automating formal proofs for reactive systemsztatlock/pubs/reflex...automating formal proofs for...
TRANSCRIPT
-
Automating Formal Proofs for Reactive Systems
Daniel Ricketts, Valentin Robert, Dongseok Jang, Sorin Lerner
University of California, San Diego University of Washington
Zachary “Danger” Tatlock
-
Proof Assistant Based Verification
-
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
-
Compiler Bugs Found
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
-
Compiler Bugs FoundGCC 122
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
-
Compiler Bugs FoundGCC 122
Clang/LLVM 181
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
-
Compiler Bugs FoundGCC 122
Clang/LLVM 181CompCert ?
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
-
Compiler Bugs FoundGCC 122
Clang/LLVM 181CompCert 0
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers
-
Compiler Bugs FoundGCC 122
Clang/LLVM 181CompCert 0
Proof Assistant Based Verification
[Yang et al. PLDI 11]Testing tool for C compilers[Le et al. PLDI 14]
-
Proof Assistant Based Verification
-
Proof Assistant
Proof Assistant Based Verification
-
Proof Assistant
Coq Theorem Prover
Proof Assistant Based Verification
-
CodeProof
Assistant
Proof Assistant Based Verification
-
CodeProof
Assistantin language supporting reasoning
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
logical properties characterizing correctness
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
Grads
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
Grads
interactively show code satisfies specification
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
Grads
ML x86
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
Grads
ML x86
compile down to machine code
Proof Assistant Based Verification
-
Code
Spec
Proof Assistant
Extremely strong guarantees about
actual system!Grads
ML x86
Proof Assistant Based Verification
-
Verified Compiler: CompCert
Proof Assistant Based Verification
[Leroy POPL 06]
-
Verified Compiler: CompCert
Verified OS micro-kernel: seL4
Proof Assistant Based Verification
[Leroy POPL 06]
[Klein et al. SOSP 09]
-
Verified Compiler: CompCert
Verified OS micro-kernel: seL4
Verified Web browser: Quark
Proof Assistant Based Verification
[Leroy POPL 06]
[Klein et al. SOSP 09]
[Jang et al. Security 12]
-
Manual Proof Burden
Code
Spec
Proof
-
Manual Proof Burden
Code
Spec
Proof
Verified OS micro-kernel: seL4
-
Manual Proof Burden
Code
Spec
Proof
Verified OS micro-kernel: seL4
9,000 lines of C code
-
Manual Proof Burden
Code
Spec
Proof
Verified OS micro-kernel: seL4
9,000 lines of C code
20 person-years for verification
-
Manual Proof Burden
Code
Spec
Proof
-
Manual Proof Burden
Requires expertise in proof assistantsCode
Spec
Proof
-
Manual Proof Burden
Requires expertise in proof assistants
Extremely brittle, maintenance burden
Code
Spec
Proof
-
Manual Proof Burden
Code
Spec
Proof
-
Code
Spec
Ideal(no manual proofs)
Manual Proof Burden
-
Single application domain
-
Single application domain
Code1
Spec1
Proof1
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar properties
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architecture
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architectureSimilar reasoning
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesDSL for Specs
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesDSL for Specs
Similar architectureSimilar reasoning
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architecture
DSL for Specs
DSL for Code
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architecture
DSL for Specs
DSL for Code
Similar reasoning
-
Single application domain
Code1
Spec1
Proof1
Code2
Spec2
Proof2
Code3
Spec3
Proof3
Similar propertiesSimilar architectureSimilar reasoning
DSL for Specs
DSL for Code
Proof Automation
-
DSL for Specs
DSL for Code
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Single application domain
-
DSL for Specs
DSL for Code
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Single application domain
-
DSL for Specs
DSL for Code
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
Single application domain
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEX
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
yet proof assistant guarantee.
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
yet proof assistant guarantee.
Automation incomplete,
-
Reactive systems
Proof Automation
Code1
Spec1
Code2
Spec2
Code3
Spec3
Proof1
Proof2
Proof3
DSL for Specs
DSL for Code REFLEXNo manual proofs,
yet proof assistant guarantee.
Automation incomplete,
but verified browser, ssh, web server.
-
Reactive systems
Reactive system
-
Reactive systems
Reactive system
Continuously read messages from
components and send messages to
components
-
Reactive systems
Reactive system
-
Kernel
Example: Web browser kernel
-
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
-
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
google
CookieManager
facebook
-
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
google
CookieManager
facebook
👤
-
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
google
CookieManager
facebook
👤(1) Tabs request
resources (e.g. cookies)
-
Example: Web browser kernel
Kernel
Tab3facebook
Tab2gmail
Tab1google
CookieManager
google
CookieManager
facebook
👤
(2) Kernel grants access subject to
access controls (e.g. domain checks)
(1) Tabs request
resources (e.g. cookies)
-
Example: Web browser kernel
-
Example: Web browser kernel
Components = Tab | CookieMgr | ...
Types of components
-
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Types of messages
-
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers:
How the kernel responds to messages from components
-
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c):
When tab t sends the kernel a CookieSet
message with payload c
-
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Example: Web browser kernel
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Properties
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Properties
Specify allowed behaviors
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Properties
Specify allowed behaviors wrt sequence of system calls
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Properties
Specify allowed behaviors wrt sequence of system calls
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Properties
When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Components = Tab | CookieMgr | ... Messages = CookieSet | CookieGet | ...
