Modularity for decidability of deductive verification with ...

Modularity for decidability of deductive verification with applications to distributed systems Marcelo Taube Mooly Sagiv Giuliano Losa Sharon Shoham Kenneth McMillan James R. Wilcox Oded Padon

Doug Woos Deductive verification takes effort Proof assistant (e.g. Coq) Automated solver (e.g. Z3) Offload to algorithms Problems in undecidable logics Will the solver terminate? Problem: Unpredictable verification hurts productivity too Productivity at deductive verifications

Productivity is important Proposing: decidable logics Usefulness hypothesis: Decidability will make solving time stable and process effective Intuition: Why do solvers fail to decide Combination of: Interpreted theories (arithmetic, sets) Uninterpreted functions / relation Quantifiers + Can interesting systems be verified in decidable logics?

Naively no: Decidable logics are not expressive enough Decidability through modularity Undecidability happens when merging features Hypothesis: Can decidability be achieved if we split those features back? In this work: Leverage standard modularity techniques Decompose systems to components. Each decidable Verification conditions Procedure foo: requires ensures

CODE . CODE } Prover checks validity of VC: Transition relation Modularity for decidability Apply modularity Split formulas become simpler

1 1 1 Module 1 22 2 Module 2 Micro example: Elections

Elections state and transition Types ,, type type type Voters and candidates Sets of citizens Cardinalities of sets

[vote_once] [good_count] Elections state and transition Citizens shall onlyvotes once A citizen rules only with vote enough

[single_leader] Only a single leader might rule Types ,, State procedure try_become_leader(Citizen cand): requires ensures { if size(voters[cand]) > num_nodes / 2: isleader[cand] := true }

First step: move theories away Undecidable module [FOL] Sets module [FAU] + FAU fragment: Finite almost uninterpreted Abstracting arithmetic procedure try_become_leader(Citizen cand): if isquorum(voters[cand]): size(voters[cand]) > n / 2: islead[ercand] := true isleader[cand] Replace with

Main module New public symbols: Public property: This talk: mainly about remaining logic in main Sets module [FAU] Privately:

Undecidability in first order logic Solver uses quantifier instantiation: Big formula: Undecidability in first order logic Solver uses quantifier instantiation: Big formula:

( ( )) () Undecidability in first order logic Solver uses quantifier instantiation:

Big formula: ( ( )) ( ( ( ) )) ()

Effectively Propositional Logic EPR Forbids function loops: , Search space becomes finite Problem becomes decidable Are the election program in EPR? No. Function loop.

Solution: two modules Main module [EPR] Votes module [ERP]

Fitting in EPR with modularity procedure try_become_leader(Citizen cand): if isquorum(voters[cand]): enough_votes(cand): isleader[cand] := true Replace by Main module [EPR] Votes module [ERP] procedure enough_votes(Citizen cand) returns (bool ret): { ret := isquorum(voters[cand]) }

Fitting in EPR with modularity procedure try_become_leader(Citizen cand): if enough_votes(cand): Abstraction of voters isleader[cand] := true Forgot function is total Shared vocabulary: (ghost) Main module [EPR] Hide implementation Expose specification Votes module [ERP]

procedure enough_votes(Citizen cand) returns (bool (bool ret): ret): { ensures ret { ret := isquorum(voters[cand]) } ret := isquorum(voters[cand]) } Each module in a decidable logic Main module [EPR] Votes module [EPR] Sets module [FAU] +

Verifying distributed protocol implementation Implement RAFT and MULTI-PAXOS in Ivy Verify with decidable logics using 3 modules Compile to C++ Performance sanity check: Comparable to production ready systems (etcd) Methodology does not prevent from optimizing Proof Length Protocol System/Project

LOC # manual proof Coq/Verdi 530 50,000 94 Ivy

560 200 0.4 3000 12,000 4 330 266

0.8 Ratio RAFT Dafny/IronFleet *more features MULTIPAXOS Ivy Verification Effort Protocol

Human Effort Verification Time Coq/Verdi 3.7 years 30 mins Ivy 3 months

(from ground up) Few mins Several years 6hr in cloud System/Project RAFT Dafny/IronFleet *more features

