Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and."— Presentation transcript:

1 An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and Yu Guo (USTC)

2 Motivation How to build fully certified software systems? Source-level codeLibraries and runtime + References with weak upd. Dynamic mem. alloc. Functions, exceptions, … Concurrency I/O Garbage collectors malloc() (strong update) Stacks, code pointers Context switching & Scheduler Device drivers

3 Motivation All concurrency verification assumes built-in concurrency Assume-Guarantee (A-G) reasoning Concurrent Separation logic (CSL) … Context switching, scheduler Too low-level to be certified in these logics [Yu&Shao, ICFP ’ 04] Threads & schedulers have never been modularly certified!

4 Motivation Certify all code in a single type system/program logic? Hard to combine all features weak vs. strong update, functions/exceptions vs. goto ’ s, threads vs. thread contexts May not be modular Very complex, hard to use Don ’ t know how to design such a logic Certify modules using the most appropriate logic! Modules do not use all the features at the same time It is simpler to use specialized logic for each module

5 An Open Framework Certify different modules using different verification systems!

6 Challenges Extensibility and openness not designed for certain specific interoperations But can we just use MLFs, e.g. Coq? Expressiveness type safety, concurrency properties, partial correctness, … A general and uniform model of control flow Allow functions certified in different systems to call each other the key for modularity: separate verification & proof reuse Principled interoperation with clear meta-property properties of the whole system composed of modules Not readily supported in Coq!

7 Our contributions OCAP: an open framework Embedding of different systems TAL, non-CPS Hoare-logic, A-G reasoning, … Open & Extensible Modularity with first-class code pointers [Ni&Shao POPL ’ 06] Soundness Type safety, & preservation of invariants in foreign systems Applications TAL + memory allocation libs. Threads + Scheduler The first time to modularly certify both sides …

8 Outline OCAP Framework Certifying Threads & Schedulers

9 OCAP Rules LnLn … OCAP : Overview OCAP Soundness Mechanized Meta-Logic (CiC) Modeling of the machine TCB Sound L1L1 ( ) L1 ( ) Ln Sound Mechanized Meta-Logic (CiC) Modeling of the machine … C1C1 CnCn

10 The Machine I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,pc) ::=(H,R) ::={f  I} * pc

11 The OCAP Logic : Overview Hoare-style program logic for assembly CPS-style reasoning Assign a precondition to each basic block Similar to TAL [Morrisett et al. POPL ’ 98]

12 The OCAP Logic : Overview I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,pc) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} * a

13 OCAP: Code pointers codeptr(f,a)   (f) = a (Spec)  ::= {f  a} *  a codeptr Not well-founded! Support of first-class code pointers:

14 OCAP: Code Pointers A generic specification: (CdSpec)  ::= … (Assert) a  Spec  State  Prop (Spec)  ::= {f   } * (  ) ,S. … No interoperation between multiple systems…  a codeptr a   codeptr  ()()

15 OCAP: Foreign Languages (LangTy) L ::= CiC Terms  Type (CodeSpec)  ::= CiC Terms  L Inductive TalType : Type := T_int : TalType T_pair: TalType -> TalType-> TalType … Inductive Tal2Type : Type := T2_int : TalType T2_pair: TalType -> TalType-> TalType … L ::= TalType | Tal2Type | …  1 ::= T_int | T_pair  1  1 | …  TalType  2 ::= T2_int | T2_pair  2  2 | …  Tal2Type

16 OCAP: Specifications (OCdSpec)  ::=   L.( L  Assert )* L (Spec)  ::= {(f 1,  1 ), … (f n,  n )} (Assert) a  Spec  State  Prop (Interp) ( ) L  L  Assert (LangTy) L ::= CiC Terms  Type (CodeSpec)  ::= CiC Terms  L Not well-founded:  ( ) L a

17 OCAP: Specifications (OCdSpec)  ::= (Spec)  ::= {(f 1,  1 ), … (f n,  n )} (Assert) a  Spec  State  Prop (Interp) ( ) L  L  Assert (LangTy) L ::= CiC Terms  Type (CodeSpec)  ::= CiC Terms  L (LangID)  ::= n  nat (LangDict) D ::= {  1 ,…,  n  }  LangID  (  L. L  Assert)  ( ) L a  

