An Open Framework for Certified System Software

An Open Framework for Certified System Software Xinyu Feng Yale University

Why Certified Software? Mars Polar Lander Mars climate orbiter Ariane 5

Fig. from:www.howstuffworks.com “A typical modern car contains around 20 built-in microcontrollers. Luxury models can have as many as 80. Such microcontrollers, …, are in constant communication with one another. In extreme cases, a single programming error in one of the control elements can mean life or death.” -- Fraunhofer Magazine, 2004 (2) Something More Relevant …

Photo from edmunds.com Toyota recalled its 160,000 Prius cars in Oct 2005, because of bugs in the software controlling the hybrid gas-electric engine system…

We need firm control of the lowest-level software! [King et al. S&P'06] How to Guarantee Software Quality? We need a “certified” computing platform! Uncertified legacy code becomes second-class citizen! Buggy? Security Infrastructure Certified Security Infrastructure Buggy? Runtime Services & Libraries Certified Runtime Services & Libraries Buggy? Bootloader + OS + Device Driver Certified Bootloader + OS + Device Driver Hardware

specification S binary code C formal proof P Certified Software: Problem Definition • Hardware • processors, memory, storage, devices, … • Software • bootloader, device drivers, OS, runtime, applications, … • Need a mathematical proof showing that as long as the hardware works, the software always work according to its specification

… threads … ctxt ctxt ctxt spawn, yield, exit, lock, monitors, … scheduler bootloader OS A Mini-OS 1300-line 16bit x86 code, Bootable! http://flint.cs.yale.edu/feng/cos . . . . . . KBD timer interrupts But how to certify the code?

Certifying the Mini-OS 1300 lines of code Many challenges: bootloader Code loading scheduler Low-level code: C/Assembly timer int. handler Concurrency thread lib: spawn, exit, yield, … Interrupts sync. lib: locks and monitors Device drivers / IO keyboard driver Certified the whole system keyboard int. handler Many different features … Different abstraction levels

My Contributions • Specialized program logics • SCAP: stack-based control abstractions • SAGL: modular concurrency verification • CMAP: dynamic thread creation • concurrency with relaxed memory model [ongoing work] • An open framework for certified systems • OCAP: embedding and interoperation between different verification systems [TLDI’07] • interoperability based on semantic models [ongoing work] [PLDI’06] [ESOP’07] [ICFP’05]

Outline of This Talk • The OCAP Framework • SAGL: modular concurrency verification • SCAP: stack-based control abstractions • Embedding and linking in OCAP

Modules at Different Levels • Example: how to certify multi-threaded software? • All concurrency verification assumes built-in concurrency • Context switching, scheduler • Too low-level to be certified in these logics • Threads & schedulers have never been certified in a single logic!

L2 L1 L4 L3 Building Fully Certified Systems • One logic for all code • Consider all possible interactions. • Very difficult! • Reality • Only limited combinations of features are used. • It’s simpler to use a specialized logic for each combination. • Interoperability between logics

OS Cn C1 C1 Cn … … C1 C1 Cn Cn L1 … Ln TCB Our Solution … OCAP Modeling of the machine Mechanized Meta-Logic (CiC)

The Machine (data heap) H f1: I1 addu … lw … sw … … j f pc 0 1 2 … f2: I2 r1 r2 r3 … rn f3: I3 (register file) R … (code heap) C (state) S ::=(H,R) (instr. seq.) I ::={fI}* (program) P ::=(C,S,pc)

1 2 3 Program Specifications (spec) ::={f}* (data heap) H  f1: I1 addu … lw … sw … … j f pc 0 1 2 … f2: I2 r1 r2 r3 … rn f3: I3 (register file) R … (code heap) C (state) S ::=(H,R) (instr. seq.) I ::={fI}* (program) P ::=(C,S,pc)

c1 c2 c3 cn … P0 P1 P2 Pn Invariant-Based Verification Initial condition:Inv(P0) Progress: if Inv(P), then P’. P c P’. Preservation: if Inv(P) and P cP’, then Inv(P’).

may use different  … C1 Cn “Domain specific” logics How to link modules? L1 … Ln OCAP Rules Modeling of the machine Mechanized Meta-Logic (CiC)

( _ )t (_)h How to Link Modules f: … … … … call f {r1:1, …, rn:n} {P}_{Q} a a'

{r1:1, …, rn:n} {P}_{Q} ( _ )t (_)h a a' How to Link Modules How to define interpretation? Encode the invariant enforced in our invariant-based proof methodology. ashould be expressive enough to encode Inv.

