The interior mutability primitives in the standard library already have a proof, incidentally. Look at the RustBelt work.