Presentation is loading. Please wait.

Presentation is loading. Please wait.

IronFleet: Proving Practical Distributed Systems Correct

Published byHilary Lynch Modified over 7 years ago

Similar presentations

Presentation on theme: "IronFleet: Proving Practical Distributed Systems Correct"— Presentation transcript:

1 IronFleet: Proving Practical Distributed Systems Correct
Chris Hawblitzel Jon Howell Manos Kapritsos Jacob R. Lorch Bryan Parno Michael L. Roberts Srinath Setty Brian Zill

2 Jay Lorch, Microsoft Research
IronFleet

3 [Mickens 2013] “not one of the properties claimed invariant in [PODC] is actually true of it.” [Zave 2015] Jay Lorch, Microsoft Research IronFleet

4 IronFleet Implementations are correct, not just abstract protocols We show how to build complex, efficient distributed systems whose implementations are provably safe and live. First mechanical proof of liveness of a non-trivial distributed protocol, let alone an implementation Proof is subject to assumptions, not absolute Spec Proofs are machine-checked System will make progress given sufficient time, e.g., it cannot deadlock or livelock Jay Lorch, Microsoft Research IronFleet

5 What we built You can do it too! IronRSL IronKV Paxos B
Replicated state library B A C You can do it too! Complex with many features: state transfer log truncation dynamic view-change timeouts batching reply cache IronKV Sharded key-value store Jay Lorch, Microsoft Research IronFleet

6 IronFleet extends state-of-the-art verification to distributed systems
Toolset modifications Methodology Libraries Discussed in talk Key contributions of our work: Two-level refinement Concurrency control via reduction Always-enabled actions Invariant quantifier hiding Automated proofs of temporal logic Discussed in paper Jay Lorch, Microsoft Research IronFleet

7 IronFleet builds on existing research
Recent advances Single-machine system verification SMT solvers IDEs for automated software verification Demo: Provably correct marshalling method MarshallMessage(msg:Message) returns (data:array<byte>) requires !msg.Invalid?; ensures ParseMessage(data) == msg; Jay Lorch, Microsoft Research IronFleet

8 Not writing unit tests and having it work the first time: priceless
Jay Lorch, Microsoft Research IronFleet

9 Concurrency containment
Outline Introduction Methodology Methodology overview Two-level refinement Concurrency containment Liveness ... Libraries Evaluation Related work Conclusions Jay Lorch, Microsoft Research IronFleet

10 Running example: IronRSL replicated state library
Paxos B A C Safety property: Equivalence to single machine Liveness property: Clients eventually get replies Jay Lorch, Microsoft Research IronFleet

11 Specification approach: Rule out all bugs by construction
Invariant violations Parsing errors Race conditions Marshalling errors Integer overflow Deadlock Buffer overflow Livelock ... Jay Lorch, Microsoft Research IronFleet

12 Concurrency containment
Outline Introduction Methodology Methodology overview Two-level refinement Concurrency containment Liveness ... Libraries Evaluation Related work Conclusions Jay Lorch, Microsoft Research IronFleet

13 Background: Refinement
[Milner 1971, Park 1981, Lamport 1983, Lynch 1983, ...] Spec S0 S1 S2 S3 S4 S5 S6 S7 Implementation I0 I1 I2 I3 I4 method Main() Jay Lorch, Microsoft Research IronFleet

14 Specification is a simple, logically centralized state machine
type SpecState = int function SpecInit(s:SpecState) : bool { s == 0 } function SpecNext(s:SpecState, s’:SpecState) : bool { s’ == s + 1 } function SpecRelation(realPackets:set<Packet>, s:SpecState) : bool { forall p, i :: p in realPackets && p.msg == MarshallCounterVal(i) ==> i <= s } Jay Lorch, Microsoft Research IronFleet

15 Host implementation is a single-threaded event-handler loop
method Main() { var s:ImplState; s := ImplInit(); while (true) { s := EventHandler(s); } Host implementation is a single-threaded event-handler loop Jay Lorch, Microsoft Research IronFleet

16 Proving correctness is hard
Subtleties of distributed protocols Complexities of implementation Maintaining global invariants Using efficient data structures Dealing with hosts acting concurrently Memory management Ensuring progress Avoiding integer overflow Jay Lorch, Microsoft Research IronFleet

17 Two-level refinement Spec S0 S1 S2 S3 S4 S5 S6 S7 Protocol P0 P1 P2 P3
Implementation Jay Lorch, Microsoft Research IronFleet

18 Protocol layer Spec Protocol Implementation seq<int>
array<uint64> function ProtocolNext(s:HostState, s’:HostState) : bool method EventHandler(s:HostState) returns (s’:HostState) type Message = MessageRequest() | MessageReply() | ... type Packet = array<byte> Jay Lorch, Microsoft Research IronFleet

19 Protocol layer Spec Protocol Implementation Distributed system model
Jay Lorch, Microsoft Research IronFleet

20 Protocol layer Spec S0 S1 S2 S3 S4 S5 S6 S7 Protocol P0 P1 P2 P3 P4
Impl I0 I1 I2 I3 I4 method EventHandler(s:HostState) returns (s’:HostState) ensures ProtocolNext(s, s’); Jay Lorch, Microsoft Research IronFleet

21 Concurrency containment
Outline Introduction Methodology Methodology overview Two-level refinement Concurrency containment Liveness ... Libraries Evaluation Related work Conclusions Jay Lorch, Microsoft Research IronFleet

22 Cross-host concurrency is hard
Host A Step 1 Host A Step 2 Host B Step 1 Host B Step 2 Host B Step 3 Host A Step 3 Hosts are single-threaded, but we need to reason about concurrency of different hosts Jay Lorch, Microsoft Research IronFleet

23 Cross-host concurrency is hard
Requires reasoning about all possible interleaving of the substeps Jay Lorch, Microsoft Research IronFleet

24 Concurrency containment strategy
Enforce that receives precede sends in event handler Assume in proof that all host steps are atomic Jay Lorch, Microsoft Research IronFleet

25 Why concurrency containment works
Reduction argument: for every real trace... Jay Lorch, Microsoft Research IronFleet

26 Why concurrency containment works
Reduction argument: for every real trace... ...there’s a corresponding legal trace with atomic host steps Constraining the implementation lets us think of the entire distributed system as hosts taking one step at a time. Jay Lorch, Microsoft Research IronFleet

27 Most of the work of protocol refinement is proving invariants
Complicated! P P P P P SystemInit(states[0]) ==> P(0) Nearly all cases proved automatically, without proof annotations P(j) && SystemNext(states[j], states[j+1]) ==> P(j+1) automated theorem proving Jay Lorch, Microsoft Research IronFleet

28 Concurrency containment
Outline Introduction Methodology Methodology overview Two-level refinement Concurrency containment Liveness ... Libraries Evaluation Related work Conclusions Jay Lorch, Microsoft Research IronFleet

29 One constructs a liveness proof by finding a chain of conditions
... C0 C1 C2 C3 C4 Cn Ultimate goal Assumed starting condition Jay Lorch, Microsoft Research IronFleet

30 Simplified example Client sends request Replica receives request
Replica suspects leader Replica receives request Leader election starts Paxos A B C Jay Lorch, Microsoft Research IronFleet

31 Some links can be proven from assumptions about the network
Client sends request Replica receives request Replica suspects leader Network eventually delivers packets in bounded time Leader election starts Jay Lorch, Microsoft Research IronFleet

32 Most links involve reasoning about host actions
Client sends request Replica has request Replica suspects leader One action that event handler can perform is “become suspicious” Leader election starts Jay Lorch, Microsoft Research IronFleet

33 Lamport provides a rule for proving links
Ci Ci+1 Action Enablement poses difficulty for automated theorem proving Tricky things to prove: Action is enabled (can be done) whenever Ci holds If Action is always enabled it’s eventually performed Jay Lorch, Microsoft Research IronFleet

34 Always-enabled actions
Handle a client request If you have a request to handle, handle it; otherwise, do nothing Jay Lorch, Microsoft Research IronFleet

35 Always-enabled actions allow a simpler form of Lamport’s rule
Ci Ci+1 Action Tricky things to prove: Action is enabled (can be done) whenever Ci holds If Action is always enabled it’s eventually performed Action is performed infinitely often Jay Lorch, Microsoft Research IronFleet

