using crash hoare logic for certifying the fscq file
play

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang - PowerPoint PPT Presentation

Sep 11, 2023 •655 likes •1.18k views

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

  1. Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27

  2. File systems are complex and have bugs File systems are complex (e.g., Linux ext4 is ∼ 60,000 lines of code) and have many bugs: 500 # patches for bugs ext3 400 300 200 100 0 Jan'04 Jan'05 Jan'06 Jan'07 Jan'08 Jan'09 Jan'10 Jan'11 Cumulative number of patches for file-system bugs in Linux; data from [Lu et al., FAST’13] 2 / 27

  3. File systems are complex and have bugs File systems are complex (e.g., Linux ext4 is ∼ 60,000 lines of code) and have many bugs: 500 # patches for bugs ext3 ext4 400 xfs 300 reiserfs jfs 200 btrfs 100 0 Jan'04 Jan'05 Jan'06 Jan'07 Jan'08 Jan'09 Jan'10 Jan'11 Cumulative number of patches for file-system bugs in Linux; data from [Lu et al., FAST’13] New file systems (and bugs) are introduced over time 2 / 27

  4. File systems are complex and have bugs File systems are complex (e.g., Linux ext4 is ∼ 60,000 lines of code) and have many bugs: 500 # patches for bugs ext3 ext4 400 xfs 300 reiserfs jfs 200 btrfs 100 0 Jan'04 Jan'05 Jan'06 Jan'07 Jan'08 Jan'09 Jan'10 Jan'11 Cumulative number of patches for file-system bugs in Linux; data from [Lu et al., FAST’13] New file systems (and bugs) are introduced over time Some bugs are serious: security exploits , data loss , etc. 2 / 27

  5. Much research in avoiding bugs in file systems Most research is on finding bugs: Crash injection (e.g., EXPLODE [OSDI’06]) Symbolic execution (e.g., EXE [Oakland’06]) Design modeling (e.g., in Alloy [ABZ’08]) Some elimination of bugs by proving: FS without directories [Arkoudas et al. 2004] BilbyFS [Keller 2014] UBIFS [Ernst et al. 2013] 3 / 27

  6. Much research in avoiding bugs in file systems Most research is on finding bugs: Crash injection (e.g., EXPLODE [OSDI’06]) Reduce Symbolic execution (e.g., EXE [Oakland’06]) # bugs Design modeling (e.g., in Alloy [ABZ’08]) Some elimination of bugs by proving: FS without directories [Arkoudas et al. 2004] BilbyFS [Keller 2014] UBIFS [Ernst et al. 2013] 3 / 27

  7. Much research in avoiding bugs in file systems Most research is on finding bugs: Crash injection (e.g., EXPLODE [OSDI’06]) Reduce Symbolic execution (e.g., EXE [Oakland’06]) # bugs Design modeling (e.g., in Alloy [ABZ’08]) Some elimination of bugs by proving: FS without directories [Arkoudas et al. 2004] Incomplete + BilbyFS [Keller 2014] no crashes UBIFS [Ernst et al. 2013] 3 / 27

  8. File system must preserve data after crash commit 353b67d8ced4dc53281c88150ad295e24bc4b4c5 --- a/fs/jbd/checkpoint.c +++ b/fs/jbd/checkpoint.c @@ -504,7 +503,25 @@ int cleanup_journal_tail(journal_t *journal) Crashes occur due spin_unlock(&journal->j_state_lock); return 1; to power failures, } + spin_unlock(&journal->j_state_lock); hardware failures, or + + /* software bugs + * We need to make sure that any blocks that were recently written out + * --- perhaps by log_do_checkpoint() --- are flushed out before we + * drop the transactions from the journal. It’s unlikely this will be + * necessary, especially with an appropriately sized journal, but we Difficult because + * need this to guarantee correctness. Fortunately + * cleanup_journal_tail() doesn’t get called all that often. crashes expose + */ many different + if (journal->j_flags & JFS_BARRIER) + blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL); partially-updated + spin_lock(&journal->j_state_lock); states + if (!tid_gt(first_tid, journal->j_tail_sequence)) { + spin_unlock(&journal->j_state_lock); + /* Someone else cleaned up journal so return 0 */ + return 0; + } /* OK, update the superblock to recover the freed space. * Physical blocks come first: have we wrapped beyond the end of * the log? */ 4 / 27

