push button verification of file systems
play

Push-Button Verification of File Systems via Crash Refinement Helgi - PowerPoint PPT Presentation

Apr 28, 2023 •361 likes •799 views

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James Bornholt, Emina Torlak, Xi Wang University of Washington 1 / 24 File systems are hard to get right Complex hierarchical on-disk data structures

  1. Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James Bornholt, Emina Torlak, Xi Wang University of Washington 1 / 24

  2. File systems are hard to get right Complex hierarchical on-disk data structures Maintain consistency in the face of crashes 2 / 24

  3. Example: Missing flush in ext4 Bugs are hard to reproduce Hard to test fixes It’s unlikely this will be necessary [..] but we need this in order to guarantee correctness. File System Developers 3 / 24

  4. Verification: Effective at eliminating bugs, but costly Prove the absence of bugs ◮ BilbyFS [ASPLOS 2016] ◮ FSCQ [SOSP 2015] Requires expertise and are labor intensive impl 2 , 000 20 , 000 proof 4 / 24

  5. Goal: Push-button verification No manual annotation / proof of implementation Get a concrete test case for any bug Our approach: System design to leverage a state-of-the-art automated theorem prover, Z3. 5 / 24

  6. Push-button verification: Challenges Need a formalization of correctness ◮ Needs to capture crash & recovery ◮ Needs to be automatically verifiable Too many states to exhaust ◮ Disks are large ◮ Many execution paths ◮ Non-determinism Prior work focused on bug finding ◮ eXplode [OSDI ’06], EXE [CCS ’06] ◮ Useful, but incomplete 6 / 24

  7. Contributions and outlines Yggdrasil [’yg:,drasil:] : A toolkit for building verified file systems Crash refinement ◮ A new definition of file-system correctness ◮ Enable modularity to scale verification Case study: The Yxv6 file system ◮ Similar to ext3 and xv6, but guarantees functional correctness and crash safety 7 / 24

  8. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants pass fail verifier compiler visualizer C code for counterexample file system 8 / 24

  9. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants pass fail verifier compiler visualizer C code for counterexample file system 8 / 24

  10. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants class TxnDisk(BaseSpec): pass fail def begin_tx(self): verifier self._txn = [] def write_tx(self, bid, data): compiler visualizer self._cache = self._cache.update(bid, data) self._txn.append((bid, data)) C code for counterexample def commit_tx(self): file system with self._mach.transaction(): for bid, data in self._txn: self._disk = self._disk.update(bid, data) 8 / 24

  11. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants pass fail verifier compiler visualizer C code for counterexample file system 8 / 24

  12. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants pass fail verifier compiler visualizer C code for counterexample file system 8 / 24

  13. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants pass fail verifier compiler visualizer C code for counterexample file system 8 / 24

  14. Yggdrasil Overview (Green – trusted components) consistency specification implementation invariants pass fail verifier compiler visualizer C code for counterexample file system 8 / 24

  15. Summary of the Yggdrasil toolkit Easy to use, no complex logic required Useful test-cases for bugs Limitations ◮ No concurrency ◮ Unverified Python to C compiler and FUSE 9 / 24

  16. Straw-man approach to verify FS Model FS as a state machine with a set of operations { mknod , rename , etc.}. spec S0 S1 impl I0 I1 I2 I3 Limitation: Doesn’t capture crashes 10 / 24

  17. Crash refinement: Intuition spec S0 S1 I4 I5 impl I0 I1 I2 I3 Formalize this intuition Capture crashes explicitly with a crash schedule 1 Use the crash schedule to define correctness 2 11 / 24

  18. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings 12 / 24

  19. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state write ( a 1 , v 1 ) write ( a 2 , v 2 ) 12 / 24

  20. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state ⇒ write ( a 1 , v 1 ) write ( a 2 , v 2 ) 12 / 24

  21. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state ⇒ write ( a 1 , v 1 ) { b 1 } write ( a 2 , v 2 ) 12 / 24

  22. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state ⇒ write ( a 1 , v 1 ) { b 1 } d [ a 1 �→ if b 1 then v 1 else old ( a 1 )] write ( a 2 , v 2 ) 12 / 24

  23. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state write ( a 1 , v 1 ) { b 1 } d [ a 1 �→ if b 1 then v 1 else old ( a 1 )] ⇒ write ( a 2 , v 2 ) 12 / 24

  24. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state write ( a 1 , v 1 ) { b 1 } d [ a 1 �→ if b 1 then v 1 else old ( a 1 )] ⇒ write ( a 2 , v 2 ) { b 1 , b 2 } 12 / 24

  25. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state write ( a 1 , v 1 ) { b 1 } d [ a 1 �→ if b 1 then v 1 else old ( a 1 )] � a 1 �→ if b 1 then v 1 else old ( a 1 ) � ⇒ write ( a 2 , v 2 ) { b 1 , b 2 } d a 2 �→ if b 2 then v 2 else old ( a 2 ) 12 / 24

  26. Crash refinement 1 / 2 : Crash schedule Explicit crash-schedule ◮ A set of boolean variables ◮ Captures crashes and disk reorderings Operation Schedule Disk state write ( a 1 , v 1 ) { b 1 } d [ a 1 �→ if b 1 then v 1 else old ( a 1 )] � a 1 �→ if b 1 then v 1 else old ( a 1 ) � write ( a 2 , v 2 ) { b 1 , b 2 } d a 2 �→ if b 2 then v 2 else old ( a 2 ) Note: this program can produce 4 possible states 12 / 24

  27. Crash refinement 2 / 2 : Definition 1 Augment each op in FS with an explicit crash schedule : op ( disk , inp , sched ) → disk 2 For each op ∈ FS , prove: ∀ disk , inp , sched impl . ∃ sched spec . op spec ( disk , inp , sched spec ) = op impl ( disk , inp , sched impl ) Z3 is good at solving this particular form 13 / 24

  28. Crash refinement 2 / 2 : Definition 1 Augment each op in FS with an explicit crash schedule : op ( disk , inp , sched ) → disk implementation states 2 For each op ∈ FS , prove: ∀ disk , inp , sched impl . ∃ sched spec . op spec ( disk , inp , sched spec ) = op impl ( disk , inp , sched impl ) Z3 is good at solving this particular form 13 / 24

  29. Crash refinement 2 / 2 : Definition 1 Augment each op in FS with an explicit crash schedule : op ( disk , inp , sched ) → disk specification states 2 For each op ∈ FS , prove: ∀ disk , inp , sched impl . ∃ sched spec . op spec ( disk , inp , sched spec ) = op impl ( disk , inp , sched impl ) Z3 is good at solving this particular form 13 / 24

  30. Crash refinement summary Amenable to automatic verification using Z3 Enables modular, scalable verification Example: Decouple logical / physical data layout ◮ Verify a simple layout first (ex. one inode per block) ◮ Prove a separate crash-refinement for efficient layout Example: Stacking of layered abstractions 14 / 24

  31. Verifying multiple layers: Straw-man approach regular files, symbolic links, and directories xv6 files xv6 inodes write-ahead logging disk specification implementation 15 / 24

  32. Verifying multiple layers: Straw-man approach regular files, symbolic links, and directories xv6 files xv6 inodes write-ahead logging disk specification implementation 15 / 24

  33. Yxv6 file system: Stack of layered abstractions regular files, symbolic links, and directories Crash refinement Each layer has a Yxv6 files specification inodes Crash refinement Each layer builds Yxv6 inodes upon a lower layer transactional disk specification Crash refinement write-ahead logging Limit verification to a disk single layer at a time specification implementation 16 / 24

  34. Implementation using Python and Z3 Two Yxv6 variants ◮ Yxv6+sync: similar to xv6, FSCQ and ext4+sync ◮ Yxv6+group_commit: an optimized Yxv6+sync component specification implementation consistency inv Yxv6 250 1,500 5 infrastructure – 1,500 – FUSE stub – 250 – Also built: YminLFS, Ycp and Ylog No manual proofs! 17 / 24

  35. Yxv6 evaluation 1 How long does it take to verify? 2 Is the implementation actually correct? 3 What is the development effort for Yxv6? 4 Is the performance of Yxv6 reasonable? 18 / 24

  36. Yxv6 evaluation 1 / 4 : Verification time Let’s see how many days it takes to verify Yxv6+sync 19 / 24

Recommend

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan Johnson, Helgi Sigurbjarnarson, Emina Torlak, Xi Wang, Kaiyuan Zhang OSes are everywhere OSes (& bugs) are everywhere Goals Develop

289 views • 15 slides
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential for application correctness and

