Type-Driven Correctness in Rust
Speaker Intro
- Principal Firmware Architect in Microsoft SCHIE (Silicon and Cloud Hardware Infrastructure Engineering) team
- Industry veteran with expertise in security, systems programming (firmware, operating systems, hypervisors), CPU and platform architecture, and C++ systems
- Started programming in Rust in 2017 (@AWS EC2), and have been in love with the language ever since
A practical guide to using Rust's type system to make entire classes of bugs impossible to compile. While the companion Rust Patterns book covers the mechanics (traits, associated types, type-state), this guide shows how to apply those mechanics to real-world domains β hardware diagnostics, cryptography, protocol validation, and embedded systems.
Every pattern here follows one principle: push invariants from runtime checks into the type system so the compiler enforces them.
How to Use This Book
Difficulty Legend
| Symbol | Level | Audience |
|---|---|---|
| π’ | Introductory | Comfortable with ownership + traits |
| π‘ | Intermediate | Familiar with generics + associated types |
| π΄ | Advanced | Ready for type-state, phantom types, and session types |
Pacing Guide
| Goal | Path | Time |
|---|---|---|
| Quick overview | ch01, ch13 (reference card) | 30 min |
| IPMI / BMC developer | ch02, ch05, ch07, ch10, ch17 | 2.5 hrs |
| GPU / PCIe developer | ch02, ch06, ch09, ch10, ch15 | 2.5 hrs |
| Redfish implementer | ch02, ch05, ch07, ch08, ch17, ch18 | 3 hrs |
| Framework / infrastructure | ch04, ch08, ch11, ch14, ch18 | 2.5 hrs |
| New to correct-by-construction | ch01 β ch10 in order, then ch12 exercises | 4 hrs |
| Full deep dive | All chapters sequentially | 7 hrs |
Annotated Table of Contents
| Ch | Title | Difficulty | Key Idea |
|---|---|---|---|
| 1 | The Philosophy β Why Types Beat Tests | π’ | Three levels of correctness; types as compiler-checked guarantees |
| 2 | Typed Command Interfaces | π‘ | Associated types bind request β response |
| 3 | Single-Use Types | π‘ | Move semantics as linear types for crypto |
| 4 | Capability Tokens | π‘ | Zero-sized proof-of-authority tokens |
| 5 | Protocol State Machines | π΄ | Type-state for IPMI sessions + PCIe LTSSM |
| 6 | Dimensional Analysis | π’ | Newtype wrappers prevent unit mix-ups |
| 7 | Validated Boundaries | π‘ | Parse once at the edge, carry proof in types |
| 8 | Capability Mixins | π‘ | Ingredient traits + blanket impls |
| 9 | Phantom Types | π‘ | PhantomData for register width, DMA direction |
| 10 | Putting It All Together | π‘ | All 7 patterns in one diagnostic platform |
| 11 | Fourteen Tricks from the Trenches | π‘ | SentinelβOption, sealed traits, builders, etc. |
| 12 | Exercises | π‘ | Six capstone problems with solutions |
| 13 | Reference Card | β | Pattern catalogue + decision flowchart |
| 14 | Testing Type-Level Guarantees | π‘ | trybuild, proptest, cargo-show-asm |
| 15 | Const Fn | π | Compile-time proofs for memory maps, registers, bitfields |
| 16 | Send & Sync | π | Compile-time concurrency proofs |
| 17 | Redfish Client Walkthrough | π‘ | Eight patterns composed into a type-safe Redfish client |
| 18 | Redfish Server Walkthrough | π‘ | Builder type-state, source tokens, health rollup, mixins |
Prerequisites
| Concept | Where to learn it |
|---|---|
| Ownership and borrowing | Rust Patterns, ch01 |
| Traits and associated types | Rust Patterns, ch02 |
| Newtypes and type-state | Rust Patterns, ch03 |
| PhantomData | Rust Patterns, ch04 |
| Generics and trait bounds | Rust Patterns, ch01 |
The Correct-by-Construction Spectrum
β Less Safe More Safe β
Runtime checks Unit tests Property tests Correct by Construction
βββββββββββββ ββββββββββ ββββββββββββββ ββββββββββββββββββββββ
if temp > 100 { #[test] proptest! { struct Celsius(f64);
panic!("too fn test_temp() { |t in 0..200| { // Can't confuse with Rpm
hot"); assert!( assert!(...) // at the type level
} check(42)); }
} }
Invalid program?
Invalid program? Invalid program? Invalid program? Won't compile.
Crashes in prod. Fails in CI. Fails in CI Never exists.
(probabilistic).
This guide operates at the rightmost position β where bugs don't exist because the type system cannot express them.