research-article

Deep Specifications and Certified Abstraction Layers

Authors:

Jérémie Koenig,

Tahina Ramananandro,

Xiongnan (Newman) Wu,

Haozhong Zhang,

Yu GuoAuthors Info & Claims

ACM SIGPLAN Notices, Volume 50, Issue 1

Pages 595 - 608

https://doi.org/10.1145/2775051.2676975

Published: 14 January 2015 Publication History

Abstract

Modern computer systems consist of a multitude of abstraction layers (e.g., OS kernels, hypervisors, device drivers, network protocols), each of which defines an interface that hides the implementation details of a particular set of functionality. Client programs built on top of each layer can be understood solely based on the interface, independent of the layer implementation. Despite their obvious importance, abstraction layers have mostly been treated as a system concept; they have almost never been formally specified or verified. This makes it difficult to establish strong correctness properties, and to scale program verification across multiple layers.

In this paper, we present a novel language-based account of abstraction layers and show that they correspond to a strong form of abstraction over a particularly rich class of specifications which we call deep specifications. Just as data abstraction in typed functional languages leads to the important representation independence property, abstraction over deep specification is characterized by an important implementation independence property: any two implementations of the same deep specification must have contextually equivalent behaviors. We present a new layer calculus showing how to formally specify, program, verify, and compose abstraction layers. We show how to instantiate the layer calculus in realistic programming languages such as C and assembly, and how to adapt the CompCert verified compiler to compile certified C layers such that they can be linked with assembly layers. Using these new languages and tools, we have successfully developed multiple certified OS kernels in the Coq proof assistant, the most realistic of which consists of 37 abstraction layers, took less than one person year to develop, and can boot a version of Linux as a guest.

Supplementary Material

MPG File (p595-sidebyside.mpg)

Download
1799.40 MB

References

[1]

C. Y. Baldwin and K. B. Clark. Design Rules: Volume 1, The Power of Modularity. MIT Press, March 2000.

Digital Library

[2]

M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Proc. 4th Symp on Formal Methods for Components and Objects, 2005.

Digital Library

[3]

N. Benton and C.-K. Hur. Biorthogonality, step-indexing and compiler correctness. In ICFP'09, pages 97--108, 2009.

Digital Library

[4]

L. Beringer, G. Stewart, R. Dockins, and A. W. Appel. Verified compilation for shared-memory C. In ESOP'14, pages 107--127, 2014.

Digital Library

[5]

S. Blazy and X. Leroy. Mechanized semantics for the Clight subset of the C language. J. Automated Reasoning, 43(3):263--288, 2009.

[6]

Q. Carbonneaux, J. Hoffmann, T. Ramananandro, and Z. Shao. End-to-end verification of stack-space bounds for C programs. In PLDI'14.

Digital Library

[7]

S. Chaudhuri, S. Gulwani, and R. Lublinerman. Continuity analysis of programs. In POPL'10, pages 57--69, 2010.

Digital Library

[8]

A. Chlipala. Mostly-automated verification of low-level programs in computational separation logic. In PLDI'11, pages 234--245, 2011.

Digital Library

[9]

E. W. Dijkstra. Notes on structured programming. In Structured programming, pages 1--82. Academic Press, 1972.

Digital Library

[10]

X. Feng, Z. Shao, Y. Dong, and Y. Guo. Certifying low-level programs with hardware interrupts and preemptive threads. In PLDI'08, pages 170--182, June 2008.

Digital Library

[11]

X. Feng, Z. Shao, Y. Guo, and Y. Dong. Combining domain-specific and foundational logics to verify complete software systems. In VSTTE'08, pages 54--69, 2008.

Digital Library

[12]

L. Gu, A. Vaynberg, B. Ford, Z. Shao, and D. Costanzo. CertiKOS: a certified kernel for secure cloud computing. In APSys '11, 2011.

Digital Library

[13]

R. Gu, J. Koenig, T. Ramananandro, Z. Shao, X. Wu, S.-C. Weng, H. Zhang, and Y. Guo. Deep specifications and certified abstraction layers. Yale Univ. Technical Report YALEU/DCS/TR-1500; http://flint.cs.yale.edu/publications/dscal.html, Oct. 2014.

[14]

C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576--580, Oct. 1969.

