Proof-oriented programming for high-assurance systems

Proof-oriented programming is a paradigm where programs are designed and developed along with mathematical proofs of their correctness and security. In recent years, proof-oriented programming has reached a point where not only several high-assurance software components have been developed using it, but these components have also been deployed in production systems. In this talk, I will provide an overview of this paradigm in the context of F*, a proof-oriented programming language developed at Microsoft Research. I will briefly discuss several critical software components, developed from scratch in F*. These components are already deployed in production systems such as Windows Hyper-V, the Linux kernel, Firefox, and mbedTLS. As a complementary methodology for retrofitting strong, formal guarantees on existing legacy services, I will present the Zeta framework. Zeta works by running a small, proven correct monitor in a trusted execution environment validating responses from the service. The key idea is that we only need to develop the monitor using proof-oriented programming once-and-for-all, while the large legacy service remains untrusted. I will illustrate Zeta by sketching an example of how we can make a concurrent, high-performance, key-value store "zero trust" and argue that this step incurs modest software engineering effort and modest runtime overheads.