871 views • 57 slides
Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al

Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al

Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al Zimmerschied NMRA 2015 National Convention Portland Oregon August 23-29, 2015 1 Forced to move, the Boeing Employees Model Railroad Club (BEMRRC)

656 views • 43 slides
push button, send product - Configuration, Version, and Release Management Sommerville,

push button, send product - Configuration, Version, and Release Management Sommerville,

push button, send product - Configuration, Version, and Release Management Sommerville, Chapter 29 Instructor: Peter Baumann email: p.baumann@jacobs-university.de tel: -3178 "Good, Fast, Cheap: office: room 88, Research 1

363 views • 20 slides
Push Button A or is it B? Alarming design Real consequences for real people If you are

Push Button A or is it B? Alarming design Real consequences for real people If you are

Push Button A or is it B? Alarming design Real consequences for real people If you are delivering a system or product, you should set up a register of hazards containing information about each hazard. 16.2.2 a Can we find some hazards?

769 views • 66 slides
Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Towards Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal Fontaine Stephan Schulz Uwe Waldmann Vision: Take the Hard Labor out of Vision: Interactive Verification Push button automation for

263 views • 14 slides
Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More

Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More

Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More Choice = Good Thing A Complement to Public Transit UBER + PSTA Pinellas Suncoast Transit Authority pays half the cost of any trip (up to $6) to or

354 views • 7 slides
Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage,

Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage,

Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage, February 21, 2012 - Public - Dynamic Services for Infrastructure, Version 2.0 July, 2011 1 The cloud is out there. But what's inside?

516 views • 22 slides
Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction

Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction

Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction Levels Product Offering Sprinter 50 (Standard / US) Sprinter 150 Art. No. 762628 / 764686 Art. No. 762629 Sprinter 50, 2.0 mm,

249 views • 11 slides
Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system implementation n Example file systems Chapter 6 CS 1550, cs.pitt.edu 2 (originaly modified by Ethan Long-term information storage n Must store large amounts

1.01k views • 66 slides
Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system implementation Example file systems Chapter 6 CMPS 111, UC Santa Cruz 2 Long-term information storage Must store large amounts of data

829 views • 57 slides
SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What

SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What

SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What is SoCGen? - System on Chip (SoC) design automation tool Motivation - Facilitate SoC design - Reduce time-to-fabrication - Making use of the

563 views • 22 slides
File Systems: All data structures are cached for better performance Create a new file

File Systems: All data structures are cached for better performance Create a new file

File Systems: Consistency Issues What about Multiple Updates? File systems maintain many data structures Several file system operations update multiple data structures Free list/bit vector Directories Examples: File headers and inode

257 views • 3 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/15/2017 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

352 views • 16 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/16/2018 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

373 views • 13 slides
Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in File S Systems t User Access Control The operating system is fully trusted to enforce the security policy. Is it good enough? Is it

888 views • 44 slides
CSN08101 Digital Forensics Lecture 8: File Systems Lecture 8: File Systems Module Leader: Dr

CSN08101 Digital Forensics Lecture 8: File Systems Lecture 8: File Systems Module Leader: Dr

CSN08101 Digital Forensics Lecture 8: File Systems Lecture 8: File Systems Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Investigative Process Analysis Framework last week File Systems File

795 views • 50 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
CPSC 410/611: Final Week -- File Systems File Systems over a Networks: Sun NFS Aspects

CPSC 410/611: Final Week -- File Systems File Systems over a Networks: Sun NFS Aspects

CPSC 410 / 611 : Operating Systems CPSC 410/611: Final Week -- File Systems File Systems over a Networks: Sun NFS Aspects of Distributed File Systems Communication Processes Naming Synchronization Fault Tolerance Caching and

315 views • 9 slides
Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification

Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification

Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification Project February 26, 2020 Welcome HMOs, MCOs, IRIS FEAs Sandata team (EVV vendor) Wisconsin Department of Health Services team

941 views • 47 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
NFS Heterogeneous systems must be supported Different HW, OS, underlying file system

NFS Heterogeneous systems must be supported Different HW, OS, underlying file system

Distributed File Systems Distributed Systems Case Studies NFS AFS CODA DFS SMB CIFS Distributed File Systems Dfs WebDAV GFS Gmail -FS ? xFS Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted,

430 views • 19 slides
File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many

File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many

File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many data structures Free list/bit vector Directories File headers and inode structures Data blocks All data structures are cached for better

357 views • 14 slides

More recommend