  9. Goal: certify a complete file system under crashes A file system with a machine-checkable proof that its implementation meets its specification under normal execution and under any sequence of crashes including crashes during recovery 5 / 27

  10. Contributions CHL : Crash Hoare Logic for persistent storage Crash condition and recovery semantics CHL automates parts of proof effort Proofs mechanically checked by Coq FSCQ : the first certified crash-safe file system Basic Unix-like file system (not parallel) Simple specification for a subset of POSIX (e.g., no fsync ) About 1.5 years of work, including learning Coq 6 / 27

  11. FSCQ runs standard Unix programs: mv , git , make , ... 7 / 27

  12. FSCQ runs standard Unix programs: mv , git , make , ... 7 / 27

  13. FSCQ runs standard Unix programs: mv , git , make , ... 7 / 27

  14. FSCQ runs standard Unix programs: mv , git , make , ... 7 / 27

  15. How to specify what is “correct”? Need a specification of “correct” behavior before we can prove anything Look it up in the POSIX standard? 8 / 27

  16. How to specify what is “correct”? Need a specification of “correct” behavior before we can prove anything Look it up in the POSIX standard? [...] a power failure [...] can cause data to be lost. The data may be associated with a file that is still open, with one that has been closed, with a directory, or with any other internal system data structures associated with permanent storage. This data can be lost, in whole or part, so that only careful inspection of file contents could determine that an update did not occur. IEEE Std 1003.1, 2013 Edition POSIX is vague about crash behavior POSIX’s goal was to specify “common-denominator” behavior File system implementations have different interpretations Leads to bugs in higher-level applications [Pillai et al. OSDI’14] 8 / 27

  17. This work: “correct” is transactional Run every file-system call inside a transaction def create(d, name): log_begin() newfile = allocate_inode() newfile.init() d.add(name, newfile) log_commit() 9 / 27

  18. This work: “correct” is transactional Run every file-system call inside a transaction def create(d, name): log_begin() newfile = allocate_inode() newfile.init() d.add(name, newfile) log_commit() log_begin and log_commit implement a write-ahead log on disk After crash, replay any committed transaction in the write-ahead log 9 / 27

  19. This work: “correct” is transactional Run every file-system call inside a transaction def create(d, name): log_begin() newfile = allocate_inode() newfile.init() d.add(name, newfile) log_commit() log_begin and log_commit implement a write-ahead log on disk After crash, replay any committed transaction in the write-ahead log Q: How to formally specify both normal-case and crash behavior? Q: How to specify that it’s safe to crash during recovery itself? 9 / 27

  20. Approach: Hoare Logic specifications {pre} code {post} SPEC disk_write( a , v ) PRE a �→ v 0 POST a �→ v 10 / 27

  21. CHL extends Hoare Logic with crash conditions {pre} code {post} {crash} SPEC disk_write( a , v ) PRE a �→ v 0 POST a �→ v CRASH a �→ v 0 ∨ a �→ v CHL’s disk model matches what most other file systems assume: writing a single block is an atomic operation no data corruption Disk model axiom specs: disk_write , disk_read , and disk_sync 11 / 27

  22. Certifying larger procedures def bmap(inode, bnum): if bnum >= NDIRECT: indirect = log_read(inode.blocks[NDIRECT]) pre post return indirect[bnum - NDIRECT] else : return inode.blocks[bnum] crash 12 / 27

  23. Certifying larger procedures Need pre/post/crash conditions for each called procedure log_read return pre post if return Function bmap crash 12 / 27

  24. Certifying larger procedures CHL’s proof automation chains pre- and postconditions log_read return pre post if return Function bmap crash 12 / 27

  25. Certifying larger procedures CHL’s proof automation combines crash conditions log_read return pre post if return Function bmap crash 12 / 27

  26. Certifying larger procedures Remaining proof effort: changing representation invariants log_read return pre post if return Function bmap crash 12 / 27

  27. Common pattern: representation invariant SPEC log_write( a , v ) PRE disk : log_rep(ActiveTxn, start_state , old_state ) old_state : a �→ v 0 POST disk : log_rep(ActiveTxn, start_state , new_state ) new_state : a �→ v CRASH disk : log_rep(ActiveTxn, start_state , any ) log_rep is a representation invariant Connects logical transaction state to an on-disk representation Describes the log’s on-disk layout using many �→ primitives 13 / 27

  28. Specifying an entire system call (simplified) SPEC create( dnum , fn ) PRE disk : log_rep(NoTxn, start_state ) start_state : dir_rep( tree ) ∧ ∃ path , tree [ path ].inode = dnum ∧ fn / ∈ tree [ path ] 14 / 27

  29. Specifying an entire system call (simplified) SPEC create( dnum , fn ) PRE disk : log_rep(NoTxn, start_state ) start_state : dir_rep( tree ) ∧ ∃ path , tree [ path ].inode = dnum ∧ fn / ∈ tree [ path ] POST disk : log_rep(NoTxn, new_state ) new_state : dir_rep( new_tree ) ∧ new_tree = tree .update( path , fn , empty_file) 14 / 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

765 views • 52 slides
Hoare logic Lecture 4: A verifier for Hoare logic Jean Pichon-Pharabod University of Cambridge

Hoare logic Lecture 4: A verifier for Hoare logic Jean Pichon-Pharabod University of Cambridge

Hoare logic Lecture 4: A verifier for Hoare logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction Last time, we saw that that proofs in Hoare logic can involve large amounts of very error-prone bookkeeping

690 views • 48 slides
Hoare Logic and Model Checking Semantics of Hoare Logic Kasper Svendsen University of Cambridge

Hoare Logic and Model Checking Semantics of Hoare Logic Kasper Svendsen University of Cambridge

Hoare Logic and Model Checking Semantics of Hoare Logic Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Semantics of Hoare Logic

663 views • 10 slides
Hoare logic Lecture 3: Formalising the semantics of Hoare logic In the previous lecture, we

Hoare logic Lecture 3: Formalising the semantics of Hoare logic In the previous lecture, we

Recap Hoare logic Lecture 3: Formalising the semantics of Hoare logic In the previous lecture, we specified and verified some example programs using the syntactic rules of Hoare logic that we introduced in the first lecture. Jean

477 views • 13 slides
Hoare Logic Hoare Logic is used to reason about the correctness of programs. In the end, it

Hoare Logic Hoare Logic is used to reason about the correctness of programs. In the end, it

Hoare Logic Hoare Logic is used to reason about the correctness of programs. In the end, it reduces a program and its specification to a set of verifications conditions. Slides by Wishnu Prasetya URL : www.cs.uu.nl/~wishnu Course URL :

1.4k views • 124 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
Hoare Logic Andreas Podelski November 8, 2011 Hoare logic introduced by Hoare in 1969

Hoare Logic Andreas Podelski November 8, 2011 Hoare logic introduced by Hoare in 1969

Hoare Logic Andreas Podelski November 8, 2011 Hoare logic introduced by Hoare in 1969 builds on first-order logic Hoare logic introduced by Hoare in 1969 builds on first-order logic correctness specification = pre- and

401 views • 37 slides
COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification Invented: Quicksort, the null reference (called it his billion dollar mistake) CSP (formal specification language), and Hoare Logic 2 Summary L

770 views • 59 slides
COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification

COMP2111 Week 8 Term 1, 2020 Hoare Logic 1 Sir Tony Hoare Pioneer in formal verification Invented: Quicksort, the null reference (called it his billion dollar mistake) CSP (formal specification language), and Hoare Logic 2 Summary L

2k views • 158 slides
Probabilistic Relational Hoare Logic Main judgments Hoare Logic c : = : hoare [ c : pre

Probabilistic Relational Hoare Logic Main judgments Hoare Logic c : = : hoare [ c : pre

Probabilistic Relational Hoare Logic Main judgments Hoare Logic c : = : hoare [ c : pre ==> post] Probabilistic Hoare Logic [ c : = ] = (see Lecture 6): bd_hoare [ c : pre ==> post ] = r Probabilistic Relational Hoare

377 views • 23 slides
Hoare Logic Jari Stenman February 10, 2012 Jari Stenman () Hoare Logic February 10, 2012 1 /

Hoare Logic Jari Stenman February 10, 2012 Jari Stenman () Hoare Logic February 10, 2012 1 /

Hoare Logic Jari Stenman February 10, 2012 Jari Stenman () Hoare Logic February 10, 2012 1 / 25 Outline Background 1 Axioms and Rules 2 A note on Weakest Preconditions 3 Jari Stenman () Hoare Logic February 10, 2012 2 / 25 Outline