36 To execute each action infinitely often, event handler is a simple scheduler
ProtocolNext Action 1 Action 9 Action 2 Action 8 Action 3 Action 7 Action 4 Action 6 Action 5 Straightforward to prove that if event handler runs infinitely often, each action does too Jay Lorch, Microsoft Research IronFleet

37 Always-enabled actions pose a danger we’re immune to
Always-enabled actions can create an unimplementable protocol Handle a client request We’ll discover this when we try to implement it! Jay Lorch, Microsoft Research IronFleet

38 Concurrency containment
Outline Introduction Methodology Methodology overview Two-level refinement Concurrency containment Liveness ... Libraries Evaluation Related work Conclusions Jay Lorch, Microsoft Research IronFleet

39 We built general-purpose verified libraries
Proof Implementation Assumptions about hardware and network Temporal logic Induction Liveness P S0 S1 S2 ... Ci Ci+1 Action Parsing and marshalling uint64 uint64 Jay Lorch, Microsoft Research IronFleet

40 Much more in the paper! Invariant quantifier hiding
Embedding temporal logic in Dafny Reasoning about time Strategies for writing imperative code Tool improvements Jay Lorch, Microsoft Research IronFleet

41 Concurrency containment
Outline Introduction Methodology Methodology overview Two-level refinement Concurrency containment Liveness ... Libraries Evaluation Related work Conclusions Jay Lorch, Microsoft Research IronFleet

42 Including liveness, proof-to-code ratio is 8:1
Line counts Common Libraries IronKV IronRSL Including liveness, proof-to-code ratio is 8:1 Safety proof to code ratio is 5:1, comparable to Ironclad (4:1) and seL4 (26:1) Few lines of spec in TCB Jay Lorch, Microsoft Research IronFleet

43 IronRSL performance We trade some performance for strong correctness,
Adding batching (~2-3 person-months) improved performance significantly We trade some performance for strong correctness, but no fundamental reason verified code should be slower Separating implementation from protocol allows performance improvement without disturbing proof Reasoning about the heap is currently difficult Each optimization requires a proof of equivalence Jay Lorch, Microsoft Research IronFleet

44 Throughput 25%-75% of Redis
IronKV performance Get Set Throughput 25%-75% of Redis Jay Lorch, Microsoft Research IronFleet

45 Related work Single-system verification
seL4 microkernel [Klein et al., SOSP 2009] CompCert C compiler [Leroy, CACM 2009] Ironclad end-to-end secure applications [Hawblitzel et al., OSDI 2014] Distributed-system verification (but no liveness properties) EventML replicated database [Rahli et al, DSN 2014] Framework with components useful for building verified distributed systems Proof only about consensus algorithm, not state machine replication Uses only one layer of refinement, so all optimizations done by compiler Verdi framework and Raft implementation [Wilcox et al., PLDI 2015] Uses interactive theorem proving to build verified distributed systems Missing features like batching, state transfer, etc. Uses system transformers, a cleaner approach to composition Jay Lorch, Microsoft Research IronFleet

46 https://github.com/Microsoft/Ironclad
Conclusions It’s now possible to build provably correct distributed systems... ...including both safety and liveness properties ...despite implementation complexity necessary for features and performance To build on our code: To try Dafny: Thanks for your attention! Jay Lorch, Microsoft Research IronFleet

Download ppt "IronFleet: Proving Practical Distributed Systems Correct"

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
The SMART Way to Migrate Replicated Stateful Services Jacob R. Lorch, Atul Adya, Bill Bolosky, Ronnie Chaiken, John Douceur, Jon Howell Microsoft Research.

The SMART Way to Migrate Replicated Stateful Services Jacob R. Lorch, Atul Adya, Bill Bolosky, Ronnie Chaiken, John Douceur, Jon Howell Microsoft Research.
Tam Vu (tvu@mail.eecis.udel.edu) Remote Procedure Call CISC 879 – Spring 03 Tam Vu (tvu@mail.eecis.udel.edu) March 06, 03.

Tam Vu Remote Procedure Call CISC 879 – Spring 03 Tam Vu March 06, 03.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.

Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.

Similar presentations

Ads by Google