World's First Formally-Proven OS Kernel

An anonymous reader writes "Operating systems usually have bugs — the 'blue screen of death,' the Amiga Hand, and so forth are known by almost everyone. NICTA's team of researchers has managed to prove that a particular OS kernel is guaranteed to meet its specification. It is fully, formally verified, and as such it exceeds the Common Criteria's highest level of assurance. The researchers used an executable specification written in Haskell, C code that mapped to Haskell, and the Isabelle theorem prover to generate a machine-checked proof that the C code in the kernel matches the executable and the formal specification of the system." Does it run Linux? "We're pleased to say that it does. Presently, we have a para-virtualized version of Linux running on top of the (unverified) x86 port of seL4. There are plans to port Linux to the verified ARM version of seL4 as well." Further technical details are available from NICTA's website.

spec?

[polar+red]

but is the spec useable ? bugfree ?

Re:spec?

Someone take away this person's keyboard and internet connection please!

Re:spec?

[IamTheRealMike]

Is the hardware itself bug free?!

Re:spec?

Also, the fact that they are using a functional language like Haskell is pure smoke and mirrors.

In java, we all agree - form before function.

Re:spec?

no. another theorem tells that you can never verify that a code is bug free (it may be bug free, but you cannot prove it)

Re:spec?

[VoidCrow]

Perhaps not currently but, given the work on high level hardware compilation languages, it's only a matter of time before similar techniques are applied to hardware design.

Re:spec?

[maxwell+demon]

form before function.

That's why you first write it in a formal language, then in a functional language.

Re:spec?

[jadrian]

To verify the software meets its specification the specification itself must formalised in the theorem prover. This in turn gives you the possibility of proving properties of the spec itself.

Re:spec?

[mkeeler]

Why is C a linux language. Most operating systems are all written using C except maybe vista which would account for why it is such a slow piece of crap.

Re:spec?

[JasterBobaMereel]

It only means it meets the spec, not that the spec is correct ...

It does not mean that the faulty or erratic hardware cannot crash the system

It does not mean that other programs cannot crash and lose your data ...

It does not mean that buggy device drivers can make your system unusable

It does not mean that the system is perfect, only that it will always do what it is supposed to ... which may not be what you want ...

Re:spec?

[hesiod]

first write it in a formal language, then in a functional language.M

I don't believe Java fits either of those.

Re:spec?

[Pascal+Sartoretti]

but is the spec useable ? bugfree ?

And does it match the user or system needs ? And how easily can it be modified to cover new needs ?

Re:spec?

[EdZ]

For older hardware with well-known errata, yes. Why do you think modern fighter aircraft and spacecraft run on 486-derivatives and the like?

Re:spec?

I have two words for you:

denial.

Re:spec?

It doesn't really even fit "language" either.

Re:spec?

[maxwell+demon]

For spacecraft: AFAIK because the larger structures on the older chips are more robust against cosmic radiation.

Re:spec?

You could not even read the post correctly, let alone the article? The specification was written in Haskell. The final implementation was written in C and formally verified against the specification. Whomever marked you insightful fails, too. Slashdot really needs a -1 ignorant moderation.

Re:spec?

[Yvanhoe]

By definition, the spec only contains features, not bugs.

Re:spec?

[MBGMorden]

Actually from my recollection it's merely a design time issue. Spacecraft take a LONG time to design, test, and then produce. You can't just swap out the computer systems randomly during these phases, so generally a spacecraft will eventually be built with computer chips that were whatever was stable and mature (not the cutting edge stuff) at the time that the DESIGN phase began. Actual construction and launch can happen decades or more later, hence the use of what would seem like antiquated computer technology.

Really though, from everything I've gathered, from the standpoint of a computer, the calculations needed on most spacecraft are fairly simple. Lots of number crunching. Even older chips can perform those calculations with ease, so even though the technology is outdated it's not likely that big of a disadvantage.

Re:spec?

[eyrieowl]

there may be other advantages...but i'd suspect the 10-15 year development time for such projects plays a role. just b/c the state-of-the-art kept evolving during your projects development phase doesn't justify spending tons of money to keep revamping your system and software to take advantage of the new goodies.

Re:spec?

[digitig]

"Usable?" is a sensible question, but "bugfree?" is not. It's a meaningless question at the level of an OS kernel. You are wrongly thinking at the application level, not at the kernel level. The kernel gives you some guaranteed behaviour. If that behavour provides what you want then it's usable. If it doesn't then it's not. Neither case is a "bug".

Re:spec?

[digitig]

no. another theorem tells that you can never verify that a code is bug free (it may be bug free, but you cannot prove it)

[Citation needed]

Re:spec?

It's been done more, than twenty years ago. The floating-point support in the transputer processor was designed using formal methods, and was claimed at the time to be the world's first error-free IEEE floating-point implementation in hardware.

Re:spec?

[GundamFan]

On the plus side, if you can write good, stable Java code you can code in any language. Clearly because you have a brain the size of a planet.

Re:spec?

I'm not going to go into a lot of detail here, but the common criteria defines 7 levels of assurance; EAL 1-7. EAL 1 equates to no robustness. EALs 2-4 equate to medium robustness. EALs 5-7 equate to high robustness. An OS, or in the case of the kernel mentioned on the home page a hypervisor, is evaluated against a protection profile. The protection profile is the spec asked about by the original poster. I believe there is only one protection profile, applicable to an OS or hyperviser, that has been evaluated to high robustness - the separation kernel protection profile (SKPP). Generally, when an OS is evaluated against a PP, it is proven to meet at least the minimum requirements of that PP. Or, another way to look at it is, it will be proven do everything it says it is going to do and nothing else.

An OS/hyperviser is evaluated. The OS/hypervisor + applications + hardware is accredited. The OS/hypervisor + applications + hardware + installation is certified.

As an interesting side note, there is a protection profile that evaluates to medium robustness which specifies an OS on a computer not connected to a network in an enclosed room with an armed gaurd standing at the door. WinXP has been successfully evaluated to medium robustness against this PP.

Re:spec?

[itsdapead]

but is the spec useable ? bugfree ?

Practical upshot seems to be that, yes, the spec could always be wrong, but once you've proven the code meets the specification, you can reliably "test" for bugs by further analysis of the spec*. Its worth scanning this part of TFA

where they discuss the limitations of what they have done. Key quote:

The C code of the seL4 microkernel correctly implements the behaviour described in its abstract specification and nothing more.

This sort of technique sounds ideally suited to microkernels which, by their nature (a) are tightly specified, and are supposed to eschew feeping creaturism (b) serve a technical audience (they're inmteracting almost exclusively with other software, so the "users" are really programmers) and (c) make minimal assumptions about any hardware other than the CPU.

That's valuable, but I think it will be a while yet before we see a formally proven web browser, or any other software with a direct meatspace interface...

Re:spec?

[JunkmanUK]

My thoughts entirely. This seems an entirely meaningless boast to make, I'm almost angered by the title 'Safer Software' as this is almost implying that a fully functional OS is totally flawless. Not only that but they state it's "free of a large class of errors". What does that mean? What type of errors were not tested for (i.e. useability, functionality?).

Out of interest: 7,500 lines of C++ code? Is that really all that a kernel contains? If so they really are testing on far too small a scale. That's like saying 'the "ECU in this car is flawless therefore you'll never have an engine failure". Of course, that doesn't take into account that an oxygen sensor may fail, or a sensor reports incorrect data causing another piece of hardware to react wrongly.

In fact the more I think about this the more angry I become. Essentially this 'test' is completely meaningless. If they could mathematically prove that the millions of lines of code required to provide a fully functional system are flawless (i.e. would cause no undesired conditions during normal production use) then I'll be genuinely impressed.

Re:spec?

[arethuza]

Please tell me you aren't being serious.

Re:spec?

[Amouth]

actualy it's both.. cosmic ray's flipping bits is a concern.. or disrupting clock cycles.. there is a reason they use slower larger circuits in long term space applications..

Re:spec?

[orangesquid]

The study of the halting problem taught us that certain categories of algorithms cannot be formally proved to do certain things. Work on incompleteness tells us that we know algorithms must exist that fit that category.

The question, really, is whether the algorithms in and design of operating systems can be done in such a way that we don't run into incompleteness and halting-problem issues within the constraints of what we are trying to achieve -- after all, we aren't trying to achieve the impossible, just trying to make some specific, absolute guarantees.

I'd recommend a solid study of the Mizar Journal of Formalized Mathematics, the implications of the standard axioms of set theory (maybe including reduced forms of the axiom of choice, but that's not necessarily highly relevant), and careful analyses of what Goedel and Turning actually proved. After that, emergent behavior from cellular automata may be a good next investigation.

[IANA professional set-theory mathematician, logician, nor computer scientist, so take my post as a starting point for finding answers, please, not as anything definitive!]

Re:spec?

[maxwell+demon]

I have two words for you:

denial.

And the second word is?

Re:spec?

[bill_kress]

I don't know about usable, but a spec cannot have a bug. A bug is code that does not meet the spec. If the spec says "BSOD When user presses 7", and the user presses 7, a "Bug" would be a 7 showing up on the screen.

Re:spec?

[digitig]

The study of the halting problem taught us that certain categories of algorithms cannot be formally proved to do certain things. Work on incompleteness tells us that we know algorithms must exist that fit that category.

The question, really, is whether the algorithms in and design of operating systems can be done in such a way that we don't run into incompleteness and halting-problem issues within the constraints of what we are trying to achieve

And the answer in this case is pretty certainly "Yes, we can"; the tasks you can't do without running into halting or incompleteness issues are pretty esoteric and well outside the sort of thing an OS kernel would sensibly be called on to do.

Re:spec?

[BenoitRen]

It does not mean that buggy device drivers can make your system unusable

I don't think this is what you were going for. :)

Re:spec?

[Brewmeister_Z]

I worked as software engineer on avionics. The device I wrote for had a 486 chip and was basically the GUI for other avionics such as navigation and communication. It used a bunch of military and avionic standard protocols to communicate to the other boxes. I started coding for it in 2000 and at time it was just updates, new features and new boxes to integrate. However, they were on their way to porting this to PowerPC chips and using TCP/IP to a scalable multiple processor/box approach instead of a master/slave in two 486 boxes. The port to PowerPC also had forethought to write code that code be modular since the endian and bit size of the data had to be changed so code was was devised to know which architecture was being used for data.

The main reason for the port to PowerPC was the lack of 486 chips for new hardware for retrofitting other aircraft. At this point, they maybe looking for a new chip to replace the PowerPC.

Re:spec?

It only means it meets the spec, not that the spec is correct ...

But, as others have mentioned, the spec is formalised, and hence properties can be proven about the spec. For instance, a security proof on the formal spec shows that if two applications do not have permission to communicate, they can not (overtly) communicate.

It does not mean that the faulty or erratic hardware cannot crash the system

True.

It does not mean that other programs cannot crash and lose your data ...

But it does mean that one application can not bring down another, unless it has permission to.

It does not mean that buggy device drivers can make your system unusable

Buggy device drivers are only capable of bringing the particular device down. (If the hardware of that device can bring the system down through software, then yes, your are stuffed. In particular, DMA isn't addressed under the ARM port).

It does not mean that the system is perfect, only that it will always do what it is supposed to ... which may not be what you want ...

But is still a big first step in the direction of having a computer you can trust.

(Disclaimer: I have previously studied under researchers associated with this project.)

Re:spec?

[kamatsu]

1) L4 is a microkernel. You have no idea what you're talking about. If L4 works, then you could apply similar principles for all the other servers that run in kernel space.

2)This is the largest formal proof ever done in this sort of field. Seriously, the results are not immediately useful, but it's a good start.

Disclaimer: I have worked at NICTA in the past.

Re:spec?

[Brewmeister_Z]

This kernel is only meaningful if any process on top of it cannot cause a failure that locks the machine or forces a complete reboot.

For example, a life support system with a GUI that crashes should be able to recover that without forcing the respirator or other critical device to restart as well. Avionics also require that. The GUI device I coded was always paired as master/slave so the slave could immediately take over the master functions. It the old master recovered, then it would come back as the slave. The pilot would barely notice the hand off. This device handled only pilot aids such as nav and comm. The aircraft controls are another system but lack of nav and comm systems can be detrimental in some situations (military, landing/takeoff, and poor visibility).

Re:spec?

[ockegheim]

...and somewhere between halting and incompleteness, Omega sits, mocking us.

Re:spec?

[Tanktalus]

In your case? I think the second word is "*WHOOSH*".

Re:spec?

[TheLink]

Which is useful in certain scenarios, but not so useful in most real world scenarios. After all, it still does not prove the spec is what the customer really wants.

In the real world the problem is not so much the program not following the specs, but the problem is you can never get complete specs, and "correct behaviour" when you get down to the details often starts to become a matter of preference - you can make up pros and cons for the various options, you could make it configurable, but then you also have to decide which should be default ;).

A DHCP server I wrote, would give up and exit if someone shutdown the interface it was trying to send packets out from. Perhaps it shouldn't do that - but there was no spec on what it should do in that case (and many other cases).

One could spend years trying to write a complete spec, but most bosses, companies and customers can't wait that long.

For example: by the time you've finished a DHCP server spec, people might have long rolled out IPv6 and suddenly the requirements and specs change - people don't want an IPv4 dhcp server anymore ;).

Re:spec?

[Killotron]

I would hope he's being serious, because that statement is correct. Correctness of software is defined as meeting the spec. Does this mean the spec is right? No, but software that correctly meets the spec is doing exactly what the software was specified to do. A bug appears when the software doesn't meet the spec.

Re:spec?

[tuxgeek]

"The spec is written in C, a Linux language,"

C is not just a Linux language.
The win32 api is all C with some OOP and many system specific calls mixed in to make the thing work. Win32 still exists today in most M$ products, if not all.

Re:spec?

Nile

Re:spec?

The spec can, however, be inconsistent and contradictory with itself. If the spec demands features A and B and they absolutely preclude each other, can that not be considered a "bug" in the specification? God knows, crummy specs must be common. Whole sections end up rewritten when people actually start reading through the whole damn thing and notice that it's gonna blow up.

Re:spec?

[jhol13]

Actually it would seem that they did prove other programs cannot at crash lose your data (provided MMU works and the assumptions on that are OK).

Compare the others to any other OS. They cannot claim a single bit more about their specs, their HW, a lot less about their programs and immensely hugely less about device drivers (this is microkernel, after all).

"Perfect" is such a silly notion that I will not even go into it. But if definitely does what they want as it works "perfectly" according to their specs. I do not know what "you" want.

So claiming "only" or "not" in every sentence just means that you cannot admit these guys are years ahead everybody else.

Re:spec?

[TheLink]

Exactly. That's why these formal verification stuff is rather useless for most cases I see.

If you pass the customer a mix of water, flour, yeast, eggs and sugar and the customer says "That's not cake, it's not acceptable".

And you then say - "But we meet the cake spec we agreed on, so by that definition it's cake, you have to pay us".

Sure you can go sue the customer and force them to pay you the full sum, but unless most other people agree the customer has just been way too fussy, you might have fewer customers in the future.

Re:spec?

[BrokenHalo]

I guess if we gaze into our navels long enough, the probability is fairly high that we might find something interesting in there... ;-)

Re:spec?

[arethuza]

So what do you call a problem in a specification?

Re:spec?

Similar techniques may be perhaps be applied to hardware design in the future, but it is largely just a formality. At the very least the hardware will still be subject to random effects due to multi-domain clock synchronization effects.

Re:spec?

[Garridan]

Right. So Isabelle is necessarily an incomplete theorem prover -- but is it consistent? Also, is it bug-free?

And more concretely... is the spec bug-free? It took us years of trusting the DNS spec before Kaminsky found that little bug in the spec and could have pwn'd the world.

Re:spec?

[turbidostato]

"...and somewhere between halting and incompleteness, Omega sits, mocking us."

What the f*...? My Omega is no sitting but on my wrist ticking Ok and it's automatic, so no halting problem nor incompleteness, no sir.

Re:spec?

They verified 7,500 lines of C code.

They didn't verify the compiler.

Re:spec?

[Osvaldo+Doederlein]

L4 is a microkernel, so it DOES mean that buggy device drivers cannot crash, corrupt, DoS or own the system; because drivers would all run in userland.

Of course, if bugs prevents that some essential driver works at all, the system may becomes unusable anyway. But the kernel is still in control and it can resort to techniques like restarting the driver or, if the driver keeps failing, replacing it by a much simpler, "safe mode" driver so you can use the system even with some reduced functionality or performance.

Re:spec?

[HomelessInLaJolla]

Ladies and gentlemen, I bring to you a new and never before seen technique: the flowchart.

Re:spec?

[gr8_phk]

It only means it meets the spec, not that the spec is correct ...

