4 research outputs found
ΠΡΡ ΠΈΡΠ΅ΠΊΡΡΡΠ° ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎ-Π²Π΅ΡΠΈΡΠΈΡΠΈΡΠΎΠ²Π°Π½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ ΡΠ°ΡΠΏΡΠ΅Π΄Π΅Π»Π΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅Π΅ΡΡΡΠ° InnoChain
Get PDFIn this paper we consider the software architecture of InnoChain, a distributed ledger system (DLS) with 5 levels of formal verification, including a formally-verified underlying operating system (OS). The objective of this architecture is to achieve a higher level of DLS dependability compared to more traditional software architectures and quality assurance (QA) methods. The architecture of InnoChain includes (1) a programming language for smart contracts which is a domain-specific language with formal semantics embedded into CakeML, which is a functional language ofthe ML family; this allows us to carry out formal verification of smart contracts' correctness properties using higher-order logic systems, such as HOL4; (2) trusted compilation of smart contracts into the machine code using the verified compiler available for CakeML, rather than relying on a virtual machine for execution of smart contracts; (3) using CakeML for implementation of InnoChain node functionality which allows for formal verification of code correctness and trusted compilation into the machine code; (4) formal verification of the consensus protocol used InnoChain, namely HotStuff BFT; (5) using seL4, a formally-verified microkernel, as the underlying OS for InnoChain instead of more traditional general-purpose OSes such as Linux. The proposed verified architecture will allow InnoChain to be used in mission-critical applications, such as the decentralized Aircraft Fuelling Control System which is currently under development for JSC Aeroflot, the Russian national air carrier.Π Π½Π°ΡΡΠΎΡΡΠ΅ΠΉ ΡΠ°Π±ΠΎΡΠ΅ ΡΠ°ΡΡΠΌΠ°ΡΡΠΈΠ²Π°Π΅ΡΡΡ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΠ° ΡΠΈΡΡΠ΅ΠΌΡ ΡΠ°ΡΠΏΡΠ΅Π΄Π΅Π»Π΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅Π΅ΡΡΡΠ° (Π‘Π Π ) InnoChain. ΠΡΠ½ΠΎΠ²Π½ΠΎΠΉ ΡΠ΅Π»ΡΡ ΡΡΠΎΠΉ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΡ ΡΠ²Π»ΡΠ΅ΡΡΡ ΡΠ΅Π°Π»ΠΈΠ·ΡΠ΅ΠΌΠΎΡΡΡ 5-ΡΠΈ ΡΡΠΎΠ²Π½Π΅ΠΉ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ (ΠΠ) ΡΠΈΡΡΠ΅ΠΌΡ InnoChain, Π²ΠΊΠ»ΡΡΠ°Ρ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠ΅ ΠΎΠΊΡΡΠΆΠ΅Π½ΠΈΠ΅. ΠΠ΅ΡΠΎΠ΄Ρ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΡΠ²Π»ΡΡΡΡΡ ΠΎΡΠ½ΠΎΠ²Π½ΡΠΌΠΈ ΠΌΠ΅ΡΠΎΠ΄Π°ΠΌΠΈ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ ΠΊΠ°ΡΠ΅ΡΡΠ²Π° ΠΠ Ρ ΠΊΡΠΈΡΠΈΡΠ΅ΡΠΊΠΈΠΌΠΈ ΡΡΠ΅Π±ΠΎΠ²Π°Π½ΠΈΡΠΌΠΈ ΠΏΠΎ Π½Π°Π΄Π΅ΠΆΠ½ΠΎΡΡΠΈ, Π½ΠΎ Π΄ΠΎ ΡΠΈΡ
