Corpus ID: 15350257

Push-Button Verification of File Systems via Crash Refinement

@inproceedings{Sigurbjarnarson2016PushButtonVO,
  title={Push-Button Verification of File Systems via Crash Refinement},
  author={Helgi Sigurbjarnarson and James Bornholt and Nicolas Christin and Lorrie Faith Cranor},
  booktitle={USENIX Annual Technical Conference},
  year={2016}
}
The file system is an essential operating system component for persisting data on storage devices. Writing bug-free file systems is non-trivial, as they must correctly implement and maintain complex on-disk data structures even in the presence of system crashes and reorderings of disk operations. This paper presents Yggdrasil, a toolkit for writing file systems with push-button verification: Yggdrasil requires no manual annotations or proofs about the implementation code, and it produces a… 

Verifying a high-performance crash-safe file system using a tree specification
DFSCQ is the first file system that (1) provides a precise specification for fsync and fdatasync, which allow applications to achieve high performance and crash safety, and (2) provides a
A Modular Verification Methodology for Caching and Lock-Based Concurrency in File Systems
The Flashix project is a team effort to develop a functionally correct, crash-safe and concurrent file system for flash memory. The approach is based on encapsulated, modular components and their
RoosterFS CS 260 Project Writeup
TLDR
This work introduces concurrent crash Hoare logic (CCHL) as a means of reasoning about system correctness in the presence of both concurrency and crashes, and has implemented the logic in the Coq proof assistant and begun proving it sound according to the semantics of an imperative language with locks, heap, and disk operations.
Finding semantic bugs in file systems with an extensible fuzzing framework
TLDR
This paper showcases the effectiveness of Hydra with four checkers that hunt crash inconsistency, POSIX violations, logic assertion failures, and memory errors, and showcases the potential of applying fuzzing to find not just memory errors but, in theory, any type of file system bugs with an extensible fuzzing framework: Hydra.
Finding Crash-Consistency Bugs with Bounded Black-Box Crash Testing
TLDR
B3 builds upon insights derived from a study of crash-consistency bugs reported in Linux file systems in the last five years, which observed that most reported bugs can be reproduced using small workloads of three or fewer file-system operations on a newly-created file system, and that all reported bugs result from crashes after fsync().
EasyChair Preprint No 1235 Binary-compatible verification of filesystems with ACL 2
TLDR
LoFAT, a model of the FAT32 filesystem which efficiently implements a subset of the POSIX filesystem operations, and HiFAT, a more abstract model of FAT32 which is simpler to reason about, are introduced.
Towards Robust File System Checkers
TLDR
This work demonstrates via fault injection experiments that checkers of widely used file systems (EXT4, XFS, BtrFS, and F2FS) may leave the file system in an uncorrectable state if the repair procedure is interrupted unexpectedly.
Determinizing Crash Behavior with a Verified Snapshot-Consistent Flash Translation Layer
TLDR
The design of a snapshot-consistent flash translation layer (SCFTL) for flash disks, which has a stronger guarantee about the possible behavior after a crash than conventional designs, is introduced and modified to support group commit and utilize SCFTL's stronger crash guarantee.
A Crash-Safe Key-Value Store Using Chained Copy-on-Write B-trees
TLDR
This thesis presents a design of a crash-safe key-value store amenable to automated verification that uses chained copy-on-write b-trees to finitize the free-space map.
Modular Verification of Order-Preserving Write-Back Caches
TLDR
A novel crash-safety criterion is defined that facilitates specification and verification of order-preserving caches, and proof obligations for crash-safety have been verified for the Flashix flash file system.
References

SHOWING 1-10 OF 64 REFERENCES
Using Crash Hoare logic for certifying the FSCQ file system
TLDR
The Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels, is introduced; it reduces the proof effort for developers through proof automation.
Specifying and Checking File System Crash-Consistency Models
TLDR
A formal framework for developing crash-consistency models, analogous to memory consistency models, which describe the behavior of a file system across crashes, and a toolkit for validating those models against real file system implementations are presented.
Using model checking to find serious file system errors
TLDR
This article shows how to use model checking to find serious errors in file systems by building a system, FiSC, and applying it to four widely-used, heavily-tested file systems: ext3, JFS, ReiserFS and XFS.
EXPLODE: a lightweight, general system for finding serious storage system errors
TLDR
EXPLODE is a system that makes it easy to systematically check real storage systems for errors: it takes user-written, potentially system-specific checkers and uses them to drive a storage system into tricky corner cases, including crash recovery errors.
All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent Applications
TLDR
It is found that applications use complex update protocols to persist state, and that the correctness of these protocols is highly dependent on subtle behaviors of the underlying file system, which is referred to as persistence properties.
Automatically generating malicious disks using symbolic execution
TLDR
This paper shows how to automatically find bugs in file system code using symbolic execution, and checks the disk mounting code of three widely-used Linux file systems and found bugs where malicious data could either cause a kernel panic or form the basis of a buffer overflow attack.
Reducing crash recoverability to reachability
TLDR
A hierarchical formal model of what it means for a program to be crash recoverable is provided and a novel technique capable of automatically proving that a program correctly recovers from a crash via a reduction to reachability is introduced.
Refinement through restraint: bringing down the cost of verification
TLDR
This work presents a framework aimed at significantly reducing the cost of verifying certain classes of systems software, such as file systems, and allowing for equational reasoning about systems code written in Cogent, a restricted, polymorphic, higher-order, and purely functional language with linear types.
Error propagation analysis for file systems
TLDR
This work proposes an interprocedural static analysis that tracks errors as they propagate through file system code, and detects overwritten, out-of-scope, and unsaved unchecked errors.
Fsck—the UNIX file system check program
TLDR
The purpose of this document is to describe the normal updating of the file system, to discuss the possible causes of file system corruption, and to present the corrective actions implemented by fsck.