Foundational Certified Code in a Metalogical Framework
Karl Crary and Susmit Sarkar
Carnegie Mellon University
Motivation: Grid Computing
Make use of idle computing cycles over the network [e.g. SETI]
Computer owners download and execute code from developers
A key issue: the developers are unknown, so consumers are concerned about safety
Certified code
Package the code with a certificate [PCC, TAL]
Certificate: a machine-verifiable proof of safety
Typically, a proof that the code is well-typed in a safe type system
[Diagram: the Developer sends Code and a Certificate to the Consumer; the Consumer asks "Is code safe?" and, from the certificate, gains the knowledge "Code is safe!"]
Type System? Is that safe?
Old answer: fix a type system, trust peer review
New answer: give developers the flexibility of using their own type systems
Need to check that this is safe
Known as Foundational Certified Code
[Diagram: Developer and Consumer, each with their own Type System and the Machine details; Code and Certificate pass from Developer to Consumer]
Roadmap
Our system
Metalogics
Safety Policy
A Safety Proof
Related and future work
Our System
[Diagram: the Developer sends Code and a Certificate to the Consumer; the Consumer holds a Safety Policy, the Developer a Safety Condition]
Consumer: Does the Code satisfy the Safety Policy?
Developer: The Code satisfies my Safety Condition.
Consumer: Why is your safety condition any good?
Developer: I can prove it to you! (Safety Proof)
Metalogic: meta theorems
We use LF to express logics, e.g., the operational semantics and the producer's safety conditions
We care about meta theorems: if some input derivation exists, then an output derivation exists, e.g., the Safety Theorem
How to check meta theorems?
Choice 1: reflect metalogical reasoning in the framework
Choice 2: use a logic designed for metalogical reasoning, e.g. Twelf [Schürmann]
Programming in metalogics
We write logic programs relating derivations
Limited to ∀∃ reasoning; the authors plan a stronger system
Need to do induction on the structure of derivations
The system can check that these logic programs are total (user annotations required)
Safety policy: preliminaries
Formalize the operational semantics of the IA32 architecture
Formalize machine states: memory, register files, stack, instruction pointer
Formalize transitions from state to state
Remove transitions deemed unsafe
Example: transition for addition
addl $5,(%eax)
Load 4 bytes from (%eax), load the immediate operand 5, add them, store the result back in (%eax), update EFLAGS and advance EIP
This can go wrong, e.g. if eax points to protected memory
Solution: the formal load and store relations do not apply in such cases, so the formal machine has no transition there
Safety Policy
Define the initial state on loading program P
We never reach a state where the (formal) machine has no transition
Another way of stating it: the formal machine is never stuck
The halt state is treated specially
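A toy formal machine in the style of the two slides above, added here as an illustration and not the authors' formalization: the load and store relations are partial, so an access outside the accessible region leaves the machine with no transition, and a run reports whether it halted or got stuck. ACCESSIBLE, the instruction encoding and PROG are constructed for the example.

```python
# Added example (not the authors' Twelf formalization): a toy formal machine with
# partial load/store relations.  An unsafe access gives the machine no transition
# (stuck); EFLAGS is omitted; the halt state is treated specially, as on the slide.
from dataclasses import dataclass, replace
ACCESSIBLE = range(0x1000, 0x1010)  # constructed: the only accessible data addresses
@dataclass(frozen=True)
class State:
    regs: dict   # register file, e.g. {"eax": 0x1000}
    mem: dict    # byte-addressed memory; missing bytes read as 0
    eip: int     # instruction pointer (index into the program)
    halted: bool = False

def load4(mem, addr):
    """Formal load relation: defined only if all four bytes are accessible."""
    if not all(a in ACCESSIBLE for a in range(addr, addr + 4)):
        return None
    return int.from_bytes(bytes(mem.get(a, 0) for a in range(addr, addr + 4)), "little")

def store4(mem, addr, val):
    """Formal store relation: defined only if all four bytes are accessible."""
    if not all(a in ACCESSIBLE for a in range(addr, addr + 4)):
        return None
    word = (val & 0xFFFFFFFF).to_bytes(4, "little")
    return {**mem, **{addr + i: b for i, b in enumerate(word)}}

def step(s, prog):
    """One transition of the formal machine, or None when no transition applies."""
    if s.halted or s.eip not in prog:
        return None
    op, *args = prog[s.eip]
    if op == "halt":                       # halt state: stops, but is not stuck
        return replace(s, halted=True)
    if op == "addl":                       # addl $imm,(%reg)
        imm, reg = args
        old = load4(s.mem, s.regs[reg])
        mem2 = None if old is None else store4(s.mem, s.regs[reg], old + imm)
        return None if mem2 is None else replace(s, mem=mem2, eip=s.eip + 1)
    return None                            # unknown instruction: no transition

def run(s, prog, fuel=100):  # returns 'halted', 'stuck', or 'fuel' if bound is hit
    for _ in range(fuel):
        if s.halted:
            return "halted"
        nxt = step(s, prog)
        if nxt is None:
            return "stuck"
        s = nxt
    return "fuel"
PROG = {0: ("addl", 5, "eax"), 1: ("halt",)}  # constructed: addl $5,(%eax); halt
```

The same program halts when eax points into the accessible region and is stuck when it points at protected memory or when the 4-byte word straddles the region's end.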
Why is this safe?
If the real machine's transitions follow the formal machine's transitions, the real machine is performing safe operations
To perform an unsafe operation, the real machine would have to take a transition that is not in the formal machine
This does not happen in a safe machine
Example Safety Proof
A particular safety proof: our safety proof is for TALT [Crary]
TALT is a type system for an assembly language, fairly low-level but still abstract
Our foundational safety proof is syntactic [Hamid et al.]
Safety
Our conditions will isolate a set of safe states
Safe states cannot transition to stuck states
[Diagram: Safe State M1 → State M2]
Key Lemmas
Progress: [Diagram: Safe State M1 → State M2, i.e. a transition out of a safe state exists]
Preservation: [Diagram: Safe State M1 → State M2, and State M2 is Safe]
Putting it together – Safety Theorem
Transitions from a safe state cannot go to a stuck state
[Diagram: Safe State M1 → State M2, with State M2 also Safe]
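The Safety Theorem as it follows from the two key lemmas, written out as an added Lean 4 proof (not the authors' Twelf development): Step, Halted and Safe are assumed abstract predicates standing in for the formal machine's transition relation, its specially treated halt state, and the set of safe states; Reaches is the iterated transition relation.

```lean
-- Added example (not the authors' Twelf code): the Safety Theorem from Progress and
-- Preservation.  Step, Halted and Safe are assumed abstract predicates standing in
-- for the formal machine's transition relation, its halt state, and the safe states.
variable {State : Type}

/-- Stuck: not the (specially treated) halt state, and no transition applies. -/
abbrev Stuck (Step : State → State → Prop) (Halted : State → Prop) (M : State) : Prop :=
  ¬ Halted M ∧ ∀ M', ¬ Step M M'

/-- `Reaches Step M0 M`: the machine gets from M0 to M in zero or more steps. -/
inductive Reaches (Step : State → State → Prop) : State → State → Prop
  | refl (M : State) : Reaches Step M M
  | step {M1 M2 M3 : State} : Step M1 M2 → Reaches Step M2 M3 → Reaches Step M1 M3

/-- Preservation, iterated: every state reachable from a safe state is safe. -/
theorem reach_safe (Step : State → State → Prop) (Safe : State → Prop)
    (preservation : ∀ M M', Safe M → Step M M' → Safe M') :
    ∀ M0 M, Reaches Step M0 M → Safe M0 → Safe M := by
  intro M0 M hr
  induction hr with
  | refl _ => exact id
  | step s _ ih => exact fun h0 => ih (preservation _ _ h0 s)

/-- Safety Theorem: starting from a safe initial state, the machine is never stuck. -/
theorem safety (Step : State → State → Prop) (Halted : State → Prop) (Safe : State → Prop)
    -- Progress: a safe state is the halt state or can take a transition.
    (progress : ∀ M, Safe M → Halted M ∨ ∃ M', Step M M')
    -- Preservation: a transition out of a safe state lands in a safe state.
    (preservation : ∀ M M', Safe M → Step M M' → Safe M')
    (M0 M : State) (h0 : Safe M0) (hr : Reaches Step M0 M) :
    ¬ Stuck Step Halted M := by
  intro hstuck
  have hsafe : Safe M := reach_safe Step Safe preservation M0 M hr h0
  cases progress M hsafe with
  | inl h => exact hstuck.1 h
  | inr h => exact h.elim (fun M' hs => hstuck.2 M' hs)
```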
Idea of proof: safe machine
Three parts of the proof: Abstract Type Safety (previous work), Simulation, Determinism
[Diagram: Safe State M implements Typed abstract M']
TALT safety proof [Crary]
This has two top-level lemmas:
Progress: a well-typed abstract machine makes a transition
Preservation: if a well-typed abstract machine makes a transition, the resulting (abstract) machine is well typed
Concrete Machine Lemmas
Simulation: [Diagram: Abstract M1 → Abstract M2, with Concrete M1' implementing M1 and Concrete M2' implementing M2]
Determinism: [Diagram: Concrete M1 → Concrete M2 and Concrete M1 → Concrete M2']
Progress
[Diagram: Safe State M1 implements Abstract, typed M1'; progress gives Abstract M1' → Abstract M2'; some State M2 implements M2'; hence Safe State M1 → State M2]
Preservation
[Diagram: Safe State M1 → State M2; M1 implements Typed abstract M1', which by progress steps to Typed Abstract M2'; M2+ implements M2' and is Safe; the diagram concludes that State M2 is Safe]
Implementation Statistics
Safety Policy: 2,081 lines of code
Safety Proof: 44,827 lines of code
Time to check: 75 sec
Number of lemmas: 1,466
Man years: 1 and 1/2
Related work
Foundational PCC [Appel et al.]
FTAL [Hamid et al.]
Temporal Logic PCC [Bernard and Lee]
Future Work
Develop a compiler from Standard ML to TALT
Expand the target language to include many more IA32 instructions
Specify and prove other properties, e.g. running time bounds
Indeterminism
The data may be indeterminate, due to e.g. input
Safety demands that every instance be safe
We have an oracle that the semantics consults to determine what to do
The oracle is quantified over in the safety theorem