An%20Open%20Framework%20for%20Certified%20System%20Software

1
An Open Framework for Certified System Software

• Xinyu Feng
• Yale University

2
Why Certified Software?
Mars Polar Lander
Mars climate orbiter
Ariane 5
3
Something More Relevant
4
Photo from edmunds.com
Toyota recalled its 160,000 Prius cars in Oct
2005, because of bugs in the software controlling
the hybrid gas-electric engine system
5
How to Guarantee Software Quality?

• We need a certified computing platform!

Uncertified legacy code becomes second-class
citizen!
Buggy? Security Infrastructure
Certified Security Infrastructure
Buggy? Runtime Services Libraries
Certified Runtime Services Libraries
Buggy? Bootloader OS Device Driver
Certified Bootloader OS Device Driver
Hardware
6
Certified Software Problem Definition

• Hardware
• processors, memory, storage, devices,
• Software
• bootloader, device drivers, OS, runtime,
  applications,
• Need a mathematical proof showing that as long
  as the hardware works, the software always
  work according to its specification

7
A Mini-OS
1300-line 16bit x86 code, Bootable! http//flint.c
s.yale.edu/feng/cos
. . .
. . .
KBD
timer
interrupts
But how to certify the code?
8
Certifying the Mini-OS
1300 lines of code
Many challenges
bootloader
Code loading
scheduler
Low-level code C/Assembly
timer int. handler
Concurrency
thread lib spawn, exit, yield,
Interrupts
sync. lib locks and monitors
Device drivers / IO
keyboard driver
Certified the whole system
keyboard int. handler
Many different features

Different abstraction levels
9
My Contributions

• Specialized program logics
• SCAP stack-based control abstractions
• SAGL modular concurrency verification
• CMAP dynamic thread creation
• concurrency with relaxed memory model ongoing
  work
• An open framework for certified systems
• OCAP embedding and interoperation between
  different verification systems TLDI07
• interoperability based on semantic models
  ongoing work

PLDI06
ESOP07
ICFP05
10
Outline of This Talk

• The OCAP Framework
• SAGL modular concurrency verification
• SCAP stack-based control abstractions
• Embedding and linking in OCAP

11
Modules at Different Levels

• Example how to certify multi-threaded software?

• All concurrency verification assumes built-in
  concurrency

• Context switching, scheduler
• Too low-level to be certified in these logics

• Threads schedulers have never been certified in
  a single logic!

12
Building Fully Certified Systems

• One logic for all code
• Consider all possible interactions.
• Very difficult!
• Reality
• Only limited combinations of features are used.
• Its simpler to use a specialized logic for each
  combination.
• Interoperability between logics

13
Our Solution

OCAP
Modeling of the machine
Mechanized Meta-Logic (CiC)
14
The Machine
(data heap) H
I1
f1
addu lw sw j f
pc
0
1
2

I2
f2
r1
r2
r3

rn
I3
f3
(register file) R

(code heap) C
(state) S
(instr. seq.) I
(H,R)
f ? I
(program) P
(C,S,pc)
15
Program Specifications
(spec) ? f ? ?
(data heap) H
?
I1
f1
addu lw sw j f
pc
0
1
2

I2
f2
r1
r2
r3

rn
I3
f3
(register file) R

(code heap) C
(state) S
(instr. seq.) I
(H,R)
f ? I
(program) P
(C,S,pc)
16
Invariant-Based Verification

• Initial condition Inv?(P0)

Progress if Inv?(P), then ?P. P ?c
P. Preservation if Inv?(P) and P ?c P, then
Inv?(P).
17
Domain specific logics
How to link modules?
Ln

L1
OCAP Rules
Modeling of the machine
Mechanized Meta-Logic (CiC)
18
How to Link Modules
f


call f
r1?1, , rn?n
P_Q
a
a'
19
How to Link Modules
How to define interpretation?
Encode the invariant enforced in our
invariant-based proof methodology.
a should be expressive enough to encode Inv.
20
An Open Framework
A set of Hoare-logic rules as the foundational
layer
use a as the assertion language supports
first-class code pointers, mutable references,
polymorphisms, recursive types,
21
The OCAP Framework TLDI'07
Sound
OCAP Rules
OCAP Soundness
Modeling of the machine
Mechanized Meta-Logic (CiC)
22
Outline of This Talk

• The OCAP Framework
• SAGL modular concurrency verification
• SCAP stack-based control abstractions
• Embedding and linking in OCAP

Ln
L1
SAGL
SCAP
OCAP
Modeling of the machine
Mechanized Meta-Logic (CiC)
23
Certifying Concurrent Programs

