verifying filesystems in acl2
play

Verifying filesystems in ACL2 Towards verifying file recovery tools - PowerPoint PPT Presentation

Apr 30, 2023 •338 likes •681 views

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

  1. Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34

  2. Outline Motivation and related work Our approach Progress so far Future work 2/34

  3. Why we need a verified filesystem ◮ Filesystems are everywhere, even as operating systems move towards making them invisible. ◮ In the absence of a clear specification of filesystems, users (and sysadmins in particular) are underserved. ◮ Modern filesystems have become increasingly complex, and so have the tools to analyse and recover data from them. ◮ It would be worthwhile to specify and formally verify, in the ACL2 theorem prover, the guarantees claimed by filesystems and tools. 3/34

  4. Related work ◮ In Haogang Chen’s 2016 dissertation, the author uses Coq to build a filesystem (named FSCQ) which is proven safe against crashes in a new logical framework named Crash Hoare Logic. ◮ His implementation was exported into Haskell, and showed comparable performance to ext4 when run on FUSE. ◮ Hyperkernel (Nelson et al, SOSP ’17) is a ”push-button” verification effort, but approximates by changing POSIX system calls for ease of verification. ◮ In our work, we instead aim to model an existing filesystem (FAT32) faithfully and match the resulting disk image byte-to-byte. 4/34

  5. Outline Motivation and related work Our approach Progress so far Future work 5/34

  6. Choosing an initial model ◮ Our goal here is to verify the FAT32 filesystem, but we need a simpler model to begin with. ◮ Our filesystem’s operations should suffice for running a workload. ◮ Yet, parsimony and avoidance of redundancy are essential for theorem proving. ◮ What’s a necessary and sufficient set of operations? 6/34

  7. Minimal set of operations? ◮ The Google filesystem suggests a minimal set of operations: ◮ create ◮ delete ◮ open ◮ close ◮ read ◮ write ◮ Of these, open and close require the maintenance of file descriptor state - so they can wait. ◮ However, they are essential when describing concurrency and multiprogramming behaviour. ◮ Thus, we can start modelling a filesystem, and several refinements thereof. 7/34

  8. Quick overview of models ◮ Model 1: Tree representation of directory structure with unbounded file size and unbounded filesystem size. ◮ Model 2: Model 1 with file length as metadata. ◮ Model 3: Tree representation of directory structure with file contents stored in a ”disk”. ◮ Model 4: Model 3 with bounded filesystem size and garbage collection. 8/34

  9. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket1,”Sun 19:00” 9/34

  10. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket1,”Sun 19:00” ticket2,”Tue 21:00” 10/34

  11. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket2,”Tue 21:00” 11/34

  12. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket2,”Wed 01:00” 12/34

  13. Model 2 ◮ Model 1 supports nested directory structures, unbounded file size and unbounded filesystem size. ◮ However, there’s no metadata, either to provide additional information or to validate the contents of the file. ◮ With an extra field for length, we can create a simple version of fsck that checks file contents for consistency. ◮ Further, we can verify that create, write, delete etc preserve this notion of consistency. 13/34

  14. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket1,”Sun 19:00”,9 14/34

  15. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket1,”Sun 19:00”,9 ticket2,”Tue 21:00”,9 15/34

  16. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket2,”Tue 21:00”,9 16/34

  17. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket2,”Wed 01:00”,9 17/34

  18. Model 3 ◮ As the next step, we focus on externalising the storage of file contents. ◮ We also choose to break up file contents into ”blocks” of a constant length (8.) ◮ Note: this would mean storing file length is no longer optional, to avoid reading garbage past end of file at the end of a block. 18/34

  19. Model 3 \ tmp vmlinuz,(0),3 ticket1,(1 2),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 19/34

  20. Model 3 \ tmp vmlinuz,(0),3 ticket1,(1 2),9 ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 Tue 21:0 0 20/34

  21. Model 3 \ tmp vmlinuz,(0),3 ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 Tue 21:0 0 21/34

  22. Model 3 \ tmp vmlinuz,(0),3 ticket2,(5 6),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 Tue 21:0 0 Wed 01:0 0 22/34

  23. Model 4 ◮ In the fourth model, we attempt to implement garbage collection in the form of an allocation vector. ◮ The allocation vector tracks whether blocks in the filesystem are in use by a file. This allows us to reuse unused blocks. 23/34

  24. Model 4 \ vmlinuz,(0),3 tmp ticket1,(1 2),9 Table: Disk \ 0 \ 0 \ 0 true Sun 19:0 true 0 true false false false 24/34

  25. Model 4 \ vmlinuz,(0),3 tmp ticket1,(1 2),9 ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 true Sun 19:0 true 0 true Tue 21:0 true 0 true false 25/34