Digital Library

[15]

C.-K. Hur, D. Dreyer, G. Neis, and V. Vafeiadis. The marriage of bisimulations and Kripke logical relations. In POPL'12, pages 59--72.

Digital Library

[16]

D. Jackson. Software abstractions: logic, languages, and analysis. The MIT Press, 2012.

Digital Library

[17]

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, et al. seL4: Formal verification of an OS kernel. In SOSP'09, pages 207--220, October 2009.

Digital Library

[18]

L. Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3), May 1994.

Digital Library

[19]

X. Leroy. The CompCert verified compiler. http://compcert.inria.fr/, 2005--2014.

[20]

X. Leroy. A formally verified compiler back-end. Journal of Automated Reasoning, 43(4):363--446, 2009.

Digital Library

[21]

X. Leroy and S. Blazy. Formal verification of a C-like memory model and its uses for verifying program transformation. J. Automated Reasoning, 41(1):1--31, 2008.

Digital Library

[22]

N. A. Lynch and F. W. Vaandrager. Forward and backward simulations: I. Untimed systems. Inf. Comput., 121(2):214--233, 1995.

Digital Library

[23]

R. Milner, M. Tofte, R. Harper, and D. MacQueen. The Definition of Standard ML (Revised). MIT Press, Cambridge, Massachusetts, 1997.

Digital Library

[24]

J. C. Mitchell. Representation independence and data abstraction. In POPL'86, pages 263--276, January 1986.

Digital Library

[25]

C. C. Morgan. Programming from specifications, 2nd Edition. Prentice- Hall, 1994.

Digital Library

[26]

A. Nanevski, G. Morrisett, and L. Birkedal. Polymorphism and separation in Hoare type theory. In ICFP'06, pages 62--73, Sept. 2006.

Digital Library

[27]

P. G. Neumann, R. S. Boyer, R. J. Feiertag, K. N. Levitt, and L. Robinson. A provably secure operating system: its system, its applications, and proofs. Technical Report CSL-116, SRI, May 1980.

[28]

P. W. O'Hearn. Resources, concurrency and local reasoning. In CONCUR'04, pages 49--67, 2004.

[29]

J. T. Perconti and A. Ahmed. Verifying an open compiler using multi- language semantics. In ESOP'14, pages 128--148, 2014.

Digital Library

[30]

B. C. Pierce. Types and Programming Languages. The MIT Press, 2002.

Digital Library

[31]

J. C. Reynolds. Theories of Programming Languages. Cambridge University Press, 1998.

Digital Library

[32]

J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In LICS'02, pages 55--74, 2002.

Digital Library

[33]

J. Sevcík, V. Vafeiadis, F. Z. Nardelli, S. Jagannathan, and P. Sewell. CompCertTSO: A verified compiler for relaxed-memory concurrency. J. ACM, 60(3), 2013.

Digital Library

[34]

M. Spivey. The Z Notation: A reference manual. Prentice Hall, 1992.

Digital Library

[35]

The Coq development team. The Coq proof assistant. http://coq.inria.fr, 1999--2014.

[36]

A. Vaynberg and Z. Shao. Compositional verification of a baby virtual memory manager. In CPP'12, pages 143--159, Dec 2012.

Digital Library

Cited By

Zhang LWang YWu JKoenig JShao Z(2024)Fully Composable and Adequate Verified Compilation with Direct Refinements between Open ModulesProceedings of the ACM on Programming Languages10.1145/36329148:POPL(2160-2190)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632914
Feng ZYongwang ZYang LJun S(2024)A Comprehensive Formal Specification of ARINC 653 With Conformity ProofSoftware Testing, Verification and Reliability10.1002/stvr.190135:1Online publication date: Oct-2024
https://doi.org/10.1002/stvr.1901
Yang KYu JWei XYou FHuang HHuo X(2023)Survey of the Formal Verification of Operating Systems in Power Monitoring SystemProceedings of the 2023 5th International Conference on Pattern Recognition and Intelligent Systems10.1145/3609703.3609714(65-70)Online publication date: 28-Jul-2023
https://dl.acm.org/doi/10.1145/3609703.3609714
Show More Cited By

Index Terms

Deep Specifications and Certified Abstraction Layers
1. Software and its engineering
2. Theory of computation
  1. Logic
    1. Proof theory

Recommendations

seL4: formal verification of an OS kernel
SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles

Complete formal verification is the only known way to guarantee that a system is free of programming errors.

