research-article

Public Access

FastVer2: A Provably Correct Monitor for Concurrent, Key-Value Stores

Authors:

Tahina Ramananandro,

Aymeric Fromherz,

Ravi RamamurthyAuthors Info & Claims

CPP 2023: Proceedings of the 12th ACM SIGPLAN International Conference on Certified Programs and Proofs

Pages 30 - 46

https://doi.org/10.1145/3573105.3575687

Published: 11 January 2023 Publication History

Abstract

FastVer is a protocol that uses a variety of memory-checking techniques to monitor the integrity of key-value stores with only a modest runtime cost. Arasu et al. formalize the high-level design of FastVer in the F* proof assistant and prove it correct. However, their formalization did not yield a provably correct implementation---FastVer is implemented in unverified C++ code.

In this work, we present FastVer2, a low-level, concurrent implementation of FastVer in Steel, an F* DSL based on concurrent separation logic that produces C code, and prove it correct with respect to FastVer's high-level specification. Our proof is the first end-to-end system proven using Steel, and in doing so we contribute new ghost-state constructions for reasoning about monotonic state. Our proof also uncovered a few bugs in the implementation of FastVer.

We evaluate FastVer2 by comparing it against FastVer. Although our verified monitor is slower in absolute terms than the unverified code, its performance also scales linearly with the number of cores, yielding a throughput of more that 10M op/sec. We identify several opportunities for performance improvement, and expect to address these in the future.

References

[1]

Martín Abadi. 1997. Secrecy by Typing inSecurity Protocols. In Theoretical Aspects of Computer Software, Third International Symposium, TACS ’97, Sendai, Japan, September 23-26, 1997, Proceedings, Martín Abadi and Takayasu Ito (Eds.) (Lecture Notes in Computer Science, Vol. 1281). Springer, 611–638. https://doi.org/10.1007/BFb0014571

[2]

Pieter Agten, Bart Jacobs, and Frank Piessens. 2015. Sound Modular Verification of C Code Executing in an Unverified Context. SIGPLAN Not., 50, 1 (2015), jan, 581–594. issn:0362-1340 https://doi.org/10.1145/2775051.2676972

Digital Library

[3]

Danel Ahman, Cédric Fournet, Cătălin Hriţcu, Kenji Maillard, Aseem Rastogi, and Nikhil Swamy. 2018. Recalling a Witness: Foundations and Applications of Monotonic State. PACMPL, 2, POPL (2018), jan, 65:1–65:30. arxiv:1707.02466

Digital Library

[4]

Arvind Arasu, Badrish Chandramouli, Johannes Gehrke, Esha Ghosh, Donald Kossmann, Jonathan Protzenko, Ravi Ramamurthy, Tahina Ramananandro, Aseem Rastogi, Srinath Setty, Nikhil Swamy, Alexander van Renen, and Min Xu. 2021. FastVer: Making Data Integrity a Commodity. In Proceedings of the 2021 International Conference on Management of Data (SIGMOD ’21). Association for Computing Machinery, New York, NY, USA. 89–101. isbn:9781450383431 https://doi.org/10.1145/3448016.3457312

Digital Library

[5]

M. Blum, W. Evans, P. Gemmell, S. Kannan, and M. Naor. 1991. Checking the correctness of memories. In [1991] Proceedings 32nd Annual Symposium of Foundations of Computer Science. 90–99. https://doi.org/10.1109/SFCS.1991.185352

Digital Library

[6]

John Boyland. 2003. Checking Interference with Fractional Permissions. In Static Analysis, Radhia Cousot (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg. 55–72. isbn:978-3-540-44898-3

[7]

Badrish Chandramouli, Guna Prasaad, Donald Kossmann, Justin Levandoski, James Hunter, and Mike Barnett. 2018. FASTER: An Embedded Concurrent Key-Value Store for State Management. Proc. VLDB Endow., 11, 12 (2018), aug, 1930–1933. issn:2150-8097 https://doi.org/10.14778/3229863.3236227

Digital Library

[8]

Brian F. Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears. 2010. Benchmarking Cloud Serving Systems with YCSB. In Proceedings of the 1st ACM Symposium on Cloud Computing (SoCC ’10). Association for Computing Machinery, New York, NY, USA. 143–154. isbn:9781450300360 https://doi.org/10.1145/1807128.1807152

Digital Library

[9]

Intel Corp. 2012. Intel Advanced Encryption Standard Instructions (AES-NI). https://www.intel.com/content/www/us/en/developer/articles/technical/advanced-encryption-standard-instructions-aes-ni.html

[10]

Leonardo Mendonça de Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS (Lecture Notes in Computer Science, Vol. 4963). Springer, 337–340. isbn:978-3-540-78799-0 https://doi.org/10.1007/978-3-540-78800-3_24

[11]

Aymeric Fromherz, Aseem Rastogi, Nikhil Swamy, Sydney Gibson, Guido Martínez, Denis Merigoux, and Tahina Ramananandro. 2021. Steel: Proof-Oriented Programming in a Dependently Typed Concurrent Separation Logic. In Proceedings of the International Conference on Functional Programming (ICFP).

