’
•
•
10 Emerging Technologies 2011,
In: Technology Review, 2011(6), MIT Press
http://www.technologyreview.com/tr10/
Certifying a computing host?
Formal
proofs for
resilience,
extensibility,
security?
Need to reason about:
• human behaviors
• cosmic rays + natural disasters
• hardware failure
• software
VIEW #1: bug-free host
impossible. Treat it as a
biological system.
Certifying a computing host?
Formal
proofs for
resilience,
extensibility,
security?
HW & Env
Model
Need to reason about:
• human behaviors
• cosmic rays + natural disasters
• hardware failure
• software
VIEW #2: focus on
software since it is a
rigorous mathematical
entity!
Certified software
01011010101010101111100011001
11011011111110101010101010101
01010101111111110101010101011
11000110001010101010101011111
SOFTWARE
100011001001111001111111100111
111100011110001010101011111101
110011001110101010111111100011
110001110001110011
Formal
specs &
proofs for
resilience,
extensibility,
security?
HW & Env
Model
Find a mathematical proof showing that
if the HW/Env follows its model, the software will run according
to its specification
Certified OS kernel
01011010101010101111100011001110110111
11110101010101010101010101011111111101
Application & other
0101010101111000110001010101010101011
system SW
111100011001001111001111111100111111100
Legacy
Java/
NaCl
Legacy
01111000101010101111110111001100111010
X86
MSIL
App
OS + App
App
App
10101111111000111100
Protected
Executors
Native
Executor
Typesafe
Executor
SFI
Executor
Formal
specs &
proofs for
resilience,
extensibility,
security?
VMM
Executor
Certified Kernel
Resource
Managers
Scheduler
Device
Drivers
CPU
CPU
Scheduler
FS
Net
Driver
Driver
Driver
Driver
GPU
GPU
Disk
NIC
HW & Env
Model
Research tasks & key innovations:
• new OS kernel that can “crash-proof” the entire system & application SW
• new PLs for writing certified kernel plug-ins (new OCAP + DSPLs)
• new formal methods for automating proofs & specs (VeriML)
Certified “hypervisor” kernel
Rogue PC
WinCC
Other
&
rogue OS &
its kernel
Secure PC
w. IFC labels
WinCC
Other
Apps
Secure
PLC
&
Step 7
COTS OS
certified
firmware
Step 7
Protecting
against
Stuxnet
attacks!
firmware
Apps
Rogue
PLC
certified kernel
zero-day kernel vulnerabilities
small mechanized proof checker
& fake/stolen driver certificates
•
Problems w. existing platforms
•
Attacks: Zero-Day Kernel Vulnerabilities
(ZDKVs) & rogue driver certificates
•
leads to rogue kernels
•
•
New CRASH technologies
•
A small certified “hypervisor” kernel provides a
reliable ZDKV-free core to fall back on, even
under attacks
leads to rogue WinCC/Step7 apps
•
Information-Flow-Control to enforce security
leads to rogue PLC firmeware
•
Mechanized proof certificates are unforgeable
CertiKOS architecture
Applica'on*
Mgmt OS
(Linux 1)
Linux 2
Certified
App 2
App 1
Virtual
Device
Trap Handling
(Interrupt, Exception, Syscall)
V-PIC
Cer'KOS*
SVM*/*VMX*module*
IPC
Pass-Through
Devices
V-PCI
Scheduler
Hypercall
IOMMU/VT-d module
Process Management
Memory Management
Device*Drivers*
KBD*Driver*
Hardware*
Disk*Driver*
VGA*Driver*
SVM&VMX*Driver*
Timer*Driver*
IOMMU&VT-d Driver
IOCAPIC*Driver*
APIC*Driver*
Serial*Driver*
PCI*Driver*
Compositional specification & verification
high-level kernel spec
kinit.c
abs-layer-x spec
…………………………
kmody.c
CompCert
kmodx.c
kmody.s
kmody.c
CompCert
abs-layer-z spec
CompCert
kmodx.s
kmody.s
kmodz.c
abs-layer-2 spec
CompCert
…………………………
abs-layer-1 spec
kmod1.c
kmod2.c
kmod3.c
CompCert
CompCert
CompCert
kmod1.s
kmod2.s
kmod3.s
Raw Machine / HW Spec
Safety
(never
crash)
Correctness
Secure
(no info leak)
kmodz.s
abs-layer-k spec
Liveness
(resource usage)
kmodk.s
Compositonal specification & verification
current target: single-core CertiKOS
Decomposing CertiKOS
Providing address space
Initialization of paging mechanism
Physical Memory and Virtual
Memory Management
Decomposing CertiKOS (cont’d)
Thread and Process
Management
•
•
•
•
•
•
•
Predicate Logic
Predicate logic over integer expressions:
a language of logical assertions, for example
8x. x + 0 = x
Why discuss predicate logic?
