Abstract
Modern computing systems have grown in complexity, and even though system components are generally carefully designed and even verified by different groups of people, the composition of these components is often regarded with less attention. Inconsistencies between components' assumptions about the rest of the system can have significant repercussions on that system, and may ultimately lead to safety or security issues. In this article, we introduce FreeSpec, a formalism built upon the key idea that components can be modeled as programs with algebraic effects to be realized by other components. FreeSpec allows for the modular modeling of a complex system, by defining idealized components connected together, and the modular verification of the properties of their composition. In addition, we have implemented a framework for the Coq proof assistant based on FreeSpec.
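The following is an added illustration of the abstract's key idea, written for this page in plain Coq; it is not code from the FreeSpec paper or its Coq framework, whose definitions differ. It models an interface of operations a component may request, programs that issue such requests and wait for answers (a free monad), and a handler standing for the component that realizes the interface. The client program is written only against the interface, and a property of its composition with one idealized handler is then proved. All names (Counter, Program, Handler, run, twice) are chosen here and are not FreeSpec's.

```coq
(* Interface: the operations one component may request from another.
   The index is the type of the answer the requester expects back. *)
Inductive Counter : Type -> Type :=
| Get  : Counter nat
| Incr : Counter unit.

(* A program with effects over an interface I: either a final value,
   or a request e : I B together with a continuation waiting for the
   answer of type B.  This is the usual free-monad shape. *)
Inductive Program (I : Type -> Type) (A : Type) : Type :=
| Pure    : A -> Program I A
| Request : forall (B : Type), I B -> (B -> Program I A) -> Program I A.

Arguments Pure    {I A} _.
Arguments Request {I A B} _ _.

(* Sequencing: graft f onto every leaf of p. *)
Fixpoint bind {I A B} (p : Program I A) (f : A -> Program I B) : Program I B :=
  match p with
  | Pure x      => f x
  | Request e k => Request e (fun x => bind (k x) f)
  end.

(* Issue one request and return its answer. *)
Definition request {I A} (e : I A) : Program I A := Request e Pure.

(* A component realizing interface I with private state St: it answers
   each request and returns its updated state. *)
Definition Handler (I : Type -> Type) (St : Type) : Type :=
  forall A, St -> I A -> A * St.

(* One idealized counter component, whose state is a nat. *)
Definition counter_handler : Handler Counter nat :=
  fun (A : Type) (s : nat) (e : Counter A) =>
    match e in Counter T return T * nat with
    | Get  => (s, s)
    | Incr => (tt, S s)
    end.

(* Connecting a program to the component that realizes its interface:
   each request is answered by the handler, and the program continues
   with the answer and the handler's new state. *)
Fixpoint run {I St A} (h : Handler I St) (s : St) (p : Program I A) : A * St :=
  match p with
  | Pure x      => (x, s)
  | Request e k => let (x, s') := h _ s e in run h s' (k x)
  end.

(* A client program written only against the Counter interface. *)
Definition twice : Program Counter nat :=
  bind (request Incr) (fun _ =>
  bind (request Incr) (fun _ =>
  request Get)).

(* A property of the composition, established by computation:
   starting from any state s, the client observes s + 2 and leaves
   the component in state s + 2. *)
Lemma twice_adds_two : forall s,
  run counter_handler s twice = (S (S s), S (S s)).
Proof. intro s. reflexivity. Qed.
```

The point of the separation is that `twice` never mentions `counter_handler`: the same client can be connected to a different realization of `Counter` (for instance one whose state also records an audit trail), and properties of each composition are proved separately against that handler.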