
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks. C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker. In the last decade, dozens of researchers have been investigating proof-carrying code (PCC). These researchers have split into two camps:


Presentation Transcript


  1. Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker

  2. In the last decade, dozens of researchers have been investigating proof-carrying code (PCC) • These researchers have split into two camps: • those using syntactic proof methods • those using semantic proof methods

  3. List-Machine Benchmark • We want to be able to investigate different proof methodologies, such as syntactic and semantic type systems • The list-machine benchmark is • assembly language • operational semantics • type system specification • two implementations of a type system • This benchmark is • simple, so that it is easy to understand • modular, so that it is flexible • publicly available at • http://www.cs.princeton.edu/~appel/listmachine/2.0

  4. Changes to the List-Machine Benchmark for 2.0 • Implemented only in Coq • Added a semantic type system • Reorganized the framework

  5. Outline • Introduction • Organization of the List-Machine framework • Extend the List Machine with fault tolerance • Semantic and syntactic methods in large systems

  6. Machine Specification

  7. Modules

  8. Modules • Type System Specification: type operators, definitions of typing rules, statement of safety (Π ⊢blocks Ψ → safe Ψ) • Type System: proves Π ⊢blocks Ψ → safe Ψ • Typechecking Algorithm: check(Π,Ψ) = true • Typechecker Soundness Proof: check(Π,Ψ) = true → Π ⊢blocks Ψ

  9. Modules (continued) • Type System Specification: type operators, definitions of typing rules, statement of safety (Π ⊢blocks Ψ → safe Ψ) • Type System: proves Π ⊢blocks Ψ → safe Ψ • Typechecking Algorithm: check(Π,Ψ) = true • Typechecker Soundness Proof: check(Π,Ψ) = true → Π ⊢blocks Ψ

  10. Syntactic Type System • Type System Specification: type operators defined inductively, typing rules defined inductively • The type system is proven sound via the metatheorems progress and preservation, by induction over the definitions • Syntactic Soundness Proof: Π ⊢blocks Ψ → safe Ψ

  11. Semantic Type System • Type System Specification • Semantic Soundness Proof: Π ⊢blocks Ψ → safe Ψ • List Machine Hoare Logic: Π ⊢blocks Ψ, Π;Ψ ⊢block ι : P, Π;Ψ ⊢instr P{ι}Q • Modal Specification Logic • Modal Model Library (reusable)

  12. Outline • Introduction • Organization of the List-Machine framework • Extend the List Machine with fault tolerance • Semantic and syntactic methods in large systems

  13. Fault Tolerance • Extend the List-Machine framework to provide fault tolerance • Requires non-trivial modifications to the framework • Demonstrates the flexibility of the framework

  14. Simple List-Machine Example (without faults)

  15. Fault Model • Single Event Upset • assume a fault will occur at most once • A fault may change just one register’s value to any other value.

  16. Simple List-Machine Example (with faults)

  17. Fault-Tolerant Modified Machine Specification

  18. Fault-Tolerant Example

  19. Incorrect Fault-Tolerant Example

  20. Is the modified code fault-tolerant? • Fault tolerance becomes part of the safety property • Type system ensures proper use of colors • Model possible occurrences of faults

  21. Modify the Operational Semantics

  22. Modify the Operational Semantics Branch instructions require green and blue computations to agree
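The module structure of slides 8–11 (a type system specification, a typechecking algorithm, and the two soundness statements check(Π,Ψ) = true → Π ⊢blocks Ψ and Π ⊢blocks Ψ → safe Ψ) and the fault model of slides 15–22 can both be exercised on a toy machine. The Python below is an added example and is not code from the slides or from the list-machine benchmark (which is written in Coq): its instruction and type encodings, register names, sample programs, and its decision to also compare the green and blue stores at fetch-field instructions (the slides state the agreement requirement only for branches) are assumptions of this example. It tests the soundness claims by execution on one program rather than proving them.

```python
# Added example, not code from the slides or from the list-machine benchmark:
# a toy list machine with an operational semantics, a syntactic typechecker
# check(prog, psi) and a single-event-upset fault model with duplicated stores.
# Instruction/type encodings, register names and sample programs are assumptions.
from itertools import product

NIL = None                                     # nil; a cons cell is a pair (head, tail)
UPSET_VALUES = [NIL, (NIL, NIL), (NIL, (NIL, NIL))]   # constructed values a fault may write

# Instructions: ("jump", L) | ("bnil", r, L): branch to L if r is nil | ("halt",) |
# ("fetch", r, i, d): d := field i of cons cell r | ("cons", a, b, d): d := (a, b)
def exec_instr(ins, regs):
    """Data effect of one instruction on a register store; None if the machine is stuck."""
    if ins[0] == "fetch":
        if not isinstance(regs[ins[1]], tuple):
            return None                        # fetch-field on nil: stuck (unsafe)
        regs[ins[3]] = regs[ins[1]][ins[2]]
    elif ins[0] == "cons":
        regs[ins[3]] = (regs[ins[1]], regs[ins[2]])
    return regs

def run(prog, regs, ft=False, fault=None, fuel=100):
    """Run from label "start"; returns (outcome, steps).  ft=True keeps a green and a
    blue store and requires them to agree wherever a register is inspected (branches,
    as on slide 22, and fetch-field, an assumption of this example).
    fault=(step, color, reg, value) is one single event upset (slide 15)."""
    stores = [dict(regs), dict(regs)] if ft else [dict(regs)]
    label, pc = "start", 0
    for step in range(fuel):
        if fault is not None and fault[0] == step:
            stores[fault[1]][fault[2]] = fault[3]      # the upset strikes this store now
        ins = prog[label][pc]
        if ft and ins[0] in ("bnil", "fetch") and stores[0][ins[1]] != stores[1][ins[1]]:
            return "fault_detected", step
        if ins[0] == "halt":
            return "halt", step
        if ins[0] == "jump":
            label, pc = ins[1], 0
        elif ins[0] == "bnil" and stores[0][ins[1]] is NIL:
            label, pc = ins[2], 0
        elif any(exec_instr(ins, s) is None for s in stores):
            return "stuck", step
        else:
            pc += 1
    return "timeout", fuel

# Types: ("nil",), ("list", t), ("listcons", t); nil and listcons t are subtypes of list t.
def subtype(t, u):
    if t == u or (t[0] == "nil" and u[0] == "list"):
        return True
    return t[0] != "nil" and u[0] in ("list", t[0]) and subtype(t[1], u[1])

def env_sub(env, target):
    """Environment subtyping: env provides at least what target demands of each register."""
    return all(r in env and subtype(env[r], t) for r, t in target.items())

def check(prog, psi):
    """check(prog, psi) = True iff every block is typable under the block types psi."""
    for label, block in prog.items():
        env = dict(psi[label])
        for ins in block:
            if ins[0] == "halt":
                break
            if ins[0] == "jump":
                if not env_sub(env, psi[ins[1]]):
                    return False
                break
            if ins[0] == "bnil":                   # taken: r is nil; fall-through: r is a cons
                t = env.get(ins[1])
                if t is None or t[0] != "list" or not env_sub({**env, ins[1]: ("nil",)}, psi[ins[2]]):
                    return False
                env[ins[1]] = ("listcons", t[1])
            elif ins[0] == "fetch":                # only a listcons may be dereferenced
                t = env.get(ins[1])
                if t is None or t[0] != "listcons":
                    return False
                env[ins[3]] = t[1] if ins[2] == 0 else ("list", t[1])
            elif ins[0] == "cons":
                ta, tb = env.get(ins[1]), env.get(ins[2])
                if ta is None or tb is None or not subtype(tb, ("list", ta)):
                    return False
                env[ins[3]] = ("listcons", ta)
        else:
            return False                           # block runs off its end: would get stuck
    return True

# Constructed sample: build the list (nil, (nil, nil)) in b, then walk it to the end.
GOOD = {"start": [("cons", "a", "a", "b"), ("cons", "a", "b", "b"), ("jump", "loop")],
        "loop": [("bnil", "b", "done"), ("fetch", "b", 1, "b"), ("jump", "loop")],
        "done": [("halt",)]}
PSI = {"start": {"a": ("nil",)}, "loop": {"a": ("nil",), "b": ("list", ("nil",))}, "done": {}}
BAD = {**GOOD, "loop": [("fetch", "b", 1, "b"), ("jump", "loop")]}   # nil check removed
INIT = {"a": NIL}

def single_upsets(prog, regs, ft):
    """Outcomes over every upset of one register, at one step of the fault-free run."""
    used = {x for b in prog.values() for i in b for x in i[1:] if isinstance(x, str) and x not in prog}
    steps = run(prog, regs, ft=ft)[1]
    return {run(prog, regs, ft=ft, fault=f)[0]
            for f in product(range(steps + 1), range(2 if ft else 1), used, UPSET_VALUES)}

if __name__ == "__main__":
    print(check(GOOD, PSI), run(GOOD, INIT)[0], check(BAD, PSI), run(BAD, INIT)[0])
    print(single_upsets(GOOD, INIT, ft=False), single_upsets(GOOD, INIT, ft=True))
```

GOOD typechecks and halts; BAD (the same walk without the nil test) is rejected by check and, when run, gets stuck on a fetch from nil. The upset enumeration is the interesting part: with a single store, one upset can drive the typed program into a stuck state or silently cut the walk short, whereas with duplicated stores every enumerated upset either leaves the outcome unchanged or is caught as a disagreement at the next inspection point.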

  23. FT Summary

  24. Outline • Introduction • Organization of the List-Machine framework • Extend the List Machine with fault tolerance • Semantic and syntactic methods in large systems

  25. How Semantic and Syntactic Methods Scale • Princeton Foundational Proof-Carrying Code (FPCC) vs. Carnegie Mellon ConCert project • FPCC :: Semantic • ConCert :: Syntactic

  26. Common Traits • Include a TAL for ML compiled to machine code • Goal: guarantee a memory property for untrusted code • Written in Twelf • Industrial-strength TALs • Large systems

  27. Composition • Trusted Computing Base: • Checker – theorem checker for FPCC and a metatheorem checker for ConCert • Machine – SPARC or x86 definitions • Logic – example: definition of modular arithmetic • Theorems – statement of the safety property • Proof (not in the TCB) • T + L + M << P

  28. Token count of TCB components

  29. Token count of TCB components The TCBs are equivalent in size except for the Checker

  30. Interface Safety Requires • updating the policy • moving the type system from Proof to Theorem • now part of the TCB • Should the type system be semantic or syntactic?

  31. Scaling Law • Semantic: new definition per type constructor • Syntactic: new definition per expression constructor • Toy systems have few expression constructors…

  32. Real systems have more expression constructors than type constructors, so semantic methods require fewer definitions. • Is the average type definition larger than the average typing rule?

  33. In toy systems, typing rules are simple...

    |- stmt_prim_lbladd_ADD_imm:
       judge_stmt (e_prim A (p_lbladd V1 (val_diff L0 Lab I2)))
                  Prog L CCEnv AENV KL Ps Phi L' CCEnv AENV KL Ps' Phi'
       <- regbind A At Prog
       <- targetreg At Ar
       <- regbind_val Prog V1 Vt
       <- realreg Vt Vr
       <- diff_value Prog (val_diff L0 Lab I2) Vc
       <- imm13 Vc (c Vimm13)
       <- valueTy Prog KL Phi V1 (offset I1 (int pi= (addr Lab)))
       <- valueTy Prog KL Phi (val_diff L0 Lab I2) (offset I2 (diff L0 Lab))
       <- check_lbladd_offset I1 I2
       <- num_add I1 I2 I1+I2
       <- venv_add Prog A (offset I1+I2 (int pi= (addr L0))) Phi Phi'
       <- decode_list L L' Ps Ps' (instr_ADD Vr (inject_imode Vimm13) Ar)
    = ...

  34. How does this balance in FPCC & ConCert? • FPCC’s semantic definitions are half the size of syntactic definitions for FPCC • This will become even more pronounced according to the scaling law if the compiler wishes to generate more instructions.

  35. Conclusion • Introduction • Organization of the List-Machine framework • Extend the List Machine with fault tolerance • Semantic and syntactic methods in large systems

  36. Appendix

  37. Modified Typing Rules

  38. Modified Operational Semantics • the machine state w = (n, ρ, a) becomes w = (n, ρ, a, ρ’, κ) • ρ’ – FT register store • κ – color store • (and equivalent for the syntactic system)

  39. Modified Semantic Type System

  40. List-Machine Benchmark 2.0 • Easily extended • Facilitates small scale comparisons between many proof methods (semantic and syntactic).

  41. Princeton’s Foundational Proof Carrying Code (FPCC) vs. Carnegie Mellon’s ConCert • Compare how type systems scale between semantic and syntactic proof methods

  42. Modules

  43. Modules (appendix) • Type System Specification • Typechecker Soundness Proof: check(Π,Ψ) = true → Π ⊢blocks Ψ • Type System: Π ⊢blocks Ψ → safe Ψ • Typechecking Algorithm: check(Π,Ψ) = true

  44. Modules (appendix) • Type System Specification: type operators, definitions of typing rules, statement of safety (Π ⊢blocks Ψ → safe Ψ) • Typechecker Soundness Proof: check(Π,Ψ) = true → Π ⊢blocks Ψ • Type System: proves Π ⊢blocks Ψ → safe Ψ • Typechecking Algorithm: check(Π,Ψ) = true

  45. Modules
