Add main body and diagrams for phase II formal verification blog article

[chrihop]

We’d love for you to take a look and share any suggestions you might have about the lessons learned from our recent work on the formal verification of Asterinas OSTD. Your input would be really valuable! Thanks!

Principles and outlines:

Target audience: Kernel and Rust developers. We may briefly recap verification basics, but avoid explaining concepts they already know (e.g., do not trust the caller in the "adversarial guarantees" or link to unsafe in “What is soundness”).

Key idea: To prove no UB, we have to prove defined behaviour.
Concise requirement: The blog is currently too long; aim for roughly 5–6 pages with tighter exposition and reduced repetition.

Compositional verification goals:
-- Vertical composability: Individual functions should be verified in a way that enables sound composition across abstraction layers.
-- Horizontal composability: The system architecture should support composition across modules/components.

Invariant design: Move specific and concrete invariants, avoiding vague descriptions.

Whole picture: Put all things into the whole picture, distinguishing user and kernel memory.

[Copilot]

Pull request overview

Adds a new blog post draft describing Phase II formal verification progress for OSTD soundness (with diagrams), and introduces an English logo SVG asset.

Changes:

• Add a new post: “Verifying OSTD soundness” describing vertical/horizontal composition and invariants for UB-freedom.
• Add a new SVG asset (logo_en.svg) under assets/images/.

Reviewed changes

Copilot reviewed 1 out of 6 changed files in this pull request and generated 10 comments.

File	Description
assets/images/logo_en.svg	Adds a new SVG logo asset to the site’s image bundle.
_posts/2026-tbd-verifying-ostd-soundness.md	Adds the main body of the formal verification blog article, including figures/diagrams and example specs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[tatetian]

Thanks for writing up this post! The core technical content -- proving soundness via defined behavior, vertical composition (soundness-correctness feedback loop), and horizontal composition (invariant preservation) -- is solid.

However, the post needs significant revision before it's ready for a broad audience:

1. Blocking: Missing Jekyll front matter and placeholder filename date prevent the post from rendering.
2. Title and framing: "Verifying OSTD soundness" frames the post as a project update, but its real value is educational -- a methodology piece on proving soundness for unsafe Rust.
3. Audience accessibility: Many Asterinas/OSTD-specific concepts are used without introduction, but the post will reach a broad Rust audience via "This Week in Rust."
4. Narrative structure: The Verus section is misplaced and disconnected from the composition narrative; the Vertical Composition subsection ends on a tangent; multiple "soundness" variants create unnecessary confusion.
5. Repetition: Every major section restates its core insight 3-5 times across prose, blockquotes, and figure captions -- the single biggest obstacle to the PR description's own "concise requirement."
6. Diagrams: Figure 1's text doesn't match the diagram's labels; Figure 3 is unreadable at rendered size.

[tatetian]

Missing Jekyll front matter; title needs rethinking: The post has no YAML front matter block. All other posts in this repo use:

---
layout: post
title:  "..."
date:   2026-XX-XX HH:MM:SS +0800
author: "CertiK and Hongliang Tian"
---

Without this, Jekyll will not process the file as a blog post.

The # Verifying OSTD soundness heading on line 1 must be removed. Jekyll's post layout automatically renders the title from the YAML title field, so keeping the manual heading will produce a duplicate title.

Please ensure that the post can be rendered correctly before marking the PR as "Ready for Review".

The title itself should be reconsidered. "Verifying OSTD soundness" frames this as a project status update, but what it offers is a methodology for proving soundness of unsafe code, using OSTD as the concrete case study. The three main takeaways (prove defined behavior, vertical composition, horizontal composition) describe a strategy that any Rust project with an unsafe core could learn from. As the post only describes a strategy, insufficient information (e.g., specs, models, invariants, and proofs) are provided to convince the readers that we actually complete the verification.

So I think the post's real value is educational, a bridge between Rust/kernel developers and verification experts. The title should lead with that educational angle, especially since this will be promoted on "This Week in Rust" to an audience that has never heard of Asterinas. The content should also be adjusted accordingly.

Suggested alternatives:

1. "What It Takes to Formally Verify Rust Soundness: A Kernel Perspective"
2. "Proving Soundness for Unsafe Rust: Lessons from a Kernel"
3. "From Unsafe to Sound: Verifying a Rust Kernel's Trusted Core"

[tatetian]

Progress characterization undersells the advance: "A collection of functions... Now we have expanded that effort to all components" is vague and doesn't convey the qualitative shift. Phase I verified a small set of internal functions for specific safety concerns in isolation. Phase II verifies the public API surface with composable specifications that provide system-wide soundness guarantees.

That's a fundamentally different kind of result: the difference between "we checked some internal functions don't have UB" and "we proved the public interface is sound against any safe caller." The paragraph should make this leap explicit. For example:

This also sets up the vertical/horizontal composition narrative that follows.

[SNoAnd]

Rephrased in introduction to make it more clear that this is a qualitative difference, and emphasized it even more in the conclusion.

