Upload File

the science of deep specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · the science of...

  • Home
  • Documents
  • The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,
29
The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich, Steve Zdancewic, Zhong Shao, Adam Chlipala Princeton Penn Yale MIT

Upload: others

Post on 05-Apr-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

TheScienceofDeepSpecification

AndrewW.Appel,BenjaminPierce,StephanieWeirich,SteveZdancewic,Zhong Shao,AdamChlipala

Princeton Penn Yale MIT

Page 2: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Zero-vulnerabilitycriticalsoftware– Compilers,interpreters– Operatingsystems– Filesystems,networkingstacks– Distributedmiddleware– Databases– Crypto,securityprotocols

Apipedream?

Ahigh-value“niche”

Maybeuntilrecently!

Page 3: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Heroicproofsofconcept• CompCert (Ccompiler)• L4.verified(OS)

Page 4: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Proliferationof“pointsolutions”• CertiKos (hypervisor)

• Verdi(distributedalgorithmstoolkit)• RockSalt (softwarefaultisolation)• CakeML (MLcompiler)

• VeLLVM (LLVMoptimizations)

• HMAC+SHA(crypto)• …

Individuallyimpressive!Butdisconnected

Page 5: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

TheRiseofIntegratedStacks• CompCert ecosystem• L4.verifiedecosystem• IronClad Apps• Bedrockwebserver• Everest(verifiedhttps)• … Whatmakesthischallenging?

(lotsofthings,but inparticular…)

SpecificationEngineering!

Page 6: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

WhatwelearnedfromCompCert

6

Clanguage

CompCertCompiler

PowerPCISA

ProgramLogic

VerifiableCSystem

Clanguage

IBM’sCPU

Transistors

PowerPCISA

OSclientinterface

CertiKOShypervisorkernel

Clanguage AppelShao

PeterSewellUniv.ofCambridge

XavierLeroyInria

Page 7: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Whatwediscovered ...

7

CompCertCompiler

PowerPCISA

Clanguage

IBM’sCPU

Transistors

PowerPCISA

ProgramLogic

VerifiableCSystem

Clanguage

OSclientinterface

CertiKOShypervisorkernel

Clanguage AppelShao

PeterSewellUniv.ofCambridge

XavierLeroyInria

Page 8: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Solution:exercisespec.frombothsides(2006-2015)

8

CompCertCompiler

IBM’sCPU

Transistors

ProgramLogic

VerifiableCSystem

Clanguage

OSclientinterface

CertiKOShypervisorkernel

Clanguage

XavierLeroyINRIA

AppelShao

PeterSewellUniv.ofCambridge

Clanguage

PowerPCISA

PowerPCISA

Page 9: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Integration!

TheFutureofFormalMethods…

^

Page 10: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

TheScienceofDeepSpecification

Page 11: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

AnewNSFExpedition…

11

AndrewAppel

ZhongShao

StephanieWeirich

BenjaminPierce

SteveZdancewic

AdamChlipala

Princeton Penn YaleMIT

$10m5years

Page 12: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

DeepSpecificationsareFORMAL,RICH,LIVE,and2-SIDED

12

RICH describecomplexbehaviorsindetail

FORMAL innotationwithaclearsemantics

LIVEmachine-checkedconnectiontoimplementations

2-SIDEDconnectedtobothimplementations&clients

Page 13: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

DeepSpec goals1. Coreresearch2. Education3. Communitybuilding

13

Page 14: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

14

CoreResearchTopics

Page 15: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Individualprojects,connectedatdeepspecs

15AdamChlipala

Verifiedprocessordesign

Page 16: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Individualprojects,connectedatdeepspecs

16

AndrewAppel

VerifiedtoolchainforverifyingconcurrentCprograms

Page 17: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Individualprojects,connectedatdeepspecs

17

SteveZdancewic

VerifiedLLVMcompiler

Page 18: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Individualprojects,connectedatdeepspecs

