Fall 2019

COMS E6998 Formal Verification of System Software

General Information

Instructor: Ronghui Gu (ronghui.gu@columbia.edu)
Office: 515 CSB

Lectures: Mon, 4:10pm ~ 6:00pm
Location: 825 Mudd Building
Office hours: Thu (2:00pm ~ 3:00pm) and by appointment

This course is a graduate seminar on research in the verification of system software. The goal of the class is to get the students to build provably correct software. The structure of the class will consist of students presenting research papers during lecture, and students working on a significant research project. We expect students to start working on the project in the first week or two, and continue for the entire semester, culminating in a draft research paper. Examples of project include building a certified file system, simple OS kernel, hypervisor, database system, etc. We expect projects will build on tools such as Coq, and Z3. To get students up to speed with these tools, we will offer several tutorial lectures on Coq, using parts of the Software Foundations textbook.

This course is about …

• Techniques for improving reliability of computer systems
  • Applicable to both software and hardware
  • Focus on software
• Theories and practices about the verification of systems software
• How to use Coq and other tools like SMT solvers to realize these theories and practices

This course is not about …

• Programming languages and type systems
• Software engineering methodology
• Dynamic analysis
• Software testing

v.s. CSEE E6863 Formal Verification HW/SW Systems

• Mostly focus on hardware
• Focus more on automated techniques

Prerequisites

• General proficiency in discrete mathematics
• C/C++ programming skills
• Coq programming skills
• COMS W4115 Programming Languages and Translators

Textbook

• Software Foundations by Benjamin C. Pierce et al.
  • https://softwarefoundations.cis.upenn.edu/index.html

Coq Tutorial Lectures

The materials are borrowed from the Software Foundations textbook. If you are not familiar with Coq already, you should start by working on the following chapters ASAP. Make sure you actually do all of the exercises!

• Coq (Basics) (_CoqProject, Coq_Lecture1_Basics)
• Coq (Induction & List) (Coq_Lecture2_Induction_List)
• Coq (Tactics & Logic) (Coq_Lecture3_Tactics_Logic)
• Coq (Modeling a language & Program equivalence) (Coq_Lecture4_Program)
• Coq (Hoare Logic I) (Coq_Lecture5_Hoare)

Grades

• 30%: paper presentation & class participation
• 70%: final project
• No final & assignments

TENTATIVE Syllabus (Subject to change!)

09/09 Intro (Lecture Notes 0)
09/16 Program Logic I (for sequential program)
09/23 Certified File System
09/30 Push-button Verification
10/07 Verification of Information-flow Security
10/14 Certified OS Kernel I: Sequential CertiKOS
10/21 Verification of Security Monitor
10/28 Verification of Smart Contracts

11/04 Holiday (no class)
11/11 Program Logic II (for concurrent program)
11/18 Linearizability
11/25 Certified Concurrent File System
12/02 Certified OS Kernel II: Concurrent CertiKOS
12/09 Verification of Quantum Programs

Reading list ideas

Program Logic I (for sequential program)

• An Axiomatic Basis for Computer Programming, Hoare, CACM 1969.
• Separation Logic: A Logic for Shared Mutable Data Structures, Reynolds, LICS 2002.

Certified File System

• Using Crash Hoare Logic for Certifying the FSCQ File System, Chen et al, SOSP 2015.
• Verifying a high-performance crash-safe file system using a tree specification, Chen et al, SOSP 2017.

Push-button Verification

• Push-Button Verification of File Systems via Crash Refinement, Sigurbjarnarson et al, OSDI 2016.
• Hyperkernel: Push-Button Verification of an OS Kernel, Nelson et al, SOSP 2017.

Verification of Information-flow Security

• Language-Based Information-Flow Security, Sabelfeld et al, JSAC 2003.
• Nickel: A Framework for Design and Verification of Information Flow Control Systems, Sigurbjarnarson et al, OSDI 2018.

Verification of Smart Contracts

• Securify: Practical Security Analysis of Smart Contracts, Tsankov et al, CCS 2018.
• VerX: Safety Verification of Smart Contracts, Permenev et al, S&P 2020.

Verification of Software Stack

• Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System, Yang et al, PLDI 2011.
• Ironclad Apps: End-to-End Security via Automated Full-System Verification, Hawblitzel et al, OSDI 2014.

Verification of Distributed System

• Verdi: A Framework for Implementing and Formally Verifying Distributed Systems, Wilcox et al, PLDI 2015.
• IronFleet: Proving Practical Distributed Systems Correct, Hawblitzel et al, SOSP 2015.

Verification of OS Kernel: seL4

• Comprehensive Formal Verification of an OS Microkernel, Klein et al, TOCS 2014.

Certified Compiler

• Formal Verification of a Realistic Compiler, Leroy, CACM 2009.
• The CompCert Memory Model, Version 2, Leroy et al.

Certified OS Kernel I: Sequential CertiKOS

• Deep Specifications and Certified Abstraction Layers, Gu et al, POPL 2015.
• End-to-End Verification of Information-Flow Security for C and Assembly Programs, Constanzo et al, PLDI 2016.

Verification of Security Monitor

• Komodo: Using verification to disentangle secure-enclave hardware from software, Ferraiuolo et al, SOSP 2017.
• Scaling symbolic evaluation for automated verification of systems code with Serval, Nelson et al, SOSP 2019.

Program Logic II (for concurrent program)

• Resources, Concurrency and Local Reasoning, O’Hearn, Theoretical Computer Science, 2007.
• Tentative Steps Toward a Development Method for Interfering Programs, Jones, TOPLAS 1983.
• Local Rely-Guarantee Reasoning, Feng, POPL 2009.

Linearizability

• Linearizability: A Correctness Condition for Concurrent Objects, Herlihy et al, TOPLAS 1990.
• Modular Verification of Linearizability with Non-Fixed Linearization Points, Liang et al, PLDI 2013.

Certified Concurrent File System

• Verifying Concurrent Crash-safe Systems with Perennial, Chajed et al, SOSP 2019.
• Using Concurrent Relational Logic with Helper for Verifying the AtomFS File System, Zou et al, SOSP 2019

Certified OS Kernel II: Concurrent CertiKOS

• CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels, Gu et al, OSDI 2016.
• Certified Concurrent Abstraction Layers, Gu et al, PLDI 2018.

Verification of Quantum Programs

• Floyd–Hoare Logic for Quantum Programs, Ying, TOPLAS 2012.
• TBD