Open access

DeepSEA: a language for certified system software

Published: 10 October 2019

Abstract

Writing certifiably correct system software is still very labor-intensive, and current programming languages are not well suited for the task. Proof assistants work best on programs written in a high-level functional style, while operating systems need low-level control over the hardware. We present DeepSEA, a language which provides support for layered specification and abstraction refinement, effect encapsulation and composition, and full equational reasoning. A single DeepSEA program is automatically compiled into a certified "layer" consisting of a C program (which is then compiled into assembly by CompCert), a low-level functional Coq specification, and a formal (Coq) proof that the C program satisfies the specification. Multiple layers can be composed and interleaved with manual proofs to ascribe a high-level specification to a program by stepwise refinement. We evaluate the language by using it to reimplement two existing verified programs: a SHA-256 hash function and an OS kernel page table manager. This new style of programming language design can directly support the development of correct-by-construction system software.

Supplementary Material

a136-sjoberg (a136-sjoberg.webm)
Presentation at OOPSLA '19


Published In

Proceedings of the ACM on Programming Languages, Volume 3, Issue OOPSLA, October 2019, 2077 pages. EISSN: 2475-1421. DOI: 10.1145/3366395.
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 October 2019
Published in PACMPL Volume 3, Issue OOPSLA


Author Tags

  1. certified software
  2. layered specification
  3. refinement
  4. verification

Qualifiers

  • Research-article


Article Metrics

  • Downloads (last 12 months): 205
  • Downloads (last 6 weeks): 33
Reflects downloads up to 14 Jan 2025.

Cited By

  • (2024) Foundational Integration Verification of a Cryptographic Server. Proceedings of the ACM on Programming Languages 8(PLDI), 1704–1729. DOI: 10.1145/3656446. Online publication date: 20 Jun 2024.
  • (2023) Survey of the Formal Verification of Operating Systems in Power Monitoring System. Proceedings of the 2023 5th International Conference on Pattern Recognition and Intelligent Systems, 65–70. DOI: 10.1145/3609703.3609714. Online publication date: 28 Jul 2023.
  • (2023) A Formal Approach to Design and Security Verification of Operating Systems for Intelligent Transportation Systems Based on Object Model. IEEE Transactions on Intelligent Transportation Systems 24(12), 15459–15467. DOI: 10.1109/TITS.2022.3224385. Online publication date: Dec 2023.
  • (2022) SigVM: enabling event-driven execution for truly decentralized smart contracts. Proceedings of the ACM on Programming Languages 6(OOPSLA2), 673–698. DOI: 10.1145/3563312. Online publication date: 31 Oct 2022.
  • (2022) Layered and object-based game semantics. Proceedings of the ACM on Programming Languages 6(POPL), 1–32. DOI: 10.1145/3498703. Online publication date: 12 Jan 2022.
  • (2021) Much ADO about failures: a fault-aware model for compositional verification of strongly consistent distributed systems. Proceedings of the ACM on Programming Languages 5(OOPSLA), 1–31. DOI: 10.1145/3485474. Online publication date: 15 Oct 2021.
  • (2021) Verification of Operating Systems for Internet of Things in Smart Cities From the Assembly Perspective Using Isabelle/HOL. IEEE Access 9, 2854–2863. DOI: 10.1109/ACCESS.2020.3047411. Online publication date: 2021.
  • (2021) How to Exploit a DeFi Project. Financial Cryptography and Data Security. FC 2021 International Workshops, 162–167. DOI: 10.1007/978-3-662-63958-0_14. Online publication date: 17 Sep 2021.
  • (2021) Verified Software Units. Programming Languages and Systems, 118–147. DOI: 10.1007/978-3-030-72019-3_5. Online publication date: 23 Mar 2021.
