SLIDE 1
Œuf: Minimizing the Coq Extraction TCB
Eric Mullen, Stuart Pernsteiner, James Wilcox, Zachary Tatlock, Dan Grossman
1
Extraction
2
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart - - PowerPoint PPT Presentation
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart - - PowerPoint PPT Presentation
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary Tatlock, Dan Grossman 1 Extraction 2 Extraction K coq 2 Extraction K coq 2 Extraction K coq Extraction 2 Extraction K coq Extraction K
SLIDE 2
SLIDE 3
Extraction
Kcoq
2
SLIDE 4
Extraction
Kcoq
2
SLIDE 5
Extraction
Kcoq
Extraction
2
SLIDE 6
Extraction
Kcoq Kocaml
Extraction
2
SLIDE 7
Extraction
Kcoq Kocaml
?
Extraction
2
SLIDE 8
Extraction
Kcoq Kocaml
?
Extraction
- camlc
2
SLIDE 9
Extraction
Kcoq Kocaml
?
Extraction
Kasm
- camlc
2
SLIDE 10
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
2
SLIDE 11
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Current:
2
SLIDE 12
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Current: Œuf:
2
SLIDE 13
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq Current: Œuf:
2
SLIDE 14
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq Current: Œuf:
2
SLIDE 15
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq
Œuf
Current: Œuf:
2
SLIDE 16
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf
Current: Œuf:
2
SLIDE 17
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf
Current: Œuf:
2
SLIDE 18
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf CompCert
Current: Œuf:
2
SLIDE 19
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf
Kasm
CompCert
Current: Œuf:
2
SLIDE 20
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf
Kasm
CompCert
Current: Œuf:
2
SLIDE 21
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf
Kasm
CompCert
Current: Œuf:
Shim
2
SLIDE 22
Extraction
Kcoq Kocaml
?
Extraction
Kasm
?
- camlc
Kcoq KCminor
Œuf
Kasm
CompCert
Current: Œuf:
Shim Shim
2
SLIDE 23
3
Kcoq KCminor
Œuf
Extraction
Shim
Kasm
CompCert
Œuf:
SLIDE 24
3
Kcoq KCminor
Œuf
Extraction
Shim
Kasm
CompCert
Œuf:
1.Novel frontend guarantees correct input
SLIDE 25
3
Kcoq KCminor
Œuf
Extraction
Shim
Kasm
CompCert
Œuf:
1.Novel frontend guarantees correct input 2.Correctness theorem allows shim reasoning
SLIDE 26
Related Work
4
SLIDE 27
Related Work
4
- Built in HOL
- Uses Different
Frontend Technique
SLIDE 28
Related Work
4
- Built in HOL
- Uses Different
Frontend Technique
- Aims to compile all
- f Gallina
- Doesn’t support
shim reasoning
- No frontend trust
story
SLIDE 29
Related Work
4
- Built in HOL
- Uses Different
Frontend Technique
- Aims to compile all
- f Gallina
- Doesn’t support
shim reasoning
- No frontend trust
story
CompCert
Provides the compiler backend for Œuf (and CertiCoq)
SLIDE 30
Outline
5
Architecture Guarantee Evaluation
SLIDE 31
Outline
6
Architecture Guarantee Evaluation
SLIDE 32
7
SLIDE 33
Outline
8
Architecture Guarantee Evaluation
SLIDE 34
Outline
9
Architecture Guarantee Evaluation
SLIDE 35
Architecture
Kcoq KCminor
Oeuf
Kasm
CompCert
Shim
10
SLIDE 36
Architecture
Kcoq
10
SLIDE 37
Architecture
Kcoq
11
SLIDE 38
Architecture
Kcoq
Reflect
11
SLIDE 39
Architecture
Kcoq
Reflect
KAST
11
SLIDE 40
Architecture
Kcoq
Reflect Denote
KAST
11
SLIDE 41
Architecture
Kcoq
Reflect Denote
KAST
Serialize
11
SLIDE 42
Architecture
Kcoq
Reflect Denote
KAST
Serialize
11
SLIDE 43
Architecture
Kcoq
Reflect Denote
KAST
Serialize Deserialize
11
SLIDE 44
Architecture
Kcoq
Reflect Denote
KAST
Serialize Deserialize KAST
11
SLIDE 45
Architecture
Kcoq
Reflect Denote
KAST
Serialize Deserialize KAST Compile
11
SLIDE 46
Architecture
Kcoq KCminor
Reflect Denote
KAST
Serialize Deserialize KAST Compile
11
SLIDE 47
Architecture