It is an example of a simple language
It has simple denotational semantics
We will use it later in program specifications
Abstract Syntax
Describes the structure of a phrase
ignoring the details of its representation.
An abstract grammar for predicate logic over integer expressions:
intexp ::= 0 | 1 | . . .
| var
| intexp | intexp + intexp | intexp
intexp | . . .
assert ::= true | false
| intexp = intexp | intexp < intexp | intexp  intexp | . . .
| ¬assert | assert ^ assert | assert _ assert
| assert ) assert | assert , assert
| 8var . assert | 9var . assert
Resolving Notational Ambiguity
Using parentheses: (8x. ((((x) + (0)) + 0) = (x)))
Using precedence and parentheses: 8x. (x + 0) + 0 = x
arithmetic operators (⇤ / rem . . .) with the usual precedence
relational operators (= 6= <  . . .)
¬
^
_
)
,
The body of a quantified term extends to a delimiter.
Carriers and Constructors
Carriers:
sets of abstract phrases (e.g. intexp , assert )
Constructors: specify abstract grammar productions
intexp ::= 0
intexp ::= intexp + intexp
!
!
c0 2
{hi} ! intexp
c+ 2intexp ⇥ intexp ! intexp
Note: Independent of the concrete pattern of the production:
intexp ::= plus intexp intexp
!
c+ 2intexp ⇥ intexp ! intexp
Constructors must be injective and have disjoint ranges
Carriers must be either predefined or their elements must be
constructible in finitely many constructor applications
Inductive Structure of Carrier Sets
With these properties of constructors and carriers,
carriers can be defined inductively:
intexp (0)
intexp (j+1)
assert (0)
assert (j+1)
=
=
=
=
intexp =
assert =
{}
{c0hi, . . .} [ {c+(x0, x1) | x0, x1 2 intexp (j)} [ . . .
{}
{ctruehi, cfalsehi}
[{c=(x0, x1) | x0, x1 2 intexp (j)} [ . . .
[{c¬(x0) | x0 2 assert (j)} [ . . .
1
[
j=0
1
[
j=0
intexp (j)
assert (j)
Denotational Semantics of Predicate Logic
The meaning of a term e 2 intexp is [[e]]intexp
i.e. the function [[ ]]intexp maps intexp objects to their meanings.
What is the set of meanings?
The meaning [[5 + 37]]intexp of the term 5| +
{z 37} could be the integer 42.
(that is, c+(c5hi, c37hi))
However the term x + 5 contains the free variable x,
so the meaning of an intexp in general cannot be an integer. . .
Mathematical Background
Sets
Relations
Functions
Sequences
Products and Sums
Sets
membership
the empty set
natural numbers
inclusion
integers
finite subset
set comprehension
intersection
and
is a bound variable
union
or
difference
and not
powerset
integer range
and
Generalized Set Operations
def
def
def
def
def
def
meaningless
Examples:
Relations
A relation
is a set of primitive pairs
relates
.
and
is an identity relation
def
the identity on
the domain of
the range of
composition of
with
reflection of
dom
def
ran
def
def
def
and
Relations: Properties and Examples
dom
dom
ran
Functions
A relation
is a function if
and
If
is a function,
maps
and
If
and
are functions.
are functions, then
is a function:
is not necessarily a function:
consider
is an injection if both
and
are functions.
to
Notation for Functions
def
Typed abstraction:
Defined only when
is defined for all
(consider
)
dom
Placeholder:
, if ran
with a dash
dom .
standing for the bound variable
if
Variation of a function :
dom
dom
ran
ran
otherwise
Sequences
def
def
def
— the empty function
— the empty sequence
— an -tuple
— a (non-primitive) pair
dom
=
=
when
Products
Let
be an indexed family of sets (a function with sets in its range).
