Adam Chlipala University of California, Berkeley ICFP 2006

Similar documents
Static and User-Extensible Proof Checking. Antonis Stampoulis Zhong Shao Yale University POPL 2012

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

Formally Certified Satisfiability Solving

An experiment with variable binding, denotational semantics, and logical relations in Coq. Adam Chlipala University of California, Berkeley

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Coq. LASER 2011 Summerschool Elba Island, Italy. Christine Paulin-Mohring

Combining Coq and Gappa for Certifying FP Programs

CSCI-GA Scripting Languages

Functional Programming in Coq. Nate Foster Spring 2018

A Certified Implementation of a Distributed Security Logic

The design of a programming language for provably correct programs: success and failure

Pierce Ch. 3, 8, 11, 15. Type Systems

The Substitution Model

CMSC 330: Organization of Programming Languages

Lecture 8: Summary of Haskell course + Type Level Programming

Induction in Coq. Nate Foster Spring 2018

Proof Carrying Code(PCC)

Outline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context

The Mezzo case. Jonathan Protzenko. François Pottier FSFMA'13. Why design a new programming language?

Language Techniques for Provably Safe Mobile Code

Specification, Verification, and Interactive Proof

Formal Methods for Aviation Software Design and Certification

Provably Correct Software

The Bedrock Structured Programming System

The Substitution Model. Nate Foster Spring 2018

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Embedding logics in Dedukti

Deductive Program Verification with Why3, Past and Future

Runtime Checking for Program Verification Systems

c constructor P, Q terms used as propositions G, H hypotheses scope identifier for a notation scope M, module identifiers t, u arbitrary terms

Coq quick reference. Category Example Description. Inductive type with instances defined by constructors, including y of type Y. Inductive X : Univ :=

Outline. Proof Carrying Code. Hardware Trojan Threat. Why Compromise HDL Code?

Verification Condition Generation via Theorem Proving

Adam Chlipala University of California, Berkeley PLDI 2007

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

Typed Compilation Against Non-Manifest Base Classes

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Verasco: a Formally Verified C Static Analyzer

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Combining Programming with Theorem Proving

Assuring Software Protection in Virtual Machines

Programming Languages

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Behavioral Equivalence

Chapter 1. Introduction

Behavioral Equivalence

Type Theory meets Effects. Greg Morrisett

Bidirectional Certified Programming

Programming with dependent types: passing fad or useful tool?

Advances in Programming Languages

Background. From my PhD (2009): Verified Lisp interpreter in ARM, x86 and PowerPC machine code

Numerical Computations and Formal Methods

Translation Validation for a Verified OS Kernel

Types. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus

COS 320. Compiling Techniques

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs

Chapter 3 (part 3) Describing Syntax and Semantics

A Certified Non-Interference Java Bytecode Verifier

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Implicit Computational Complexity

K and Matching Logic

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Programming with C Library Functions Safely

Static program checking and verification

Intrinsically Typed Reflection of a Gallina Subset Supporting Dependent Types for Non-structural Recursion of Coq

CS4215 Programming Language Implementation

Recursion and Induction

Idris: Implementing a Dependently Typed Programming Language

Introduction to dependent types in Coq

SOFTWARE VERIFICATION AND COMPUTER PROOF (lesson 1) Enrico Tassi Inria Sophia-Antipolis

Formal verification of an optimizing compiler

Spot: A Programming Language for Verified Flight Software

Lecture 15 CIS 341: COMPILERS

Type Inference. Prof. Clarkson Fall Today s music: Cool, Calm, and Collected by The Rolling Stones

Java Modelling Language (JML) References

Operational Semantics. One-Slide Summary. Lecture Outline

A native compiler for Coq: current status, perspectives and discussion 1

CS558 Programming Languages

From Crypto to Code. Greg Morrisett

Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs

Principles of Programming Languages

Types and Type Inference

CSCE 314 Programming Languages. Type System

Type Systems. Today. 1. Organizational Matters. 1. Organizational Matters. Lecture 1 Oct. 20th, 2004 Sebastian Maneth. 1. Organizational Matters

Browser Security Guarantees through Formal Shim Verification

10 Years of Partiality and General Recursion in Type Theory

A Simple Supercompiler Formally Verified in Coq

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

Lecture 11 Lecture 11 Nov 5, 2014

Introduction to Coq Proof Assistant

ACL2 Challenge Problem: Formalizing BitCryptol April 20th, John Matthews Galois Connections

Strong Formal Verification for RISC-V From Instruction-Set Manual to RTL

Types, Type Inference and Unification

Formal Semantics. Prof. Clarkson Fall Today s music: Down to Earth by Peter Gabriel from the WALL-E soundtrack

Verification Condition Generation

Lectures 20, 21: Axiomatic Semantics

Type Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.

Transcription:

Modular Development of Certified Program Verifiers with a Proof Assistant Adam Chlipala University of California, Berkeley ICFP 2006 1

Who Watches the Watcher? Program Verifier Might want to ensure: Memory safety Resource usage bounds Total correctness Program Verifier Verifier Type-checker for stylized verifier language? Result checker on witnesses outputted by verifiers? Interactive proof assistant? Java Bytecode Verifier Extended Static Checking Typed Assembly Language Proof-Carrying Code Model Checking Untrusted Program 2

But Why? ` e : Proof mov eax, ecx Proof Proof-Carrying Code Compact proofs in a language specialized to one safety mechanism (e.g., a type system) Every new safety mechanism requires trusting a new body of code Foundational Proof-Carrying Code Proofs about the real machine semantics, written in a very general language Proofs are much larger, making them expensive to check and transmit Certified Program Verifiers Allow custom executable verifiers that can be reused Require that every verifier be proved sound No proofs generated or checked at runtime 3

The Big Picture x86 Machine Code Semantics Coq Proof Checker Proof of Verifier Soundness Program Extraction OCaml Source Memory Safety Verifier Compiler Annotations x86 executable Safe _ Unknown Type annotations on registers, stack slots, etc., for each basic block Native Code 4

The Big Picture High-Level Type System + Soundness Proof Verifier Construction Library (Functor) Memory Safety Verifier Proof of Verifier Soundness 5

Outline Programming with dependent types...using a proof assistant A library for constructing certified verifiers Implementation 6

Classical Program Verification A ^ B! C Verification Condition Generator A' ^ B'! C' Verification Condition Interactive Automated Provers (Coq, (Simplify, Isabelle, PVS, etc.) etc.) Proof 7

Internal Verification Precondition and postcondition x y f h Proof of postcondition Proof of precondition Precondition and postcondition Proof of precondition Precondition and postcondition... u g Proof of postcondition Proof of precondition Proof of postcondition 8

Benefits vs. Classical Type System A B Verification...... Query (+ precondition proof) Main Loop Query (+ precondition proof) Type Inference Type (+ postcondition proof) Verification Condition Generator Instruction Decoder Proof This verifier is sound. new Type Your error proof at line is wrong! 1234! Thanks! 9

Dealing with Proof Terms fun ls1 : list => list_ind (fun ls2 : list => forall ls3 ls4 : list, append (append ls2 ls3) ls4 = append ls2 (append ls3 ls4)) (fun ls2 ls3 : list => refl_equal (append ls2 ls3)) (fun (n : nat) (ls2 : list) (IHls1 : forall ls3 ls4 : list, append (append ls2 ls3) ls4 = append ls2 (append ls3 ls4)) (ls3 ls4 : list) => eq_ind_r (fun l : list => cons n l = cons n (append ls2 (append ls3 ls4))) (refl_equal (cons n (append ls2 (append ls3 ls4)))) (IHls1 ls3 ls4)) ls1 x y 1 + 1 = 2 list append associativity Proof of postcondition... Proof of precondition 10

Mixing Programming with Tactics Definition iseven : forall n, [even(n)]. refine (fix iseven (n : nat) : [even(n)] := match n return [even(n)] The with type of O > Yes an optional Step 1. Declare the function proof we mean of a to write S O > No as a proof search proposition goal. Step 3. Generate the proof part of the S (S n') > Yes); auto. Qed. proof < iseven proof n'; implementation Generate a using tactics. obligation Monadic notation: fail if the recursive call fails; otherwise, Step 2. Give the program part of the bind proof in the body. implementation. 11

A Verification Stack ::= int ptr Phantom state: Map from addresses to types Phantom state: Map from flags to correlation with High-level type language definition Type inference procedure Type-based registers/memory checker for potentially dangerous operations ::= int ptr Phantom state: Map from flags to correlation with Semantic registers/memory interpretation of types Proofs that inference procedure and operation ::= int checker ptr respect that semantics ::= int ptr stackptr(n) retptr callee_save(r) D ::= register! step : state RISC instruction! state Assumption: Code is immutable D ::= register! Function from x86 executables to optional proofs of their safety step : state RISC instruction! state D ::= register! Note: The proofs are erased by program extraction! (They are just a formal device for proving the verifier's soundness.) step : state x86 instruction! state Generic fixed point computation procedure Weak Update Type System Simple Flags Stack Types Type System Fixed Code Reduction Abstract Interpretation x86 Semantics 12

Implementation Component Lines of code Verification stack 7k (Coq) Bitvectors and fixed-precision arithmetic 1k (Coq) x86 semantics 1k (Coq) Utility library 10k (Coq) x86 binary parser New extraction optimizations Algebraic datatype verifier Total trusted 1500 (OCaml) 1k (OCaml) 600 (Coq) ~5k 13

Sample Code: Type Language Inductive ty : Set := Constant : int32 > ty Product : product > ty Sum : ty > ty > ty Var : var > ty Recursive : var > ty > ty with product : Set := PNil : product PCons : ty > product > product. 14

Sample Code: Subtype Checker Definition subty : forall (t1 t2 : ty), poption (forall ctx v, hasty ctx v t1 > hasty ctx v t2). refine (fix subty (t1 t2 : ty) {struct t2} : poption (forall ctx v, hasty ctx v t1 > hasty ctx v t2) := match (t1, t2) with (Constant n1, Constant n2) => pfeq < int32_eq n1 n2; Yes (Product (PCons (Constant n) (PCons t PNil)), Sum t1 t2) => if int32_eq n 0 && ty_eq t t1 then Yes else if int32_eq n 1 && ty_eq t t2 then Yes else No (Recursive x body, t2) => pfsub < subty (subst x (Recursive x body) body) t2; Yes... end);... Qed. 15

Related Work CompCert certified C compiler project [Leroy et al.] Foundational proof checkers with small witnesses [Wu et al.] Lots of work on building bytecode verifiers with proof assistants 16

Conclusion Today's technology makes constructing certified verifiers with dependent types feasible Good mixture of soundness guarantees, ease of engineering, and runtime efficiency Code and documentation on the web at: http://proofos.sourceforge.net/ 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback