Automating Formal Proofs for Reactive Systemsztatlock/pubs/reflex...Automating Formal Proofs for Reactive Systems Daniel Ricketts, Valentin Robert, Dongseok Jang, Sorin Lerner University

Automating Formal Proofs for Reactive Systems

Daniel Ricketts, Valentin Robert, Dongseok Jang, Sorin Lerner

University of California, San Diego University of Washington

Zachary “Danger” Tatlock

Proof Assistant Based Verification


[Yang et al. PLDI 11]Testing tool for C compilers

Compiler Bugs Found



Compiler Bugs FoundGCC 122




Clang/LLVM 181




Clang/LLVM 181CompCert ?




Clang/LLVM 181CompCert 0




Clang/LLVM 181CompCert 0


[Yang et al. PLDI 11]Testing tool for C compilers[Le et al. PLDI 14]

Proof Assistant


Proof Assistant

Coq Theorem Prover


CodeProof

Assistant


CodeProof

Assistantin language supporting reasoning


Code

Spec

Proof Assistant


Code

Spec

Proof Assistant

logical properties characterizing correctness


Code

Spec

Proof Assistant

Grads


Code

Spec

Proof Assistant

Grads

interactively show code satisfies specification


Code

Spec

Proof Assistant

Grads

ML x86


Code

Spec

Proof Assistant

Grads

ML x86

compile down to machine code


Code

Spec

Proof Assistant

Extremely strong guarantees about

actual system!Grads

ML x86


Verified Compiler: CompCert


[Leroy POPL 06]


Verified OS micro-kernel: seL4


[Leroy POPL 06]

[Klein et al. SOSP 09]



Verified Web browser: Quark


[Leroy POPL 06]

[Klein et al. SOSP 09]

[Jang et al. Security 12]

Manual Proof Burden

Code

Spec

Proof

Manual Proof Burden

Code

Spec

Proof


9,000 lines of C code

Manual Proof Burden

Code

Spec

Proof


9,000 lines of C code

20 person-years for verification

Manual Proof Burden

Code

Spec

Proof

Manual Proof Burden

Requires expertise in proof assistantsCode

Spec

Proof

Manual Proof Burden

Requires expertise in proof assistants

Extremely brittle, maintenance burden

Code

Spec

Proof

Manual Proof Burden

Code

Spec

Proof

Code

Spec

Ideal(no manual proofs)

Manual Proof Burden

Single application domain


Code1

Spec1

Proof1


Code1

Spec1

Proof1

Code2

Spec2

Proof2


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3

Similar properties


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3

Similar propertiesSimilar architecture


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3

Similar propertiesSimilar architectureSimilar reasoning


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3

Similar propertiesDSL for Specs


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3

Similar propertiesDSL for Specs

Similar architectureSimilar reasoning


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3


DSL for Specs

DSL for Code


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3


DSL for Specs

DSL for Code

Similar reasoning


Code1

Spec1

Proof1

Code2

Spec2

Proof2

Code3

Spec3

Proof3

Similar propertiesSimilar architectureSimilar reasoning

DSL for Specs

DSL for Code

Proof Automation

DSL for Specs

DSL for Code

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3


DSL for Specs

DSL for Code

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3


Reactive systems

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3

DSL for Specs

DSL for Code

Reactive systems

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3

DSL for Specs

DSL for Code REFLEX

Reactive systems

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3

DSL for Specs

DSL for Code REFLEXNo manual proofs,

Reactive systems

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3

DSL for Specs


yet proof assistant guarantee.

Reactive systems

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3

DSL for Specs



Automation incomplete,

Reactive systems

Proof Automation

Code1

Spec1

Code2

Spec2

Code3

Spec3

Proof1

Proof2

Proof3

DSL for Specs



Automation incomplete,

but verified browser, ssh, web server.

Reactive systems

Reactive system

Reactive systems

Reactive system

Continuously read messages from

components and send messages to

components

Reactive systems

Reactive system

Kernel

Example: Web browser kernel


Kernel

Tab3facebook

Tab2gmail

Tab1google


Kernel

Tab3facebook

Tab2gmail

Tab1google

CookieManager

google

CookieManager

facebook


Kernel

Tab3facebook

Tab2gmail

Tab1google

CookieManager

google

CookieManager

facebook

👤


Kernel

Tab3facebook

Tab2gmail

Tab1google

CookieManager

google

CookieManager

facebook

👤(1) Tabs request

resources (e.g. cookies)


Kernel

Tab3facebook

Tab2gmail

Tab1google

CookieManager

google

CookieManager

facebook

👤

(2) Kernel grants access subject to

access controls (e.g. domain checks)

(1) Tabs request

resources (e.g. cookies)


Components = Tab | CookieMgr | ...

Types of components


Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...

Types of messages



Handlers:

How the kernel responds to messages from components



Handlers: When [Tab t] sends CookieSet(c):

When tab t sends the kernel a CookieSet

message with payload c



Handlers: When [Tab t] sends CookieSet(c): cp

Properties



Properties

Specify allowed behaviors



Properties

Specify allowed behaviors wrt sequence of system calls



Properties

When [Tab t] sends CookieSet(c): cp

Proof Automation

Proof Automation

Prove kernel code satisfies properties

Proof Automation

Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce

Proof Automation


{Handler

Proof Automation


{Handler{Handler

Proof Automation


{Handler{Handler{Handler

Proof Automation


{Handler{Handler{Handler

Handlers create structure for

induction


Proof Automation

✔Induction hypothesis: property holds up to

this point


Proof Automation

✔

{Run a single handlerProve kernel code satisfies properties

Induction hypothesis: property holds up to

this point

by induction on sys call sequences kernel can produce

Proof Automation

✔

{Proof obligation: does property still hold? ?Prove kernel code satisfies properties


this point


Proof Automation

✔

{?Prove kernel code satisfies properties


this point

Proof obligation: does property still

hold?


Proof Automation

Case analysis on handler

✔

{?Prove kernel code satisfies properties


this point


hold?


Proof Automation

Case analysis on handler

Symbolically run all paths

✔

{? Case analysis on handler Symbolically run all paths Prove automaticallyProve kernel code satisfies properties


this point


hold?


Proof Automation

Proof Automation

Single domain insights:

Proof Automation


Small number of carefully designed property primitives

Proof Automation



Loop free handlers allowed symbolic eval of all paths

Proof Automation



Loop free handlers allowed symbolic eval of all paths

Domain-specific heuristics for non-local reasoning

Proof Automation

Evaluation

Evaluation

Web browser

SSH server

Web server

Evaluation

Web browser

SSH server

Web server

Auto verified 33 properties (80% in < 2 minutes)

Evaluation

Web browser

SSH server

Web server

Domains do not interfere, Cookie integrity, …

No PTY access before authentication, At most 3 authentication attempts, …

Clients only spawned after successful login, File requests guarded by access control, …


Evaluation

Web browser

SSH server

Web server





Able to automate proofs of non-interference

Evaluation

Web browser

SSH server

Web server





Evaluation

Web browser

SSH server

Web server





Able to automate proofs of non-local

properties

Development Effort: Framework


Reflex : 7500 lines of Coq



Web browser SSH server Web server



Quark Web browser :5500 lines of Coq




Quark Web browser :5500 lines of Coq Single reactive system




Quark Web browser :5500 lines of Coq Single reactive system

Many reactive systems


Development Effort: Systems


Benchmark Language Lines of Code/Spec

BrowserREFLEX 81 37

C++, Python 970,240 -

SSH serverREFLEX 64 22

C, Python 89,567 -

Web serverREFLEX 56 29

Python 386 -



BrowserREFLEX 81 37

C++, Python 970,240 -


C, Python 89,567 -


Python 386 -

Webkit



BrowserREFLEX 81 37

C++, Python 970,240 -


C, Python 89,567 -


Python 386 -

Webkit

OpenSSH

Limitations

LimitationsExpressiveness:

Incompleteness:


Strict subset of temporal logic + non-interference

Incompleteness:



Loop free handlers

Incompleteness:



Loop free handlers

No user-defined unbounded data structures

Incompleteness:



Loop free handlers


Incompleteness: Unable to infer some inductive invariants



Loop free handlers


Incompleteness: Unable to infer some inductive invariants

Low level incompleteness in automation tactics

SSH Server Kernel in REFLEX

Web Browser Kernel in REFLEX

TODO: Browser/SSH video

ConclusionA

utom

atio

n

Expressiveness

Proof assistant based verification

ConclusionA

utom

atio

n

Expressiveness

Coq


ConclusionA

utom

atio

n

Expressiveness

Ynot

Coq


ConclusionA

utom

atio

n

Expressiveness

Bedrock

Ynot

Coq


ConclusionA

utom

atio

n

Expressiveness

Bedrock

Ynot

Coq

Reflex


Conclusion

Reflex

Conclusion

Reflex

DSL expressive enough for entire domain

Conclusion

Reflex


Automation eliminates manual proof burden

Conclusion

Reflex



http://goto.ucsd.edu/reflex/


Reflex




Thank You!

Documents

Automating Formal Proofs for Reactive Systemsztatlock/pubs/reflex...Automating Formal Proofs for Reactive Systems Daniel Ricketts, Valentin Robert, Dongseok Jang, Sorin Lerner University