We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to ...
Certified concurrent abstraction layers
PLDI '18

Concurrent abstraction layers are ubiquitous in modern computer systems because of the pervasiveness of multithreaded programming and multicore hardware. Abstraction layers are used to hide the implementation details (e.g., fine-grained synchronization) ...
Deep Specifications and Certified Abstraction Layers
POPL '15: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

Modern computer systems consist of a multitude of abstraction layers (e.g., OS kernels, hypervisors, device drivers, network protocols), each of which defines an interface that hides the implementation details of a particular set of functionality. Client ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 50, Issue 1

POPL '15

January 2015

682 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/2775051

Editor:
Andy Gill
University of Kansas, Lawrence, KS

Issue’s Table of Contents

POPL '15: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
January 2015
716 pages
ISBN:9781450333009
DOI:10.1145/2676726
General Chair:
Sriram Rajamani
Microsoft Research, India
,
Program Chair:
David Walker
Princeton University, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 January 2015

Published in SIGPLAN Volume 50, Issue 1

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

137
Total Citations
View Citations
773
Total Downloads

Downloads (Last 12 months)83
Downloads (Last 6 weeks)10

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zhang LWang YWu JKoenig JShao Z(2024)Fully Composable and Adequate Verified Compilation with Direct Refinements between Open ModulesProceedings of the ACM on Programming Languages10.1145/36329148:POPL(2160-2190)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632914
Feng ZYongwang ZYang LJun S(2024)A Comprehensive Formal Specification of ARINC 653 With Conformity ProofSoftware Testing, Verification and Reliability10.1002/stvr.190135:1Online publication date: Oct-2024
https://doi.org/10.1002/stvr.1901
Yang KYu JWei XYou FHuang HHuo X(2023)Survey of the Formal Verification of Operating Systems in Power Monitoring SystemProceedings of the 2023 5th International Conference on Pattern Recognition and Intelligent Systems10.1145/3609703.3609714(65-70)Online publication date: 28-Jul-2023
https://dl.acm.org/doi/10.1145/3609703.3609714
Erata FDeng SZaghloul FXiong WDemir OSzefer J(2023)Survey of Approaches and Techniques for Security Verification of Computer SystemsACM Journal on Emerging Technologies in Computing Systems10.1145/356478519:1(1-34)Online publication date: 19-Jan-2023
https://dl.acm.org/doi/10.1145/3564785
Derakhshan FZhang ZVasudevan AJia L(2023)Towards End-to-End Verified TEEs via Verified Interface Conformance and Certified Compilers2023 IEEE 36th Computer Security Foundations Symposium (CSF)10.1109/CSF57540.2023.00021(324-339)Online publication date: Jul-2023
https://doi.org/10.1109/CSF57540.2023.00021
Sun HMao ZWang JZhao ZWang W(2023)Applying Rely-Guarantee Reasoning on Concurrent Memory Management and Mailbox in $$\mu $$C/OS-II: A Case StudyFormal Methods for Industrial Critical Systems10.1007/978-3-031-43681-9_13(224-241)Online publication date: 17-Sep-2023
https://doi.org/10.1007/978-3-031-43681-9_13
Ribeiro LLorber FNyman ULarsen KBaunach M(2023)A Modeling Concept for Formal Verification of OS-Based Compositional SoftwareFundamental Approaches to Software Engineering10.1007/978-3-031-30826-0_2(26-46)Online publication date: 22-Apr-2023
https://dl.acm.org/doi/10.1007/978-3-031-30826-0_2
Guo YWang ZZhong BZeng Q(2022)Formal Modeling and Security Analysis for Intra-level Privilege SeparationProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3567984(88-101)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3567984
Tao RShi YYao JLi XJavadi-Abhari ACross AChong FGu RJhala RDillig I(2022)Giallar: push-button verification for the qiskit Quantum compilerProceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation10.1145/3519939.3523431(641-656)Online publication date: 9-Jun-2022
https://dl.acm.org/doi/10.1145/3519939.3523431
Wang YZhang LShao ZKoenig J(2022)Verified compilation of C programs with a nominal memory modelProceedings of the ACM on Programming Languages10.1145/34986866:POPL(1-31)Online publication date: 12-Jan-2022
https://dl.acm.org/doi/10.1145/3498686
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents