an open framework for foundational proof-carrying code
DESCRIPTION
An Open Framework for Foundational Proof-Carrying Code. Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and Yu Guo (USTC). Libraries and runtime. +. Motivation. How to build fully certified software systems?. Source-level code. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/1.jpg)
An Open Framework for Foundational Proof-Carrying Code
Xinyu FengYale University
Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and
Yu Guo (USTC)
![Page 2: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/2.jpg)
Motivation
How to build fully certified software systems?Source-level code Libraries and runtime+
References with weak upd.Dynamic mem. alloc.
Functions, exceptions, …
Concurrency
I/O
Garbage collectors
malloc() (strong update)
Stacks, code pointers
Context switching & SchedulerDevice drivers
![Page 3: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/3.jpg)
Motivation All concurrency verification
assumes built-in concurrency Assume-Guarantee (A-G) reasoning Concurrent Separation logic (CSL) …
Context switching, scheduler Too low-level to be certified
in these logics
[Yu&Shao, ICFP’04]
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
Threads & schedulers have never been modularly certified!
![Page 4: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/4.jpg)
Motivation Certify all code in a single type system/program logic?
Hard to combine all features weak vs. strong update, functions/exceptions vs. goto’s, threa
ds vs. thread contexts May not be modular Very complex, hard to use Don’t know how to design such a logic
Certify modules using the most appropriate logic!
Modules do not use all the features at the same time It is simpler to use specialized logic for each module
![Page 5: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/5.jpg)
An Open Framework
Certify different modules using different verification systems!
Proof ofSP
C1
C2
C1L1 k Ck
LkCk
CC1C2
Ck
. . .C2:L2
![Page 6: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/6.jpg)
Challenges Extensibility and openness
not designed for certain specific interoperationsBut can we just use MLFs, e.g. Coq?
Expressiveness type safety, concurrency properties, partial correctness, …
A general and uniform model of control flow Allow functions certified in different systems to call each other the key for modularity: separate verification & proof reuse
Principled interoperation with clear meta-property properties of the whole system composed of modules
Not readily supported in Coq!
![Page 7: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/7.jpg)
Our contributions OCAP: an open framework
Embedding of different systems TAL, non-CPS Hoare-logic, A-G reasoning, …
Open & Extensible Modularity with first-class code pointers [Ni&Shao POPL’06] Soundness
Type safety, & preservation of invariants in foreign systems
Applications TAL + memory allocation libs. Threads + Scheduler
The first time to modularly certify both sides …
![Page 8: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/8.jpg)
Outline
OCAP Framework
Certifying Threads & Schedulers
![Page 9: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/9.jpg)
OCAP Rules
Ln…
OCAP : Overview
OCAPSoundness
Mechanized Meta-Logic (CiC)
Modeling of the machineTCB
Sound
L1
( )L1 ( )LnSound
Mechanized Meta-Logic (CiC)
Modeling of the machine
…C1 Cn
![Page 10: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/10.jpg)
The Machine
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P::=(C,S,pc)
::=(H,R)::={f I}*
pc
![Page 11: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/11.jpg)
The OCAP Logic : Overview
Hoare-style program logic for assembly
CPS-style reasoning Assign a precondition to each basic block
Similar to TAL [Morrisett et al. POPL’98]
![Page 12: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/12.jpg)
The OCAP Logic : Overview
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P::=(C,S,pc)
::=(H,R)::={f I}*
pc
a1
a2
a3
(spec) ::= {f a}*
a
![Page 13: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/13.jpg)
OCAP: Code pointers
codeptr(f,a) (f) = a (Spec) ::= {f a}*
acodeptr
Not well-founded!