[tatetian]

Confusing "soundness" variants -- simplify to one concept: The post introduces multiple flavors: "soundness," "kernel soundness" (in the Figure 1 table), and "weak soundness" (line 137). This is unnecessarily confusing. There should be only one soundness concept: no UB in the kernel. Userspace is both out of scope and impractical to enforce -- a userspace program can be inherently flawed, and there is no way for the kernel to prevent it from shooting itself in the foot and compromising its own memory safety. That's not the kernel's responsibility.

Rather than framing vm_space as having "weaker" soundness, reframe it as: vm_space is fully sound in the sense that matters -- it guarantees no UB in kernel space. The fact that a caller can misconfigure userspace mappings is expected behavior; it's the userspace program's problem. Drop "weak soundness" entirely and align with the single definition from the Figure 1 table's "Kernel Soundness" row: arbitrary caller, kernel scope, no UB in kernel space.

Additionally, this point is stated twice: the parenthetical at line 21 and the full paragraph at line 137. Remove the parenthetical in the introduction and let the Horizontal Composition section (line 137) handle it, where the reader has the context to understand why.

[SNoAnd]

Rolled everything into soundness, with a very shallow mention of why soundness requires giving definition to behavior that might be unexpected. For this audience I think that is sufficient.

[tatetian]

Verus material deserves its own section and needs tighter focus on what serves the post's narrative: Two issues:

1. Structure -- Verus is wedged into "Proving Rust Soundness Positively" but is a separate topic. The section is about a conceptual insight (prove defined behavior, not absence of UB). The Verus material is about tooling. Verus deserves its own ## heading (e.g., "Verification with Verus") to make the structure honest.

2. Relevance -- much of the Verus content doesn't connect to the rest of the post:

• PointsTo tokens (line 55): Explained at length, including a deep dive into Rust memory model provenance and exposed-address semantics. But PointsTo never appears again in the post -- not in the vertical composition example (which uses Entry::replace and CursorMut::map), nor in the horizontal composition invariant (which uses EntryOwner and MetaRegionOwners). The reader invests effort understanding it and then it's abandoned. The points-to.png image, which illustrates this concept well, is included in the PR but never referenced. If PointsTo stays, use the diagram; if it's cut, remove the image.

• SMT solver and automatic proof discharge (lines 47-51): The if x > 0 { x - 1 } else { 0 } example illustrates Verus basics but has nothing to do with kernel verification. It doesn't set up any concept used later.

• Witnesses and ghost code (line 53): This concept is important -- EntryOwner and MetaRegionOwners in the horizontal composition section are exactly this kind of ghost state, and CursorModel is a ghost struct. But the connection is never made explicit. The reader learns about "ghost code" here and encounters ghost structs later without realizing they're the same concept.

• Missing: how Verus specs compose -- The one thing the Verus section should set up -- that Verus verifies per-function pre/post-conditions, and that a caller's preconditions can be discharged by its callee's postconditions -- is mentioned in passing (line 47) but not emphasized. This is exactly the mechanism that makes vertical composition work, and it deserves to be the centerpiece.

In short, the Verus section explains how Verus works in general rather than the aspects that matter for this post. Consider restructuring to: (a) briefly introduce Verus; (b) focus on per-function specs with pre/post-conditions (the basis for vertical composition); (c) introduce ghost state as the mechanism for tracking invariants (the basis for horizontal composition); and (d) either cut or drastically shorten the PointsTo/provenance material.

Also, line 55's paragraph is very long -- it covers PointsTo, Rust MM provenance semantics, and ghost-state tracking in a single block. If the PointsTo content is kept, break it into shorter paragraphs.

[SNoAnd]

Verus material is now introduced right away, before moving on to the actual property definition. Vertical composition is explained at this point, because it's so fundamental to Verus' structure, leaving the question of horizontal composition to be explained once we have the property.

[tatetian]

Tangent that derails Vertical Composition and ends abruptly: The Vertical Composition subsection (lines 61-89) has two parts, and the second doesn't belong:

Lines 61-74 are the actual vertical composition argument: caller soundness requires callee correctness, illustrated with the Entry::replace → CursorMut::replace_cur_entry → CursorMut::map chain, capped by Figure 2. This is strong and self-contained.

Lines 76-89 pivot to a different topic: what makes a good spec at the API boundary (abstract vs. implementation-tracking). This is a spec design philosophy point, not a composition point.

The CursorModel example compounds the problem:

• It has no connection to the vertical composition argument. The reader was following Entry::replace → CursorMut::map and suddenly encounters a linked list cursor.
• It ends the subsection abruptly. The code block is the last thing before "Horizontal Composition" -- no concluding sentence, no tie-back.
• The reader has no context for why a linked list cursor exists in a memory management module, or what LinkModel and LinkedListModel represent.

Consider either: (a) cutting lines 76-89 entirely and ending the subsection on the strong Figure 2 at line 74, or (b) giving the abstract-spec point its own short subsection with a better-motivated example.

[SNoAnd]

Dropped the CursorModel example. We don't really need to get into the different kinds of specifications. The rest of this section has been merged into the Verus discussion, where hopefully it flows better.

