From C to Interaction Trees: Specifying, Testing and Verifying a Networked Server
Nicolas Koh, Yao Li, Yishuai Li, Li-yao Xia, Lennart Beringer, Wolf Honoré, William Mansky, Benjamin C. Pierce, Steve Zdancewic
January 14, 2019 (CPP)


SLIDE 1

From C to Interaction Trees

Specifying, Testing and Verifying a Networked Server

January 14, 2019 (CPP). Nicolas Koh, Yao Li, Yishuai Li, Li-yao Xia, Lennart Beringer, Wolf Honoré, William Mansky, Benjamin C. Pierce, Steve Zdancewic

SLIDE 2

Verification from RFCs to transistors

[Figure: verification stack Application / OS / Hardware down to bits (01011...); "One theorem to verify… and test!"]

More projects at deepspec.org…

SLIDE 3

Towards a verified web server

[Figure: stack HTTP Server / OS / Hardware down to bits (01011...)]

SLIDE 4

Towards a verified web server

[Figure: stack Swap Server / OS / Hardware down to bits (01011...)]

Today: a simplified server

SLIDE 5

Main contributions

  • Verifying a networked C program using VST, which can run in CertiKOS
  • Specification describes what a client can observe over the network
  • Testable specification, using QuickChick

SLIDE 6

Swap server specification

[Figure: the server exchanging the messages Cat, Dog, Bat and Elk with Client 1, Client 2 and Client 3]

SLIDE 7

Swap server: in the real world

[Figure: the server exchanging the messages Cat, Dog, Bat and Elk with clients / a tester over the network]

  • Messages on different connections can be reordered
  • Messages can be delayed indefinitely

SLIDE 8

Network refinement

[Diagram: the Implementation network-refines the Specification, an adaptation of observational refinement / linearizability. On each side, the observable behavior by clients is obtained through the network semantics, and the implementation's observable behavior is included (⊆) in the specification's.]

SLIDE 9

Overview: proof architecture

[Diagram: CertiKOS, Socket API, Server implementation (written in C), Specification* (written in Coq)]

*: concepts defined in the paper

SLIDE 10

Overview: proof architecture

[Diagram: boxes CertiKOS, Socket API, Server implementation (written in C), Implementation model*, Linear Specification*, CertiKOS-level Socket spec.*, VST-level Socket spec.* (the last four written in Coq). The server implementation refines* the implementation model, which network-refines* the linear specification; the remaining arrows are labelled implements, validates* and assumed by.]

*: concepts defined in the paper

SLIDE 11

A unifying specification language

[Diagram: the proof architecture of slide 10, with testing added alongside network-refines*. The components sit at different abstraction levels and use different spec. styles.]

*: concepts defined in the paper

Interaction trees

SLIDE 12

Interaction trees: example (aka. free monads)

[Figure: an example tree with nodes ReadBit, WriteBit 0, Ret 1, Ret b2 (b2 : bit) and tt; one branch for each possible result, with a shorthand notation for two or more branches]

Type of effects ioE (indexed by the result type of each effect):

  (* bit is a two-element type assumed by the slides *)
  Inductive ioE : Type -> Type :=
  | ReadBit : ioE bit            (* result type: bit *)
  | WriteBit : bit -> ioE unit.  (* result type: unit *)

SLIDE 13

Interaction trees: definition (aka. free monads)

  (* E: type of effects (e.g., ioE); R: type of results *)
  CoInductive itree (E : Type -> Type) (R : Type) : Type :=
  | Vis : forall Y, E Y -> (Y -> itree E R) -> itree E R   (* an effect, then its continuation *)
  | Ret : R -> itree E R
  | Tau : itree E R -> itree E R.

SLIDE 14

A unifying specification language

[Diagram: the proof architecture of slide 10, with testing added alongside network-refines*. The components sit at different abstraction levels and use different spec. styles.]

*: concepts defined in the paper

Interaction trees

SLIDE 15

The Swap server “linear specification”

  CoFixpoint loop (open_conns : list conns) (last_msg : bytes) : itree serverE unit :=
    c <- choose open_conns ;;      (* pick any open connection *)
    new_msg <- recv_msg c ;;       (* receive that client's message *)
    send_msg c last_msg ;;         (* reply with the previously stored message *)
    loop open_conns new_msg.       (* the received message becomes the stored one *)

Simplified version (see paper)
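As an added example, not from the slides or the authors' Coq development: a Python model of the itree constructors from slide 13 and of the swap-server linear specification from slide 15, together with a check in the spirit of the testing story on slides 7 and 8. Because the network may reorder or delay messages, a tester only sees per-client (connection, sent, received) observations; the check asks whether some global ordering of them follows the linear spec. The names `loop`, `consistent` and `explainable`, the event encoding and the initial stored message are assumptions.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Any, Callable

@dataclass
class Ret:                      # itree constructors modelled in Python (an assumption)
    value: Any

@dataclass
class Tau:
    next: Any                   # the itree after a silent step

@dataclass
class Vis:
    event: tuple                # ("choose", conns) | ("recv", c) | ("send", c, msg)
    k: Callable[[Any], Any]     # continuation: one branch per possible result

def loop(open_conns, last_msg):
    """Swap server linear spec (slide 15), unfolded one iteration at a time."""
    return Vis(("choose", open_conns), lambda c:
           Vis(("recv", c), lambda new_msg:
           Vis(("send", c, last_msg), lambda _:
           Tau(loop(open_conns, new_msg)))))

def consistent(tree, order):
    """Walk the spec along one global order of (conn, sent, received) observations."""
    obs, cur = iter(order), None
    while True:
        if isinstance(tree, Tau):
            tree = tree.next
        elif isinstance(tree, Ret):
            return next(obs, None) is None
        elif tree.event[0] == "choose":
            cur = next(obs, None)
            if cur is None:
                return True                      # every observation explained
            if cur[0] not in tree.event[1]:
                return False                     # not an open connection
            tree = tree.k(cur[0])                # resolve choose to the observed connection
        elif tree.event[0] == "recv":
            tree = tree.k(cur[1])                # recv returns what that client sent
        elif tree.event[2] != cur[2]:
            return False                         # reply differs from what the client saw
        else:
            tree = tree.k(None)

def explainable(observations, conns, init_msg):
    """Accept the observations if some interleaving of them follows the spec."""
    return any(consistent(loop(conns, init_msg), order)
               for order in permutations(observations))
```

The permutation search is exponential and stands in for QuickChick's generator-driven exploration; it is enough to see why an observed reply that no client ever sent is rejected while any reordering of a valid run is accepted.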

SLIDE 16

Overview: proof architecture

[Diagram: the proof architecture of slide 10, with testing added alongside network-refines*; interaction trees are the common specification language]

*: concepts defined in the paper

SLIDE 17

Refinement: from C to ITrees

Hoare triple: { pre1 * … * preN } C_program { post1 * … * postN }
  * is the separating conjunction; the pre- and postconditions are assertions on C memory.

Example of a networked C program with its implementation model:
  { ITree(impl_model) * … } C_program { … }
  The ITree assertion carries the implementation model, an itree of the interactions allowed by the environment; C_program is the C implementation.

Simplified triples (see paper):

  { ITree(msg <- Recv c ;; Send c msg ;; t) * … }
    recv(c, buf, len);
    send(c, buf, len);
  { ITree(t) * … }

SLIDE 18

The Swap server correctness theorem

  Theorem correct_server :
    exists impl_model,
      refines C_prog impl_model /\
      network_refines impl_model linear_spec.

  refines C_prog impl_model: the VST triple { ITree(impl_model) } C_prog { … }
  network_refines impl_model linear_spec: inclusion (⊆) of observable behaviors, as on slide 8

SLIDE 19

Summary and next steps

  • Verifying a networked C program using VST, which can run in CertiKOS
  • The specification describes what a client can observe over the network
  • The specification is testable, using QuickChick and Interaction trees

Next steps:
  • Scale up: Swap server -> HTTP Server
  • Complete connection
  • Improve proof and testing techniques
  • New library: https://github.com/DeepSpec/InteractionTrees
  • Add more interfaces: filesystem, encryption…