Abstract
Writing certifiably correct system software is still very labor-intensive, and current programming languages are not well suited for the task. Proof assistants work best on programs written in a high-level functional style, while operating systems need low-level control over the hardware. We present DeepSEA, a language which provides support for layered specification and abstraction refinement, effect encapsulation and composition, and full equational reasoning. A single DeepSEA program is automatically compiled into a certified "layer" consisting of a C program (which is then compiled into assembly by CompCert), a low-level functional Coq specification, and a formal (Coq) proof that the C program satisfies the specification. Multiple layers can be composed and interleaved with manual proofs to ascribe a high-level specification to a program by stepwise refinement. We evaluate the language by using it to reimplement two existing verified programs: a SHA-256 hash function and an OS kernel page table manager. This new style of programming language design can directly support the development of correct-by-construction system software.
DeepSEA: a language for certified system software