Yes, and the spec is written in Haskell. So essentially they've proven the C code is equivalent to the Haskell code in some sense.
I would still like to see the paper, there must be more value in it than that right?

Re:spec?

[EvanED]

Incorrect, and a common misconstruation of the halting problem (or really Rice's theorem, which is a short extension of the halting problem).

What Rice's Theorem says is that for any proof technique, there will be some program that confounds it. That is at least one program will cause it to either not terminate or give an incorrect answer.

What we can still do is verify a lot of programs, and in particular, perhaps even most "realistic" programs.

Re:spec?

"It only means it meets the spec, not that the spec is correct ..."

And that too only under the assumption that the theorem prover is bug-free...

Re:spec?

[EvanED]

It's a good thing that the original AC who posted about the task being impossible was right and your arrogance is justified.

Oh wait, he wasn't.

Re:spec?

Perhaps you are unclear on the concept of a device driver. The whole point of a device driver is that it allows you to direct access to the device's hardware. If that hardware has a way to crash, corrupt, or DoS the system, there's nothing the kernel can do about it.

dom

Re:spec?

Uh, seriously? Look up Rice's theorem. There are programs that contain bugs. There are programs that don't. Ergo, no computer program can distinguish programs that contain bugs and programs that don't.

Re:spec?

[KDR_11k]

But that still doesn't matter when a production error occurs or, say, radiation causes the electronics to misbehave.

Re:spec?

Why would they want to replace the PowerPC? They are better, and more powerful than ever. Especially with Power7 on the horizon (next year?). Also you can get hardened versions still for those places where you really need such.

Re:spec?

[digitig]

Seriously. Learn a bit about how formal program proof works, and you'll find out why Rice's theorem is not relevant. Some clues:

• It's not all done by a computer, it's done by humans with a computer making sure the steps are valid.
• The proof is based in part on information not contained in the program
• The process is not guaranteed to terminate, but if it does terminate then you have a valid proof
• "Contains bugs" is rather too vague a property of a program for Rice's Theorem to apply.

Re:spec?

[KDR_11k]

You probably won't use verification for random consumer grade stuff. You use it for security critical systems where the safest reaction gets determined by researchers and then codified into the spec.

Re:spec?

[david_thornley]

What's wrong with what you're talking about? It sounds like standard practice at the big consulting firms.

Re:spec?

I don't think you realize how strong Rice's theorem is. You said it yourself: "That is at least one program will cause it to either not terminate or give an incorrect answer." But you neglect to mention that you cannot know which program this is beforehand. Indeed, there are infinitely many such programs, since the theorem still holds if you exclude the original confounding program. So you can't trust the output of any recursive function that distinguishes recursive functions by a non-trivial property. If you want to know if a program has a certain property, you need to run it yourself. (On the other hand, the notion of "running" can vary by context. Consider time analysis: typically, you make estimates and count them up as you "run" an algorithm by induction or more sophisticated evaluation models.)

You can't trust machinery that occasionally provides incorrect answers. It's like asking a liar if he is telling the truth.

The properties that can be verified are the so-called "trivial properties" of programs. These are properties that every program satisfy or that no program satisfy. For example, every program's parse tree has finite depth.

Re:spec?

What you are describing falls under "running a program to verify properties about it". Yes, that is a valid proof. And it cannot be automated away, specifically because of Rice's theorem.

Re:spec?

[poopdeville]

"Contains bugs" is rather too vague a property of a program for Rice's Theorem to apply.

Not really. Fitness for purpose is as good a property as any.

Re:spec?

[poopdeville]

In fact, here's some more knowledge for you: every constructive proof is equivalent to an algorithm, under the Howard-Curry Isomorphism. Since formal verification as you describe it aims to construct a constructive proof of a program's validity (albeit in a larger logic than the underlying program), it aims to construct an algorithm to validate the program, via the Howard-Curry correspondence. Ergo, Rice's theorem applies directly.

Re:spec?

[EvanED]

"So you can't trust the output of any recursive function that distinguishes recursive functions by a non-trivial property."

Yes you can. Suppose that you want a decider that answers questions of the form "does this other program halt". There are several options for this program:

1. If the decider terminates, it will always be correct. (Rice's theorem says there are input programs to the decider for which the decider will not terminate.)

2. The decider will always terminate, but will sometimes say that the input program does halt when, in fact, it does not. However, if the decider says that the program will not halt, it is correct.

3. The decider will always terminate, but will sometimes say that the input program does not halt when, in fact, it necessarily does. However, if the decider says that the program will halt, it is correct.

Rice's theorem does not say that you can't statically determine anything about any program ever.

Re:spec?

[EvanED]

Basically, put it this way. There are three properties we would like to have of a verification engine:

1. Soundness -- if the verification engine says a program has a property (e.g. "this program will necessarily halt" or "this program will not dereference a null pointer"), then the program actually does have that property.

2. Completeness -- if the verification engine says a program does not have a property, then the program actually does not have that property.

3. Termination -- the verification engine will halt on all inputs.

"All" Rice's theorem says is that you can't have all three properties. If you want, you can have any two of them. If you choose #1 and #2, then if you get an answer from your verification engine, you can trust it.

Re:spec?

[pnewhook]

PowerPC is still available and in use for space designs. Mainly because you can shut off the cache and still get decent performance - the cache is typically the weak point for radiation tolerance.

Re:spec?

[pnewhook]

No, its actually mainly a radiation issue. If you tried to bring a Core2 to the space station it would pretty much crash before you got into orbit.

Re:spec?

[pnewhook]

no. another theorem tells that you can never verify that a code is bug free (it may be bug free, but you cannot prove it)

That is sheer bullshit spread by software coders too stupid and inexperienced to be able to write good code and test it properly.

Re:spec?

[pnewhook]

Theorem says is that for any proof technique, there will be some program that confounds it.

Goes beyond proof programs. My now ex software lead wrote code so badly that even though it technically worked, commercial lines of code counters would often crash trying to parse it. Or if it didn't outright crash it would just spit out zero lines of code.

So yea, no matter what you technique you use there will be instances where it will break down. Doesn't mean the proof technique is wrong though.

Re:spec?

[digitig]

No it doesn't. The information that is external to the program code can (and typically does) include assertions about the code that cannot be computed but can be proven mathematically. And it doesn't matter that it can't be automated away, because it isn't automated (it wouldn't take so long if it were).

Re:spec?

[digitig]

It's an important property (and not the same property as "contains bugs" -- or even as "doesn't contain bugs"), but unless you can specify what it means in computational terms, precisely how is Rice's theorem going to apply?

Re:spec?

[m50d]

You could also try and prove that the proof is correct. Of course, you'd have no guarantee that the proof that the proof was correct was correct.

This is why I don't get these efforts - they never remove the possibility of a mistake, only shift it up a level. Well-written code is usually much easier to verify directly, by reading it, than the proofs are.

Re:spec?

[m50d]

Uh, "verifying whether a program has gone zombie" is a pretty basic task for the OS which the halting problem prevents you from doing correctly.

Re:spec?

[digitig]

Two things. One is that "verifying whether a program has gone zombie" doesn't seem to be within the scope of an L4 kernel. The other is that kernels don't verify whether a program has "gone zombie" by doing static code analysis, which is what the halting problem is about, and if they do decide that a program has "gone zombie" they don't do it on the basis that it will never terminate, only that it hasn't terminated within a reasonable timescale, so again the halting problem doesn't apply.

Re:spec?

The halting problem says that there exists *no* single algorithm that proves all instances. However, (1) - as has been pointed out - the specification for an OS is a specific spec, not all possible specs and (2) the proof of the micro kernel was machine assisted, this mean not a "single" algorithm, but partially manual. The theorem prover assisted, by automatining the easy bits, and checking correctness of the other manual difficult bit.

The halting problem does not make it impossible to prove particular instances of a problem, it just say that there is not algorithm that can deal with all. And Goedels incompleteness theorem says the same. If a specific problem is undecidale in a given logic, this doesn't mean that it can't be decidable in a more expressive logic. But that more expressive logic will have its own undecidable problems.

Re:spec?

[Trogre]

I think you've just summed up what's wrong with the POSIX spec.

Re:spec?

[Pseudonym]

It's an important property (and not the same property as "contains bugs" -- or even as "doesn't contain bugs"), but unless you can specify what it means in computational terms, precisely how is Rice's theorem going to apply?

Right, and this is probably the most important point.

The primary limitation to proving programs correct is not the halting problem, not the inability of theorem provers to understand your C code and not Rice's theorem. It's that the desired behaviour of your program isn't well-specified in the first place. Moreover, a formal specification for most nontrivial programs is likely to be as hard to write and debug as the program itself, or even harder.

You may want to bear in mind, for example, that L4 contains no peripheral drivers.

(Disclaimer: I work for NICTA. Different lab, though.)

Re:spec?

Constructing a proof is hard, and requires a lot of human intelligence in just about any nontrivial case. Checking a proof is easy, does not require any human assistance at all and can be done by multiple independently developed proof checking programs.

Re:spec?

[mikiN]

Pseudonym, pardon me for 'hijacking' this thread, but since you work for NICTA and I'm very interested in this result, I would like to ask:

In the summary, 'verified' and 'unverified' ports are mentioned. Does 'verified' in this context mean: formally proven hardware and compiler design?

Reason I ask is that having a formally proven kernel is of much less practical use when the generated binary doesn't implement the source code correctly, or the hardware doesn't execute the instructions given correctly.

Re:spec?

[Pseudonym]

The details are on NICTA's web site. Basically, they have verified that the C source code accurately implements a formal model of the L4 spec. They have not, for example, verified that the C compiler accurately implements the formal subset of C.

Formally verified compilers are still an active research area. Formally verified hardware has at least been around for a while, at least for chips smaller than VLSI.

What you'd like is for the entire stack to be formally verifiable, but we're a long way off that at the moment. Remember, it's only been in the last few years that assisted theorem provers like Isabelle and Coq have been up to the job.

Re:spec?

[EvanED]

That is sheer bullshit spread by software coders too stupid and inexperienced to be able to write good code and test it properly.

To be fair, testing is now how you verify that a program is bug free. (It's basically impossible; because using testing to prove correctness relative to a spec, which is what we're talking about here, would require running a test with every single possible input.)

Re:spec?

[RegularFry]

Yes it does, because if the design is proven and you've got a faulty part, you know it *must* be a production error. Just knowing what stage the fault comes from is a valuable thing.

Re:spec?

[st0nes]

That's why you first write it in a formal language, then in a functional language.

No, that's why you write the code first, then the spec once you've seen what the code actually does.

Re:spec?

Exactly. That's why these formal verification stuff is rather useless for most cases I see.

If you pass the customer a mix of water, flour, yeast, eggs and sugar and the customer says "That's not cake, it's not acceptable".

And you then say - "But we meet the cake spec we agreed on, so by that definition it's cake, you have to pay us".

Sure you can go sue the customer and force them to pay you the full sum, but unless most other people agree the customer has just been way too fussy, you might have fewer customers in the future.

In simpler words, if the spec doesn't meet the customer's needs then verifying the spec isn't going to help.

But I think you're missing the point about formal verification. It isn't supposed to replace validation of the spec - that still needs to be done. Rather, it effectively replaces a large component of testing. (It can't replace testing entirely, since you still need to test that the logic used in the formal proof is sound. But this can generally be verified with far fewer tests.)

Consider your analogy applied to test driven development instead of formal verification. If your test cases are lousy, you can't just say "it passes our tests so you have to pay us". Surely the customer will be equally dissatisfied with this situation.

Re:spec?

Exactly. That's why these formal verification stuff is rather useless for most cases I see.

If you pass the customer a mix of water, flour, yeast, eggs and sugar and the customer says "That's not cake, it's not acceptable".

And you then say - "But we meet the cake spec we agreed on, so by that definition it's cake, you have to pay us".

Sure you can go sue the customer and force them to pay you the full sum, but unless most other people agree the customer has just been way too fussy, you might have fewer customers in the future.

This cake analogy was not very insightful. It was pretty lame, actually.
I'd rather go with some marriage analogy.

Re:spec?

[pnewhook]

To be fair, testing is now how you verify that a program is bug free.

Thats part of it, there are others including visual inspection.

(It's basically impossible; because using testing to prove correctness relative to a spec, which is what we're talking about here, would require running a test with every single possible input.

My point is I've seen programmers with the attitude 'its impossible to verify that this is correct so I'm not going to bother testing'. That is what I'm calling bullshit. It is perfectly possible to use a combination of testing techniques to be reasonably certain that the code is correct and works as intended and required.

Re:spec?

[m50d]

if they do decide that a program has "gone zombie" they don't do it on the basis that it will never terminate, only that it hasn't terminated within a reasonable timescale, so again the halting problem doesn't apply.

No. They do it that way out of necessity, because of the halting problem. And it's a good enough approximation most of the time. But the correct way to do it would be to solve the halting problem. (Well, if it weren't impossible)

Re:spec?

[mikiN]

Thanks very much for the info. I'll be looking forward to some very interesting developments in this field.

Re:spec?

[mikiN]

Fluff!! The lowly navel lint that may turn out to be the key ingredient to obtaining visions of the future that may save the universe!

Re:spec?

[digitig]

No, they do it because the OS doesn't have the necessary information. As I say, it's possible to write a program that is guaranteed to halt, but the OS doesn't know whether you've done that or not. So even if the halting problem could be solved, it still wouldn't be how the OS would determine that a program had gone zombie (eg, due to a hardware fault).

Re:spec?

If the specification itself would have been written in a specification language (e.g., LTL, CTL, PSL) rather than a programming language, then once they foramlly verified that the implementation correctly implements the specification, they can be sure that there are no bugs. Have they fully and correctly specificed the system? That's a different question/story...

Re:spec?

[badkarmadayaccount]

I see a market for low cost, high endurance i486 chips... Any takers?

Re:spec?

[badkarmadayaccount]

Beginner question: Why not just use the Haskell code?

Re:spec?

[badkarmadayaccount]

#include

void main() {
cout<<"Hello world.";
}

Re:spec?

[JasterBobaMereel]

The Haskell code will run slower and might (depending on the compiler) be larger

Correct code will do the correct thing, but it will only be correct in the sense that it will do what it was asked to do, not what you want it to do....

Re:spec?

lol
don't forget to write your first own interactive theorem prover before you do anything useful

first post hopefully

first please

Re:first post hopefully

[larry+bagina]

Unfortunately, formally proving your first post changed the outcome.

Re:first post hopefully

[DrVxD]

Prove it. Formally.

Thank goodness

[2.7182]

People are starting to see the value of this. Also of programming in logic based languages like Haskell, ML etc.

Re:Thank goodness

[morgan_greywolf]

As opposed to programming languages that aren't logic-based? What separates Haskell, Ocaml, Lisp, Scheme, etc. from others is that they are functional programming languages, as opposed to imperative-based languages like C.

Both use logic, just in different ways.

Re:Thank goodness

[johannesg]

People are starting to see the value of this. Also of programming in logic based languages like Haskell, ML etc.

People have seen the value of this since the first days of programming. In fact, the value is so enormous that no one can afford it... And they have just finished proving that first few lines of code they wrote. In another five decades they hope to be able to have Notepad proven and ready to run so you can actually get some work done!

Re:Thank goodness

[mrjb]

In fact, the value is so enormous that no one can afford it...

If you're a techie, you should use be more accurate in your use of language. Substituting the word 'price' for 'value' is something you should only do in sleazy sales pitches.

Re:Thank goodness

[Desler]

Also of programming in logic based languages like Haskell, ML etc.

Since when was C not based in logic? Do you even know what the hell you're talking about?

Re:Thank goodness

Name the logic that C is based on, then.

C may be "logical" in a colloquial sense. It's not based on a formal logical calculus.

Do you even know what the hell you are talking about?

Re:Thank goodness

[Idiot+with+a+gun]

It's a paradigm, technically. Although Haskell isn't a logic language, it's functional. Prolog is logical, and nigh useless for most applications.

Re:Thank goodness

What separates Haskell, Ocaml, Lisp, Scheme, etc. from others is that they are functional programming languages, as opposed to imperative-based languages like C.

And all (pure) functional lanuages are equivalent by a very well-known and understood isomorphism (Curry-Howard) to a deductive logic system. C and other imperative languages afford no known similar isomorphism (indeed, it can be proven that such a thing can't possibly exist).

Both use logic, just in different ways.

Not at all. It's not about "using" logic -- it's about programs being equivalent to logical proofs. This is demonstrable with functional languages. Absolutely not so with imperative ones.

Re:Thank goodness

[pjturpeau]

I think he used a kind of ironic structure in his sentence. And you should check your language too.

Re:Thank goodness

[Waffle+Iron]

In another five decades they hope to be able to have Notepad proven and ready to run so you can actually get some work done!

Progress has been slow, mainly because for most of the last 20 years, they've been hung up trying to formally prove that a newline character looks like a rectangle.

Re:Thank goodness

[maxwell+demon]

So what does the following Haskell program proof?

main = putStrLn "Hello, World!"

Re:Thank goodness

Yes he does. From what I understand C is not "provable", or at least nigh impossible. With functional languages like ML, it is provable.

Re:Thank goodness

According to Wikipedia, Haskell and ML are actually functional langauges. Prolog is a logic-based one, while C is considered a procedural language.

Re:Thank goodness

you should use be more accurate in your use of language

Indeed :)

Re:Thank goodness

[xaxa]

It's a paradigm, technically. Although Haskell isn't a logic language, it's functional. Prolog is logical, and nigh useless for most applications.

No, it's just more difficult to write the program for most applications.

IMO, it's because it's more difficult to precisely articulate the problem and method (for Prolog) than to work through the solution (for an imperative language).

Re:Thank goodness

[Hurricane78]

He meant functional programming. And no, he doesn't. ^^

Re:Thank goodness

Do you? Try to google haskel, or Logic based languages vs functional languages. It's a term used to describe the difference types of programming languages( and if you didnt realize there are differences, just kill yourself).

Maybe then you wont jump the gun and say something stupid,er...wrong.

Re:Thank goodness

[maxwell+demon]

Yes he does. From what I understand C is not "provable", or at least nigh impossible. With functional languages like ML, it is provable.

Isn't TFA about a proof of C code?

Re:Thank goodness

[arethuza]

While C includes some logical operators based on boolean logic most of the language has no connection whatsoever to anything that looks like formal logic. Compare this to Prolog - which has a much closer mapping to predicate calculus or pure functional languages which have a very good mapping to lambda calculus.

Re:Thank goodness

[morgan_greywolf]

main = True (provided that the putStrLn is successful)

Re:Thank goodness

In fact, the value is so enormous that no one can afford it...

If you're a techie, you should use be more accurate in your use of language. Substituting the word 'price' for 'value' is something you should only do in sleazy sales pitches.

If you're a techie, you should use be more accurate in your use of language. Substituting the word 'price' for 'value' is something you should only do in sleazy sales pitches. (Read your comment again. You'll see it.)

Re:Thank goodness

[jorghis]

You know the funny thing about this whole discussion is that the OS linked to in the article is not the first. Integrity from Green Hills Software was proven correct a while ago. It is popular for safety critical stuff like flight controls for airplanes and is one of the dominant players in that niche.

http://www.informationweek.com/blog/main/archives/2008/11/green_hills_sof.html

And what is truly amusing about following this argument, is that Integrity is written in C. :)

Re:Thank goodness

So you're complaining that the syntax doesn't look like what you learned in your esoteric mathematics courses?

God save you when you have to write a mathematical proof in English which, last I checked, wasn't based in any formal logical calculus either.

Re:Thank goodness

[kamatsu]

no, Main is IO. putStrLn does not tell you if it was successful by returning a boolean.

Re:Thank goodness

[kamatsu]

Dude, can C's types be reasoned by formal inference? No. Hence, C does not follow typed logical calculus.

C doesn't follow boolean logic either, actually, it just maps to assembly instructions. The best thing you could do to reason about C is to use Dijkstra's proof method which is impractical in a large scale and easy to screw up.

Re:Thank goodness

[johannesg]

In fact, the value is so enormous that no one can afford it...

If you're a techie, you should use be more accurate in your use of language. Substituting the word 'price' for 'value' is something you should only do in sleazy sales pitches.

The mind boggles at the quality of todays' trolls. If I had substituted the word "price" for "value", I would imagine that my posting would contain the word "price" somewhere. Since it doesn't, I can only conclude that you are full of it.

Besides, yours is a language in which you need qualifiers for "free" to indicate whether you mean "as in beer" or "as in speech". I was merely making a clever play on that by substituting "value" (as in beer) for "value" (as in speech). Meanwhile, a decent language, such as mine, makes the distinction between freedoms naturally through the simple measure of using different words to begin with ("gratis" and "vrij").

We will have this discussion again when you can speak my language, Dutch, as well as I can speak yours...

Re:Thank goodness

[Killotron]

Haskell is a functional language, not a logic based language. Prolog is the most common logic based language. You use logic statements that describe known facts, then give relations between facts. To get a solution, you provide a query, and Prolog performs an evaluation using your facts and relations. Neat stuff.

Re:Thank goodness

[pintpusher]

Just to see if I understand, Main is IO(), and thus it proves an attempted interaction with the outside world?

Re:Thank goodness

I don't think I'll listen to an argument that starts with "dude." Idiot.

Re:Thank goodness

[kamatsu]

Yes.

Re:Thank goodness

[morgan_greywolf]

But certainly putStrLn returns something, yes? We are talking about a functional language, yes?

I don't know Haskell (obviously), so "True" is just a stand-in for whatever the function would return if successful. If that's IO or whatever, okay then.

Re:Thank goodness

[ioshhdflwuegfh]

You know the funny thing about this whole discussion is that the OS linked to in the article is not the first. Integrity from Green Hills Software was proven correct a while ago. It is popular for safety critical stuff like flight controls for airplanes and is one of the dominant players in that niche.
http://www.informationweek.com/blog/main/archives/2008/11/green_hills_sof.html
And what is truly amusing about following this argument, is that Integrity is written in C. :)

Although I can see that you're amused, what you're saying is false: Integrity is not formally proven correct, it only has some amusing but mathematically irrelevant industry certificate.

Re:Thank goodness

[morgan_greywolf]

You're conflating two different concepts. Common Criteria Evaluation Assurance Level focuses on security while this test focuses on complete mathematical provability IOW, can it be mathematically proven that the kernel meets all of its specifications and that the compiled kernel is exactly what was specified in the source code? CC EAL focuses only on security aspects.

Furthermore, a system that was specified as being completely secure[1] would, in theory, be equivalent to a EAL 7, not merely "6+".

[1] I mean this only in a hypothetical sense since I don't believe it is even possible to specify a system that is completely impenetrable, let alone implement one. But then, that's because I subscribe to the theory of information security that says a completely secure system is impossible, therefore we must use multiple compensating ocntrols that get us to a 'virtually impenetrable' state, tuned to prevent the most likely types of attacks (cheap) vs. the possibility of someone building a multi-billion dollar super cluster to break the security.

Re:Thank goodness

[kamatsu]

It doesn't return anything about success or failure.

Re:Thank goodness

Dude, I don't think I'll listen to an argument that ends with "idiot."

Re:Thank goodness

[Ifni]

Oblig movie quote:

Dr. Evil: You know Goldmember, I don't speak freaky-deaky Dutch. Okay, perv boy?

Yeah, I'm sure you've NEVER heard that one before and all, but, you know, it never gets old. :p

By the way, how do you pronounce "vrij" - is it like "fridge", but with a vee, or what? I'm gonna start using that just to throw people off.

Re:Thank goodness

Yes, surprisingly enough Haskell does have uses other than scaring 1st year undergraduates.

Re:Thank goodness

[shutdown+-p+now]

The point wasn't about syntax. The point is that C semantics lack certain restrictions that make it hard or impossible to do formal reasoning on the code.

Re:Thank goodness

[zes]

I'm not dutch but I believe they pronounce it "frai", but the r being a german/french r.

Swedish makes the same distinction between fri and gratis, as do many other lanuages.

Re:Thank goodness

[arethuza]

Well, if anyone is demonstrating a lack of understanding, I respectfully suggest it is the AC who thinks that C is *based* on, rather than incorporates some operations from, boolean logic.

Re:Thank goodness

All that tells me is that formal reasoning is limited and useless.
Can you write an equivalent to any C program in Haskell? If the answer is not, then Haskell is crap. If the answer is yes, then your reasoning system is crap.
In any case, both Haskell and your reasoning system are wrong.

Re:Thank goodness

[shutdown+-p+now]

All that tells me is that formal reasoning is limited and useless.

It is definitely limited, but it clearly isn't useless, since it lets you prove things that you otherwise have to blindly trust - "we are 99% sure that this code behaves as specified, because our unit tests all run correctly" vs "we know that this code behaves as specified, because we mathematically proved it" - can you comprehend the difference?

If you can come up with a way of doing the same for an arbitrary C program (and not the subset that's mappable onto Haskell), then you're definitely welcome to do so, and it would be quite a feat.

On the other hand, if you think that "just throw more unit tests at it" school of verification is good enough for everything, then you probably don't have anything useful to add to this discussion.

Re:Thank goodness

[neomorph]

The "mathematically irrelevent industry certificate" of which you speak, Common Criteria EAL 6, does require formal analysis, and Integrity did have certain important security properties proved about it. Now, this L4 kernel set a much higher bar, in that it was proven correct, a super-set of what what proved about Integrity.

Re:Thank goodness

[neomorph]

There is nothing in the Common Criteria that specifies that an EAL7 system is "completely secure". It merely indicates that a great deal of evidence exists that the system meets its security function requirements, nothing more, nothing less. In Common Criteria, the actual security function requirements can be extremely weak, but to make EAL 7, a great deal of evidence must be presented to show that the extremely weak requirement was implemented correctly.

Re:Thank goodness

[johannesg]

Oblig movie quote:

Dr. Evil: You know Goldmember, I don't speak freaky-deaky Dutch. Okay, perv boy?

Yeah, I'm sure you've NEVER heard that one before and all, but, you know, it never gets old. :p

By the way, how do you pronounce "vrij" - is it like "fridge", but with a vee, or what? I'm gonna start using that just to throw people off.

The "ij" sound in Dutch is a vowel, you are not supposed to pronounce the "j" as a separate consonant. I don't think there is an equivalent sound in English, but if you think of it as "i" you are not too far off. It will mark you instantly as an English speaker though ;-)

Re:Thank goodness

The sound is not unlike 'rye' with a 'v' sound before it.

Re:Thank goodness

The world uses english for international communications. Not some weird ass language spoken by a handful of insignificant swamp dwellers.

Yeah right

Major bug found in 3...2...

Re:Yeah right

[oji-sama]

It's not a bug, it's a formally proved feature ^.^

Amiga Hand?

[ArcadeNut]

Or do you mean the "Guru Meditation Error"?

Re:Amiga Hand?

Ah you beat me to this. The submitter only seems to know a little about the Amiga. What I think he is referring to is the Floppy Boot Screen, which you get if you don't have a hard drive. It has a hand holding a floppy and a number like 1.0, 1.1, 1.2 or 1.3. It later got replaced by an other floppy boot screen for higher kickstart roms.

Re:Amiga Hand?

[arth1]

Amiga 1000s and early Amiga 3000s had the kickstart on floppy too -- you would first get a hand/floppy image with the word "Kickstart" on it, upside down of course, and only after that would it ask for "Workbench", possibly with a version number (which inexplicably wasn't written upside down on the floppy itself. Sloppy).

Re:Amiga Hand?

[Canazza]

I prefer SACF interrupts, much more exciting

Re:Amiga Hand?

[NetNinja]

Yes the Amiga Blue screen of death "Guru Meditation Error"

As the above posters have stated the looping graphical Amiga animated hand just showed a flesh clored hand with a floppy disk in it informing you to insert it into the 3 1/2 disk drive.

I miss my Amiga :(

Re:Amiga Hand?

[Domini]

Yea. I stopped reading at that point ...

Re:Amiga Hand?

[Chelloveck]

But the Amiga error message should have been a hand. The Guru Meditation was cool and all that, but an image of a hand with the middle finger extended would be so inappropriately appropriate!

Re:Amiga Hand?

Yes, that was the bad crash message and code. The hand was saying insert the Workbench diskette when you first power the machine on.

Re:Amiga Hand?

[rjstanford]

Hell, I still miss "Carrier Command." Haven't found a reasonable replacement for it since. Not to mention most anything by Psygnosis (nigh impossible, but they sure were purty).

Sigh.

And the kids today. Always on my lawn... grumble... mutter...

Re:Amiga Hand?

Exactly... the Amiga hand is NOT an error message... but the startup screen for = KS 1.3. The Guru meditation is the error he meant.

Re:Amiga Hand?

Came here to say that... good show.

I think the hand was to insert a disk (e.g. the Workbench disk) if it wasn't found on boot.

Re:Amiga Hand?

[Darinbob]

Most of these "bugs" causing blue screens or guru meditations or frowning bombs were not the fault of the operating system. Instead applications in a system without memory protection can cause all sorts of crashes, and even in protected systems a badly behaved driver can screw things up.

Having a formally proven operating system only helps as far as the actual functions of the operating system. It doesn't help you with applications or addons like drivers. The Amiga kernel could have been proven correct, and 99% of those guru meditations would still have occured.

Re:Amiga Hand?

[ArcadeNut]

or frowning bombs

Amiga line has the Guru Meditation Error

Atari ST line has Bombs (Not frowning). The number of Bombs told you the type of Exception that had occurred.

Mac line has the "Sad Mac" which basically told you, you were screwed, but just not how.

Re:Amiga Hand?

[Nyder]

It was going to be the middle finger for serious errors, but they ran out of memory for the picture, so they went with the Guru Meditation Error instead.

Re:Amiga Hand?

[drfreak]

Yes, and the text above the hand could have read: "If you expected memory protection..."

Re:Amiga Hand?

[snuf23]

"...on a home computer made in 1985 you will be sadly disappointed by every computer available on the market"

Re:Amiga Hand?

[sudog]

Flesh-coloured hand? It was white wasn't it?

Re:Amiga Hand?

[badkarmadayaccount]

Not if the compiler is formally proven as well.
http://en.wikipedia.org/wiki/Language-based_system

The Amiga Hand?

[johannesg]

The Amiga Hand was the boot screen, not an error screen. You're thinking of the famous Guru Meditation.

Besides, who says that the Amiga kernel did _not_ meet the specifications? Have you read them? Does it mention "crash free" anywhere?

The Haskell code is called a "specfication", but if it is Haskell code, surely it should count as a _program_ already? How can you prove that that program is bug-free? How about conceptual bugs?

Was the toolchain verified? How about the hardware on which it runs?

What overhead does this approach have? Are the benefits worth it?

I'm not saying this is all bullshit, but it looks like me that they are pointing to one program, calling it a "specification", and then demonstrating machine translation / verification to a similar program. I'm not sure if I buy that methodology.

Re:The Amiga Hand?

[TheCycoONE]

Well the typical bugs that affect C programs, like buffer overflows, using a dereferenced pointer, etc; along with common mistakes made in procedural programming in general like off-by-one errors are much less likely to come up in a functional language like Haskel. In a lot of cases Haskel code is simply a LOT shorter and easier to read than it's C/C++ counterpart which makes it much easier to find a problem; not much harder than finding the problem in a spec on paper.

So, no I don't think it guarantees anything, but it's a lot better than C code on its own.

Re:The amiga hand?

[cdrom600]

The "Amiga hand" is the Amiga bootscreen. Whoever wrote this probably meant "Guru Meditation".

Isn't being older than 14 (or knowing how to use wikipedia) required to be a slashdot editor?

You must be new here.

Re:The amiga hand?

Isn't being older than 14 (or knowing how to use wikipedia) required to be a slashdot editor?

You don't even have to know anything about computers to be an editor. CmdrTaco just takes any warm body that can hen peck at a keyboard enough to post a submission.

Re:The Amiga Hand?

The missing word is formal.

They use a formal specification, which is then formally verified.

The overhead? It took something like 5 years for a 10,000 line program. The benefit is if the specification is right, the program should be right.

Other questions are answered in the FAQ linked in the summary and this page.

Re:The amiga hand?

[daveime]

CmdrTaco just takes any warm body that can hit CTRL-C and CTRL-V in quick succession. FTFY.

CmdrTaco just takes any warm body. FTFYA.

Re:The Amiga Hand?

[Tom]

How can you prove that that program is bug-free? How about conceptual bugs?

Formal verification does not tackle conceptual bugs. What it does is prove that the implementation conforms to the specification. If your specification is false, then it is false, but the implementation will correctly implement the false behaviour. In other words, this checks whether the house and the building plan are identical. If the plan has a window where there shouldn't be one, then that window will be there, because it's on the plan.

What overhead does this approach have? Are the benefits worth it?

RTFA. The amount of work required is staggering (four years, 200,000 theorems to prove) but since it's a verification of code, not additional testing code, there is zero overhead when the system is running.

Re:The Amiga Hand?

[feldicus]

"Easier to read" is subjective, and generally only applies if the reader has spent a fairly significant amount of time dealing with the syntax. Coming from years of C/C++/C#/Python, I can tell you that Haskell is about as easy to read as a set of VCR instructions written in Japanese and translated to English by a blind Venezuelan with Carpal Tunnel Syndrome.

Re:The Amiga Hand?

[speedtux]

The missing word is formal.

Because we all know that calling it "formal" makes it formal, just like calling something "healthy" or "a good deal" makes it so.

