![Page 1: Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1](https://reader030.vdocuments.site/reader030/viewer/2022032701/56649c755503460f94929a13/html5/thumbnails/1.jpg)
Page 1
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks
C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker
Page 2
• In the last decade, dozens of researchers have been investigating proof-carrying code (PCC)
• These researchers have split into two camps:
– those using syntactic proof methods
– those using semantic proof methods
Page 3
• We want to be able to investigate different proof methodologies, such as syntactic and semantic type systems
• The list-machine benchmark consists of
– an assembly language
– an operational semantics
– a type system specification
– two implementations of a type system
• This benchmark is
– simple, so that it is easy to understand
– modular, so that it is flexible
– publicly available at http://www.cs.princeton.edu/~appel/listmachine/2.0
List-Machine Benchmark
Page 4
Changes to the List-Machine Benchmark for 2.0
• Implemented only in Coq
• Added a semantic type system
• Reorganized the framework
Page 5
Outline
Introduction
• Organization of the List-Machine framework
• Extend the List Machine with fault tolerance
• Semantic and syntactic methods in large systems
Page 6
Machine Specification
Page 7
Modules
Page 8
Modules
Typechecking Algorithm
Typechecker Soundness Proof
Type System
Type System Specification
Typechecking Algorithm: check(Π,Ψ) = true
Typechecker Soundness Proof: check(Π,Ψ) = true → Π ⊢blocks Ψ
Type System (proves): Π ⊢blocks Ψ → safe Ψ
Type System Specification:
• type operators
• definitions of typing rules
• statement of safety: Π ⊢blocks Ψ → safe Ψ
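The chain of modules above, check(Π,Ψ) = true → Π ⊢blocks Ψ → safe Ψ, is easiest to see on a toy instance. The following is an added example, not code from the paper or from the list-machine benchmark: a simplified list-machine-style language (values are nil or cons cells; types are nil, listcons and list, with nil ≤ list and listcons ≤ list), a typechecking algorithm check(Π, Ψ) that walks each block under the register types Ψ gives for its label, and an executable operational semantics with a bounded safety check. The instruction set, the register names, the type names and the sample programs are all constructed assumptions; the bounded safe() is a test, not the proof the Coq development provides.

```python
# Added illustration (not the benchmark's own code): a tiny list-machine-style
# language with a typechecker check(Pi, Psi) and a brute-force safety check.
# Values are nil (None) or cons cells; types are 'nil', 'listcons' (a non-empty
# list) and 'list' (either). Everything here is an assumed simplification.
NIL = None

def cons(a, d):
    return ("cons", a, d)

def subtype(t1, t2):
    """nil <= list and listcons <= list; every type is a subtype of itself."""
    return t1 == t2 or t2 == "list"

def env_subtype(g1, g2):
    """Gamma1 <= Gamma2: every register Gamma2 mentions has a smaller type in Gamma1."""
    return all(r in g1 and subtype(g1[r], t) for r, t in g2.items())

def check_block(block, gamma, psi):
    """Typecheck one block under its entry environment; blocks must end in jump or halt."""
    gamma = dict(gamma)
    for i, ins in enumerate(block):
        last = i == len(block) - 1
        op = ins[0]
        if op == "halt":
            return last
        if op == "jump":
            return last and ins[1] in psi and env_subtype(gamma, psi[ins[1]])
        if op == "branch_if_nil":                 # ('branch_if_nil', r, label)
            _, r, lbl = ins
            if r not in gamma or lbl not in psi:
                return False
            if not env_subtype(dict(gamma, **{r: "nil"}), psi[lbl]):
                return False                      # taken branch must fit the target's types
            if gamma[r] == "list":
                gamma[r] = "listcons"             # fall-through: r is known to be non-empty
        elif op == "fetch":                       # ('fetch', r, field, d): d := field of cons r
            _, r, _field, d = ins
            if gamma.get(r) != "listcons":
                return False                      # fetching a field of nil would get stuck
            gamma[d] = "list"
        elif op == "cons":                        # ('cons', a, d, dst): dst := cons(a, d)
            _, a, d, dst = ins
            if a not in gamma or d not in gamma:  # any type is a subtype of list
                return False
            gamma[dst] = "listcons"
        else:
            return False
    return False                                  # fell off the end of the block

def check(pi, psi, regs):
    """check(Pi, Psi) = true: all registers start as nil and every block typechecks."""
    gamma0 = {r: "nil" for r in regs}
    return ("L0" in pi and set(pi) == set(psi)
            and env_subtype(gamma0, psi["L0"])
            and all(check_block(pi[l], psi[l], psi) for l in pi))

def step(pi, pc, rho):
    """One small step of the operational semantics; None means the machine is stuck."""
    label, i = pc
    block = pi.get(label)
    if block is None or i >= len(block):
        return None
    ins = block[i]
    op = ins[0]
    if op == "halt":
        return "halt"
    if op == "jump":
        return ((ins[1], 0), rho)
    if op == "branch_if_nil":
        _, r, lbl = ins
        return ((lbl, 0), rho) if rho[r] is NIL else ((label, i + 1), rho)
    if op == "fetch":
        _, r, field, d = ins
        if rho[r] is NIL:
            return None                           # the unsafe case: nil has no fields
        return ((label, i + 1), dict(rho, **{d: rho[r][1 + field]}))
    if op == "cons":
        _, a, d, dst = ins
        return ((label, i + 1), dict(rho, **{dst: cons(rho[a], rho[d])}))
    return None

def safe(pi, regs, fuel=1000):
    """Bounded approximation of 'safe Pi': execution never reaches a stuck state."""
    state = (("L0", 0), {r: NIL for r in regs})
    for _ in range(fuel):
        nxt = step(pi, *state)
        if nxt == "halt":
            return True
        if nxt is None:
            return False
        state = nxt
    return True                                   # still running after the budget: not stuck

REGS = ("r0", "r1")

# Constructed example: build a two-element list in r1, then walk it down to nil.
WALK = {
    "L0": [("cons", "r0", "r0", "r1"), ("cons", "r0", "r1", "r1"), ("jump", "L1")],
    "L1": [("branch_if_nil", "r1", "L2"), ("fetch", "r1", 1, "r1"), ("jump", "L1")],
    "L2": [("halt",)],
}
WALK_TYPES = {"L0": {"r0": "nil", "r1": "nil"},
              "L1": {"r0": "nil", "r1": "list"},
              "L2": {"r0": "nil", "r1": "nil"}}

# Constructed counterexample: fetches a field of r0 while r0 is still nil.
BAD = {"L0": [("fetch", "r0", 0, "r1"), ("halt",)]}
BAD_TYPES = {"L0": {"r0": "nil", "r1": "nil"}}

if __name__ == "__main__":
    print("WALK: check =", check(WALK, WALK_TYPES, REGS), "safe =", safe(WALK, REGS))
    print("BAD:  check =", check(BAD, BAD_TYPES, REGS), "safe =", safe(BAD, REGS))
```

The typechecker rejects BAD because fetch demands a listcons register, and the semantics confirms why: the fetch on nil is a stuck state. WALK typechecks and runs to halt. The soundness statement in the deck is the claim that this pairing holds for every program, which is what the Coq proof establishes and what no amount of bounded execution can.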
Page 10
Syntactic Type System
• Type operators defined inductively
• Typing rules defined inductively
• The type system is proven sound via metatheorems (progress and preservation), by induction over the inductive definitions.
Type System Specification
Syntactic Soundness Proof: Π ⊢blocks Ψ → safe Ψ
Page 11
Semantic Type System
reusable
Type System Specification
Semantic Soundness Proof: Π ⊢blocks Ψ → safe Ψ
List Machine Hoare Logic: Π ⊢blocks Ψ; Π;Ψ ⊢block ι:P; Π;Ψ ⊢instr P{ι}Q
Modal Specification Logic
Modal Model Library
Page 12
Outline
Introduction
Organization of the List-Machine framework
• Extend the List Machine with fault tolerance
• Semantic and syntactic methods in large systems
Page 13
Fault Tolerance
• Extend the List-Machine framework to provide fault tolerance
– Requires non-trivial modifications to the framework
– Demonstrates the flexibility of the framework
Page 14
Simple List-Machine Example (without faults)
Page 15
Fault Model
• Single Event Upset
– assume a fault will occur at most once
• A fault may change just one register’s value to any other value.
Page 16
Simple List-Machine Example (with faults)
Page 17
Fault-Tolerant Modified Machine Specification
Page 18
Fault-Tolerant Example
Page 19
Incorrect Fault-Tolerant Example
Page 20
Is the modified code fault-tolerant?
• Fault tolerance becomes part of the safety property
• Type system ensures proper use of colors
• Model possible occurrences of faults
Page 21
Modify the Operational Semantics
Page 22
Modify the Operational Semantics
Branch instructions require green and blue computations to agree
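The fault model (a single event upset that changes at most one register to some other value) and the rule that a branch requires the green and blue computations to agree can be checked exhaustively on a toy machine. The following is an added example, not code from the paper or from the benchmark: a register machine with a green store ρ and a blue FT store ρ′, instructions tagged with the color they compute in, and a branch that first compares the two copies of the register it tests. A fault injector then tries every single-register upset at every program point, for a constructed sample of replacement values (the model's "any other value" is unbounded, so a sample stands in for it). The instruction set, register names, sample values and the two programs are constructed assumptions; the outcome classes (correct, silently wrong, detected) are how a defender would grade a redundancy scheme.

```python
# Added illustration (not the benchmark's own code): a toy register machine with
# a green store rho and a blue "FT" store rho', the single-event-upset fault model
# (one register, at most once, replaced by another value), and a branch that
# requires the green and blue copies to agree. Everything here is an assumed
# simplification; the instruction set and the register names are constructed.
REGS = ("r0", "r1", "r2")

def run(prog, ft, fault=None, max_steps=100):
    """Execute prog. fault = (pc, color, reg, value) is injected once, just before
    the instruction at that pc executes. Returns the halt label, 'detected' when
    an FT branch sees the two colors disagree, or 'timeout'."""
    stores = {"g": dict.fromkeys(REGS, 0), "b": dict.fromkeys(REGS, 0)}
    pc, injected = 0, False
    for _ in range(max_steps):
        if fault is not None and not injected and fault[0] == pc:
            _, color, reg, value = fault           # the single event upset
            stores[color][reg] = value
            injected = True
        ins = prog[pc]
        op = ins[0]
        if op == "halt":                           # ('halt', label)
            return ins[1]
        if op == "movi":                           # ('movi', color, d, k): d := k in that store
            _, color, d, k = ins
            stores[color][d] = k
            pc += 1
        elif op == "add":                          # ('add', color, d, a, b): d := a + b
            _, color, d, a, b = ins
            stores[color][d] = stores[color][a] + stores[color][b]
            pc += 1
        elif op == "beq":                          # ('beq', r, k, target): branch if r == k
            _, r, k, target = ins
            if ft and stores["g"][r] != stores["b"][r]:
                return "detected"                  # FT semantics: colors must agree at a branch
            pc = target if stores["g"][r] == k else pc + 1
        else:
            raise ValueError(f"unknown instruction {ins}")
    return "timeout"

# Constructed program without redundancy: compute 2 + 3 and branch on the result.
PLAIN = [
    ("movi", "g", "r0", 2),
    ("movi", "g", "r1", 3),
    ("add", "g", "r2", "r0", "r1"),
    ("beq", "r2", 5, 5),        # expected: taken, to the DONE halt at index 5
    ("halt", "MISS"),
    ("halt", "DONE"),
]

# Same computation duplicated in green and blue; the branch checks agreement on r2.
FT = [
    ("movi", "g", "r0", 2), ("movi", "b", "r0", 2),
    ("movi", "g", "r1", 3), ("movi", "b", "r1", 3),
    ("add", "g", "r2", "r0", "r1"), ("add", "b", "r2", "r0", "r1"),
    ("beq", "r2", 5, 8),        # expected: taken, to the DONE halt at index 8
    ("halt", "MISS"),
    ("halt", "DONE"),
]

def analyze(prog, ft, values=(0, 1, 2, 5, 7, -1)):
    """Enumerate every single-register upset (each pc, color, register, and a
    constructed sample of replacement values) and tally the outcomes."""
    colors = ("g", "b") if ft else ("g",)
    outcomes = {"ok": 0, "wrong": 0, "detected": 0}
    for pc in range(len(prog)):
        for color in colors:
            for reg in REGS:
                for value in values:
                    res = run(prog, ft, fault=(pc, color, reg, value))
                    key = {"DONE": "ok", "MISS": "wrong"}.get(res, res)
                    outcomes[key] = outcomes.get(key, 0) + 1
    return outcomes

if __name__ == "__main__":
    print("plain:", analyze(PLAIN, ft=False))   # some faults silently take the wrong branch
    print("ft:   ", analyze(FT, ft=True))       # every fault is masked or detected
```

The plain program has injection points where a corrupted r0, r1 or r2 steers the branch the wrong way with nothing noticing. In the FT program a fault in one color never reaches the branch unobserved, because the other color still holds the correct value and the agreement check fires; the only faults that pass are ones overwritten before use or ones that happen to restore the correct value. The type system in the deck is what guarantees, for every well-typed program rather than these two, that the colors are used so that this argument holds.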
Page 23
FT Summary
Semantic
Syntactic
Machine syntax
Operational semantics
Typechecker
Type systems
Definition of “safe” to include fault states
• Safety (colors, no faults)
Model faults
Safety in the presence of faults
Page 24
Outline
Introduction
Organization of the List-Machine framework
Extend the List Machine with fault tolerance
• Semantic and syntactic methods in large systems
Page 25
How Semantic and Syntactic Methods Scale
Princeton Foundational Proof-Carrying Code (FPCC) vs.
Carnegie Mellon ConCert project
FPCC :: Semantic; ConCert :: Syntactic
Page 26
Common Traits
• Include a TAL for ML compiled to machine code
• Goal: guarantee a memory property for untrusted code
• Written in Twelf
• Industrial-strength TALs
• Large systems
Page 27
Composition
Trusted Computing Base
T + L + M << P
Machine – SPARC or x86 definitions
Logic – example: definition of modular arithmetic
Theorems – statement of the safety property
Proof
Checker – theorem checker for FPCC and a metatheorem checker for ConCert
Page 28
Token count of TCB components
[Bar chart: token counts per TCB component for FPCC and ConCert; y-axis 0 to 400000; components: Checker, Runtime, Policy, Machine Definition, Axioms]
Page 29
Token count of TCB components
The TCBs are equivalent in size except for the Checker
[Bar chart: the same token counts for FPCC and ConCert with the y-axis rescaled to 0 to 30000; components: Checker, Runtime, Policy, Machine Definition, Axioms]
Page 30
Interface Safety
Requires
• updating the policy
• moving the type system from Proof to Theorem
– now part of the TCB
Should the type system be semantic or syntactic?
Page 31
Scaling Law
Semantic: new definition per type constructor
Syntactic: new definition per expression constructor
Toy systems have few expression constructors…
Page 32
Real systems have more expression constructors than type constructors.
Semantic methods therefore require fewer definitions.
Is the average type definition larger than the average typing rule?
Page 33
In toy systems, typing rules are simple...
```twelf
|- stmt_prim_lbladd_ADD_imm: judge_stmt (e_prim A (p_lbladd V1 (val_diff L0 Lab I2)))
                               Prog L CCEnv AENV KL Ps Phi L' CCEnv AENV KL Ps' Phi'
  <- regbind A At Prog
  <- targetreg At Ar
  <- regbind_val Prog V1 Vt
  <- realreg Vt Vr
  <- diff_value Prog (val_diff L0 Lab I2) Vc
  <- imm13 Vc (c Vimm13)
  <- valueTy Prog KL Phi V1 (offset I1 (int pi= (addr Lab)))
  <- valueTy Prog KL Phi (val_diff L0 Lab I2) (offset I2 (diff L0 Lab))
  <- check_lbladd_offset I1 I2
  <- num_add I1 I2 I1+I2
  <- venv_add\ Prog A (offset I1+I2 (int pi= (addr L0))) Phi Phi'
  <- decode_list L L' Ps Ps' (instr_ADD Vr (inject_imode Vimm13) Ar)
  = ...
```
Page 34
How does this balance in FPCC & ConCert?
[Bar chart: Size of Type System Specification, y-axis 0 to 35000, for Semantic FPCC, Syntactic FPCC, ConCert (XTALT) and ConCert (TALT)]
• FPCC’s semantic definitions are half the size of syntactic definitions for FPCC
• This will become even more pronounced according to the scaling law if the compiler wishes to generate more instructions.
Page 35
Conclusion
Introduction
Organization of the List-Machine framework
Extend the List Machine with fault tolerance
Semantic and syntactic methods in large systems
Page 36
Appendix
Page 37
Modified Typing Rules
Page 38
Modified Operational Semantics
Original: w = (n, ρ, a); Modified: w = (n, ρ, a, ρ′, κ)
• ρ′ – FT register store
• κ – color store
(and equivalent for the syntactic system)
Page 39
Modified Semantic Type System
Page 40
List-Machine Benchmark 2.0
• Easily extended
• Facilitates small scale comparisons between many proof methods (semantic and syntactic).
Page 41
• Compare how type systems scale between semantic and syntactic proof methods
Princeton’s Foundational Proof Carrying Code (FPCC) vs.
Carnegie Mellon’s ConCert
Page 42
Modules
Page 43
Type System Specification
Typechecking Algorithm
Typechecker Soundness Proof
Type System
Typechecking Algorithm: check(Π,Ψ) = true
Typechecker Soundness Proof: check(Π,Ψ) = true → Π ⊢blocks Ψ
Type System: Π ⊢blocks Ψ → safe Ψ
Type System Specification
Page 45
Modules