verifying filesystems in acl2
play

Verifying filesystems in ACL2 Towards verifying file recovery tools - PowerPoint PPT Presentation

Apr 30, 2023 •338 likes •681 views

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

  1. Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34

  2. Outline Motivation and related work Our approach Progress so far Future work 2/34

  3. Why we need a verified filesystem ◮ Filesystems are everywhere, even as operating systems move towards making them invisible. ◮ In the absence of a clear specification of filesystems, users (and sysadmins in particular) are underserved. ◮ Modern filesystems have become increasingly complex, and so have the tools to analyse and recover data from them. ◮ It would be worthwhile to specify and formally verify, in the ACL2 theorem prover, the guarantees claimed by filesystems and tools. 3/34

  4. Related work ◮ In Haogang Chen’s 2016 dissertation, the author uses Coq to build a filesystem (named FSCQ) which is proven safe against crashes in a new logical framework named Crash Hoare Logic. ◮ His implementation was exported into Haskell, and showed comparable performance to ext4 when run on FUSE. ◮ Hyperkernel (Nelson et al, SOSP ’17) is a ”push-button” verification effort, but approximates by changing POSIX system calls for ease of verification. ◮ In our work, we instead aim to model an existing filesystem (FAT32) faithfully and match the resulting disk image byte-to-byte. 4/34

  5. Outline Motivation and related work Our approach Progress so far Future work 5/34

  6. Choosing an initial model ◮ Our goal here is to verify the FAT32 filesystem, but we need a simpler model to begin with. ◮ Our filesystem’s operations should suffice for running a workload. ◮ Yet, parsimony and avoidance of redundancy are essential for theorem proving. ◮ What’s a necessary and sufficient set of operations? 6/34

  7. Minimal set of operations? ◮ The Google filesystem suggests a minimal set of operations: ◮ create ◮ delete ◮ open ◮ close ◮ read ◮ write ◮ Of these, open and close require the maintenance of file descriptor state - so they can wait. ◮ However, they are essential when describing concurrency and multiprogramming behaviour. ◮ Thus, we can start modelling a filesystem, and several refinements thereof. 7/34

  8. Quick overview of models ◮ Model 1: Tree representation of directory structure with unbounded file size and unbounded filesystem size. ◮ Model 2: Model 1 with file length as metadata. ◮ Model 3: Tree representation of directory structure with file contents stored in a ”disk”. ◮ Model 4: Model 3 with bounded filesystem size and garbage collection. 8/34

  9. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket1,”Sun 19:00” 9/34

  10. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket1,”Sun 19:00” ticket2,”Tue 21:00” 10/34

  11. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket2,”Tue 21:00” 11/34

  12. Model 1 \ vmlinuz,” \ 0 \ 0 \ 0” tmp ticket2,”Wed 01:00” 12/34

  13. Model 2 ◮ Model 1 supports nested directory structures, unbounded file size and unbounded filesystem size. ◮ However, there’s no metadata, either to provide additional information or to validate the contents of the file. ◮ With an extra field for length, we can create a simple version of fsck that checks file contents for consistency. ◮ Further, we can verify that create, write, delete etc preserve this notion of consistency. 13/34

  14. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket1,”Sun 19:00”,9 14/34

  15. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket1,”Sun 19:00”,9 ticket2,”Tue 21:00”,9 15/34

  16. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket2,”Tue 21:00”,9 16/34

  17. Model 2 \ vmlinuz,” \ 0 \ 0 \ 0”,3 tmp ticket2,”Wed 01:00”,9 17/34

  18. Model 3 ◮ As the next step, we focus on externalising the storage of file contents. ◮ We also choose to break up file contents into ”blocks” of a constant length (8.) ◮ Note: this would mean storing file length is no longer optional, to avoid reading garbage past end of file at the end of a block. 18/34

