Automated and Modular Refinement Reasoning for Concurrent Programs - PowerPoint Presentation

Uploaded by felicity on 2023-09-20

Collaborators: Chris Hawblitzel (Microsoft), Erez Petrank (Technion), Serdar Tasiran (Koc University), Shaz Qadeer. Verified Garbage Collector. ID: 1018556


Presentation Transcript

1. Automated and Modular Refinement Reasoning for Concurrent Programs
Collaborators: Chris Hawblitzel (Microsoft), Erez Petrank (Technion), Serdar Tasiran (Koc University)
Shaz Qadeer

2. Verve: a verifiably safe OS (Yang-Hawblitzel 10)
Small Operating System (C#):
  Verified Garbage Collector
  Verified Threads
  Verified Interrupt Handlers
  Verified Device Interface
  Verified Startup
  Verified Boot
x86 Hardware, Network, PCI, TPM
Verify safety & correctness with Boogie/Z3
“every assembly language instruction checked for safety”

3. An Ironclad app guarantees to remote parties that every instruction it executes adheres to a high-level security spec.
  My password will never leak
  I can run full SQL and the cloud learns nothing

4. Ironclad project (MSR OS Group)
Goal: achieve end-to-end security
  Use small trusted computing base (TCB) — thousands of lines of spec, not millions of lines of code
  Make approach feasible for use by system and application developers
  Show developers how to achieve correctness without testing
Approach:
  Combine cryptography, secure hardware, and formal code verification
  Push scale of formal verification tools to fully encompass large systems

5. Ironclad apps atop Verve
Ironclad apps: Notary, Password Vault, DiffPriv DB
Libraries: Bits & Arrays, Math, Big Integers, RSA Enc + Sig, SHA Hash
Drivers and network stack: TPM Driver, Net Driver, Ethernet, UDP/IP
Verve: Verified Garbage Collector, Verified Threads, Verified Interrupt Handlers, Verified Device Interface, Verified Startup, Verified Boot
x86 Hardware, Network, PCI, TPM

6. Verve and concurrency
  Provides threads
    No mechanism to reason about them
    Difficult to provide any assurance beyond memory safety
  Verve boots on a single core
    Stop-the-world garbage collector
    Unacceptable multi-core performance

7. Goal of our work
  A scalable automated verifier for reasoning about low-level concurrency
  A verified concurrent garbage collector

8. Refining concurrent programs
  Atomic actions as specifications
  Explicit non-interference (à la Owicki-Gries and Jones)
  Linear resources providing free invariants
“Verification works for me only when I start small.” - Chris Hawblitzel

9. Garbage collector implementation
  Extends Dijkstra et al. 78
    multiple parallel mutators
    no read barrier
    fast write barrier
  Features
    Mark/Sweep/Idle phases separated by barriers
    Mutator cooperates with collector
    Barrier for atomic root scan

10. Garbage collector specification
  memAbs   : [obj][fld]obj  // Heap
  rootAbs  : [idx]obj       // Roots (stack, registers)
  allocSet : [obj]bool      // Allocated objects
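To make slides 9 and 10 concrete, here is an added example (not the project's Boogie code) modelling a Dijkstra-style concurrent mark/sweep collector in Python and checking its retained set against the abstract specification memAbs/rootAbs/allocSet; the object ids, the two-field layout and the mutator interleaving are constructed, and the run with barrier=False shows why the write barrier is needed for memory safety.

```python
# Added example (not the project's Boogie code): Dijkstra-style concurrent mark/sweep
# model checked against the abstract spec memAbs/rootAbs/allocSet; ids and heap are constructed.
NIL = 0  # null object id

def reachable(mem, roots):
    """Abstract spec: objects reachable from rootAbs through memAbs."""
    seen, todo = set(), [r for r in roots if r != NIL]
    while todo:
        o = todo.pop()
        if o not in seen:
            seen.add(o)
            todo += [f for f in mem[o] if f != NIL]
    return seen

class Collector:
    def __init__(self, mem, roots):
        self.mem, self.roots, self.alloc = mem, roots, set(mem)  # alloc = allocSet
        self.colour, self.phase = {o: "white" for o in mem}, "Idle"
    def shade(self, o):
        if o != NIL and self.colour[o] == "white": self.colour[o] = "grey"
    def mutator_store(self, src, fld, dst, barrier):
        """Mutator write; Dijkstra's write barrier shades the new target during Mark."""
        self.mem[src][fld] = dst
        if barrier and self.phase == "Mark":
            self.shade(dst)
    def mark_start(self):
        self.phase = "Mark"
        for r in self.roots: self.shade(r)  # atomic root scan
    def mark_step(self):  # blacken one grey object; False once none is grey
        grey = [o for o, c in self.colour.items() if c == "grey"]
        if not grey: return False
        for f in self.mem[grey[0]]: self.shade(f)
        self.colour[grey[0]] = "black"
        return True
    def sweep(self):
        for o in [o for o in self.alloc if self.colour[o] == "white"]:
            self.alloc.discard(o); del self.mem[o]  # free unmarked objects
        self.phase = "Idle"

def run_scenario(barrier):
    """True iff the set retained by the collector equals the abstract reachable set."""
    gc = Collector({1: [2, NIL], 2: [3, NIL], 3: [NIL, NIL]}, [1])  # constructed: 1->2->3
    gc.mark_start(); gc.mark_step()       # 1 black, 2 grey, 3 still white
    gc.mutator_store(1, 1, 3, barrier)    # black 1 now points at white 3
    gc.mutator_store(2, 0, NIL, barrier)  # the only grey path to 3 is cut
    while gc.mark_step(): pass
    spec = reachable(gc.mem, gc.roots)
    gc.sweep()
    return gc.alloc == spec
```

With the barrier the mutator's store shades object 3 grey, so the collector retains exactly the abstractly reachable set; without it, 3 is swept while still referenced from object 1, which is the dangling pointer the refinement proof rules out.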

11. Garbage collector verification
  Simple high-level specification refined down to individual instructions: load, store, CAS, atomic increment/decrement
  Six levels of refinement
  2100 lines of code and specification
  6 min and 2GB memory on a modern Windows machine
  Simplifying assumptions
    Allocator is naïve (sequential search for free space)
    All objects have the same number of fields
    Sequentially consistent execution

12. Future work
  Verify under TSO
  Improve allocator performance
  Incorporate variable-size objects
  Extract executable code and plug into Verve