DOCSLIB.ORG

COGENT: Verifying High-Assurance File System Implementations

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
COGENT: Verifying High-Assurance File System Implementations COGENT: Verifying High-Assurance File System Implementations Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray, Gerwin Klein, Gernot Heiser Data61 (formerly NICTA) and UNSW, Australia fi[email protected] Abstract File systems, which constitute the largest fraction of code We present an approach to writing and formally verify- in Linux after device drivers, have among the highest defect ing high-assurance file-system code in a restricted lan- density of Linux kernel code [38]. Furthermore, new file sys- tems are frequently added for new media types or for new guage called COGENT, supported by a certifying compiler performance and reliability trade-offs. The lack of support that produces C code, high-level specification of COGENT, and translation correctness proofs. The language is strongly for correctly writing new file systems is a standard bottle- typed and guarantees absence of a number of common file neck. system implementation errors. We show how verification ef- Formal verification in the style of seL4 [26] or Ironclad fort is drastically reduced for proving higher-level proper- [15] is the only approach to fully solve this problem. While ties of the file system implementation by reasoning about formal verification for file systems has seen a surge in ac- the generated formal specification rather than its low-level C tivity in recent years [9, 11, 18], it has however not yet code. We use the framework to write two Linux file systems, reached that same level of detail and assurance. In the most and compare their performance with their native C imple- advanced and deepest of these verifications, Chen et al. [8] mentations. formally shows crash-resilience of the FSCQ file system im- plemented in the Coq prover [6]. Even this verification still Categories and Subject Descriptors D.4.5 [Operating relies on generating Haskell code from the Coq implemen- Systems]: Reliability—Verification; D.2.4 [Software Engi- tation, and executing that generated code with a full Haskell neering]: Software / Program Verification—Formal meth- run-time at user level. This proof crosses an important bar- ods; D.3.2 [Programming Languages]: Language Classi- rier for formal verification: it removes human intervention fication—Applicative (functional) languages from the link between the code that runs and the model that is verified. However, the trusted code base is still huge: the Keywords file systems; verification; domain-specific lan- run-time is larger than the file system, the code generation guages; co-generation; Isabelle/HOL step from Coq is unverified, and the semantics of the tar- get language (Haskell) is complex and informal. While cer- 1. Introduction tainly an impressive result, for high-assurance systems on Operating systems (OS) code is critical for the dependability potentially resource-constrained devices, this is not yet good and security of computer systems. In monolithic systems, enough. most OS services are part of the kernel and are included in As motivated in [23], we design a new language called the trusted computing base (TCB) of any application. While COGENT to bridge the gap between verifiable formal model microkernels can help reduce the TCB [10, 17, 29, 47], in and low-level code. In separate work [36], we define the practice we need more, because most applications depend on formal semantics of COGENT, describe the COGENT com- the correct operation of a significant number of OS services. piler in detail which generates C code and an Isabelle/HOL specification, and show how the seven main stages of au- tomatic compiler-produced proof work that connect the C Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed and the Isabelle/HOL specification. In this paper, we show for profit or commercial advantage and that copies bear this notice and the full citation how to reason about COGENT programs, how COGENT is on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or used to implement two Linux file systems, and we analyse republish, to post on servers or to redistribute to lists, requires prior specific permission how COGENT reduces the effort of reasoning about a low- and/or a fee. Request permissions from [email protected]. ASPLOS ’16, April 02 – 06, 2016, Atlanta, GA, USA. level C implementation in order to more productively rea- Copyright is held by the owner/author(s). Publication rights licensed to ACM. son about high-level functional specifications — similar in ACM 978-1-4503-4091-5/16/04. $15.00. http://dx.doi.org/10.1145/10.1145/2872362.2872404 style to Chen et al’s verification. To this end, we verified two high-level functional correctness properties of one of the two 1. We demonstrate the use of COGENT for implementing Linux file systems. These are properties that would form key actual file systems (Section 3). building blocks in, for instance, a proof of crash resilience. 