Cogent: Verifying High-Assurance File System Implementations

We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness proofs. The language is strongly typed and guarantees absence of a number of common file system implementation errors. We show how verification effort is drastically reduced for proving higher-level properties of the file system implementation by reasoning about the generated formal specification rather than its low-level C code. We use the framework to write two Linux file systems, and compare their performance with their native C implementations.