The Cartesian product of
def
dom
is
dom
and
dom
More Products
def
def
def
def
“ ”
def
times
Sets of Sequences
Let
def
def
def
(finite)
(finite)
(infinite)
Sums
Let ✓ be an indexed family of sets (a function with sets in its range).
The disjoint union (sum) of ✓ is
P
X
x2T
n
X
def
✓ = {hi, xi | i 2 dom ✓ and x 2 ✓ i}
def X
S =
def
S =
i=m
x 2 T. S
X
S
i2(m to n)
n ⇥ S = (0 to (n
P
n
def X
S 1 + . . . + Sn =
T ⇥S =
i=1
X
“Si”
S
x2T
1)) ⇥ S = S
. . + S}
| + .{z
n times
B + B = hB, Bi = {h0, truei, h0, falsei, h1, truei, h1, falsei}
= 2⇥B
Functions of Multiple Arguments
Use tuples instead of multiple arguments:
f (a0, . . . an 1)
! f ha0, . . . an 1i
Syntactic sugar:
hx0 2 S0, . . . , xn 1 2 Sn 1i. E
def
=
x 2 S0 ⇥ . . . ⇥ Sn 1. ( x0 2 S0. . . . xn 1 2 Sn 1. E)
(x 0) . . . (x(n 1))
Use Currying:
f (a0, . . . an 1)
! f a 0 . . . an 1
=(. . . (f a0) . . .) an
1
where f is a Curried function x0 2 S0. . . . xn 1 2 Sn 1. E.
Relations Between Sets
⇢ is a relation from S to T
!T
() ⇢ 2 S REL
() dom ⇢ ✓ S and ran ⇢ ✓ T .
def
Relation on S = relation from S to S.
!S
IS 2 S REL
! T ) ⇢† 2 T ! S
⇢ 2 S REL
REL
!T
For all S and T , {} 2 S REL
! {}
{} 2! S REL
!T
{} 2! {} REL
Total Relations
! T is a total relation from S to T
⇢ 2 S REL
!T
() ⇢ 2 S TREL
() 8x 2 S. 9y 2 T. x ⇢ y
() dom ⇢ = S
() IS ✓ ⇢† · ⇢
S ^^^^^^^^^^^^^^
wv
pq
T
ut
wv ut
ZZZZZZZ
eei24
ZZZZZZZ
eeieieieieirirr8
e
e
e
ZZZZZZZ
e
e
ZZZZZeZeZeeeeeee iiiiii rrrr
eeee ZiZiZiZiZiZiZZZZ rrr
e
e
e
e
rZZZZZZZ
eee
e
e
iii
e
e
ZZ,
e
e
rrr
r
iiii
i
r
i
i
r
kk5
i
k
r
i
r
ii
kk
i
r
k
i
k
r
i
k
rr
iiii
kkk
kkk
rrr
iiii
k
i
r
i
k
i
r
k
r
ii
kk
rrr kkkkkk
r
pq rs
r
k
r kkk
r
r
k
rr kkk
rkrkrkkk
r
k
r
ZZZ
k
rs
⇢
^^^^^^^^^^^^^^^^^
! T () T ◆ ran ⇢
⇢ 2 (dom ⇢) TREL
Functions Between Sets
f is a partial function from S to T
!T
() f 2 S PFUN
! T and f is a function.
() f 2 S REL
! T ) dom f ✓ S
“Partial”: f 2 S REL
! T is a (total) function from S to T
f 2 S PFUN
() f 2 S ! T
() dom f = S.