  19. Model 3 \ tmp vmlinuz,(0),3 ticket1,(1 2),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 19/34

  20. Model 3 \ tmp vmlinuz,(0),3 ticket1,(1 2),9 ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 Tue 21:0 0 20/34

  21. Model 3 \ tmp vmlinuz,(0),3 ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 Tue 21:0 0 21/34

  22. Model 3 \ tmp vmlinuz,(0),3 ticket2,(5 6),9 Table: Disk \ 0 \ 0 \ 0 Sun 19:0 0 Tue 21:0 0 Wed 01:0 0 22/34

  23. Model 4 ◮ In the fourth model, we attempt to implement garbage collection in the form of an allocation vector. ◮ The allocation vector tracks whether blocks in the filesystem are in use by a file. This allows us to reuse unused blocks. 23/34

  24. Model 4 \ vmlinuz,(0),3 tmp ticket1,(1 2),9 Table: Disk \ 0 \ 0 \ 0 true Sun 19:0 true 0 true false false false 24/34

  25. Model 4 \ vmlinuz,(0),3 tmp ticket1,(1 2),9 ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 true Sun 19:0 true 0 true Tue 21:0 true 0 true false 25/34

  26. Model 4 \ vmlinuz,(0),3 tmp ticket2,(3 4),9 Table: Disk \ 0 \ 0 \ 0 true Sun 19:0 false 0 false Tue 21:0 true 0 true false 26/34

  27. Model 4 \ vmlinuz,(0),3 tmp ticket2,(1 2),9 Table: Disk \ 0 \ 0 \ 0 true Wed 01:0 true 0 true Tue 21:0 false 0 false false 27/34

  28. Outline Motivation and related work Our approach Progress so far Future work 28/34

  29. Proof approaches and techniques ◮ There are many properties that could be considered for correctness, but we choose to focus on the read-over-write theorems from the first-order theory of arrays. ◮ Read n characters starting at position start in the file at path hns in filesystem fs : l1-rdchs(hns, fs, start, n) ◮ Write string text characters starting at position start in the file at path hns in filesystem fs : l1-wrchs(hns, fs, start, text) 29/34

  30. Proof approaches and techniques ◮ First read-over-write theorem: reading from a location after writing to the same location should yield the data that was written. Formally, assuming n = length(text) and suitable ”type” hypotheses (omitted here): l1-rdchs(hns, l1-wrchs(hns, fs, start, text), start, n) = text ◮ Second read-over-write-theorem: Reading from a location after writing to a different location should yield the same result as reading before writing. Formally, assuming hns1 != hns2 and suitable ”type” hypotheses (omitted here): l1-rdchs(hns1, l1-wrchs(hns2, fs, start2, text2), start1, n1) = l1-rdchs(hns1, fs, start1, n1) 30/34

  31. Proof approaches and techniques ◮ For each of the models 1, 2, 3 and 4, we have proofs of correctness of the two read-after-write properties, making use of the proofs of equivalence between models and their successors. ◮ Model 4 presented some unique challenges - proving the read-after-write properties required proving an equivalence between model 4 and model 2, rather than model 3. 31/34

  32. Proof approaches and techniques l 2 l 2 write l2-to-l1-fs l2-to-l1-fs l 1 l 1 write l 2 text read l2-to-l1-fs read l 1 l 2 l 2 text write read l2-to-l1-fs l2-to-l1-fs read l 1 l 1 write 32/34

  33. Outline Motivation and related work Our approach Progress so far Future work 33/34

  34. Future work ◮ Model and verify file permissions. ◮ Linearise the tree, leaving only the disk. ◮ Add the system call open and close with the introduction of file descriptors. This would be a step towards the study of concurrent FS operations. ◮ Eventually emulate the FAT32 filesystem as a convincing proof of concept, and move on to fsck and file recovery tools. 34/34

Recommend

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
A SAT-Based Procedure for Verifying Finite State Machines in ACL2 Warren A. Hunt, Jr. and Erik