XCAP[Ni&Shao'06] approach a(S) = … used and generalized in OCAP [TLDI'07] Indexed approach ai(S) = … [ongoing work with Cai, Shao & Tan] simpler model for weak-ref, partial correctness, concurrency…,than existing work on indexed model [Appel&McAllester'01] [Amed'04] [Appel et al.'07] An Open Framework A set of Hoare-logic rules as the foundational layer use “a” as the assertion language supports first-class code pointers, mutable references, polymorphisms, recursive types, …

TAL XCAP SCAP SAGL … … C1 Cn L1 Ln … Sound ( )L1 ( )Ln The OCAP Framework [TLDI'07] Sound OCAP Rules OCAP Soundness Modeling of the machine Mechanized Meta-Logic (CiC)

SAGL C1 Cn Outline of This Talk • The OCAP Framework • SAGL: modular concurrency verification • SCAP: stack-based control abstractions • Embedding and linking in OCAP … … L1 Ln SAGL SCAP OCAP Modeling of the machine Mechanized Meta-Logic (CiC)

Certifying Concurrent Programs How to guarantee non-interference… in a modular way? Existing work is not modular/general…

Certifying Concurrent Programs • Assume-Guarantee (A-G) reasoning[Misra&Chandy’81, Jones’83] • thread modularity, general • spec of A&G requires global data invariants • Concurrent Separation Logic (CSL) [O’Hearn, Brookes 2004] • thread modularity + local reasoning • restrictive synchronization pattern • shared resources can be accessed only inside critical regions • SAGL: extend A-G with local reasoning [ESOP'07] • improved modularity without loss of generality

Assume-Guarantee Reasoning • Thread T and its environment • Environment: the collection of all other threads except T • A: assumption about environment’s transition • G: guarantee to the environment • a: precondition

A-G Reasoning Non-Interference of threads: To certify each thread: i,j . Gi  Aj ( i  j ) stability of precondition:  S, S'. a S  A S S' a S' transitions satisfy the guarantee: G S Nextc(S)

a1a2 a1a2 a1a2 A-G Reasoning Requires global invariants! G1 G2 a1 a2 A1 A2 a2 a1

p2 p1 a1a2 SAGL: Overview Partition of resources: shared & private Threads specs: (a1, p1), (a2, p2), … Partition is conceptual: (p1 p2)  (a1  a2)

p2 p1 a1a2 SAGL: Memory Access Threads have exclusive access to their private resources. All threads can access shared part. Needs to guarantee non-interference. Follows assume/guarantee reasoning. Partitions can be dynamically adjusted.

p2 p2 p1 p1 a1a2 a1a2' SAGL – Access Shared Resource G2 a1 A1 a1 A-G reasoning: a special case wherep1andp2areemp.

p2 p2' p1 p1 a1a2 a1a2 SAGL – Access Private Resource

p2 p2 p1 p1 p1 p2 a1a2 a1a2' a1a2 SAGL - Redistribution a1 a1 G2 A1 G2 A1 a1 a1 lock unlock

x … y x … Example: List getNode(): l.acq(); … l.rel(); -{(ainv , emp)} -{(emp,emp List(x))}; -{(emp,Node(y) List(x))} ainv=free(l)  List(x) free(l)  emp ainv -{(List(x),Node(y))}

p2 p1 All threads can access shared part. a1a2 Needs to guarantee non-interference. Follows assume/guarantee reasoning. SAGL [ESOP’07] A-G reasoning Threads have exclusive access to their private resources. Partitions can be dynamically adjusted. CSL

SCAP C1 Cn Outline of this talk • The OCAP Framework • SAGL: modular concurrency verification • SCAP: stack-based control abstractions • Embedding and linking in OCAP … … L1 Ln SAGL SCAP OCAP Modeling of the machine Mechanized Meta-Logic (CiC)

Certifying C & Assembly Code? How to specify/verify control abstractions? Stack-based control abstractions call/return, tail call, exceptions (stack cutting/ stack unwinding), coroutines/threads context switching How to formulate the stack invariants?

