![Page 1: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/1.jpg)
An Open Framework for Certified System Software
Xinyu Feng
Yale University
![Page 2: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/2.jpg)
Why Certified Software?
Ariane 5
Mars Polar Lander
Mars climate orbiter
![Page 3: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/3.jpg)
Something More Relevant …
“A typical modern car contains around 20 built-in microcontrollers. Luxury models can have as many as 80. Such microcontrollers, …, are in constant communication with one another. In extreme cases, a single programming error in one of the control elements can mean life or death.”
-- Fraunhofer Magazine, 2004 (2)
Fig. from:www.howstuffworks.com
![Page 4: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/4.jpg)
Toyota recalled its 160,000 Prius cars in Oct 2005, because of bugs in the software controlling the hybrid gas-electric engine system…
Photo from edmunds.com
![Page 5: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/5.jpg)
How to Guarantee Software Quality?
Hardware
We need a “certified” computing platform!
Buggy? Bootloader + OS + Device DriverCertified Bootloader + OS + Device Driver
Buggy? Runtime Services & LibrariesCertified Runtime Services & Libraries
Buggy? Security InfrastructureCertified Security Infrastructure
Uncertified legacy code becomes second-class citizen!
We need firm control of the lowest-level software! [King et al. S&P'06]
![Page 6: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/6.jpg)
Certified Software: Problem Definition
• Hardware– processors, memory, storage, devices, …
• Software– bootloader, device drivers, OS, runtime, applications,
…
• Need a mathematical proof showing that as long as the hardware works, the software always work according to its specification
specification S
binary code C
formal proof P
![Page 7: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/7.jpg)
OS
timer
KBD
.
.
.
scheduler
spawn, yield, exit, lock, monitors, …
…ctxt ctxt ctxt
.
.
.interrupts
… threads
A Mini-OS
33 MHz
bootloader
1300-line 16bit x86 code,
Bootable!
http://flint.cs.yale.edu/feng/cos
But how to certify the code?
![Page 8: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/8.jpg)
Low-level code: C/Assembly
Certifying the Mini-OS
Many challenges:
Interrupts
Certified the whole system
Many different features
Different abstraction levels
Device drivers / IO
1300 lines of code
Code loading
Concurrency
bootloader
scheduler
timer int. handler
keyboard driver
keyboard int. handler
thread lib: spawn, exit, yield, …
sync. lib: locks and monitors
…
![Page 9: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/9.jpg)
My Contributions
• Specialized program logics– SCAP: stack-based control abstractions– SAGL: modular concurrency verification– CMAP: dynamic thread creation– concurrency with relaxed memory model [ongoing work]
• An open framework for certified systems– OCAP: embedding and interoperation between
different verification systems [TLDI’07]
– interoperability based on semantic models [ongoing work]
[PLDI’06]
[ICFP’05]
[ESOP’07]
![Page 10: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/10.jpg)
Outline of This Talk
• The OCAP Framework
• SAGL: modular concurrency verification
• SCAP: stack-based control abstractions
• Embedding and linking in OCAP
![Page 11: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/11.jpg)
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
Modules at Different Levels
• All concurrency verification assumes built-in concurrency
• Context switching, scheduler– Too low-level to be certified in
these logics
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
• Threads & schedulers have never been certified in a single logic!
• Example: how to certify multi-threaded software?
![Page 12: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/12.jpg)
L1
L2
L3
L4
Building Fully Certified Systems
• One logic for all code– Consider all possible
interactions.– Very difficult!
• Reality– Only limited combinations of
features are used.– It’s simpler to use a specialized
logic for each combination.– Interoperability between logics
![Page 13: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/13.jpg)
OCAP
Our Solution
Ln…L1
Mechanized Meta-Logic (CiC)
Modeling of the machine
…C1 Cn
C1C1
Cn
…OS
Cn
…C1 Cn
TCB
![Page 14: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/14.jpg)
The Machine
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P::=(C,S,pc)
::=(H,R)::={f I}*
pc
![Page 15: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/15.jpg)
Program Specifications
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P::=(C,S,pc)
::=(H,R)::={f I}*
pc
1
2
3
(spec) ::= {f }*
![Page 16: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/16.jpg)
Invariant-Based Verification
Initial condition: Inv(P0)
P0
c1 P1
c2 P2
c3 … cn Pn
Progress:
if Inv(P), then P’. P c P’.