[tatetian]

Minor wording nit: In a post about Rust verification, "unsafe" is an overloaded term. The kernel's code doesn't become unsafe Rust -- its safety guarantees are voided. Consider: "...the safety guarantees of the entire 100,000-line kernel are compromised."

[SNoAnd]

Fixed.

[tatetian]

Filename uses placeholder date tbd: The Jekyll filename convention is YYYY-MM-DD-slug.md. The tbd will cause Jekyll to either fail to parse the date or sort the post incorrectly. This should be updated to the intended publication date before merging.

Please ensure that the post can be rendered correctly before marking the PR as "Ready for Review".

[SNoAnd]

The current draft is 2026-04-01-verifying-ostd-soundness.md because that's when I created it. When we decide on a publication date I will change it.

[tatetian]

Many Asterinas/OSTD-specific concepts are used without introduction: This post will be advertised on "This Week in Rust" and similar forums, so it cannot assume the reader is familiar with Asterinas or OSTD. Every project-specific concept needs a brief definition or explanation on first use. Here is an inventory of terms that are dropped in without context:

1. "Asterinas" (line 5) -- mentioned as "a kernel" but never described further. A one-sentence description (e.g., "Asterinas, a general-purpose OS kernel written in Rust") and a link to the project would orient the reader.

2. "framekernel architecture" (line 5) -- a term specific to Asterinas that most developers won't know. Even a parenthetical ("our framekernel architecture, which isolates all unsafe code into a single trusted layer") would help.

3. "OSTD" (line 3, 5) -- used from the very first sentence of the foreword before the reader knows what it is. The name is never unpacked. What does OSTD stand for? What does it provide -- is it a runtime, a HAL, a stdlib?

4. "mm module" (line 9) -- the reader must guess this means "memory management." Spell it out on first use.

5. "frames" (line 17) -- OS kernel developers know what a physical page frame is, but Rust application developers may not. A brief gloss on first use (e.g., "frames (fixed-size blocks of physical memory)") would help.

6. "metadata slots" (line 17) -- an OSTD-internal concept with no context. Why does OSTD track metadata in an unsafe array? What kind of metadata?

7. "TCB" (line 151) -- acronym used without expansion. Spell out "Trusted Computing Base" on first use.

8. "CortenMM" (line 143) -- appears once with no introduction. What is it? A sub-project? A tool? A paper?

9. "KVerus" (line 151) -- described as "our AI-assisted proof tool" but that's vague. Is it open-source? A link or one more sentence of context would help.

10. "sync module" (line 143) -- assumes the reader knows OSTD has a sync module. A brief qualifier (e.g., "the sync module, which provides concurrency primitives") would suffice.

This also includes verification concepts such as EntryOwner, MetaRegionOwners, and CursorModel. Simply making them hyperlinks without layman-friendly descriptions harms readability.

As a general principle: if a term is specific to Asterinas/OSTD, it needs at least a parenthetical explanation on first use.

[SNoAnd]

All of these individual concepts are addressed, and I hope we're doing better on this issue as a whole. I'm uncertain as to how much the reader needs to know about page tables. At this level it may be sufficient to just understand that a pt is a complex tree structure, but maybe more context would be good.

[tatetian]

Figure 3 is too dense -- text is unreadable at rendered size: This diagram packs three panels (Challenge, Solution, Conclusion) into a single wide image, each containing labeled boxes, arrows, numbered steps, bullet lists, and fine-print annotations. At typical blog content width, the text shrinks to the point of illegibility.

The core message is simple:

1. Challenge: An arbitrary caller can invoke any API function in any order.
2. Solution: Each function assumes invariants on entry and proves they hold on exit.
3. Conclusion: Any sequence of calls preserves invariants, so the system is UB-free.

Consider: (a) splitting into two or three separate, taller diagrams so each renders at readable size, or (b) stripping secondary details and keeping only the essential flow. Figures 1 and 2 work well because each communicates one idea at readable scale; Figure 3 tries to communicate three.

[SNoAnd]

I reduced figure three down to just the third panel, which I think captures the point more succinctly.

[tatetian]

Unrelated asset: This SVG logo file is not referenced in the blog post. It may belong in a separate PR.

[SNoAnd]

Removed. Later I will also go through and make sure we don't have extra images left from previous iterations of this post.

[tatetian]

(Supplementary comment from the same review — the original submission missed this one due to a parser limitation.)

[tatetian]

Formatting nits:

• Lines 67-68: Hard line-wrap mid-sentence ("...and validate the\nassumptions of the ones above"). The rest of the post uses single long lines per paragraph; clean up for consistency.
• Lines 103, 131: Triple-hyphen --- used as em dash. Use a proper em dash — or consistent spacing to avoid rendering inconsistencies across Markdown parsers.

[SNoAnd]

Fixed.

[tatetian]

I marked this PR as "Draft". Please resolve or reply all issues. When you are done with the revision, mark it as "Ready for Review". Thanks.

[rikosellic]

This code does not match the latest version. Please modify this after we finalize our model in June.

[rikosellic]

Do you mean 0.17.2?

[rikosellic]

Do we still need to show the proof-code-ratio, as more and more proofs are generated by AI (which is not very good at generating concise proofs)?