article

Public Access

Refinement through restraint: bringing down the cost of verification

Authors:

Christine Rizkallah,

Yutaka Nagashima,

Gerwin KleinAuthors Info & Claims

ACM SIGPLAN Notices, Volume 51, Issue 9

Pages 89 - 102

https://doi.org/10.1145/3022670.2951940

Published: 04 September 2016 Publication History

Abstract

We present a framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems. Our framework allows for equational reasoning about systems code written in our new language, Cogent. Cogent is a restricted, polymorphic, higher-order, and purely functional language with linear types and without the need for a trusted runtime or garbage collector. Linear types allow us to assign two semantics to the language: one imperative, suitable for efficient C code generation; and one functional, suitable for equational reasoning and verification. As Cogent is a restricted language, it is designed to easily interoperate with existing C functions and to connect to existing C verification frameworks. Our framework is based on certifying compilation: For a well-typed Cogent program, our compiler produces C code, a high-level shallow embedding of its semantics in Isabelle/HOL, and a proof that the C code correctly refines this embedding. Thus one can reason about the full semantics of real-world systems code productively and equationally, while retaining the interoperability and leanness of C. The compiler certificate is a series of language-level proofs and per-program translation validation phases, combined into one coherent top-level theorem in Isabelle/HOL.

References

[1]

Amal Ahmed, Matthew Fluet, and Greg Morrisett. A step-indexed model of substructural state. In Proceedings of the 10th International Conference on Functional Programming, pages 78–91, 2005.

Digital Library

[2]

Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, and Gernot Heiser. Cogent: Verifying high-assurance file system implementations. In International Conference on Architectural Support for Programming Languages and Operating Systems, pages 175–188, Atlanta, GA, USA, April 2016.

Digital Library

[3]

Erik Barendsen and Sjaak Smetsers. Conventional and uniqueness typing in graph rewrite systems. In Foundations of Software Technology and Theoretical Computer Science, volume 761 of Lecture Notes in Computer Science, pages 41–51, 1993.

Digital Library

[4]

Lennart Beringer, Adam Petcher, Katherine Q. Ye, and Andrew W. Appel. Verified correctness and security of OpenSSL HMAC. In Proceedings of the 24th USENIX Security Symposium, pages 207–221, Washington, DC, US, August 2015.

Digital Library

[5]

Arthur Charguéraud. Program verification through characteristic formulae. In Proceedings of the 15th International Conference on Functional Programming, ICFP ’10, pages 321–332, New York, NY, USA, 2010.

Digital Library

[6]

Arthur Charguéraud. Characteristic formulae for the verification of imperative programs. In Proceedings of the 16th International Conference on Functional Programming, ICFP ’11, pages 418–430, New York, NY, USA, 2011.

Digital Library

[7]

2034828.

[8]

Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M. Frans Kaashoek, and Nickolai Zeldovich. Using Crash Hoare logic for certifying the FSCQ file system. In ACM Symposium on Operating Systems Principles, pages 18–37, Monterey, CA, October 2015.

Digital Library

[9]

Adam Chlipala. An optimizing compiler for a purely functional webapplication language. In Proceedings of the 20th International Conference on Functional Programming, ICFP 2015, pages 10–21, New York, NY, USA, 2015.

Digital Library

[10]

2784741.

[11]

David Cock, Gerwin Klein, and Thomas Sewell. Secure microkernels, state monads and scalable refinement. In Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics, pages 167–182, Montreal, Canada, August 2008.

Digital Library

[12]

Robert DeLine and Manuel Fähndrich. Enforcing high-level protocols in low-level software. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’01, pages 59–69, New York, NY, USA, 2001.

Digital Library

[13]

Edsger Wybe Dijkstra. A Discipline of Programming. Upper Saddle River, NJ, USA, 1st edition, 1997.

Digital Library

[14]

Rob Ennals, Richard Sharp, and Alan Mycroft. Linear types for packet processing. In Proceedings of the 13th European Symposium on Programming, volume 2986 of Lecture Notes in Computer Science, pages 204–218, 2004.

