1 / 19

Verification of Networked Server using Interaction Trees

This paper discusses the verification, testing and specification of a networked server using interaction trees. It provides a detailed overview of the process, from specifying the server behavior to testing it, and verifies its correctness using formal methods. The paper also presents examples and showcases the benefits of using interaction trees in server verification.

dhenderson
Download Presentation

Verification of Networked Server using Interaction Trees

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. From Cto Interaction Trees Specifying, Testing and Verifying a Networked Server Nicolas Koh, Yao Li, Yishuai Li, Li-yao Xia Lennart Beringer, Wolf Honoré, William Mansky Benjamin C. Pierce, Steve Zdancewic January 14, 2019 (CPP)

  2. Verification from RFCs to transistors Application One theorem to verify… OS … and test! Hardware More projects at deepspec.org… 01011...

  3. Towards a verified web server HTTP Server OS Hardware 01011...

  4. Towards a verified web server Swap Server Today: a simplified server OS Hardware 01011...

  5. Main contributions • Verifying a networked C program using VST, which can run in CertiKOS • Specification describes what a client can observe over the network • Testable specification, using QuickChick

  6. Swap server specification Cat Server Client 1 Bat Bat Cat Dog Dog Elk Client 2 Cat Elk Client 3 Dog

  7. Swap server: in the real world Clients / Tester Server Cat • Messages on different connections can be reordered • Messages can be delayed indefinitely Dog Bat Elk Dog

  8. Network refinement Observable behavior by clients Specification Network semantics ∪I network-refines Observable behavior by clients Implementation Network semantics Adaptation of Observational refinement/Linearizability

  9. Overview:proof architecture *: concepts defined in the paper Specification* Written in Coq Written in C Socket API Server implementation CertiKOS

  10. Overview:proof architecture *: concepts defined in the paper Linear Specification* VST-level Socket spec.* network-refines* validates* Implementation model* CertiKOS-level Socket spec.* refines* assumed by Written in Coq implements Written in C Socket API Server implementation CertiKOS

  11. Interaction trees A unifying specification language *: concepts defined in the paper Different spec. styles Different abstraction levels Linear Specification* testing VST-level Socket spec.* network-refines* validates* Implementation model* CertiKOS-level Socket spec.* refines* network-refines* assumed by Written in Coq implements Written in C Socket API Server implementation CertiKOS

  12. Interaction trees: example (aka. Free monads) One branch for each possible result ReadBit 0 1 WriteBit 0 ReadBit Shorthand notation for two or more branches tt b2 : bit Ret 1 Ret b2 Type of effects ioE: Inductive ioE : Type -> Type := | ReadBit  : ioEbit | WriteBit : bit -> ioEunit . Result type

  13. Interaction trees: definition (aka. Free monads) Type of effects (e.g.,ioE) Type of results CoInductiveitree(E : Type -> Type) (R : Type) : Type := | Vis : ∀ Y, EY -> (Y -> itreeE R) -> itreeE R | Ret : R -> itreeE R | Tau : itreeE R -> itreeE R . Effect Continuation

  14. Interaction trees A unifying specification language *: concepts defined in the paper Different spec. styles Different abstraction levels Linear Specification* testing VST-level Socket spec.* network-refines* validates* Implementation model* CertiKOS-level Socket spec.* refines* network-refines* assumed by Written in Coq implements Written in C Socket API Server implementation CertiKOS

  15. The Swap server “linear specification” CoFixpoint loop(open_conns : list conns)      (last_msg : bytes) : itreeserverE unit :=     c <- choose open_conns ;; new_msg <- recv_msg c ;; send_msg c last_msg;; loopopen_connsnew_msg. Simplified version (see paper)

  16. Interaction trees Overview:proof architecture *: concepts defined in the paper Linear Specification* testing VST-level Socket spec.* network-refines* validates* Implementation model* CertiKOS-level Socket spec.* refines* network-refines* assumed by Written in Coq implements Written in C Socket API Server implementation CertiKOS

  17. Refinement: from C to ITrees Hoare triple: { pre1 * … * preN }C_program{ post1 * … * postN } Separating conjunction Interactions allowed by the environment Assertions on C memory { ITree(impl_model) * … }C_program{ … } Example of a networked C program with its implementation model: { ITree(msg <- Recv c ;; Send c msg ;; t) * … } recv(c, buf, len); . send(c, buf, len); . { ITree(t) * … } Implementation model (itree) C implementation Simplified triples (see paper)

  18. The Swap server correctness theorem { ITree(impl_model) }C_prog{ … } Theoremcorrect_server : existsimpl_model, refines C_progimpl_model /\ network_refinesimpl_modellinear_spec. ∪I

  19. Summary and next steps Complete connection • Verifying a networked C program using VST, which can run in CertiKOS • The specification describes a client can observe over the network • The specification is testable, using QuickChickand Interaction trees Scale up: Swap server -> HTTP Server Improve proof and testing techniques Add more interfaces: filesystem, encryption… New library https://github.com/DeepSpec/InteractionTrees

More Related