2. We present proofs of high-level correctness properties of COGENT goes further than just bridging the gap from a file system implemented in COGENT and discuss how model to code. It also provides tools for file system program- COGENT facilitates such proofs (Section 4). mers without any formal verification expertise to provably avoid common errors: The language is type safe, i.e. the type 3. We discuss the effort involved in implementing file sys- system is strictly enforced. The compiler and type system in tems with verified properties in COGENT (Section 5). turn enforces basics like memory safety, but also the absence 4. We evaluate the COGENT-implemented file systems of any undefined behaviour on the C level, null pointer deref- against their native C counterparts (Section 5). erences, buffer overflows, memory leaks, and pointer mis- management in error handling. Mismanagement of pointers 2. Overview of Our Approach in error-handling code is a wide-spread problem in Linux file 2.1 COGENT systems specifically [41], and Saha et al. [42] shows that file systems have among the highest density of error-handling COGENT is tailored to writing systems code, with a specific code in Linux. In the verification of seL4, a significant frac- focus on file systems. It is intentionally more restrictive tion of the overall effort went into proving absence of such than general-purpose functional languages, to enable the use errors [25]–COGENT’s linear type system [49] provides this of efficient and powerful reasoning techniques on its high- for free and assists the programmer with memory alloca- level semantics, to avoid the need for an elaborate language tion handling. Memory safety and memory leaks are prob- run-time, and to enable the COGENT compiler to output lems with file systems, but also more generally in systems an automatic proof that the C code it generates correctly code [43]. The infamous Heartbleed bug for instance, was implements the behaviour of the COGENT program [36]. In a buffer overflow [16], the recent “goto-fail” defect in Ap- this paper, we further demonstrate how to prove functional ple’s SSL/TLS implementation was an error-handling prob- correctness of the COGENT program. lem obscured by gotos in an if-cascade [37], and the recent COGENT manages to avoid a garbage collector, unlike memory leak in Android Lollipop also was part of error- most existing high-level languages such as Java, Haskell, handling code [30]. All of these problems are prevented on and OCaml, by implementing a linear type system [49], the language level by COGENT, and are enforced by its certi- which ensures that each linearly typed object is used exactly fying compiler. Few other languages come with type-system once. The type system not only provides memory safety, but guarantees that address problems like memory leaks without also makes memory leaks compile-time errors. Traditional significant overhead or large language run-times (e.g. Rust), pure functional languages, such as Haskell, that disallow and none come with a formal semantics and a machine- side effects, favour frequent copies of dynamically allocated checked proof of their guarantees. data structures and make it hard to reason about the perfor- COGENT compiles to straight C code that can be com- mance of the generated code. COGENT’s linear type sys- piled by gcc or CompCert [27, 28]. The generated C code tem increases performance by allowing the compiled code also falls into the fragment understood by Sewell et al.’s gcc to modify data structures in-place. The type system sup- translation validation tool [46], providing a pathway to ex- ports parametric polymorphism. While doing so might not tend the verification all the way to binary level if needed. be an obvious choice for a language geared towards systems We designed COGENT with the code patterns and common programming, it is particularly important in the context of errors in Linux file systems in mind. As detailed in sepa- COGENT, which relies on external ADTs to implement data rate work [36], its semantics is sequential (allowing asyn- structures that cannot be implemented with linear types. chronous I/O, but not full concurrency), restricted to total COGENT also supports higher-order functions. In contrast functions, and contains no built-in loops or recursion. This to general-purpose functional languages, however, all func- simplifies reasoning, both for the compiler and on top of tions in COGENT have to be defined on the top-level. This the language. Iterators, external abstract functions, and types restriction is necessary to avoid the run-time overhead and that rely on sharing, are implemented in a formally modelled heap allocations necessary to implement closures otherwise.
Load more

Recommended publications
  • Huawei Announces EROFS Linux File-System, Might Eventually Be Used
    ARTICLES & REVIEWS NEWS ARCHIVE FORUMS PREMIUM CATEGORIES Custom Search Search Latest Linux News Huawei Announces EROFS Linux File-System, Might Huawei Announces EROFS Linux File- Eventually Be Used By Android Devices System, Might Eventually Be Used By Android Devices Written by Michael Larabel in Linux Storage on 31 May 2018 at 09:00 AM EDT. 3 Comments Mesa 18.0.5 Is The Last Planned Release In Huawei's Gao Xiang has announced the EROFS open-source Linux file-system The Series intended for Android devices, but still at its very early stages of AMD K8 Support Stripped Out Of Coreboot development. NVIDIA’s Next Generation Mainstream GPU Will At Least Be Detailed In August EROFS is the company's new approach for a read-only file-system that would work well for Android devices. EROFS is short for the Extendable Read-Only GNOME 3 Might Be Too Resource Hungry To File-System and they began developing it with being unsatisfied with other read-only file- Ever Run Nicely On The Raspberry Pi system alternatives. XWayland Gets Patch To Automatically Use EGLStreams For NVIDIA Support When EROFS is designed to offer better performance than other read-only alternatives while still Needed focusing upon saving storage space. As part of EROFS is also a compression mode pursuing BPFILTER Landing For Linux 4.18 For a different design approach than other file-systems: the compression numbers shared in Eventually Better Firewall / Packet Filtering today's announcement on both server hardware and a Kirin 970 are compelling for being in AMDGPU Patches Prepping JPEG Support For the early stages of development.
