Page 1
The Science of Deep Specification
Andrew W. Appel, Benjamin Pierce, Stephanie Weirich, Steve Zdancewic, Zhong Shao, Adam Chlipala
Princeton, Penn, Yale, MIT
bcpierce/papers/deepspec-hcss · 2016-05-11
Page 2
Zero-vulnerability critical software
– Compilers, interpreters
– Operating systems
– File systems, networking stacks
– Distributed middleware
– Databases
– Crypto, security protocols
A pipe dream?
A high-value “niche”
Maybe until recently!
Page 3
Heroic proofs of concept
• CompCert (C compiler)
• L4.verified (OS)
Page 4
Proliferation of “point solutions”
• CertiKOS (hypervisor)
• Verdi (distributed algorithms toolkit)
• RockSalt (software fault isolation)
• CakeML (ML compiler)
• VeLLVM (LLVM optimizations)
• HMAC+SHA (crypto)
• …
Individually impressive! But disconnected
Page 5
The Rise of Integrated Stacks
• CompCert ecosystem
• L4.verified ecosystem
• IronClad Apps
• Bedrock web server
• Everest (verified https)
• …
What makes this challenging?
(lots of things, but in particular…)
Specification Engineering!
Page 6
What we learned from CompCert
[Diagram: layered stack of specifications and the artifacts connected to them. Labels: Transistors; IBM’s CPU; PowerPC ISA; CompCert compiler; C language; Program logic / Verifiable C system; CertiKOS hypervisor kernel; OS client interface. Attributions: Xavier Leroy (Inria), Peter Sewell (Univ. of Cambridge), Appel, Shao.]
Page 7
What we discovered ...
[Diagram: same layered stack as on page 6. Labels: Transistors; IBM’s CPU; PowerPC ISA; CompCert compiler; C language; Program logic / Verifiable C system; CertiKOS hypervisor kernel; OS client interface. Attributions: Xavier Leroy (Inria), Peter Sewell (Univ. of Cambridge), Appel, Shao.]
Page 8
Solution: exercise spec. from both sides (2006-2015)
[Diagram: same layered stack as on pages 6 and 7, now with each specification (C language, PowerPC ISA) connected on both sides. Labels: Transistors; IBM’s CPU; PowerPC ISA; CompCert compiler; C language; Program logic / Verifiable C system; CertiKOS hypervisor kernel; OS client interface. Attributions: Xavier Leroy (INRIA), Peter Sewell (Univ. of Cambridge), Appel, Shao.]
Page 9
The Future of Formal Methods… Integration!
Page 10
The Science of Deep Specification
Page 11
A new NSF Expedition…
Andrew Appel, Zhong Shao, Stephanie Weirich, Benjamin Pierce, Steve Zdancewic, Adam Chlipala
Princeton, Penn, Yale, MIT
$10m, 5 years
Page 12
Deep Specifications are FORMAL, RICH, LIVE, and 2-SIDED
RICH: describe complex behaviors in detail
FORMAL: in notation with a clear semantics
LIVE: machine-checked connection to implementations
2-SIDED: connected to both implementations & clients
Page 13
DeepSpec goals
1. Core research
2. Education
3. Community building
Page 14
Core Research Topics
Page 15
Individual projects, connected at deep specs
Adam Chlipala: Verified processor design
Page 16
Individual projects, connected at deep specs
Andrew Appel: Verified toolchain for verifying concurrent C programs
Page 17
Individual projects, connected at deep specs
Steve Zdancewic: Verified LLVM compiler
Page 18
Individual projects, connected at deep specs
Stephanie Weirich: Specification of functional language
Page 19
Individual projects, connected at deep specs
Zhong Shao: Verified hypervisor OS kernel
Page 20
Individual projects, connected at deep specs
Benjamin Pierce: Specification-based random testing
Page 21
Specification and testing
Promising development: the rise of specification-based automated testing techniques
– Property-based random testing (QuickCheck)
– Model-based testing
– Oracle-based testing
– …
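As an added illustration of the 2-SIDED and specification-based-testing points above (example code written for this page, not from the DeepSpec slides or project), the following hand-rolled QuickCheck-style harness uses an executable specification as the oracle when randomly testing an implementation, and shrinks any failing input to a minimal counterexample. The sorted-insert functions, the properties and the deliberately buggy variant are all constructed here for illustration.

```python
# Added example, not code from the DeepSpec slides or project: a hand-rolled,
# QuickCheck-style harness that tests an implementation against its spec.
# The sorted-insert functions and their properties are constructed for illustration.
import random

def insert(x, xs):
    """Reference implementation: insert x into a sorted list, keeping it sorted."""
    for i, y in enumerate(xs):
        if x <= y:
            return xs[:i] + [x] + xs[i:]
    return xs + [x]

def insert_dropping(x, xs):
    """Constructed buggy implementation: loses x when it exceeds every element."""
    for i, y in enumerate(xs):
        if x <= y:
            return xs[:i] + [x] + xs[i:]
    return xs  # bug: the tail append is missing

def is_sorted(xs):
    return all(a <= b for a, b in zip(xs, xs[1:]))

def spec(impl, x, xs):
    """The specification as an executable property: the result is sorted
    and is a permutation of xs + [x]. Used as the test oracle."""
    out = impl(x, xs)
    return is_sorted(out) and sorted(out) == sorted(xs + [x])

def shrink(impl, x, xs):
    """Greedy shrinking: drop one element at a time while the property still fails,
    so the reported counterexample is as small as possible."""
    i = 0
    while i < len(xs):
        cand = xs[:i] + xs[i + 1:]
        if not spec(impl, x, cand):
            xs = cand        # still a counterexample: keep it, retry same index
        else:
            i += 1
    return x, xs

def quickcheck(impl, seed=0, trials=500):
    """Random testing against the spec. Returns a shrunk counterexample (x, xs),
    or None when every trial satisfies the property."""
    rng = random.Random(seed)
    for n in range(trials):
        size = 1 + n // 10   # grow inputs gradually, like QuickCheck's size parameter
        xs = sorted(rng.randint(-size, size) for _ in range(rng.randint(0, size)))
        x = rng.randint(-size, size)
        if not spec(impl, x, xs):
            return shrink(impl, x, xs)
    return None
```

The same `spec` function serves the other side as well: a client of `insert` may rely on exactly the sortedness-and-permutation guarantee it states, which is what makes the specification 2-sided rather than a test-only artifact.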
Page 22
End-to-End Demo(s)
Leading candidates:
– Voting systems
– Automotive software
– Datacenter infrastructure
Other suggestions??
Page 23
Education and training
Textbooks and on-line materials
Software Foundations text is used at dozens of universities. Now we know:
With good instructional materials and interactive proof checkers, specification & verification can be taught…
...just like programming and software engineering can be taught!
Page 24
Book Development
• Goal: Use Software Foundations to seed a new series of “verified textbooks”
• First step: Verified Functional Algorithms, Andrew Appel (fall 2016)
• Later:
  – A verified compiler textbook?
Page 25
Curriculum Development
New Compiler & OS Courses based on CertiKOS
• Modularity ⇒ clean pedagogical implementations
• Precise (and correct!) description of relevant abstractions
• Specifications ⇒ automated test harnesses / test cases / property-based testing (for grading)
• Connects to formal methods course that teaches verification techniques for these artifacts
Page 26
Education Specialists
Bruce Lenthall, Executive Director, Penn CTL (Center for Teaching & Learning)
Emily Elliott, Associate Director, Penn CTL
Ananda Gunawardena, Lecturer, Princeton CS
Responsibilities:
• determine appropriate metrics for learning outcomes
• design assessment plan
• develop data collection plans
• help design measurement instruments
• analyze data
• work with IRBs
Responsibilities:
• manage implementation of data collection plan
• send out, collect, and compile assessments
• etc.
Page 27
Assessment tools
1. ABET course outcomes – Compare “pre-DS” to “DS-ified” versions of a course at the same university (e.g., Princeton), where DS-ified versions will be test driven in later years of the project
2. Student surveys
3. Instructor surveys
4. Tracking changes between successive offerings of DS-ified courses
Page 28
Community building
Goal is to act as a point around which things crystallize…
• Workshops (every summer)
• Summer schools (beginning next summer)
• Visitor program (accepting applications!)
• Industrial Advisory Board
• Support for Coq development
• Jobs for postdocs, engineers, PhD students
Page 29
Join us!
• DeepSpec is not about building a single system or stack
  – It’s about finding out how to make connections between systems
• Who would you like to connect to?