Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Automating Formal Proofs for Reactive Systems
Daniel Ricketts, Valentin Robert, Dongseok Jang, Sorin Lerner
University of California, San Diego University of Washington
Zachary “Danger” Tatlock
Proof Assistant Based Verification
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
Compiler Bugs Found
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
Compiler Bugs FoundGCC 122
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
Compiler Bugs FoundGCC 122
Clang/LLVM 181
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
Compiler Bugs FoundGCC 122
Clang/LLVM 181CompCert ?
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
Compiler Bugs FoundGCC 122
Clang/LLVM 181CompCert 0
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
Compiler Bugs FoundGCC 122
Clang/LLVM 181CompCert 0
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers[Le et al. PLDI 14]
Proof Assistant Based Verification
Proof Assistant
Proof Assistant Based Verification
Proof Assistant
Coq Theorem Prover
Proof Assistant Based Verification
CodeProof
Assistant
Proof Assistant Based Verification
CodeProof
Assistantin language supporting reasoning
Proof Assistant Based Verification
Code
Spec
Proof Assistant
Proof Assistant Based Verification
Code
Spec
Proof Assistant
logical properties characterizing correctness
Proof Assistant Based Verification
Code
Spec
Proof Assistant
Grads
Proof Assistant Based Verification
Code
Spec
Proof Assistant
Grads
interactively show code satisfies specification
Proof Assistant Based Verification
Code
Spec
Proof Assistant
Grads
ML x86
Proof Assistant Based Verification
Code
Spec
Proof Assistant
Grads
ML x86
compile down to machine code
Proof Assistant Based Verification
Code
Spec
Proof Assistant
Extremely strong guarantees about
actual system!Grads
ML x86
Proof Assistant Based Verification
Verified Compiler: CompCert
Proof Assistant Based Verification
[Leroy POPL 06]
Verified Compiler: CompCert
Verified OS micro-kernel: seL4
Proof Assistant Based Verification
[Leroy POPL 06]
[Klein et al. SOSP 09]
Verified Compiler: CompCert
Verified OS micro-kernel: seL4
Verified Web browser: Quark
Proof Assistant Based Verification
[Leroy POPL 06]
[Klein et al. SOSP 09]
[Jang et al. Security 12]
Manual Proof Burden
Code
Spec
Proof
Manual Proof Burden
Code
Spec
Proof
Verified OS micro-kernel: seL4
Manual Proof Burden
Code
Spec
Proof
Verified OS micro-kernel: seL4
9,000 lines of C code
Manual Proof Burden
Code
Spec
Proof
Verified OS micro-kernel: seL4
9,000 lines of C code
20 person-years for verification
Manual Proof Burden
Code
Spec
Proof
Manual Proof Burden
Requires expertise in proof assistantsCode
Spec
Proof
Manual Proof Burden
Requires expertise in proof assistants
Extremely brittle, maintenance burden
Code
Spec
Proof
Manual Proof Burden
Code
Spec
Proof
Code
Spec
Ideal(no manual proofs)
Manual Proof Burden
Single application domain
Single application domain
Code1
Spec1
Proof1
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar properties
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architecture
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architectureSimilar reasoning
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesDSL for Specs
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesDSL for Specs
Similar architectureSimilar reasoning
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architecture
DSL for Specs
DSL for Code
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architecture
DSL for Specs
DSL for Code
Similar reasoning
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architectureSimilar reasoning
DSL for Specs
DSL for Code
Proof Automation
DSL for Specs
DSL for Code
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Single application domain
DSL for Specs
DSL for Code
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Single application domain
DSL for Specs
DSL for Code
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
Single application domain
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEX
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
yet proof assistant guarantee.
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
yet proof assistant guarantee.
Automation incomplete,
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
yet proof assistant guarantee.
Automation incomplete,
but verified browser, ssh, web server.
Reactive systems
Reactive system
Reactive systems
Reactive system
Continuously read messages from
components and send messages to
components
Reactive systems
Reactive system
Kernel
Example: Web browser kernel
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
CookieManager
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
CookieManager
👤
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
CookieManager
👤(1) Tabs request
resources (e.g. cookies)
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
CookieManager
👤
(2) Kernel grants access subject to
access controls (e.g. domain checks)
(1) Tabs request
resources (e.g. cookies)
Example: Web browser kernel
Example: Web browser kernel
Components = Tab | CookieMgr | ...
