Using Crash Hoare logic for certifying the FSCQ file system

@article{Chen2016UsingCH,
  title={Using Crash Hoare logic for certifying the FSCQ file system},
  author={Haogang Chen and Daniel Ziegler and Tej Chajed and Adam Chlipala and M. Frans Kaashoek and Nickolai Zeldovich},
  journal={Proceedings of the 25th Symposium on Operating Systems Principles},
  year={2016}
}
FSCQ is the first file system with a machine-checkable proof (using the Coq proof assistant) that its implementation meets its specification and whose specification includes crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by… 

Figures from this paper

Certifying a file system using crash hoare logic
TLDR
The Crash Hoare logic (CHL), which extends traditionalHoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels, is introduced, which develops, specified, and proved the correctness of the FSCQ file system.
Verifying a high-performance crash-safe file system using a tree specification
DFSCQ is the first file system that (1) provides a precise specification for fsync and fdatasync, which allow applications to achieve high performance and crash safety, and (2) provides a
Push-Button Verification of File Systems via Crash Refinement
TLDR
Yggdrasil is a toolkit for writing file systems with push-button verification that requires no manual annotations or proofs about the implementation code, and it produces a counterexample if there is a bug, and the experience shows that the ease of proof and countereXample-based debugging support make YggdrAsil practical for building reliable storage applications.
GoJournal: a verified, concurrent, crash-safe journaling system
TLDR
GoJournal, a verified, concurrent journaling system that provides atomicity for storage applications, together with Perennial 2.0, a framework for formally specifying and verifying concurrent crash-safe systems, are implemented.
RoosterFS CS 260 Project Writeup
TLDR
This work introduces concurrent crash Hoare logic (CCHL) as a means of reasoning about system correctness in the presence of of both concurrency and crashes, and has implemented the logic in Coq proof assistant and begun proving it sound according to the semantics of an imperative language with locks, heap, and disk operations.
Argosy: verifying layered storage systems with recovery refinement
TLDR
Argosy is presented, a framework for machine-checked proofs of storage systems that supports layered recovery implementations with modular proofs that includes a proof that recovery refinements compose, using Kleene algebra for concise definitions and metatheory.
Determinizing Crash Behavior with a Verified Snapshot-Consistent Flash Translation Layer
TLDR
The design of a snapshot-consistent flash translation layer (SCFTL) for flash disks, which has a stronger guarantee about the possible behavior after a crash than conventional designs, is introduced and modified to support group commit and utilize SCFTL's stronger crash guarantee.
A methodology for trustworthy file systems
TLDR
The goal of this research is to demonstrate that an implementation level machine-checked proof of correctness of a file system can be done at reasonable cost, and that overall the methodology drastically reduces the effort of verifying file system code.
Proving confidentiality in a file system using DiskSec
TLDR
This paper introduces DISKSEC, a novel approach for reasoning about confidentiality of storage systems, such as a file system, that addresses the challenge of specifying confidentiality using the notion of data noninterference to find a middle ground between strong and precise information-flow-control guarantees and the weaker but more practical discretionary access control.
Reducing crash recoverability to reachability
TLDR
A hierarchical formal model of what it means for a program to be crash recoverable is provided and a novel technique capable of automatically proving that a program correctly recovers from a crash via a reduction to reachability is introduced.
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 85 REFERENCES
Using model checking to find serious file system errors
TLDR
This article shows how to use model checking to find serious errors in file systems by building a system, FiSC, and applying it to four widely-used, heavily-tested file systems: ext3, JFS, ReiserFS and XFS.
Universität Augsburg Crash-Safe Refinement for a Verified Flash File System
TLDR
This paper presents formal proof obligations for data refinement in the presence of unexpected crashes, notably due to a power failure, to one of the components in the flash file system, namely the erase block management layer.
Verdi: a framework for implementing and formally verifying distributed systems
TLDR
Verdi, a framework for implementing and formally verifying distributed systems in Coq, formalizes various network semantics with different faults, and enables the developer to first verify their system under an idealized fault model then transfer the resulting correctness guarantees to a more realistic fault model without any additional proof burden.
Verifying a File System Implementation
TLDR
This work proves the implementation of a basic file system implementation correct by establishing a simulation relation between the specification of the file system and its implementation (which uses fixed-size disk blocks to store the contents of the files).
Specifying Crash Safety for Storage Systems
TLDR
The goal is to certify a simple Unix-like file system with logging, and the three goals were to prevent real bugs, to enable proof automation, and to allow for modularity.
EXPLODE: a lightweight, general system for finding serious storage system errors
TLDR
ExPLODE is a system that makes it easy to systematically check real storage systems for errors, taking user-written, potentially system-specific checkers and uses them to drive a storage system into tricky corner cases, including crash recovery errors.
seL4: formal verification of an OS kernel
TLDR
To the knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
Formally Proved Anti-tearing Properties of Embedded C Code
  • June Andronick
  • Computer Science
    Second International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (isola 2006)
  • 2006
TLDR
This paper presents a method to formally prove that a C program verifies the anti-tearing property for a given "tearing- sensitive" operation, which requires an extension of the method in order to specify and verify functions behaviour in the case of a sudden interruption of their execution.
All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent Applications
TLDR
It is found that applications use complex update protocols to persist state, and that the correctness of these protocols is highly dependent on subtle behaviors of the underlying file system, which is referred to as persistence properties.
Safe to the last instruction: automated verification of a type-safe operating system
TLDR
Verve is the first operating system mechanically verified to guarantee both type and memory safety, and its approach demonstrates a practical way to mix high-level typed code with low-level untyped code in a verifiably safe manner.
...
1
2
3
4
5
...