The overhead? It took something like 5 years for a 10,000 line program.

So, would you rather use a program that has been tested for 5 years and not "formally" verified, or a program that has been "formally" verified for 5 years but not tested?

Re:The Amiga Hand?

[Robb]

The methodology is the best you can do; proving anything is basically establishing that two descriptions are equivalent.

With formal systems you usually have one definition that written to make it obviously correct and another that is more "pragmatic". In the case of propositional logic the obviously correct formalization is truth tables which are completely untractable to work with for large numbers of variables but are very simple conceptually. The "pragmatic" formalization is the logical connectives like and, or, implication etc that we normally think of as propositional logic. When they prove that propositional logic is sound they mean that all propositions give the same result as a truth table when evaluated and when they prove it is complete they mean that all truth tables give the same result as a proposition and thus propositional logic and truth tables both formalize the same concept.

There is no concept of "correct" in formal systems because it is inherently an informal concept meaning it does what it is supposed to do.

Re:The Amiga Hand?

[Oewyn]

The Haskell code is called a "specfication", but if it is Haskell code, surely it should count as a _program_ already?

Usually formal specifications are denoted using some sort of semantics. Large step semantics defines how create a derivation tree. Basically, how is a large program broken up into steps and completed one step at a time. Small step semantics define how an instruction takes one step in a program. There are other various forms of semantics, but each one defines mathematical constructs like stores (mapping from program variables to values), and using these constructs, you can prove different properties about that specification.

.

How can you prove that that program is bug-free?

"bug-free" usually means there is nothing left up to the implementation of the formal specification. For example, in C/C++ dereferencing of null pointers left up to the implementation. This means that one implementation can seg fault because you tried to access invalid memory, and another could return a random value, while another could always return 1. All three of these fully implement the specification because the specification does not define what to do when dereferencing null pointers.

Using a strongly typed language such as Haskell, Ocaml, or most any other functional language helps to prevent cases where the specification doesn't explicitly define an action. For example what is True - 3. In a strongly typed language, this would never compile, so the specification doesn't have to define this case, however in C++ where bools are actually ints this can happen.

.

How about conceptual bugs?

If a conceptual bug is one where the specification is incorrect, then this proof technique will not catch those "bugs".

.

Was the toolchain verified?

Usually the first compiler for a language is proven to be correct, and then using this fact, all subsequent compilers can be compiled using the first compiler. For example (i'm going off of memory here) the first ocaml compiler was written in c/c++ and proven to be correct. Once it was proven to be correct, when further optimizations/modifications were needed, a new compiler was written in ocaml, then compiled using the first compiler. Since it is usually easier to prove the correctness of a functional program that is strongly typed, proving the next generation compiler is significantly easier than the first generation.

.

How about the hardware on which it runs?

I'm not sure about this. As i'm not familiar with the kernel, it may be that it doesn't interface with any of the hardware itself and interacts w/ the hardware through modules/drivers. If this is so, then the modules/drivers would need to be proven correct as well.

.

What overhead does this approach have? Are the benefits worth it?

The benefits are very large for certain situations. For example, when the nuclear reactor starts to overheat, you want to be able to say with 100% confidence there will not be a meltdown and it will automatically shut itself off. You would want to say (with 100% confidence) that while flying on autopilot, the aircraft will not suddenly decide to go into a nose dive, etc.

.

I'm not saying this is all bullshit, but it looks like me that they are pointing to one program, calling it a "specification", and then demonstrating machine translation / verification to a similar program. I'm not sure if I buy that methodology.

What i assume that they did was first create a formal specification(denotational semantics, etc) for the kernel, implemented it in Haskell then implemented it in C. They proved that the C implementation is a 1-1 mapping of the haskell program. I wasn't able to determine, but i assume they had already proven that the Haskell program is a correct implementation of the formal specification.

.

My apologies for the formatting.

Re:The Amiga Hand?

[ShakaUVM]

>>The benefit is if the specification is right, the program should be right.

You'd think, but I've had formally proven algorithms fail when they encounter the real world. Niggling things like floating point round-off errors, etc., means that you can't even prove x+x = 2x in floats.

Also, it doesn't mean that that it's immune, to, say, buffer overflows.

Re:The Amiga Hand?

[Hynee]

And what exactly do you mean by false? Do you mean, for example, if a word processing program were formally specified to print 2 character for every single keystroke that would be false? Or do you mean it would "lock up" and not work properly for a human? Or do you mean "generate non-existent instruction code and cause CPU to reset"?

I suspect the correct answer is the second example I give, but not exactly.

It does contain machine code however, so it could be #3 too.

Re:The Amiga Hand?

[Hynee]

What overhead does this approach have? Are the benefits worth it? link

RTFA. The amount of work required is staggering (four years, 200,000 theorems to prove) but since it's a verification of code, not additional testing code, there is zero overhead when the system is running. link

Yeah, it's not like debug code or something similar. The code is written and now it's trusted on a high level by theorists etc. It could be fast and highly reliable, as reliable as the theorists are.

Re:The Amiga Hand?

[kamatsu]

Do you know what "formal" means? It's talking about "formal" as in programs as formal systems, a branch of logicianship that allows you to reason about computation. I would much rather use a completely untested, but entirely formally proven operating environment than a long-lived unproven one. We just haven't gotten to the point where we have proved enough software yet.

Re:The Amiga Hand?

[kamatsu]

Buffer overflows would've been solved by the haskell implementation. Assuming each of their C translations are free of overflows, the whole thing should be overflow free.

Re:The Amiga Hand?

[TheLink]

Depends on the test results and the sorts of tests run.

If the 5 year tested program is still failing really badly, I'm going to wait for the formally verified program to be tested ;).

Re:The Amiga Hand?

[Tom]

Almost all of the serious problems we have these days are implementation bugs. Buffer overflows, race conditions, code injection, etc.

A couple of the "IE quirks" are intentional design bugs, for example, where the browser does not behave correctly (e.g. box model), but it does behave according to its specification.

There are unintentional design bugs as well, but I can't come up with one by heart.

Re:The Amiga Hand?

[Chris+Mattern]

The benefit is if the specification is right, the program should be right.

We'll have to prove the specification does what we want, then. Of course, then we have to make sure our conception of what we want is right...

Personally, I think it's elephants all the way down.

Re:The Amiga Hand?

[Just+Some+Guy]

In other words, this checks whether the house and the building plan are identical.

Car. Remember your audience.

Re:The Amiga Hand?

[ioshhdflwuegfh]

I'm sure it can be formally proved that a programmer with lots of experience in C/C++ and no knowledge of Haskell finds programs in Haskell hard to read.

Re:The Amiga Hand?

The Haskell code is called a "specfication", but if it is Haskell code, surely it should count as a _program_ already? How can you prove that that program is bug-free?

See Edsger W. Dijkstra's works and what followed from it, e.g.
the THE system (not on Wiki, but the Technische Hogeschool Eindhoven System developed by him) and Programming: The Derivation of Algorithms by Anne Kaldewaij (which basically follows Dijkstra's methodology).

Short short synopsis: you don't prove programs. You phrase the question to be addressed, and then you derive the correct program from that. (and then you profit ;)

Re:The Amiga Hand?

[feldicus]

My point was that just saying "Haskell is easier to read than C" is a specious statement. I don't know both languages, but I'm a programmer, and the syntax of Haskell (a language I don't know) is harder for me to figure out than Ruby (another language I don't know).

Re:The Amiga Hand?

[speedtux]

Do you know what "formal" means?

Yes.

It's talking about "formal" as in programs as formal systems, a branch of logicianship that allows you to reason about computation.

Yes. And like many mathematical terms, the terms "formal" and "correctness" in logic have little to do with their ordinary meanings when applied to software.

I would much rather use a completely untested, but entirely formally proven operating environment than a long-lived unproven one.

You're doing it too, by deliberately confusing the customary meaning of "unproven" with the logician's meaning of "lacking a proof".

"Formal methods" is basically a sham based on a misuse of mathematical language in ordinary speech. You can prove programs "correct" in the logician's sense, but that doesn't mean that the program is "correct" in the ordinary sense. The method can be "formal" in the logician's sense, but that doesn't mean that it is "formal" in the sense of being a justifiable application of mathematical principles to software.

Re:The Amiga Hand?

[Jeremi]

So, would you rather use a program that has been tested for 5 years and not "formally" verified, or a program that has been "formally" verified for 5 years but not tested

I'd rather have both, please.

Re:The Amiga Hand?

[kamatsu]

The program is formally proven to be correct, where "correct" is defined to mean conforms exactly to the specification.

The specification may not be useful, but it does exactly what the specification says it does.

If I have a detailed specification for an entire operating environment (which this is not) and it is all formally proven to conform to said specification, then I would happily use it over something that had been used alot and didn't crash often. If it doesn't do what I want, then that means my specification was inaccurate.

I think such an application is perfectly justified, but then again I teach postgraduate students how to write haskell in haskell.

Re:The Amiga Hand?

..."Haskell is easier to read than C" is a specious statement

That's a specious statement.

"Haskell is easier to read than C" may well be a perfectly valid statement, and for reasons entirely other than you cite. Say you were familiar with Haskell, and not just its syntax, but also the different structural mindset behind functional programming.

It's entirely possible that it'd be easier for you to comprehend a program written in Haskell because its logical structure is more apparent. This is independent of the syntax, and deals instead with the semantic structure of the language.

Note, I'm asserting this to be the case, merely that your objection is misguided and misses a significant chunk of the point.

Re:The Amiga Hand?

[feldicus]

Technically, saying "Haskell is easier to read than C" is a specious statement because it assumes that it's easier to read universally. I can find even one person for whom that's not true (I happen to be such a person).

Therefore, the statement is misleading, I win, and your children are ugly.

Re:The Amiga Hand?

[lennier]

"I've had formally proven algorithms fail when they encounter the real world. Niggling things like floating point round-off errors, etc., means that you can't even prove x+x = 2x in floats."

Well of course. That's the whole reason why we're skeptical of formal models. I mean, if you're assuming something like 'a float is a real', or even 'a machine int is an unbounded integer' then of course you'll get the wrong answer. Any axioms proven about a mathematical integer which don't take into account boundary conditions and representations - the REAL semantics of the machine object as opposed to the pretend play semantics of a simplified mathematical toy version - don't necessarily apply to an int16, an int32, or an int64. And that's where programming, as opposed to mathematics, comes into play.

So 1) why not model it correctly the first time?

2) can you prove the correctness of your formal model? If not, it's just another source of bugs.

3) therefore, isn't all this 'formal methods' jazz just shorthand for 'write the whole program in a pure-functional language and be done with it'?

So why not just do that instead?

Re:The Amiga Hand?

[lennier]

"Formal verification does not tackle conceptual bugs. What it does is prove that the implementation conforms to the specification."

I think I understand the concept, but what I don't get is why our compilers don't just do this already. Why do we tolerate toolchains which *aren't* trustworthy?

It seems to me that if we just moved to declarative languages - like, say, Prolog, or maybe a cleaned-up modern version - we could simply say 'a valid HTML conversation is: bla bla bla' and then just say 'an HTML conversation occurs here...' and the compiler can do the rest.

It doesn't seem to me to be rocket science. We seem to go out of our way to dump more work on the programmer than needed. Programming should be a matter of defining interfaces or constraints, surely.

Re:The Amiga Hand?

[ShakaUVM]

Any axioms proven about a mathematical integer which don't take into account boundary conditions and representations - the REAL semantics of the machine object as opposed to the pretend play semantics of a simplified mathematical toy version - don't necessarily apply to an int16, an int32, or an int64. And that's where programming, as opposed to mathematics, comes into play.

Absolutely. But that's why I tend to get annoyed when people get pretty high and mighty about formal proofs being the answer to anything. Rounding errors are very hard to deal with in formal proofs, since you don't know where they're going to come in. If you have an N-body simulation, for example, you'll violate conservation of momentum and energy unless you watch for that stuff, and somehow correct for it by injecting the missing energy back in. And practical stuff like that tends to make formal proofs explode.

Re:The Amiga Hand?

[sergueyz]

More than that, if specification is changed, so should the code.

And formal verification will point to all places where change should occur.

We lowly programmers often underestimate formal verification tools given to us as our languages type systems.

Re:The Amiga Hand?

[sergueyz]

It's a hierarchy of unverses. ;)

Re:The Amiga Hand?

Personally, I think it's elephants all the way down.

No. It's turtles all the way down.

Re:The Amiga Hand?

Thank you for correcting the original article about the "Amiga Hand". My Amiga may be long gone but I will never forget the Guru Meditation Errors. And yes an Amiga did occasionally crashed.

Re:The Amiga Hand?

The program is formally proven to be correct, where "correct" is defined to mean conforms exactly to the specification. The specification may not be useful, but it does exactly what the specification says it does.

Yes, and that is the at heart of the sham.

If I have a detailed specification for an entire operating environment (which this is not) and it is all formally proven to conform to said specification, then I would happily use it over something that had been used alot and didn't crash often.

In light of the fact that you yourself observed that you have no reason to believe that the specification itself is correct, that's pretty foolish.

I think such an application is perfectly justified, but then again I teach postgraduate students how to write haskell in haskell.

Yeah, I did that once, too. Fortunately, I have overcome such folly. Maybe in time you will, too.

Re:The Amiga Hand?

[badkarmadayaccount]

And I want to cuddle up with Avril Lavigne, and open up the code base to all MS products, and abolish software patents with a flick of my finger, but none of that's gonna happen.

Karlan Mitchell

Yet another abstraction layer, just what we need......pssha bullocks

Give me six lines of code...

[Joce640k]

"If you give me six lines of code written by the most diligent of programmers, I will surely find enough in them to crash the OS" - Cardinal Ritchielieu

Re:Give me six lines of code...

[Telecommando]

Every program contains at least one bug, and can be shortened by at least
one instruction. By induction, every program can be reduced to a single
instruction which doesn't work. /old, I know.

Re:Give me six lines of code...

[Tenebrousedge]

Excellent line, but I don't think it really holds up. Certainly a literal reading could be a nontrivial problem, perhaps impossible, but even just assuming the general idea that app-level code can always be used to crash the underlying OS seems fraught with troubles.

Re:Give me six lines of code...

[ranulf]

> By induction, every program can be reduced to a single instruction which doesn't work.

HACF?

Re:Give me six lines of code...

/*
  *
  *
  *
  *
  */

Re:Give me six lines of code...

[Joce640k]

I guess you missed the cultural reference...

Re:Give me six lines of code...

[Hurricane78]

In PHP I once had a bug in the whitespace of a comment.
When I left the /* and */ away, and the comment just stood there as if it were code, it worked.
Go figure...

Re:Give me six lines of code...

[Rigrig]

Ok, it doesn't crash the OS, but it won't run properly either:
$ wspace sixlines.ws
wspace: Prelude.(!!): index too large

Re:Give me six lines of code...

[etwills]

In PHP I once had a bug in the whitespace of a comment. When I left the /* and */ away, and the comment just stood there as if it were code, it worked. Go figure...

Nested comments maybe? If you hadn't noticed the outer comment markers, you'd get something that "didn't" work with the inner markers in place and "did" work without.

(In PHP, attempting to nest comments leads to the second '/*' being considered as enveloped by the first '/*' and the first '*/', leading to the second '*/' being flagged as erroneous, and the interpreter bailing out)

// writing my first bit of non-trivial PHP _today_

Re:Give me six lines of code...

[vertinox]

Wut? I just compiled that on my Microsoft VBA .NET compiler and I got a bluescreen?

Re:Give me six lines of code...

[ceoyoyo]

By your first statement that one instruction, non-working program can be shortened by one instruction. Therefore, by induction any program can be reduced to zero instructions which still contains at least one bug.

Re:Give me six lines of code...

That's one line. The preprocessor removes useless whitespace.

Re:Give me six lines of code...

[Cormacus]

Thats nothing - I'm using a TCL interpreter that will interpret curly braces - even if they are commented out. The best part is that the error message isn't "You have an unmatched curly brace on such and such a line", its more like "there is something strange wrong with your script and I won't tell you where I barfed"

Re:Give me six lines of code...

[CnlPepper]

I hate TCL..... urgh. Needed to write a gui for scilab in tcl. I don't think I've ever been so irritable while coding. A language designed by a bastard.

Re:Give me six lines of code...

[CannonballHead]

Main class not found.

Re:Give me six lines of code...

[hyperion2010]

This man is a nihilist. Burn him.

Re:Give me six lines of code...

[Ant+P.]

Quantifier follows nothing in regex; marked by

Re:Give me six lines of code...

[Ant+P.]

Give Slashdot one line of text and it'll find some way to screw it up...

Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE>

Re:Give me six lines of code...

SYNTAX ERROR AT LINE 1

Re:Give me six lines of code...

