The Age of Deep Specification
Benjamin C. Pierce, University of Pennsylvania
May, 2015
“We can’t build software that works…”
But just look at all the software that does work!
How did that happen?
Lots of ways!
Lots of ways!
• Better software development methodology
• Better programming languages
• Basic safety guarantees built in
• Powerful mechanisms for abstraction and modularity
• Better testing
• Better use of specifications
I.e., descriptions of what software does (as opposed to the instructions for how to do it)
Why are specifications useful?
If you want to build software that works, it is helpful to know what you mean by "works"!
A Specification:
The “sort” function should take a list of items and return a list of the same items in increasing order.
useful! but… simple, informal, disconnected from code
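The sort specification above is informal and disconnected from code. As an added example (not from the slides), the two clauses of that sentence are written as executable predicates, and a small random tester connects them to two implementations: a correct insertion sort and a deliberately wrong one that drops duplicates. The predicate and function names are my own; the "same items" clause is read as multiset equality, which is what catches the buggy version.

```python
"""Added example: the informal 'sort' spec made precise as executable predicates,
then connected to code by property-based random testing. All names are assumed."""
import random
from collections import Counter
from typing import Callable, List, Optional

Sorter = Callable[[List[int]], List[int]]


def is_sorted(xs: List[int]) -> bool:
    """'in increasing order', read as non-decreasing so duplicates are allowed."""
    return all(a <= b for a, b in zip(xs, xs[1:]))


def same_items(xs: List[int], ys: List[int]) -> bool:
    """'a list of the same items': equal as multisets, not merely as sets."""
    return Counter(xs) == Counter(ys)


def satisfies_sort_spec(sort: Sorter, xs: List[int]) -> bool:
    """The whole specification for one input."""
    out = sort(list(xs))  # pass a copy so mutating the input cannot hide a bug
    return is_sorted(out) and same_items(xs, out)


def insertion_sort(xs: List[int]) -> List[int]:
    """A correct implementation."""
    out: List[int] = []
    for x in xs:
        i = 0
        while i < len(out) and out[i] <= x:
            i += 1
        out.insert(i, x)
    return out


def buggy_sort(xs: List[int]) -> List[int]:
    """Deliberately wrong (constructed for this example): the output is ordered,
    but duplicates collapse. An ordering-only check would pass it."""
    return sorted(set(xs))


def shrink(sort: Sorter, xs: List[int]) -> List[int]:
    """Greedy shrinking: drop one element at a time while the failure persists."""
    changed = True
    while changed:
        changed = False
        for i in range(len(xs)):
            candidate = xs[:i] + xs[i + 1:]
            if not satisfies_sort_spec(sort, candidate):
                xs, changed = candidate, True
                break
    return xs


def find_counterexample(sort: Sorter, trials: int = 500, max_len: int = 8,
                        seed: int = 0) -> Optional[List[int]]:
    """Random testing: small value range so duplicates occur often; returns a
    shrunk failing input, or None if no trial violated the spec."""
    rng = random.Random(seed)
    for _ in range(trials):
        xs = [rng.randint(0, 5) for _ in range(rng.randint(0, max_len))]
        if not satisfies_sort_spec(sort, xs):
            return shrink(sort, xs)
    return None


if __name__ == "__main__":
    print("insertion_sort counterexample:", find_counterexample(insertion_sort))
    print("buggy_sort counterexample:", find_counterexample(buggy_sort))
```

Random testing only shows absence of counterexamples among the inputs tried, not correctness; the shrunk counterexample for the buggy sort is a two-element list with equal items, which points directly at the clause of the spec that was violated.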
Simple ⟶ Rich
• C Language Reference: 592 pages
• also Java (792 pages), C++ (1354 pages), etc.
• x86 CPU reference: 1499 pages
• AUTOSAR standardized automotive architecture: 3000 pages
Informal ⟶ Precise
Formal specification languages
• Z, Alloy, VDM, ACL2, Coq, Isabelle, …
• x86 instruction set (and many others)
• Ada, Java virtual machine, C, JavaScript, …
• …
Disconnected ⟶ Integrated
• Formal verification tools
  • Human constructs “proof script”; computer checks it
  • Capable in principle of establishing connections between arbitrary specifications and code
  • Challenging to use at scale
• Type systems
  • Highly successful “lightweight formal methods”
  • Built into programming languages
  • Limited expressiveness, but “always on”
Deep specifications
1. Rich
2. Formal
3. Integrated with code
early tours de force…
CompCert C compiler
• Fully verified translator from C to machine code
• Accepts most of ISO C 99
• Produces machine code for PowerPC, ARM, and IA32 (x86 32-bit) architectures
• 90% of the performance of GCC (v4, opt. level 1)
seL4
Real-world operating-system kernel with an end-to-end proof of implementation correctness and security enforcement
Emerging trends…
New specification / verification tools
Powerful proof assistants and program logics
• Coq
• Isabelle
• ACL2
• …
Quasi-automatic verifiers based on SMT solvers
• F*
• Dafny
• Boogie
• …
Formal verification of real software
• Verified TLS implementation (core technology for secure web communications)
• Verified compilers: CakeML, Bedrock, CompCertTSO, …
• Verified distributed systems: Verdi, …
• Verified operating systems and OS components: CertiKOS, Ironclad Apps, Jitk, …
• Verified cryptography
• …
Expressive type systems
• security types
• session types
• component types / object types / module systems
• generalized abstract datatypes
• …
Property-based random testing
• TCP networking protocol suite [Sewell et al., Cambridge]
• Testable AUTOSAR model [Quviq, Göteborg]: found >200 faults in AUTOSAR Basic Software, including >100 inconsistencies in the informal standard
• Testable model of Dropbox and other synchronization frameworks [ongoing work with Quviq]
• …
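The "testable model" items above use a precise, executable model of a system as the oracle for random testing of the real implementation. As an added example (not from the slides, and not the Quviq or Cambridge tooling), a plain dictionary serves as the model for a tiny key-value store, random command sequences are replayed against both the model and an implementation, and the first command whose result diverges is reported. The implementation under test is constructed for the example and contains a stale-read bug; all class and function names are my own.

```python
"""Added example: model-based random testing of a stateful store against a
reference model. The store, its bug and all names are constructed for this example."""
import random
from typing import Callable, List, Optional, Tuple

# A command is (op, key, value); value is only used by 'put'.
Cmd = Tuple[str, str, Optional[int]]


class ModelStore:
    """The specification: a plain dictionary with put/get/delete."""

    def __init__(self) -> None:
        self.data = {}

    def put(self, key: str, value: int) -> None:
        self.data[key] = value

    def get(self, key: str) -> Optional[int]:
        return self.data.get(key)

    def delete(self, key: str) -> None:
        self.data.pop(key, None)


class ListStore:
    """Implementation under test (constructed): an append-only list of pairs.
    Bug: put() appends instead of overwriting and get() returns the first
    match, so a key that was overwritten reads back its stale value."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, int]] = []

    def put(self, key: str, value: int) -> None:
        self.entries.append((key, value))

    def get(self, key: str) -> Optional[int]:
        for k, v in self.entries:
            if k == key:
                return v
        return None

    def delete(self, key: str) -> None:
        self.entries = [(k, v) for k, v in self.entries if k != key]


def run_cmd(store, cmd: Cmd) -> Optional[int]:
    """Apply one command; only 'get' produces an observable result."""
    op, key, value = cmd
    if op == "put":
        store.put(key, value)
        return None
    if op == "get":
        return store.get(key)
    if op == "delete":
        store.delete(key)
        return None
    raise ValueError(f"unknown op {op!r}")


def gen_cmds(rng: random.Random, n: int, keys=("a", "b", "c")) -> List[Cmd]:
    """Few keys and few values so overwrites and re-reads happen often."""
    cmds: List[Cmd] = []
    for _ in range(n):
        op = rng.choice(["put", "get", "delete"])
        key = rng.choice(keys)
        value = rng.randint(0, 9) if op == "put" else None
        cmds.append((op, key, value))
    return cmds


def check_trace(make_impl: Callable[[], object], cmds: List[Cmd]) -> Optional[int]:
    """Replay cmds on model and implementation in lockstep; return the index of
    the first command whose results differ, or None if they agree throughout."""
    model, impl = ModelStore(), make_impl()
    for i, cmd in enumerate(cmds):
        if run_cmd(model, cmd) != run_cmd(impl, cmd):
            return i
    return None


def find_failing_trace(make_impl: Callable[[], object], trials: int = 300,
                       seed: int = 1) -> Optional[List[Cmd]]:
    """Random testing driver: returns a command sequence on which the
    implementation disagrees with the model, or None if none was found."""
    rng = random.Random(seed)
    for _ in range(trials):
        cmds = gen_cmds(rng, rng.randint(1, 10))
        if check_trace(make_impl, cmds) is not None:
            return cmds
    return None


if __name__ == "__main__":
    print("model vs itself:", find_failing_trace(ModelStore))
    trace = find_failing_trace(ListStore)
    print("failing trace:", trace, "diverges at", check_trace(ListStore, trace))
```

Because put and delete return nothing, every divergence is observed at a get, which is where the reader of the trace should look; the same model is reusable unchanged against any other implementation with the same three operations.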
Where are we going?
One possibility…
A zero-vulnerability software stack
Thank you!
(Any questions?)