Connecting Higher-Order Separation Logic to a First-Order Outside World

Separation logic is a useful tool for proving the correctness of programs that manipulate memory, especially when the model of memory includes higher-order state: Step-indexing, predicates in the heap, and higher-order ghost state have been used to reason about function pointers, data structure invariants, and complex concurrency patterns. On the other hand, the behavior of system features (e.g., operating systems) and the external world (e.g., communication between components) is usually specified using first-order formalisms. In principle, the soundness theorem of a separation logic is its interface with first-order theorems, but the soundness theorem may implicitly make assumptions about how other components are specified, limiting its use. In this paper, we show how to extend the higher-order separation logic of the Verified Software Toolchain to interface with a first-order verified operating system, in this case CertiKOS, that mediates its interaction with the outside world. The resulting system allows us to prove the correctness of C programs in separation logic based on the semantics of system calls implemented in CertiKOS. It also demonstrates that the combination of interaction trees + CompCert memories serves well as a lingua franca to interface and compose two quite different styles of program verification.

[1]  Aleksandar Nanevski,et al.  Subjective auxiliary state for coarse-grained concurrency , 2013, POPL.

[2]  Frank Piessens,et al.  Sound, Modular and Compositional Verification of the Input/Output Behavior of Programs , 2015, ESOP.

[3]  MORTEN KROGH-JESPERSEN,et al.  Aneris : A Logic for Node-Local , Modular Reasoning of Distributed Systems , 2018 .

[4]  Zhong Shao,et al.  Certified concurrent abstraction layers , 2018, PLDI.

[5]  Zhong Shao,et al.  An abstract stack based approach to verified compositional compilation to machine code , 2019, Proc. ACM Program. Lang..

[6]  Adam Chlipala,et al.  Using Crash Hoare logic for certifying the FSCQ file system , 2015, USENIX Annual Technical Conference.

[7]  Chris Hawblitzel,et al.  Safe to the last instruction: automated verification of a type-safe operating system , 2011, CACM.

[8]  Benjamin C. Pierce,et al.  From C to interaction trees: specifying, verifying, and testing a networked server , 2018, CPP.

[9]  Danfeng Zhang,et al.  Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.

[10]  Lars Birkedal,et al.  Higher-order ghost state , 2016, ICFP.

[11]  Lars Birkedal,et al.  Aneris: A Mechanised Logic for Modular Reasoning about Distributed Systems , 2020, ESOP.

[12]  Ramana Kumar,et al.  Program Verification in the Presence of I/O - Semantics, Verified Library Routines, and Verified Applications , 2018, VSTTE.

[13]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[14]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[15]  Ilya Sergey,et al.  Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity , 2014, ESOP.

[16]  Hongseok Yang,et al.  Views: compositional reasoning for concurrent programs , 2013, POPL.

[17]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[18]  Ramana Kumar,et al.  Verified Characteristic Formulae for CakeML , 2017, ESOP.

[19]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[20]  Andrew W. Appel,et al.  Program Logics for Certified Compilers , 2014 .

[21]  Viktor Vafeiadis,et al.  Concurrent Abstract Predicates , 2010, ECOOP.

[22]  Andrew W. Appel,et al.  The CompCert memory model , 2014 .