S ! T = TS =
Y
x2S
T
S ! T ! U = S ! (T ! U )
Surjections, Injections, Bijections
f is a surjection from S to T () ran f = T
f is a injection from S to T () f † 2 T
!S
PFUN
f is a bijection from S to T () f † 2 T ! S
() f is an isomorphism from S to T
S ^^^^^^^^^^^
wv
pq
T
ut
wv ut
XXXXX
h4
XXXXX
hhhh
h
h
XXXXX
h
XXXXXhhhhhh
hhh XXXXXXX
h
h
XXXXX
h h
X+3
hhhh
fffff
f
f
f
f
fffff
fffff
f
f
f
f
fffff
fffff
h4
rs
hhhh
hhpq
h
h
h
hhh
h
h
h
h
hhhh
ZZZ
hhhh
rs
^^^^^^^^^^^^^^
sur
S ^^^^^^^^^^
wv
pq
S ^^^^^^^^^^
T
ut
wv
rs
pq
ut
wv
WWWWW
iii4
WWWWW
iiii
WWWWW
i
i
i
WWWiWiWii
iiii WWWWWWWWW
i
i
i
WW+
ii
rs
^^^^^^^^^^^^^
in
pq
ZZZ
T
ut
wv
WWWWW
o7
WWWWW
ooo
WWWWW
o
o
WWWWW ooo
oWoWW
ooo WWWWWWW+
o
o
UUUUoooo
oo UUUUUU
UUUU
ooo
o
o
UUUU
oo
o
UUUU
o
oo
*
pq
rs
^^^^^^^^^^^^^
bi
ut
rs
ZZZ
Back to Predicate Logic
intexp ::= 0 | 1 | . . .
| var
| intexp | intexp + intexp | intexp
intexp | . . .
assert ::= true | false
| intexp = intexp | intexp < intexp | intexp  intexp | . . .
| ¬assert | assert ^ assert | assert _ assert
| assert ) assert | assert , assert
| 8var . assert | 9var . assert
Denotational Semantics of Predicate Logic
The meaning of term e 2 intexp is [[e]]intexp
i.e. the function [[ ]]intexp maps objects from intexp to their meanings.
What is the set of meanings?
The meaning [[5 + 37]]intexp of the term 5 + 37 could be the integer 42.
But the term x + 5 contains the free variable x. . .
Environments
. . . hence we need an environment (variable assignment, state)
def
2 ⌃ = var ! Z
to give meaning to free variables.
The meaning of a term is a function from the states to Z or B.
[[ ]]intexp
[[ ]]assert
if
2
2
intexp ! ⌃ ! Z
assert ! ⌃ ! B
= [x : 3, y : 4], then [[x+5]]intexp
=8
[[9z. x < z ^ z < y]]
= false
Direct Semantics Equations for Predicate Logic
v 2 var
e 2 intexp
[[0]]intexp
( really [[c0hi]]intexp
[[v]]intexp
[[e0+e1]]intexp
[[true]]assert
[[e0=e1]]assert
[[¬p]]assert
[[p0 ^ p1]]assert
[[8v. p]]assert
p 2 assert
= 0
= 0)
=
v
= [[e0]]intexp + [[e1]]intexp
= true
= [[e0]]intexp
= [[e1]]intexp
= ¬([[p]]assert )
= [[p0]]assert ^ [[p1]]assert
= 8n 2 Z. [[p]]assert [ |v : n]
Example: The Meaning of a Term
[[8x. x+0=x]]assert
= 8n 2 Z. [[x+0=x]]assert [ |x : n]
= 8n 2 Z. [[x+0]]intexp [ |x : n] = [[x]]intexp [ |x : n]
= 8n 2 Z. [[x]]intexp [ |x : n]+[[0]]intexp [ |x : n] = [[x]]intexp [ |x : n]
= 8n 2 Z. [ |x : n](x) + 0 = [ |x : n](x)
= 8n 2 Z. n + 0 = n
= true
Properties of the Semantic Equations
They are syntax-directed (homomorphic):
exactly one equation for each abstract grammar production
(constructor)
result expressed using functions (meanings)
of subterms only (arguments of constructor)
) they have exactly one solution h[[ ]]intexp , [[ ]]assert i
(proof by induction on the structure of terms).
They define compositional semantic functions
(depending only on the meaning of the subterms)
) “equivalent” subterms can be substituted
Validity of Assertions
p holds/is true in
()
satisfies p () [[p]]assert
p is valid
() 8 2 ⌃. p holds in
p is unsatisfiable
() 8 2 ⌃. [[p]]assert
= true
= false
() ¬p is valid
p is stronger than p0
() 8 2 ⌃. (p0 holds if p holds )
() (p ) p0) is valid
p and p0 are equivalent () p is stronger than p0
and p0 is stronger than p
Inference Rules
Class
` p (Axiom)
`p
(Axiom Schema)
` p0
. . . ` pn 1
(Rule)
`p
Examples
` x + 0 = x (xPlusZero)
` e1=e0 ) e0=e1
(SymmObjEq)
` p ` p ) p0
(ModusPonens)
0
`p
`p
(Generalization)
` 8v. p
Formal Proofs
A set of inference rules defines a logical theory `.