  26. Model 4 \ vmlinuz,(0),3 tmp ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 true Sun 19:0 false 0 false Tue 21:0 true 0 true false 26/34

  27. Model 4 \ vmlinuz,(0),3 tmp ticket2,(1 2),9 Table: Disk \ 0 \ 0 \ 0 true Wed 01:0 true 0 true Tue 21:0 false 0 false false 27/34

  28. Outline Motivation and related work Our approach Progress so far Future work 28/34

  29. Proof approaches and techniques ◮ There are many properties that could be considered for correctness, but we choose to focus on the read-over-write theorems from the first-order theory of arrays. ◮ Read n characters starting at position start in the file at path hns in filesystem fs : l1-rdchs(hns, fs, start, n) ◮ Write string text characters starting at position start in the file at path hns in filesystem fs : l1-wrchs(hns, fs, start, text) 29/34

  30. Proof approaches and techniques ◮ First read-over-write theorem: reading from a location after writing to the same location should yield the data that was written. Formally, assuming n = length(text) and suitable ”type” hypotheses (omitted here): l1-rdchs(hns, l1-wrchs(hns, fs, start, text), start, n) = text ◮ Second read-over-write-theorem: Reading from a location after writing to a different location should yield the same result as reading before writing. Formally, assuming hns1 != hns2 and suitable ”type” hypotheses (omitted here): l1-rdchs(hns1, l1-wrchs(hns2, fs, start2, text2), start1, n1) = l1-rdchs(hns1, fs, start1, n1) 30/34

  31. Proof approaches and techniques ◮ For each of the models 1, 2, 3 and 4, we have proofs of correctness of the two read-after-write properties, making use of the proofs of equivalence between models and their successors. ◮ Model 4 presented some unique challenges - proving the read-after-write properties required proving an equivalence between model 4 and model 2, rather than model 3. 31/34

  32. Proof approaches and techniques l 2 l 2 write l2-to-l1-fs l2-to-l1-fs l 1 l 1 write l 2 text read l2-to-l1-fs read l 1 l 2 l 2 text write read l2-to-l1-fs l2-to-l1-fs read l 1 l 1 write 32/34

  33. Outline Motivation and related work Our approach Progress so far Future work 33/34

  34. Future work ◮ Model and verify file permissions. ◮ Linearise the tree, leaving only the disk. ◮ Add the system call open and close with the introduction of file descriptors. This would be a step towards the study of concurrent FS operations. ◮ Eventually emulate the FAT32 filesystem as a convincing proof of concept, and move on to fsck and file recovery tools. 34/34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
A SAT-Based Procedure for Verifying Finite State Machines in ACL2 Warren A. Hunt, Jr. and Erik

A SAT-Based Procedure for Verifying Finite State Machines in ACL2 Warren A. Hunt, Jr. and Erik

A SAT-Based Procedure for Verifying Finite State Machines in ACL2 Warren A. Hunt, Jr. and Erik Reeber {reeber,hunt}@cs.utexas.edu The University of Texas ACL2 Workshop, August 16 , 2006 Introduction The ACL2 theorem prover is great

252 views • 22 slides
Formalising Filesystems in the ACL2 Theorem Prover An Application To FAT32 Mihir Mehta

Formalising Filesystems in the ACL2 Theorem Prover An Application To FAT32 Mihir Mehta

Formalising Filesystems in the ACL2 Theorem Prover An Application To FAT32 Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 05 November, 2018 1/25 Why filesystem verification matters

486 views • 25 slides
ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya http://staff.computing.dundee.ac.uk/katya/acl2ml/ 12 July 2014 ACL214 J. Heras ACL2(ml): Machine-Learning for ACL2 1/23 Outline Some Challenges in ACL2 1 An overview of

871 views • 56 slides
This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are

This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are

Linux System Administration SSU: Disks and Filesystems 1 This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are the traditional places to put filesystems. Then we'll take a look at logical

711 views • 58 slides
Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming Introduction ACL2 ( r ) is a variant of ACL2 that supports the irrational numbers It is distributed with the ACL2 sources The foundations of ACL2

479 views • 29 slides
Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Moreno Baricevic Gilberto Daz Axel Kohlmeyer Stefano Cozzini ULA ICTP CNR-IOM DEMOCRITOS Merida, VENEZUELA Trieste, ITALY Trieste, ITALY Introduction Introduction to storage and to storage and filesystems filesystems Introduction

1.19k views • 51 slides
Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach

Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach

Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach Steve Roach Fares Fraij Department of Computer Science The University of Texas at El Paso Fifth International Workshop on the ACL2 Theorem

299 views • 17 slides
Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2 Workshop, FLoC, Seattle, August 16, 2006 1 Introduction ACL2 provides a powerful congruence-based rewriting capability. However, some have

