DOI: 10.1145/3623759.3624544

Pancake: Verified Systems Programming Made Sweeter

Published: 23 October 2023

ABSTRACT

We introduce Pancake, a new language for verifiable, low-level systems programming, especially device drivers. Pancake eschews complex type systems to make the language attractive to systems programmers, while at the same time aiming to ease the formal verification of code. We describe the design of the language and its verified compiler, and examine its usability, performance and current limitations through case studies of device drivers and related systems components for an seL4-based operating system.


Published in

PLOS '23: Proceedings of the 12th Workshop on Programming Languages and Operating Systems
October 2023, 96 pages
ISBN: 9798400704048
DOI: 10.1145/3623759

Copyright © 2023 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 23 October 2023


Qualifiers

• Short paper
• Research
• Refereed limited