Handlers: When [Tab t] sends CookieSet(c): cp
-
Proof Automation
-
Proof Automation
Prove kernel code satisfies properties
-
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
-
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
-
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler
-
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler{Handler
-
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler{Handler{Handler
-
Proof Automation
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
{Handler{Handler{Handler
Handlers create structure for
induction
-
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
Proof Automation
-
✔Induction hypothesis: property holds up to
this point
Prove kernel code satisfies propertiesby induction on sys call sequences kernel can produce
Proof Automation
-
âś”
{Run a single handlerProve kernel code satisfies properties
Induction hypothesis: property holds up to
this point
by induction on sys call sequences kernel can produce
Proof Automation
-
âś”
{Proof obligation: does property still hold? ?Prove kernel code satisfies properties
Induction hypothesis: property holds up to
this point
by induction on sys call sequences kernel can produce
Proof Automation
-
âś”
{?Prove kernel code satisfies properties
Induction hypothesis: property holds up to
this point
Proof obligation: does property still
hold?
by induction on sys call sequences kernel can produce
Proof Automation
Case analysis on handler
-
âś”
{?Prove kernel code satisfies properties
Induction hypothesis: property holds up to
this point
Proof obligation: does property still
hold?
by induction on sys call sequences kernel can produce
Proof Automation
Case analysis on handler
Symbolically run all paths
-
âś”
{? Case analysis on handler Symbolically run all paths Prove automaticallyProve kernel code satisfies properties
Induction hypothesis: property holds up to
this point
Proof obligation: does property still
hold?
by induction on sys call sequences kernel can produce
Proof Automation
-
Proof Automation
-
Single domain insights:
Proof Automation
-
Single domain insights:
Small number of carefully designed property primitives
Proof Automation
-
Single domain insights:
Small number of carefully designed property primitives
Loop free handlers allowed symbolic eval of all paths
Proof Automation
-
Single domain insights:
Small number of carefully designed property primitives
Loop free handlers allowed symbolic eval of all paths
Domain-specific heuristics for non-local reasoning
Proof Automation
-
Evaluation
-
Evaluation
Web browser
SSH server
Web server
-
Evaluation
Web browser
SSH server
Web server
Auto verified 33 properties (80% in < 2 minutes)
-
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
-
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
Able to automate proofs of non-interference
-
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
-
Evaluation
Web browser
SSH server
Web server
Domains do not interfere, Cookie integrity, …
No PTY access before authentication, At most 3 authentication attempts, …
Clients only spawned after successful login, File requests guarded by access control, …
Auto verified 33 properties (80% in < 2 minutes)
Able to automate proofs of non-local
properties
-
Development Effort: Framework
-
Development Effort: Framework
Reflex : 7500 lines of Coq
-
Development Effort: Framework
Reflex : 7500 lines of Coq
Web browser SSH server Web server
-
Development Effort: Framework
Reflex : 7500 lines of Coq
Quark Web browser :5500 lines of Coq
Web browser SSH server Web server
-
Development Effort: Framework
Reflex : 7500 lines of Coq
Quark Web browser :5500 lines of Coq Single reactive system
Web browser SSH server Web server
-
Development Effort: Framework
Reflex : 7500 lines of Coq
Quark Web browser :5500 lines of Coq Single reactive system
Many reactive systems
Web browser SSH server Web server
-
Development Effort: Systems
-
Development Effort: Systems
Benchmark Language Lines of Code/Spec
BrowserREFLEX 81 37
C++, Python 970,240 -
SSH serverREFLEX 64 22
C, Python 89,567 -
Web serverREFLEX 56 29
Python 386 -
-
Development Effort: Systems
Benchmark Language Lines of Code/Spec
BrowserREFLEX 81 37
C++, Python 970,240 -
SSH serverREFLEX 64 22
C, Python 89,567 -
Web serverREFLEX 56 29
Python 386 -
Webkit
-
Development Effort: Systems
Benchmark Language Lines of Code/Spec
BrowserREFLEX 81 37
C++, Python 970,240 -
SSH serverREFLEX 64 22
C, Python 89,567 -
Web serverREFLEX 56 29
Python 386 -
Webkit
OpenSSH
-
Limitations
-
LimitationsExpressiveness:
Incompleteness:
-
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Incompleteness:
-
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
Incompleteness:
-
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
No user-defined unbounded data structures
Incompleteness:
-
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
No user-defined unbounded data structures
Incompleteness: Unable to infer some inductive invariants
-
LimitationsExpressiveness:
Strict subset of temporal logic + non-interference
Loop free handlers
No user-defined unbounded data structures
Incompleteness: Unable to infer some inductive invariants
Low level incompleteness in automation tactics
-
SSH Server Kernel in REFLEX
-
SSH Server Kernel in REFLEX
-
Web Browser Kernel in REFLEX
TODO: Browser/SSH video
-
Web Browser Kernel in REFLEX
TODO: Browser/SSH video
-
ConclusionA
utom
atio
n
Expressiveness
Proof assistant based verification
-
ConclusionA
utom
atio
n
Expressiveness
Coq
Proof assistant based verification
-
ConclusionA
utom
atio
n
Expressiveness
Ynot
Coq
Proof assistant based verification
-
ConclusionA
utom
atio
n
Expressiveness
Bedrock
Ynot
Coq
Proof assistant based verification
-
ConclusionA
utom
atio
n
Expressiveness
Bedrock
Ynot
Coq
Reflex
Proof assistant based verification
-
Conclusion
Reflex
-
Conclusion
Reflex
DSL expressive enough for entire domain
-
Conclusion
Reflex
DSL expressive enough for entire domain
Automation eliminates manual proof burden
-
Conclusion
Reflex
DSL expressive enough for entire domain
Automation eliminates manual proof burden
http://goto.ucsd.edu/reflex/
http://goto.ucsd.edu/reflex/
-
Reflex
DSL expressive enough for entire domain
Automation eliminates manual proof burden
http://goto.ucsd.edu/reflex/
Thank You!
http://goto.ucsd.edu/reflex/