A verified messaging system

We present a concurrent-read exclusive-write buffer system with strong correctness and security properties. Our motivating application for this system is the distribution of sensor values in a multicomponent vehicle-control system, where some components are unverified and possibly malicious, and other components are vehicle-control-critical and must be verified. Valid participants are guaranteed correct communication (i.e., the writer is always able to write to an unused buffer, and readers always read the most recently published value), while invalid readers or writers cannot compromise the correctness or liveness of valid participants. There is only one writer, all operations are wait-free, and there is no extra process or thread mediating communication. We prove the correctness of the system with valid participants by formally verifying a C implementation of the system in Coq, using the Verified Software Toolchain extended with an atomic exchange operation. The result is the first C-level mechanized verification of a nonblocking communication protocol.
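To make the abstract's guarantees concrete, here is an added example (not the paper's verified C code, and not its exact protocol): a single-writer, multi-reader buffer scheme in C11 built on atomic exchange, where the writer always finds an unused buffer and each reader, in a wait-free step, picks up the most recently published value. The protocol shape (one mailbox per reader, `NREADERS + 2` buffers), the function names (`msg_init`, `writer_publish`, `reader_read`, `reader_peek`) and the sample values are assumptions made for this illustration.

```c
/* Added illustration, not the paper's code: single-writer, multi-reader,
 * wait-free buffer handoff using atomic exchange.  The buffer count,
 * bookkeeping scheme and all names here are assumptions for this example. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NREADERS 2
#define NBUFS (NREADERS + 2)   /* latest + one possibly-held buffer per reader + one spare */
#define EMPTY (-1)

static int bufs[NBUFS];                 /* payload slots (constructed sample ints) */
static atomic_int comm[NREADERS];       /* per-reader mailbox: a buffer index or EMPTY */

/* Writer-private bookkeeping: never touched by readers. */
static int latest;                      /* buffer most recently published */
static int held[NREADERS];              /* buffer reader r may still be reading */
static int last_given[NREADERS];        /* buffer last offered to reader r */

/* Reader-private state: the buffer reader r is currently reading from. */
static int reading[NREADERS];

int msg_init(int initial)
{
    bufs[0] = initial;
    latest = 0;
    for (int r = 0; r < NREADERS; r++) {
        atomic_store(&comm[r], EMPTY);
        held[r] = 0;                    /* every reader starts on buffer 0 */
        last_given[r] = EMPTY;
        reading[r] = 0;
    }
    return NBUFS;
}

/* A buffer is free iff it is neither the latest nor possibly held by a reader.
 * At most NREADERS + 1 buffers are in use, so with NREADERS + 2 one is always free. */
static int find_free(void)
{
    for (int b = 0; b < NBUFS; b++) {
        bool busy = (b == latest);
        for (int r = 0; r < NREADERS && !busy; r++)
            busy = (b == held[r]);
        if (!busy) return b;
    }
    return -1;                          /* unreachable while the invariant holds */
}

/* Writer: publish a value; returns the buffer index used, or -1 if none was free. */
int writer_publish(int value)
{
    int b = find_free();
    if (b < 0) return -1;
    bufs[b] = value;                    /* plain write: no reader can be on buffer b */
    for (int r = 0; r < NREADERS; r++) {
        int old = atomic_exchange(&comm[r], b);   /* hand b to reader r */
        if (old == EMPTY && last_given[r] != EMPTY)
            held[r] = last_given[r];    /* reader took the previous offer; its older buffer is free */
        /* old != EMPTY: reader never took the previous offer, so held[r] stays as it was */
        last_given[r] = b;
    }
    latest = b;
    return b;
}

/* Reader r: switch to the newest offered buffer, if any, then read it.  One atomic step. */
int reader_read(int r)
{
    int b = atomic_exchange(&comm[r], EMPTY);
    if (b != EMPTY) reading[r] = b;
    return bufs[reading[r]];
}

/* Reader r re-reads its current buffer without checking the mailbox
 * (models a slow reader still consuming an older value). */
int reader_peek(int r)
{
    return bufs[reading[r]];
}

int main(void)
{
    msg_init(10);
    printf("reader0 sees %d\n", reader_read(0));
    for (int v = 20; v <= 50; v += 10) writer_publish(v);
    printf("lagging reader0 still sees %d, reader1 now sees %d\n",
           reader_peek(0), reader_read(1));
    return 0;
}
```

The point the example makes is the invariant behind "the writer is always able to write to an unused buffer": the writer only ever reuses a buffer once a reader's own exchange has proven the reader moved on, so a slow reader's buffer is never overwritten underneath it, and a reader that does check its mailbox always lands on the latest published value. Readers never block or retry, and no third party mediates the handoff.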
