lecture 23 verified systems
play

Lecture 23 Verified Systems Software Infrastructure is Shaky - PowerPoint PPT Presentation

Jul 06, 2023 •135 likes •538 views

Software Infrastructure Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky Software Infrastructure is Shaky When exhaustive testing is impossible, our trust can only be based on proof. Edsger W.

  1. Software Infrastructure Lecture 23 Verified Systems Software Infrastructure is Shaky Software Infrastructure is Shaky

  2. Software Infrastructure is Shaky When exhaustive testing is impossible, our trust can only be based on proof. Edsger W. Dijkstra prog Under the Spell of Leibniz's Dream error ⇒ ∞ proofs won’t happen patch ... not just a dream ! Proof Assistant Based Verification Proof Assistant Based Verification Verified Compiler: CompCert [ Leroy POPL 06 ] Code in language suited for reasoning Compiler Bugs Found GCC 122 Develop correctness proof in synch LLVM 181 CompCert ? [ Yang et al. PLDI 11 ] Fully formal, machine checkable proof

  3. Proof Assistant Based Verification Proof Assistant Based Verification Verified Compiler: CompCert Verified Compiler: CompCert [ Leroy POPL 06 ] [ Leroy POPL 06 ] Compiler Bugs Found Compiler Bugs Found GCC 122 GCC 122 no prog LLVM 181 LLVM 181 Proof ⇒ errors CompCert 0 CompCert 0 [ Yang et al. PLDI 11 ] [ Yang et al. PLDI 11 ] [ Vu et al. PLDI 14 ] Verified OS kernel: seL4 [ Klein et al. SOSP 09 ] Verified OS kernel: seL4 [ Klein et al. SOSP 09 ] realistic implementation guaranteed bug free realistic implementation guaranteed bug free Promise Today Promise Proof Proof ⇒ ⇒ ⇒ no prog no prog prog patch error errors errors

  4. Today Promise Today Promise Proof Proof Proof Proof Burden Burden ⇒ ⇒ ⇒ ⇒ no prog no prog prog prog patch patch error error errors errors The Burden of Proof Mitigating the Burden of Proof 1. Initial proofs require heroic effort 1: Scaling proofs to critical infrastructure CompCert: 70% proof, vast majority of effort Formal shim verification for large apps seL4: 200,000 line proof for 9,000 lines of C Q UARK : browser with security guarantees 2. Code updates require re-proving 2: Evolving formally verified systems CompCert: adding opts [ Tristan POPL 08, PLDI 09, POPL 10 ] seL4: changing RPC took 17% of proof effort Reflex DSL exploits domain for proof auto

  5. Fully Formal Verification Fully Formal Verification Coq Theorem Prover Proof Assistant Fully Formal Verification Fully Formal Verification Code Code Proof Proof Assistant Assistant in language suited to Spec reasoning logical properties characterizing correctness

  6. Fully Formal Verification Fully Formal Verification Code Code Proof Proof ML x86 Assistant Assistant Spec Spec compile down to interactively show machine code code satisfies specification Grad Grad Fully Formal Verification Fully Formal Verification Code Proof ML x86 Assistant Spec Extremely strong guarantees about actual system! Grad

  7. Fully Formal Verification Fully Formal Verification program in a purely functional language specification characterizes desired behavior Fully Formal Verification Fully Formal Verification claim program satisfies spec construct proof interactively

  8. Fully Formal Verification Fully Formal Verification browsers don’t look like factorial Scrap existing code, rewrite browsers don’t have simple specs Invest decades of person-years Intractable for large-scale apps even easy proofs grow quickly and become opaque Formally Verify a Browser?! Formally Verify a Browser?! Millions of LOC W e b B r o w s e r

  9. Formally Verify a Browser?! Formally Verify a Browser?! Resources Millions of LOC Millions of LOC High performance High performance JavaScript JavaScript Loose access policy J P E G J P E G HTML HTML Formally Verify a Browser?! Formally Verify a Browser?! Resources Resources Millions of LOC Isolate sandbox untrusted code High performance JavaScript JavaScript Loose access policy J P E G J P E G Constant evolution HTML HTML

