSProve). While Cryspen primarily focuses on the F* backend, Bas Spitters and his team at the University of Aarhus are actively developing and utilizing the Rocq and SSProve backends. Cryspen also supports an experimental backend for ProVerif.

With this initial release, hax can process a significant subset of Rust code. Both the frontend, which extracts a JSON AST from the Rust compiler, and the engine, which lowers the code to the backends, have undergone major improvements and stabilization throughout 2024.

Our new website provides a central hub for all things hax. Users can explore the manual, experiment with the interactive hax playground, and delve into a diverse collection of examples showcasing hax's capabilities.

We will work on improving the manual and developer documentation over the next few months.

Hax in Action

Over the past year, hax has proven its versatility in various projects:

Verifying Bertie: A TLS 1.3 implementation, verified with the ProVerif backend
Verifying ML-KEM: A post quantum cryptographic algorithm verified with the F* backend
Verifying Smart Contracts: Leveraging the Rocq backend for enhanced security verification.

The Road Ahead

While hax can handle a substantial portion of Rust code, certain limitations remain. Features like Generic Associated Types (GATs), some Rust nightly features, specific loop and pattern structures, and a range of mutations are not yet supported.

Detailed list of unsupported features

Here's some content.

GATs

Support for Generic Associated Types (GATs) in the frontend is under consideration (Issue #915)

Rust nightly features

A full list of unsupported Rust nightly features can be found with the unsupported-rust label.

Pattern

Some expressive Rust patterns are not supported yet in the hax engine. For example, range patterns such as 0..12, as patterns such as x @ Option(_) or array or slice patterns such as [head, ..tail] are not supported.

Mutation

Mutations inside closures are not supported (Issue #1060)
Re-borrowing mutable refferences is not allowed (Issue #420)
Implicit reborrowing of mutable references is not supported (Issue #419)
User-defined functions cannot return &muts (Issue #418)
Calling &mut-returning functions is not allowed in general (Issue #418, Issue #494 and Issue #491)
Enum variants cannot be mutated (Issue #493)

Loops

Unconditional loops loop {...} (Issue #124)
While let while let .. = .. {} (Issue #113)
Loops without side effect (Issue #405)

const inline blocks

Inline const blocks are not supported yet. Issue #923

Parting Thoughts

This is an exciting time for hax! With our new home at Cryspen, a dedicated release model, and a growing community, we're confident that hax will continue to mature and empower developers to build secure and reliable software.

We encourage you to explore the new hax website, dive into the documentation, and experiment with the playground. Join us on this journey! Contribute to the project, share your feedback, and help us shape the future of Rust verification.