[bbtom]

I'm not sure if I'm "the most diligent of programmers", but I'm pretty sure HelloWorldPrinter.java doesn't quite do enough to crash the OS:

class HelloWorldPrinter {
public static void main(String[] args) {
        System.out.println("You say 'Hello, world!'");
        System.out.println("The world sighs back.");
    }
}

Perhaps I'm not as imaginative as the Cardinal, but I cannot figure out how to crash the OS with just this code.

Unless, of course, you hand the code to someone else, alias their Java compiler or runtime to echo "The Java compiler needs root privileges due to a weird Debian [or your distro here] permissions problem." and then sudo rm -rf /

That requires you to think like a bastard though.

(Written in Java, because if I had written it in Smalltalk, Python, Ruby or Lisp or whatever, six lines of code would be enough to do something significantly cleverer than printing two lines.)

Re:Give me six lines of code...

There's an even better induction. From there, you can reduce the program to the empty file, which has the bug that it doesn't work. Now look at it backwards, and the act of writing code is the act of putting bugs in an empty file!

Still old, I know.

Re:Give me six lines of code...

/*

The amiga hand?

The "Amiga hand" is the Amiga bootscreen. Whoever wrote this probably meant "Guru Meditation".

Isn't being older than 14 (or knowing how to use wikipedia) required to be a slashdot editor?

Apps running on top will crash... so

[WiseOwl2001]

Even if we have a perfect kernel, it won't insulate us from bugs in the software running on top of that kernel, so do we really gain much? I guess for mission critical apps the answer could be yes... But for every-day computing?? On my desktop I have more trouble with Firefox crashing than I do the OS! (Yes I run linux).

Re:Apps running on top will crash... so

[John+Hasler]

> Even if we have a perfect kernel, it won't insulate us from bugs in the
> software running on top of that kernel, so do we really gain much?

Since a kernel crash kills all your applications and background processes, kills your network connection, requires you to reboot, and can scribble anywhere on the disk, yes.

Re:Apps running on top will crash... so

[PybusJ]

It's the other way round. Once you've formally proven things you care about for your application (security, correctness, whatever), and people are doing this though much less than they might. What do you run it on to maintain your guarantees, if there is no formally proven kernel?

So far the current answer seems to be you compile your code down to bare metal and run as an embedded app without an OS, but that only gets you so far. Mind you I can't see a fully fledged web browser based on formal methods coming along any time soon.

Re:Apps running on top will crash... so

[Fri13]

Well, kernel bug brings down whole OS and all the applications running top of it. But the kernel is usually most secure and stable. Most errors comes from drivers.

http://www.usenix.org/publications/login/2006-04/openpdfs/herder.pdf

And that is the problem with the monolithic OS's. One bug in the driver or any other part of the OS, brings it down. But even it is about monolithic OS, it can be as secure as microkernel-based OS's like Hurd, Minix or NT.

And I believe that the star of the next 10 years will come to be the MS Singularity.

Re:Apps running on top will crash... so

[Tom]

Yes, it gains you a lot.

Firefox crashing means your userland memory is fucked up and can't be trusted anymore. No problem, kill it, clean it and restart the application.

A kernel crash leads to undefined behaviour on the ring 0 level. You don't want that, it's where root exploits live.

Furthermore, we have a lot of really, really strong kernel-level security extensions, like SELinux, whose only two vulnerable spots are kernel-level exploits and weak security policies. If you can remove one of them, you've done a lot to improve security.

Re:Apps running on top will crash... so

[Arlet]

Firefox crashing means your userland memory is fucked up and can't be trusted anymore. No problem, kill it, clean it and restart the application.

If your filesystem task running on top of a proven kernel has a bug, it can still corrupt your disk.

Re:Apps running on top will crash... so

I accidentally read that as "and can scribble anywhere on the dick"

I am not sure which of these is worse.

Re:Apps running on top will crash... so

[digitig]

Even if we have a perfect kernel, it won't insulate us from bugs in the software running on top of that kernel, so do we really gain much? I guess for mission critical apps the answer could be yes... But for every-day computing?? On my desktop I have more trouble with Firefox crashing than I do the OS! (Yes I run linux).

The advantage for everyday computing is that because of its use in the mission critical software you survive your flight and can continue with your everyday computing.

Re:Apps running on top will crash... so

Don't build your house on sand.

Don't build your formally-proven app on a buggy kernel.

This is not a useful end-result in itself, but it is a good step towards a fully-proven device.

Re:Apps running on top will crash... so

[Balial]

But for every-day computing?? On my desktop I have more trouble with Firefox crashing than I do the OS! (Yes I run linux).

... and you know how that 100% these bugs are firefox itself, and not failures in the OS causing it to crash?

Re:Apps running on top will crash... so

[Bat+Country]

And I believe that the star of the next 10 years will come to be the MS Singularity.

Right, that's the point at which Microsoft becomes so attractive that ordinary laws no longer govern it?

Re:Apps running on top will crash... so

[Tom]

If your filesystem task running on top of a proven kernel has a bug, it can still corrupt your disk.

Yes. So?

Firefox can corrupt your browsing history, Mail.app can corrupt your stored mails.

What's that got to do with higher kernel reliability?

You're saying we don't need fences around our military bases because the oil drums inside could still explode. It doesn't make any sense.

Re:Apps running on top will crash... so

[Arlet]

What's that got to do with higher kernel reliability?

Nothing, of course. The point is that the end user doesn't care about kernel reliability, but about systems reliability. If I only use my computer to run firefox, there is no useful difference between firefox crashing, or the kernel crashing.

Re:Apps running on top will crash... so

[zzsmirkzz]

If I only use my computer to run firefox, there is no useful difference between firefox crashing, or the kernel crashing.

It's takes longer to reboot the system than it does to re-open firefox. So, yes there is a useful difference. It also makes it plainly clear that is it a bug with firefox (so you know who to complain to) and not of the kernel. And in today's society knowing who to blame is priority 1.

Re:Apps running on top will crash... so

[Arlet]

It's takes longer to reboot the system than it does to re-open firefox.

As you make the kernel smaller, and the user layer bigger, the difference between restarting all user processes or the whole system becomes trivial. If you're lucky you can save some time by only restarting user processes that have crashed, but that won't work for processes that share a lot of state, which is quite common for processes that are part of a traditional kernel. For instance, you can't really restart a file system, a virtual memory manager, or a network stack without restarting a lot of other applications.

Re:Apps running on top will crash... so

[Fri13]

Well, it does not matter what structure you have used to build your OS. It will come down if the kernel comes. The problem really is huge on monolithic OS's, like Linux and *BSD. One giant OS in kernel space what includes all drivers and other parts. The theory is that modular OS, build with microkernel would be much safer and stable. Idea is great but problem is that you can even do same kind things on monolithic OS to protect it's kernel and drivers from each other.

http://www.usenix.org/publications/login/2006-04/openpdfs/herder.pdf

Most OS crashes comes because the driver crash. Because monolithic OS has drivers inside itself. You are "totally" in deep shit. But if you get driver bugs cleaned away, no problems...

Re:Apps running on top will crash... so

[badkarmadayaccount]

Copy-on-write, my friend.

Knuth on proven correct:

[John+Hasler]

"Beware of bugs in the above code. I have only proven it correct, not tested it."

riight

[jointm1k]

World's First Formally-Proven OS Kernel

Beware of bugs in the above code; I have only proved it correct, not tried it.
--Donald Knuth

Empty promises...

You can't assure we'd never see a kernel fault again even using this. Most faults on most platforms are caused by hardware faults that even a formally proven OS cannot prevent. They also claim that something entirely on spec' has no bugs, which of course is laughable to anyone that has done any length of development. You just cannot account for everything that could happen within a complex system with maybe thousands of independant components.

Further more they claim in the article that software faults have caused plane crashes, when? Off the top of my head I cannot name a single instance when a software fault caused a plane crash (and yes, that includes the recent Air France crash).

Re:Empty promises...

[ezzzD55J]

Most faults on most platforms are caused by hardware faults

bullshit.

Re:Empty promises...

[Dog-Cow]

The article does not claim that software faults have caused plane crashes.

The article merely states: "Or, much scarier, you might be on a plane and there's a problem with the board computer."

Thus, I have proven that you have failed to understand simply English.

Re:Empty promises...

[CastrTroy]

I would very much have to agree with this. On almost any machine that I've seen that blue screened on a regular basis, the fault was bad memory, or some other bad piece of hardware. The other reasons seem to be buggy drivers, or tons of malware. So, even if your OS Kernel is provably correct, I don't think that machines would be crashing any less.

Re:Empty promises...

Thanks for quoting me entirely out of context.

Re:Empty promises...

Thanks for quoting me.

You're welcome. (I am not the poster you replied to, but you're full of shit)

Re:Empty promises...

[famebait]

Off the top of my head I cannot name a single instance when a software fault caused a plane crash

OK, I'm convinced. It can't possibly have happened, then.

Re:Empty promises...

[JKDguy82]

You gotta love how a single word "bullshit" response gets modded "Insightful".

Re:Empty promises...

[kamatsu]

Malware would have a much harder time making a root exploit in this case.

Re:Empty promises...

[Fmuctohekerr]

According to intel, asyncronous events at the chip level can be categorized like this:

• Interupts
• Exceptions (Traps, Faults, Aborts)

In this way, all "faults" are hardware faults. Now some "faults" - such as the "Double Fault" - can cause the OS to hang... windows for example will blue screen on a double fault. What is the "cause" of the Double Fault? Well, it's either a software error (kernel bug) or something physically wrong with the machine, such as bad memory. But I think by "fault" you mean something like the "blue screen of death." So are you saying "most blue screens are caused by physical hardware problems" or that "most blue screens are caused by microprocessor faults"? Because "most faults are hardware faults" is at best trivially true, at worst flat-out wrong because ALL faults are hardware faults by definition, i.e. being exceptions, raised by the microprocessor. I would suggest something like "while most kernel failures are caused by hardware faults (by definition), and a correct kernel could theoretically prevent 100% of failures caused by kernel bugs, there will always be kernel failures due to hardware issues that you cannot prevent with formal review." But I guess that's so obvious nobody would bother posting that. On the other hand, nobody will call "bullshit" either.

Re:Empty promises...

Off the top of my head I cannot name a single instance when a software fault caused a plane crash

"In one notorious 1992 crash near the Strasbourg airport, French investigators concluded that an Air Inter plane flew into a mountain several miles short of the runway because the pilots had incorrectly entered the plane's descent rate into the computer. The cockpit voice recorder showed that up until the moment of impact, the pilots had no idea of their mistake."

http://www.newsweek.com/id/85998

Now, you can call that 'pilot error' - but in fact the software 'fault' is poor design. The interface should not have allowed the pilots to make such a mistake and receive no warning.

Re:Empty promises...

[Wraithlyn]

The context of your full original post does not change the fact that you claim most faults are caused by hardware, which is the specific point he was disputing.

If you have something to strengthen your claim (from your original "context" or otherwise), present it. Otherwise, complaining about being quoted "out of context" is just rhetorical posturing.

Re:Empty promises...

bullshit.

Wrong. Try doing some coding once and awhile. Sure, the hardware may be fault proof for a given amount of time, but does it perform the same way, predictably, all the time, across multiple vendors and versions of each piece of hardware? (BIOS interfaces are a good example.)

Provable?

[tedgyz]

I thought any sufficiently complex system was impossible to prove correct.

Re:Provable?

[Prof.Phreak]

Well, one thing you can do is cut and paste your code into the specification. Now your code perfectly matches the specification---and is coded as specified.

They seem to be doing the same thing, except going about it some backwards way.

Re:Provable?

[jamesh]

I thought any sufficiently complex system was impossible to prove correct.

Then obviously this OS is not sufficiently complex.

Re:Provable?

[bramez]

only if you want to prove it automatically. this proof is constructed by hand, with some automatical steps in between, and then *verified* automatically. to manage the complexity of the proof, the proof is done in a more abstract formal specification language , then refined two times (haskel, C) . the correctness of the refinements are formally proven by the Isabelle system.

Re:Provable?

[mwvdlee]

Well, one thing you can do is cut and paste your code into the specification. Now your code perfectly matches the specification---and is coded as specified.

That would be doing it backwards...

They seem to be doing the same thing, except going about it some backwards way.

...and doing a backwards thing backwards would be the right way again.

Re:Provable?

[TheRaven64]

Well, there are some theoretical problems with this idea. The halting problem is trivial to prove insolvable, and it turns out that it's possible to generalise this proof and demonstrate that it's not possible to prove any complex properties of arbitrary programs. The key word here is arbitrary. You can, for example, trivially (algorithmically; the space / time requirements can be very large) solve the halting problem for any program that can be represented as a finite automaton. This includes any program that can run on a real computer. It is difficult to start from an existing program and prove things about it, but it's comparatively easy to write the program and the proof concurrently.

That said, I'm surprised by the claim that this is the first formally verified kernel. I was under the impression that someone at Cambridge had written and verified a kernel in Ocaml back around 2006 (not sure what the status of it is, but it was being considered as a domain 0 OS for Xen for a while).

Oh, and the other problem with this model is the concept of the trusted computing base. If the kernel is written in a high-level language, then the compiler also needs to be verified for the verification to be worthwhile.

Re:Provable?

I thought any sufficiently complex system was impossible to prove correct.

Actually, any sufficiently complex system will be on the final exam.

Re:Provable?

[Madsy]

That's true, and is due to the Halting problem: http://en.wikipedia.org/wiki/Halting_problem

Re:Provable?

It's a microkernel. From memory L4 (not seL4, but pretty damn similar) had on the order of 6 entire function calls accessible from applications on top. Only the bare necessity to actually ensure processes could be kept seperate. It's not this layer which worries me, it's the layers on top which actually /do/ something. I had a few lectures under some of the NICTA guys who worked on this, and what I got out of the formal methods stuff was that: yes, you can prove that it adheres to a spec. But fucked if the end code is actually going to actually accomplish anything. That said, it looks pretty awesome for smaller, or critical systems.

Re:Provable?

[dzfoo]

No no, it's just magic. Provable magic, though.

        -dZ.

Re:Provable?

No one has ever proved that.

Re:Provable?

[digitig]

Well, there are some theoretical problems with this idea. The halting problem is trivial to prove insolvable, and it turns out that it's possible to generalise this proof and demonstrate that it's not possible to prove any complex properties of arbitrary programs.

Irrelevant. This is not an arbitrary program, this is one that has been specifically written to be provable, and there have been techniques for doing that for at least 20 years, because I was taught them 20 years ago. If every loop has a loop variant specified -- a finite positive integer that is proven to decrease on every pass of the loop -- then all loops are guaranteed to terminate (the variant can't go on decreasing indefinitely) and so the program is guaranteed to halt. Given an arbitrary program you might not be able to work out loop variants, but if you only write code for which you have worked out the loop invariants then the halting problem does not apply to your code. As you say:

it's comparatively easy to write the program and the proof concurrently.

...which is what they will have done, so the halting problem won't be a problem in this case. (Of course, as an OS Kernel it presumably has an outer loop that isn't supposed to terminate, but you need to make sure that everything operating within that loop does terminate).

Oh, and the other problem with this model is the concept of the trusted computing base. If the kernel is written in a high-level language, then the compiler also needs to be verified for the verification to be worthwhile.

Yes, this one is an issue -- and what do you verify the compiler against, if the language doesn't have formally defined semantics.

Re:Provable?

[digitig]

Nope. The halting problem only applies to arbitrary programs. It's simple to write programs of arbitrary complexity that are guaranteed to halt (as long as what you want to do is algorithmic), it just isn't simple to tell if the program you have been given is one of those programs unless you can see the evidence that the programmer has done that.

Re:Provable?

[aminorex]

It may be; I'm no expert. But if you are refering to the omega-incompleteness of Peano arithmetic, that only shows that for a certain class of complexity (that required to do Peano arithmetic) there exist some true theorems of that system which have no proof in the system. In fact, those true but unprovable theorems are about transfinite numbers. Various generalizations of this fact are often bandied about, but most of them are unproven.

Re:Provable?

[zes]

Are you thinking of Gödel's incompleteness theorem?
A sufficiently complex formal system either has unprovable truths or is inconsistent. I am not sure this qualifies for this theorem and if it does all it's saying is that there might be behaviour that isn't specified, but that all specified behaviour is correct.
Or maybe someone with a better mathematical mind than mine can elaborate on this?

Re:Provable?

[Keynan]

A sufficiently complex system is only unlikely to be proven to be correct as the number of edge cases rises several orders of magnitude higher.

Godel's Incompleteness Theorem?

[wisebabo]

As a once (very long ago!) C.S. major, I'm curious to know how they got around Godel's Incompleteness Theorem. While their system is certainly not "complete" if someone can explain (in advanced layman's terms!) what they left out and how that allowed them to formally prove the correctness of their kernel, it would be much appreciated. (Is it because, as an AC wrote, the spec was written in C? Does this "hide" the parts which are unprovable?)

