using crash hoare logic for certifying the fscq file
play

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang - PowerPoint PPT Presentation

Sep 23, 2022 •238 likes •765 views

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

  1. Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1

  2. File systems are complex and have bugs File systems are complex (e.g., Linux ext4 is ∼ 60,000 lines of code) and have many bugs: 500 # patches for bugs ext3 400 300 200 100 0 Jan'04 Jan'05 Jan'06 Jan'07 Jan'08 Jan'09 Jan'10 Jan'11 Cumulative number of patches for file-system bugs in Linux; data from [Lu et al., FAST’13] 2 / 1

  3. File systems are complex and have bugs File systems are complex (e.g., Linux ext4 is ∼ 60,000 lines of code) and have many bugs: 500 # patches for bugs ext3 ext4 400 xfs 300 reiserfs jfs 200 btrfs 100 0 Jan'04 Jan'05 Jan'06 Jan'07 Jan'08 Jan'09 Jan'10 Jan'11 Cumulative number of patches for file-system bugs in Linux; data from [Lu et al., FAST’13] New file systems (and bugs) are introduced over time 2 / 1

  4. File systems are complex and have bugs File systems are complex (e.g., Linux ext4 is ∼ 60,000 lines of code) and have many bugs: 500 # patches for bugs ext3 ext4 400 xfs 300 reiserfs jfs 200 btrfs 100 0 Jan'04 Jan'05 Jan'06 Jan'07 Jan'08 Jan'09 Jan'10 Jan'11 Cumulative number of patches for file-system bugs in Linux; data from [Lu et al., FAST’13] New file systems (and bugs) are introduced over time Some bugs are serious: security exploits , data loss , etc. 2 / 1

  5. Much research in avoiding bugs in file systems Most research is on finding bugs: Crash injection (e.g., EXPLODE [OSDI’06]) Symbolic execution (e.g., EXE [Oakland’06]) Design modeling (e.g., in Alloy [ABZ’08]) Some elimination of bugs by proving: FS without directories [Arkoudas et al. 2004] BilbyFS [Keller, Amani, et al. 2014] Flashix [Ernst et al. 2015] 3 / 1

  6. Much research in avoiding bugs in file systems Most research is on finding bugs: Crash injection (e.g., EXPLODE [OSDI’06]) Symbolic execution (e.g., EXE [Oakland’06]) Design modeling (e.g., in Alloy [ABZ’08]) Reduce # bugs Some elimination of bugs by proving: FS without directories [Arkoudas et al. 2004] BilbyFS [Keller, Amani, et al. 2014] Flashix [Ernst et al. 2015] 3 / 1

  7. Much research in avoiding bugs in file systems Most research is on finding bugs: Crash injection (e.g., EXPLODE [OSDI’06]) Symbolic execution (e.g., EXE [Oakland’06]) Design modeling (e.g., in Alloy [ABZ’08]) Reduce # bugs Some elimination of bugs by proving: FS without directories [Arkoudas et al. 2004] BilbyFS [Keller, Amani, et al. 2014] Flashix [Ernst et al. 2015] Incomplete + no crashes 3 / 1

  8. File system must preserve data after crash commit 353b67d8ced4dc53281c88150ad295e24bc4b4c5 --- a/fs/jbd/checkpoint.c +++ b/fs/jbd/checkpoint.c @@ -504,7 +503,25 @@ int cleanup_journal_tail(journal_t *journal) Crashes occur due spin_unlock(&journal->j_state_lock); return 1; to power failures, } + spin_unlock(&journal->j_state_lock); hardware failures, or + + /* software bugs + * We need to make sure that any blocks that were recently written out + * --- perhaps by log_do_checkpoint() --- are flushed out before we + * drop the transactions from the journal. It’s unlikely this will be + * necessary, especially with an appropriately sized journal, but we Difficult because + * need this to guarantee correctness. Fortunately + * cleanup_journal_tail() doesn’t get called all that often. crashes expose + */ many different + if (journal->j_flags & JFS_BARRIER) + blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL); partially-updated + spin_lock(&journal->j_state_lock); states + if (!tid_gt(first_tid, journal->j_tail_sequence)) { + spin_unlock(&journal->j_state_lock); + /* Someone else cleaned up journal so return 0 */ + return 0; + } /* OK, update the superblock to recover the freed space. * Physical blocks come first: have we wrapped beyond the end of * the log? */ 4 / 1

