How Trustworthy Can Systems Become? Vincent Rahli - - PowerPoint PPT Presentation



SLIDE 1

How Trustworthy Can Systems Become?

Vincent Rahli http://www.nuprl.org http://www.cs.cornell.edu/~rahli/ January 28, 2015

Vincent Rahli How Trustworthy Can Systems Become? January 28, 2015 1/62

SLIDE 2

My collaborators

PRL group: Abhishek Anand, Mark Bickford, Robert L. Constable, Richard Eaton, Vincent Rahli
ATC-NY: David Guaspari, Matt Stillerman
System group: Robbert van Renesse, Nicolas Schiper

SLIDE 3

Distributed systems are ubiquitous

SLIDE 4

Distributed systems are ubiquitous

SLIDE 5

Correctness

What evidence do we have that these systems are correct?

SLIDE 6

Correctness

What evidence do we have that these systems are correct?

- Type checking
- Testing

SLIDE 7

Correctness

What evidence do we have that these systems are correct?

- Type checking
- Testing
- Model checking

SLIDE 8

Correctness

What evidence do we have that these systems are correct?

- Type checking
- Testing
- Model checking
- Theorem proving

SLIDE 9

Correctness

(Diagram: Specification, Program)

SLIDE 10

Correctness

(Diagram: Specification, Verification, Program)

SLIDE 11

Correctness — Constructive Type Theory

(Diagram: Specification, Verification, Program; proofs as programs)

SLIDE 12

Correctness — Constructive Type Theory

What does it mean?

    Lemma comm : forall A B : Type, (A * B) -> (B * A).
    Proof.
      refine (fun A B p => match p with
                           | (a, b) => (b, a)
                           end).
    Qed.

Proofs are programs and vice-versa
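
The slide's lemma read both ways, as an added example in Coq that is not from the talk: the same swap written first as an ordinary program, then used as the proof, then run and extracted. The names `swap` and `comm'` are mine, and `Require Extraction` assumes Coq 8.7 or later.

```coq
(* Added example: the Curry-Howard reading of the slide's lemma.
   The names swap and comm' are mine, not the talk's. *)

(* The proposition (A * B) -> (B * A), read as a type, is inhabited by a
   plain swap function. *)
Definition swap (A B : Type) (p : A * B) : B * A :=
  match p with
  | (a, b) => (b, a)
  end.

(* The program is a proof: `exact swap` closes the goal. *)
Lemma comm' : forall A B : Type, (A * B) -> (B * A).
Proof.
  exact swap.
Defined.
(* `Defined` rather than `Qed` keeps the proof term transparent, so the
   lemma can be computed with; `Qed` would make it opaque to `compute`. *)

(* The proof is a program: inspect its term and run it on a concrete pair. *)
Print comm'.
Eval compute in comm' nat bool (1, true).

(* Extract the executable content; the type arguments are erased. *)
Require Extraction.
Extraction comm'.
```

Step through it in coqtop or CoqIDE: `Print` shows that the proof term is the swap function, `Eval compute` runs the lemma as a function on a pair, and `Extraction` prints the corresponding OCaml function. The one practical point is the closing command: a lemma ended with `Qed` is opaque, so `Eval compute` would leave `comm'` unreduced, whereas `Defined` keeps the term transparent.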

SLIDE 13

Proof assistants The technology is mature

- ACL2: Motorola, AMD, IBM, Centaur, Rockwell Collins, ...
- Coq: Java Card, CompCert, Four Colour Theorem, Odd Order Theorem, ...
- HOL: hardware verification, CakeML, Kepler conjecture, ...
- Nuprl: Ensemble, Paxos, Higman’s Lemma, ...
- PVS: flight control systems, ...

Agda, Idris, Twelf, Matita, Mizar, . . .

SLIDE 14

Projects

What evidence do we have that these distributed systems are correct?

What evidence do we have that our proofs are correct?

SLIDE 15

Projects

What evidence do we have that these distributed systems are correct? Platform to develop and reason about distributed systems.

What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.

SLIDE 16

Distributed Systems

Distributed systems are hard to specify, implement and verify.

- We need to tolerate failures.
- It is hard to test all possible scenarios.
- State space explosion when model checking.
- Model checking is often done on abstractions of the code rather than on the code itself.

SLIDE 17

Distributed Systems

We use Nuprl as a specification, programming and verification language.

- Programming interface: a constructive specification language called EventML
- Verification methodology

SLIDE 18

Distributed Systems

- A logic of events implemented in Nuprl.
- Specified, verified, and generated consensus protocols (e.g., Paxos) using EventML.
- Aneris: a totally ordered broadcast service.
- ShadowDB: a replicated database with 2 parametrizable replication protocols (PBR & SMR) built on top of Aneris.
- Improved performance without introducing bugs.
- We get decent performance.

SLIDE 19

Distributed Systems — Big picture

SLIDE 20

Distributed Systems — Message sequence diagram

See: Paxos Made Moderately Complex

SLIDE 21

Distributed Systems — Combinators

SLIDE 22

Distributed Systems — Combinators

SLIDE 23

Distributed Systems — EventML

EventML for Paxos Synod:

    ...
    agent Leader =
        SpawnFirstScout
        || ((LeaderPropose || LeaderAdopted) >>= Commander)
        || (LeaderPreempted >>= Scout) ;;

    main Leader @ ldrs || Acceptor @ accpts

SLIDE 24

Distributed Systems — Verification

We use causal induction + inductive logical forms (ILFs) + state machine invariants

SLIDE 25

Distributed Systems — Verification

We use causal induction + inductive logical forms (ILFs) + state machine invariants

SLIDE 26

Distributed Systems — Code generation

Efficiency?

- January 2012: 2 seconds per transaction
- Faster process combinators
- June 2012: 500 milliseconds per transaction
- Optimization/compilation to Lisp
- End of 2012: 60 milliseconds per transaction (interpreted), 9 milliseconds per transaction (compiled)

SLIDE 27

Distributed Systems — What next?

SLIDE 28

Correctness

What evidence do we have that these distributed systems are correct?

What evidence do we have that our proofs are correct?

SLIDE 29

Correctness

What evidence do we have that these distributed systems are correct? Platform to develop and reason about distributed systems.

What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.

SLIDE 30

Nuprl in Coq — Our initial motivation

We build theorem provers to prove programs’ correctness

SLIDE 31

Nuprl in Coq — Our initial motivation

We build theorem provers to prove programs’ correctness ... but rarely use them to prove their own correctness

SLIDE 32

Nuprl in Coq — Our initial motivation

How do we know that our systems are sound? How do we safely extend them?

- Proofs mostly carried out on paper
- Not carried out in full detail
- Spread over several papers/PhD theses
- Precise metatheory, precise account of Nuprl

SLIDE 33

Nuprl in Coq — Our initial motivation

Agda & Coq
- 2013/2014: bug in the termination checker

Nuprl
- Invalid rules after modifying the theory

SLIDE 34

Nuprl in Coq — Our initial motivation

Agda & Coq
- 2013/2014: bug in the termination checker

Nuprl
- Invalid rules after modifying the theory

How can we be sure that these rules are valid? Nuprl’s PER semantics (types are defined as partial equivalence relations on terms — extensional) in Coq and Agda.

SLIDE 35

Nuprl in Coq — Mechanization and Experimentation!

Mechanization
- Less error prone
- Easier to propagate changes
- Positive feedback loop
- Additive

Experimentation
- Adding new computations
- Adding new types
- Exploring type theory
- Changing the theory

SLIDE 36

Nuprl in Coq — What do we cover?

Stuart Allen had his own meta-theory that was meant to be meaningful on its own and need not be framed in type theory. We chose to use Coq and Agda.

SLIDE 37

Nuprl in Coq — Nuprl Stack

SLIDE 38

Nuprl in Coq — Nuprl Environment

- Distributed
- Runs in the cloud
- Structure editor
- Tactic language: Classic ML
- Shared library

SLIDE 39

Nuprl in Coq — Nuprl Types

Based on Martin-Löf’s extensional type theory.

- Equality: a = b ∈ T
- Dependent function: a:A → B[a]
- Dependent product: a:A × B[a]
- Universe: Ui

SLIDE 40

Nuprl in Coq — Nuprl Types

Less “conventional” types:

- Partial: A
- Disjoint union: A + B
- Intersection: ∩a:A.B[a]
- Union: ∪a:A.B[a]
- Subset: {a : A | B[a]}
- Quotient: T//E
- Domain: Base
- Simulation: the simulation relation between t1 and t2
- Bisimulation: t1 ∼ t2
- Image: Img(A, f)
- PER: per(R)

SLIDE 41

Nuprl in Coq — Nuprl Types

A rich type language facilitates specification, but makes type-checking harder.

SLIDE 42

Nuprl in Coq — Trusted core

Nuprl’s proof engine is called a refiner. A generic goal-directed reasoner:

- a rule interpreter
- a proof manager

SLIDE 43

Nuprl in Coq — Trusted core

Nuprl’s proof engine is called a refiner. A generic goal-directed reasoner:

- a rule interpreter
- a proof manager

Parameterized by a collection of rules:

- We proved that Nuprl’s rules are valid
- We are building a verified refiner

SLIDE 44

Nuprl in Coq — What we’ve implemented in Coq


SLIDE 45

Nuprl in Coq — An untyped λ-calculus

- Parameterized by a library of definitions
- Nominal features
- Lazy exceptions
- Provides a generic framework for defining and reasoning about programming languages using a “nominal” style

SLIDE 46

Nuprl in Coq — What we’ve implemented in Coq


SLIDE 47

Nuprl in Coq — Howe’s computational equality

- A simulation relation between terms
- A bisimulation relation ∼, defined as simulation in both directions: a ∼ b holds exactly when the simulation relation holds from a to b and from b to a

SLIDE 48

Nuprl in Coq — Howe’s computational equality

- A simulation relation between terms
- A bisimulation relation ∼, defined as simulation in both directions: a ∼ b holds exactly when the simulation relation holds from a to b and from b to a
- Purely by computation: map(f, map(g, l)) ∼ map(f ∘ g, l)
- Used for program optimization

SLIDE 49

Nuprl in Coq — Howe’s computational equality

- A simulation relation between terms
- A bisimulation relation ∼, defined as simulation in both directions: a ∼ b holds exactly when the simulation relation holds from a to b and from b to a
- Purely by computation: map(f, map(g, l)) ∼ map(f ∘ g, l)
- Used for program optimization
- Both the simulation relation and ∼ are congruences
- This restricts the computation system
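
The map-fusion law is stated on the slide for Howe's bisimulation ∼ and is established there purely by computation on untyped terms. As an added example, not the speaker's code, here is the same law for the Coq standard library's `map`, proved the conventional way by induction on the list, and then used to rewrite a two-pass function into a one-pass one. The lemma and definition names are mine.

```coq
(* Added example: the map-fusion optimization from the slide, proved in Coq
   for the standard-library `map`. The proof is by induction on the list,
   not by Howe's computational method. Names are mine. *)
Require Import List.
Import ListNotations.

Lemma map_fusion {A B C : Type} (f : B -> C) (g : A -> B) (l : list A) :
  map f (map g l) = map (fun x => f (g x)) l.
Proof.
  induction l as [| x xs IH].
  - (* empty list: both sides compute to [] *)
    reflexivity.
  - (* cons: the heads agree by computation, the tails by the hypothesis *)
    simpl. rewrite IH. reflexivity.
Qed.

(* Using the law as a rewrite: two traversals of the list become one. *)
Definition two_passes (l : list nat) : list nat :=
  map (fun x => x + 1) (map (fun x => x * 2) l).

Definition one_pass (l : list nat) : list nat :=
  map (fun x => x * 2 + 1) l.

Lemma two_passes_one_pass : forall l, two_passes l = one_pass l.
Proof.
  intro l. unfold two_passes, one_pass.
  rewrite map_fusion.
  (* the remaining difference is a beta-redex, closed by conversion *)
  reflexivity.
Qed.
```

The difference from the slide is what the equality means: Coq's `=` here is Leibniz equality between typed list values, whereas the slide's ∼ is an untyped relation on terms that holds even for programs that have no type. Both justify the same optimization.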

SLIDE 50

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x).

SLIDE 51

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x).

- Least element: ⊥ is below every term t.

SLIDE 52

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x).

- Least element: ⊥ is below every term t.
- Least upper bound principle: G(fix(f)) is the lub of the chain G(f^n(⊥)) for n ∈ N.

SLIDE 53

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x).

- Least element: ⊥ is below every term t.
- Least upper bound principle: G(fix(f)) is the lub of the chain G(f^n(⊥)) for n ∈ N.
- Compactness: if G(fix(f)) converges, then there exists a natural number n such that G(f^n(⊥)) converges.
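
As an added example that is not from the talk, the three principles above can be exercised on a finite model in Coq: divergence is represented by `None` and convergence by `Some`, `bot` plays ⊥, `F` is one unfolding of a recursive definition of the identity on naturals, and `approx k` is the k-th element of the chain f^n(⊥). For the observation G h := h n, compactness becomes a concrete lemma whose witness is n + 1. All names are mine, and this models the principles rather than Nuprl's actual computation system.

```coq
(* Added example: a finite model of the approximation chain f^n(bot).
   Divergence is modelled by None, convergence by Some. Names are mine. *)

(* bot = fix(fun x => x): diverges on every input *)
Definition bot : nat -> option nat := fun _ => None.

(* One unfolding of a recursive definition of the identity on nat:
   F rec n = if n = 0 then 0 else rec (n - 1) + 1 *)
Definition F (rec : nat -> option nat) : nat -> option nat :=
  fun n =>
    match n with
    | 0 => Some 0
    | S m => match rec m with
             | Some v => Some (S v)
             | None => None
             end
    end.

(* The chain F^k(bot): the k-th element answers only inputs below k. *)
Fixpoint approx (k : nat) : nat -> option nat :=
  match k with
  | 0 => bot
  | S k' => F (approx k')
  end.

Example approx_too_short : approx 5 5 = None.
Proof. reflexivity. Qed.

Example approx_long_enough : approx 6 5 = Some 5.
Proof. reflexivity. Qed.

(* The least upper bound of the chain is the total identity, a fixpoint of F. *)
Definition fix_F : nat -> option nat := fun n => Some n.

Lemma fix_F_unfold : forall n, F fix_F n = fix_F n.
Proof. destruct n; reflexivity. Qed.

(* Compactness for the observation G h := h n: G fix_F converges, and the
   witnessing index in the chain is n + 1. *)
Lemma compactness_at : forall n, approx (S n) n = Some n.
Proof.
  induction n as [| n IH].
  - reflexivity.
  - transitivity (match approx (S n) n with
                  | Some v => Some (S v)
                  | None => None
                  end).
    + reflexivity.   (* one unfolding of approx and of F, by conversion *)
    + rewrite IH. reflexivity.
Qed.
```

The two `Example`s show the chain behaving as the slide describes: the element `approx 5` still diverges on input 5, while `approx 6` converges on it, and `compactness_at` generalizes this to every input. The model is finite and first-order on purpose; the slide's principles hold for arbitrary closed terms of the untyped computation system, which is what the Coq formalization of Nuprl has to handle.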

SLIDE 54

Nuprl in Coq — What we’ve implemented in Coq


SLIDE 55

Nuprl in Coq — Universes

A theory of types was introduced by Russell (1903) to avoid paradoxes in set theory: R = {r | r ∉ r}.

Types were organized in a hierarchy of universes of types to avoid Girard’s paradox: Type ∈ Type. We have:

- N ∈ Type(i + 1)
- Type(i) ∈ Type(i + 1)
- (∀T : Type(i). P[T]) ∈ Type(i + 1)

SLIDE 56

Nuprl in Coq — Allen’s PER semantics

SLIDE 57

Nuprl in Coq — Allen’s PER semantics

Interesting fact: n:N → U(n) is a Nuprl type

SLIDE 58

Nuprl in Coq — Allen’s PER semantics

Interesting fact: n:N → U(n) is a Nuprl type . . . but it’s not in any universe

SLIDE 59

Nuprl in Coq — What we’ve implemented in Coq


SLIDE 60

Nuprl in Coq — Inference rules

The more (verified) rules the better:

- Expose more of the metatheory
- Encode mathematical knowledge

We have verified over 70 rules.

Gives us the basis for a formally verified Nuprl.

SLIDE 61

Nuprl in Coq — What now?

- Support for a library of definitions
- Experimenting with new types (e.g., PER types)
- Mendler’s recursive types?
- Experimenting with new computations
- Nominal type theory
- Continuity
- Bar induction

SLIDE 62

Nuprl in Coq — What next?

- Write a parser
- Build a verified refiner
- Type checker/type inferencer?
- Build a proof assistant
