

SLIDE 1

Program Verification as a Toolbox

A Brief, Subjective History

David Cock, January 23, 2015

Outline: Is Your System Correct? / Verified Systems 2005–Now / Today's Verification Toolbox / What's Next?

1 / 32

SLIDE 2

Is Your System Correct?

Short answer — no.

SLIDE 4

The Bug Rate in Linux [1]

[Figure: fault rate (% of faulty notes) in Linux 2.6.5 to 2.6.30, 2004–2010; average and per subsystem: Staging, Drivers, Sound, Arch, FS, Net, Other]

It’s dropping, but there’s a long way to go.

[1] Source: Palix et al., Faults in Linux: Ten Years Later, ASPLOS'11

SLIDE 5

Bug Lifetime in Linux [2]

[Figure: cumulative number of faults fixed against years since introduction; curves for all faults, the 80% and 50% marks, and per subsystem: Staging, Drivers (with the 50% mark for drivers), Sound, Arch, FS, Net, Other]

  • Only 60% fixed within a year.
  • Asymptotic — some bugs live 5+ years!

[2] Source: Palix et al., Faults in Linux: Ten Years Later, ASPLOS'11

SLIDE 6

Why Now?

  • Less expertise is required than 10 years ago.
  • We've seen some real milestones:
      • seL4
      • CompCert
  • Tool support has matured dramatically.

SLIDE 7

A Timeline

[Timeline figure, 2003–2014, built up over slides 7–14: Verisoft, Verisoft XT, seL4, seL4 Applications, CompCert, SIMPL / C-SIMPL]

SLIDE 15

SIMPL/C

C is an awful language to reason about... but it's fast and universal.

    *(a++) = ++*a-- + (*(a++))++ * *--a;

  • We've now got a formal semantics for C [3].
  • As long as you don't write nonsense like this (the line above modifies the pointer a several times with no sequence point in between, which is undefined behaviour; a formal semantics can only flag it, not give it a value).

[3] Winwood et al., Mind the gap: A verification framework for low-level C, TPHOLs'09

SLIDE 20

A Timeline

[Timeline figure, 2003–2014, as built up over slides 20–21: Verisoft, Verisoft XT, seL4, seL4 Applications, CompCert, SIMPL / C-SIMPL, and a second CompCert entry]

SLIDE 22

seL4, VCC & CompCert

As of 2009, we've got:

  • A verified kernel: seL4.
  • A verified compiler: CompCert.
  • An automatic verifier for concurrent C: VCC.
  • seL4 compiles with CompCert...

but VCC can't (yet) verify seL4.

SLIDE 29

A Timeline

[Timeline figure, 2003–2014, as built up over slides 28–29: Verisoft, Verisoft XT, seL4, seL4 Applications, CompCert, SIMPL / C-SIMPL, CompCert, ASM Verification, AutoCorres]

SLIDE 30

AutoCorres [4] & Assembly Verification [5]

  • Brand new tools.
  • Highly automated.
  • AutoCorres
      • Abstract from pointers and fixed-length words.
      • Lift to a verification-friendly model.
  • ASM Verification
      • Alternative approach to CompCert.
      • Verify the output of gcc -O1 (-O2 coming).

[4] Greenaway et al., Don't Sweat the Small Stuff: Formal Verification of C Code Without the Pain, PLDI'14
[5] Sewell et al., Translation validation for a verified OS kernel, PLDI'13
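The "fixed-length words" point in the AutoCorres bullet is the one that most verification of real C code trips over, so here is an added C example. It is ours, not code from the talk or from the AutoCorres project, and the message layout, the struct and every function name in it are made up for illustration. It shows a bounds check that is valid over mathematical integers but wraps on size_t, beside the form that a word-level model accepts without an overflow side condition, and then uses the checked form to parse a length-prefixed field from a constructed byte string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the talk or from AutoCorres.  The struct,
 * the wire format and every function name here are made up to illustrate
 * one point: over unbounded integers the two bounds checks below agree,
 * over fixed-length machine words only the second one is correct. */

struct msg {
    const uint8_t *buf;
    size_t len;
};

/* Naive check.  On size_t the addition wraps: off = SIZE_MAX, len = 2 gives
 * off + len == 1, which is <= size, so an offset far past the buffer is
 * accepted.  A proof over mathematical integers would call this correct; a
 * word-level model leaves an unprovable "no overflow" side condition. */
bool in_bounds_wrapping(size_t off, size_t len, size_t size)
{
    return off + len <= size;
}

/* Same predicate with no intermediate result that can wrap: off must lie
 * inside the buffer, and len must fit in what remains.  size - off cannot
 * underflow because the first conjunct guarantees off <= size. */
bool in_bounds_checked(size_t off, size_t len, size_t size)
{
    return off <= size && len <= size - off;
}

/* Parse a field at off: 2-byte big-endian body length, then the body.
 * Copies at most cap body bytes into out and returns the body length, or
 * -1 if either the header or the body runs past the end of the message. */
long read_field(const struct msg *m, size_t off, uint8_t *out, size_t cap)
{
    if (!in_bounds_checked(off, 2, m->len))
        return -1;
    size_t body_len = ((size_t)m->buf[off] << 8) | m->buf[off + 1];
    /* off + 2 <= m->len holds here, so this addition cannot wrap either. */
    if (!in_bounds_checked(off + 2, body_len, m->len))
        return -1;
    size_t n = body_len < cap ? body_len : cap;
    for (size_t i = 0; i < n; i++)
        out[i] = m->buf[off + 2 + i];
    return (long)body_len;
}

/* Constructed sample message: a 3-byte field "abc", then a truncated field
 * whose header claims 0xFFFF bytes but is followed by a single byte. */
static const uint8_t sample_wire[] = { 0x00, 0x03, 'a', 'b', 'c', 0xFF, 0xFF, 'x' };
static const struct msg sample_msg = { sample_wire, sizeof sample_wire };

/* Body length of the field at off in the sample, or -1 if it does not fit. */
long sample_field_len(size_t off)
{
    uint8_t scratch[16];
    return read_field(&sample_msg, off, scratch, sizeof scratch);
}

int main(void)
{
    printf("wrapping check, off=SIZE_MAX len=2 size=16: %d (wrongly accepted)\n",
           (int)in_bounds_wrapping(SIZE_MAX, 2, 16));
    printf("checked check,  off=SIZE_MAX len=2 size=16: %d (rejected)\n",
           (int)in_bounds_checked(SIZE_MAX, 2, 16));
    printf("field at 0: %ld\n", sample_field_len(0));   /* 3 */
    printf("field at 5: %ld\n", sample_field_len(5));   /* -1 */
    return 0;
}
```

The wrapping check accepts off = SIZE_MAX with len = 2 against a 16-byte buffer, i.e. it lets an offset past the end of the buffer through; the checked form rejects it, and rejects the truncated 0xFFFF field in the sample for the same reason. The rewrite is exactly what a verifier that lifts C to a model with overflow side conditions forces on you: the condition "off + len does not wrap" is not provable without a hypothesis relating off and len to size, whereas in the checked form every subtraction is guarded by the comparison before it.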

SLIDE 31

Putting It Into Practice

  • Tools
      • Still not seamless.
      • Interoperability and re-use.
      • Formal concerns (different logics).
  • Education
      • Introduce programmers to the formal mindset.
  • Applications
      • Trusted partitioning (Virtualisation, SDN, ...).
      • Trusted computing.
      • Safety-critical systems.

SLIDE 32

Questions?
