research-article

Deep Specifications and Certified Abstraction Layers

Published: 14 January 2015

Abstract

Modern computer systems consist of a multitude of abstraction layers (e.g., OS kernels, hypervisors, device drivers, network protocols), each of which defines an interface that hides the implementation details of a particular set of functionality. Client programs built on top of each layer can be understood solely based on the interface, independent of the layer implementation. Despite their obvious importance, abstraction layers have mostly been treated as a system concept; they have almost never been formally specified or verified. This makes it difficult to establish strong correctness properties, and to scale program verification across multiple layers.

In this paper, we present a novel language-based account of abstraction layers and show that they correspond to a strong form of abstraction over a particularly rich class of specifications which we call deep specifications. Just as data abstraction in typed functional languages leads to the important representation independence property, abstraction over deep specification is characterized by an important implementation independence property: any two implementations of the same deep specification must have contextually equivalent behaviors. We present a new layer calculus showing how to formally specify, program, verify, and compose abstraction layers. We show how to instantiate the layer calculus in realistic programming languages such as C and assembly, and how to adapt the CompCert verified compiler to compile certified C layers such that they can be linked with assembly layers. Using these new languages and tools, we have successfully developed multiple certified OS kernels in the Coq proof assistant, the most realistic of which consists of 37 abstraction layers, took less than one person year to develop, and can boot a version of Linux as a guest.
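To make the implementation independence property concrete, here is an added example in Python; it is not code from the paper, whose layers are written in Coq, C and assembly, and it is a bounded test rather than a proof. It models a hypothetical layer, a four-page allocator, whose deep specification fixes every observable outcome (alloc hands out the smallest free page), two implementations over different representations (a bitmap and a sorted free list), and a third, LIFO allocator that satisfies only the shallow reading "alloc returns some free page". refines() replays every client program up to a bounded length and checks, at each step, that the implementation's result and the image of its state under its abstraction function agree with the specification (a forward simulation); distinguishing_context() searches for a client program that can tell two implementations apart. The layer, the page count N, and every class and function name are assumptions made for this illustration.

```python
"""Toy model of a deep specification and the implementation independence it yields:
a pool of N pages with alloc() -> page index or -1 when exhausted, and free(p) -> True
iff p was allocated. The deep spec fixes every observable detail (alloc hands out the
smallest free index); a shallow one ("some free page") would not. Hypothetical layer."""
from itertools import product

N = 4  # pool size, small enough to enumerate every short client program exhaustively
OPS = [("alloc", None)] + [("free", p) for p in range(N + 1)]  # free(N) is out of range


def spec_step(allocated, op):
    """Deep specification over the abstract state (frozenset of allocated pages):
    returns (observable result, next abstract state)."""
    kind, p = op
    if kind == "alloc":
        free = [q for q in range(N) if q not in allocated]
        return (free[0], allocated | {free[0]}) if free else (-1, allocated)
    return (True, allocated - {p}) if p in allocated else (False, allocated)


class BitmapImpl:
    """Implementation 1: one bit per page."""
    def __init__(self):
        self.bits = 0

    def alloc(self):
        for p in range(N):
            if not self.bits >> p & 1:
                self.bits |= 1 << p
                return p
        return -1

    def free(self, p):
        if not (0 <= p < N and self.bits >> p & 1):
            return False
        self.bits &= ~(1 << p)
        return True

    def abstract(self):  # abstraction function: concrete state -> spec state
        return frozenset(p for p in range(N) if self.bits >> p & 1)


class FreeListImpl:
    """Implementation 2: an explicit free list kept sorted, lowest index first."""
    def __init__(self):
        self.free_list = list(range(N))

    def alloc(self):
        return self.free_list.pop(0) if self.free_list else -1

    def free(self, p):
        if not (0 <= p < N and p not in self.free_list):
            return False
        self.free_list.append(p)
        self.free_list.sort()
        return True

    def abstract(self):
        return frozenset(set(range(N)) - set(self.free_list))


class LifoImpl(FreeListImpl):
    """Implementation 3: reuses the most recently freed page first. It satisfies the
    shallow spec but not the deep one, so some client program can tell it apart."""
    def free(self, p):
        if not (0 <= p < N and p not in self.free_list):
            return False
        self.free_list.insert(0, p)  # the front of the list is what alloc() hands out
        return True


def step(layer, op):
    return layer.alloc() if op[0] == "alloc" else layer.free(op[1])


def programs(max_len):
    """Every client program (call sequence) of length 1..max_len, shortest first."""
    for n in range(1, max_len + 1):
        yield from product(OPS, repeat=n)


def refines(impl_cls, max_len=5):
    """Forward-simulation check: at every step of every program the implementation
    returns what the spec returns and abstract() equals the spec state."""
    for prog in programs(max_len):
        state, impl = frozenset(), impl_cls()
        for op in prog:
            expected, state = spec_step(state, op)
            if step(impl, op) != expected or impl.abstract() != state:
                return False, prog
    return True, None


def distinguishing_context(impl_a, impl_b, max_len=5):
    """First client program that observes different results from the two
    implementations, or None: implementations of one deep spec admit no such context."""
    for prog in programs(max_len):
        a, b = impl_a(), impl_b()
        if [step(a, op) for op in prog] != [step(b, op) for op in prog]:
            return prog
    return None
```

Both the bitmap and the free-list implementation refine the deep specification, and no client program up to the bound can distinguish them; that is the contextual equivalence the abstract describes. The LIFO allocator is rejected by refines(), and the same program that witnesses the failure is the distinguishing context: alloc, alloc, free(0), free(1), alloc returns page 0 under the specification and the two refining implementations but page 1 from the LIFO allocator. Under a shallow specification all three would have been "correct", yet a client could still observe the difference. The enumeration stops at programs of length 5, which is where this toy's shortest counterexample lies; the paper's Coq development instead proves the property for all contexts.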


Supplemental Material

p595-sidebyside.mpg