Types of components
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Types of messages
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers:
How the kernel responds to messages from components
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c):
When tab t sends the kernel a CookieSet
message with payload c
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Properties
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Properties
Specify allowed behaviors
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Properties
Specify allowed behaviors wrt sequence of system calls
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Properties
Specify allowed behaviors wrt sequence of system calls
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Properties
When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
Proof Automation
Proof Automation
Prove kernel code satisfies properties
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler{Handler
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler{Handler{Handler
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler{Handler{Handler
Handlers create structure for
induction
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
Proof Automation
✔Induction hypothesis: property holds up to
this point
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
Proof Automation
✔
{Run a single handlerProve kernel code satisfies properties
Induction hypothesis: property holds up to
this point
by induction on sys call sequences kernel can produce
Proof Automation
✔
{Proof obligation: does property still hold? ?Prove kernel code satisfies properties
Induction hypothesis: property holds up to
this point
by induction on sys call sequences kernel can produce
Proof Automation
✔
{?Prove kernel code satisfies properties
Induction hypothesis: property holds up to
this point
Proof obligation: does property still
hold?
by induction on sys call sequences kernel can produce
Proof Automation
Case analysis on handler
✔
{?Prove kernel code satisfies properties
Induction hypothesis: property holds up to
this point
Proof obligation: does property still
hold?
by induction on sys call sequences kernel can produce
Proof Automation
Case analysis on handler
Symbolically run all paths
✔
{? Case analysis on handler Symbolically run all paths Prove automaticallyProve kernel code satisfies properties
Induction hypothesis: property holds up to
this point
Proof obligation: does property still
hold?
by induction on sys call sequences kernel can produce
Proof Automation
Proof Automation
Single domain insights:
Proof Automation
Single domain insights:
Small number of carefully designed property primitives
Proof Automation
Single domain insights:
Small number of carefully designed property primitives
Loop free handlers allowed symbolic eval of all paths
Proof Automation
Single domain insights:
Small number of carefully designed property primitives
Loop free handlers allowed symbolic eval of all paths
Domain-specific heuristics for non-local reasoning
Proof Automation
Evaluation
Evaluation
Web browser
SSH server
Web server
Evaluation
Web browser
SSH server
Web server
Auto verified 33 properties (80% in < 2 minutes)
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
Able to automate proofs of non-interference
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
Able to automate proofs of non-local
properties
Development Effort: Framework
Development Effort: Framework
Reflex : 7500 lines of Coq
Development Effort: Framework
Reflex : 7500 lines of Coq
Web browser SSH server Web server
Development Effort: Framework
Reflex : 7500 lines of Coq
Quark Web browser :5500 lines of Coq
Web browser SSH server Web server
Development Effort: Framework
Reflex : 7500 lines of Coq
Quark Web browser :5500 lines of Coq Single reactive system
Web browser SSH server Web server
Development Effort: Framework
Reflex : 7500 lines of Coq
Quark Web browser :5500 lines of Coq Single reactive system
Many reactive systems
Web browser SSH server Web server
Development Effort: Systems
Development Effort: Systems
Benchmark Language Lines of Code/Spec
BrowserREFLEX 81 37
C++, Python 970,240 -
SSH serverREFLEX 64 22
C, Python 89,567 -
Web serverREFLEX 56 29
Python 386 -
Development Effort: Systems
Benchmark Language Lines of Code/Spec
BrowserREFLEX 81 37
C++, Python 970,240 -
SSH serverREFLEX 64 22
C, Python 89,567 -
Web serverREFLEX 56 29
Python 386 -
Webkit
Development Effort: Systems
Benchmark Language Lines of Code/Spec
BrowserREFLEX 81 37
C++, Python 970,240 -
SSH serverREFLEX 64 22
C, Python 89,567 -
Web serverREFLEX 56 29
Python 386 -
Webkit
OpenSSH
Limitations
LimitationsExpressiveness:
Incompleteness:
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Incompleteness:
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
Incompleteness:
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
No user-defined unbounded data structures
Incompleteness:
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
No user-defined unbounded data structures
Incompleteness: Unable to infer some inductive invariants
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
No user-defined unbounded data structures
Incompleteness: Unable to infer some inductive invariants
Low level incompleteness in automation tactics
SSH Server Kernel in REFLEX
SSH Server Kernel in REFLEX
Web Browser Kernel in REFLEX
TODO: Browser/SSH video
Web Browser Kernel in REFLEX
TODO: Browser/SSH video
ConclusionA
utom
atio
n
Expressiveness
Proof assistant based verification
ConclusionA
utom
atio
n
Expressiveness
Coq
Proof assistant based verification
ConclusionA
utom
atio
n
Expressiveness
Ynot
Coq
Proof assistant based verification
ConclusionA
utom
atio
n
Expressiveness
Bedrock
Ynot
Coq
Proof assistant based verification
ConclusionA
utom
atio
n
Expressiveness
Bedrock
Ynot
Coq
Reflex
Proof assistant based verification
Conclusion
Reflex
Conclusion
Reflex
DSL expressive enough for entire domain
Conclusion
Reflex
DSL expressive enough for entire domain
Automation eliminates manual proof burden
Conclusion
Reflex
DSL expressive enough for entire domain
Automation eliminates manual proof burden
http://goto.ucsd.edu/reflex/
http://goto.ucsd.edu/reflex/
Reflex
DSL expressive enough for entire domain
Automation eliminates manual proof burden
http://goto.ucsd.edu/reflex/
Thank You!
http://goto.ucsd.edu/reflex/