Automating formal proofs for reactive systems

Research article. DOI: 10.1145/2594291.2594338

Published: 09 June 2014

ABSTRACT

Implementing systems in proof assistants like Coq and proving their correctness in full formal detail has consistently demonstrated promise for making extremely strong guarantees about critical software, ranging from compilers and operating systems to databases and web browsers. Unfortunately, these verifications demand such heroic manual proof effort, even for a single system, that the approach has not been widely adopted.

We demonstrate a technique to eliminate the manual proof burden for verifying many properties within an entire class of applications, in our case reactive systems, while only expending effort comparable to the manual verification of a single system. A crucial insight of our approach is simultaneously designing both (1) a domain-specific language (DSL) for expressing reactive systems and their correctness properties and (2) proof automation which exploits the constrained language of both programs and properties to enable fully automatic, pushbutton verification. We apply this insight in a deeply embedded Coq DSL, dubbed Reflex, and illustrate Reflex's expressiveness by implementing and automatically verifying realistic systems including a modern web browser, an SSH server, and a web server. Using Reflex radically reduced the proof burden: in previous, similar versions of our benchmarks written in Coq by experts, proofs accounted for over 80% of the code base; our versions require no manual proofs.


Published in

• PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2014, 619 pages. ISBN: 9781450327848. DOI: 10.1145/2594291
• ACM SIGPLAN Notices, Volume 49, Issue 6 (PLDI '14), June 2014, 598 pages. ISSN: 0362-1340, EISSN: 1558-1160. DOI: 10.1145/2666356. Editor: Andy Gill

Copyright © 2014 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates

PLDI '14 paper acceptance rate: 52 of 287 submissions (18%). Overall acceptance rate: 406 of 2,067 submissions (20%).