Digital Library

[12]

Andrew D. Gordon and Alan Jeffrey. 2003. Authenticity by Typing for Security Protocols. J. Comput. Secur., 11, 4 (2003), 451–520. https://doi.org/10.3233/jcs-2003-11402

[13]

Travis Hance, Andrea Lattuada, Chris Hawblitzel, Jon Howell, Rob Johnson, and Bryan Parno. 2020. Storage Systems Are Distributed Systems (so Verify Them That Way!). In Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation (OSDI’20). USENIX Association, USA. Article 6, 17 pages. isbn:978-1-939133-19-9

Digital Library

[14]

Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill. 2014. Ironclad Apps: End-to-End Security via Automated Full-System Verification. In 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI ’14, Broomfield, CO, USA, October 6-8, 2014., Jason Flinn and Hank Levy (Eds.). USENIX Association, 165–181. https://www.usenix.org/conference/osdi14/technical-sessions/presentation/hawblitzel

Digital Library

[15]

Jonas Braband Jensen and Lars Birkedal. 2012. Fictional Separation Logic. In Programming Languages and Systems - 21st European Symposium on Programming, ESOP 2012, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2012, Tallinn, Estonia, March 24 - April 1, 2012. Proceedings, Helmut Seidl (Ed.) (Lecture Notes in Computer Science, Vol. 7211). Springer, 377–396. isbn:978-3-642-28868-5 https://doi.org/10.1007/978-3-642-28869-2_19

Digital Library

[16]

Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Program., 28 (2018), e20. https://doi.org/10.1017/S0956796818000151

[17]

Ralph Merkle. 1979. Method of providing digital signatures. US Patent US4309569A.

[18]

Aleksandar Nanevski, J. Gregory Morrisett, and Lars Birkedal. 2008. Hoare type theory, polymorphism and separation. J. Funct. Program., 18, 5-6 (2008), 865–911. http://ynot.cs.harvard.edu/papers/jfpsep07.pdf

Digital Library

[19]

Alexandre Pilkiewicz and François Pottier. 2011. The essence of monotonic state. In Proceedings of TLDI 2011: 2011 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation, Austin, TX, USA, January 25, 2011, Stephanie Weirich and Derek Dreyer (Eds.). ACM, 73–86. isbn:978-1-4503-0484-9 https://doi.org/10.1145/1929553.1929565

Digital Library

[20]

Jonathan Protzenko, Bryan Parno, Aymeric Fromherz, Chris Hawblitzel, Marina Polubelova, Karthikeyan Bhargavan, Benjamin Beurdouche, Joonwon Choi, Antoine Delignat-Lavaud, Cédric Fournet, Natalia Kulatova, Tahina Ramananandro, Aseem Rastogi, Nikhil Swamy, Christoph M. Wintersteiger, and Santiago Zanella-Beguelin. 2020. EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider. In 2020 IEEE Symposium on Security and Privacy (SP). 983–1002. https://doi.org/10.1109/SP40000.2020.00114

[21]

Jonathan Protzenko, Jean-Karim Zinzindohoué, Aseem Rastogi, Tahina Ramananandro, Peng Wang, Santiago Zanella-Béguelin, Antoine Delignat-Lavaud, Cătălin Hriţcu, Karthikeyan Bhargavan, Cédric Fournet, and Nikhil Swamy. 2017. Verified Low-Level Programming Embedded in F*. PACMPL, 1, ICFP (2017), Sept., 17:1–17:29. https://doi.org/10.1145/3110261

Digital Library

[22]

Tahina Ramananandro, Antoine Delignat-Lavaud, Cédric Fournet, Nikhil Swamy, Tej Chajed, Nadim Kobeissi, and Jonathan Protzenko. 2019. EverParse: Verified Secure Zero-Copy Parsers for Authenticated Message Formats. In Proceedings of the 28th USENIX Conference on Security Symposium (USENIX Security 2019). USENIX Association, USA. 1465–1482. isbn:9781939133069

[23]

Nikhil Swamy, Cătălin Hriţcu, Chantal Keller, Aseem Rastogi, Antoine Delignat-Lavaud, Simon Forest, Karthikeyan Bhargavan, Cédric Fournet, Pierre-Yves Strub, Markulf Kohlweiss, Jean-Karim Zinzindohoué, and Santiago Zanella-Béguelin. 2016. Dependent Types and Multi-Monadic Effects in F*. In 43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 256–270. isbn:978-1-4503-3549-2 https://www.fstar-lang.org/papers/mumon/

Digital Library

[24]