Support of first-class code pointers:
![Page 14: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/14.jpg)
OCAP: Code Pointers
A generic specification:
(CdSpec) ::= …
(Assert) a Spec State Prop
(Spec) ::= {f }*
() ,S. …
No interoperation between multiple systems…
acodeptr
a
codeptr
()
![Page 15: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/15.jpg)
OCAP: Foreign Languages
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
Inductive TalType : Type :=
T_int : TalType
T_pair: TalType -> TalType-> TalType
…
Inductive Tal2Type : Type :=
T2_int : TalType
T2_pair: TalType -> TalType-> TalType
…
L ::= TalType | Tal2Type | …1 ::= T_int | T_pair 1 1 | … TalType
2 ::= T2_int | T2_pair 2 2 | … Tal2Type
![Page 16: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/16.jpg)
OCAP: Specifications
(OCdSpec) ::= <L,( )L,> L.(L Assert)*L
(Spec) ::= {(f1,1), … (fn,n)}
(Assert) a Spec State Prop
(Interp) ( )L L Assert
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
Not well-founded:
( )L
a
![Page 17: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/17.jpg)
OCAP: Specifications
(OCdSpec) ::= <,L,( )L,>
(Spec) ::= {(f1,1), … (fn,n)}
(Assert) a Spec State Prop
(Interp) ( )L L Assert
(LangTy) L ::= CiC Terms Type(CodeSpec) ::= CiC Terms L
(LangID) ::= n nat
(LangDict) D ::= {1<L1,( )L1>,…, n<Ln,( )Ln>}
LangID (L.L Assert)
( )L
a
![Page 18: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/18.jpg)
Selected OCAP Rules
D1D2; 12┝ C1C2 : 1’2’
D1;1┝ C1:1’ (link)D2;2┝ C2:2’ …
D┝ {a}jr r
,S.a S .(codeptr(S.R(r),)a’) S
(jr)a’ = [[[ ]]]D
codeptr(f,) ,S. (f)=
[[[ ]]]D ,S. ( )L.(D()=<L, ( )L>)(()L S)
= <,L,>
![Page 19: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/19.jpg)
Outline
OCAP Framework
Certifying Threads & Schedulers
![Page 20: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/20.jpg)
Threads and Scheduler
Thread code C1,…,Cn
Certified following CCAP [Yu&Shao, ICFP’04]
Assume-Guarantee reasoning Thread modularity Do not know about thread queue
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
SCAPCCAP +
Scheduler CS
Certified in SCAP [Feng et al. PLDI’06]
as sequential code Manages thread queue TQ Do not touch H
![Page 21: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/21.jpg)
Scheduler in SCAP
yield:
pick one word (pci) from TQ
swap pci and r31
jr r31
H1 pc
1
pcn…
TQ
r31
r0
H1 pc
1
pcn…
TQ
r31
r0
…
jal yield
ct: …
Thread code:
ct
ct
![Page 22: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/22.jpg)
Scheduler in SCAP
yield: (ps, gs)
pick one word (pci) from TQ
swap pci and r31
jr r31
gs
gs (r{r1,…,r30}.[r]=[r]’) Q, Q’.
p’.
Q{[r31]} = Q’{[r31]’}
WFTQ(Q)*p’WFTQ(Q’)*p’
H1 pc
1
pcn…
TQ
r31
r0
H1 pc
1
pcn…
TQ
r31
r0
ct
ct
ps Q.WFTQ(Q) * True
![Page 23: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/23.jpg)
Embedding SCAP
((p,g))Dscap …
jr $ra
g
p
…
D
Soundness:
scap┝scap C:’scap
(scap)Dscap D Dscap,┝ C:
’’ (’scap)Dsc
ap
Dscap {scap <Lscap, (_)scap> }
![Page 24: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/24.jpg)
Threads: Assume-Guarantee
S
p1 p2
S’
Spec. for threads: (p, A, G)p: State Prop
p’1 p2 ?
A, G: State State Prop
Stability of p:
pi S Ai S S’ pi S’
G1 A2
A1, G1 A2, G2
![Page 25: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/25.jpg)
CCAP embedding
ccap┝ccap Ci:’ccap
Dall {ccap <Lccap, (_)ccap>,
scap <Lscap, (_)scap> }
Dall; cy┝ Ci: ’c
y {yield <scap ,Lscap,(ps, gs)>}
c (ccap) ccap ’c (’ccap) c
cap
((p,A,G))ccap ,S. …
![Page 26: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/26.jpg)
Certify the code
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
ccap┝ccap Ci:’ccapscap┝scap Cs:’scap
Dall {ccap <Lccap, (_)ccap>,
scap <Lscap, (_)scap> }
Dall; y┝ Cs: ’y Dall; cy┝ Ci: ’c
SCAPCCAP
the “link” rule
Dall; cy┝ Ci Cs : ’c ’y
![Page 27: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/27.jpg)
Summary It is simpler and natural to certify different module
s using different logics OCAP: framework for interoperation Embedding
TAL: type system SCAP: non-cps logic for assembly CCAP: Assume-guarantee reasoning
Interoperation TAL + newpair Threads + Scheduler TAL + GC (ongoing work by Lin, McCreight, et al.)
![Page 28: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/28.jpg)
Future work
Explore the applicability of OCAP
Interoperation of different languages Currently just for assembly language
But logics are at different levels (TAL, CCAP, …)
May support C + inlined assembly
![Page 29: An Open Framework for Foundational Proof-Carrying Code](https://reader036.vdocuments.site/reader036/viewer/2022062322/568147f1550346895db5295e/html5/thumbnails/29.jpg)
Thank you!