Kani: A Model Checker for Rust

📅 2026-07-01
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the limitations of Rust’s compiler in guaranteeing memory safety, functional correctness, and panic freedom for unsafe code. The authors present the first open-source verification framework for Rust that integrates both bounded and unbounded model checking. By precisely translating Rust’s Mid-level Intermediate Representation (MIR) into input suitable for the C Bounded Model Checker (CBMC), and by incorporating function and loop contracts, quantifiers, and stub functions, the framework enables fully automated verification without requiring user annotations. Evaluated on industrial-scale codebases, the approach uncovered six previously unknown vulnerabilities and has been integrated into the Rust standard library’s continuous integration pipeline, where it automatically verifies over 16,000 verification harnesses with every code change.
📝 Abstract
Rust's ownership type system prevents memory errors in safe code, but certain desirable properties remain orthogonal to compilation: the soundness of unsafe operations (e.g., raw pointer dereferences), functional correctness, and absence of runtime panics. We present Kani, an open-source model checker for Rust that pushes bounded model checking beyond bug-finding to provide correctness guarantees for these properties. Kani compiles proof harnesses from Rust's Mid-level Intermediate Representation (MIR) into CBMC's bit-precise verification engine, automatically checking a comprehensive set of safety properties with no user annotation. To extend verification from bounded to unbounded, Kani provides a specification language comprising function contracts, loop contracts, quantifiers, and function stubbing. We demonstrate feasibility through case studies on industrial Rust projects, where contracts upgraded verification from panic-freedom to functional correctness, uncovering six previously unknown bugs. Kani operates at scale in production CI, with over 16,000 harnesses verified per code change in the Rust standard library verification campaign.
Problem

Research questions and friction points this paper is trying to address.

Rust
memory safety
functional correctness
runtime panics
unsafe code
Innovation

Methods, ideas, or system contributions that make the work stand out.

bounded model checking
Rust MIR
function contracts
bit-precise verification
automated correctness guarantees