CS 260r Projects and Close Readings in Software Systems
2017: VERIFIED SYSTEMS
MW 1–2:30, MD 221
Eddie Kohler
What is CS 260r?
- Research seminar in computer systems
- Relatively informal
- Different topic each time
- We read papers
- We complete a couple assignments
- We do research
- We learn together
Why read research papers?
- Learn currently hot topics in systems research and important past research
- Learn how to read research papers
- Learn how to do research
- Prepare for graduate school and other lifelong learning
Why do assignments?
- Ground your research knowledge in real skills
Why do research?
- A major outcome for this course is your final research project
- A great project could be accepted for publication to a workshop or research conference—but whether it is accepted is up to you
- Group projects are OK
- Many projects will involve implementation (or, this time, proving)
- A good research survey is also acceptable
Expectations
- Read papers before they are discussed in class
- Each paper will be accompanied by a short survey question you should answer before class
- Present at least one paper
- Engage actively in class discussion
- Complete assignments
- Project
Verified systems
Verified systems
- Systems that have been formally verified correct
- Systems whose purpose is formally verifying other systems
- Verification techniques and tricks
- Rant
What this class is not
- Theory of verification
- Category theory
- Predicative vs. impredicative mathematics
- Respectable
Topics
- Individual verified systems: seL4, CompCert, CertiKOS, Ironclad Apps, IronFleet, …
- Verification frameworks: Coq, Dafny, NuPRL, Verdi, TLA+, SAT solvers, …
- Digressions: SAT optimizations, constraint solvers, …
Coq
Coq
- An interactive theorem prover developed in France
- Based on the Calculus of (co)Inductive Constructions
- A small, proven-correct core plus layers of libraries
- A functional programming language with an advanced type system, including dependent types
- Allows extraction of working, efficient code!
- Basis of some of the most impressive software projects ever, especially CompCert
- An incredible pain in the ass
An idiosyncratic introduction to Coq
Types as proofs
- A well-typed program is a proof of a proposition; the proposition proved is the program’s type
- The program is a witness certifying the existence of a proof
- The Curry–Howard correspondence
Types as proofs
- Example: Let’s prove that an integer exists
  Definition AnIntegerExists : nat.
- The type of this program will be nat, the type of nonnegative integers in Coq (part of the standard library)
- If we can produce an integer, we’ll have proved the lemma
- Our goal: “AnIntegerExists is defined.”
Types as proofs
- If proofs are types, then limitations in your type system limit what you can prove
- Simple type systems are limited to simple existence arguments
- That’s why Coq has a complicated type system!
- Coq’s type system can express ideas as complicated as “this compiler correctly translates C to assembly language”
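The following is an added Coq example, not from the slides: it completes the AnIntegerExists definition from the earlier “Types as proofs” slide, then shows what a dependent type lets you state that a simple type system cannot, and finally extracts the result; it assumes a recent Coq with its standard library (Arith, Lia, Extraction), and the names AnIntegerAboveFive and my_plus_zero are illustrative.

```coq
(* Added example, not from the lecture slides. Assumes a recent Coq
   with its standard library; all names here are illustrative. *)
Require Import Arith Lia.
Require Extraction.

(* 1. The slide's example, completed. A program of type nat is a
   proof that an integer exists; the witness is the number itself.
   Ending with Defined (not Qed) keeps the term computable. *)
Definition AnIntegerExists : nat.
Proof.
  exact 42.
Defined.
(* Coq replies: AnIntegerExists is defined. *)

(* 2. A richer type, only expressible with dependent types: the pair
   {n : nat | n > 5} is inhabited only if we supply both a number and
   a proof that it exceeds 5. A simple type system cannot state "> 5". *)
Definition AnIntegerAboveFive : {n : nat | n > 5}.
Proof.
  exists 6.   (* the witness *)
  lia.        (* the proof obligation 6 > 5, discharged by arithmetic *)
Defined.

(* 3. A proposition as a type: a proof of "for all n, n + 0 = n" is a
   program whose type is that dependent function type. *)
Lemma my_plus_zero : forall n : nat, n + 0 = n.
Proof.
  intro n.
  induction n as [| n IH].
  - reflexivity.                      (* 0 + 0 = 0 by computation *)
  - simpl. rewrite IH. reflexivity.   (* S n + 0 = S (n + 0) = S n *)
Qed.

(* 4. Extraction: the proof component of the dependent pair lives in
   Prop and is erased, so only the nat witness survives in the
   extracted OCaml code. *)
Extraction AnIntegerAboveFive.
```

Step 4 is the point of the “extraction of working, efficient code” bullet: the proof that the number exceeds 5 is checked by Coq but never shipped.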
What’s wrong with Coq?
- The world is full of truths, many of which Coq already knows in libraries, but finding out the terms in which it knows those truths is tiresome; you find yourself proving trivial truths again and again
- Its users can be insane math people or arrogant
- It is super complicated and that’s OK to admit
More examples
Next time
- seL4: Formal Verification of an OS Kernel (presented by Eddie)
- More Coq, and our first assignment