[15]

Manuel Fahndrich and Robert DeLine. Adoption and focus: Practical linear types for imperative programming. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’02, pages 13–24, New York, NY, USA, 2002.

Digital Library

[16]

Filebench Project. Filebench file system benchmark. http:// sourceforge.net/projects/filebench. Accessed Nov 2015.

[17]

Go. The Go programming language. https://go.googlesource.com/ go, 2015. Accessed Nov 2015.

[18]

David Greenaway, June Andronick, and Gerwin Klein. Bridging the gap: Automatic verified abstraction of C. In International Conference on Interactive Theorem Proving, pages 99–115, Princeton, New Jersey, USA, August 2012.

[19]

David Greenaway, Japheth Lim, June Andronick, and Gerwin Klein. Don’t sweat the small stu ff: Formal verification of C code without the pain. In ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 429–439, Edinburgh, UK, June 2014.

Digital Library

[20]

Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. Deep specifications and certified abstraction layers. In Proceedings of the 42nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 595–608, 2015.

Digital Library

[21]

HASP project. The Habit programming language: The revised preliminary report. Technical Report http://hasp.cs.pdx.edu/habitreport-Nov2010.pdf, Department of Computer Science, Portland State University, Portland, OR, USA, November 2010.

[22]

Martin Hofmann. A type system for bounded space and functional in-place update–extended abstract. In ESOP, volume 1782 of Lecture Notes in Computer Science, pages 165–179, 2000.

Digital Library

[23]

IOZone. IOzone filesystem benchmark. http://www.iozone.org/. Accessed Mar 2015.

[24]

Gabriele Keller, Toby Murray, Sidney Amani, Liam O’Connor-Davis, Zilin Chen, Leonid Ryzhyk, Gerwin Klein, and Gernot Heiser. File systems deserve verification too! In Workshop on Programming Languages and Operating Systems (PLOS), pages 1–7, Farmington, Pennsylvania, USA, November 2013.

Digital Library

[25]

Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. seL4: Formal verification of an OS kernel. In ACM Symposium on Operating Systems Principles, pages 207–220, Big Sky, MT, USA, October 2009.

Digital Library

[26]

Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser. Comprehensive formal verification of an OS microkernel. ACM Transactions on Computer Systems, 32(1):2:1–2:70, February 2014.

Digital Library

[27]

Ramana Kumar, Magnus Myreen, Michael Norrish, and Scott Owens. CakeML: A verified implementation of ML. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 179–191, San Diego, January 2014.

Digital Library

[28]

Xavier Leroy. Formal certification of a compiler back-end, or: Programming a compiler with a proof assistant. In Proceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 42–54, Charleston, SC, USA, 2006.

Digital Library

[29]

Xavier Leroy. Formal verification of a realistic compiler. Communications of the ACM, 52(7):107–115, 2009.

Digital Library

[30]

LLVM. The Low-Level Virtual Machine Compiler. Accessed Feb 2016.

[31]

Karl Mazurak, Jianzhou Zhao, and Steve Zdancewic. Lightweight Linear Types in System F ◦. In Proceedings of the 5th ACM SIGPLAN Workshop on Types in Language Design and Implementation, TLDI ’10, pages 77–88, New York, NY, USA, 2010.

Digital Library

[32]

Andrew McCreight, Tim Chevalier, and Andrew Tolmach. A certified framework for compiling and executing garbage-collected languages. In Proceedings of the 15th International Conference on Functional Programming, pages 273–284, 2010.

Digital Library

[33]

Mirabox. MiraBox development kit. https://www. globalscaletechnologies.com/p-58-mirabox-developmentkit.aspx, 2015. Accessed Nov 2015.