18

StephanieWeirich

Specificationoffunctionallanguage

Page 19: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Individualprojects,connectedatdeepspecs

19

ZhongShao

VerifiedhypervisorOSkernel

Page 20: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Individualprojects,connectedatdeepspecs

20

BenjaminPierce

Specification-basedrandom

testing

Page 21: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

SpecificationandtestingPromisingdevelopment:Theriseofspecification-basedautomatedtestingtechniques– Property-based random testing(QuickCheck)– Model-based testing– Oracle-based testing– …

Page 22: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

End-to-EndDemo(s)Leadingcandidates:– Votingsystems– Automotive software– Datacenterinfrastructure

22

Othersuggestions??

Page 23: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Educationandtraining

23

Textbooksandon-linematerialsSoftwareFoundationstextisusedatdozensofuniversities.Nowweknow:

Withgoodinstructionalmaterialsandinteractiveproofcheckers,specification&verificationcanbetaught…

...justlikeprogrammingandsoftwareengineeringcanbetaught!

Page 24: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

BookDevelopment• Goal:UseSoftwareFoundations toseedanewseriesof“verifiedtextbooks”

• Firststep:

• Later:– Averifiedcompiler textbook?

24

VerifiedFunctionalAlgorithms

AndrewAppel

(fall2016)

Page 25: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

CurriculumDevelopment

• Modularity⇒cleanpedagogical implementations• Precise(andcorrect!)descriptionofrelevantabstractions• Specifications⇒automatedtestharnesses/testcases/property-basedtesting(forgrading)

• Connects toformalmethodscoursethatteachesverificationtechniquesfortheseartifacts

25

NewCompiler&OSCoursesbasedon

CertiKOS

Page 26: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

EducationSpecialistsBruceLenthallExecutiveDirectorPennCTL(CenterforTeaching&Learning)

EmilyElliottAssociateDirector,PennCTL

AnandaGunawardenaLecturer,PrincetonCS

Responsibilities:• determineappropriatemetricsforlearningoutcomes

• designassessmentplan• developdatacollectionplans

• helpdesignmeasurementinstruments

• analyzedata• workwithIRBs

Responsibilities:• manageimplementationofdatacollectionplan

• sendout,collect,andcompileassessments

• etc.

Page 27: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Assessmenttools1. ABETcourseoutcomes– Compare“pre-DS”to“DS-ified”versions of

courseatthesameuniversity (e.g.,Princeton),whereDS-ified versionswillbetestdriveninlateryearsoftheproject

2. Studentsurveys3. Instructorsurveys4. TrackingchangesbetweensuccessiveofferingsofDS-ified courses

Page 28: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

CommunitybuildingGoalistoactasapointaroundwhichthingscrystallize…

• Workshops (everysummer)• Summerschools(beginningnextsummer)• Visitorprogram(acceptingapplications!)• IndustrialAdvisoryBoard• SupportforCoqdevelopment• Jobs forpostdocs,engineers,PhDstudents

28

Page 29: The Science of Deep Specificationbcpierce/papers/deepspec-hcss... · 2016-05-11 · The Science of Deep Specification Andrew W. Appel, Benjamin Pierce, Stephanie Weirich , Steve Zdancewic,

Joinus!• DeepSpec isnotaboutbuildingasinglesystemorstack– It’saboutfindingouthowtomakeconnectionsbetweensystems

• Whowouldyou liketoconnectto?

29


Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University

Deep calls unto deep

CS 678 – Deep Learning1 Deep Learning Early Work Why Deep Learning Stacked Auto Encoders Deep Belief Networks

Deep Learning Lab Course 2017 (Deep Learning …ais.informatik.uni-freiburg.de/teaching/ws17/deep...Deep Learning Lab Course 2017 (Deep Learning Practical) Labs: (Computer Vision)

Lecture 1 SOFTWARE FOUNDATIONS IN COQ › ... › zdancewic-sf-lec01.pdf• Gottlob Frege: a German mathematician who started in geometry but became interested in logic and foundations

Deep Deep DecarbonisationDecarbonisationDecarbonisationfor

Lecture 21 CIS 341: COMPILERS - Penn EngineeringCIS 341: Compilers 22 LOOP OPTIMIZATIONS Zdancewic CIS 341: Compilers 23 Loop Optimizations • Program hot spots often occur in loops

How Deep Are Deep Gaussian Processes?

