An Open Framework for Foundational Proof-Carrying Code - PowerPoint PPT Presentation


Slides: 30
Provided by: xinyu
Learn more at: https://home.ttic.edu

Transcript and Presenter's Notes


Slide 1: An Open Framework for Foundational Proof-Carrying Code
  • Xinyu Feng
  • Yale University
  • Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and
    Yu Guo (USTC)

Slide 2: Motivation
How to build fully certified software systems? The slide's diagram stacks the
layers of such a system:
  • Source-level code
  • References with weak update
  • Garbage collectors
  • Dynamic memory allocation: malloc() (strong update)
  • Functions, exceptions: stacks, code pointers
  • Concurrency: context switching, scheduler
  • Device drivers
  • I/O
Slide 3: Motivation
  • All concurrency verification assumes built-in concurrency
    • Assume-Guarantee (A-G) reasoning
    • Concurrent Separation Logic (CSL)
  • Context switching, scheduler
    • Too low-level to be certified in these logics
    • Thread schedulers have never been modularly certified!

Slide 4: Motivation
  • Certify all code in a single type system/program logic?
    • Hard to combine all features: weak vs. strong update,
      functions/exceptions vs. gotos, threads vs. thread contexts
    • May not be modular
    • Very complex, hard to use
    • Don't know how to design such a logic
  • Certify modules using the most appropriate logic!
    • Modules do not use all the features at the same time
    • It is simpler to use a specialized logic for each module

Slide 5: An Open Framework
Certify different modules using different verification systems!
Slide 6: Challenges
But can we just use MLFs, e.g. Coq?
  • Extensibility and openness
    • not designed for certain specific interoperations
  • Expressiveness
    • type safety, concurrency properties, partial correctness, ...
  • A general and uniform model of control flow
    • Allow functions certified in different systems to call each other
    • the key for modularity: separate verification, proof reuse
  • Principled interoperation with clear meta-properties
    • properties of the whole system composed of modules

Slide 7: Our contributions
  • OCAP: an open framework
    • Embedding of different systems: TAL, non-CPS Hoare logic, A-G reasoning, ...
    • Open, extensible
    • Modularity with first-class code pointers [Ni & Shao, POPL'06]
    • Soundness: type safety, preservation of invariants in foreign systems
  • Applications
    • TAL + memory allocation libs.
    • Threads + scheduler: the first time both sides have been modularly certified

Slide 8: Outline
  • OCAP Framework
  • Certifying Thread Schedulers

Slide 9: OCAP Overview
[Figure: the layered structure of OCAP, from top to bottom: the OCAP rules, the OCAP soundness proof (the rules are proved sound), the modeling of the machine, and the mechanized meta-logic (CiC).]
Slide 10: The Machine
[Figure: the machine model. A program P is a triple (C, S, pc): the code heap C maps labels f to instruction sequences I (addu, lw, sw, j f, ...), the state S = (H, R) consists of the data heap H and the register file R (r1, r2, r3, ..., rn), and pc is the program counter.]
Slide 11: The OCAP Logic Overview
  • Hoare-style program logic for assembly
  • CPS-style reasoning: assign a precondition to each basic block
  • Similar to TAL [Morrisett et al., POPL'98]

Slide 12: The OCAP Logic Overview
[Figure: the machine model of slide 10, extended with a specification Ψ (spec) that maps each code label f in the code heap C to an assertion a, the precondition of the instruction sequence stored at f.]
Slide 13: OCAP Code Pointers
Support of first-class code pointers:
    codeptr(f, a) ≜ (Ψ(f) = a)
    (Spec) Ψ : f ⇀ a
Not well-founded!
Slide 14: OCAP Code Pointers
No interoperation between multiple systems
Slide 15: OCAP Foreign Languages
    (LangTy)   L ∈ CiC terms of sort Type
    (CodeSpec) θ ∈ CiC terms of type L
Example: two TAL-like type languages, each a Coq inductive type:
    Inductive TalType : Type :=
      | T_int  : TalType
      | T_pair : TalType -> TalType -> TalType.
    Inductive Tal2Type : Type :=
      | T2_int  : Tal2Type
      | T2_pair : Tal2Type -> Tal2Type -> Tal2Type.
    L ∈ {TalType, Tal2Type}
    τ1 ::= T_int | T_pair τ1 τ1       (τ1 ∈ TalType)
    τ2 ::= T2_int | T2_pair τ2 τ2     (τ2 ∈ Tal2Type)
Slide 16: OCAP Specifications
    (LangTy)   L ∈ CiC terms of sort Type
    (CodeSpec) θ ∈ CiC terms of type L
    (Interp)   (( ))_L ∈ L → Assert
    (OCdSpec)  π ::= ⟨L, (( ))_L, θ⟩ ∈ ΣL.(L → Assert) × L
    (Spec)     Ψ ::= {(f1, π1), ..., (fn, πn)}
    (Assert)   a ∈ Spec → State → Prop
Not well-founded: Ψ carries the interpretations (( ))_L, whose result type Assert
is itself defined over Spec.

Slide 17: OCAP Specifications
    (LangTy)   L ∈ CiC terms of sort Type
    (CodeSpec) θ ∈ CiC terms of type L
    (Interp)   (( ))_L ∈ L → Assert
    (OCdSpec)  π ::= ⟨ρ, L, (( ))_L, θ⟩
    (Spec)     Ψ ::= {(f1, π1), ..., (fn, πn)}
    (Assert)   a ∈ Spec → State → Prop
    (LangID)   ρ ∈ nat
    (LangDict) D ::= {ρ1 ↦ ⟨L1, (( ))_L1⟩, ..., ρn ↦ ⟨Ln, (( ))_Ln⟩}
               ∈ LangID ⇀ (ΣL. L → Assert)
Slide 18: Selected OCAP Rules
    D1; Ψ1 ⊢ C1 : Ψ1        D2; Ψ2 ⊢ C2 : Ψ2
    ------------------------------------------ (link)
    D1 ∪ D2; Ψ1 ∪ Ψ2 ⊢ C1 ∪ C2 : Ψ1 ∪ Ψ2

    ∀Ψ,S. a Ψ S → ∃π. (codeptr(S.R(r), π) ∧ ⟦π⟧_D) Ψ S
    --------------------------------------------------- (jr)
    D ⊢ {a} jr r

    codeptr(f, π) ≜ λΨ,S. Ψ(f) = π
    ⟦π⟧_D ≜ λΨ,S. ∃(( ))_L. (D(ρ) = ⟨L, (( ))_L⟩) ∧ ((θ))_L Ψ S
            where π ::= ⟨ρ, L, θ⟩
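A toy executable model of the language dictionary D, the interpretation ⟦π⟧_D and the (jr) and (link) side conditions of slides 17 and 18, added here as an illustration and not the authors' Coq development; the two foreign "languages", the labels 100 and 200 and the sample states are all constructed.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple

@dataclass
class State:                              # S = (H, R): data heap, register file
    H: Dict[int, int]
    R: Dict[str, int]
Spec = Dict[int, Tuple[int, Any]]         # Ψ: code label f -> π = (ρ, θ)
Assert = Callable[[Spec, State], bool]    # a ∈ Spec → State → Prop

# Foreign language ρ=1, TAL-like (constructed toy): θ is a register typing,
# 'int' = any word, 'pair' = pointer to two heap words, 'code' = label in Ψ.
def interp_tal(theta: Dict[str, str]) -> Assert:
    def a(psi: Spec, S: State) -> bool:
        for r, ty in theta.items():
            v = S.R.get(r)
            if (v is None or (ty == 'pair' and (v not in S.H or v + 1 not in S.H))
                    or (ty == 'code' and v not in psi)):   # first-class code ptr
                return False
        return True
    return a

# Foreign language ρ=2, Hoare-like (constructed toy): θ is a state predicate.
def interp_hoare(theta: Callable[[State], bool]) -> Assert:
    return lambda psi, S: theta(S)

D = {1: ('TalTy', interp_tal), 2: ('HoareTy', interp_hoare)}   # LangDict D

def interp(pi: Tuple[int, Any], psi: Spec, S: State) -> bool:  # ⟦π⟧_D Ψ S
    rho, theta = pi
    return D[rho][1](theta)(psi, S)

def codeptr(f: int, pi: Tuple[int, Any], psi: Spec) -> bool:  # Ψ(f) = π
    return psi.get(f) == pi

def jr_ok(r: str, psi: Spec, S: State) -> bool:
    # (jr) side condition at one concrete state: the label in r has a spec π
    # in Ψ, and the interpretation of π under D holds in the current state.
    f = S.R.get(r)
    return f in psi and codeptr(f, psi[f], psi) and interp(psi[f], psi, S)

def link(psi1: Spec, psi2: Spec) -> Spec:
    # (link): merge two specs; a label present in both must carry the same π.
    for f in psi1.keys() & psi2.keys():
        if psi1[f] != psi2[f]:
            raise ValueError(f"conflicting specs for label {f}")
    return {**psi1, **psi2}

# Constructed sample: a TAL block at label 100 whose r31 must hold a code
# pointer, returning into a Hoare-style block at label 200.
PSI = link({100: (1, {'r1': 'pair', 'r31': 'code'})},
           {200: (2, lambda S: S.H.get(S.R['r1'], 0) > 0)})
S0 = State(H={8: 5, 9: 6}, R={'r1': 8, 'r31': 200})
```

The point of the dictionary is visible in `interp`: neither foreign interpretation needs to know about the other, yet the jump from the TAL block into the Hoare block is checked against the target's own spec.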
Slide 19: Outline
  • OCAP Framework
  • Certifying Thread Schedulers

Slide 20: Threads and Scheduler
  • Thread code C1, ..., Cn
    • Certified following CCAP [Yu & Shao, ICFP'04]: Assume-Guarantee reasoning
    • Thread modularity: threads do not know about the thread queue
  • Scheduler Cs
    • Certified in SCAP [Feng et al., PLDI'06] as sequential code
    • Manages the thread queue TQ; does not touch H

Slide 21: Scheduler in SCAP
[Figure: the current thread ct calls the scheduler with "jal yield"; yield picks one word (pci) from TQ, swaps pci and r31, and returns with "jr r31", so control resumes at the saved pc of the picked thread.]
Slide 22: Scheduler in SCAP
[Figure: as on slide 21, with yield given the SCAP specification (ps, gs): ps is the precondition and gs the guarantee relating the state at entry to the state at return.]
    ps ≜ ∃Q. WFTQ(Q) ∗ True
Slide 23: Embedding SCAP
[Figure: the interpretation ((p, g))_Dscap turns a SCAP spec (p, g) into an OCAP assertion; p constrains the state at entry and g relates it to the state at the return point "jr ra".]
Soundness of the embedding:
    Dscap ≜ {ρscap ↦ ⟨Lscap, (( ))_scap⟩}
    If Ψscap ⊢_scap C : Ψscap holds in SCAP, then for any D ⊇ Dscap,
    D; Ψ ⊢ C : Ψ holds in OCAP, where Ψ = ⟦Ψscap⟧_Dscap
Slide 24: Threads: Assume-Guarantee
[Figure: thread 1 with (A1, G1) and thread 2 with (A2, G2); the guarantee of thread 1 must imply the assumption of thread 2, G1 ⇒ A2.]
Spec. for threads: (p, A, G)
    p ∈ State → Prop
    A, G ∈ State → State → Prop
Stability of p:  p_i S ∧ A_i S S' → p_i S'
Slide 25: CCAP embedding
    ((p, A, G))_ccap ≜ λΨ,S. …
    Dall ≜ {ρccap ↦ ⟨Lccap, (( ))_ccap⟩, ρscap ↦ ⟨Lscap, (( ))_scap⟩}
    Ψccap ⊢_ccap Ci : Ψccap                 (thread i certified in CCAP)
    Dall; Ψc ∪ Ψy ⊢ Ci : Ψc                 (lifted into OCAP)
    Ψc ≜ ⟦Ψccap⟧_ccap
    Ψy ≜ {yield ↦ ⟨ρscap, Lscap, (ps, gs)⟩}
Slide 26: Certify the code
    Dall ≜ {ρccap ↦ ⟨Lccap, (( ))_ccap⟩, ρscap ↦ ⟨Lscap, (( ))_scap⟩}
    CCAP:  Ψccap ⊢_ccap Ci : Ψccap
    SCAP:  Ψscap ⊢_scap Cs : Ψscap
    Dall; Ψy ⊢ Cs : Ψy                      (scheduler, via the SCAP embedding)
    Dall; Ψc ∪ Ψy ⊢ Ci : Ψc                 (threads, via the CCAP embedding)
    Dall; Ψc ∪ Ψy ⊢ Ci ∪ Cs : Ψc ∪ Ψy       (linking the two)
Slide 27: Summary
  • It is simpler and more natural to certify different modules using different logics
  • OCAP: a framework for interoperation
    • Embedding
      • TAL type system
      • SCAP: non-CPS logic for assembly
      • CCAP: Assume-guarantee reasoning
    • Interoperation
      • TAL + newpair
      • Threads + scheduler
      • TAL + GC (ongoing work by Lin, McCreight, et al.)

Slide 28: Future work
  • Explore the applicability of OCAP
  • Interoperation of different languages
    • Currently just for assembly language
    • But logics are at different levels (TAL, CCAP, ...)
    • May support C + inlined assembly

Slide 29: Thank you!