[34]

Georg Neis, Chung-Kil Hur, Jan-Oliver Kaiser, Craig McLaughlin, Derek Dreyer, and Viktor Vafeiadis. Pilsner: A compositionally verified compiler for a higher-order imperative language. In Proceedings of the 20th International Conference on Functional Programming, ICFP ’15, pages 166–178, New York, NY, USA, 2015.

Digital Library

[35]

Tobias Nipkow and Gerwin Klein. Concrete Semantics with Isabelle /HOL. 2014.

Digital Library

[36]

Martin Odersky. Observers for linear types. In ESOP ’92: 4th European Symposium on Programming, Rennes, France, Proceedings, pages 390– 407, February 1992. Lecture Notes in Computer Science 582. Nicolas Palix, Ga¨el Thomas, Suman Saha, Christophe Calvès, Julia Lawall, and Gilles Muller. Faults in Linux: ten years later. In Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 305–318, Newport Beach, CA, US, 2011.

Digital Library

[37]

Benjamin C. Pierce. Types and Programming Languages. 2002.

Digital Library

[38]

Lee Pike, Patrick Hickey, James Bielman, Trevor Elliott, Thomas DuBuisson, and John Launchbury. Programming languages for high-assurance autonomous vehicles: Extended abstract. In Proceedings of the 2014ACM SIGPLAN Workshop on Programming Languages Meets Program Verification, pages 1–2, San Diego, California, USA, 2014.

Digital Library

[39]

Christine Rizkallah, Japheth Lim, Yutaka Nagashima, Thomas Sewell, Zilin Chen, Liam O’Connor, Toby Murray, Gabriele Keller, and Gerwin Klein. A framework for the automatic formal verification of refinement from cogent to c. In International Conference on Interactive Theorem Proving, Nancy, France, August 2016.

[40]

Rust. The Rust programming language. http://rustlang.org, 2014.

[41]

Accessed March 2015.

[42]

Amr Sabry and Matthias Felleisen. Reasoning about programs in continuation-passing style. SIGPLAN Lisp Pointers, V(1):288–298, January 1992.

Digital Library

[43]

Norbert Schirmer. Verification of Sequential Imperative Programs in Isabelle /HOL. PhD thesis, Technische Universität München, 2006.

[44]

Thomas Sewell, Magnus Myreen, and Gerwin Klein. Translation validation for a verified OS kernel. In ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 471–481, Seattle, Washington, USA, June 2013.

Digital Library

[45]

Harvey Tuch, Gerwin Klein, and Michael Norrish. Types, bytes, and separation logic. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 97–108, Nice, France, January 2007.

Digital Library

[46]

Philip Wadler. Linear types can change the world! In Programming Concepts and Methods, 1990.

Cited By

Bezza AMerah EAmeur-Boulifa RBenaboud RMessaoud Maarouk T(2020)Formalization and Refinement Proof for Embedded Systems2020 4th International Symposium on Informatics and its Applications (ISIA)10.1109/ISIA51297.2020.9416544(1-6)Online publication date: 15-Dec-2020
https://doi.org/10.1109/ISIA51297.2020.9416544
Torrini PNowak DJomaa NCherif M(2018)Formalising Executable Specifications of Low-Level SystemsVerified Software. Theories, Tools, and Experiments10.1007/978-3-030-03592-1_9(155-176)Online publication date: 24-Nov-2018
https://doi.org/10.1007/978-3-030-03592-1_9
Wadler P(2018)Programming Language Foundations in AgdaFormal Methods: Foundations and Applications10.1007/978-3-030-03044-5_5(56-73)Online publication date: 24-Oct-2018
https://doi.org/10.1007/978-3-030-03044-5_5
Show More Cited By

Recommendations

Refinement through restraint: bringing down the cost of verification
ICFP 2016: Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming

We present a framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems. Our framework allows for equational reasoning about systems code written in our new language, Cogent. Cogent is a ...
Cogent: Verifying High-Assurance File System Implementations
ASPLOS '16

We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness ...
Cogent: Verifying High-Assurance File System Implementations
ASPLOS'16