  9. File system must preserve security after crash Mistakes in crash handling can also lead to data disclosure Two optimizations in Linux ext4: direct data write and log checksum Subtle interaction: new file can contain other users’ data after crash Bug introduced in 2008, fixed in 2014 (six years later!) Author: Jan Kara <jack@suse.cz> Date: Tue Nov 25 20:19:17 2014 -0500 ext4: forbid journal_async_commit in data=ordered mode Option journal_async_commit breaks gurantees of data=ordered mode as it sends only a single cache flush after writing a transaction commit block. Thus even though the transaction including the commit block is fully stored on persistent storage, file data may still linger in drives caches and will be lost on power failure. Since all checksums match on journal recovery, we replay the transaction thus possibly exposing stale user data. [...] 5 / 1

  10. Goal: certify a complete file system under crashes A file system with a machine-checkable proof that its implementation meets its specification under normal execution and under any sequence of crashes including crashes during recovery 6 / 1

  11. Contributions CHL : Crash Hoare Logic for persistent storage Crash condition and recovery semantics CHL automates parts of proof effort Proofs mechanically checked by Coq FSCQ : the first certified crash-safe file system Basic Unix-like file system (not parallel) Simple specification for a subset of POSIX (e.g., no fsync ) About 1.5 years of work, including learning Coq 7 / 1

  12. FSCQ runs standard Unix programs: mv , git , make , ... 8 / 1

  13. FSCQ runs standard Unix programs: mv , git , make , ... 8 / 1

  14. FSCQ runs standard Unix programs: mv , git , make , ... 8 / 1

  15. FSCQ runs standard Unix programs: mv , git , make , ... TCB includes Coq’s extractor, Haskell compiler and runtime, ... 8 / 1

  16. How to specify what is “correct”? Need a specification of “correct” behavior before we can prove anything Look it up in the POSIX standard? 9 / 1

  17. How to specify what is “correct”? Need a specification of “correct” behavior before we can prove anything Look it up in the POSIX standard? [...] a power failure [...] can cause data to be lost. The data may be associated with a file that is still open, with one that has been closed, with a directory, or with any other internal system data structures associated with permanent storage. This data can be lost, in whole or part, so that only careful inspection of file contents could determine that an update did not occur. IEEE Std 1003.1, 2013 Edition POSIX is vague about crash behavior POSIX’s goal was to specify “common-denominator” behavior File system implementations have different interpretations Leads to bugs in higher-level applications [Pillai et al. OSDI’14] 9 / 1

  18. This work: “correct” is transactional Run every file-system call inside a transaction def create(d, name): log_begin() newfile = allocate_inode() newfile.init() d.add(name, newfile) log_commit() 10 / 1

  19. This work: “correct” is transactional Run every file-system call inside a transaction def create(d, name): log_begin() newfile = allocate_inode() newfile.init() d.add(name, newfile) log_commit() log_begin and log_commit implement a write-ahead log on disk After crash, replay any committed transaction in the write-ahead log 10 / 1

  20. This work: “correct” is transactional Run every file-system call inside a transaction def create(d, name): log_begin() newfile = allocate_inode() newfile.init() d.add(name, newfile) log_commit() log_begin and log_commit implement a write-ahead log on disk After crash, replay any committed transaction in the write-ahead log Q: How to formally specify both normal-case and crash behavior? Q: How to specify that it’s safe to crash during recovery itself? 10 / 1

  21. Approach: Hoare Logic specifications {pre} code {post} SPEC disk_write( a , v ) PRE a �→ v 0 POST a �→ v 11 / 1

  22. CHL extends Hoare Logic with crash conditions {pre} code {post} {crash} SPEC disk_write( a , v ) PRE a �→ v 0 POST a �→ v CRASH a �→ v 0 ∨ a �→ v CHL’s disk model matches what most other file systems assume: writing a single block is an atomic operation no data corruption Disk model axiom specs: disk_write , disk_read , and disk_sync 12 / 1

  23. Certifying larger procedures def bmap(inode, bnum): if bnum >= NDIRECT: indirect = log_read(inode.blocks[NDIRECT]) pre post return indirect[bnum - NDIRECT] else : return inode.blocks[bnum] crash 13 / 1

  24. Certifying larger procedures Need pre/post/crash conditions for each called procedure log_read return pre post if return Function bmap crash 13 / 1

  25. Certifying larger procedures CHL’s proof automation chains pre- and postconditions log_read return pre post if return Function bmap crash 13 / 1

  26. Certifying larger procedures CHL’s proof automation combines crash conditions log_read return pre post if return Function bmap crash 13 / 1

  27. Certifying larger procedures Remaining proof effort: changing representation invariants log_read return pre post if return Function bmap crash 13 / 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

1.18k views • 50 slides
Hoare logic Lecture 4: A verifier for Hoare logic Jean Pichon-Pharabod University of Cambridge

