Storage Systems are Distributed Systems (So Verify Them That Way!)

To verify distributed systems, prior work introduced a methodology for verifying both the code running on individual machines and the correctness of the overall system when those machines interact via an asynchronous distributed environment. The methodology requires neither domain-specific logic nor tooling. However, distributed systems are only one instance of the more general phenomenon of systems code that interacts with an asynchronous environment. We argue that the software of a storage system can (and should!) be viewed similarly. We evaluate this approach in VeriBetrKV, a key-value store based on a state-of-the-art Bεtree. In building VeriBetrKV, we introduce new techniques to scale automated verification to larger code bases, still without introducing domain-specific logic or tooling. In particular, we show a discipline that keeps the automated verification development cycle responsive. We also combine linear types with dynamic frames to relieve the programmer from most heap-reasoning obligations while enabling them to break out of the linear type system when needed. VeriBetrKV exhibits similar query performance to unverified databases. Its insertion performance is 24× faster than unverified BerkeleyDB and 8× slower than RocksDB.

[1]  Martín Abadi,et al.  The existence of refinement mappings , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[2]  Philip Wadler,et al.  Linear Types can Change the World! , 1990, Programming Concepts and Methods.

[3]  Martin Herrmann,et al.  Optimization of cyclic redundancy-check codes with 24 and 32 parity bits , 1993, IEEE Trans. Commun..

[4]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[5]  Leslie Lamport,et al.  The temporal logic of actions , 1994, TOPL.

[6]  Leslie Lamport,et al.  The part-time parliament , 1998, TOCS.

[7]  Nancy A. Lynch,et al.  Using I/O automata for developing distributed systems , 2000 .

[8]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[9]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[10]  Gerth Stølting Brodal,et al.  Lower bounds for external memory dictionaries , 2003, SODA '03.

[11]  Ioannis T. Kassios Dynamic Frames: Support for Framing, Dependencies and Sharing Without Restrictions , 2006, FM.

[12]  Anne Schilling,et al.  Linear Maps , 2007 .

[13]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[14]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[15]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[16]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[17]  Prashant Malik,et al.  Cassandra: a decentralized structured storage system , 2010, OPSR.

[18]  Adam Silberstein,et al.  Benchmarking cloud serving systems with YCSB , 2010, SoCC '10.

[19]  Sascha Böhme,et al.  Fast LCF-Style Proof Reconstruction for Z3 , 2010, ITP.

[20]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[21]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[22]  Damien Zufferey,et al.  P: safe asynchronous event-driven programming , 2013, PLDI.

[23]  Danfeng Zhang,et al.  Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.

[24]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[25]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[26]  John K. Ousterhout,et al.  In Search of an Understandable Consensus Algorithm , 2014, USENIX ATC.

[27]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[28]  Srinath T. V. Setty,et al.  IronFleet: proving practical distributed systems correct , 2015, SOSP.

[29]  Verdi: a framework for implementing and formally verifying distributed systems , 2015, PLDI.

[30]  Serdar Tasiran,et al.  Automated and Modular Refinement Reasoning for Concurrent Programs , 2015, CAV.

[31]  Xi Wang,et al.  Verdi: a framework for implementing and formally verifying distributed systems , 2015, PLDI.

[32]  Michael A. Bender,et al.  An Introduction to Bε-trees and Write-Optimization , 2015, login Usenix Mag..

[33]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[34]  Michael D. Ernst,et al.  Planning for change in a formal verification of the raft consensus protocol , 2016, CPP.

[35]  Kenneth L. McMillan,et al.  Ivy: safety verification by interactive generalization , 2016, PLDI.

[36]  Sidney Amani,et al.  Cogent: Verifying High-Assurance File System Implementations , 2016, ASPLOS.

[37]  Adam Chlipala,et al.  Using Crash Hoare logic for certifying the FSCQ file system , 2015, USENIX Annual Technical Conference.

[38]  Nicolas Christin,et al.  Push-Button Verification of File Systems via Crash Refinement , 2016, USENIX Annual Technical Conference.

[39]  Thomas A. Henzinger,et al.  PSync: a partially synchronous language for fault-tolerant distributed algorithms , 2016, POPL.

[40]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[41]  Xi Wang,et al.  An Empirical Study on the Correctness of Formally Verified Distributed Systems , 2017, EuroSys.

[42]  Adam Chlipala,et al.  Verifying a high-performance crash-safe file system using a tree specification , 2017, SOSP.

[43]  John Launchbury,et al.  The HACMS program: using formal methods to eliminate exploitable bugs , 2017, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[44]  Xi Wang,et al.  Hyperkernel: Push-Button Verification of an OS Kernel , 2017, SOSP.

[45]  Andrew Ferraiuolo,et al.  Komodo: Using verification to disentangle secure-enclave hardware from software , 2017, SOSP.

[46]  Butler W. Lampson,et al.  Verifying concurrent software using movers in CSPEC , 2018, OSDI.

[47]  Emina Torlak,et al.  Nickel: A Framework for Design and Verification of Information Flow Control Systems , 2018, OSDI.

[48]  Kenneth L. McMillan,et al.  Modularity for decidability of deductive verification with applications to distributed systems , 2018, PLDI.

[49]  Dan Grossman,et al.  Œuf: minimizing the Coq extraction TCB , 2018, CPP.

[50]  Joseph Tassarotti,et al.  Verifying concurrent, crash-safe systems with Perennial , 2019, SOSP.

[51]  Emina Torlak,et al.  Scaling symbolic evaluation for automated verification of systems code with Serval , 2019, SOSP.

[52]  Peter Müller,et al.  Leveraging rust types for modular specification and verification , 2019, Proc. ACM Program. Lang..

[53]  Deian Stefan,et al.  Pretend synchrony: synchronous verification of asynchronous distributed programs , 2019, Proc. ACM Program. Lang..

[54]  Ronghui Gu,et al.  Using concurrent relational logic with helpers for verifying the AtomFS file system , 2019, SOSP.

[55]  George Candea,et al.  Verifying software network functions with no verification expertise , 2019, SOSP.

[56]  Steven R. Marks Software Distribution , 2019, Handbook of Server Management and Administration 1999.

[57]  Michael A. Bender,et al.  Small Refinements to the DAM Can Have Big Consequences for Data-Structure Design , 2019, SPAA.

[58]  Aditya Akella,et al.  Automated Verification of Customizable Middlebox Properties with Gravel , 2020, NSDI.