Preservation:
if Inv(P) and P c P’, then Inv(P’).
![Page 17: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/17.jpg)
Mechanized Meta-Logic (CiC)
OCAP Rules
Ln…
“Domain specific” logics
Modeling of the machine
L1
…C1 Cn
may use different How to link modules?
![Page 18: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/18.jpg)
How to Link Modules
{r1:1, …, rn:n} {P}_{Q}
call f
( _ )t
a
( _ )h
a'
…
…
f:
…
…
![Page 19: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/19.jpg)
{r1:1, …, rn:n} {P}_{Q}
( _ )t
a
( _ )h
a'
How to Link Modules
How to define interpretation?
Encode the invariant enforced in our invariant-based proof methodology.
a should be expressive enough to encode Inv.
![Page 20: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/20.jpg)
An Open FrameworkA set of Hoare-logic rules as the foundational layer
XCAP[Ni&Shao'06] approacha(S) = …
used and generalized in OCAP [TLDI'07]
use “a” as the assertion language
supports first-class code pointers, mutable references, polymorphisms, recursive types, …
Indexed approach
simpler model for weak-ref, partial correctness, concurrency…,than existing work on indexed model [Appel&McAllester'01] [Amed'04] [Appel et al.'07]
ai(S) = … [ongoing work with Cai, Shao & Tan]
![Page 21: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/21.jpg)
OCAP Rules
The OCAP Framework [TLDI'07]
Ln…L1
…C1 Cn
( )L1 ( )LnSoundSound
OCAPSoundness
Mechanized Meta-Logic (CiC)
Modeling of the machine
XCAP
SCAPTAL …SAGL
![Page 22: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/22.jpg)
OCAP
Outline of This Talk
• The OCAP Framework
• SAGL: modular concurrency verification
• SCAP: stack-based control abstractions
• Embedding and linking in OCAP
Ln…
Mechanized Meta-Logic (CiC)
…C1
Modeling of the machine
L1
Cn
SAGLSAGL SCAP
![Page 23: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/23.jpg)
Certifying Concurrent Programs
How to guarantee
non-interference…
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
in a modular way?
Existing work is not modular/general…
![Page 24: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/24.jpg)
Certifying Concurrent Programs
• Assume-Guarantee (A-G) reasoning [Misra&Chandy’81, Jones’83]
thread modularity, general spec of A&G requires global data invariants
• Concurrent Separation Logic (CSL) [O’Hearn, Brookes 2004]
thread modularity + local reasoning restrictive synchronization pattern
shared resources can be accessed only inside critical regions
• SAGL: extend A-G with local reasoning [ESOP'07]
improved modularity without loss of generality
![Page 25: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/25.jpg)
Assume-Guarantee Reasoning
• Thread T and its environment– Environment: the collection of all other threads except T
• A: assumption about environment’s transition
• G: guarantee to the environment
• a: precondition
![Page 26: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/26.jpg)
A-G Reasoning
To certify each thread:
S, S'. a S A S S' a S'
Non-Interference of threads:
stability of precondition:
G S Nextc(S)
transitions satisfy the guarantee:
i,j . Gi Aj ( i j )
![Page 27: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/27.jpg)
A-G Reasoning
a1a2
a1a2 a1a2
G2
A1A2
G1
a2
a2
a1
a1
Requires global invariants!
![Page 28: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/28.jpg)
SAGL: Overview
Partition of resources: shared & private
p1
a1a2
p2
Threads specs:
(a1, p1), (a2, p2), …
Partition is conceptual:
(p1 p2) (a1 a2)
![Page 29: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/29.jpg)
SAGL: Memory Access
p1
a1a2
p2
Threads have exclusive access to their private resources.