Hoare logic Lecture 4: A verifier for Hoare logic Jean Pichon-Pharabod University of Cambridge

Hoare logic Lecture 4: A verifier for Hoare logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction Last time, we saw that that proofs in Hoare logic can involve large amounts of very error-prone bookkeeping

690 views • 48 slides
Hoare Logic and Model Checking Semantics of Hoare Logic Kasper Svendsen University of Cambridge

Hoare Logic and Model Checking Semantics of Hoare Logic Kasper Svendsen University of Cambridge

Hoare Logic and Model Checking Semantics of Hoare Logic Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Semantics of Hoare Logic

663 views • 10 slides
Hoare logic Lecture 3: Formalising the semantics of Hoare logic In the previous lecture, we

Hoare logic Lecture 3: Formalising the semantics of Hoare logic In the previous lecture, we

Recap Hoare logic Lecture 3: Formalising the semantics of Hoare logic In the previous lecture, we specified and verified some example programs using the syntactic rules of Hoare logic that we introduced in the first lecture. Jean

477 views • 13 slides
Hoare Logic Hoare Logic is used to reason about the correctness of programs. In the end, it

Hoare Logic Hoare Logic is used to reason about the correctness of programs. In the end, it

Hoare Logic Hoare Logic is used to reason about the correctness of programs. In the end, it reduces a program and its specification to a set of verifications conditions. Slides by Wishnu Prasetya URL : www.cs.uu.nl/~wishnu Course URL :

1.4k views • 124 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
Hoare Logic Andreas Podelski November 8, 2011 Hoare logic introduced by Hoare in 1969

Hoare Logic Andreas Podelski November 8, 2011 Hoare logic introduced by Hoare in 1969

Hoare Logic Andreas Podelski November 8, 2011 Hoare logic introduced by Hoare in 1969 builds on first-order logic Hoare logic introduced by Hoare in 1969 builds on first-order logic correctness specification = pre- and

401 views • 37 slides
COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification Invented: Quicksort, the null reference (called it his billion dollar mistake) CSP (formal specification language), and Hoare Logic 2 Summary L

770 views • 59 slides
COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification Invented: Quicksort, the null reference (called it his billion dollar mistake) CSP (formal specification language), and Hoare Logic 2 Summary L

2k views • 158 slides
Probabilistic Relational Hoare Logic Main judgments Hoare Logic c : = : hoare [ c : pre

Probabilistic Relational Hoare Logic Main judgments Hoare Logic c : = : hoare [ c : pre

Probabilistic Relational Hoare Logic Main judgments Hoare Logic c : = : hoare [ c : pre ==&gt; post] Probabilistic Hoare Logic [ c : = ] = (see Lecture 6): bd_hoare [ c : pre ==&gt; post ] = r Probabilistic Relational Hoare

377 views • 23 slides
Hoare Logic Jari Stenman February 10, 2012 Jari Stenman () Hoare Logic February 10, 2012 1 /

Hoare Logic Jari Stenman February 10, 2012 Jari Stenman () Hoare Logic February 10, 2012 1 /

Hoare Logic Jari Stenman February 10, 2012 Jari Stenman () Hoare Logic February 10, 2012 1 / 25 Outline Background 1 Axioms and Rules 2 A note on Weakest Preconditions 3 Jari Stenman () Hoare Logic February 10, 2012 2 / 25 Outline

463 views • 25 slides
Hoare Logic Part II Decorations and Hoare as Logic Thomas Churchman Radboud University Nijmegen

Hoare Logic Part II Decorations and Hoare as Logic Thomas Churchman Radboud University Nijmegen

Recap Decoration Preliminaries Radboud University Nijmegen Decorations Hoare as Logic Hoare Logic Part II Decorations and Hoare as Logic Thomas Churchman Radboud University Nijmegen Type Theory and Coq - 2016 Thomas Churchman Type Theory

289 views • 18 slides
Logic for Computer Science 15 Hoare logic Wouter Swierstra University of Utrecht 1 Last

Logic for Computer Science 15 Hoare logic Wouter Swierstra University of Utrecht 1 Last

Logic for Computer Science 15 Hoare logic Wouter Swierstra University of Utrecht 1 Last time Natural deduction 2 This lecture Semantics of computer programs A logic for reasoning about them 3 Syntax of programming language The BNF

796 views • 78 slides
locales C ONTENT I SAR I S B ASED O N C ONTEXTS Intro &amp; motivation, getting started with

locales C ONTENT I SAR I S B ASED O N C ONTEXTS Intro &amp; motivation, getting started with

L AST T IME Syntax and semantics of IMP Hoare logic rules Soundness of Hoare logic NICTA Advanced Course Verification conditions Slide 1 Theorem Proving Slide 3 Principles, Techniques, Applications Example program proofs

322 views • 8 slides
Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

CS6202: Advanced Topics in Programming Hoare Logic Hoare Logic Languages and Systems Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview Notation : {P} code {Q} Assertion Logic {P}

557 views • 19 slides
Hoare Logic for Multiprocessing (Work in progress) Daniel Pellarini joint work with Marina

Hoare Logic for Multiprocessing (Work in progress) Daniel Pellarini joint work with Marina

Varese, September 19-21 2012 Hoare Logic for Multiprocessing (Work in progress) Daniel Pellarini joint work with Marina Lenisa Universit degli studi di Udine, Italy Daniel Pellarini and Marina Lenisa Hoare Logic for Multiprocessing Hoare

507 views • 23 slides
NUMA-Aware Thread Migration for High Performance NVMM File Systems Ying Wang , Dejun Jiang, Jin

NUMA-Aware Thread Migration for High Performance NVMM File Systems Ying Wang , Dejun Jiang, Jin

NUMA-Aware Thread Migration for High Performance NVMM File Systems Ying Wang , Dejun Jiang, Jin Xiong Institute of Computing Technology, CAS University of Chinese Academy of

1.37k views • 103 slides
Theory of Reals for Verification and Synthesis of Hybrid Dynamical Systems Ashish Tiwari

Theory of Reals for Verification and Synthesis of Hybrid Dynamical Systems Ashish Tiwari

Theory of Reals for Verification and Synthesis of Hybrid Dynamical Systems Ashish Tiwari Computer Science Laboratory (CSL) SRI International (SRI) Menlo Park, CA 94025 Email: ashish.tiwari@sri.com Ashish Tiwari Theory of

706 views • 56 slides
Physics 2D Lecture Slides Lecture 27: Mar 8th Vivek Sharma UCSD Physics Quiz 8 16 14 12

Physics 2D Lecture Slides Lecture 27: Mar 8th Vivek Sharma UCSD Physics Quiz 8 16 14 12

Confirmed: 2D Final Exam: Thursday 18 th March 11:30-2:30 PM WLH 2005 Course Review 14 th March 10am WLH 2005 (TBC) Physics 2D Lecture Slides Lecture 27: Mar 8th Vivek Sharma UCSD Physics Quiz 8 16 14 12 Frequency 10 8 6 4 2 0 0 1

766 views • 13 slides
WBS 121.3.11 Cryogenics SC Acceleration Modules and Cryogenics Anindya Chakravarty and Arkadiy

WBS 121.3.11 Cryogenics SC Acceleration Modules and Cryogenics Anindya Chakravarty and Arkadiy

WBS 121.3.11 Cryogenics SC Acceleration Modules and Cryogenics Anindya Chakravarty and Arkadiy Klebaner In partnership with: India Institutes Fermilab Collaboration PIP-II Directors Review Istituto Nazionale di Fisica Nucleare Science and

388 views • 35 slides
Computer System Design Depth in ECE Computer System Design Depth Qualcomm Snapdragon 845 Mobile

Computer System Design Depth in ECE Computer System Design Depth Qualcomm Snapdragon 845 Mobile

Computer System Design Depth in ECE Computer System Design Depth Qualcomm Snapdragon 845 Mobile Processor ECE 16: Rapid HW/SW Design (Embedded Software) ECE 141AB: Software Foundations ECE 25: (Application Software) Intro Digital Design

137 views • 3 slides
From One To Many: Checking A Set Of Models Rohit Dureja and Kristin Yvonne Rozier Iowa State

From One To Many: Checking A Set Of Models Rohit Dureja and Kristin Yvonne Rozier Iowa State

From One To Many: Checking A Set Of Models Rohit Dureja and Kristin Yvonne Rozier Iowa State University October 4, 2016 Motivation Complex systems design often requires analyzing several models of the system under development. Rohit Dureja

357 views • 7 slides
Systems Development (DRCHSD) Program The Center DRCHSD Team April 30, 2018 1 Presentation

Systems Development (DRCHSD) Program The Center DRCHSD Team April 30, 2018 1 Presentation

Delta Region Community Health Systems Development (DRCHSD) Program The Center DRCHSD Team April 30, 2018 1 Presentation Agenda Introductions Program Purpose and Goals Technical Assistance Approach Community Care Coordination

571 views • 23 slides
Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation Organization =How to implement a database system and have fun doing it ;-) 01: Introduction Boris Glavic Slides: adapted from a course taught by

198 views • 7 slides

More recommend