469 research outputs found

    Hoare-style Specifications as Correctness Conditions for Non-linearizable Concurrent Objects

    Designing scalable concurrent objects, which can be efficiently used on multicore processors, often requires one to abandon standard specification techniques, such as linearizability, in favor of more relaxed consistency requirements. However, the variety of alternative correctness conditions makes it difficult to choose which one to employ in a particular case, and to compose them when using objects whose behaviors are specified via different criteria. The lack of syntactic verification methods for most of these criteria poses challenges in their systematic adoption and application. In this paper, we argue for using Hoare-style program logics as an alternative and uniform approach for specification and compositional formal verification of safety properties for concurrent objects and their client programs. Through a series of case studies, we demonstrate how an existing program logic for concurrency can be employed off-the-shelf to capture important state and history invariants, allowing one to explicitly quantify over interference of environment threads and provide intuitive and expressive Hoare-style specifications for several non-linearizable concurrent objects that were previously specified only via dedicated correctness criteria. We illustrate the adequacy of our specifications by verifying a number of concurrent client scenarios, that make use of the previously specified concurrent objects, capturing the essence of such correctness conditions as concurrency-aware linearizability, quiescent, and quantitative quiescent consistency. All examples described in this paper are verified mechanically in Coq.

    Concurrent Data Structures Linked in Time

    Arguments about correctness of a concurrent data structure are typically carried out by using the notion of linearizability and specifying the linearization points of the data structure's procedures. Such arguments are often cumbersome as the linearization points' position in time can be dynamic (depend on the interference, run-time values and events from the past, or even future), non-local (appear in procedures other than the one considered), and whose position in the execution trace may only be determined after the considered procedure has already terminated. In this paper we propose a new method, based on a separation-style logic, for reasoning about concurrent objects with such linearization points. We embrace the dynamic nature of linearization points, and encode it as part of the data structure's auxiliary state, so that it can be dynamically modified in place by auxiliary code, as needed when some appropriate run-time event occurs. We name the idea linking-in-time, because it reduces temporal reasoning to spatial reasoning. For example, modifying a temporal position of a linearization point can be modeled similarly to a pointer update in separation logic. Furthermore, the auxiliary state provides a convenient way to concisely express the properties essential for reasoning about clients of such concurrent objects. We illustrate the method by verifying (mechanically in Coq) an intricate optimal snapshot algorithm due to Jayanti, as well as some clients

    Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation

    Compartmentalization is good security-engineering practice. By breaking a large software system into mutually distrustful components that run with minimal privileges, restricting their interactions to conform to well-defined interfaces, we can limit the damage caused by low-level attacks such as control-flow hijacking. When used to defend against such attacks, compartmentalization is often implemented cooperatively by a compiler and a low-level compartmentalization mechanism. However, the formal guarantees provided by such compartmentalizing compilation have seen surprisingly little investigation. We propose a new security property, secure compartmentalizing compilation (SCC), that formally characterizes the guarantees provided by compartmentalizing compilation and clarifies its attacker model. We reconstruct our property by starting from the well-established notion of fully abstract compilation, then identifying and lifting three important limitations that make standard full abstraction unsuitable for compartmentalization. The connection to full abstraction allows us to prove SCC by adapting established proof techniques; we illustrate this with a compiler from a simple unsafe imperative language with procedures to a compartmentalized abstract machine.

    Symbolic execution proofs for higher order store programs

    Higher order store programs are programs which store, manipulate and invoke code at runtime. Important examples of higher order store programs include operating system kernels which dynamically load and unload kernel modules. Yet conventional Hoare logics, which provide no means of representing changes to code at runtime, are not applicable to such programs. Recently, however, new logics using nested Hoare triples have addressed this shortcoming. In this paper we describe, from top to bottom, a sound semi-automated verification system for higher order store programs. We give a programming language with higher order store features, define an assertion language with nested triples for specifying such programs, and provide reasoning rules for proving programs correct. We then present in full our algorithms for automatically constructing correctness proofs. In contrast to earlier work, the language also includes ordinary (fixed) procedures and mutable local variables, making it easy to model programs which perform dynamic loading and other higher order store operations. We give an operational semantics for programs and a step-indexed interpretation of assertions, and use these to show soundness of our reasoning rules, which include a deep frame rule which allows more modular proofs. Our automated reasoning algorithms include a scheme for separation logic based symbolic execution of programs, and automated provers for solving various kinds of entailment problems. The latter are presented in the form of sets of derived proof rules which are constrained enough to be read as a proof search algorithm

    Type systems for modular programs and specifications
