An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and Yu Guo (USTC)

Motivation How to build fully certified software systems? Source-level codeLibraries and runtime + References with weak upd. Dynamic mem. alloc. Functions, exceptions, … Concurrency I/O Garbage collectors malloc() (strong update) Stacks, code pointers Context switching & Scheduler Device drivers

Motivation All concurrency verification assumes built-in concurrency Assume-Guarantee (A-G) reasoning Concurrent Separation logic (CSL) … Context switching, scheduler Too low-level to be certified in these logics [Yu&Shao, ICFP ’ 04] Threads & schedulers have never been modularly certified!

Motivation Certify all code in a single type system/program logic? Hard to combine all features weak vs. strong update, functions/exceptions vs. goto ’ s, threads vs. thread contexts May not be modular Very complex, hard to use Don ’ t know how to design such a logic Certify modules using the most appropriate logic! Modules do not use all the features at the same time It is simpler to use specialized logic for each module

An Open Framework Certify different modules using different verification systems!

Challenges Extensibility and openness not designed for certain specific interoperations But can we just use MLFs, e.g. Coq? Expressiveness type safety, concurrency properties, partial correctness, … A general and uniform model of control flow Allow functions certified in different systems to call each other the key for modularity: separate verification & proof reuse Principled interoperation with clear meta-property properties of the whole system composed of modules Not readily supported in Coq!

Our contributions OCAP: an open framework Embedding of different systems TAL, non-CPS Hoare-logic, A-G reasoning, … Open & Extensible Modularity with first-class code pointers [Ni&Shao POPL ’ 06] Soundness Type safety, & preservation of invariants in foreign systems Applications TAL + memory allocation libs. Threads + Scheduler The first time to modularly certify both sides …

Outline OCAP Framework Certifying Threads & Schedulers

OCAP Rules LnLn … OCAP : Overview OCAP Soundness Mechanized Meta-Logic (CiC) Modeling of the machine TCB Sound L1L1 ( ) L1 ( ) Ln Sound Mechanized Meta-Logic (CiC) Modeling of the machine … C1C1 CnCn

The Machine I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,pc) ::=(H,R) ::={f  I} * pc

The OCAP Logic : Overview Hoare-style program logic for assembly CPS-style reasoning Assign a precondition to each basic block Similar to TAL [Morrisett et al. POPL ’ 98]

The OCAP Logic : Overview I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,pc) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} * a

OCAP: Code pointers codeptr(f,a)   (f) = a (Spec)  ::= {f  a} *  a codeptr Not well-founded! Support of first-class code pointers:

OCAP: Code Pointers A generic specification: (CdSpec)  ::= … (Assert) a  Spec  State  Prop (Spec)  ::= {f   } * (  ) ,S. … No interoperation between multiple systems…  a codeptr a   codeptr  ()()

OCAP: Foreign Languages (LangTy) L ::= CiC Terms  Type (CodeSpec)  ::= CiC Terms  L Inductive TalType : Type := T_int : TalType T_pair: TalType -> TalType-> TalType … Inductive Tal2Type : Type := T2_int : TalType T2_pair: TalType -> TalType-> TalType … L ::= TalType | Tal2Type | …  1 ::= T_int | T_pair  1  1 | …  TalType  2 ::= T2_int | T2_pair  2  2 | …  Tal2Type

OCAP: Specifications (OCdSpec)  ::=   L.( L  Assert )* L (Spec)  ::= {(f 1,  1 ), … (f n,  n )} (Assert) a  Spec  State  Prop (Interp) ( ) L  L  Assert (LangTy) L ::= CiC Terms  Type (CodeSpec)  ::= CiC Terms  L Not well-founded:  ( ) L a

OCAP: Specifications (OCdSpec)  ::= (Spec)  ::= {(f 1,  1 ), … (f n,  n )} (Assert) a  Spec  State  Prop (Interp) ( ) L  L  Assert (LangTy) L ::= CiC Terms  Type (CodeSpec)  ::= CiC Terms  L (LangID)  ::= n  nat (LangDict) D ::= {  1 ,…,  n  }  LangID  (  L. L  Assert)  ( ) L a  

Selected OCAP Rules D 1  D 2 ;  1  2 ┝ C 1  C 2 :  1 ’  2 ’ D 1 ;  1 ┝ C 1 :  1 ’ (link) D 2 ;  2 ┝ C 2 :  2 ’ … D ┝ {a}jr r ,S.a  S .(codeptr(S.R(r),  )  a’)  S (jr) a’ = [[[  ]]] D codeptr(f,  )  ,S.  (f)=  [[[  ]]] D  ,S.  ( ) L. ( D (  )= )  ( (  ) L  S)  =

Outline OCAP Framework Certifying Threads & Schedulers

Threads and Scheduler Thread code C 1,…,C n Certified following CCAP [Yu&Shao, ICFP ’ 04] Assume-Guarantee reasoning Thread modularity Do not know about thread queue SCAP CCAP + Scheduler C S Certified in SCAP [Feng et al. PLDI’06] as sequential code Manages thread queue TQ Do not touch H

Scheduler in SCAP yield: pick one word (pc i ) from TQ swap pc i and r 31 jr r 31 H1H1 pc 1 pc n … TQ r 31 r0r0 H1H1 pc 1 pc n … TQ r 31 r0r0 … jal yield ct: … Thread code: ct

Scheduler in SCAP yield: (p s, g s ) pick one word (pc i ) from TQ swap pc i and r 31 jr r 31 gsgs g s  (  r  {r 1,…,r 30 }.[r]=[r]’)   Q, Q ’.  p’.  Q  {[r31]} = Q ’  {[r31]’} WFTQ( Q )*p’ WFTQ( Q ’ )*p’ H1H1 pc 1 pc n … TQ r 31 r0r0 H1H1 pc 1 pc n … TQ r 31 r0r0 ct p s   Q.WFTQ( Q ) * True

Embedding SCAP ( (p,g) ) D scap  … jr $ra g p … D Soundness:  scap ┝ scap C:  ’ scap   (  scap ) D scap D  D scap,  ┝ C:  ’  ’  (  ’ scap ) D scap D scap  {  scap  }

Threads: Assume-Guarantee S p1p1 p2p2 S’S’ Spec. for threads: (p, A, G) p: State  Prop p’1p’1 p 2 ? A, G: State  State  Prop Stability of p: p i S  A i S S ’  p i S ’ G1G1  A 2 A 1, G 1 A 2, G 2

CCAP embedding  ccap ┝ ccap C i :  ’ ccap D all  {  ccap ,  scap  } D all ;  c  y ┝ C i :  ’ c  y  {yield  }  c  (  ccap ) ccap  ’ c  (  ’ ccap ) ccap ( (p,A,G) ) ccap  ,S. …

Certify the code  ccap ┝ ccap C i :  ’ ccap  scap ┝ scap C s :  ’ scap D all  {  ccap ,  scap  } D all ;  y ┝ C s :  ’ y D all ;  c  y ┝ C i :  ’ c SCAP CCAP the “link” rule D all ;  c  y ┝ C i  C s :  ’ c   ’ y

Summary It is simpler and natural to certify different modules using different logics OCAP: framework for interoperation Embedding TAL: type system SCAP: non-cps logic for assembly CCAP: Assume-guarantee reasoning Interoperation TAL + newpair Threads + Scheduler TAL + GC (ongoing work by Lin, McCreight, et al.)

Future work Explore the applicability of OCAP Interoperation of different languages Currently just for assembly language But logics are at different levels (TAL, CCAP, … ) May support C + inlined assembly

Thank you!