Automating formal proofs for reactive systems

Published: 09 June 2014

Abstract

Implementing systems in proof assistants like Coq and proving their correctness in full formal detail has consistently demonstrated promise for making extremely strong guarantees about critical software, ranging from compilers and operating systems to databases and web browsers. Unfortunately, these verifications demand such heroic manual proof effort, even for a single system, that the approach has not been widely adopted.

We demonstrate a technique to eliminate the manual proof burden for verifying many properties within an entire class of applications, in our case reactive systems, while only expending effort comparable to the manual verification of a single system. A crucial insight of our approach is simultaneously designing both (1) a domain-specific language (DSL) for expressing reactive systems and their correctness properties and (2) proof automation which exploits the constrained language of both programs and properties to enable fully automatic, push-button verification. We apply this insight in a deeply embedded Coq DSL, dubbed Reflex, and illustrate Reflex's expressiveness by implementing and automatically verifying realistic systems including a modern web browser, an SSH server, and a web server. Using Reflex radically reduced the proof burden: in previous, similar versions of our benchmarks written in Coq by experts, proofs accounted for over 80% of the code base; our versions require no manual proofs.