  10. Formally Verify a Browser?! Formally Verify a Browser?! Resources Resources Isolate Isolate sandbox untrusted code sandbox untrusted code ✔ Shim Shim Implement shim Implement shim JavaScript JavaScript guards resource access guards resource access J P E G J P E G Verify shim prove security policy HTML HTML Formal Shim Verification Formal Shim Verification Resources Resources Isolate Isolate Implement shim ✔ sandbox untrusted code ✔ Shim Shim Verify shim Implement shim Sandbox Applies when: JavaScript JavaScript guards resource access 1. sys fits architecture U n t r u s t e d J P E G J P E G Verify shim 2. policy over resources C o d e prove security policy browser, httpd, sshd, ... HTML HTML

  11. Formal Shim Verification Mitigating the Burden of Proof Resources 1: Scaling proofs to critical infrastructure Key Insight: Focus Effort Isolate ✔ Implement shim Formal shim verification for large apps Shim Guarantee sec props for entire system Verify shim Q UARK : browser with security guarantees Sandbox Only implement and prove small shim JavaScript Applies when: 2: Evolving formally verified systems 1. sys decomposable Radically ease verification burden U n t r u s t e d J P E G 2. policy over resources Reflex DSL exploits domain for proof auto C o d e Prove actual code correct HTML browser, httpd, sshd, ... Mitigating the Burden of Proof Browsers: Critical Infrastructure 1: Scaling proofs to critical infrastructure Formal shim verification for large apps Q UARK : browser with security guarantees 2: Evolving formally verified systems Reflex DSL exploits domain for proof auto

  12. Browsers: Vulnerable Quark: Verified Browser Defenses / Policies: Resources [ Jang et al. W2SP ] [ Stamm et al. WWW ] ✔ [ Jackson et al. W2SP ] Shim [ Barth et al. CCS ] [ Singh et al. OAKLAND ] Sandbox.. ... Untrusted Complex + Code Implementation Bugs Quark: Verified Browser Quark: Verified Browser Resources Resources Net network persistent storage ✔ ✔ Shim Shim user interface Sandbox.. Sandbox.. Untrusted Untrusted Code Code

  13. Quark: Verified Browser Quark: Verified Browser Resources Resources Shim Net Net Quark browser kernel ✔ Quark Kernel ✔ ✔ Shim code, spec, proof in Coq Sandbox.. Sandbox.. Untrusted Untrusted Code Code Quark: Verified Browser Quark: Verified Browser Resources Resources Shim Shim Net Net Untrusted Code Quark Kernel ✔ ✔ Quark Kernel ✔ ✔ browser components run as separate procs Sandbox.. Sandbox.. strictly sandboxed Untrusted Untrusted Code Code

  14. Quark: Verified Browser Quark: Verified Browser Resources Resources Shim Shim Net Net Untrusted Code Untrusted Code Quark Kernel ✔ ✔ Quark Kernel ✔ ✔ browser components two component types run as separate procs Sandbox.. Sandbox.. strictly sandboxed Untrusted Untrusted Code Code talk to kernel over pipe Quark: Verified Browser Quark: Verified Browser Resources Resources Shim Shim Net Net Untrusted Code Untrusted Code Quark Kernel ✔ ✔ Quark Kernel ✔ ✔ two component types two component types WebKit WebKit modified WebKit, Tab Tab intercept accesses

  15. Quark: Verified Browser Quark: Verified Browser Resources Resources Shim Shim Net Net Untrusted Code Untrusted Code Quark Kernel ✔ ✔ Quark Kernel ✔ ✔ two component types two component types WebKit tabs written in Python, WebKit cookie managers Cookie WebKit Cookie manages single domain Tab Manager Tab Manager Quark: Verified Browser Quark: Verified Browser Resources Shim Net Net Untrusted Code Quark Kernel ✔ ✔ Quark Kernel ✔ ✔ two component types WebKit tabs cookie managers WebKit Cookie WebKit Cookie WebKit Cookie WebKit Cookie WebKit WebKit Tab Manager Tab Manager Tab Manager Tab Manager Tab Tab several instances each

  16. Quark: Verified Browser Quark Kernel Quark Kernel ✔ Quark Kernel ✔ Quark Kernel: Code, Spec, Proof Quark Kernel: Code , Spec, Proof Quark Kernel ✔ Quark Kernel ✔