• How to guarantee
• non-interference

in a modular way?
Existing work is not modular/general
24
Certifying Concurrent Programs

• Assume-Guarantee (A-G) reasoning
  MisraChandy81, Jones83
• thread modularity, general
• spec of AG requires global data invariants
• Concurrent Separation Logic (CSL) OHearn,
  Brookes 2004
• thread modularity local reasoning
• restrictive synchronization pattern
• shared resources can be accessed only inside
  critical regions
• SAGL extend A-G with local reasoning ESOP'07
• improved modularity without loss of generality

25
Assume-Guarantee Reasoning

• Thread T and its environment
• Environment the collection of all other threads
  except T
• A assumption about environments transition
• G guarantee to the environment
• a precondition

26
A-G Reasoning
Non-Interference of threads
?i,j . Gi ? Aj ( i ? j )

• To certify each thread

stability of precondition
? S, S'. a S ? A S S' ? a S'
transitions satisfy the guarantee
G S Nextc(S)
27
A-G Reasoning
Requires global invariants!
G1
G2
a1
a2
A1
A2
a2
a1
28
SAGL Overview

• Partition of resources shared private

Threads specs
(a1, p1), (a2, p2),
Partition is conceptual
(p1 ? p2) ? (a1 ? a2)
29
SAGL Memory Access
Threads have exclusive access to their private
resources.
All threads can access shared part.
Needs to guarantee non-interference.
Follows assume/guarantee reasoning.
Partitions can be dynamically adjusted.
30
SAGL Access Shared Resource
G2
a1
A1
a1
A-G reasoning a special case where
p1 and p2 are emp.
31
SAGL Access Private Resource
32
SAGL - Redistribution
a1
a1
G2
A1
G2
A1
a1
a1
lock
unlock
33
Example List
getNode() l.acq()
l.rel()
-(ainv , emp)
-(emp, emp ? List(x))
-(emp, Node(y) ? List(x))
ainv free(l) ? List(x) ? ?free(l) ? emp
ainv
-(List(x), Node(y))
34
SAGL ESOP07
A-G reasoning
Threads have exclusive access to their private
resources.
Partitions can be dynamically adjusted.
CSL
35
Outline of this talk

• The OCAP Framework
• SAGL modular concurrency verification
• SCAP stack-based control abstractions
• Embedding and linking in OCAP

Ln
L1
SAGL
SCAP
OCAP
Modeling of the machine
Mechanized Meta-Logic (CiC)
36
Certifying C Assembly Code?
How to specify/verify control abstractions?

• Stack-based control abstractions
• call/return, tail call, exceptions (stack
  cutting/ stack unwinding), coroutines/threads
  context switching

How to formulate the stack invariants?
37
Problems call/return
void f() void h() h()
return return
Stacks are hidden!
38
Problems call/return
R
void f() void h() h()
return return
ra
ct
??
pc
Does f use the right return addr.?
39
Problems setjmp/longjmp
env cannot outlive the stack frame of rev !
jmp_buf env
void cmp0(int x,jmp_buf env) cmp1(x, env)
int rev(int x) if (setjmp(env) 0)
cmp0(x, env) return 0 else return
1
pc
pc
void cmp1(int x,jmp_buf env) if (x 0)
longjmp(env, 1) else return
pc
env
sp

40
Stack-Based Control Abstractions

• A simple system (SCAP) for modular verification
  of
• (1) compiled C code (2) manually-written
  assembly code

Function call/return
PLDI'06
Tail calls
Exceptions Stack-unwinding
Exceptions Stack-cutting
PLDI06
weak-continuation
YALEU/DCS/TR-1336
setjmp/longjmp
Coroutines (w. function call)
Threads context switching
TLDI07
41
Specifications

• Challenges
• f uses the right return addr.?
• Hoare triple p f q?
• In different basic blocks!

f ... sw ra, -4(fp)
jal h ct lw ra, -4(fp) ...
jr ra
(p0, g0)

• SCAP specifications (p, g)
• p State ? Prop
• g State ? State ? Prop

(p1, g1)
g0 S S? S.ra S.ra
42
Program Spec. and Code Pointers
p0
p1

• Program Specification
• ?
• f1?(p1,g1), ,fn?(pn,gn)
• safe to return (jr ra)
• ra?dom(?) ? ?(ra)(p,g)
• p holds at the time of return

jal f
p2
jal h
g2
g0
g1
p3
jr ra
g3
p4
jr ra

g4
jr ra
43
SCAP Stack Invariant
Always safe to return?
p0
S0
g0
p1
jr ra
g0 S0 S1 ? S1.ra ? ? ? ?(S1.ra))(p1, g1) ? p1
S1
S1
g1
p2
S2
g0 S0 S1 ? g1 S1 S2 ? S2.ra ? ? ?
?(S2.ra)(p2, g2) ? p2 S2
g2
p3
S3
g0 S0 S1 ? g1 S1 S2 ? g2 S2 S3 ? S3.ra ? ? ?
?(S3.ra)(p3, g3) ? p3 S3
g3
Logical control stack