463 views • 25 slides
Hoare Logic Part II Decorations and Hoare as Logic Thomas Churchman Radboud University Nijmegen

Hoare Logic Part II Decorations and Hoare as Logic Thomas Churchman Radboud University Nijmegen

Recap Decoration Preliminaries Radboud University Nijmegen Decorations Hoare as Logic Hoare Logic Part II Decorations and Hoare as Logic Thomas Churchman Radboud University Nijmegen Type Theory and Coq - 2016 Thomas Churchman Type Theory

289 views • 18 slides
Logic for Computer Science 15 Hoare logic Wouter Swierstra University of Utrecht 1 Last

Logic for Computer Science 15 Hoare logic Wouter Swierstra University of Utrecht 1 Last

Logic for Computer Science 15 Hoare logic Wouter Swierstra University of Utrecht 1 Last time Natural deduction 2 This lecture Semantics of computer programs A logic for reasoning about them 3 Syntax of programming language The BNF

796 views • 78 slides
locales C ONTENT I SAR I S B ASED O N C ONTEXTS Intro & motivation, getting started with

locales C ONTENT I SAR I S B ASED O N C ONTEXTS Intro & motivation, getting started with

L AST T IME Syntax and semantics of IMP Hoare logic rules Soundness of Hoare logic NICTA Advanced Course Verification conditions Slide 1 Theorem Proving Slide 3 Principles, Techniques, Applications Example program proofs

322 views • 8 slides
Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

CS6202: Advanced Topics in Programming Hoare Logic Hoare Logic Languages and Systems Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview Notation : {P} code {Q} Assertion Logic {P}

557 views • 19 slides
Hoare Logic for Multiprocessing (Work in progress) Daniel Pellarini joint work with Marina

Hoare Logic for Multiprocessing (Work in progress) Daniel Pellarini joint work with Marina

Varese, September 19-21 2012 Hoare Logic for Multiprocessing (Work in progress) Daniel Pellarini joint work with Marina Lenisa Universit degli studi di Udine, Italy Daniel Pellarini and Marina Lenisa Hoare Logic for Multiprocessing Hoare

507 views • 23 slides
Set of Support for Theory Reasoning Giles Reger 1 , Martin Suda 2 1 School of Computer Science,

Set of Support for Theory Reasoning Giles Reger 1 , Martin Suda 2 1 School of Computer Science,

Set of Support for Theory Reasoning Giles Reger 1 , Martin Suda 2 1 School of Computer Science, University of Manchester, UK 2 TU Wien, Vienna, Austria IWIL 2017 Maun, May 7, 2017 1/18 Theory axioms in proofs Consider the following toy

966 views • 53 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

206 views • 20 slides
CHOOSING NG M MODES O OF DE DELI LIVERY Dr. Tony Bates Research Associate Contact

CHOOSING NG M MODES O OF DE DELI LIVERY Dr. Tony Bates Research Associate Contact

CHOOSING NG M MODES O OF DE DELI LIVERY Dr. Tony Bates Research Associate Contact North|Contact Nord www.contactnord.ca 1 Webinar F Format Aim of series: Discuss issues raised in Teaching in a Digital Age Draw on your

332 views • 17 slides
in ISPD11 and DAC12 Routability- Driven Placement Contests Wen-Hao Liu 1,3 , Cheng-Kok Koh 2 , and

in ISPD11 and DAC12 Routability- Driven Placement Contests Wen-Hao Liu 1,3 , Cheng-Kok Koh 2 , and

Case Study for Placement Solutions in ISPD11 and DAC12 Routability- Driven Placement Contests Wen-Hao Liu 1,3 , Cheng-Kok Koh 2 , and Yih-Lang Li 3 1 Department of Computer Science, National Tsing Hua University, Taiwan 2 School of Electrical and

479 views • 15 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
Life of a Password

Life of a Password

Life of a Password Arvind Mani Data & Infrastructure

1.05k views • 30 slides
Claim your Baruch accounts before the Baruch Honors Orientation Through this Tutorial, you will

Claim your Baruch accounts before the Baruch Honors Orientation Through this Tutorial, you will

Claim your Baruch accounts before the Baruch Honors Orientation Through this Tutorial, you will learn how to retrieve your: Baruch Username Baruchmail Student Email Account Update the email listed in Blackboard Please note, the default

459 views • 8 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides

More recommend