We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 51, Issue 9

ICFP '16

September 2016

501 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/3022670

Editor:
Matthew Fluet

Issue’s Table of Contents

ICFP 2016: Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming
September 2016
501 pages
ISBN:9781450342193
DOI:10.1145/2951913
General Chairs:
Jacques Garrigue
Nagoya University, Japan
,
Gabriele Keller
University of New South Wales, Australia
,
Program Chair:
Eijiro Sumii
Tohoku University, Japan

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 September 2016

Published in SIGPLAN Volume 51, Issue 9

Check for updates

Author Tags

Qualifiers

Article

Funding Sources

DARPA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
535
Total Downloads

Downloads (Last 12 months)102
Downloads (Last 6 weeks)25

Reflects downloads up to 04 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bezza AMerah EAmeur-Boulifa RBenaboud RMessaoud Maarouk T(2020)Formalization and Refinement Proof for Embedded Systems2020 4th International Symposium on Informatics and its Applications (ISIA)10.1109/ISIA51297.2020.9416544(1-6)Online publication date: 15-Dec-2020
https://doi.org/10.1109/ISIA51297.2020.9416544
Torrini PNowak DJomaa NCherif M(2018)Formalising Executable Specifications of Low-Level SystemsVerified Software. Theories, Tools, and Experiments10.1007/978-3-030-03592-1_9(155-176)Online publication date: 24-Nov-2018
https://doi.org/10.1007/978-3-030-03592-1_9
Wadler P(2018)Programming Language Foundations in AgdaFormal Methods: Foundations and Applications10.1007/978-3-030-03044-5_5(56-73)Online publication date: 24-Oct-2018
https://doi.org/10.1007/978-3-030-03044-5_5
Klein GAndronick JKeller GMatichuk DMurray TO'Connor L(2017)Provably trustworthy systemsPhilosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences10.1098/rsta.2015.0404375:2104(20150404)Online publication date: 4-Sep-2017
https://doi.org/10.1098/rsta.2015.0404
Guéneau AHostert JSpies SSammler MBirkedal LDreyer D(2023)Melocoton: A Program Logic for Verified Interoperability Between OCaml and CProceedings of the ACM on Programming Languages10.1145/36228237:OOPSLA2(716-744)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622823
Chen ZLafont AO'Connor LKeller GMcLaughlin CJackson VRizkallah C(2023)Dargent: A Silver Bullet for Verified Data Layout RefinementProceedings of the ACM on Programming Languages10.1145/35712407:POPL(1369-1395)Online publication date: 11-Jan-2023
https://dl.acm.org/doi/10.1145/3571240
Pearce D(2021)A Lightweight Formalism for Reference Lifetimes and Borrowing in RustACM Transactions on Programming Languages and Systems10.1145/344342043:1(1-73)Online publication date: 17-Apr-2021
https://dl.acm.org/doi/10.1145/3443420
O’CONNOR LCHEN ZRIZKALLAH CJACKSON VAMANI SKLEIN GMURRAY TSEWELL TKELLER G(2021)Cogent: uniqueness types and certifying compilationJournal of Functional Programming10.1017/S095679682100023X31Online publication date: 27-Oct-2021
https://doi.org/10.1017/S095679682100023X
BREITNER JSPECTOR-ZABUSKY ALI YRIZKALLAH CWIEGLEY JCOHEN JWEIRICH S(2021) Ready, Set , Verify! Applying hs-to-coq to real-world Haskell code Journal of Functional Programming10.1017/S095679682000028331Online publication date: 26-Feb-2021
https://doi.org/10.1017/S0956796820000283
Bodenmüller SSchellhorn GBitterlich MReif W(2021)Flashix: Modular Verification of a Concurrent and Crash-Safe Flash File SystemLogic, Computation and Rigorous Methods10.1007/978-3-030-76020-5_14(239-265)Online publication date: 4-Jun-2021
https://doi.org/10.1007/978-3-030-76020-5_14
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Issue’s Table of Contents