Re:Godel's Incompleteness Theorem?

[achten]

They are not trying to prove theorems written within the specified system. Hence not constrained by GIT.

Re:Godel's Incompleteness Theorem?

What is there to get around? GÃdel says that not every true statement is provable. They have not proven every true statement. Just one, that their kernel is correct.

Re:Godel's Incompleteness Theorem?

[TheSunborn]

Godel's Incompleteness Theorem just say(In this context) that there exists infinite many kernels that are correct but which can not be proven correct. It does not say that no kernel can be proven correct.

So they just happen to write one of the kernels that could be proven.

Re:Godel's Incompleteness Theorem?

I don't mean to be pedantic, but the Godel Incompleteness Theorem(s) apply to formal axiomatic systems of a certain minimal complexity (sufficient for elementary arithmetic, in the case of the first theorem; sufficient for elementary arithmetic, plus some metalogical notions like provability, in the case of the second), not computers. Given this, the Incompleteness Theorems only have implications for the theory of computation via the Church-Turning thesis, which states that any computable function is equivalent to a general recursive function (hence the connection to elementary arithmetic), and anything which can be done via a general recursive function can be done via a Turing machine.

And therein lies the answer to your question: although it's common to model computers as Turing machines, that is only a convenient idealisation. A Turing machine has an infinite tape. Real computers, given their finite memory and finite storage, are nothing more than (very large) finite state machines. And those are much more theoretically tractable beasts.

Re:Godel's Incompleteness Theorem?

[Desler]

Except that the only "proved" that their Haskell specification was correct, not the C translation.

Re:Godel's Incompleteness Theorem?

[bramez]

you dont have to "get around Godel's Incompleteness Theorem". (from wikipedia:): "Any effectively generated theory capable of expressing elementary arithmetic cannot be both consistent and complete. In particular, for any consistent, effectively generated formal theory that proves certain basic arithmetic truths, there is an arithmetical statement that is true, but not provable in the theory". it says "a statement" not "every statement". So, you can make formal theories where a lot of statements are provable, including a large class of computer programs.

Re:Godel's Incompleteness Theorem?

[maxwell+demon]

What is there to get around? GÃfdel says that not every true statement is provable. They have not proven every true statement. Just one, that their kernel is correct.

No. They didn't prove that their kernel is correct. Just that their C code and their formalization of the specification share the same set of bugs.

Re:Godel's Incompleteness Theorem?

[dmbasso]

Godel found that, within a system of axioms, there are questions you can't answer using only those axioms. The specification of an OS, although extensive, is not composed of "hard" questions. You don't need to prove P=NP for an OS to work.

Re:Godel's Incompleteness Theorem?

[TapeCutter]

Incomplete != incorrect.

Re:Godel's Incompleteness Theorem?

[hasdikarlsam]

Goedel's theorem simply states that you cannot prove a system in itself, for any sufficiently interesting system.. not repeating the definition of /that/ one here. In any case, this kernel qualifies.

But that doesn't at all prevent you from proving it in a higher-level system, such as the theorem prover they used. Um, though it would cause trouble if you want to prove the /prover/ correct...

Re:Godel's Incompleteness Theorem?

Or, in simplest terms: "The bag cannot hold itself."

Re:Godel's Incompleteness Theorem?

[Hurricane78]

Uuum, I know Haskell, and you can easily formally verify Haskell code. So did they not do that, or did you just not know Haskell from C?

Re:Godel's Incompleteness Theorem?

From a touchy-feely, non-mathematical, wholly-bastardized perspective, Godel's Incompleteness Theorem basically says:

You can try to make the perfect platform for solving problems, but, one way or another, it's going to suck, and teh suck is provable.

Now we have some researchers who say:

We made a platform for solving problems, and we proved that it is not teh suck.

Will the dispute come to fisticuffs or bruised egos? Of course not. In the first statement, "platform" is a set of axioms of mathematical logic. In the second statement, "platform" is a service providing IPC and mediated access to hardware resources (e.g. CPU, RAM).

I expect (and hope) that the API provided by _any_ OS kernel is too constrained to merit a rigorous examination from Godel's perspective. Instead, Godel's Incompleteness Theorem would be more applicable in understanding the utility of an instruction-set or a programming-language.

Re:Godel's Incompleteness Theorem?

[nizo]

Even better, how about a car analogy for the rest of us?

Re:Godel's Incompleteness Theorem?

[maxwell+demon]

They had threee things: A formal specification, Haskell code and C code. They verified the C code against the formal specification by first verifying the Haskell code against the formal specification, and then the C code against the Haskell code. But that still only tells you that the formal specification, the Haskell code and the C code all three share the same set of bugs. I omitted the Haskell intermediate step because it doesn't give anything new.

Re:Godel's Incompleteness Theorem?

[DMUTPeregrine]

No, they proved that the C translation matched the haskell specification. If the haskell was wrong, the C is wrong, but would be proven "correct" in that it will operate in the same manner as the haskell.

Re:Godel's Incompleteness Theorem?

[digitig]

At least one of the formal specification languages (can't remember whether it's Z or VDM) is based on Russel & Whitehead's theory of types, which isn't omega complete. That prevents the possibility of self-reference which would lead it to fall foul of Godel's incompleteness theorem. It makes the expression of certain propositions impossible (For example, you can't construct "the set of all sets that don't contain themselves" because types are heirarchical, so the type of the members of the set would be different from the type of the set that contains them. You'd have to construct "the set2 of all set1s that don't contain themselves" and asking if the set is a member of itself would be a type error -- it's a set2, and can only contain set1s).

The theory of types turned out to be too weak to build mathematics on, but it turns out to be plenty strong enough for any real-world program specifications.

Re:Godel's Incompleteness Theorem?

[konohitowa]

Gödel applies to all* formal systems. Thus, the same questions could be raised against any mathematical proof. Although I'm initially skeptical about what Slashdot claims that NICTA claims to have done, I'll hold off judgement until I've read more (a shame I'm not as close to Big Sky as I once was -- this might be a cool presentation to attend).

*All non-trivial systems anyway -- which includes any system powerful enough to prove anything meaningful.

Re:Godel's Incompleteness Theorem?

Background on Gödel's first incompleteness theorem

Gödel's first incompleteness theorem states that:
Any effectively generated theory capable of expressing

Re:Godel's Incompleteness Theorem?

Any effectively generated theory capable of expressing elementary arithmetic cannot be both consistent and complete

reflecting the second order nature of the language in question. How would an appropriately extended first order language for a computer look like?

Re:Godel's Incompleteness Theorem?

[yoris]

Hey, as a once (medium long ago) CS major myself, I'd like to comment on your question. I think you're not really referring to Godel's Incompleteness Theorem, which relates more to axiomatic systems then it does to computer programs / algorithms, but to Turing's proof that the halting problem is algorithmically undecidable. The halting problem here is the problem of deciding whether a certain algorithm will run forever or ever halt. Algorithmically undecidable here means that it is impossible for you to build an algorithm such that for any given input program P, your algorithm will say whether or not the program P will ever halt. Important remark: this does not mean that it is impossible for you to prove that a specific program P1 halts or doesn't halt. It just means that it is impossible to write down an algorithm for doing it in all cases. It is even impossible to decide for which cases it is possible and for which not.

A consequence (or more generalized version if you will) of the fact that the halting problem is algorithmically undecidable is that the static analysis problem is also algorithmically undecidable. Static analysis here is the task of deciding whether a program P satisifies a specification S. You can not write an algorithm such that for any combination (S,P) the algorithm will tell you whether the program satisfies the spec or not. That again does not mean that it is impossible to prove that an individual program P1 satisfies an individual specification S1, which appears to be the case here.

To quote wikipedia on the halting problem:
http://en.wikipedia.org/wiki/Halting_problem
While Turing's proof shows that there can be no general method or algorithm to determine whether algorithms halt, individual instances of that problem may very well be susceptible to attack. Given a specific algorithm, one can often show that it must halt for any input, and in fact computer scientists often do just that as part of a correctness proof. But each proof has to be developed specifically for the algorithm at hand; there is no mechanical, general way to determine whether algorithms on a Turing machine halt. However, there are some heuristics that can be used in an automated fashion to attempt to construct a proof, which succeed frequently on typical programs. This field of research is known as automated termination analysis.

Re:Godel's Incompleteness Theorem?

[Tweenk]

Not even that: it says that you can't write a halting problem solver that always gives either a "true" or "false" for programs of length n that is itself shorter than n. In particular, you *can* write a halting problem solver for arbitrary programs of length n, but the checker will always be longer than n.

In fact, you can even write a halting problem solver for programs of arbitrary length, as long as the computer has finite memory and therefore a finite number of states.

Re:Godel's Incompleteness Theorem?

[aminorex]

Nicely put. But there are some problems with this mapping to Godel that occur to me: Firstly, in the first incompleteness theorem, the identity of the formal system of the proof with the system of the theorem is assumed, while in this application, Godel does not seem to apply, because the system of the proof (Isabelle) is a meta-language to the system of the theorem (Haskell). Because the languages are not the same, there is no way to diagonalize the theorems, as in in Godel's construction, so it is not in any way obvious how to recover the result in this case.

Re:Godel's Incompleteness Theorem?

[Prune]

There cannot be infinite many kernels (whether correct or not) unless the kernels can be of infinite size (because you're dealing with discrete systems).

Re:Godel's Incompleteness Theorem?

[TheSunborn]

Let me try to turn the argument around.

There are no specific limit to the size of a kernel. This mean that I can always make a kernel that is larger then the largest existing kernel. This kernel will de unique(Because it's larger then any other kernels).

As I can thus always make a new unique kernel the number of different kernels are not finite. So it must be infinite.

Re:Godel's Incompleteness Theorem?

[TheSunborn]

In particular, you *can* write a halting problem solver for arbitrary programs of length n

For this to be true i think n should be the size of the state space, not the size of the initial program. The complexity does not really depend
on the size of the start program, but the size of the state space.

Just think of something simple like "Game of life". The program itself is small, but the state space is large.

Re:Godel's Incompleteness Theorem?

[Prune]

You cannot keep on making larger kernels because you have a finite number of distinguishable quantum states within your Hubble volume.

Re:Godel's Incompleteness Theorem?

[Prune]

Obviously I'm assuming that accelerating expansion is the correct cosmological model, as the preponderance of evidence implies.

Formal Methods vs Time

[ShipIt]

I had a professor in college, along with several colleagues and students, working on a formal proof for nuclear power plant control software. They had been been working for 5 years and, at the time, were about 10% complete.

Obviously, at that rate, the time to complete the formal proof is probably longer than the lifetime of the particular control system they were targeting.

Hopefully Formal Methods have come a long way since I last studied them 10 years ago. In any case, congratulations to this team of researchers at NICTA.

Re:Formal Methods vs Time

[kamatsu]

Thanks!

Then a driver blows it all up..

[tjstork]

Suddenly after that, the proven kernel will be brought to its knees when someone adds a driver for an old graphics card.

Re:Then a driver blows it all up..

Obviously we need proven graphics drivers. Maybe we need a pop up window saying, "Warning: About to execute Unproven Driver!"

I have no idea if I am joking or not.

Re:Then a driver blows it all up..

seL4 is a microkernel so all drivers run in isolated domains and cannot affect the kernel - so if you have a bug in a driver, all that happens is the driver crashes and the rest of the kernel (and other drivers) keep on running - unlike Linux or Window which are monoliths and a bug in a single driver can bring down the whole kernel.

Re:Then a driver blows it all up..

[maxwell+demon]

Well, the bug in the driver might in principle cause the hardware to fail, and thus kill the kernel.

Re:Then a driver blows it all up..

[Arlet]

Because a microkernel doesn't do much, nearly all functionality has to be implemented by user processes. In a complex system, these processes will depend on each other, so if one has a bug, it has the potential to disrupt another process. If the memory management process dies, the rest of the system won't keep on running.

Re:Then a driver blows it all up..

[kamatsu]

It would only kill the hardware it's dealing with, likely, so the kernel might still keep on chugging. All the kernel needs is memory and cpu after all :)

Re:Then a driver blows it all up..

[kamatsu]

L4 doesn't delegate memory management to a process, that is impossible, because it would then have to manage memory for the memory management process.

Re:Then a driver blows it all up..

[maxwell+demon]

Well, just initiate a DMA onto some memory the kernel uses, and you're toast.

Re:Then a driver blows it all up..

[rhyre417]

Which is EXACTLY why you don't let device drivers run in the same ring/priviledge space as the OS kernel.
Microkernels (in the early days) didn't have device drivers build in - they just provided a message passing layer
that ran in the priviledged space, while other systems services (file systems, the BSD operating system services, etc)
ran in user space.

Nice try, though.

Re:Then a driver blows it all up..

[kamatsu]

In a hypervisor system, not even sure if that's possible.

Re:Then a driver blows it all up..

[Arlet]

The L4 kernel only does the low-level part of memory management, such as managing the page tables. It still relies on a process to do the higher level stuff, such as swapping and (demand) paging.

Idiot poster

every respectable geek knows the amiga hand is not an indication the system crashed, but the hardware asking for its OS.

Nope, the amiga crashes are known for the guru meditation, where the screen goes black and displays a BLINKING RED text.
Most amiga users have jumped out of their seat at least once or twice out of sheer surprise...

But...

[TheDarkMaster]

... we will lost all the fun for Blue Screens and Kernel Panics!

Singularity

[Vahokif]

What about Microsoft Research's Singularity? AFAIK its kernel is written in a contract-based version of C# and can be proven correct.

Re:Singularity

[ledow]

I think the relevant word is "can", not "has". It has the potential to do the same thing but doesn't seem to have made it that far. Provable but not proven?

And besides that, from the very article you linked to, I can spot a number of problems - such that isn't just written in one language and translated to a final, provable "one language + assembly" like the main article, but several (and a lot more than the bare minimum necessary to boot a kernel, it seems). It's kind of mid-way to what the main article has achieved.

Re:Singularity

[bramez]

Singularity (or better, sing#) formally describes the communication between subsystems. At the code level there are still "black boxes" of code that are not specified or verified.

Who proved the proof-checker?

[Dr.+Manhattan]

Recursion (n): see recursion.

Re:Who proved the proof-checker?

> Who proved the proof-checker?

You just run the proof-checker on itself, of course!

It's turtles all the way down.

(Disclaimer: Only for some definitions of "down." Certain exclusions may apply. See store for details.)

Re:Who proved the proof-checker?

[Lord+Ender]

If he were being honest, he would say that recursion is a just convoluted, unnecessarily confusing method of doing iteration. That's not what it means in mathematics, but it is what it means in computer science.

Re:Who proved the proof-checker?

Recursion (n): see recursion.

And this is how the questioning student reacts: "oh...Oh!"

Re:Who proved the proof-checker?

Infinite Loop (n): see Loop, Infinite
.
.
.
Loop, Infinite (n): see Infinite Loop

Re:Who proved the proof-checker?

That's not what it means in mathematics, but it is what it means in computer science.

Sorry, what is your definition of "recursion in mathematics"? It's definition in both mathematics and computer science, as I've learned them, is a function which defines values for its domain inductively via the function's value.

For those who understand functional notation, it is easier to say that "doing iteration" is an obfuscated method of specifying induction.

Re:Who proved the proof-checker?

[Kerrigann]

How would you implement an algorithm that is O(2^n) then?

I wrote a template library for arbitrary dimensional matrix math and interpolation, and since many operations were O(2^n) for matrix rank (like linear interpolation), the *only* sane way to implement them was using dual-recursion.

Anything else, though, and I'd probably agree with you. It's easier probably easier to read a loop than it is to read a tail recursive algorithm for anything but purely mathematical problems.

Re:Who proved the proof-checker?

[Bat+Country]

I'll pass that on to all twelve of them so that they can nod sagely and approve of you.

Re:Who proved the proof-checker?

[Lord+Ender]

Look at it this way: Compile your recursive code into machine instructions, then step through those instructions in your head. There is nothing "special" going on; it's just fancy-pants notation for iteration.

Re:Who proved the proof-checker?

[konohitowa]

I'm confused. Are you saying that the compiler converts recursion into iterative machine code? When I compile recursive code, my compiler doesn't know how to "unroll" that particular type of "loop". Stepping through, piece by piece, in machine is exactly the same as the source -- except the stack frames are explicitly set up, whereas in the source, they're implicitly declared via scoping rules.

I suppose you could make the argument that certain RISC architectures don't set up a stack frame so much as walk the register set through memory, but the whole thing is still recursive.

Re:Who proved the proof-checker?

[Kerrigann]

I'm not saying it's impossible, just that it's *much* harder to understand than simply writing it recursively.

Let me put it this way... suppose in C++ you have a template instantiation defined dimension matrix...

In order to do operations on the matrix, you have to iterate through an arbitrary number of dimensions, then loop over (a subset of) the length of the matrix in that dimension. It's like a for loop inside a for loop, but the number of for loops deep has to be *runtime defined* (well, in my case template defined, but you get the idea). Without recursion you end up either writing gotos, or some other funky math where you determine the overall size of the n-dimensional matrix (dimensions multiplied together) and then loop through that index, and figure out the actual n-dimensional coordinates as you go (messy).

Here it is in code...

        template<typename OpType>
        inline Array& eval(OpType op, IndexType index = IndexType(),
                        size_t dim = 0) {
                for(size_t i = 0; i < extent(dim); ++i) {
                        index[dim] = i;
                        if(dim == Dimension - 1)
                                operator()(index) = op(index);
                        else
                                eval(op, index, dim+1);
                }
                return *this;
        }

where IndexType is some vector unsigneds of size Dimension, extent is a member function that returns the size of the array in that dimension, and operator() retrieves the value at the given location.

This is a (modified for clarity) member function of a class I have called Array, that has template defined dimension. I'm filling the Array by calling the passed in function on every location in the Array, and assigning the result to the location.

You *can* write it without recursion, but it's even more confusing than what I wrote.

There are probably better examples of exponential time algorithms that are clearer, but they make my head hurt.

By the way, at my old job, our simulation had to interpolate lots and lots and lots of experimentally gathered data in big tables (like an 11 dimensional table for infrared signature data). Writing an arbitrary dimensional interpolation library was the *simplest* option :)

Re:Who proved the proof-checker?

[immakiku]

Computer Science is about "adding layers of abstraction". Perhaps nobody has proved the prover, but we only have to put our confidence in one central place now.

Re:Who proved the proof-checker?

[dumael]

Compilers that implement something called Tail Call Optimization can convert recursive functions into iterative equivalents. This relies on the function either: returning a value *or* the result of a call to another function with new parameters. (it can be the same or different function) e.g. a way to do it in C would look like:

f(int x){
.. some code ..

if( cond )
return 0;
else
return f( x + y);
}

Although in C it can look very ugly, for functional languages such as Haskell or Erlang, it is required as you have to express loops through recursion due to only being able to assign to variables once. In these langauges, it looks a lot better as you can pattern match on the value of arguments, allowing you to concisely deal with obvious error or base cases, leaving you to handle the generic cases without worrying about those cases. Scheme implementations are required to implement tail call optimization.

Re:Who proved the proof-checker?

[Jeremi]

If he were being honest, he would say that recursion is a just convoluted, unnecessarily confusing method of doing iteration

Some would say that iteration is just a convoluted, unnecessarily confusing method of doing recursion.

For example, try iterating over all the nodes in a tree without using recursion. It's doable, but more complicated and error-prone than the recursive method.

Re:Who proved the proof-checker?

[badkarmadayaccount]

This is precisely why I prefer stack machines. Built-in recursion basics.

Beware of bugs

[mrjb]

``Beware of bugs in the above code; I have only proved it correct, not tried it.''

Proven?

[mseeger]

There is an old corollary that says, you cannot get from the informal to the formal by formal means. All they have proven is, that two specifications contain the same bugs. Both specification were formal (Haskell, C). This is the same as having Perl and Python code and you to prove they implement the same functionality. Neither is a proof, it is bug free (informal definition of bug, not if a bug is specified it isn't a bug).

Re:Proven?

[Coryoth]

This is the same as having Perl and Python code and you to prove they implement the same functionality. Neither is a proof, it is bug free

A specification is not an implementation (or, at least, shouldn't be). I can write a specification for a square root function (that the result squared is within the error tolerance of the input) that is certainly not an implementation of finding a square root. The specification should be higher level describing what is supposed to happen, while the implementation is more detailed and low level, describing how to make that happen. This means the specification is simpler and easier to analyse. In the case of a formal specification you can use theorem provers to prove properties of the specification (for instance using CSP, a language for specifying concurrent systems, you can prove that the specification will not result in deadlock ever -- and than as long as your code is verfied against the spec, your code cannot deadlock). This is signficantly better than just having two implementations of the same functionality. It is not, as you suggest, a proof that it is bug free (at least not for any reasonable definition of bug), but it can certainly be a proof that certain bugs will not and cannot occur, which is quite a significant thing.

Re:Proven?

[Balial]

I think you're missing the specifics of Haskell. Unlike Python, Perl, or whatever other commodity language, Haskell is designed with a well defined set of mathematical semantics. You're correct that proving a piece of Python code is the same as a pieces of Perl code is useless. But, if I prove Python, C or Perl is the same as (the researchers' subset of) Haskell, I can use this to mathematically reason about properties of the system. Haskell allows you more than just a translation. It means there are things you can know and prove with 100% certainty. Using your example, if you prove a bug does not exist in the Haskell version (which you can), then you've proven it for the other language.

Re:Proven?

[jhol13]

"All they have proven"

It is bloody fucking lot more than anybody else can claim.

To put it in current perspective: they have 100% vaccination against all viruses - past, present and future. Others are might get "soon" hopefully-working for H1N1.

Re:Proven?

[mseeger]

A specification is not an implementation

To prove that a specification matches an implementation 100%, the specification needs to be highly formalized. In this case it was Haskell, which is a functional programming language. It may be not as similar as Perl and Python are, but my statement still stands.

Sincerely yours, Martin

Re:Proven?

[mseeger]

All they have proven

It is bloody fucking lot more than anybody else can claim.

While this is still an achievement and i can honor the amount of work involved (i worked myself silly by proving 7 lines of code during my university times), my comment refers to the phrase "World's First Formally-Proven OS Kernel". Most people think of "proven" as "proven to be correct" (which isn't the same as i tried to point out). Indeed in the university, we had a project at which was named "Procos" (Proven correct systems) to which i always referred to "Probably corrects systems". While i believe that a "proven" system will be of a higher quality than an unproven system, the costs involved usually are to high for the amount of quality increase. My impression is, that the same quality increase can be obtained at much lower cost.

But my philosophical concerns go even deeper. As in this case, software is used to prove the code. In which case, the process of proving is a glorified version of compiling. You start out with a formalized spec and a piece of code. By proving you eliminate the differences between them. Which means you're using software to make sure the output matches the specs. Which is what a compiler does. I'm aware that this is oversimplifying. But proving is (in my eyes) compiling with a manual two way crosscheck of dubious parts.

CU, Martin

P.S. I'm licensing all spelling errors under the conditions of the LGPL.

Re:Proven?

[jhol13]

It *IS* proven to be correct!
It is very, very, minor point to argue what is "correct".

My point is exactly this - everybody else is "light years" away.

I agree, proven systems will be of higher quality than others. The costs? Just a few computer hours so I disagree heavily - we have seen far, far too many failures in _every_ un-proven OS there is. So unless you have counter example - I disagree.

Your equating this to compiler is so huge oversimplification that I must assume you really do think I have no clue. Therefore perhaps it is best to say - "HAND".

I'll have an another beer - licence my errors to that.

what if you made a kernel so perfect

[FudRucker]

the kernel was so perfect that it thought it was god and it condemned the rest of the OS to hell

Re:what if you made a kernel so perfect

[jamesh]

the kernel was so perfect that it thought it was god and it condemned the rest of the OS to hell

Windows is a good example of an OS that _thinks_ it is perfect. Fortunately Microsoft's idea of hell is my idea of heaven :)

Sounds like automated unit test generation to me

Most large scale commercial software that is worth anything has massive batches of automated unit and functional tests applied to it - How does this differ? Are they automatically generating their "formal proof" code (unit tests I assume). If so, how do the automatically generated tests stack up against manually generated versions? I would imagine said tests can catch a variety of bugs, but as regards insisting that a program has been verified "bug free" - I will believe it when I see it.

And that instruction is...

[camperdave]

Every program contains at least one bug, and can be shortened by at least one instruction. By induction, every program can be reduced to a single instruction which doesn't work.

And that instruction is...

HCF.

World's First Formally-Proven OS Kernel - NOT

[neongenesis]

Do some research Guys...

Honywell SCOMP Early 1980s Was intended to me a secure front-end to Multics.

Verified by NSA et all as part of the first Orange-book A1 level certification.

For the time it was a magnificent bit of work.

Re:World's First Formally-Proven OS Kernel - NOT

[TheRaven64]

Thanks, I was surprised by this claim too. I remember hearing back in 2007 about a formally-verified kernel written in Ocaml that some people at Cambridge had written, and they weren't claiming that theirs was the first (although it may have been the first to run on commodity x86 hardware).

Re:World's First Formally-Proven OS Kernel - NOT

[the_fat_kid]

yes, but did it have a spell checker?

Re:World's First Formally-Proven OS Kernel - NOT

You might want to check your facts:

http://www2.computer.org/portal/web/csdl/doi/10.1109/SP.1985.10010

SCOMP wasn't a general purpose OS, and there wasn't a formal proof either.

Still a very cool piece of work for the time.

Re:World's First Formally-Proven OS Kernel - NOT

[ojustgiveitup]

Sounds impressive, but "part of the first Orange-book A1 level certification" != "formally proven".

Re:World's First Formally-Proven OS Kernel - NOT

[neongenesis]

Back At-cha

Virgil's paper talks about the HARDWARE verification (also important, but...) not the software verification.

The SCOMP OS was general purpose. It had a Unix emulation layer over its kernel similar to BSD over Mach. And the kernel WAS verified. The Unix System-call layer was modelled and verified against a security model. They have 10000 theorems, we had about 3500. They use Isabell, we used Boyer-Moore. Sounds like a fairly similar approach.

And you are right: It was a very cool piece of work for the time. I am not trying to denigrate the referenced paper. It sounds wonderful and I look forward to reading it. I just object to terms like "unique" and "first".

Too late

[lisaparratt]

I was fairly sure the OS running on the MONDEX smartcards was formally proven.

Re:Too late

[CortoMaltese]

I was fairly sure the OS running on the MONDEX smartcards was formally proven.

Can't be bothered to look it up in the MONDEX case, but usually only parts of the smart card operating systems are formally proven; it's too costly to cover the whole system. Often it can be (semi-)formally proven that certain security irrelevant parts do not affect the areas being evaluated. (There's a paper on the MONDEX certification for those interested.)

Also, from TFA:

Formal proofs for specific properties have been conducted for smaller kernels, but what we have done is a general, functional correctness proof, which has never before been achieved for real-world, high-performance software of this complexity or size.

Admittedly, smart card kernels can't be referred to as "smaller kernels" if what they have is 7500 lines.

Re:Too late

[lisaparratt]

I'm mostly working from the lectures I had at York on formal verification.

I half reckon they only did it because the students had hacked the previous version of the system to trick the snack machines into giving you free pound coins. Paid for many a CompScis boozy evening ;)

Yeah, but...

does it ru... uhhh... never mind.

excellent news

[Tom]

This should once and for all silence the people who claim that it's impossible to formally verify any non-trivial code.

Oh, what am I dreaming. They won't shut up, but maybe now they'll die out.

Re:excellent news

[Desler]

No, what people claimed was that to formally verify any non-trivial code that it would take a long time to do. This announcement proves that. It took them 5 years to verify 10,000 lines of code for something that isn't even that complex of a piece of code. Come back to us when you can formally verify a sufficiently complex kernel that can actually be put into production in less time and we'll talk.

Re:excellent news

[Tom]

You may have missed that part, but this is not a research kernel, it's an embedded kernel that's actually being used in production.

Yes, it took a long time. It always does, the first time around.

Re:excellent news

[Desler]

Yes, it took a long time. It always does, the first time around.

This isn't the first time around for someone to do this it's just the only one to ever actually finish. Secondly, a kernel used for desktop/server OSes is going to contain a few more magnitudes of code than this thing, so they are going to have to improve substantially in their proving if they are going to be doing this on anything larger scale than a picokernel.

If anything ever replaces the Linux kernel...

I would expect it to be something designed and built along these formal lines. So far, feature set has been the main driver for software development, with robustness coming second. The emphasis seems to be very slowly shifting, as some relatively high level feature sets are reaching a stable point.

In the case of single core CPUs, we do actually seem to have reached a fairly stable performance point now. The way things are pushing forward is with mult-core CPUs, which requires a different mindset of design previously restricted to high end supercomputer and cluster programming. Now even desktop machines will need to start worrying about multi-core related design issues.

This is a more complex sort of programming, and most of the work being done today seems to be more about making existing abilities work faster (naturally, as that's the highest immediate productivity payoff). Which is not to say there won't be a stream of new ideas that continues to flow - what I do mean is that increasingly high level features of operating systems and even system libraries will become "standard" and be worth putting the extra work in for provably correct behavior, particularly in the complex world of ubiquitous multi-core hardware. If you ALWAYS have to implement feature X to support existing design paradigms and tools, and the expected behavior of feature X is well defined de-facto, then it begins to make sense to define it formally as well and insofar as possible forever eliminate it as a source of ANY bugs. This will subsequently free the human resources to concentrate on other problems.

It remains to be seen if the admittedly severe demands of provable software design and development (toolchain, programmer discipline and background knowledge, etc.) can be supported by the broader (non-academic-based) open source community, but given all that it has achieved and the open source tools available in the proof software domain there are definitely some interesting possibilities. Certainly the potential payoffs are exciting! Interesting times.

Hm I thought they proved the mapping

[Nicolas+MONNET]

Hm I thought they proved the mapping from Haskell to C was correct, as well. At lest, so far, for the ARM version.

Wish I had mod points

[Viol8]

This is something that people who bang on about formal proofs conveniently forget - all it does is move the bugs from the source code to the formal specification. And if the spec is detailed enough to be useful it effectively becomes code anyway so you might just as well write the actual code and debug *that* instead.

Re:Wish I had mod points

[TheRaven64]

This is what executable specification languages, like Maude, actually do. I'm still not convinced by the approach, and I did my PhD in a department full of people working on formal specification, because it seems like they end up reinventing programming languages. That's not to say that they don't have some good ideas which can be used to extend programming languages, but starting by discarding 60 years of programming language research doesn't seem like a good model.

Re:Wish I had mod points

That this moves the bugs to the formal specification is true, but that therefore you might just as well write the actual code is an invalid derivation. Formal specification languages are designed with the idea that one should be able to reason about them in mind (be it manually or with the help of automatic/interactive theorem proving, model checking). This typically leads to a language in which systems can be expressed on a higher level, because performance issues are not important: the specification does not need to be executed. Due to this higher level and the fact that they are easier to reason about with tool support, it is easier to find a bug in a formal specification than it is in programming language code.

Re:Wish I had mod points

Is this really true?

Here's a semi-formal (easily formalizable) specification of the function "sort":

For all lists L, for all x,y in sort(L), ( if x <= y then index(x, sort(L)) <= index(y, sort(L)) )

Is this an implementation of the function sort?

Re:Wish I had mod points

[ralphbecket]

I don't thinks that's fair: the spec. just says *what* properties the system should have; the implementation says *how* those properties are provided. Where you can do it, denotational semantics (the spec.) let you say a lot more than you can with operational semantics (the code).

Of course, your argument also suffers from circularity: to debug code you have to have a spec. in the first place to tell you when the implementation is doing the wrong thing.

Re:Wish I had mod points

[Balial]

This is something that people who bang on about formal proofs conveniently forget - all it does is move the bugs from the source code to the formal specification.

Correct!

And if the spec is detailed enough to be useful it effectively becomes code anyway so you might just as well write the actual code and debug *that* instead.

Wrong! The whole point of the spec is that it can be formally checked for bugs. You can prove that the spec no longer contains buffer overflow vulnerabilities, and be sure the code matches it. If all you're doing is hacking on code, you can't prove anything.

Re:Wish I had mod points

Fixing bugs earlier is cheaper than fixing them later.
Formal methods is one particular way of finding bugs at an early stage of the development cycle.

Of course, never fixing the bug leads to an even cheaper development cycle.

Re:Wish I had mod points

[jhol13]

all it does is move the bugs from the source code to the formal specification.

This is like saying "all it does is to to move bugs by entering binary numbers to entering Haskell (or any high level language)".

I.e. bullshit.

Re:Wish I had mod points

[m50d]

Wrong! The whole point of the spec is that it can be formally checked for bugs. You can prove that the spec no longer contains buffer overflow vulnerabilities, and be sure the code matches it. If all you're doing is hacking on code, you can't prove anything.

What good does your proof do you though? You have no way of being sure it's correct. The best you can do is have you or someone else read it - which you could've done with the code.

Re:Wish I had mod points

[Balial]

*blink*

What good does your proof do you though? You have no way of being sure it's correct.

Wait, what? What is it you think you do with a proof?

Re:Wish I had mod points

[lennier]

"Formal specification languages are designed with the idea that one should be able to reason about them in mind "

And why are our general-purpose programming languages NOT designed to be reasoned about?