ΠΏΠΎΡ ΠΎΠ½ΠΈΠ½Π΅ Π½Π°Ρ
ΠΎΠ΄ΠΈΠ»ΠΈΡΠΈΡΠΎΠΊΠΎΠ³ΠΎ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΡ Π² Π‘Π Π . ΠΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΠ° InnoChain Π²ΠΊΠ»ΡΡΠ°Π΅Ρ (1) ΠΏΡΠ΅Π΄ΠΌΠ΅ΡΠ½ΠΎ-ΠΎΡΠΈΠ΅Π½ΡΠΈΡΠΎΠ²Π°Π½Π½ΡΠΉ ΡΠ·ΡΠΊ ΡΠΌΠ°ΡΡ-ΠΊΠΎΠ½ΡΡΠ°ΠΊΡΠΎΠ² Ρ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ ΡΠ΅ΠΌΠ°Π½ΡΠΈΠΊΠΎΠΉ, Π²ΡΡΡΠΎΠ΅Π½Π½ΡΠΉ Π² ΡΡΠ½ΠΊΡΠΈΠΎΠ½Π°Π»ΡΠ½ΡΠΉ ΡΠ·ΡΠΊ CakeML (Π΄ΠΈΠ°Π»Π΅ΠΊΡ ΡΠ·ΡΠΊΠ° ML), ΡΡΠΎ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΠΎΡΡΡΠ΅ΡΡΠ²Π»ΡΡΡ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΡΡ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΡΠ²ΠΎΠΉΡΡΠ² ΠΊΠΎΡΡΠ΅ΠΊΡΠ½ΠΎΡΡΠΈ ΡΠΌΠ°ΡΡ-ΠΊΠΎΠ½ΡΡΠ°ΠΊΡΠΎΠ² Π² ΡΠΈΡΡΠ΅ΠΌΠ°Ρ
Π»ΠΎΠ³ΠΈΠΊΠΈ Π²ΡΡΡΠΈΡ
ΠΏΠΎΡΡΠ΄ΠΊΠΎΠ² (Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ, HOL4); (2) Π²Π΅ΡΠΈΡΠΈΡΠΈΡΠΎΠ²Π°Π½Π½ΡΡ ΡΡΠ°Π½ΡΠ»ΡΡΠΈΡ ΡΠΌΠ°ΡΡ-ΠΊΠΎΠ½ΡΡΠ°ΠΊΡΠΎΠ² Π² ΠΌΠ°ΡΠΈΠ½Π½ΡΠΉ ΠΊΠΎΠ΄ Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΠΊΠΎΠΌΠΏΠΈΠ»ΡΡΠΎΡΠ° CakeML Π²ΠΌΠ΅ΡΡΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ Π²ΠΈΡΡΡΠ°Π»ΡΠ½ΡΡ
ΠΌΠ°ΡΠΈΠ½ Π΄Π»Ρ ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ ΡΠΌΠ°ΡΡ-ΠΊΠΎΠ½ΡΡΠ°ΠΊΡΠΎΠ²; (3) ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΡ ΡΡΠ½ΠΊΡΠΈΠΎΠ½Π°Π»Π° ΡΠ·Π»Π° Π‘Π Π ΡΠ°ΠΊΠΆΠ΅ Π½Π° CakeML Ρ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠ΅ΠΉ ΡΠ²ΠΎΠΉΡΡΠ² ΠΊΠΎΡΡΠ΅ΠΊΡΠ½ΠΎΡΡΠΈ ΠΈ Ρ Π²Π΅ΡΠΈΡΠΈΡΠΈΡΠΎΠ²Π°Π½Π½ΠΎΠΉ ΡΡΠ°Π½ΡΠ»ΡΡΠΈΠ΅ΠΉ ΠΈΡΡ
ΠΎΠ΄Π½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π° ΡΠ·Π»Π° Π² ΠΌΠ°ΡΠΈΠ½Π½ΡΠΉ ΠΊΠΎΠ΄; (4) ΡΠΎΡΠΌΠ°Π»ΡΠ½ΡΡ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° ΠΊΠΎΠ½ΡΠ΅Π½ΡΡΡΠ° Π‘Π Π (HotStuff BFT); (5) ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎ-Π²Π΅ΡΠΈΡΠΈΡΠΈΡΠΎΠ²Π°Π½Π½ΠΎΠ³ΠΎ ΠΌΠΈΠΊΡΠΎΡΠ΄ΡΠ° seL4 Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠ³ΠΎ ΠΎΠΊΡΡΠΆΠ΅Π½ΠΈΡ Π‘Π Π Π²ΠΌΠ΅ΡΡΠΎ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΡΡ
ΡΠΈΡΡΠ΅ΠΌ ΠΎΠ±ΡΠ΅Π³ΠΎ Π½Π°Π·Π½Π°ΡΠ΅Π½ΠΈΡ. ΠΡΠ΅Π΄Π»Π°Π³Π°Π΅ΠΌΠ°Ρ Π°ΡΡ
ΠΈΡΠ΅ΠΊΡΡΡΠ° ΠΎΡΠΊΡΡΠ²Π°Π΅Ρ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΠΈ Π΄Π»Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ Π‘Π Π InnoChain Π² ΠΊΡΠΈΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΠΏΠΎ Π½Π°Π΄Π΅ΠΆΠ½ΠΎΡΡΠΈ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΡΡ
, Π² ΡΠ°ΡΡΠ½ΠΎΡΡΠΈ, Π² ΡΠΈΡΡΠ΅ΠΌΠ΅ ΡΠΏΡΠ°Π²Π»Π΅Π½ΠΈΡ Π·Π°ΠΏΡΠ°Π²ΠΊΠΎΠΉ Π²ΠΎΠ·Π΄ΡΡΠ½ΡΡ
ΡΡΠ΄ΠΎΠ² ΠΠΠ ΠΡΡΠΎΡΠ»ΠΎΡ
InnoChain: ΡΠ°ΡΠΏΡΠ΅Π΄Π΅Π»Π΅Π½Π½ΡΠΉ ΡΠ΅Π΅ΡΡΡ Π΄Π»Ρ ΠΈΠ½Π΄ΡΡΡΡΠΈΠ°Π»ΡΠ½ΠΎΠ³ΠΎ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΡ Ρ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠ΅ΠΉ Π½Π° Π²ΡΠ΅Ρ ΡΡΠΎΠ²Π½ΡΡ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΈ
Get PDFThe extent of formal verification methods applied to industrial projects has always been limited. The proliferation of distributed ledger systems (DLS), also known as blockchain, is rapidly changing the situation. Since the main area of DLSs' application is the automation of financial transactions, the properties of predictability and reliability are critical for implementing such systems. The actual behavior of the DLS is determined by the chosen consensus protocol, which properties require strict specification and formal verification. Formal specification and verification of the consensus protocol is necessary but not sufficient. It is required to ensure that the software implementation of the DLS nodes complies with this protocol. The verified software implementation of the protocol must run on a fairly reliable operating system. The so-called βsmart contractsβ, which are an important part of the applied implementations of specific business processes based on DLSs, must be verifiable as well. In this paper, we describe an ongoing industrial project that will result in a DLS verified at least at the four technological levels described above. We then share our experience with the formal specification and verification of HotStuff, a leader-based fault-tolerant protocol that ensures reaching distributed consensus in the presence of Byzantine processes.Π‘ΡΠ΅ΠΏΠ΅Π½Ρ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΡ ΠΌΠ΅ΡΠΎΠ΄ΠΎΠ² ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ Π² ΠΈΠ½Π΄ΡΡΡΡΠΈΠ°Π»ΡΠ½ΡΡ
ΠΏΡΠΎΠ΅ΠΊΡΠ°Ρ
Π²ΡΠ΅Π³Π΄Π° Π±ΡΠ»Π° ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½Π°. Π Π°ΡΠΏΡΠΎΡΡΡΠ°Π½Π΅Π½ΠΈΠ΅ ΡΠΈΡΡΠ΅ΠΌ ΡΠ°ΡΠΏΡΠ΅Π΄Π΅Π»Π΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅Π΅ΡΡΡΠ° (Π‘Π Π ), ΠΈΠ·Π²Π΅ΡΡΠ½ΡΡ
ΡΠ°ΠΊΠΆΠ΅ ΠΊΠ°ΠΊ Π±Π»ΠΎΠΊΡΠ΅ΠΉΠ½, Π±ΡΡΡΡΠΎ ΠΌΠ΅Π½ΡΠ΅Ρ ΡΠΈΡΡΠ°ΡΠΈΡ. ΠΠΎΡΠΊΠΎΠ»ΡΠΊΡ ΠΎΡΠ½ΠΎΠ²Π½ΠΎΠΉ ΠΎΠ±Π»Π°ΡΡΡΡ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΡ Π‘Π Π ΡΠ²Π»ΡΠ΅ΡΡΡ Π°Π²ΡΠΎΠΌΠ°ΡΠΈΠ·Π°ΡΠΈΡ ΡΠΈΠ½Π°Π½ΡΠΎΠ²ΡΡ
ΡΡΠ°Π½Π·Π°ΠΊΡΠΈΠΉ, ΡΠ²ΠΎΠΉΡΡΠ²Π° ΠΏΡΠ΅Π΄ΡΠΊΠ°Π·ΡΠ΅ΠΌΠΎΡΡΠΈ ΠΈ Π½Π°Π΄Π΅ΠΆΠ½ΠΎΡΡΠΈ ΡΠ²Π»ΡΡΡΡΡ ΠΊΡΠΈΡΠΈΡΠ΅ΡΠΊΠΈΠΌΠΈ ΠΏΡΠΈ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΈ ΡΠ°ΠΊΠΈΡ
ΡΠΈΡΡΠ΅ΠΌ. Π Π΅Π°Π»ΡΠ½ΠΎΠ΅ ΠΏΠΎΠ²Π΅Π΄Π΅Π½ΠΈΠ΅ Π‘Π Π ΠΎΠΏΡΠ΅Π΄Π΅Π»ΡΠ΅ΡΡΡ Π²ΡΠ±ΡΠ°Π½Π½ΡΠΌ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»ΠΎΠΌ ΠΊΠΎΠ½ΡΠ΅Π½ΡΡΡΠ°, ΡΠ²ΠΎΠΉΡΡΠ²Π° ΠΊΠΎΡΠΎΡΠΎΠ³ΠΎ Π½ΡΠΆΠ΄Π°ΡΡΡΡ Π² ΡΡΡΠΎΠ³ΠΎΠΉ ΡΠΏΠ΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΈ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ. Π€ΠΎΡΠΌΠ°Π»ΡΠ½Π°Ρ ΡΠΏΠ΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΠΈ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° ΠΊΠΎΠ½ΡΠ΅Π½ΡΡΡΠ° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠ°, Π½ΠΎ Π½Π΅Π΄ΠΎΡΡΠ°ΡΠΎΡΠ½Π°. ΠΠ΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ ΡΠ΄ΠΎΡΡΠΎΠ²Π΅ΡΠΈΡΡΡΡ, ΡΡΠΎ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½Π°Ρ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΡ ΡΠ·Π»ΠΎΠ² Π‘Π Π ΡΠΎΠΎΡΠ²Π΅ΡΡΡΠ²ΡΠ΅Ρ Π΄Π°Π½Π½ΠΎΠΌΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Ρ. ΠΠ΅ΡΠΈΡΠΈΡΠΈΡΠΎΠ²Π°Π½Π½Π°Ρ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½Π°Ρ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΡ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° Π΄ΠΎΠ»ΠΆΠ½Π° Π·Π°ΠΏΡΡΠΊΠ°ΡΡΡΡ Π½Π° Π΄ΠΎΡΡΠ°ΡΠΎΡΠ½ΠΎ Π½Π°Π΄Π΅ΠΆΠ½ΠΎΠΉ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΠ΅. Π’Π°ΠΊ Π½Π°Π·ΡΠ²Π°Π΅ΠΌΡΠ΅ βΡΠΌΠ½ΡΠ΅ ΠΊΠΎΠ½ΡΡΠ°ΠΊΡβ, ΠΊΠΎΡΠΎΡΡΠ΅ ΡΠ²Π»ΡΡΡΡΡ Π²Π°ΠΆΠ½ΠΎΠΉ ΡΠ°ΡΡΡΡ ΠΏΡΠΈΠΊΠ»Π°Π΄Π½ΡΡ
ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΉ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΡ
Π±ΠΈΠ·Π½Π΅Ρ-ΠΏΡΠΎΡΠ΅ΡΡΠΎΠ² Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ Π‘Π Π , ΡΠ°ΠΊΠΆΠ΅ Π΄ΠΎΠ»ΠΆΠ½Ρ Π±ΡΡΡ Π²Π΅ΡΠΈΡΠΈΡΠΈΡΡΠ΅ΠΌΡ.Π Π΄Π°Π½Π½ΠΎΠΉ ΡΠ°Π±ΠΎΡΠ΅ ΠΌΡ ΠΎΠΏΠΈΡΡΠ²Π°Π΅ΠΌ ΡΠ΅Π°Π»ΠΈΠ·ΡΡΡΠΈΠΉΡΡ Π² Π½Π°ΡΡΠΎΡΡΠ΅Π΅ Π²ΡΠ΅ΠΌΡ ΠΈΠ½Π΄ΡΡΡΡΠΈΠ°Π»ΡΠ½ΡΠΉ ΠΏΡΠΎΠ΅ΠΊΡ, ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΠΎΠΌ ΠΊΠΎΡΠΎΡΠΎΠ³ΠΎ ΡΡΠ°Π½Π΅Ρ Π‘Π Π , Π²Π΅ΡΠΈΡΠΈΡΠΈΡΠΎΠ²Π°Π½Π½Π°Ρ ΠΏΠΎ ΠΌΠ΅Π½ΡΡΠ΅ΠΉ ΠΌΠ΅ΡΠ΅ Π½Π° ΡΠ΅ΡΡΡΠ΅Ρ
ΠΎΠΏΠΈΡΠ°Π½Π½ΡΡ
Π²ΡΡΠ΅ ΡΠ΅Ρ
Π½ΠΎΠ»ΠΎΠ³ΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΡΠΎΠ²Π½ΡΡ
. ΠΡ ΡΠ°ΠΊΠΆΠ΅ ΠΎΠΏΠΈΡΡΠ²Π°Π΅ΠΌ Π½Π°Ρ ΠΎΠΏΡΡ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ ΡΠΏΠ΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΈ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° HotStuff - ΠΎΡΠΊΠ°Π·ΠΎΡΡΡΠΎΠΉΡΠΈΠ²ΠΎΠ³ΠΎ ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π° Π΄Π»Ρ Π³Π°ΡΠ°Π½ΡΠΈΡΠΎΠ²Π°Π½Π½ΠΎΠ³ΠΎ Π΄ΠΎΡΡΠΈΠΆΠ΅Π½ΠΈΡ ΠΊΠΎΠ½ΡΠ΅Π½ΡΡΡΠ° Π² ΠΏΡΠΈΡΡΡΡΡΠ²ΠΈΠΈ Π²ΠΈΠ·Π°Π½ΡΠΈΠΉΡΠΊΠΈΡ
ΠΏΡΠΎΡΠ΅ΡΡΠΎΠ² ΠΈ Π»ΠΈΠ΄Π΅ΡΠ°
Architecture of the Formally-Verified Distributed Ledger System InnoChain
Get PDFIn this paper we consider the software architecture of InnoChain, a distributed ledger system (DLS) with 5 levels of formal verification, including a formally-verified underlying operating system (OS). The objective of this architecture is to achieve a higher level of DLS dependability compared to more traditional software architectures and quality assurance (QA) methods. The architecture of InnoChain includes (1) a programming language for smart contracts which is a domain-specific language with formal semantics embedded into CakeML, which is a functional language ofthe ML family; this allows us to carry out formal verification of smart contracts' correctness properties using higher-order logic systems, such as HOL4; (2) trusted compilation of smart contracts into the machine code using the verified compiler available for CakeML, rather than relying on a virtual machine for execution of smart contracts; (3) using CakeML for implementation of InnoChain node functionality which allows for formal verification of code correctness and trusted compilation into the machine code; (4) formal verification of the consensus protocol used InnoChain, namely HotStuff BFT; (5) using seL4, a formally-verified microkernel, as the underlying OS for InnoChain instead of more traditional general-purpose OSes such as Linux. The proposed verified architecture will allow InnoChain to be used in mission-critical applications, such as the decentralized Aircraft Fuelling Control System which is currently under development for JSC Aeroflot, the Russian national air carrier
InnoChain: a Distributed Ledger for Industry with Formal Verification on all Implementation Levels
Get PDFThe extent of formal verification methods applied to industrial projects has always been limited. The proliferation of distributed ledger systems (DLS), also known as blockchain, is rapidly changing the situation. Since the main area of DLSs' application is the automation of financial transactions, the properties of predictability and reliability are critical for implementing such systems. The actual behavior of the DLS is determined by the chosen consensus protocol, which properties require strict specification and formal verification. Formal specification and verification of the consensus protocol is necessary but not sufficient. It is required to ensure that the software implementation of the DLS nodes complies with this protocol. The verified software implementation of the protocol must run on a fairly reliable operating system. The so-called βsmart contractsβ, which are an important part of the applied implementations of specific business processes based on DLSs, must be verifiable as well. In this paper, we describe an ongoing industrial project that will result in a DLS verified at least at the four technological levels described above. We then share our experience with the formal specification and verification of HotStuff, a leader-based fault-tolerant protocol that ensures reaching distributed consensus in the presence of Byzantine processes