Kcoq KCminor Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile
11
SLIDE 48
Architecture
Kcoq KCminor Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile CompCert
11
SLIDE 49
Architecture
Kcoq KCminor Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile
SCminor
CompCert
11
SLIDE 50
Architecture
Kcoq KCminor Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile
SCminor
CompCert Link
11
SLIDE 51
Architecture
Kcoq KCminor Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile
SCminor LCminor
CompCert Link
11
SLIDE 52
Architecture
Kcoq KCminor
CompCert
Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile
SCminor LCminor
CompCert Link
11
SLIDE 53
Architecture
Kcoq KCminor Lasm
CompCert
Shim
Reflect Denote
KAST
Serialize Deserialize KAST Compile
SCminor LCminor
CompCert Link
11
SLIDE 54
Frontend
Reflect Denote
KAST
12
Kcoq
SLIDE 55
Frontend
Reflect Denote
KAST
e ::= | x (var) | e e (application) | C e* (constructor) | E e* e (eliminator) | f e* (closure creation)
12
Kcoq
SLIDE 56
Frontend
Reflect Denote
KAST
e ::= | x (var) | e e (application) | C e* (constructor) | E e* e (eliminator) | f e* (closure creation)
K’coq Kcoq
Remove Dep Types Pattern Matching -> Elims
12
SLIDE 57
Frontend
Reflect Denote
KAST
e ::= | x (var) | e e (application) | C e* (constructor) | E e* e (eliminator) | f e* (closure creation)
K’coq Kcoq
Remove Dep Types Pattern Matching -> Elims
12
Theorem:
SLIDE 58
Frontend Language Restrictions
13
Denote
KAST Kcoq
SLIDE 59
Frontend Language Restrictions
- No Fixpoints
13
Denote
KAST Kcoq
SLIDE 60
Frontend Language Restrictions
- No Fixpoints
- No Pattern Matching
13
Denote
KAST Kcoq
SLIDE 61
Frontend Language Restrictions
- No Fixpoints
- No Pattern Matching
- No Dependent Types
13
Denote
KAST Kcoq
SLIDE 62
Frontend Language Restrictions
- No Fixpoints
- No Pattern Matching
- No Dependent Types
- All Types built into Œuf
13
Denote
KAST Kcoq
SLIDE 63
Compiler
Serialize Deserialize KAST Compile
KCminor
14
SLIDE 64
Compiler
Serialize Deserialize KAST Compile
KCminor 45 verified compilation passes
14
SLIDE 65
Compiler
Serialize Deserialize KAST Compile
KCminor 45 verified compilation passes
14
SLIDE 66
Compiler
Serialize Deserialize KAST Compile
KCminor 45 verified compilation passes
14
SLIDE 67
Shim
KCminor
Shim
15
SLIDE 68
Shim
KCminor
Shim
CompCert
15
SLIDE 69
Shim
KCminor
Shim SCminor
CompCert
15
SLIDE 70
Shim
KCminor
Shim SCminor
CompCert Link
15
SLIDE 71
Shim
KCminor
Shim SCminor
LCminor
CompCert Link
15
SLIDE 72
Shim
KCminor
Shim SCminor
LCminor
CompCert Link CompCert
15
SLIDE 73
Shim
KCminor
Shim SCminor
LCminor
CompCert Link
Lasm
CompCert
15
SLIDE 74
Shim
KCminor
Shim SCminor
LCminor
CompCert Link
Lasm
CompCert
15
SLIDE 75
Outline
16
Architecture Guarantee Evaluation
SLIDE 76
Outline
17
Architecture Guarantee Evaluation
SLIDE 77
Guarantee
SCminor
18
SLIDE 78
Guarantee
SCminor SCoq
18
SLIDE 79
Guarantee
SCminor SCoq match
18
SLIDE 80
Guarantee
SCminor SCoq match 1) evaluate
18
SLIDE 81
Guarantee
SCminor SCoq VCoq match 1) evaluate
18
SLIDE 82
Guarantee
SCminor SCoq VCoq match 2) match 1) evaluate
18
SLIDE 83
Guarantee
SCminor SCoq VCoq VCminor match 2) match 1) evaluate
18
SLIDE 84
Guarantee
SCminor SCoq VCoq VCminor match 2) match 1) evaluate 3) steps*
18
SLIDE 85
Guarantee
*Cminor is Deterministic
SCminor SCoq VCoq VCminor match 2) match 1) evaluate 3) steps*
18
SLIDE 86
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
19
SLIDE 87
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq
19
SLIDE 88
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq
Extraction
19
SLIDE 89
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq Œufocaml
Extraction
19
SLIDE 90
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq Œufocaml
?
