A Framework for the Automatic Formal Verification of Refinement from Cogent to C

Rizkallah, Christine; Lim, Japheth; Nagashima, Yutaka; Sewell, Thomas; Chen, Zilin; O’Connor, Liam; Murray, Toby; Keller, Gabriele; Klein, Gerwin

doi:10.1007/978-3-319-43144-4_20

Cited by 16 publications

(22 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Any properties expressed as specifications will still hold. This aspect is similar to other recent systems like Cogent [68,2] (which also targets C), but it is important to look at the differences, too. Cogent in particular is a stand-alone DSL where "interesting" program properties can be encoded in the type system, e.g.…”

Section: Discussionsupporting

confidence: 75%

“…Notable successes include the seL4 and Verve verified OS kernels [46,93], the Windows device drivers project [10], and the CompCert verified C compiler [53]. A recent example of translation validation is Cogent [68,2], a DSL for verified systems programming that generates C. The correctness of verification tools is also an important concern [22]. Nonetheless, there are clear signs that formal verification is on the verge of becoming practical for larger classes of software (e.g [57]).…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

LMS-Verify: abstraction without regret for verified systems programming

Amin

Rompf

2017

SIGPLAN Not.

View full text Add to dashboard Cite

Performance critical software is almost always developed in C, as programmers do not trust high-level languages to deliver the same reliable performance. This is bad because low-level code in unsafe languages attracts security vulnerabilities and because development is far less productive, with PL advances mostly lost on programmers operating under tight performance constraints. Highlevel languages provide memory safety out of the box, but they are deemed too slow and unpredictable for serious system software. Recent years have seen a surge in staging and generative programming: the key idea is to use high-level languages and their abstraction power as glorified macro systems to compose code fragments in first-order, potentially domain-specific, intermediate languages, from which fast C can be emitted. But what about security? Since the end result is still C code, the safety guarantees of the high-level host language are lost. In this paper, we extend this generative approach to emit ACSL specifications along with C code. We demonstrate that staging achieves "abstraction without regret" for verification: we show how high-level programming models, in particular higher-order composable contracts from dynamic languages, can be used at generation time to compose and generate first-order specifications that can be statically checked by existing tools. We also show how type classes can automatically attach invariants to data types, reducing the need for repetitive manual annotations. We evaluate our system on several case studies that varyingly exercise verification of memory safety, overflow safety, and functional correctness. We feature an HTTP parser that is (1) fast (2) high-level: implemented using staged parser combinators (3) secure: with verified memory safety. This result is significant, as input parsing is a key attack vector, and vulnerabilities related to HTTP parsing have been documented in all widely-used web servers.

show abstract

Section: Discussionsupporting

confidence: 75%

Section: Related Workmentioning

confidence: 99%

LMS-Verify: abstraction without regret for verified systems programming

Amin

Rompf

2017

SIGPLAN Not.

View full text Add to dashboard Cite

show abstract

“…The CakeML and Cogent projects have a different focus than ours, and they provide a higher assurance in their verified code. CakeML (Kumar et al, 2014) has a verified compiler and Cogent has a certifying compiler (O'Connor et al, 2016;Rizkallah et al, 2016). Both tools provide mechanically checked proofs that their shallow embeddings correspond to the functional code being verified.…”

Section: Translating Other Higher Order Functional Languagesmentioning

confidence: 99%

“…Cogent is a restricted higher order functional language (O'Connor et al, 2016) that was used to verify filesystems (Amani et al, 2016). Its compiler produces C code, a highlevel specification in Isabelle/HOL, and an Isabelle/HOL refinement proof linking the two (O'Connor et al, 2016;Rizkallah et al, 2016). Chen et al (2017) integrated propertybased testing into the Cogent framework.…”

Section: Translating Other Higher Order Functional Languagesmentioning

confidence: 99%

Ready,`Set`, Verify! Applying`hs-to-coq`to real-world Haskell code

Breitner¹,

Spector-Zabusky

et al. 2021

J. Funct. Prog.

Self Cite

View full text Add to dashboard Cite

Good tools can bring mechanical verification to programs written in mainstream functional languages. We use hs-to-coq to translate significant portions of Haskell’s containers library into Coq, and verify it against specifications that we derive from a variety of sources including type class laws, the library’s test suite, and interfaces from Coq’s standard library. Our work shows that it is feasible to verify mature, widely used, highly optimized, and unmodified Haskell code. We also learn more about the theory of weight-balanced trees, extend hs-to-coq to handle partiality, and – since we found no bugs – attest to the superb quality of well-tested functional code.

show abstract

“…We refer the interested reader to existing publications [59,60] for a detailed explanation how the Cogent compiler generates the automatic proofs of correspondence between the C code it emits and the pure, functional Isabelle/HOL shallow embedding of the Cogent source program also generated by the compiler.…”

Section: (C) Verification Effortmentioning

confidence: 99%

Provably trustworthy systems

Klein

Andronick

Keller

et al. 2017

Phil. Trans. R. Soc. A.

Self Cite

View full text Add to dashboard Cite

We present recent work on building and scaling trustworthy systems with formal, machine-checkable proof from the ground up, including the operating system kernel, at the level of binary machine code. We first give a brief overview of the seL4 microkernel verification and how it can be used to build verified systems. We then show two complementary techniques for scaling these methods to larger systems: proof engineering, to estimate verification effort; and code/proof co-generation, for scalable development of provably trustworthy applications.This article is part of the themed issue 'Verified trustworthy software systems'.

show abstract

A Framework for the Automatic Formal Verification of Refinement from Cogent to C

Cited by 16 publications

References 10 publications

LMS-Verify: abstraction without regret for verified systems programming

LMS-Verify: abstraction without regret for verified systems programming

Ready,`Set`, Verify! Applying`hs-to-coq`to real-world Haskell code

Provably trustworthy systems

Contact Info

Product

Resources

About

A Framework for the Automatic Formal Verification of Refinement from Cogent to C

Cited by 16 publications

References 10 publications

LMS-Verify: abstraction without regret for verified systems programming

LMS-Verify: abstraction without regret for verified systems programming

Ready,Set, Verify! Applyinghs-to-coqto real-world Haskell code

Provably trustworthy systems

Contact Info

Product

Resources

About

Ready,`Set`, Verify! Applying`hs-to-coq`to real-world Haskell code