    [Show full text]
  • A Critical Review of Acquisitions Within the Australian Vocational Education and Training Sector 2012 to 2017 Kristina M. Nicho
    A Critical Review of Acquisitions within the Australian Vocational Education and Training Sector 2012 to 2017 Kristina M. Nicholls Victoria University Business School Submitted in fulfilment of requirements for the degree of Doctor of Business Administration 2020 Abstract A Critical Review of Acquisitions within the Vocational Education and Training Sector 2012 to 2017 Organisations often look to acquisitions as a means of achieving their growth strategy. However, notwithstanding the theoretical motivations for engaging in acquisitions, research has shown that the acquiring organisation, following the acquisition, frequently experiences a fall in share price and degraded operating performance. Given the failure rates that are conservatively estimated at over 50%, the issue of acquisitions is worthy of inquiry in order to determine what factors make for a successful or alternately an unsuccessful outcome. The focus of this study is the vocational education sector in Australia, where private registered training organisations [RTOs] adopted acquisitions as a strategy to increase their market share and/or support growth strategies prompted by deregulation and a multi-billion dollar training investment by both Australian State and Federal governments in the past ten years. Fuelled by these changes in Government policy, there was a dramatic growth in RTO acquisitions between the period 2012 and 2017. Many of these acquisitions ended in failure, including several RTOs that listed on the Australian Stock Exchange [ASX]. This study investigates acquisitions of Australian RTOs, focusing on the period from 2012 to 2017 [study period]. The aim is to understand what factors contributed to the success and/or failure of acquisitions of registered training organisations in the Australian Private Education Sector.
    [Show full text]
  • Total Cost of Ownership and Open Source Software
    What Place Does Open Source Software Have In Australian And New Zealand Schools’ and Jurisdictions’ ICT Portfolios? TOTAL COST OF OWNERSHIP AND OPEN SOURCE SOFTWARE Research paper by Kathryn Moyle Department of Education and Children’s Services South Australia July 2004 1 Contents Contents 2 List of tables and diagrams 3 Abbreviations 4 Acknowledgements 5 Executive summary 6 Options for future actions 7 Introduction 9 Key questions 9 Open source software and standards 9 Comparison of open source and proprietary software licences 11 Building on recent work 12 Contexts 14 Use of ICT in schools 14 Current use of open source software in Australia and New Zealand 14 Procurement and deployment of ICT 15 Department of Education and Children’s Services, South Australia 16 What is total cost of ownership? 17 Purpose of undertaking a total cost of ownership analysis 17 Why undertake total cost of ownership work? 17 How can total cost of ownership analyses help schools, regions and central agencies plan? 17 Total cost of ownership analyses should not be undertaken in isolation 18 Total cost of ownership and open source software 18 Review of literature 19 Open source software in government schools 19 Total cost of ownership 20 Total cost of ownership in schools 21 Total cost of ownership, open source software and schools 23 Summary 25 Undertaking a financial analysis 26 Principles underpinning a total cost of ownership 26 Processes 27 Testing a financial model: Total Cost of Ownership in a school 33 Scenario 33 Future plans 40 ICT deployment options
    [Show full text]
  • Z/OS Distributed File Service Zseries File System Implementation Z/OS V1R13
    Front cover z/OS Distributed File Service zSeries File System Implementation z/OS V1R13 Defining and installing a zSeries file system Performing backup and recovery, sysplex sharing Migrating from HFS to zFS Paul Rogers Robert Hering ibm.com/redbooks International Technical Support Organization z/OS Distributed File Service zSeries File System Implementation z/OS V1R13 October 2012 SG24-6580-05 Note: Before using this information and the product it supports, read the information in “Notices” on page xiii. Sixth Edition (October 2012) This edition applies to version 1 release 13 modification 0 of IBM z/OS (product number 5694-A01) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2010, 2012. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . xiii Trademarks . xiv Preface . .xv The team who wrote this book . .xv Now you can become a published author, too! . xvi Comments welcome. xvi Stay connected to IBM Redbooks . xvi Chapter 1. zFS file systems . 1 1.1 zSeries File System introduction. 2 1.2 Application programming interfaces . 2 1.3 zFS physical file system . 3 1.4 zFS colony address space . 4 1.5 zFS supports z/OS UNIX ACLs. 4 1.6 zFS file system aggregates. 5 1.6.1 Compatibility mode aggregates. 5 1.6.2 Multifile system aggregates. 6 1.7 Metadata cache. 7 1.8 zFS file system clones . 7 1.8.1 Backup file system . 8 1.9 zFS log files.