All threads can access shared part.
Needs to guarantee non-interference.
Follows assume/guarantee reasoning.
Partitions can be dynamically adjusted.
![Page 30: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/30.jpg)
p1
a1a2'
p2
p1
a1a2
p2
SAGL – Access Shared Resource
A1
G2
a1 a1
A-G reasoning: a special case where
p1 and p2 are emp.
![Page 31: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/31.jpg)
p1
a1a2
p2'
p1
a1a2
p2
SAGL – Access Private Resource
![Page 32: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/32.jpg)
p1
a1a2
p2
p1
a1a2
p2
p1
a1a2'
p2
SAGL - Redistribution
A1
G2 A1
G2
lock unlock
a1
a1
a1
a1
![Page 33: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/33.jpg)
getNode():
l.acq();
…
l.rel();
-{(ainv , emp)}
Example: List
-{(emp, emp List(x))};
-{(emp, Node(y) List(x))}
-{(List(x), Node(y))}
ainv = free(l) List(x)
free(l) emp
x…
x … y
ainv
![Page 34: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/34.jpg)
SAGL [ESOP’07]
p1
a1a2
p2
Threads have exclusive access to their private resources.
All threads can access shared part.
Needs to guarantee non-interference.
Follows assume/guarantee reasoning.
Partitions can be dynamically adjusted.
A-G reasoning
CSL
![Page 35: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/35.jpg)
OCAP
Outline of this talk
• The OCAP Framework
• SAGL: modular concurrency verification
• SCAP: stack-based control abstractions
• Embedding and linking in OCAP
Ln…
Mechanized Meta-Logic (CiC)
…C1
Modeling of the machine
L1
Cn
SAGL SCAPSCAP
![Page 36: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/36.jpg)
Certifying C & Assembly Code?
How to specify/verify control abstractions?
Stack-based control abstractionscall/return, tail call, exceptions (stack cutting/ stack unwinding),
coroutines/threads context switching
How to formulate the stack invariants?
![Page 37: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/37.jpg)
Problems – call/return
void f(){ void h(){
h(); return;
return; }
}
Stacks are hidden!
![Page 38: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/38.jpg)
f: ...
sw $ra, -4($fp) h:
jal h ;; $ra contains ct
ct: lw $ra, -4($fp) jr $ra
...
jr $ra
fp
stack
??ct
Problems – call/return
void f(){ void h(){
h(); return;
return; }
}
Does f use the right return addr.?
pc
ra
R
![Page 39: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/39.jpg)
void cmp1(int x,jmp_buf env){
if (x == 0)
longjmp(env, 1);
else
return;
}
Problems – setjmp/longjmp
int rev(int x){
if (setjmp(env) == 0){
cmp0(x, env); return 0;
}else{
return 1;
}
}
void cmp0(int x,jmp_buf env){
cmp1(x, env);
}
jmp_buf env = …;
pc
f0
… sp
env
f0 pc
pc
env cannot outlive the stack frame of rev !
…
…
![Page 40: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/40.jpg)
Stack-Based Control Abstractions
A simple system (SCAP) for modular verification of (1) compiled C code & (2) manually-written assembly code
weak-continuation
Tail calls
Exceptions: Stack-cutting
Exceptions: Stack-unwinding
Threads context switching
Coroutines (w. function call)
setjmp/longjmp
Function call/returnPLDI'06
PLDI’06
TLDI’07
YALEU/DCS/TR-1336
![Page 41: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/41.jpg)
• SCAP specifications: (p, g)– p: State Prop– g: State State Prop
Specifications
f:
...
sw $ra, -4($fp)
jal h
ct:
lw $ra, -4($fp)
...
jr $ra
{(p0, g0)}
{(p1, g1)}
g0
g1
g0 S S’ S’.$ra = S.$ra …
• Challenges– f uses the “right” return addr.?