A UNIFIED DATA-CENTRIC APPROACH TOWARDS AN … · thesis committee chair and WPE-II committee chair; Steve Zdancewic co-authored my first paper ... that you taught me programming

INSTALLATION AND OPERATION INSTRUCTIONS FOR BI DEEP Panorama... · 2018-02-10 · INSTALLATION AND OPERATION INSTRUCTIONS FOR BI-DEEP UNITS BI-40-DEEP BI-50-DEEP BI-60-DEEP BI-72-DEEP

Deep bidirectional intelligence: AlphaZero, deep IA-search ...€¦ · Deep bidirectional intelligence: AlphaZero, deep IA‑search, deep IA‑infer, and TPC causal learning Lei Xu1,2*

Foster Lafortune Madhusudan Bodik · Foster Lafortune Bodik Alur Hartmann Zdancewic Vardi Tripakis Tabuada Kavraki Solar-Lezama Seshia Sangiovanni Kress-Gazit Loo Madhusudan Martin

From Deep Learning to Deep Reasoning

Digging Deep: Making “Deep” Connections

Lecture 1 CIS 341: COMPILERS - Penn Engineering - …cis341/current/lectures/lec01.pdf · 2018-01-16 · – Source level expressiveness for the task ... Zdancewic CIS 341: Compilers

Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania

Deep Purple - Best of Deep Purple

Deep Learning Early Work Why Deep Learning Stacked Auto Encoders Deep Belief Networks CS 678 – Deep Learning1

Current Techniques in Language-based Security David Walker COS 441 With slides stolen from: Steve Zdancewic University of Pennsylvania

A Deep Specification for Dropbox - University of …bcpierce/papers/clojure-deepspec-2015.pdf · A Deep Specification for Dropbox Benjamin C. Pierce University of Pennsylvania Clojure/conj

Commercial deep fryer & Deep Fat Fryer

The Age of Deep Specification - Information and Computer ...bcpierce/papers/chalmers-deepspec-2015.pdf•Better software development methodology •Better programming languages •

Einführung ins Deep Learning · Einführung ins Deep Learning deep space computing AG 6. Dezember 2019 deep-space.ch

Language-based Information-flow Security · 2003. 7. 14. · Security of data and infrastructure is critical [Trust in Cyberspace, Schneider et ... Military secrets Data. Zdancewic

Deep Calls to Deep

Generative type abstraction and type-level computation (Wrestling with System FC) Stephanie Weirich, Steve Zdancewic University of Pennsylvania Dimitrios

Robust Declassification Steve Zdancewic Andrew Myers Cornell University

1 Combining Events and Threads for Scalable Network Services Peng Li and Steve Zdancewic University of Pennsylvania PLDI 2007, San Diego

Deep 2 Deep

Applications of Programming Language Theory: Java Security David Walker COS 441 With slides stolen from: Steve Zdancewic University of Pennsylvania

PROGRAMMING LANGUAGES FOR INFORMATION SECURITYstevez/papers/Zda02.pdf · PROGRAMMING LANGUAGES FOR INFORMATION SECURITY Stephan Arthur Zdancewic, Ph.D. Cornell University 2002 Our

Deep Verifier Networks: Verification of Deep

Othe Deep,Deep Love of Jesus

20151216 Computer Vision Meetup Deep Learning Deep Learning - Rene...Deep Learning . René Donner Deep Learning Overview 2 ... coursera ... 20151216 Computer Vision Meetup Deep Learning