1 / 12

Automated and Modular R efinement R easoning for Concurrent P rograms

Automated and Modular R efinement R easoning for Concurrent P rograms. Shaz Qadeer. Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank ( Technion ) Serdar Tasiran ( Koc University). Verve: a verifiably safe OS (Yang-Hawblitzel 10). Small Operating System (C#).

bikita
Download Presentation

Automated and Modular R efinement R easoning for Concurrent P rograms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated and Modular Refinement Reasoning for Concurrent Programs Shaz Qadeer Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc University)

  2. Verve: a verifiably safe OS (Yang-Hawblitzel 10) Small Operating System (C#) “every assembly language instruction checked for safety” Verified Threads Verified Interrupt Handlers Verified Device Interface Verified Startup Verified Garbage Collector Verify safety & correctness with Boogie/Z3 Verified Boot x86 Hardware, Network, PCI, TPM

  3. An Ironclad app guarantees to remote parties that every instruction it executes adheres to a high-level security spec. My password will never leak I can run full SQL and the cloud learns nothing

  4. Ironclad project (MSR OS Group) • Goal: achieve end-to-end security • Use small trusted computing base (TCB) — thousands of lines of spec, not millions of lines of code • Make approach feasible for use by system and application developers • Show developers how to achieve correctness without testing • Approach: • Combine cryptography, secure hardware, and formal code verification • Push scale of formal verification tools to fully encompass large systems

  5. Ironclad apps atop Verve Notary Password Vault DiffPriv DB Bits & Arrays Net Driver RSA Enc + Sig Big Integers Ethernet UDP/IP SHA Hash TPM Driver Math Verified Threads Verified Interrupt Handlers Verified Device Interface Verified Startup Verified Garbage Collector Verified Boot x86 Hardware, Network, PCI, TPM

  6. Verve and concurrency • Provides threads • No mechanism to reason about them • Difficult to provide any assurance beyond memory safety • Verve boots on a single core • Stop-the-world garbage collector • Unacceptable multi-core performance

  7. Goal of our work • A scalable automated verifier for reasoning about low-level concurrency • A verified concurrent garbage collector

  8. Refining concurrent programs Verification works for me only when I start small. -Chris Hawblitzel • Atomic actions as specifications • Explicit non-interference (alaOwicki-Gries and Jones) • Linear resources providing free invariants

  9. Garbage collector implementation • Extends Dijkstra et al. 78 • multiple parallel mutators • no read barrier • fast write barrier • Features • Mark/Sweep/Idle phases separated by barriers • Mutatorcooperates with collector • Barrier for atomic root scan

  10. Garbage collector specification memAbs : [obj][fld]obj // Heap rootAbs : [idx]obj // Roots (stack, registers) allocSet: [obj]bool // Allocated objects

  11. Garbage collector verification • Simple high-level specification refined down individual instructions • load, store, CAS, atomic increment/decrement • Six levels of refinement • 2100 lines of code and specification • 6 min and 2GB memory on a modern Windows machine • Simplifying assumptions • Allocator is naïve (sequential search for free space) • All objects have the same number of fields • Sequentially consistent execution

  12. Future work • Verify under TSO • Improve allocator performance • Incorporate variable-size objects • Extract executable code and plug into Verve

More Related