A SAT-Based Procedure for Verifying Finite State Machines in ACL2 Warren A. Hunt, Jr. and Erik

A SAT-Based Procedure for Verifying Finite State Machines in ACL2 Warren A. Hunt, Jr. and Erik Reeber {reeber,hunt}@cs.utexas.edu The University of Texas ACL2 Workshop, August 16 , 2006 Introduction The ACL2 theorem prover is great

252 views • 22 slides
Formalising Filesystems in the ACL2 Theorem Prover An Application To FAT32 Mihir Mehta

Formalising Filesystems in the ACL2 Theorem Prover An Application To FAT32 Mihir Mehta

Formalising Filesystems in the ACL2 Theorem Prover An Application To FAT32 Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 05 November, 2018 1/25 Why filesystem verification matters

486 views • 25 slides
ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya

ACL2(ml): Machine-Learning for ACL2 J. Heras and E. Komendantskaya http://staff.computing.dundee.ac.uk/katya/acl2ml/ 12 July 2014 ACL214 J. Heras ACL2(ml): Machine-Learning for ACL2 1/23 Outline Some Challenges in ACL2 1 An overview of

871 views • 56 slides
This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are

This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are

Linux System Administration SSU: Disks and Filesystems 1 This time we'll talk about filesystems. We'll start out by looking at disk partitions, which are the traditional places to put filesystems. Then we'll take a look at logical

711 views • 58 slides
Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming Introduction ACL2 ( r ) is a variant of ACL2 that supports the irrational numbers It is distributed with the ACL2 sources The foundations of ACL2

479 views • 29 slides
Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Moreno Baricevic Gilberto Daz Axel Kohlmeyer Stefano Cozzini ULA ICTP CNR-IOM DEMOCRITOS Merida, VENEZUELA Trieste, ITALY Trieste, ITALY Introduction Introduction to storage and to storage and filesystems filesystems Introduction

1.19k views • 51 slides
Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach

Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach

Verifying Transformation Rules of the HATS High-Assurance Transformation System: An Approach Steve Roach Fares Fraij Department of Computer Science The University of Texas at El Paso Fifth International Workshop on the ACL2 Theorem

299 views • 17 slides
Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2

Double Rewriting for Equivalential Reasoning in ACL2 Matt Kaufmann and J Strother Moore ACL2 Workshop, FLoC, Seattle, August 16, 2006 1 Introduction ACL2 provides a powerful congruence-based rewriting capability. However, some have

537 views • 19 slides
How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1

How Can I Do That with ACL2? Recent Enhancements to ACL2 Matt Kaufmann and J Strother Moore 1 Introduction (1) ACL2 Version 3.5 was released in May, 2009. Release note items (see :DOC release-notes) since then: (+ 41 ; 3.6 (8/2009) 3 ;

622 views • 49 slides
Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a

Flat Domains and Recursive Equations in ACL2 by John Cowles University of Wyoming 1 ACL2 is a logic of total functions. Some recursive equations have no satisfying ACL2 functions: No ACL2 function g satisfies this recursive equation

518 views • 35 slides
A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro

A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java Alessandro Coglio Kestrel Institute Workshop 2018 ATJ Java code generator for ACL2 (ACL2 To Java) based on AIJ deep embedding of ACL2 in Java (ACL2 In Java)

901 views • 38 slides
Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu

Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu

Hygienic Macros for ACL2 Carl Eastlund Matthias Felleisen cce@ccs.neu.edu matthias@ccs.neu.edu Northeastern University Boston, MA, USA 1 ACL2 2 ACL2 Formal verification based on pure, first-order Common Lisp. Used to model critical

909 views • 61 slides
Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop 2018 This talk is for hint abusers This might be you if: You cant be bothered to figure out a good rewriting strategy You just dont know

541 views • 30 slides
Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon

Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon

Adding a typing Adding a typing mechanism to ACL2 mechanism to ACL2 Vernon Austel Vernon Austel IBM IBM Outline Outline What a typed ACL2 might look like Vague proposal concerning how to change ACL2 to allow experimentation with type