Nikhil Swamy, Tahina Ramananandro, Aseem Rastogi, Irina Spiridonova, Haobin Ni, Dmitry Malloy, Juan Vazquez, Michael Tang, Omar Cardona, and Arti Gupta. 2022. Hardening Attack Surfaces with Formally Proven Binary Format Parsers. In Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2022). Association for Computing Machinery, New York, NY, USA. 31–45. isbn:9781450392655 https://doi.org/10.1145/3519939.3523708

Digital Library

[25]

Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz, Denis Merigoux, Danel Ahman, and Guido Martínez. 2020. SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependently Typed Programs. Proc. ACM Program. Lang., 4, ICFP (2020), Article 121, Aug., 30 pages. https://doi.org/10.1145/3409003

Digital Library

[26]

Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz, Denis Merigoux, Danel Ahman, and Guido Martínez. 2020. SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependently Typed Programs. Proc. ACM Program. Lang., 4, ICFP (2020), Article 121, Aug., 30 pages. https://doi.org/10.1145/3409003

Digital Library

[27]

Roberto Tamassia. 2003. Authenticated Data Structures. In Algorithms - ESA 2003, Giuseppe Di Battista and Uri Zwick (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 2–5. isbn:978-3-540-39658-1

[28]

Amin Timany and Lars Birkedal. 2021. Reasoning about Monotonicity in Separation Logic. In Proceedings of the 10th ACM SIGPLAN International Conference on Certified Programs and Proofs (CPP 2021). Association for Computing Machinery, New York, NY, USA. 91–104. isbn:9781450382991 https://doi.org/10.1145/3437992.3439931

Digital Library

[29]

Jean-Karim Zinzindohoué, Karthikeyan Bhargavan, Jonathan Protzenko, and Benjamin Beurdouche. 2017. HACL*: A Verified Modern Cryptographic Library. In ACM Conference on Computer and Communications Security. ACM, 1789–1806. http://eprint.iacr.org/2017/536

Digital Library

Cited By

Andrici CCiobâcă ȘHriţcu CMartínez GRivas ETanter ÉWinterhalter T(2024)Securing Verified IO Programs Against Unverified Code in F*Proceedings of the ACM on Programming Languages10.1145/36329168:POPL(2226-2259)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632916
Basin DKrstić SSchneider JTraytel D(2023)Correct and Efficient Policy Monitoring, a RetrospectiveAutomated Technology for Verification and Analysis10.1007/978-3-031-45329-8_1(3-30)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1007/978-3-031-45329-8_1

Index Terms

FastVer2: A Provably Correct Monitor for Concurrent, Key-Value Stores
1. Information systems
  1. Data management systems
    1. Database management system engines
      1. Integrity checking
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification

Recommendations

Building Efficient Key-Value Stores via a Lightweight Compaction Tree
Special Issue on MSST 2017 and Regular Papers

Log-Structure Merge tree (LSM-tree) has been one of the mainstream indexes in key-value systems supporting a variety of write-intensive Internet applications in today’s data centers. However, the performance of LSM-tree is seriously hampered by ...
Interactive proofs in higher-order concurrent separation logic
POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages

When using a proof assistant to reason in an embedded logic -- like separation logic -- one cannot benefit from the proof contexts and basic tactics of the proof assistant. This results in proofs that are at a too low level of abstraction because they ...
Interactive proofs in higher-order concurrent separation logic
POPL '17

When using a proof assistant to reason in an embedded logic -- like separation logic -- one cannot benefit from the proof contexts and basic tactics of the proof assistant. This results in proofs that are at a too low level of abstraction because they ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CPP 2023: Proceedings of the 12th ACM SIGPLAN International Conference on Certified Programs and Proofs

January 2023

347 pages

ISBN:9798400700262

DOI:10.1145/3573105

General Chairs:
Robbert Krebbers
Radboud University Nijmegen, Netherlands
,
Dmitriy Traytel
University of Copenhagen, Denmark
,
Program Chairs:
Brigitte Pientka
McGill University, Canada
,
Steve Zdancewic
University of Pennsylvania, USA

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGPLAN: ACM Special Interest Group on Programming Languages

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 January 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Office of Naval Research

Conference

CPP '23

Sponsor:

SIGPLAN

CPP '23: 12th ACM SIGPLAN International Conference on Certified Programs and Proofs

January 16 - 17, 2023

MA, Boston, USA

Acceptance Rates

Overall Acceptance Rate 18 of 26 submissions, 69%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
185
Total Downloads

Downloads (Last 12 months)119
Downloads (Last 6 weeks)15

Reflects downloads up to 12 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Andrici CCiobâcă ȘHriţcu CMartínez GRivas ETanter ÉWinterhalter T(2024)Securing Verified IO Programs Against Unverified Code in F*Proceedings of the ACM on Programming Languages10.1145/36329168:POPL(2226-2259)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632916
Basin DKrstić SSchneider JTraytel D(2023)Correct and Efficient Policy Monitoring, a RetrospectiveAutomated Technology for Verification and Analysis10.1007/978-3-031-45329-8_1(3-30)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1007/978-3-031-45329-8_1

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten