ABSTRACT
Implementing systems in proof assistants like Coq and proving their correctness in full formal detail has consistently demonstrated promise for making extremely strong guarantees about critical software, ranging from compilers and operating systems to databases and web browsers. Unfortunately, these verifications demand such heroic manual proof effort, even for a single system, that the approach has not been widely adopted.
We demonstrate a technique to eliminate the manual proof burden for verifying many properties within an entire class of applications, in our case reactive systems, while only expending effort comparable to the manual verification of a single system. A crucial insight of our approach is simultaneously designing both (1) a domain-specific language (DSL) for expressing reactive systems and their correctness properties and (2) proof automation which exploits the constrained language of both programs and properties to enable fully automatic, pushbutton verification. We apply this insight in a deeply embedded Coq DSL, dubbed Reflex, and illustrate Reflex's expressiveness by implementing and automatically verifying realistic systems including a modern web browser, an SSH server, and a web server. Using Reflex radically reduced the proof burden: in previous, similar versions of our benchmarks written in Coq by experts, proofs accounted for over 80% of the code base; our versions require no manual proofs.
Automating formal proofs for reactive systems. In PLDI '14.