    [Show full text]
  • Page 14 Street, Hudson, 715-386-8409 (3/16W)
    JOURNAL OF THE AMERICAN THEATRE ORGAN SOCIETY NOVEMBER | DECEMBER 2010 ATOS NovDec 52-6 H.indd 1 10/14/10 7:08 PM ANNOUNCING A NEW DVD TEACHING TOOL Do you sit at a theatre organ confused by the stoprail? Do you know it’s better to leave the 8' Tibia OUT of the left hand? Stumped by how to add more to your intros and endings? John Ferguson and Friends The Art of Playing Theatre Organ Learn about arranging, registration, intros and endings. From the simple basics all the way to the Circle of 5ths. Artist instructors — Allen Organ artists Jonas Nordwall, Lyn Order now and recieve Larsen, Jelani Eddington and special guest Simon Gledhill. a special bonus DVD! Allen artist Walt Strony will produce a special DVD lesson based on YOUR questions and topics! (Strony DVD ships separately in 2011.) Jonas Nordwall Lyn Larsen Jelani Eddington Simon Gledhill Recorded at Octave Hall at the Allen Organ headquarters in Macungie, Pennsylvania on the 4-manual STR-4 theatre organ and the 3-manual LL324Q theatre organ. More than 5-1/2 hours of valuable information — a value of over $300. These are lessons you can play over and over again to enhance your ability to play the theatre organ. It’s just like having these five great artists teaching right in your living room! Four-DVD package plus a bonus DVD from five of the world’s greatest players! Yours for just $149 plus $7 shipping. Order now using the insert or Marketplace order form in this issue. Order by December 7th to receive in time for Christmas! ATOS NovDec 52-6 H.indd 2 10/14/10 7:08 PM THEATRE ORGAN NOVEMBER | DECEMBER 2010 Volume 52 | Number 6 Macy’s Grand Court organ FEATURES DEPARTMENTS My First Convention: 4 Vox Humana Trevor Dodd 12 4 Ciphers Amateur Theatre 13 Organist Winner 5 President’s Message ATOS Summer 6 Directors’ Corner Youth Camp 14 7 Vox Pops London’s Musical 8 News & Notes Museum On the Cover: The former Lowell 20 Ayars Wurlitzer, now in Greek Hall, 10 Professional Perspectives Macy’s Center City, Philadelphia.
    [Show full text]
  • A Study of Failure Recovery and Logging of High-Performance Parallel File Systems
    1 A Study of Failure Recovery and Logging of High-Performance Parallel File Systems RUNZHOU HAN, OM RAMESHWAR GATLA, MAI ZHENG, Iowa State University JINRUI CAO, State University of New York at Plattsburgh DI ZHANG, DONG DAI, North Carolina University at Charlotte YONG CHEN, Texas Tech University JONATHAN COOK, New Mexico State University Large-scale parallel file systems (PFSes) play an essential role in high performance computing (HPC). However, despite the importance, their reliability is much less studied or understood compared with that of local storage systems or cloud storage systems. Recent failure incidents at real HPC centers have exposed the latent defects in PFS clusters as well as the urgent need for a systematic analysis. To address the challenge, we perform a study of the failure recovery and logging mechanisms of PFSes in this paper. First, to trigger the failure recovery and logging operations of the target PFS, we introduce a black- box fault injection tool called PFault, which is transparent to PFSes and easy to deploy in practice. PFault emulates the failure state of individual storage nodes in the PFS based on a set of pre-defined fault models, and enables examining the PFS behavior under fault systematically. Next, we apply PFault to study two widely used PFSes: Lustre and BeeGFS. Our analysis reveals the unique failure recovery and logging patterns of the target PFSes, and identifies multiple cases where the PFSes are imperfect in terms of failure handling. For example, Lustre includes a recovery component called LFSCK to detect and fix PFS-level inconsistencies, but we find that LFSCK itself may hang or trigger kernel panicswhen scanning a corrupted Lustre.