44
SCAP Stack Invariant
p0

• WFST(n, g0, S0, ?) ?
• ?S1. g0 S0 S1 ?
• ? p1,g1.
• ?(S1.ra)(p1, g1) ?
• p1 S1 ?
• WFST(n-1, g1, S1, ?)
• WFST(0, g0, S0, ?) ?
• ? ?S1. g0 S0 S1
• Invariant
• p S ? ?n.WFST(n, g, S, ?)

S0
g0
p1
jr ra
S1
g1
p2
S2
g2
p3
S3
g3
Logical control stack
45
SCAP Invariant Preservation

• Inv(S)
• p S ? ?n.WFST(n, g, S, ?)

S
46
SCAP call
p S ? WFST(n, g, S, ?)
p0 S0 ? WFST(n1, g0, S0, ?)
p
p0
p0
S
S0
g0
g0
p1
p1
jr ra
jr ra
g
g1
g1
S1
S1
n
n
S2
S2


p S ? p0 S0
g0 S0 S1 ? S0.ra S1.ra
p S ? g0 S0 S1 ? p1 S1
p S ? g0 S0 S1 ? g1 S1 S2 ? g S S2
47
SCAP ret
p S ? WFST(n, g S, ?)
p1 S1 ? WFST(n-1, g1 S1, ?)
p
n
p1
p1
S
g
S1
g1
g1
jr ra
n-1
n-1


p S ? g S S1
48
Generalization Stack Unwinding/Cutting
49
Example setjmp/longjmp
jmp_buf env
void cmp0(int x,jmp_buf env) cmp1(x, env)
int rev(int x) if (setjmp(env) 0)
cmp0(x, env) return 0 else return
1
void cmp1(int x,jmp_buf env) if (x 0)
longjmp(env, 1) else return
50
(No Transcript)
51
Applications of SCAP

• malloc/free Feng et al. PLDI'06, Xiang et al.
  QSIC'06
• thread scheduler Feng et al. TLDI'07
• garbage collectors McCreightShao PLDI'07

52
Outline of This Talk

• The OCAP Framework
• SAGL modular concurrency verification
• SCAP stack-based control abstractions
• Embedding and linking in OCAP

Ln
L1
SAGL
SCAP
OCAP
Modeling of the machine
Mechanized Meta-Logic (CiC)
53
Threads and Scheduler

• Thread code C1,,Cn
• Certified in SAGL
• as concurrent code
• Do not know about thread queue

• Scheduler CS
• Certified in SCAP
• as sequential code
• Manages thread queue TQ
• Do not touch H

SCAP
SAGL

54
How to Specify Scheduler/yield
S1
S1
S2
S2
yield
SAGL
SCAP
55
Embedding of SCAP
Embedding
((p, g))scap ? ?, S. p S ?
?n.WFST(n, g, S, ?)
Soundness
?scap C?
?ocap C ?
If
, then
Supports proof reuse.
56
Embedding of SAGL
Embedding

• (((a,p),A,G))sagl
• ?, S.
• ?Qpc1, , pcn.
• ?(pci) ((ai,pi),Ai,Gi)?
• InMem(Q)?(p1??pn)?(a1??an) ?
• NI((A1,G1), , (An,Gn)) ?
• stable(ai,Ai)

57
Soundness of SAGL Embedding
?sagl C?
?y?ocap C?.
If
, then
58
Certifying The System
SCAP
SAGL
?sagl Ci?i
?scap Cs?y
?ocap Cs ?y
?y?ocap Ci ?i
?ocap Ci ? Cs ?i ? ?y
59
More Applications of OCAP
TAL Morrisett'98
malloc lib.
GCs
60
Conclusion

• Goal modular verification of system software
• modules use different computation features
• modules are at different abstraction levels
• Solution to certify different modules using
  different logics
• SCAP stack-based control abstractions
• SAGL modular concurrency verification
• CMAP assume-guarantee with dynamic threads
• OCAP interoperation between different
  verification systems