537 views • 19 slides
How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1 Introduction (1) ACL2 Version 3.5 was released in May, 2009. Release note items (see :DOC release-notes) since then: (+ 41 ; 3.6 (8/2009) 3 ;

622 views • 49 slides
Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a logic of total functions. Some recursive equations have no satisfying ACL2 functions: No ACL2 function g satisfies this recursive equation

518 views • 35 slides
A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro Coglio Kestrel Institute Workshop 2018 ATJ Java code generator for ACL2 (ACL2 To Java) based on AIJ deep embedding of ACL2 in Java (ACL2 In Java)

901 views • 38 slides
Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu

Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu

Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu Northeastern University Boston, MA, USA 1 ACL2 2 ACL2 Formal verification based on pure, first-order Common Lisp. Used to model critical

909 views • 61 slides
Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop 2018 This talk is for hint abusers This might be you if: You cant be bothered to figure out a good rewriting strategy You just dont know

541 views • 30 slides
Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon

Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon

Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon Austel IBM IBM Outline Outline What a typed ACL2 might look like Vague proposal concerning how to change ACL2 to allow experimentation with type

873 views • 19 slides
DrACuLa: ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen ACL2 Workshop August

DrACuLa: ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen ACL2 Workshop August

DrACuLa: ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen ACL2 Workshop August 16, 2006 1 Undergraduate Software Engineering Page teaches two SE courses at Oklahoma U. Covers usual topics - specification, documentation,

557 views • 51 slides
June 13, 2018 Disclaimer - Estimates are considered accurate based on data as of the date of

June 13, 2018 Disclaimer - Estimates are considered accurate based on data as of the date of

1 SOUTH WHIDBEY SCHOOL DISTRICT NO. 206 Revenue June 13, 2018 Disclaimer - Estimates are considered accurate based on data as of the date of publication. Final adjustments/modifications may be made up to the board certification date (July

1.12k views • 75 slides
Pima County Transportation Advisory Committee Regional Local Road Repair Program September 12,

Pima County Transportation Advisory Committee Regional Local Road Repair Program September 12,

Pima County Transportation Advisory Committee Regional Local Road Repair Program September 12, 2017 Initial Methodology Discussion 1. To keep roads from moving to failure, methodology reviews/includes PASER 5 roads only. 2. ADT was determined

174 views • 14 slides
File System Implementation Sunu Wibirama Thursday, December 16, 2010 Outline File-System

File System Implementation Sunu Wibirama Thursday, December 16, 2010 Outline File-System

File System Implementation Sunu Wibirama Thursday, December 16, 2010 Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Thursday,

743 views • 40 slides
The Magic Stick Q-Stick is a small, stylish and powerful gateway which connects to an existing

The Magic Stick Q-Stick is a small, stylish and powerful gateway which connects to an existing

The Magic Stick Q-Stick is a small, stylish and powerful gateway which connects to an existing Wi-Fi network and provides control over up to 16 Z-Wave devices through a mobile phone , tablet or computer . It resembles a USB stick and comes with a

365 views • 9 slides
FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li,

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li,

FINDING A NEEDLE IN HAYSTACK, FACEBOOKS PHOTO STORAGE Based on: D. Beaver, S. Kumar, H. C. Li, J. Sobel, and P. Vajgel: Finding a Needle in Haystack: Facebook's Photo Storage, in Proceedings USENIX OSDI 2010, Vancouver, Canada, October

397 views • 23 slides
Board Self-Evaluation August 2, 2017 Grace Mah CSBA Board Self-Evaluation Objective A

Board Self-Evaluation August 2, 2017 Grace Mah CSBA Board Self-Evaluation Objective A

Board Self-Evaluation August 2, 2017 Grace Mah CSBA Board Self-Evaluation Objective A governance team can strengthen or maintain its effectiveness by periodically assessing its own performance. A self assessment provides the

293 views • 7 slides
Screenshot Presentation Learning Management System Description (pt-br) Ivela uma aplicao

Screenshot Presentation Learning Management System Description (pt-br) Ivela uma aplicao

Screenshot Presentation Learning Management System Description (pt-br) Ivela uma aplicao de cdigo-aberto (GPL v2) para o Gerenciamento de Ensino Distncia (LMS Learning Management System). O nome Ivela significa na lngua

617 views • 32 slides
United States Court of Appeals for the Federal Circuit 05-1074, -1075, -1100 ON DEMAND MACHINE

United States Court of Appeals for the Federal Circuit 05-1074, -1075, -1100 ON DEMAND MACHINE

United States Court of Appeals for the Federal Circuit 05-1074, -1075, -1100 ON DEMAND MACHINE CORPORATION, Plaintiff-Cross Appellant, v. INGRAM INDUSTRIES, INC. and LIGHTNING SOURCE, INC., Defendants-Appellants, and AMAZON.COM, INC.,

355 views • 23 slides

More recommend