    [Show full text]
  • Lustre* Software Release 2.X Operations Manual Lustre* Software Release 2.X: Operations Manual Copyright © 2010, 2011 Oracle And/Or Its Affiliates
    Lustre* Software Release 2.x Operations Manual Lustre* Software Release 2.x: Operations Manual Copyright © 2010, 2011 Oracle and/or its affiliates. (The original version of this Operations Manual without the Intel modifications.) Copyright © 2011, 2012, 2013 Intel Corporation. (Intel modifications to the original version of this Operations Man- ual.) Notwithstanding Intel’s ownership of the copyright in the modifications to the original version of this Operations Manual, as between Intel and Oracle, Oracle and/or its affiliates retain sole ownership of the copyright in the unmodified portions of this Operations Manual. Important Notice from Intel INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IM- PLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSO- EVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR IN- FRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL IN- DEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE AT- TORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCON- TRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.
    [Show full text]
  • The Dark Side of the Attack on Colonial Pipeline
    “Public GitHub is 54 often a blind spot in the security team’s perimeter” Jérémy Thomas Co-founder and CEO GitGuardian Volume 5 | Issue 06 | June 2021 Traceable enables security to manage their application and API risks given the continuous pace of change and modern threats to applications. Know your application DNA Download the practical guide to API Security Learn how to secure your API's. This practical guide shares best practices and insights into API security. Scan or visit Traceable.ai/CISOMag EDITOR’S NOTE DIGITAL FORENSICS EDUCATION MUST KEEP UP WITH EMERGING TECHNOLOGIES “There is nothing like first-hand evidence.” Brian Pereira - Sherlock Holmes Volume 5 | Issue 06 Editor-in-Chief June 2021 f the brilliant detective Sherlock Holmes and his dependable and trustworthy assistant Dr. Watson were alive and practicing today, they would have to contend with crime in the digital world. They would be up against cybercriminals President & CEO Iworking across borders who use sophisticated obfuscation and stealth techniques. That would make their endeavor to Jay Bavisi collect artefacts and first-hand evidence so much more difficult! As personal computers became popular in the 1980s, criminals started using PCs for crime. Records of their nefarious Editorial Management activities were stored on hard disks and floppy disks. Tech-savvy criminals used computers to perform forgery, money Editor-in-Chief Senior Vice President laundering, or data theft. Computer Forensics Science emerged as a practice to investigate and extract evidence from Brian Pereira* Karan Henrik personal computers and associated media like floppy disk, hard disk, and CD-ROM. This digital evidence could be used [email protected] [email protected] in court to support cases.
    [Show full text]
  • Operating System Security – a Short Note
    Operating System Security – A Short Note 1,2Mr. Kunal Abhishek, 2Dr. E. George Dharma Prakash Raj 1Society for Electronic Transactions and Security (SETS), Chennai 2Bharathidasan University, Trichy [email protected], [email protected] 1. Introduction An Operating System (OS) is viewed as a Reference Monitor (RM) or a Reference Validation Mechanism (RVM) that provides basic level security. In [1], Anderson reported three design requirements for a Reference Monitor or Operating System. He suggested that an OS or RM should be tamper proof that means OS programs are not alterable, OS should always be invoked and OS must be small enough for analysis and testing purposes so that completeness of which can be assured. These OS design requirements became the deriving principle of OS development. A wide range of operating systems follow Anderson’s design principles in modern time. It was also observed in [2] that most of the attacks are imposed either on OS itself or on the programs running on the OS. The attacks on OS can be mitigated through formal verification to a great extent which prove the properties of OS code on various criteria like safeness, reliability, validity and completeness etc. Also, formal verification of OS is an intricate task which is feasible only when RVM or RM is small enough for analysis and testing within a reasonable time frame. Other way of attacking an OS is to attack the programs like device drivers running on top of it and subsequently inject malware through these programs interfacing with the OS. Thus, a malware can be injected in to the sensitive kernel code to make OS malfunction.