18 Selected OCAP Rules D 1  D 2 ;  1  2 ┝ C 1  C 2 :  1 ’  2 ’ D 1 ;  1 ┝ C 1 :  1 ’ (link) D 2 ;  2 ┝ C 2 :  2 ’ … D ┝ {a}jr r ,S.a  S .(codeptr(S.R(r),  )  a’)  S (jr) a’ = [[[  ]]] D codeptr(f,  )  ,S.  (f)=  [[[  ]]] D  ,S.  ( ) L. ( D (  )= )  ( (  ) L  S)  =

19 Outline OCAP Framework Certifying Threads & Schedulers

20 Threads and Scheduler Thread code C 1,…,C n Certified following CCAP [Yu&Shao, ICFP ’ 04] Assume-Guarantee reasoning Thread modularity Do not know about thread queue SCAP CCAP + Scheduler C S Certified in SCAP [Feng et al. PLDI’06] as sequential code Manages thread queue TQ Do not touch H

21 Scheduler in SCAP yield: pick one word (pc i ) from TQ swap pc i and r 31 jr r 31 H1H1 pc 1 pc n … TQ r 31 r0r0 H1H1 pc 1 pc n … TQ r 31 r0r0 … jal yield ct: … Thread code: ct

22 Scheduler in SCAP yield: (p s, g s ) pick one word (pc i ) from TQ swap pc i and r 31 jr r 31 gsgs g s  (  r  {r 1,…,r 30 }.[r]=[r]’)   Q, Q ’.  p’.  Q  {[r31]} = Q ’  {[r31]’} WFTQ( Q )*p’ WFTQ( Q ’ )*p’ H1H1 pc 1 pc n … TQ r 31 r0r0 H1H1 pc 1 pc n … TQ r 31 r0r0 ct p s   Q.WFTQ( Q ) * True

23 Embedding SCAP ( (p,g) ) D scap  … jr $ra g p … D Soundness:  scap ┝ scap C:  ’ scap   (  scap ) D scap D  D scap,  ┝ C:  ’  ’  (  ’ scap ) D scap D scap  {  scap  }

24 Threads: Assume-Guarantee S p1p1 p2p2 S’S’ Spec. for threads: (p, A, G) p: State  Prop p’1p’1 p 2 ? A, G: State  State  Prop Stability of p: p i S  A i S S ’  p i S ’ G1G1  A 2 A 1, G 1 A 2, G 2

25 CCAP embedding  ccap ┝ ccap C i :  ’ ccap D all  {  ccap ,  scap  } D all ;  c  y ┝ C i :  ’ c  y  {yield  }  c  (  ccap ) ccap  ’ c  (  ’ ccap ) ccap ( (p,A,G) ) ccap  ,S. …

26 Certify the code  ccap ┝ ccap C i :  ’ ccap  scap ┝ scap C s :  ’ scap D all  {  ccap ,  scap  } D all ;  y ┝ C s :  ’ y D all ;  c  y ┝ C i :  ’ c SCAP CCAP the “link” rule D all ;  c  y ┝ C i  C s :  ’ c   ’ y

27 Summary It is simpler and natural to certify different modules using different logics OCAP: framework for interoperation Embedding TAL: type system SCAP: non-cps logic for assembly CCAP: Assume-guarantee reasoning Interoperation TAL + newpair Threads + Scheduler TAL + GC (ongoing work by Lin, McCreight, et al.)

28 Future work Explore the applicability of OCAP Interoperation of different languages Currently just for assembly language But logics are at different levels (TAL, CCAP, … ) May support C + inlined assembly

29 Thank you!

Download ppt "An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Computer Architecture CSCE 350

Computer Architecture CSCE 350
Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.
Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November 2010 Focus Areas: Operating Systems,

Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November Focus Areas: Operating Systems,
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)
Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.

Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Extensible Kernels Edgar Velázquez-Armendáriz September 24 th 2009.

Extensible Kernels Edgar Velázquez-Armendáriz September 24 th 2009.
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
An Open Framework for Certified System Software Xinyu Feng Yale University.

An Open Framework for Certified System Software Xinyu Feng Yale University.

Similar presentations

Ads by Google