– Hoare triple {p} f {q}?• In different basic blocks!
{$ra = n …}
{$ra = n …}
![Page 42: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/42.jpg)
Program Spec. and Code Pointers
jal f
jal h
jr $ra
jr $ra
g0
g4
p0
p4
g1
p1
g2
p2
g3
p3
…
jr $ra
• Program Specification::=
{f1(p1,g1), …,fn(pn,gn)}
• “safe” to return (jr $ra):– $radom() ($ra)=(p,g)– p holds at the time of return
![Page 43: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/43.jpg)
SCAP : Stack Invariant
p0
g0p1
g1p2
g2p3
g3
g0 S0 S1
S1.$ra (S1.$ra))=(p1, g1) p1 S1
g0 S0 S1 g1 S1 S2
S2.$ra (S2.$ra)=(p2, g2) p2 S2
g0 S0 S1 g1 S1 S2 g2 S2 S3
S3.$ra (S3.$ra)=(p3, g3) p3 S3
jr $ra
Logical control stack
Always safe to return?S0
S1
S2
S3
…
![Page 44: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/44.jpg)
SCAP : Stack Invariant
WFST(n, g0, S0, ) S1. g0 S0 S1
p1,g1.
(S1.$ra)=(p1, g1) p1 S1 WFST(n-1, g1, S1, )
WFST(0, g0, S0, ) S1. g0 S0 S1
Invariant:p S n.WFST(n, g, S, )
p0
g0p1
g1p2
g2p3
g3
jr $ra
Logical control stack
S0
S1
S2
S3
![Page 45: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/45.jpg)
SCAP : Invariant Preservation
• Inv(S): p S n.WFST(n, g, S, )
cS’
p S n.WFST(n,g,S,)
S
p’ S’ n.WFST(n,g’,S’,)
p’,g’
![Page 46: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/46.jpg)
SCAP: call
p0
g0p1
g1
jr $ra
p0
g0jr $ra
p
g
jal f
p S WFST(n, g, S, ) p0 S0 WFST(n+1, g0, S0, )
S S0
n+1
n
…
p S p0 S0
p1
g1
n
…
p S g0 S0 S1 p1 S1
p S g0 S0 S1 g1 S1 S2 g S S2
g0 S0 S1 S0.$ra = S1.$ra
S1S1
S2 S2
![Page 47: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/47.jpg)
SCAP: ret
pgp1
g1
p1
g1jr $ra
p S WFST(n, g S, ) p1 S1 WFST(n-1, g1 S1, )
n
n-1
… n-1
…
p S g S S1
SS1
![Page 48: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/48.jpg)
Generalization: Stack Unwinding/Cutting
g1
p1
jr ra
p
g
+
p1
g1jr ra
p
g
Multi-ret
p1
g1
jr ra
p
g
Tail-call
![Page 49: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/49.jpg)
Example: setjmp/longjmp
int rev(int x){
if (setjmp(env) == 0){
cmp0(x, env); return 0;
}else{
return 1;
}
}
void cmp0(int x,jmp_buf env){
cmp1(x, env);
}
void cmp1(int x,jmp_buf env){
if (x == 0)
longjmp(env, 1);
else
return;
}
jmp_buf env = …;
![Page 50: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/50.jpg)
![Page 51: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/51.jpg)
Applications of SCAP
• malloc/free [Feng et al. PLDI'06, Xiang et al. QSIC'06]
• thread scheduler [Feng et al. TLDI'07]
• garbage collectors [McCreight&Shao PLDI'07]
![Page 52: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/52.jpg)
OCAP
Outline of This Talk
• The OCAP Framework
• SAGL: modular concurrency verification
• SCAP: stack-based control abstractions
• Embedding and linking in OCAP
Ln…
Mechanized Meta-Logic (CiC)
…C1
Modeling of the machine
L1
Cn
SAGL SCAP
![Page 53: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/53.jpg)
Threads and Scheduler
• Thread code C1,…,Cn
– Certified in SAGL• as concurrent code
– Do not know about thread queue
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
SCAPSAGL +
• Scheduler CS
– Certified in SCAP• as sequential code
– Manages thread queue TQ– Do not touch H
![Page 54: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/54.jpg)
How to Specify Scheduler/yield
jal yieldyield:
.