873 views • 19 slides
DrACuLa: ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen ACL2 Workshop August

DrACuLa: ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen ACL2 Workshop August

DrACuLa: ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen ACL2 Workshop August 16, 2006 1 Undergraduate Software Engineering Page teaches two SE courses at Oklahoma U. Covers usual topics - specification, documentation,

557 views • 51 slides
Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004 Goals

Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004 Goals

Partial Clock Functions in ACL2 John Matthews and Daron Vroon ACL2 Workshop 2004 Goals Given a state machine, we want : A termination proof: from a set of starting states, a desired goal state will always eventually be reached. An

423 views • 26 slides
Theorems About Programming Languages in ACL2 Sol Swords William Cook

Theorems About Programming Languages in ACL2 Sol Swords William Cook

Theorems About Programming Languages in ACL2 Sol Swords William Cook {sswords,wcook}@cs.utexas.edu Department of Computer Science University of Texas at Austin ACL2 Workshop, FLoC 2006 Outline 1 Introduction: Mechanizing Programming

540 views • 18 slides
So#ware Synthesis with ACL2 Eric Smith Kestrel Ins9tute

So#ware Synthesis with ACL2 Eric Smith Kestrel Ins9tute

So#ware Synthesis with ACL2 Eric Smith Kestrel Ins9tute ACL2 Workshop 2015 Outline Overview of Refinement-Based Synthesis Proof-EmiJng Transforma9ons

460 views • 21 slides
Literate Proofs Ruben Gamboa July 14, 2003 Motivation Make it easier to understand ACL2 books

Literate Proofs Ruben Gamboa July 14, 2003 Motivation Make it easier to understand ACL2 books

Literate Proofs Ruben Gamboa July 14, 2003 Motivation Make it easier to understand ACL2 books after the fact Organize ACL2 books in a human-oriented, not a proof-oriented manner Publish ACL2 books in different formats (web, print, ...) and

372 views • 15 slides
Formal Verification of Arithmetic RTL: Translating Verilog to C++ to ACL2 David M. Russinoff Arm

Formal Verification of Arithmetic RTL: Translating Verilog to C++ to ACL2 David M. Russinoff Arm

Formal Verification of Arithmetic RTL: Translating Verilog to C++ to ACL2 David M. Russinoff Arm May 28, 2020 1/27 V ERIFICATION OF RTL D ESIGN WITH ACL2 Requirements for RTL verification by theorem proving: Semantics-preserving

422 views • 27 slides
Parallelizing an Interactive Theorem Prover Functional Programming and Proofs with ACL2 David L.

Parallelizing an Interactive Theorem Prover Functional Programming and Proofs with ACL2 David L.

Introduction Parallelism Primitives Parallelizing ACL2 Evaluate Approach Conclusion Talking Points Parallelizing an Interactive Theorem Prover Functional Programming and Proofs with ACL2 David L. Rager ragerdl@gmail.com June 17, 2013 1 /

751 views • 57 slides
Support for Trusted Extension in ACL2 J Strother Moore (joint work with Matt Kaufmann)

Support for Trusted Extension in ACL2 J Strother Moore (joint work with Matt Kaufmann)

Support for Trusted Extension in ACL2 J Strother Moore (joint work with Matt Kaufmann) Department of Computer Sciences University of Texas at Austin August, 2010 1 A C omputational L ogic for A pplicative C ommon L isp = ACL2 a

639 views • 35 slides
Challenge Problems for Challenge Problems for the ACL2 Community the ACL2 Community David

Challenge Problems for Challenge Problems for the ACL2 Community the ACL2 Community David

Challenge Problems for Challenge Problems for the ACL2 Community the ACL2 Community David Hardin David Hardin First, the good news First, the good news ACL2 has been shown to scale to industrial problems ACL2 has been shown to scale

239 views • 11 slides

More recommend