61
Conclusion

• Applications
• malloc/free Feng et al. PLDI'06, Xiang et al.
  QSIC'06
• garbage collectors McCreightShao PLDI'07
• thread scheduler Feng et al. TLDI'07
• threads scheduler Feng et al. TLDI'07
• TAL mem. alloc Feng et al. TLDI'07
• TAL GC Lin et al. TASE'07

62
Ongoing and Future Work

• Certifying OS
• Mini-OS ongoing work
• More realistic OS in the future, e.g. OS for
  embedded systems
• Concurrency with relaxed memory models
• relaxed memory models and STM
• General Hoare-logic (next generation of OCAP)
• based on a uniform semantic model of features
• support concurrency, partial correctness, frame
  rules
• Push verification to high level code
• C-like code with inlined assembly
• Automated spec. inference and theorem proving

63
Thank you!
Acknowledgments Zhong Shao, Hongxu Cai, Rodrigo
Ferreira, Yu Guo, Andrew McCreight, Zhaozhong Ni,
Gang Tan, Alex Vaynberg, Sen Xiang
64
Backup Slides
65
Certifying the Mini-OS

• Modeling of x86 machine
• Real mode
• PIC, keyboard, hard drive
• 8- and 16-bit integers
• Verifying the code
• Multi-threaded code
• SAGL with extension of interrupts
• Scheduler, thread lib., interrupt handler
• SCAP with extension of interrupts
• Interactions with devices (PIC, PIT, keyboard,
  HDR)
• Finite state machine in the specifications

66
Statistics

• FIFO scheduler/context switching code
• 30 line of MIPS code
• 1400 line of proof scripts
• malloc/free
• 42/50 line of MIPS code
• 1400/1560 line of proof scripts

67
Statistics
McCreight et al. PLDI07
68
Statistics TAL GC
Lin et al. TASE'07
69
SCAP tail call
p S ? WFST(n, g S, ?)
p0 S0 ? WFST(n, g0 S0, ?)
p
p0
p0
S
S0
g0
g0
g
jr ra
jr ra
j f
n
n
S1

S1

p S ? p0 S0
p S ? g0 S0 S1 ? g S S1
70
CMAP

• A-G reasoning
• properly nested structures P1 P2
• low-level code
• fork/join based structures
• dynamic thread environment
• CMAP
• unbounded dynamic creation/termination
• similar to the support of dynamic mem. alloc.
• change A and G to approximate the dynamic thread
  env.

71
Scheduler in SCAP
Thread code
jal yield ct
pc
yield pick one word (pci) from TQ
swap pci and r31 jr r31
72
Scheduler in SCAP
ct
yield (ps, gs) pick one word (pci) from
TQ swap pci and r31 jr r31
gs
ps ? ?Q.WFTQ(Q) ? True
ct
73
Example A-G reasoning
100
101
100 m
101 n
G1 101 101' A1 100 100'
G2 100 100' A2 101 101'
74
Example SAGL reasoning
100
101
-(emp , 101 ? _)
-(emp , 100 ? _)
100 m
101 n
75
OCAP Code pointers
Support of first-class code pointers
codeptr(f,a) ? ?(f) a
(Spec) ? f ? a
Not well-founded!
76
OCAP Code Pointers
No interoperation between multiple systems
77
OCAP Foreign Languages
(LangTy) L CiC Terms ? Type
(CodeSpec) ? CiC Terms ? L
Inductive TalType Type T_int
TalType T_pair TalType -gt TalType-gt
TalType
Inductive Tal2Type Type T2_int
TalType T2_pair TalType -gt TalType-gt
TalType
L TalType Tal2Type
?1 T_int T_pair ?1 ?1 ? TalType
?2 T2_int T2_pair ?2 ?2 ? Tal2Type
78
OCAP Specifications
(LangTy) L CiC Terms ? Type
(CodeSpec) ? CiC Terms ? L
(Interp) ( )L ? L ? Assert
(OCdSpec) ? ltL,( )L,?gt ? ?L.(L ? Assert)L
(Spec) ? (f1,?1), (fn,?n)
(Assert) a ? Spec ? State ? Prop
Not well-founded
79
OCAP Specifications
(LangTy) L CiC Terms ? Type
(CodeSpec) ? CiC Terms ? L
(Interp) ( )L ? L ? Assert
(OCdSpec) ? lt?,L,( )L,?gt
(Spec) ? (f1,?1), (fn,?n)
(Assert) a ? Spec ? State ? Prop
(LangID) ? n ? nat
(LangDict) D ?1?ltL1,( )L1gt,, ?n?ltLn,(
)Lngt ? LangID ?
(?L.L ? Assert)