Diaframe: automated verification of fine-grained concurrent programs in Iris

Mulder, Ike; Krebbers, Robbert; Geuvers, Herman

doi:10.1145/3519939.3523432

Cited by 22 publications

(7 citation statements)

References 86 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bauereiss et al mention that proving stronger properties, such as capability safety, requires proof techniques that do not scale up to full-scale industry architectures. Part of the reason is that current automation techniques for separation logics in a foundational setting [11,13,15,34,39,45] are still insufficient. This is the issue that we are addressing with our proposed universal contract methodology and Katamaran to semi-automatically verify universal contracts.…”

Section: Related Workmentioning

confidence: 99%

“…The conventional way to reason about separation logic in proof assistants is to use a shallow embedding of propositions and provide meta-programming facilities, like tactics or plugins, which can be used to implement proof steps that interactive forward symbolic execution [11] of program fragments at the meta-level [13,15,34,39,45]. In the background a proof term is constructed which has to be checked by the system for each run.…”

Section: Dam Et Al and Khakpour Et Al Use A Basicmentioning

confidence: 99%

“…Additionally, taking inspiration from related work [46], Katamaran doubles as a verification tool for the ISA's assembly language, essentially by treating a contract for an assembly program 𝑃 as a contract for the ISA semantics under the assumption that it is executing program 𝑃, following related work [46]. Compared to other foundational verifiers like Diaframe [39], Lithium [45], MoSeL [34] or Bedrock [15], Katamaran is in a sense a verified verification tool rather than a verifying one, meaning that it is implemented in Gallina and does not rely on Coq and meta-programming tactics to manage and manipulate intermediate assumptions and VCs. This approach has benefits for performance and allows extracting the verifier from Gallina to OCaml.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Huyghebaert,

Keuchel,

De Roover

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Progress has recently been made on specifying instruction set architectures (ISAs) in executable formalisms rather than through prose. However, to date, those formal specifications are limited to the functional aspects of the ISA and do not cover its security guarantees. We present a novel, general method for formally specifying an ISA's security guarantees to (1) balance the needs of ISA implementations (hardware) and clients (software), ( 2) can be semiautomatically verified to hold for the ISA operational semantics, producing a high-assurance mechanically-verifiable proof, and (3) support informal and formal reasoning about security-critical software in the presence of adversarial code. Our method leverages universal contracts: software contracts that express bounds on the authority of arbitrary untrusted code. Universal contracts can be kept agnostic of software abstractions, and strike the right balance between requiring sufficient detail for reasoning about software and preserving implementation freedom of ISA designers and CPU implementers. We semi-automatically verify universal contracts against Sail implementations of ISA semantics using our Katamaran tool; a semi-automatic separation logic verifier for Sail which produces machine-checked proofs for successfully verified contracts. We demonstrate the generality of our method by applying it to two ISAs that offer very different security primitives:(1) MinimalCaps: a custom-built capability machine ISA and (2) a (somewhat simplified) version of RISC-V with PMP. We verify a femtokernel using the security guarantee we have formalized for RISC-V with PMP.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Dam Et Al and Khakpour Et Al Use A Basicmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Huyghebaert,

Keuchel,

De Roover

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Other promising tools automating program logics include Starling [67], Caper [20], Voila [68], and Diaframe [50]. However, these are closer to proof-outline checkers when compared to our tool.…”

Section: Related Workmentioning

confidence: 99%

“…50. If we have r ∈ P and safe P,I (st; st * , r, p) and safe P,I (skip, r, p), then safe +1 P,I (st * , r, p).…”

mentioning

confidence: 99%

A Concurrent Program Logic with a Future and History

Meyer,

Wies,

Wolff

2022

Preprint

View full text Add to dashboard Cite

Verifying fine-grained optimistic concurrent programs remains an open problem. Modern program logics provide abstraction mechanisms and compositional reasoning principles to deal with the inherent complexity. However, their use is mostly confined to pencil-and-paper or mechanized proofs. We devise a new separation logic geared towards the lacking automation. While local reasoning is known to be crucial for automation, we are the first to show how to retain this locality for (i) reasoning about inductive properties without the need for ghost code, and (ii) reasoning about computation histories in hindsight. We implemented our new logic in a tool and used it to automatically verify challenging concurrent search structures that require inductive properties and hindsight reasoning, such as the Harris set. 1 struct N = { val key: K; var next: N } 2 3 val tail = new N { key = ∞; next = tail } 4 val head = new N { key = −∞; next = tail } 5 6 procedure traverse( : K, : N, ln: N, : N): (N * N * N) { 7 val tn = .next 8 val tmark = is_marked(tn) 9 if (tmark) return traverse( , , ln, tn) 10 else if ( .key < ) return traverse( , , tn, tn) 11 else return ( , ln, ) 12 } 13 procedure find( : K): N * N { 14 val hn = head.next 15 val , ln, := traverse( , head, hn, hn) 16 if ((ln == || CAS( .next, ln, )) 17 && !is_marked( .next)) return ( , ) 18 else return find( ) 19 } 20 21 procedure search( : K) : Bool { 22 val _, = find( ) 23 return .key == 24 } −∞ 3 4 6 7 1 5 9 ∞ head ln 1 * next ( ) = ln * mark(ln) .next := * next ( ) = and the right update chunk is described by 2 * next ( ) = * mark( ) * next ( ) = tn .next := tn * next ( ) = tn .1 is derived inductively during the traversal of the marked segment from to using the same process that we are about to describe for deriving . The future 2 can be easily proved in isolation. In particular the precondition mark( ) implies C( ) = . Hence, the keyset invariant C( ) ⊆ KS( )

show abstract

Concise outlines for a complex logic: a proof outline checker for TaDA

Wolf,

Schwerhoff,

Müller

2022

Form Methods Syst Des

View full text Add to dashboard Cite

Modern separation logics allow one to prove rich properties of intricate code, e.g., functional correctness and linearizability of non-blocking concurrent code. However, this expressiveness leads to a complexity that makes these logics difficult to apply. Manual proofs or proofs in interactive theorem provers consist of a large number of steps, often with subtle side conditions. On the other hand, automation with dedicated verifiers typically requires sophisticated proof search algorithms that are specific to the given program logic, resulting in limited tool support that makes it difficult to experiment with program logics, e.g., when learning, improving, or comparing them. Proof outline checkers fill this gap. Their input is a program annotated with the most essential proof steps, just like the proof outlines typically presented in papers. The tool then checks automatically that this outline represents a valid proof in the program logic. In this paper, we systematically develop a proof outline checker for the TaDA logic, which reduces the checking to a simpler verification problem, for which automated tools exist. Our approach leads to proof outline checkers that provide substantially more automation than interactive provers, but are much simpler to develop than custom automatic verifiers.

show abstract

Diaframe: automated verification of fine-grained concurrent programs in Iris

Cited by 22 publications

References 86 publications

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

A Concurrent Program Logic with a Future and History

Concise outlines for a complex logic: a proof outline checker for TaDA

Contact Info

Product

Resources

About