SLIDE 1
Automating Formal Proofs for Reactive Systems
Daniel Ricketts, Valentin Robert, Dongseok Jang, Sorin Lerner
University of California, San Diego University of Washington Zachary βDangerβ Tatlock
Automating Formal Proofs for Reactive Systems Daniel Ricketts , - - PowerPoint PPT Presentation
Automating Formal Proofs for Reactive Systems Daniel Ricketts , - - PowerPoint PPT Presentation
Automating Formal Proofs for Reactive Systems Daniel Ricketts , Valentin Robert, Zachary Danger Tatlock Dongseok Jang, Sorin Lerner University of California, San Diego University of Washington Proof Assistant Based Verification Proof
SLIDE 2
SLIDE 3
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
SLIDE 4
Compiler Bugs Found
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
SLIDE 5
Compiler Bugs Found GCC 122
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
SLIDE 6
Compiler Bugs Found GCC 122 Clang/LLVM 181
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
SLIDE 7
Compiler Bugs Found GCC 122 Clang/LLVM 181 CompCert ?
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
SLIDE 8
Compiler Bugs Found GCC 122 Clang/LLVM 181 CompCert
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
SLIDE 9
Compiler Bugs Found GCC 122 Clang/LLVM 181 CompCert
Proof Assistant Based Verification
[Yang et al. PLDI 11]
Testing tool for C compilers
[Le et al. PLDI 14]
SLIDE 10
Proof Assistant Based Verification
SLIDE 11
Proof Assistant
Proof Assistant Based Verification
SLIDE 12
Proof Assistant
Coq Theorem Prover
Proof Assistant Based Verification
SLIDE 13
Code
Proof Assistant
Proof Assistant Based Verification
SLIDE 14
Code
Proof Assistant
in language supporting reasoning
Proof Assistant Based Verification
SLIDE 15
Code Spec
Proof Assistant
Proof Assistant Based Verification
SLIDE 16
Code Spec
Proof Assistant
logical properties characterizing correctness
Proof Assistant Based Verification
SLIDE 17
Code Spec
Proof Assistant Grads
Proof Assistant Based Verification
SLIDE 18
Code Spec
Proof Assistant Grads
interactively show code satisfies specification
Proof Assistant Based Verification
SLIDE 19
Code Spec
Proof Assistant Grads
ML x86
Proof Assistant Based Verification
SLIDE 20
Code Spec
Proof Assistant Grads
ML x86 compile down to machine code
Proof Assistant Based Verification
SLIDE 21
Code Spec
Proof Assistant
Extremely strong guarantees about actual system!
Grads
ML x86
Proof Assistant Based Verification
SLIDE 22
Verified Compiler: CompCert
Proof Assistant Based Verification
[Leroy POPL 06]
SLIDE 23
Verified Compiler: CompCert Verified OS micro-kernel: seL4
Proof Assistant Based Verification
[Leroy POPL 06] [Klein et al. SOSP 09]
SLIDE 24
Verified Compiler: CompCert Verified OS micro-kernel: seL4 Verified Web browser: Quark
Proof Assistant Based Verification
[Leroy POPL 06] [Klein et al. SOSP 09] [Jang et al. Security 12]
SLIDE 25
Manual Proof Burden
Code Spec Proof
SLIDE 26
Manual Proof Burden
Code Spec Proof
Verified OS micro-kernel: seL4
SLIDE 27
Manual Proof Burden
Code Spec Proof
Verified OS micro-kernel: seL4
9,000 lines of C code
SLIDE 28
Manual Proof Burden
Code Spec Proof
Verified OS micro-kernel: seL4
9,000 lines of C code 20 person-years for verification
SLIDE 29
Manual Proof Burden
Code Spec Proof
SLIDE 30
Manual Proof Burden
Requires expertise in proof assistants Code Spec Proof
SLIDE 31
Manual Proof Burden
Requires expertise in proof assistants Extremely brittle, maintenance burden Code Spec Proof
SLIDE 32
Manual Proof Burden
Code Spec Proof
SLIDE 33
Code Spec
Ideal
(no manual proofs)
Manual Proof Burden
SLIDE 34
Single application domain
SLIDE 35
Single application domain
Code1 Spec1 Proof1
SLIDE 36
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2
SLIDE 37
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
SLIDE 38
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties
SLIDE 39
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties Similar architecture
SLIDE 40
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties Similar architecture Similar reasoning
SLIDE 41
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties
DSL for Specs
SLIDE 42
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties
DSL for Specs
Similar architecture Similar reasoning
SLIDE 43
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties Similar architecture
DSL for Specs DSL for Code
SLIDE 44
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties Similar architecture
DSL for Specs DSL for Code
Similar reasoning
SLIDE 45
Single application domain
Code1 Spec1 Proof1 Code2 Spec2 Proof2 Code3 Spec3 Proof3
Similar properties Similar architecture Similar reasoning
DSL for Specs DSL for Code Proof Automation
SLIDE 46
DSL for Specs DSL for Code Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3
Single application domain
SLIDE 47
DSL for Specs DSL for Code Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3
Single application domain
SLIDE 48
DSL for Specs DSL for Code Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3
Single application domain
SLIDE 49
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code
SLIDE 50
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code
SLIDE 51
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code REFLEX
SLIDE 52
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code REFLEX
No manual proofs,
SLIDE 53
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code REFLEX
No manual proofs, yet proof assistant guarantee.
SLIDE 54
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code REFLEX
No manual proofs, yet proof assistant guarantee. Automation incomplete,
SLIDE 55
Reactive systems
Proof Automation Code1 Spec1 Code2 Spec2 Code3 Spec3 Proof1 Proof2 Proof3 DSL for Specs DSL for Code REFLEX
No manual proofs, yet proof assistant guarantee. Automation incomplete, but verified browser, ssh, web server.
SLIDE 56
Reactive systems
Reactive system
SLIDE 57
Reactive systems
Reactive system
Continuously read messages from components and send messages to components
SLIDE 58
Reactive systems
Reactive system
SLIDE 59
Kernel
Example: Web browser kernel
SLIDE 60 facebook
google
Example: Web browser kernel
Kernel Tab3
Tab2
gmail
Tab1
SLIDE 61 facebook
google
google
facebook
Example: Web browser kernel
Kernel Tab3
Tab2
gmail
Tab1
Cookie Manager
Cookie Manager
SLIDE 62 facebook
google
google
facebook
Example: Web browser kernel
Kernel Tab3
Tab2
gmail
Tab1
Cookie Manager
Cookie Manager
π₯
SLIDE 63 facebook
google
google
facebook
Example: Web browser kernel
Kernel Tab3
Tab2
gmail
Tab1
Cookie Manager
Cookie Manager
π₯
(1) Tabs request resources (e.g. cookies)
SLIDE 64 facebook
google
google
facebook
Example: Web browser kernel
Kernel Tab3
Tab2
gmail
Tab1
Cookie Manager
Cookie Manager
π₯
(2) Kernel grants access subject to access controls (e.g. domain checks) (1) Tabs request resources (e.g. cookies)
SLIDE 65
Example: Web browser kernel
SLIDE 66
Example: Web browser kernel
Components = Tab | CookieMgr | ...
Types of components
SLIDE 67
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Types of messages
SLIDE 68
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers:
How the kernel responds to messages from components
SLIDE 69
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c):
When tab t sends the kernel a CookieSet message with payload c
SLIDE 70
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain)
Get existing cookie manager with domain of t or spawn a new one
SLIDE 71
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Send the cookie c to the found cookie manager
SLIDE 72
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
More handlers
SLIDE 73
Properties
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
SLIDE 74
Properties
Specify allowed behaviors
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
SLIDE 75
Properties
Specify allowed behaviors wrt sequence of system calls
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
SLIDE 76
Properties
Specify allowed behaviors wrt sequence of system calls
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ... When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
SLIDE 77
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
SLIDE 78
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
Time
SLIDE 79
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
β¦
Time
SLIDE 80
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
β¦
Time
SLIDE 81
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
[Tab t] sends CookieSet(c)
β¦
Time
SLIDE 82
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Time
β¦
SLIDE 83
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c))
Time
β¦
SLIDE 84
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c)) cp <- find CookieMgr(t.domain)
Time
β¦
SLIDE 85
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c))
Time
β¦
SLIDE 86
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c)) Spawn CookieMgr(t.domain)
Time
β¦
SLIDE 87
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c)) Spawn CookieMgr(t.domain) send(cp, CookieSet(c))
Time
β¦
SLIDE 88
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c)) Spawn CookieMgr(t.domain)
Time
β¦
SLIDE 89
Properties
When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Specify allowed behaviors wrt sequence of system calls
The system calls so far
Recv(Tab, CookieSet(c)) Spawn CookieMgr(t.domain) Send(cp, CookieSet(c))
Time
β¦
SLIDE 90
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ... When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c))
Example: Web browser kernel
SLIDE 91
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
SLIDE 92
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
Specify cookie integrity
SLIDE 93
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
SLIDE 94
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c,
For any domain d and cookie c
SLIDE 95
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Send(CookieMgr(d), CookieSet(c))]
The kernel sends the cookie manager for domain d a cookie c
SLIDE 96
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, Enables [Send(CookieMgr(d), CookieSet(c))]
Only if
SLIDE 97
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
The kernel already received a cookie c from a tab of domain d
SLIDE 98
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))] A Enables B
iff every sys call B is preceded by sys call A
SLIDE 99
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
SLIDE 100
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
SLIDE 101
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
REFLEX Benefits:
SLIDE 102
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
REFLEX Benefits: Proofs fully automated
SLIDE 103
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
REFLEX Benefits: Proofs fully automated No lemmas
SLIDE 104
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
REFLEX Benefits: Proofs fully automated No lemmas No invariants
SLIDE 105
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ... Handlers: When [Tab t] sends CookieSet(c): cp <- find CookieMgr(t.domain) send(cp, CookieSet(c)) When [Tab t] sends CookieGet(c): ...
Example: Web browser kernel
forall d c, [Recv(Tab(d), CookieSet(c))] Enables [Send(CookieMgr(d), CookieSet(c))]
REFLEX Benefits: Proofs fully automated No lemmas No invariants No manual proofs
SLIDE 106
Proof Automation
SLIDE 107
Proof Automation
Prove kernel code satisfies properties
SLIDE 108
Proof Automation
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
SLIDE 109
Proof Automation
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
SLIDE 110
Proof Automation
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
{
Handler
SLIDE 111
Proof Automation
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
{
Handler
{
Handler
SLIDE 112
Proof Automation
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
{
Handler
{
Handler
{
Handler
SLIDE 113
Proof Automation
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
{
Handler
{
Handler
{
Handler Handlers create structure for induction
SLIDE 114
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
Proof Automation
SLIDE 115
β
Induction hypothesis: property holds up to this point
Prove kernel code satisfies properties
by induction on sys call sequences kernel can produce
Proof Automation
SLIDE 116
β
{
Run a single handler
Prove kernel code satisfies properties
Induction hypothesis: property holds up to this point
by induction on sys call sequences kernel can produce
Proof Automation
SLIDE 117
β
{
Proof obligation: does property still hold?
?
Prove kernel code satisfies properties
Induction hypothesis: property holds up to this point
by induction on sys call sequences kernel can produce
Proof Automation
SLIDE 118
β
{?
Prove kernel code satisfies properties
Induction hypothesis: property holds up to this point Proof obligation: does property still hold?
by induction on sys call sequences kernel can produce
Proof Automation
Case analysis on handler
SLIDE 119
β
{?
Prove kernel code satisfies properties
Induction hypothesis: property holds up to this point Proof obligation: does property still hold?
by induction on sys call sequences kernel can produce
Proof Automation
Case analysis on handler Symbolically run all paths
SLIDE 120
β
{?
Case analysis on handler Symbolically run all paths Prove automatically
Prove kernel code satisfies properties
Induction hypothesis: property holds up to this point Proof obligation: does property still hold?
by induction on sys call sequences kernel can produce
Proof Automation
SLIDE 121
Proof Automation
SLIDE 122
Single domain insights:
Proof Automation
SLIDE 123
Single domain insights:
Small number of carefully designed property primitives
Proof Automation
SLIDE 124
Single domain insights:
Small number of carefully designed property primitives Loop free handlers allowed symbolic eval of all paths
Proof Automation
SLIDE 125
Single domain insights:
Small number of carefully designed property primitives Loop free handlers allowed symbolic eval of all paths Domain-specific heuristics for non-local reasoning
Proof Automation
SLIDE 126
Evaluation
SLIDE 127
Evaluation
Web browser SSH server Web server
SLIDE 128
Evaluation
Web browser SSH server Web server
Auto verified 33 properties (80% in < 2 minutes)
SLIDE 129
Evaluation
Web browser SSH server Web server Domains do not interfere, Cookie integrity, β¦ No PTY access before authentication, At most 3 authentication attempts, β¦ Clients only spawned after successful login, File requests guarded by access control, β¦
Auto verified 33 properties (80% in < 2 minutes)
SLIDE 130
Evaluation
Web browser SSH server Web server Domains do not interfere, Cookie integrity, β¦ No PTY access before authentication, At most 3 authentication attempts, β¦ Clients only spawned after successful login, File requests guarded by access control, β¦
Auto verified 33 properties (80% in < 2 minutes) Able to automate proofs of non- interference
SLIDE 131
Evaluation
Web browser SSH server Web server Domains do not interfere, Cookie integrity, β¦ No PTY access before authentication, At most 3 authentication attempts, β¦ Clients only spawned after successful login, File requests guarded by access control, β¦
Auto verified 33 properties (80% in < 2 minutes)
SLIDE 132
Evaluation
Web browser SSH server Web server Domains do not interfere, Cookie integrity, β¦ No PTY access before authentication, At most 3 authentication attempts, β¦ Clients only spawned after successful login, File requests guarded by access control, β¦
Auto verified 33 properties (80% in < 2 minutes) Able to automate proofs of non-local properties
SLIDE 133
Development Effort: Framework
SLIDE 134
Development Effort: Framework
Reflex :
7500 lines of Coq
SLIDE 135
Development Effort: Framework
Reflex :
7500 lines of Coq
Web browser SSH server Web server
SLIDE 136
Development Effort: Framework
Reflex :
7500 lines of Coq
Quark Web browser :
5500 lines of Coq
Web browser SSH server Web server
SLIDE 137
Development Effort: Framework
Reflex :
7500 lines of Coq
Quark Web browser :
5500 lines of Coq
Single reactive system
Web browser SSH server Web server
SLIDE 138
Development Effort: Framework
Reflex :
7500 lines of Coq
Quark Web browser :
5500 lines of Coq
Single reactive system Many reactive systems
Web browser SSH server Web server
SLIDE 139
Development Effort: Systems
SLIDE 140
Development Effort: Systems
Benchmark Language Lines of Code/Spec Browser REFLEX 81 37 C++, Python 970,240
- SSH server
REFLEX 64 22 C, Python 89,567
- Web server
REFLEX 56 29 Python 386
SLIDE 141
Development Effort: Systems
Benchmark Language Lines of Code/Spec Browser REFLEX 81 37 C++, Python 970,240
- SSH server
REFLEX 64 22 C, Python 89,567
- Web server
REFLEX 56 29 Python 386
- Webkit
SLIDE 142
Development Effort: Systems
Benchmark Language Lines of Code/Spec Browser REFLEX 81 37 C++, Python 970,240
- SSH server
REFLEX 64 22 C, Python 89,567
- Web server
REFLEX 56 29 Python 386
- Webkit
OpenSSH
SLIDE 143
Limitations
SLIDE 144
Limitations
Expressiveness: Incompleteness:
SLIDE 145
Limitations
Expressiveness:
Strict subset of temporal logic + non-interference
Incompleteness:
SLIDE 146
Limitations
Expressiveness:
Strict subset of temporal logic + non-interference Loop free handlers
Incompleteness:
SLIDE 147
Limitations
Expressiveness:
Strict subset of temporal logic + non-interference Loop free handlers No user-defined unbounded data structures
Incompleteness:
SLIDE 148
Limitations
Expressiveness:
Strict subset of temporal logic + non-interference Loop free handlers No user-defined unbounded data structures
Incompleteness:
Unable to infer some inductive invariants
SLIDE 149
Limitations
Expressiveness:
Strict subset of temporal logic + non-interference Loop free handlers No user-defined unbounded data structures
Incompleteness:
Unable to infer some inductive invariants Low level incompleteness in automation tactics
SLIDE 150
SSH Server Kernel in REFLEX
SLIDE 151
SSH Server Kernel in REFLEX
SLIDE 152
Web Browser Kernel in REFLEX
TODO: Browser/SSH video
SLIDE 153
Web Browser Kernel in REFLEX
TODO: Browser/SSH video
SLIDE 154
Conclusion
Automation Expressiveness
Proof assistant based verification
SLIDE 155
Conclusion
Automation Expressiveness Coq
Proof assistant based verification
SLIDE 156
Conclusion
Automation Expressiveness Ynot Coq
Proof assistant based verification
SLIDE 157
Conclusion
Automation Expressiveness Bedrock Ynot Coq
Proof assistant based verification
SLIDE 158
Conclusion
Automation Expressiveness Bedrock Ynot Coq Reflex
Proof assistant based verification
SLIDE 159
Conclusion
Reflex
SLIDE 160
Conclusion
Reflex
DSL expressive enough for entire domain
SLIDE 161
Conclusion
Reflex
DSL expressive enough for entire domain Automation eliminates manual proof burden
SLIDE 162
Conclusion
Reflex
DSL expressive enough for entire domain Automation eliminates manual proof burden http://goto.ucsd.edu/reflex/
SLIDE 163
Reflex
DSL expressive enough for entire domain Automation eliminates manual proof burden http://goto.ucsd.edu/reflex/