    [Show full text]
  • November 1981
    ... - ~.~ AMERICAN VIOLA SOCIETY American Chapter of the INTERNATIONALE VIOLA FORSCHUNGSGESELLSCHAFr November NKtNSLETTEFt 21 19t5l A MESSAGE -.FftOK OUR- NEW- PRESIDENT-_.-_-- A Tribute to Myron ftoaenblulD I want to thank the members of the American Viola Society for trle honor you have beatowed on me in the recent electiona. I am indeed grateful, but alac awed by the responsibility of being the prei1dent of the American Viola Society. It wll1~be very difficult to fill the ahoes of Myron Roaenblum, the founder of our Society. Durin! hi. tenure as prealdemt, the society member­ ah1p has grown to over 38' memberlil. For many yearl, Myron was the preslden.t, secretary, treasurer, and edltorof the Newsletter of our organization. In addition, his home was stored with booka, music, and recordinga w·hich were ma.de available to members of the Society at reduced ratel. Mra. Pto8enblum ahould a1ao receive due credit for a811atanoe and interest in this project, which did not include any monetary profit. The New.letter, which Myron hal ed1ted, hag been a. source of information 1n all ares.& perralnin~ to the viola. ",:tTe all regret that this will be the la&t Newiletter written by Myron. He will continue, however, to contribute articles and act a8 .n advlaer for future issues. The recently ratified iy-La.wl of the American Viola Society provide that the immediate Past-Prealdent will contluue to serve aa an officer. Thil 1. indeed fortunate for the new president. I aha.II rely on Myren for advice and aaalatance during the next two yeara, whenever new problema confront the Society.
    [Show full text]
  • Error Propagation Analysis for File Systems!
    Error Propagation Analysis for File Systems! Cindy Rubio-González, Haryadi S. Gunawi, Ben Liblit, Remzi H. Arpaci-Dusseau, and Andrea C. Arpaci-Dusseau! University of Wisconsin-Madison PLDI’09 ECS 289C Seminar on Program Analysis February 17th, 2015 Motivation! • Systems software plays an important role! o Designed to operate the computer hardware! o Provides platform for running application software! • Particular focus on file systems! o Store massive amounts of data! o Used everywhere!! § Home use: photos, movies, tax returns! § Servers: network file servers, search engines! • Incorrect error handling → serious consequences! o Silent data corruption, data loss, system crashes, etc.! • Broken systems software → Broken user applications!! ! 2 Error Handling! Error Propagation + Error Recovery! USER-LEVEL APPLICATION SYSTEMS SOFTWARE Error Recovery:! ERROR ERROR • Logging! • Notifying! • Re-trying! Run-time ERROR ERROR Errors! HARDWARE Incorrect error handling → longstanding problem! 3 Return-Code Idiom! • Widely used in systems software written in C! • Also used in large C++ applications! • Run-time errors represented as integer values! • Propagated through variable assignments and function return values! 4 Error Codes in Linux! 5 Example of Error-Propagation Bug! 1 int txCommit(...) { 2 ... 3 if (isReadOnly(...)) { 4 rc = -EROFS; read-only file-system error! 5 ... 6 goto TheEnd; 7 } ... 8 if (rc = diWrite(...)) diWrite may return EIO error! 9 txAbort(...); 10 TheEnd: return rc; function returns variable rc 11 } 13 int diFree(...) { 14 ..
    [Show full text]
  • Advanced Development of Certified OS Kernels Prof
    Advanced Development of Certified OS Kernels Zhong Shao (PI) and Bryan Ford (Co-PI) Department of Computer Science Yale University P.O.Box 208285 New Haven, CT 06520-8285, USA {zhong.shao,bryan.ford}yale.edu July 15, 2010 1 Innovative Claims Operating System (OS) kernels form the bedrock of all system software—they can have the greatest impact on the resilience, extensibility, and security of today’s computing hosts. A single kernel bug can easily wreck the entire system’s integrity and protection. We propose to apply new advances in certified software [86] to the development of a novel OS kernel. Our certified kernel will offer safe and application-specific extensibility [8], provable security properties with information flow control, and accountability and recovery from hardware or application failures. Our certified kernel builds on proof-carrying code concepts [74], where a binary executable includes a rigorous machine-checkable proof that the software is free of bugs with respect to spe- cific requirements. Unlike traditional verification systems, our certified software approach uses an expressive general-purpose meta-logic and machine-checkable proofs to support modular reason- ing about sophisticated invariants. The rich meta-logic enables us to verify all kinds of low-level assembly and C code [10,28,31,44,68,77,98] and to establish dependability claims ranging from simple safety properties to advanced security, correctness, and liveness properties. We advocate a modular certification framework for kernel components, which mirrors and enhances the modularity of the kernel itself. Using this framework, we aim to create not just a “one-off” lump of verified kernel code, but a statically and dynamically extensible kernel that can be incrementally built and extended with individual certified modules, each of which will provably preserve the kernel’s overall safety and security properties.
    [Show full text]