Extraction
19
SLIDE 91
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq Œufocaml
?
Extraction
Œuf Driver
19
SLIDE 92
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq Œufocaml
?
Extraction
- camlc
Œuf Driver
19
SLIDE 93
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq Œufocaml
?
Extraction
Œufasm
- camlc
Œuf Driver
19
SLIDE 94
TCB
Kcoq KCminor
Œuf
Kasm
CompCert
Œuf:
Shim
Œufcoq Œufocaml
?
Extraction
Œufasm
- camlc
Œuf Driver
?
19
SLIDE 95
Outline
20
Architecture Guarantee Evaluation
SLIDE 96
Outline
21
Architecture Guarantee Evaluation
SLIDE 97
Evaluation
- Eliminate trust in parser
- Provide API for shim reasoning
- Verify the compiler
- Works on real code
- Performance?
22
SLIDE 98
Evaluation
- Eliminate trust in parser
- Provide API for shim reasoning
- Verify the compiler
- Works on real code
- Performance?
22
SLIDE 99
Evaluation
- Eliminate trust in parser
- Provide API for shim reasoning
- Verify the compiler
- Works on real code
- Performance?
22
SLIDE 100
Evaluation
- Eliminate trust in parser
- Provide API for shim reasoning
- Verify the compiler
- Works on real code
- Performance?
22
SLIDE 101
Evaluation
- Eliminate trust in parser
- Provide API for shim reasoning
- Verify the compiler
- Works on real code
- Performance?
22
SLIDE 102
Evaluation
- Eliminate trust in parser
- Provide API for shim reasoning
- Verify the compiler
- Works on real code
- Performance?
22
?
SLIDE 103
Evaluation
Program Input Size Default Boehm Slab OCaml list_max 100 items 0.03 s 0.04 s 0.01 s 0.00 s list_max 1000 items (OOM) 34.63 s 11.31 s 0.02 s SHA256 55 bytes 2.22 s 3.12 s 1.31 s 0.07 s SHA256 500 bytes (OOM) 24.44 s 10.75 s 0.58 s SHA256 5000 bytes (OOM) 246.94 s 107.06 s 5.85 s
23
SLIDE 104
Evaluation
Program Input Size Default Boehm Slab OCaml list_max 100 items 0.03 s 0.04 s 0.01 s 0.00 s list_max 1000 items (OOM) 34.63 s 11.31 s 0.02 s SHA256 55 bytes 2.22 s 3.12 s 1.31 s 0.07 s SHA256 500 bytes (OOM) 24.44 s 10.75 s 0.58 s SHA256 5000 bytes (OOM) 246.94 s 107.06 s 5.85 s
23
Verification of a Cryptographic Primitive,
- A. Appel. TOPLAS 2015
SLIDE 105
Evaluation
24
Specification Size Lines of Code Œuf Specification
~100
CompCert Specification
~350
Total Specification
~450
Total Code Size Lines of Code Gallina/ Vernacular LOC
26k
Ltac LOC
27k
Total LOC
53k
SLIDE 106
Œuf
25
Kcoq KCminor
Œuf
Kasm
CompCert
Shim
https://oeuf.uwplse.org https://github.com/uwplse/oeuf