A formal proof (in a logical theory):
a sequence of instances of the inference rules, where
the premisses of each rule occur as conclusions earlier in the sequence.
1. ` x + 0 = x
(xPlusZero)
3. ` x = x + 0
(ModusPonens, 1, 2)
[p : x + 0 = x | p0 : x = x + 0]
2. ` x + 0 = x ) x = x + 0 (SymmObjEq)
[e0 : x | e1 : x + 0]
4. ` 8x. x = x + 0
(Generalization, 3)
[v : x | p : x = x + 0]
Tree Representation of Formal Proofs
(SymmObjEq)
`x+0=x `x+0=x)x=x+0
(MP)
`x=x+0
(Gen)
` 8x. x = x + 0
Soundness of a Logical Theory
An inference rule is sound if in every instance of the rule
the conclusion is valid if all the premisses are.
A logical theory ` is sound if all inference rules in it are sound.
If ` is sound and there is a formal proof of ` p, then p is valid.
Object vs Meta implication:
`p
` p ) 8v. p is not a sound rule, although
is.
` 8v. p
Completeness of a Logical Theory
A logical theory ` is complete if
for every valid p there is a formal proof of ` p.
A logical theory ` is axiomatizable if
there exists a finite set of inference rules
from which can be constructed formal proofs of all assertions in `.
No first-order theory of arithmetic is complete and axiomatizable.
Variable Binding
```````````` ________________________________________________
_________________
`````
owv
8xnpq
. 9y. rsx
<
ut
y
^
9pq
O x. rsx
>
^^^^^^^^^^^
x
⇥@
⇥⇥
⇥
⇥⇥
⇥⇥
8 _????
??
??
y
?
~~
~
~
~~
~~
9 gOOOOOOO
OOO
OOO
OOO
p7
ppp
p
p
pp
ppp
p
p
pp
^ _???
??
??
?
<_???
x
?
~~
~
~
~~
~~
??
??
?
y
x
?





9 _@@@@
@@
@@
>_???
x
~?
~~
~
~~
~~
??
??
?
y
ut
y
Variable Binding
```````````` ________________________________________________
_________________
`````
owv
8xnpq
. 9y. rsx
ut
y
<
9pq
O x. rsx
^
>
^^^^^^^^^^^
8 _????
??
??
w
p
y
?
~~
~
~
~~
~~
??
??
??
??
??
??
?? ab
??
?
9 gOOOOOOO
OOO
OOO
OOO
p7
ppp
p
p
pp
ppp
p
p
pp
<_???
??
??
?
y
^ _???
??
??
?
⇥⇥
⇥⇥
w
p
9 _@@@@
@@
@@
>_???
?
?? ab 
??

??
??
?
y
ut
y
Bound and Free Variables
In 8v. p, v is the binding occurrence (binder) and p is its scope.
If a non-binding occurrence of v is within the scope of a binder for v,
then it is a bound occurrence; otherwise it’s a free one.
F Vintexp (0) = {}
F V (v) = {v}
F V ( e) = F V (e)
F Vassert (true) = {}
F V (e0=e1) = F V (e0) [ F V (e1)
F V (¬p) = F V (p)
F V (e0 + e1) = F V (e0) [ F V (e1) F V (p0 ^ p1) = F V (p0) [ F V (p1)
F V (8v. p) = F V (p)
Example:
F V (9y. x < y ^ 9x. x > y) = {x}
{v}
Only Assignment of Free Variables Matters
Coincidence Theorem:
If v = 0v for all v 2 F V✓ (p), then [[p]]✓ = [[p]]✓ 0
(where p is a phrase of type ✓).
Proof: By structural induction.
Inductive hypothesis:
The statement of the theorem holds
for all
phrases of depth less than that of the phrase p0.
Base cases:
p0 = 0 ) [[0]]intexp
p0 = v ) [[v]]intexp
= 0 = [[0]]intexp 0
=
v = 0v = [[v]]intexp 0, since F V (v) = {v}.
Proof of Concidence Theorem, cont’d
Coincidence Theorem:
If v = 0v for all v 2 F V✓ (p), then [[p]]✓ = [[p]]✓ 0.
