Verifying an HTTP Key-Value Server with Interaction Trees and VST

We present a networked key-value server, implemented in C and formally verified in Coq. The server interacts with clients using a subset of the HTTP/1.1 protocol and is specified and verified using interaction trees and the Verified Software Toolchain (VST). The codebase includes a reusable and fully verified C string library that provides 17 standard POSIX string functions and 17 general-purpose non-POSIX string functions. For the KVServer's socket system calls, we establish a refinement relation between the specification at user-space level and the specification at CertiKOS kernel-space level.
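As an added illustration of the interaction-tree style of specification the abstract refers to (this is example code written for this page, not the paper's artifact), the following Coq sketch models a key-value server as an interaction tree whose only effects are receiving a request and sending a response; the environment (client, or in the paper's setting the kernel-level socket specification) answers each event. It assumes the coq-itree library (`ITree.iter`, `trigger`, the `;;` and `<-` notations); the `request`, `response`, `store` types and the `netE` effect signature are hypothetical simplifications, since the page does not show the paper's own definitions.

```coq
(* Example code added for this page; not from the paper's artifact.
   Assumes the coq-itree library is installed. *)
From ITree Require Import ITree.
Import ITreeNotations.
Local Open Scope itree_scope.
Require Import Coq.Strings.String Coq.Lists.List.
Import ListNotations.

(* Hypothetical simplified data types: an association-list store,
   a GET/PUT request, and a three-way response. *)
Definition store := list (string * string).

Inductive request :=
| GET (key : string)
| PUT (key : string) (value : string).

Inductive response :=
| Ok (body : string)
| NotFound
| Created.

(* The server's effect signature: it may receive a request or send a
   response. Everything else (parsing, sockets) is the environment's job,
   which is what lets a kernel-level specification refine these events. *)
Variant netE : Type -> Type :=
| Recv : netE request
| Send : response -> netE unit.

Definition lookup (k : string) (s : store) : option string :=
  match find (fun kv => String.eqb k (fst kv)) s with
  | Some (_, v) => Some v
  | None => None
  end.

(* One iteration of the server loop: receive, act on the store, reply.
   Returning [inl s'] continues the loop with the updated store;
   [inr tt] would terminate it (this server never does). *)
Definition step (s : store) : itree netE (store + unit) :=
  r <- trigger Recv ;;
  match r with
  | GET k =>
      match lookup k s with
      | Some v => trigger (Send (Ok v)) ;; Ret (inl s)
      | None => trigger (Send NotFound) ;; Ret (inl s)
      end
  | PUT k v =>
      trigger (Send Created) ;; Ret (inl ((k, v) :: s))
  end.

(* The whole server: iterate [step] forever from the empty store. *)
Definition server : itree netE unit := ITree.iter step [].
```

The value of writing the specification this way is that `server` is an ordinary Coq term: it can be executed against a test harness that answers `Recv` with constructed requests, and it can serve as the postcondition against which the C implementation is verified in VST, with the `Recv`/`Send` events later related to socket system calls by a refinement proof.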