.
.
jr $ra
yield
gS1
S2|S2||S1|
SAGL SCAP
![Page 55: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/55.jpg)
Embedding of SCAP
((p, g))scap = , S. p S n.WFST(n, g, S, )
┝scap C: ┝ocap C :||If , then
Soundness:
Embedding:
Supports proof reuse.
![Page 56: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/56.jpg)
Embedding of SAGL
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
(((a,p),A,G))sagl =
, S.
Q={pc1, …, pcn}.
(pci) =((ai,pi),Ai,Gi)
InMem(Q)(p1…pn)(a1…an)
NI((A1,G1), …, (An,Gn))
stable(ai,Ai)
Embedding:
![Page 57: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/57.jpg)
Soundness of SAGL Embedding
┝sagl C: y┝ocap C:||.If , then
![Page 58: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/58.jpg)
Certifying The System
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
┝sagl Ci:i┝scap Cs:y
┝ocap Cs: y y┝ocap Ci: i
SCAPSAGL
the “link” rule
┝ocap Ci Cs : i y
![Page 59: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/59.jpg)
More Applications of OCAP
TAL [Morrisett'98]
malloc lib. GCs
[TLDI'07] [Lin et al. TASE'07]
![Page 60: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/60.jpg)
Conclusion
• Goal: modular verification of system software– modules use different computation features– modules are at different abstraction levels
• Solution: to certify different modules using different logics– SCAP: stack-based control abstractions– SAGL: modular concurrency verification– CMAP: assume-guarantee with dynamic threads– …– OCAP: interoperation between different verification systems
![Page 61: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/61.jpg)
Conclusion
• Applications
– malloc/free [Feng et al. PLDI'06, Xiang et al. QSIC'06]
– garbage collectors [McCreight&Shao PLDI'07]
– thread scheduler [Feng et al. TLDI'07]
– threads + scheduler [Feng et al. TLDI'07]
– TAL + mem. alloc [Feng et al. TLDI'07]
– TAL + GC [Lin et al. TASE'07]
SCAP
OCAP
![Page 62: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/62.jpg)
Ongoing and Future Work
• Certifying OS– Mini-OS: ongoing work– More realistic OS in the future, e.g. OS for embedded systems
• Concurrency with relaxed memory models – relaxed memory models and STM
• General Hoare-logic (next generation of OCAP)– based on a uniform semantic model of features– support concurrency, partial correctness, frame rules …
• Push verification to high level code– C-like code with inlined assembly– Automated spec. inference and theorem proving
![Page 63: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/63.jpg)
Thank you!
Acknowledgments
Zhong Shao, Hongxu Cai, Rodrigo Ferreira, Yu Guo, Andrew McCreight, Zhaozhong Ni, Gang Tan, Alex Vaynberg, Sen Xiang
![Page 64: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/64.jpg)
Backup Slides
![Page 65: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/65.jpg)
Certifying the Mini-OS
• Modeling of x86 machine– Real mode– PIC, keyboard, hard drive– 8- and 16-bit integers
• Verifying the code– Multi-threaded code
• SAGL with extension of interrupts– Scheduler, thread lib., interrupt handler
• SCAP with extension of interrupts– Interactions with devices (PIC, PIT, keyboard, HDR)
• Finite state machine in the specifications
![Page 66: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/66.jpg)
Statistics
• FIFO scheduler/context switching code– 30 line of MIPS code– 1400 line of proof scripts
• malloc/free: – 42/50 line of MIPS code– 1400/1560 line of proof scripts
![Page 67: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/67.jpg)
Statistics [McCreight et al. PLDI’07]
![Page 68: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/68.jpg)
Statistics – TAL & GC[Lin et al. TASE'07]
![Page 69: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/69.jpg)
SCAP: tail call
p0
g0
jr $ra
p
g
S
n
… j f
p0
g0
jr $ra
S0
n
…
p S WFST(n, g S, ) p0 S0 WFST(n, g0 S0, )
p S p0 S0 p S g0 S0 S1 g S S1
S1S1
![Page 70: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/70.jpg)
CMAP
• A-G reasoning– properly nested structures: P1 || P2
• low-level code– fork/join based structures– dynamic thread environment
• CMAP– unbounded dynamic creation/termination– similar to the support of dynamic mem. alloc.– change A and G to approximate the dynamic
thread env.
