Modular verification of linked lists with views via separation logic

Abstract Separation logic is a powerful program logic for the static modular verification of imperative programs. However, dynamic checking of separation logic contracts on the boundaries between verified and untrusted modules is hard because it requires one to enforce (among other things) that outcalls from a verified to an untrusted module do not access memory resources currently owned by the verified module. This paper proposes an approach to dynamic contract checking by relying on support for capabilities, a well-studied form of unforgeable memory pointers that enables fine-grained, efficient memory access control. More specifically, we rely on a form of capabilities called linear capabilities for which the hardware enforces that they cannot be copied. We formalize our approach as a fully abstract compiler from a statically verified source language to an unverified target language with support for linear capabilities. The key insight behind our compiler is that memory resources described by spatial separation logic predicates can be represented at run time by linear capabilities. The compiler is separation-logic-proof-directed: it uses the separation logic proof of the source program to determine how memory accesses in the source program should be compiled to linear capability accesses in the target program. The full abstraction property of the compiler essentially guarantees that compiled verified modules can interact with untrusted target language modules as if they were compiled from verified code as well. This article is an extended version of one that was presented at ICFP 2019 (Van Strydonck et al., 2019).

Download Full-text

Modular Verification of Termination and Execution Time Bounds Using Separation Logic

2016 IEEE 17th International Conference on Information Reuse and Integration (IRI) ◽

10.1109/iri.2016.22 ◽

2016 ◽

Cited By ~ 2

Author(s):

Jafar Hamin ◽

Bart Jacobs

Keyword(s):

Execution Time ◽

Separation Logic ◽

Modular Verification ◽

Time Bounds

Download Full-text

Satisfiability modulo abstraction for separation logic with linked lists

Proceedings of the 2014 International SPIN Symposium on Model Checking of Software - SPIN 2014 ◽

10.1145/2632362.2632376 ◽

2014 ◽

Cited By ~ 8

Author(s):

Aditya Thakur ◽

Jason Breck ◽

Thomas Reps

Keyword(s):

Separation Logic ◽

Linked Lists

Download Full-text

Modular verification of preemptive OS kernels

Journal of Functional Programming ◽

10.1017/s0956796813000075 ◽

2013 ◽

Vol 23 (4) ◽

pp. 452-514 ◽

Cited By ~ 5

Author(s):

ALEXEY GOTSMAN ◽

HONGSEOK YANG

Keyword(s):

Separation Logic ◽

Multiprocessor Systems ◽

Proof Rules ◽

Modular Verification ◽

Key Features ◽

Concurrent Separation Logic

AbstractMost major OS kernels today run on multiprocessor systems and are preemptive: it is possible for a process running in the kernel mode to get descheduled. Existing modular techniques for verifying concurrent code are not directly applicable in this setting: they rely on scheduling being implemented correctly, and in a preemptive kernel, the correctness of the scheduler is interdependent with the correctness of the code it schedules. This interdependency is even stronger in mainstream kernels, such as those of Linux, FreeBSD or Mac OS X, where the scheduler and processes interact in complex ways. We propose the first logic that is able to decompose the verification of preemptive multiprocessor kernel code into verifying the scheduler and the rest of the kernel separately, even in the presence of complex interdependencies between the two components. The logic hides the manipulation of control by the scheduler when reasoning about preemptable code and soundly inherits proof rules from concurrent separation logic to verify it thread-modularly. We illustrate the power of our logic by verifying an example scheduler, which includes some of the key features of the scheduler from Linux 2.6.11 challenging for verification.

Download Full-text