From C to interaction trees: specifying, verifying, and testing a networked server

We present the first formal verification of a networked server implemented in C. Interaction trees, a general structure for representing reactive computations, are used to tie together disparate verification and testing tools (Coq, VST, and QuickChick) and to axiomatize the behavior of the operating system on which the server runs (CertiKOS). The main theorem connects a specification of acceptable server behaviors, written in a straightforward “one client at a time” style, with the CompCert semantics of the C program. The variability introduced by low-level buffering of messages and interleaving of multiple TCP connections is captured using network refinement, a variant of observational refinement.
