Research article (Open Access)

DeepSEA: a language for certified system software

Published: 10 October 2019

Abstract

Writing certifiably correct system software is still very labor-intensive, and current programming languages are not well suited for the task. Proof assistants work best on programs written in a high-level functional style, while operating systems need low-level control over the hardware. We present DeepSEA, a language which provides support for layered specification and abstraction refinement, effect encapsulation and composition, and full equational reasoning. A single DeepSEA program is automatically compiled into a certified "layer" consisting of a C program (which is then compiled into assembly by CompCert), a low-level functional Coq specification, and a formal (Coq) proof that the C program satisfies the specification. Multiple layers can be composed and interleaved with manual proofs to ascribe a high-level specification to a program by stepwise refinement. We evaluate the language by using it to reimplement two existing verified programs: a SHA-256 hash function and an OS kernel page table manager. This new style of programming language design can directly support the development of correct-by-construction system software.
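The abstract's central idea, a concrete implementation tied to a higher-level functional specification by a refinement proof that composes layer by layer, can be illustrated with a small Coq development. The following is an added example written for this page; it is not DeepSEA code, is not taken from the paper, and does not go through C or CompCert: both layers are plain Coq functions, and the page-table model (an association list refining a partial function from virtual to physical page numbers) is a constructed toy. All names in it (`AbsPT`, `ConPT`, `R`, `con_map`, `abs_map`, `con_run`, `abs_run`) are this example's own. What it shows is the shape of a certified layer: an abstract state, a concrete state, a simulation relation `R`, one refinement lemma per primitive, and a composition lemma showing that running the same sequence of updates on both layers preserves `R`, so a client of the layer can reason about the abstract state alone.

```coq
(* Added illustration of layered refinement in Coq; not DeepSEA code.
   The page-table model is a constructed toy: the concrete layer keeps an
   association list (newest entry first), the abstract layer is a partial
   function from virtual page number (vpn) to physical page number (ppn). *)
Require Import List.
Import ListNotations.

(* Abstract layer: state and primitives *)
Definition AbsPT := nat -> option nat.

Definition abs_lookup (pt : AbsPT) (vpn : nat) : option nat := pt vpn.

Definition abs_map (pt : AbsPT) (vpn ppn : nat) : AbsPT :=
  fun v => if Nat.eqb v vpn then Some ppn else pt v.

(* Concrete layer: state and primitives *)
Definition ConPT := list (nat * nat).

Fixpoint con_lookup (pt : ConPT) (vpn : nat) : option nat :=
  match pt with
  | [] => None
  | (v, p) :: rest => if Nat.eqb vpn v then Some p else con_lookup rest vpn
  end.

Definition con_map (pt : ConPT) (vpn ppn : nat) : ConPT := (vpn, ppn) :: pt.

(* Simulation relation: the concrete table represents the abstract one *)
Definition R (c : ConPT) (a : AbsPT) : Prop :=
  forall vpn, con_lookup c vpn = a vpn.

(* Each concrete primitive refines its abstract counterpart *)
Lemma lookup_refines : forall c a vpn,
  R c a -> con_lookup c vpn = abs_lookup a vpn.
Proof.
  intros c a vpn HR. unfold R in HR. unfold abs_lookup. apply HR.
Qed.

Lemma map_refines : forall c a vpn ppn,
  R c a -> R (con_map c vpn ppn) (abs_map a vpn ppn).
Proof.
  intros c a vpn ppn HR. unfold R in *. intro v.
  unfold con_map, abs_map. simpl.
  destruct (Nat.eqb v vpn); [reflexivity | apply HR].
Qed.

(* Composition: a whole program (a sequence of map operations) run on both
   layers keeps the layers related, which is the property a higher layer
   needs in order to reason about the abstract state only *)
Fixpoint con_run (ops : list (nat * nat)) (c : ConPT) : ConPT :=
  match ops with
  | [] => c
  | (v, p) :: rest => con_run rest (con_map c v p)
  end.

Fixpoint abs_run (ops : list (nat * nat)) (a : AbsPT) : AbsPT :=
  match ops with
  | [] => a
  | (v, p) :: rest => abs_run rest (abs_map a v p)
  end.

Lemma run_refines : forall ops c a,
  R c a -> R (con_run ops c) (abs_run ops a).
Proof.
  induction ops as [| [v p] rest IH]; intros c a HR; cbn [con_run abs_run].
  - exact HR.
  - apply IH. apply map_refines. exact HR.
Qed.

(* The empty concrete table is related to the empty abstract table,
   so every program starts from related states *)
Lemma init_refines : R [] (fun _ => None).
Proof. unfold R. intro vpn. reflexivity. Qed.
```

Check it with `coqc` on the file. In the scheme the abstract describes, the part this example leaves out is exactly what DeepSEA automates: the concrete side is a C program compiled by CompCert, the low-level functional specification is generated from the same DeepSEA source, and the proof that the C code meets that specification is produced by the compiler. Lemmas of the kind shown above, which ascribe a more abstract specification to a layer and compose layers by refinement, are the manual proofs that the abstract says are interleaved with the generated ones.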


Supplemental Material

a136-sjoberg: Presentation at OOPSLA '19