Inductive cases:
p0 = e0 + e1:
[[p0]]intexp
p0 = 8u. q:
Then by IH
by IH
[[ei]]intexp = [[ei]]intexp 0, i 2 {1, 2}.
= [[e0]]intexp + [[e1]]intexp
= [[e0]]intexp 0 + [[e1]]intexp 0 = [[p0]]intexp 0
v = 0v,
8v 2 F V (p0) = F V (q)
then [ |u : n]v = [ 0|u : n]v, 8v 2 F V (q), n 2 Z
{u}
[[q]]assert [ |u : n] = [[q]]assert [ 0|u : n] for all n 2 Z,
hence 8n 2 Z. [[q]]assert [ |u : n] = 8n 2 Z. [[q]]assert [ 0|u : n]
[[8u. q]]assert = [[8u. q]]assert 0.
Substitution
/ 2 intexp !
/ 2 assert !
= 0
0/
(-e)/
9
=
intexp >
;
assert >
= -(e/ )
(e0+e1)/
= (e0/ )+(e1/ )
...
Examples:
when
2 var ! intexp
v/
(p0 ^ p1)/
(8v. p)/
where v 0
2
/
=
v
= (p0/ ) ^ (p1/ )
= 8v 0. (p/[ |v : v 0]),
[
u2F V (p) {v}
(x < 0 ^ 9x. x  y)/[x : y+1] = y+1 < 0 ^ 9x. x  y
(x < 0 ^ 9x. x  y)/[y : x+1] = x < 0 ^ 9z. z  x+1
F V ( u)
Preserving Binding Structure
(x < 0 ^ 9x. x  y)/[ x : y+1]
:B
}}}}
}
}
}
}}}
}}}}
x
;C
~~~~
~
~
~~~~
~~~~
<[c >>>>
>>>>
>>>>
>>>>
⇥⇥
⇥⇥⇥⇥
⇥
⇥
⇥⇥
y+1 < 0 ^ 9x. x  y
!
^ [c ?????
???
????
??
=
:B
}}}}
}
}
}
}}}
}}}}
9 Zb >>>>>>
;C





>>>>
>>>>
>>
0 pw? ab ;C<Zb =====
????
???



===
====
====
<D
y
y
^ [c ?????
???
????
??
< \d AAAAA
AAAA
AAAA
AAA
+ [c @@@@@@
@@@@@
@@@@
@
1
⇤⇤⇤⇤
⇤⇤⇤⇤
0
w
p
9 [c @@@@@@
@@@@
@@@@
 ;C
?????? ab 

??

< [c @@@@@
@@@@
@@@@
@@@
y
1
Avoiding Variable Capture
(x < 0 ^ 9x. x  y)/[ y : x+1]
:B
}}}}
}
}
}}}}
}}}}
x
 ;C





< \d AAAAA
AAAA
AAAA
AAA
⇥⇥
⇥⇥⇥⇥
⇥⇥⇥⇥
0 pw
x < 0 ^ 9z. z  x+1
!
^ [c ?????
???
????
??
=
:B
}}}}
}
}
}}}}
}}}}
9 [c @@@@@@
@@@@
@@@@
C;
?????? ab 
??

x
<[c ????
????
????
??
y
 ;C





^ [c ?????
???
????
??
< \d AAAAA
AAAA
AAAA
AAA
⇤⇤⇤⇤
⇤⇤⇤⇤
0
w
p
9 [c @@@@@@
@@@@
@@@@
;C
?????? ab 
??

< \d AAAA
AAAAA
AAAA
A
x
} :B
}}}}}
}
}
}}}
}}}}}
+ [c >>>>>>
>>>>
>>>>
1
Substitution Theorems
Substitution Theorem:
If
= [[ ]]intexp 0 · on F V (p), then ([[ ]] )p = ([[ ]] 0 · ( / ))p.
Finite Substitution Theorem:
[[p/v0 ! e0, . . . vn 1 ! en 1]] = [[p]][ |v0 : [[e0]] , . . .].
where
def
p/v0 ! e0, . . . vn 1 ! en 1 = p/[cvar|v0 : e0| . . . |vn 1 : en 1].
Renaming:
If u 2
/ F V (q)
{v}, then [[8u. (q/v ! u)]]boolexp = [[8v. q]]boolexp .