DOI: 10.1145/3293880.3294106
Research article (Public Access), POPL conference proceedings

From C to interaction trees: specifying, verifying, and testing a networked server

Published online: 14 January 2019

ABSTRACT

We present the first formal verification of a networked server implemented in C. Interaction trees, a general structure for representing reactive computations, are used to tie together disparate verification and testing tools (Coq, VST, and QuickChick) and to axiomatize the behavior of the operating system on which the server runs (CertiKOS). The main theorem connects a specification of acceptable server behaviors, written in a straightforward “one client at a time” style, with the CompCert semantics of the C program. The variability introduced by low-level buffering of messages and interleaving of multiple TCP connections is captured using network refinement, a variant of observational refinement.

