How Trustworthy Can Systems Become? Vincent Rahli - PowerPoint PPT Presentation



  1. How Trustworthy Can Systems Become? Vincent Rahli http://www.nuprl.org http://www.cs.cornell.edu/~rahli/ January 28, 2015 Vincent Rahli How Trustworthy Can Systems Become? January 28, 2015 1/62

  2. My collaborators
  PRL group: Abhishek Anand, Mark Bickford, Robert L. Constable, Richard Eaton, Vincent Rahli
  ATC-NY: David Guaspari, Matt Stillerman
  System group: Robbert van Renesse, Nicolas Schiper

  3. Distributed systems are ubiquitous

  4. Distributed systems are ubiquitous

  5. Correctness. What evidence do we have that these systems are correct?

  6. Correctness. What evidence do we have that these systems are correct? Type checking. Testing.

  7. Correctness. What evidence do we have that these systems are correct? Type checking. Testing. Model checking.

  8. Correctness. What evidence do we have that these systems are correct? Type checking. Testing. Model checking. Theorem proving.

  9. Correctness: Specification, Program

  10. Correctness: Specification, Verification, Program

  11. Correctness — Constructive Type Theory: Specification, Proofs as programs, Verification, Program

  12. Correctness — Constructive Type Theory. What does it mean?

    Lemma comm : ∀ A B : Type, (A × B) → (B × A).
    Proof.
      refine (fun A B p ⇒ match p with | (a, b) ⇒ (b, a) end).
    Qed.

  Proofs are programs and vice-versa.
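The following is an added example, not taken from the slides or from the Nuprl project: it restates the slide's `comm` lemma in ASCII Coq syntax and adds a second version closed with `Defined` instead of `Qed`, so that the proof term stays transparent and can be run as a program and extracted to OCaml. It assumes a Coq version in which the extraction plugin is loaded with `Require Import Extraction` (8.7 or later); the name `comm_t` and the input `(1, true)` are constructed for the illustration.

```coq
(* Added example (not from the slides): the slide's `comm` lemma, plus a
   transparent variant that Coq can compute with and extract to OCaml. *)
Require Import Extraction.

(* The lemma as on slide 12, in ASCII notation. `Qed` seals the proof
   term as opaque: it type-checks, but `Eval compute` will not unfold it,
   so it serves as a proof rather than as an executable program. *)
Lemma comm : forall A B : Type, (A * B) -> (B * A).
Proof.
  refine (fun A B p => match p with (a, b) => (b, a) end).
Qed.

(* The same proof closed with `Defined`: the term is transparent and
   behaves as an ordinary function, which is the "proofs are programs"
   reading of the slide. The name `comm_t` is hypothetical. *)
Lemma comm_t : forall A B : Type, (A * B) -> (B * A).
Proof.
  intros A B [a b].
  exact (b, a).
Defined.

(* Run the proof as a program on a constructed input of type nat * bool. *)
Eval compute in (comm_t nat bool (1, true)).

(* Extract the proof to OCaml: the `Type` arguments are erased and what
   remains is a plain pair-swapping function. *)
Extraction comm_t.
```

The practical point for anyone auditing a verified artefact: a `Qed`-closed lemma is a certificate you can trust but not execute, while a `Defined` term is both the certificate and the code that gets extracted, so the two should be chosen deliberately rather than by habit.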

  13. Proof assistants. The technology is mature:
  ACL2: Motorola, AMD, IBM, Centaur, Rockwell Collins, ...
  Coq: Java Card, CompCert, Four Colour Theorem, Odd Order Theorem, ...
  HOL: hardware verification, CakeML, Kepler conjecture, ...
  Nuprl: Ensemble, Paxos, Higman's Lemma, ...
  PVS: flight control systems, ...
  Agda, Idris, Twelf, Matita, Mizar, ...

  14. Projects. What evidence do we have that these distributed systems are correct? What evidence do we have that our proofs are correct?

  15. Projects. What evidence do we have that these distributed systems are correct? A platform to develop and reason about distributed systems. What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.

  16. Distributed Systems. Distributed systems are hard to specify, implement and verify:
  We need to tolerate failures.
  It is hard to test all possible scenarios.
  Model checking suffers from state space explosion.
  Model checking is often done on abstractions of the code rather than on the code itself.

  17. Distributed Systems. We use Nuprl as a specification, programming and verification language.
  Programming interface: a constructive specification language called EventML.
  Verification methodology.

  18. Distributed Systems. A logic of events implemented in Nuprl. Specified, verified, and generated consensus protocols (e.g., Paxos) using EventML.
  Aneris: a totally ordered broadcast service.
  ShadowDB: a replicated database with 2 parametrizable replication protocols (PBR & SMR) built on top of Aneris.
  Improved performance without introducing bugs. We get decent performance.

  19. Distributed Systems — Big picture

  20. Distributed Systems — Message sequence diagram. See: Paxos Made Moderately Complex.

  21. Distributed Systems — Combinators

  22. Distributed Systems — Combinators

  23. Distributed Systems — EventML. EventML for Paxos Synod:

    ...
    agent Leader = SpawnFirstScout || ((LeaderPropose || LeaderAdopted) >>= Commander) || (LeaderPreempted >>= Scout) ;;
    main Leader@ldrs || Acceptor@accpts

  24. Distributed Systems — Verification. We use causal induction + inductive logical forms (ILFs) + state machine invariants.

  25. Distributed Systems — Verification. We use causal induction + inductive logical forms (ILFs) + state machine invariants.

  26. Distributed Systems — Code generation. Efficiency?
  January 2012: 2 seconds per transaction.
  Faster process combinators.
  June 2012: 500 milliseconds per transaction.
  Optimization/compilation to Lisp.
  End of 2012: 60 milliseconds per transaction (interpreted), 9 milliseconds per transaction (compiled).

  27. Distributed Systems — What next?

  28. Correctness. What evidence do we have that these distributed systems are correct? What evidence do we have that our proofs are correct?

  29. Correctness. What evidence do we have that these distributed systems are correct? A platform to develop and reason about distributed systems. What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.

  30. Nuprl in Coq — Our initial motivation. We build theorem provers to prove programs' correctness.

  31. Nuprl in Coq — Our initial motivation. We build theorem provers to prove programs' correctness ... but rarely use them to prove their own correctness.

  32. Nuprl in Coq — Our initial motivation. How do we know that our systems are sound? How do we safely extend them?
  Proofs mostly carried out on paper.
  Not carried out in full detail.
  Spread over several papers/PhD theses.
  Goal: a precise metatheory, a precise account of Nuprl.

  33. Nuprl in Coq — Our initial motivation.
  Agda & Coq: 2013/2014, a bug in the termination checker.
  Nuprl: invalid rules after modifying the theory.

  34. Nuprl in Coq — Our initial motivation.
  Agda & Coq: 2013/2014, a bug in the termination checker.
  Nuprl: invalid rules after modifying the theory.
  How can we be sure that these rules are valid? Nuprl's PER semantics (types are defined as partial equivalence relations on terms — extensional) in Coq and Agda.

  35. Nuprl in Coq — Mechanization and Experimentation!
  Mechanization: less error prone; easier to propagate changes; positive feedback loop; additive.
  Experimentation: adding new computations; adding new types; exploring type theory; changing the theory.

  36. Nuprl in Coq — What do we cover? Stuart Allen had his own meta-theory that was meant to be meaningful on its own and need not be framed within type theory. We chose to use Coq and Agda.

  37. Nuprl in Coq — Nuprl Stack

  38. Nuprl in Coq — Nuprl Environment
  Distributed: runs in the cloud.
  Structure editor.
  Tactic language: Classic ML.
  Shared library.

  39. Nuprl in Coq — Nuprl Types. Based on Martin-Löf's extensional type theory.
  Equality: a = b ∈ T
  Dependent function: a:A → B[a]
  Dependent product: a:A × B[a]
  Universe: U_i