Problems – call/return void f(){ void h(){ h(); return; return; } } Stacks are hidden!

stack fp f: ... sw $ra, -4($fp) h: jal h ;; $ra contains ct ct: lw $ra, -4($fp) jr $ra ... jr $ra Problems – call/return R void f(){ void h(){ h(); return; return; } } ra ct ?? pc Does f use the right return addr.?

env cannot outlive the stack frame of rev ! f0 f0 … … Problems – setjmp/longjmp jmp_buf env = …; void cmp0(int x,jmp_buf env){ cmp1(x, env); } int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } } pc pc void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } pc env sp …

Stack-Based Control Abstractions A simple system (SCAP) for modular verification of (1) compiled C code & (2) manually-written assembly code Function call/return PLDI'06 Tail calls Exceptions: Stack-unwinding Exceptions: Stack-cutting PLDI’06 weak-continuation YALEU/DCS/TR-1336 setjmp/longjmp Coroutines (w. function call) Threads context switching TLDI’07

{$ra = n …} g0 g1 {$ra = n …} Specifications • Challenges • f uses the “right” return addr.? • Hoare triple {p} f {q}? • In different basic blocks! f: ... sw $ra, -4($fp) jal h ct: lw $ra, -4($fp) ... jr $ra {(p0, g0)} • SCAP specifications: (p, g) • p: State  Prop • g: State  State  Prop {(p1, g1)} g0 S S’ S’.$ra = S.$ra …

Program Spec. and Code Pointers • Program Specification ::= {f1(p1,g1), …,fn(pn,gn)} • “safe” to return (jr $ra): • $radom()  ($ra)=(p,g) • pholds at the time of return p0 p1 jal f p2 jal h g2 g0 g1 p3 jr$ra g3 p4 jr $ra … g4 jr $ra

SCAP : Stack Invariant Always safe to return? p0 S0 g0 p1 jr $ra g0 S0S1  S1.$ra   (S1.$ra))=(p1, g1) p1S1 S1 g1 p2 S2 g0 S0S1  g1 S1S2  S2.$ra   (S2.$ra)=(p2, g2) p2S2 g2 p3 S3 g0 S0S1  g1 S1S2  g2 S2S3  S3.$ra    (S3.$ra)=(p3, g3) p3 S3 g3 … Logical control stack

SCAP : Stack Invariant WFST(n, g0, S0, )  S1. g0 S0 S1   p1,g1. (S1.$ra)=(p1, g1)  p1 S1  WFST(n-1, g1, S1, ) WFST(0, g0, S0, )   S1. g0 S0 S1 Invariant: p S  n.WFST(n, g, S, ) p0 S0 g0 p1 jr $ra S1 g1 p2 S2 g2 p3 S3 g3 Logical control stack

c S p’,g’ p S  n.WFST(n,g,S,) p’ S’  n.WFST(n,g’,S’,) SCAP : Invariant Preservation • Inv(S): p S  n.WFST(n, g, S, ) S’

n+1 jal f SCAP: call p S  WFST(n, g, S, ) p0 S0 WFST(n+1, g0, S0, ) p p0 p0 S S0 g0 g0 p1 p1 g jr $ra jr $ra g1 g1 S1 S1 n n S2 S2 … … p S  p0 S0 g0 S0 S1 S0.$ra = S1.$ra p S  g0 S0 S1 p1 S1 p S  g0 S0 S1  g1 S1 S2  g S S2

SCAP: ret p S  WFST(n, g S, ) p1 S1 WFST(n-1, g1 S1, ) p n p1 p1 S g S1 g1 g1 jr $ra n-1 n-1 … … p S  g S S1

Multi-ret p1 p1 p p g1 g1 jr ra jr ra g g + Tail-call p1 p g1 g jr ra Generalization: Stack Unwinding/Cutting

Example: setjmp/longjmp jmp_buf env = …; void cmp0(int x,jmp_buf env){ cmp1(x, env); } int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } } void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; }

An Open Framework for Certified System Software

An Open Framework for Certified System Software

Presentation Transcript

Open Source Software for

Creating An Integrated Library System Using Open Source Software for Afghanistan Academic Libraries

“Open System Solutions…a Framework for Success” September 2007

Open Source Open Architecture Software Development Framework for ...

SciencePAD Open Software for Open Science

An Introduction To Open Source Software

Assuring Identities in an Open Trust Framework

Open Modeling Framework

An open framework for parameter mapping and image processing

An SDL Framework for X-ray Spectrometer Software

Exploring an Open Source Automation Framework Implementation

An Open Source Reporting System for Life Sciences

Towards an Openness Rating System for Open Source Software

OFLOPS: An Open Framework for OpenFlow Switch Evaluation

Towards an Open Source Project for Online Software

An Open Collaboration Framework

KBS-HYPERBOOK An Open Hyperbook System for Education

An Appropriate Software for your System

Exploring an Open Source Automation Framework Implementation

An open system.

AngularJS Guide: An Open Source structural framework