  17. Quark Kernel: Code , Spec, Proof Quark Kernel: Code , Spec, Proof Definition kstep ... Quark Kernel: Code , Spec, Proof Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := Definition kstep(focused_tab, tabs) := ... f <- select(stdin, tabs); ... kernel state Unix-style select to find a component pipe ready to read

  18. Quark Kernel: Code , Spec, Proof Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); f <- select(stdin, tabs); match f with match f with case: f is user input | Stdin => | Stdin => ... cmd <- read_cmd(stdin); | Tab t => ... case: f is tab pipe ... read command from user over stdin | Tab t => ... Quark Kernel: Code , Spec, Proof Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); f <- select(stdin, tabs); match f with match f with | Stdin => | Stdin => cmd <- read_cmd(stdin); cmd <- read_cmd(stdin); match cmd with match cmd with | AddTab => | AddTab => ... t <- mk_tab(); ... user wants to create create a new tab and focus a new tab | ... | ... | Tab t => | Tab t => ... ...

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j

Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j

Differential Refinement Logic Sarah M. Loos and Andr Platzer Computer Science Department Carnegie Mellon University 1 Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j p x k x i

1.97k views • 179 slides
ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical Systems Stefan Mitsch Computer Science Department, Carnegie Mellon University CPS V&amp;V I&amp;F Workshop 2017 May 12, 2017 joint work with Andr e

537 views • 31 slides
Systems Engineering Presentation 2 1. Requirements to be verified at the Fall Validation

Systems Engineering Presentation 2 1. Requirements to be verified at the Fall Validation

Systems Engineering Presentation 2 1. Requirements to be verified at the Fall Validation Experiment 2. Significant changes to the architectures 3. Work Breakdown Structure 4. Critical path on your schedule 5. Top 3 risks and planned mitigation

567 views • 19 slides
What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I What Use Is Verified Software? 1 Software and Systems The world at large cares little for verified

734 views • 14 slides
Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan Crolard 1 ICAR15 8-9 October 2015 Joint work with: 1 Pierre Courtieu, 1 , 2 Maria-Virginia Aponte, Julia Lawall 3 1. CNAM / Cedric / CPR team 2.

980 views • 71 slides
Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified trustworthy software systems April 2016 data61.csiro.au Formal verification of real systems is happening! Formal verification of real systems

981 views • 75 slides
Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon University September 13, 2016 Dagstuhl, Germany Robustness A system is robust if it operates correctly despite: Disturbances in actuation

516 views • 28 slides
Showing a CakeML program is safe CakeML A verified implementation of ML Formally

Showing a CakeML program is safe CakeML A verified implementation of ML Formally

First steps towards a semantic type system for CakeML Hrutvik Kanabar 1 January 23, 2020 University of Kent 1 Supervised by Scott Owens. Supported by the UK Research Institute in Verified Trustworthy Software Systems (VeTSS). Showing a CakeML

425 views • 28 slides
` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure

` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure

Programming Language Abstractions for Modularly Verified Distributed Systems { P } c { Q } ` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure Distributed Applications Verified Distributed Systems

794 views • 64 slides
Verified Switched Control System Design using Real- Time Hybrid Systems Reachability Stanley

Verified Switched Control System Design using Real- Time Hybrid Systems Reachability Stanley

Verified Switched Control System Design using Real- Time Hybrid Systems Reachability Stanley Bak, Taylor Johnson, Marco Caccamo, Lui Sha Air Force Research Lab Information Directorate Rome, NY DISTRIBUTION A. Approved for public

778 views • 40 slides
CFSCQ: Extending a verified file system with concurrency Tej Chajed advised by Frans Kaashoek

CFSCQ: Extending a verified file system with concurrency Tej Chajed advised by Frans Kaashoek

SRC #14 CFSCQ: Extending a verified file system with concurrency Tej Chajed advised by Frans Kaashoek and Nickolai Zeldovich 1 Goal: verify a concurrent file system Existing verified file systems are sequential e.g. , FSCQ,

404 views • 12 slides
Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus

Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus

From the office of Texas Conference of SDA Human Resources ___________________________________ Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus She will be working with every church and

279 views • 5 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&amp;A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University CPS V&amp;V I&amp;F Workshop, Dec. 12, 2014 For Details, see ModelPlex paper at

504 views • 27 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Linear Temporal Logic for Hyperproperties (HyperLTL) Course: Specification and Verification of

Linear Temporal Logic for Hyperproperties (HyperLTL) Course: Specification and Verification of

Linear Temporal Logic for Hyperproperties (HyperLTL) Course: Specification and Verification of Parallel Systems 29 November 2019 Presented by: Elahe Fazeldehkordi 1 Hyperproperties Trace: a sequence of states System: is modeled by

546 views • 13 slides
formal software design with alloy and electrum temporal logic Universidade do Minho &amp; INESC

formal software design with alloy and electrum temporal logic Universidade do Minho &amp; INESC

Julien Brunel, David Chemouil, Alcino Cunha, Eunsuk Kang, Nuno Macedo formal software design with alloy and electrum temporal logic Universidade do Minho &amp; INESC TEC ONERA DTIS &amp; Universit fdrale de Toulouse Carnegie Mellon

740 views • 50 slides
CSGK Virtual Town Hall Meetings Wednesday, July 15 th , 7 pm: St. Augustine Cathedral School

CSGK Virtual Town Hall Meetings Wednesday, July 15 th , 7 pm: St. Augustine Cathedral School

CSGK Virtual Town Hall Meetings Wednesday, July 15 th , 7 pm: St. Augustine Cathedral School Thursday, July 16 th , 7 pm: St. Monica Catholic School Monday, July 20 th , 7 pm. Hackett Catholic Prep Opening Prayer Written by Fr. Ken Schmidt Lord,

408 views • 25 slides
DCPG TOWN HALL: AN OPPORTUNITY TO PROVIDE FEEDBACK AND DISCUSSION Housekeeping All

DCPG TOWN HALL: AN OPPORTUNITY TO PROVIDE FEEDBACK AND DISCUSSION Housekeeping All

DCPG TOWN HALL: AN OPPORTUNITY TO PROVIDE FEEDBACK AND DISCUSSION Housekeeping All participants are muted Options for participation: Chat feature Raise hand Monitoring for disruptions and recording this meeting Talking

291 views • 4 slides
Reputation Systems Reputation systems: quantify the trust between different users. Application:

Reputation Systems Reputation systems: quantify the trust between different users. Application:

Formal Verification of e-Reputation Protocols 1 Ali Kassem 2 , Pascal Lafourcade 1 , Yassine Lakhnech 2 1 University dAuvergne, LIMOS 2 Universit Grenoble Alpes, CNRS, VERIMAG The 7th International Symposium on Foundations &amp; Practice of

583 views • 33 slides
Reproducibility Tool for Digital Systems Joint work with Lennon Chaves, Iury Bessa, and Daniel

Reproducibility Tool for Digital Systems Joint work with Lennon Chaves, Iury Bessa, and Daniel

21st ACM International Conference on Hybrid Systems: Computation and Control (HSCC18) DSValidator: An Automated Counterexample Reproducibility Tool for Digital Systems Joint work with Lennon Chaves, Iury Bessa, and Daniel Kroening Lucas Cordeiro

643 views • 50 slides
02291: System Integration Acceptance Tests Hubert Baumeister huba@dtu.dk DTU Compute Technical

02291: System Integration Acceptance Tests Hubert Baumeister huba@dtu.dk DTU Compute Technical

02291: System Integration Acceptance Tests Hubert Baumeister huba@dtu.dk DTU Compute Technical University of Denmark Spring 2020 Types of Tests Supports Programming Critique Project Explorative Testing Business Facing Acceptance Tests

646 views • 19 slides
State of US Aerospace the Industry and Northrop Grumman Heritage August 16, 2019 Approved for

State of US Aerospace the Industry and Northrop Grumman Heritage August 16, 2019 Approved for

The Aerospace &amp; Defense Forum Los Angeles Chapter August 16, 2019 State of US Aerospace the Industry and Northrop Grumman Heritage August 16, 2019 Approved for Limited Public Distribution # 18-1289 1 Presentation The State of

449 views • 11 slides

More recommend