MULTIPAXOS Ivy 1 month (pre-verified model) Few mins Contributions Methodology: Modularity for decidability Microsoft Ivy (from Ken McMillan) now incorporates: Modularity, compilation Applied for obtaining provably correct distributed consensus implementations

Decidability was possible and payed off Backup slides Performance of the implementation Key value stores implemented on top of consensus With 16 requests in parallel, 50% writes, 50% read Implementation Requests per ms Latency (ms) Verdi

4.4 3.7 etcd 8.7 1.7 Ivy RAFT 13.5 1.2

Ivy MULTIPAXOS 8.7 1.9 *performance affected by extra operations FAU explanations? Tricks with ghost vairables?

Recently Viewed Presentations

  • Chapter 29: Plant Structure and Function

    Chapter 29: Plant Structure and Function

    Compounds move from cell to cell through end walls called sieve plates. Each sieve tube member lies next to a companion cell, a specialized parenchyma cell that assists in transport Meristems Regions where cells continuously divide Plant growth originates mainly...
  • "Effectively Utilizing Volunteers" - Purdue Extension

    "Effectively Utilizing Volunteers" - Purdue Extension

    What truly matters is that you find a way to be successful and efficient with your time and that you get more done, gain control over your life, add time to your daily life, and reduce stress. * * Conclusion...
  • Witness from Science--Biomimetics  -- Romans 1:20 For the

    Witness from Science--Biomimetics -- Romans 1:20 For the

    Witness from Science--Biomimetics科学见证--仿生学 Romans 1:20 "For the invisible things of him from the creation of the world are clearly seen, being understood by the things that are made, even his eternal power and Godhead; so that they are without excuse:"...
  • Tutorium der Sektion CL: Einführung in die Statistik für ...

    Tutorium der Sektion CL: Einführung in die Statistik für ...

    Tutorium der Sektion CL: Einführung in die Statistik für Linguisten mit „R" 35. Jahrestagung der DGfS 12. März 2013 Stefan Evert (FAU Erlangen-Nürnberg)
  • SIM326: Microsoft Forefront End-to-End Protection for ...

    SIM326: Microsoft Forefront End-to-End Protection for ...

    Microsoft Forefront End-to-End Protection for Information Worker Business. Frank O. Trujillo Senior Program Manager ... Avast PC Tools Rising Trend Micro (CPR) Trend Micro CA-AV Authentium F-Prot ... Option of alternative 3rd party content filter . Above 99% detection rate.
  • FLOTILLA MEETING TRAINING MS PREVENTION OUTREACH SPECIALIST &

    FLOTILLA MEETING TRAINING MS PREVENTION OUTREACH SPECIALIST &

    * * MT COMPENDIUM CERTIFICATION SECTION * * Completion of online courses: 1. Introduction to Marine Safety and Environmental Protection (IMSEP) 2. Good Mate Course 3. Hazardous Materials: A Citizens Guide, FEMA EMI course IS-5a 4. Hold current USCG Auxiliary...
  • Anne Delauzun Careers @AnneDelauzun CHANGE IT UP, CHANGE

    Anne Delauzun Careers @AnneDelauzun CHANGE IT UP, CHANGE

    Student march for free tuition 2, Trafalgar Square, London, UK by Cory Doctorow, ... Tomlinson, M. (2007) Graduate Employability and Student Attitudes and Orientations to the Labour Market, Journal of Education and Work, 20, 4, 285-304.
  • Infectious Disease and Immune - Faculty Site Listing

    Infectious Disease and Immune - Faculty Site Listing

    hiv women are the fasting growing group contracting HIV/AIDS. In North America alone, Approximately 16% of women with diagnosed with it. 25 % are men who use drugs, and 46% are men who have sex with other men