Deep Specifications and Certified Abstraction Layers

Modern computer systems consist of a multitude of abstraction layers (e.g., OS kernels, hypervisors, device drivers, network protocols), each of which defines an interface that hides the implementation details of a particular set of functionality. Client programs built on top of each layer can be understood solely based on the interface, independent of the layer implementation. Despite their obvious importance, abstraction layers have mostly been treated as a system concept; they have almost never been formally specified or verified. This makes it difficult to establish strong correctness properties, and to scale program verification across multiple layers. In this paper, we present a novel language-based account of abstraction layers and show that they correspond to a strong form of abstraction over a particularly rich class of specifications which we call deep specifications. Just as data abstraction in typed functional languages leads to the important representation independence property, abstraction over deep specification is characterized by an important implementation independence property: any two implementations of the same deep specification must have contextually equivalent behaviors. We present a new layer calculus showing how to formally specify, program, verify, and compose abstraction layers. We show how to instantiate the layer calculus in realistic programming languages such as C and assembly, and how to adapt the CompCert verified compiler to compile certified C layers such that they can be linked with assembly layers. Using these new languages and tools, we have successfully developed multiple certified OS kernels in the Coq proof assistant, the most realistic of which consists of 37 abstraction layers, took less than one person year to develop, and can boot a version of Linux as a guest.

[1]  Carroll Morgan,et al.  Programming from specifications (2nd ed.) , 1994 .

[2]  Daniel Jackson,et al.  Software Abstractions - Logic, Language, and Analysis , 2006 .

[3]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[4]  Chung-Kil Hur,et al.  Biorthogonality, step-indexing and compiler correctness , 2009, ICFP.

[5]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[6]  J. Michael Spivey,et al.  The Z notation - a reference manual , 1992, Prentice Hall International Series in Computer Science.

[7]  Sumit Gulwani,et al.  Continuity analysis of programs , 2010, POPL '10.

[8]  Robin Milner,et al.  Definition of standard ML , 1990 .

[9]  Carroll Morgan,et al.  Programming from specifications, 2nd Edition , 1994, Prentice Hall International series in computer science.

[10]  Xinyu Feng,et al.  Combining Domain-Specific and Foundational Logics to Verify Complete Software Systems , 2008, VSTTE.

[11]  Xavier Leroy,et al.  Mechanized Semantics for the Clight Subset of the C Language , 2009, Journal of Automated Reasoning.

[12]  James R. Larus,et al.  Singularity: rethinking the software stack , 2007, OPSR.

[13]  Yu Guo,et al.  Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads , 2009, Journal of Automated Reasoning.

[14]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[15]  Magnus O. Myreen,et al.  Translation validation for a verified OS kernel , 2013, PLDI.

[16]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[17]  Suresh Jagannathan,et al.  CompCertTSO: A Verified Compiler for Relaxed-Memory Concurrency , 2013, JACM.

[18]  Aaron Turon Representation independence and data abstraction , 2010 .

[19]  Zhong Shao,et al.  End-to-end verification of stack-space bounds for C programs , 2014, PLDI.

[20]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[21]  Amal Ahmed,et al.  Verifying an Open Compiler Using Multi-language Semantics , 2014, ESOP.

[22]  Lars Birkedal,et al.  Polymorphism and separation in hoare type theory , 2006, ICFP '06.

[23]  Leslie Lamport,et al.  The temporal logic of actions , 1994, TOPL.

[24]  Carroll Morgan,et al.  Programming from specifications , 1990, Prentice Hall International Series in computer science.

[25]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[26]  Edsger W. Dijkstra,et al.  Notes on structured programming , 1970 .

[27]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[28]  Andrew W. Appel,et al.  Verified Compilation for Shared-Memory C , 2014, ESOP.

[29]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[30]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[31]  Liang Gu,et al.  CertiKOS: a certified kernel for secure cloud computing , 2011, APSys.

[32]  Peter Claussen Theories of programming languages , 2000, SOEN.

[33]  Kim B. Clark,et al.  Design Rules: The Power of Modularity , 2000 .

[34]  Nile W. Hatch,et al.  Design Rules, Volume 1: The Power of Modularity , 2001 .

[35]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[36]  N. Lynch,et al.  Forward and backward simulations , 1993 .

[37]  Chung-Kil Hur,et al.  The marriage of bisimulations and Kripke logical relations , 2012, POPL '12.

[38]  Zhong Shao,et al.  Compositional Verification of a Baby Virtual Memory Manager , 2012, CPP.

[39]  Peter Beike,et al.  The Definition Of Standard Ml Revised , 2016 .

[40]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.