An Empirical Study on the Correctness of Formally Verified Distributed Systems

@article{Fonseca2017AnES,
  title={An Empirical Study on the Correctness of Formally Verified Distributed Systems},
  author={Pedro Fonseca and Kaiyuan Zhang and Xi Wang and Arvind Krishnamurthy},
  journal={Proceedings of the Twelfth European Conference on Computer Systems},
  year={2017}
}
Recent advances in formal verification techniques enabled the implementation of distributed systems with machine-checked proofs. While results are encouraging, the importance of distributed systems warrants a large scale evaluation of the results and verification practices. This paper thoroughly analyzes three state-of-the-art, formally verified implementations of distributed systems: Iron-Fleet, Verdi, and Chapar. Through code review and testing, we found a total of 16 bugs, many of which… 
Storage Systems are Distributed Systems (So Verify Them That Way!)
TLDR
In building VeriBetrKV, a key-value store based on a state-of-the-art Bεtree, this work introduces new techniques to scale automated verification to larger code bases, still without introducing domain-specific logic or tooling, and shows a discipline that keeps the automated verification development cycle responsive.
Testing consensus implementations using communication closure
TLDR
It is shown that a random testing algorithm based on sampling lossy synchronous executions can empirically find a number of bugs—including previously unknown ones—in production distributed systems such as Zookeeper, Cassandra, and Ratis, and also produce more understandable bug traces.
Minha: Large-Scale Distributed Systems Testing Made Practical
TLDR
Minha is a framework that virtualizes multiple JVM instances in a single JVM, thus simulating a distributed environment where each host runs on a separate machine, accessing dedicated network and CPU resources.
MET: Model Checking-Driven Explorative Testing of CRDT Designs and Implementations
TLDR
It is argued that the CRDT design should be formally specified and model-checked, to uncover deep bugs which are beyond human reasoning, and how Met provides sufficient confidence in the correctness of the authors' CRDT designs and implementations is discussed.
The Design and Implementation of a Verified File System with End-to-End Data Integrity
TLDR
IFSCQ is the first certified file system that is secure against strong adversaries that can maliciously corrupt on-disk data and metadata, including attempting to roll back the disk to earlier versions of valid data.
MCoq: Mutation Analysis for Coq Verification Projects
TLDR
MCoq, the first mutation analysis tool for Coq projects, is demonstrated and it is believed MCoq can be useful to proof engineers and researchers for analyzing software verification projects.
Much ADO about failures: a fault-aware model for compositional verification of strongly consistent distributed systems
TLDR
A novel, compositional, atomic distributed object (ADO) model for strongly consistent distributed systems that combines the best of both options is proposed and it is demonstrated that proving properties even of composite distributed systems can be straightforward with Coq verification framework, Advert, thanks to the ADO model.
Verifying strong eventual consistency in distributed systems
TLDR
This work develops a modular and reusable framework in the Isabelle/HOL interactive proof assistant for verifying the correctness of CRDT algorithms, and obtains the first machine-checked correctness theorems for three concrete CRDTs.
Verifying Serializability Protocols With Version Order Recovery
TLDR
The concept of version order recovery is introduced, which recovers the version order from database systems while imposing fewer constraints than existing verifiers, that provides the means for efficient verification of serializable concurrency control protocols.
WormSpace: A Modular Foundation for Simple, Verifiable Distributed Systems
TLDR
A modular layered verification approach is used to link the proofs for WormSpace, its applications, and a verified operating system to produce the first verified distributed system stack from the application to the operating system.
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 64 REFERENCES
Verdi: a framework for implementing and formally verifying distributed systems
TLDR
Verdi, a framework for implementing and formally verifying distributed systems in Coq, formalizes various network semantics with different faults, and enables the developer to first verify their system under an idealized fault model then transfer the resulting correctness guarantees to a more realistic fault model without any additional proof burden.
IronFleet: proving practical distributed systems correct
TLDR
A methodology for building practical and provably correct distributed systems based on a unique blend of TLA-style state-machine refinement and Hoare-logic verification is described, which proves that each obeys a concise safety specification, as well as desirable liveness requirements.
seL4: formal verification of an OS kernel
TLDR
To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
Dafny: An Automatic Program Verifier for Functional Correctness
TLDR
A tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs, is given and the full functional specification of the Schorr-Waite algorithm is shown.
Chapar: certified causally consistent distributed key-value stores
TLDR
A framework called Chapar is presented for modular verification of causal consistency for replicated key-value store implementations and their client programs and a simple automatic model checker for the correctness of client programs is implemented.
End-to-end verification of stack-space bounds for C programs
TLDR
A framework that enables the formal verification of stack-space bounds of compiled machine code at the C level consisting of a verified CompCert-based compiler that preserves quantitative properties, a verified quantitative program logic for interactive stack-bound development, and a verified stack analyzer that automatically derives stack bounds during compilation.
D3S: Debugging Deployed Distributed Systems
TLDR
D3S is a checker that allows developers to specify predicates on distributed properties of a deployed system, and that checks these predicates while the system is running, and can detect non-trivial correctness and performance bugs at runtime and with low performance overhead.
Formal Verification of the Pastry Protocol Using TLA +
TLDR
This article relaxes the assumption from previous publication to allow arbitrary concurrent joins of nodes, which reveals new insights into Pastry through a final formal model in TLA, LuPastry, which is the first formal proof of Pastry where concurrent joins and lookups are simultaneously allowed.
Push-Button Verification of File Systems via Crash Refinement
TLDR
Yggdrasil is a toolkit for writing file systems with push-button verification that requires no manual annotations or proofs about the implementation code, and it produces a counterexample if there is a bug, and the experience shows that the ease of proof and countereXample-based debugging support make YggdrAsil practical for building reliable storage applications.
Safe kernel extensions without run-time checking
TLDR
PCC binaries can be executed with no run-time over-head, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs, and are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.
...
1
2
3
4
5
...