…
![Page 71: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/71.jpg)
H1 pc
1
pc
n…
TQ
r31
r0
ct
Scheduler in SCAP
yield:
pick one word (pci) from TQ
swap pci and r31
jr r31
…
jal yield
ct: …
Thread code:
H1 pc
1
pc
n…
TQ
r31
r0
ct
pc
![Page 72: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/72.jpg)
Scheduler in SCAP
yield: (ps, gs)
pick one word (pci) from TQ
swap pci and r31
jr r31
gs
gs (r{r1,…,r30}.[r]=[r]’) Q, Q’.
p’.
Q{[r31]} = Q’{[r31]’}
WFTQ(Q) p’WFTQ(Q’) p’
H1 pc
1
pc
n…
TQ
r31
r0
H1 pc
1
pc
n…
TQ
r31
r0
ct
ct
ps Q.WFTQ(Q) True
![Page 73: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/73.jpg)
Example: A-G reasoning
…
[100] := m;
…
…
[101] := n;
…
100 101
G1: [101] = [101]'
A1: [100] = [100]'
G2: [100] = [100]'
A2: [101] = [101]'
![Page 74: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/74.jpg)
Example: SAGL reasoning
…
[100] := m;
…
…
[101] := n;
…
100 101
-{(emp , 100 _) } -{(emp , 101 _)}
G1: emp
A1: emp
G2: emp
A2: emp
![Page 75: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/75.jpg)
OCAP: Code pointers
codeptr(f,a) (f) = a (Spec) ::= {f a}*
acodeptr
Not well-founded!
Support of first-class code pointers:
![Page 76: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/76.jpg)
OCAP: Code Pointers
A generic specification:
(CdSpec) ::= …
(Assert) a Spec State Prop
(Spec) ::= {f }*
() ,S. …
No interoperation between multiple systems…
acodeptr
a
codeptr
()
![Page 77: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/77.jpg)
OCAP: Foreign Languages
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
Inductive TalType : Type :=
T_int : TalType
T_pair: TalType -> TalType-> TalType
…
Inductive Tal2Type : Type :=
T2_int : TalType
T2_pair: TalType -> TalType-> TalType
…
L ::= TalType | Tal2Type | …
1 ::= T_int | T_pair 1 1 | … TalType
2 ::= T2_int | T2_pair 2 2 | … Tal2Type
![Page 78: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/78.jpg)
OCAP: Specifications
(OCdSpec) ::= <L,( )L,> L.(L Assert)*L
(Spec) ::= {(f1,1), … (fn,n)}
(Assert) a Spec State Prop
(Interp) ( )L L Assert
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
Not well-founded:
( )L
a
![Page 79: An Open Framework for Certified System Software](https://reader036.vdocument.in/reader036/viewer/2022062314/56814483550346895db119d3/html5/thumbnails/79.jpg)
OCAP: Specifications
(OCdSpec) ::= <,L,( )L,>
(Spec) ::= {(f1,1), … (fn,n)}
(Assert) a Spec State Prop
(Interp) ( )L L Assert
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
(LangID) ::= n nat
(LangDict) D ::= {1<L1,( )L1>,…, n<Ln,( )Ln>}
LangID (L.L Assert)
( )L
a