That's a bug, surely. Why do we put up with it?

Re:Wish I had mod points

[m50d]

Wait, what? What is it you think you do with a proof?

Normally, examine it carefully, publish it if possible, and if no-one notices anything wrong with it, say it's good enough. But you could do all that with the code anyway.

OK, you had me going there for a while...

[pedantic+bore]

This is a nice accomplishment, but L4 is such a minimal kernel that some folks argue that it's not even a microkernel. It's a picokernel.

It's a lot easier to get the kernel right when it only has twelve entry points...

Re:OK, you had me going there for a while...

[noz]

This is a nice accomplishment, but L4 is such a minimal kernel that some folks argue that it's not even a microkernel. It's a picokernel.

Microkernels provde:

• address spaces
• threads
• IPC

L4 checks these boxes. Nanokernel and picokernel are poorly defined, emotive terms. Not reasonable criticism.

Re:OK, you had me going there for a while...

[Balial]

It's a lot easier to get the kernel right when it only has twelve entry points...

That's an incredibly good summary of why microkernels such as L4 are good for security. Keep the pieces small and manageable, and you can even formally prove that your components are correct.
Don't be fooled into thinking this makes it a useless toy, however.

kernel on a kernel?

[gbelteshazzar]

sorry, but they mention that they have linux running on top of their kernel? how can you run a kernel on top of a another kernel?

Not very useful...

[jamesivie]

In addition to what's already been pointed out about formal vs. informal specifications,

1. Running Linux on top of this is no more safe than running Linux directly on the hardware--it's Linux that crashes (though not very often!)

2. Running this on a CPU that has not been formally proven is nearly useless because only part of the system has been proven, which results in an overall system that is unproven.

Re:Not very useful...

[TheRaven64]

That depends. You can run multiple instances of Linux on it, for example, and have it isolate them. A privilege escalation vulnerability in Linux will only compromise that instance of Linux and (at least in theory) there should be no vulnerabilities in the microkernel that would allow the attacker to escape that instance. You could, for example, run an instance of Linux for normal use, an instance of Linux for internet banking, and an instance of Linux for normal web browsing and have them completely isolated. And you can run non-Linux code in another server on the microkernel, of course.

Good News and Bad News

[Jacques+Chester]

First off, as an Australian and a nerd, I am very proud.

Now.

Good news: there is now a formally verified microkernel. 8,700 lines of C and 600 odd lines of ARM assembly. Awesome.

Bad news: it took 200,000 lines of manually-generated proof and approximately 25 person-years by PhDs to verify the aforementioned microkernel.

Conclusion: formal verification of software is not going to take off any time soon.

Re:Good News and Bad News

[jeffasselin]

At the speed commercial IT moves right now? No.

Eventually? I think it would be in the best interest of everyone to work toward making this the normal operation in CS.

Re:Good News and Bad News

What are the chances there's no bug in the 200,000 lines of proof code?

Re:Good News and Bad News

[ClosedSource]

"Bad news: it took 200,000 lines of manually-generated proof and approximately 25 person-years by PhDs to verify the aforementioned microkernel."

Of course I didn't read the article. When you use the phrase "manually-generated proof" does that imply that some of the proving was done by humans? If so, how do we know those PhDs didn't make a mistake?

Re:Good News and Bad News

[immakiku]

He is not correct to say "manual". Those are generated by the machine provers.

Re:Good News and Bad News

[aminorex]

Wrong conclusion that. Right conclusion: Automating this shite is a hella business op.

Re:Good News and Bad News

[evilviper]

Conclusion: formal verification of software is not going to take off any time soon.

Better Conclusion: Assuming the price is reasonable, the world will never need another one... You can run all the buggy and un-verified code you want on top of this kernel, and at worse, that code will need to be (automatically, and very quickly) torn down and restarted when it starts to misbehave.

Re:Good News and Bad News

Good news: there is now a formally verified microkernel. 8,700 lines of C and 600 odd lines of ARM assembly. Awesome.

Bad news: it took 200,000 lines of manually-generated proof and approximately 25 person-years by PhDs to verify the aforementioned microkernel.

Conclusion: formal verification of software is not going to take off any time soon.

Corollary: neither is genome sequencing.

Re:Good News and Bad News

[awolk]

First off, as an Australian and a nerd, I am very proud.

Now.

Good news: there is now a formally verified microkernel. 8,700 lines of C and 600 odd lines of ARM assembly. Awesome.

Bad news: it took 200,000 lines of manually-generated proof and approximately 25 person-years by PhDs to verify the aforementioned microkernel.

Conclusion: formal verification of software is not going to take off any time soon.

25 man-years is not that much, if we really valued it. If the process is modular, 100 persons do 25 man-years in 3 months. Now, I have no idea by what method this was performed, but surely it has to at least be modular over different programs, so that we could, if we really cared about it, have a formally proven whole distribution in a few years.

It is by no means out of reach.

But you are right that it would take all the required man-years away from developing time, so we can be quite confident that it will not be adopted, it would slow down developing time too much to justify the cost for most developers.

Conflicting Theories

[crrkrieger]

Isn't there a theory that if we ever get a formally proven OS that all OSs will instantly vanish and be replaced by something more complex? I think there is a corallary that says this has already happened. Obviously, the proof referred to must be mistaken as my OS is still running as I typ

Re:Conflicting Theories

You forgot that Windows 7 launch is around the corner...

Re:Sounds like automated unit test generation to m

[maxwell+demon]

Formal proofs are not unit tests. Unit tests test that certain values work correctly. Formal proofs show that the code works to the specification in all cases (modulo errors in the proof, of course). They of course cannot find bugs in the specification (which unit tests might, if they test what you thought the specification said, instead of what the specification really said).

Um, maybe I'm missing why this is such a big deal

[idiotnot]

Okay, so you have a proven kernel. But it's L4. L4 provides nearly nothing in the way of functionality, just thread scheduling, and very rudimentary IPC.

Yes, an L4 kernel can be written in anything. Most variants have been written in C, but L4-Pistachio was written in C++. Anything that adheres to the L4 specification works. So it could be written in pretty much anything that doesn't require significant runtime libraries (and the associated overhead for filesystem handling, etc.).

Someone care to enlighten me?

All this talk about Amiga?

I was born in 1989, you insensitive clod.

And if the spec has bugs the program will have bug

[Viol8]

So who gets to prove the spec then?

Formally proven software

[jdimarco]

In layman's terms, formally proven software is software written twice, once as a formal specification, and once as code, and then the two are proven to be equivalent. This is a labour-intensive way to write software, and it makes bugs much less likely, but it's not perfect: there can be corresponding errors in both the code and the specification, and there can be errors in the proof too. But nothing is perfect, and this certainly can be a good approach to write code that is as close as possible to bug-free.

Re:Formally proven software

One important point of their approach is that errors in the proof are actually not possible. Now, philosphically, a 100% proof is not possible. But, would I bet my life on the fact that their PROOF (note, I am not talking about the spec, just about the proof) is correct? Well, people bet their lifes for a lot less, for example when they enter a plane to fly into their holidays.

If Donald Knuth wrote it...

[hubert.lepicki]

he would probably say:

"Please be aware of bugs. I just proven this kernel to be correct, didn't actually run it" ;)

Haskell actually does something useful?

[gestalt_n_pepper]

That would seem to be the bigger story. Up to now, it's looked like some form of mental masturbation popular only with computer science professors in academia and kids living in Mom's basement.

Great work, but...

[Salamander]

...there are two caveats. One is that "executable specification in Haskell" is a bit of a dodge. It means that they have effectively verified the translation from Haskell to C, but if there are bugs in the Haskell then there will be bugs in the C as well (in fact this is part of what they've proven). They admit as much at the very top of http://ertos.nicta.com.au/research/l4.verified/proof.pml, but it still leaves the question of why this is any better than simply rewriting the microkernel in Haskell. If the benefit of a concise and abstract specification is lost, what's left?

The second major caveat is that they had to leave out some features that they couldn't verify. Most significant is that they didn't verify multi-core - by which it seems they mean multi-processor, but "multi-core" is the much hipper word. Since even laptops are multi-processor now, this limits applicability until they take the next step. With all of these shortcuts, though, if you look at the list of what they did manage to verify - mostly pointer errors and overflows - it's not clear that it couldn't have been done with a more real-code-oriented tool such as the Stanford Checker or sparse.

Re:Great work, but...

If you read further, you will see that they derived (and proved) the Haskell code from formal specification too. This was a previous step.
Also, the work is interesting because the C implementation is not a direct translation from the Haskell specification, but a reasonable performant optimized one.
Finally, saying they "mostly" managed to verify there are not pointer errors or overflows is falling really short. They claim to have proved that the C code does what the formal specification says it has to do. It's a much broader statement.

Re:Great work, but...

it still leaves the question of why this is any better than simply rewriting the microkernel in Haskell.

Do you know how big the Haskell runtime is? Good luck proving anything about it. Not to mention achieving good real-time performance in the presence of a garbage collector.

it's not clear that it couldn't have been done with a more real-code-oriented tool such as the Stanford Checker or sparse.

... the reason they don't just run one of these static analysis tools on the C code is that they work on a much shallower level than a formal proof, so they have a limited view of the high-level semantics of the code. For example, they can't show that the kernel will never panic or loop forever because one of its internal data structures is malformed. The formal proof can, and does (assuming that there are no random bit-flips due to cosmic rays, of course).

Re:Great work, but...

[kamatsu]

Haskell's garbage collection works (or should work) based on formal inference -- seeing as they translated the haskell to C manually, they would have proved the garbage collection as part of the deal. Also, haskell's prelude and basic libraries have already been formally proven.

Because of formal inference, a good Haskell compiler knows exactly when and what will be garbage collected at compile time - there is no mark-and-sweep approach like Java. It's no worse that manually freeing stuff in C, in fact it's substantially better.

Re:Great work, but...

Or if one wonders if an automated Haskell to C compiler could have done the job too; proove that is correct and bug free and off you go. Saves even *having* the C code lying around!

(The issue then becomes 'proving your C compiler is bug free'...)

(Ah, I see the issue. I think the issue is the haskell definition may not detail how to implement the operations suffiently that can be easily detailed in C. I think the argument runs, "It's possible to prove the C written implementation 'conforms' to the Haskell definition; but the Haskell definition doesn't detail enough to implement it on a real-world processor like C can." Writing an automated Haskell-to-C compiler would entail embedding a lot of the implementation details in the compiler; which becomes difficult to prove. For example, I guess the Haskell doesn't say *how* to disable interrupts; merely 'disable interrupts'. The C code has to do the actual work.

Plus, Haskell is functional, not procedual.)

I guess the other thing is the 'automated theorm proover' - if this could be automated, imagine the level of reliablity we'd get. Write the Haskell, write the C implementation.. automatically proove the C conforms to the Haskell.)

Re:Great work, but...

but it still leaves the question of why this is any better than simply rewriting the microkernel in Haskell. If the benefit of a concise and abstract specification is lost, what's left?

Because running arbitrarily programs in Haskell on a bare CPU is probably a bigger work than writing a pico-kernel - if it is at all possible: you have to write many parts of Haskell-OS, most precisely you have to implement all the dynamic memory management (and prove that you never run out of memory - good luck)

It mostly defeats the point of having a pico-kernel.

congratulations!

[speedtux]

The kernel has now been proven to implement buggy specifications precisely!

Undecidability?

[allcaps]

Wait, what if there is a bug in the Isabelle Theorem Prover...? I think Godel just turned in his grave.

You mean they aren't all tested like this?

[Remus+Shepherd]

As someone who does not work in IT, count me as surprised that not all OSes are tested this rigorously.

Re:You mean they aren't all tested like this?

[maxwell+demon]

Linux has more than ten million lines of code. Given that they needed 5 years for 12 persons to verify ten thousand lines of code, this means verifying the Linux kernel would give an estimated cost of 60,000 man-years. So even if they got a thousand people doing nothing else but verifying the Linux kernel, it would take then 60 years to finish.

Re:You mean they aren't all tested like this?

[DerekLyons]

That more like "not only doesn't work in IT, but doesn't know of or understand the theory". No slam, just the facts.
 
Seriously, the reason all OSes aren't tested this vigorously is that the time/amount of work needed to do so rises exponentially with the size/complexity of the OS. Not only does that imply the OS would take years to bring to market, but also that said OS would incredibly expensive. Worse yet, after all that time and expense, all you've actually proven is that your running code matches your specification - you're protected against errors arising from faulty programming, but not from errors arising from conceptual errors in the spec or from incorrect algorithms embedded in the spec.

Re:You mean they aren't all tested like this?

Someone with mod points mod the OP funny.

Re:You mean they aren't all tested like this?

[evanbd]

After seeing how most modern OSes behave, this surprises you? Seriously? I can understand thinking they should be, but not that they are. Also note, this isn't a test methodology, it's a design methodology. As someone who has worked in CS, I'm inclined to think OSes and programs should be held to this standard in a very small number of cases — namely life support applications and some avionics applications. But for most other things, it's too expensive. (That's not to say that most programs shouldn't use better design and coding techniques to reduce the bug count / severity, but rather that there's a huge gap between normal practice and formally correct in which "better" resides.)

Re:You mean they aren't all tested like this?

As someone who does work in IT, count me surprised that somebody is surprised that not all OSes are tested this rigorously. I guess I take it for granted that even the most basic of programs are too complex to prove or test completely.

Re:You mean they aren't all tested like this?

[PCM2]

...give or take the fallacy of the mythical man-month.

Re:You mean they aren't all tested like this?

[ojustgiveitup]

tested rigorously != formally proven

Re:You mean they aren't all tested like this?

...count me as surprised that not all OSes are tested this rigorously.

Well, maybe that not are rigorously tested like this but some are. For example two I know that were rigorously tested using such methods were Windows millenium and Windows Vista.

Re:You mean they aren't all tested like this?

hey it compiles! let's ship it!

Re:You mean they aren't all tested like this?

[lawpoop]

this means verifying the Linux kernel would give an estimated cost of 60,000 man-years.

I take it you've never read _The Mythical Man Moth_, starring Richard Gere.

It might take 60,000 man-years, or it just might take 2 years of one talented, bright, but a bit stuck up and condescending hacker.

Re:You mean they aren't all tested like this?

[lennier]

"So even if they got a thousand people doing nothing else but verifying the Linux kernel, it would take then 60 years to finish."

And all the time lots of highly motivated black hats are banging on that code looking for holes, and while the 'good guys' have to be right in every one of those 10,000,000 lines, the bad guys have to only find ONE flaw.

So the probability of anyone running Linux getting 0-day pwned is... ?

Sorry, this cowboy approach of unverifiable code just isn't acceptable any more. We need to do better.

The words

[AP31R0N]

KLAATU!
BARADA!
NICTA!

T800 Transputer

[RoccamOccam]

Inmos use formal systems to assist in the design of the T800 transputer's floating-point unit. This happened about the same time as the 486 floating-point failures were getting publicity. Inmos claimed that they had been able to develop the unit so quickly because of their approach. As I recall, they first proved that their occam implementation of the floating-point spec was correct (done for an integer-only transputer) and then used automated translation to convert the code into Z (a machine-description language). The T800 was a remarkable microprocessor for its time.

Re:T800 Transputer

[Burnhard]

I did a course in formal specification using Z at University. It was pretty straightforward but the problem comes when the programmer has to interpret the Z into some language. This was 15 years ago; I guess there are proofing tools available now that will look at your code and decide whether or not it's consistent with the Z specification. As long as there are no bugs in the proofing tool that is. There's no way of proving that the entire tool chain is correct, so there's not a 100% certainty that the specification matches the executable as the example above seems to imply.

Halting Problem?

[internic]

I'm not a computer scientist, so this may be obvious, but how does the halting problem come into this? I mean, the summary suggests that you know this OS won't crash, but wouldn't a general method for proving that be solving the halting problem? I'm guessing that the answer is that they've just proved it meets the spec, and the spec cannot be proved not to crash. Or perhaps it's that they've proved that this program won't crash by a method that's not generally applicable to all problems, so they would not have solved the halting problem. Okay CS people, what's the answer?

Re:Halting Problem?

[Diss+Champ]

The halting problem basically says you can't write something that will take in every arbitrary program and prove that each will halt. It does NOT say that there exist no programs that can be proven to halt. All the research shows is that a particular program adheres to a particular specification.
Note that the halting problem basically means that when analyzing an arbitrary program, one possibility is that the analysis fails to be conclusive in bounded time.

Add appropriate definition of 'halt' if pendantic, I'm just trying to get across the idea.

Re:Halting Problem?

[internic]

So the point is that the method they're using is not general?

Re:Halting Problem?

[Diss+Champ]

Yes. Or the point is that they only applied the method to one particular program in this case.

There is plenty of good software made using formal methods, but it is much more expensive to develop formally proven software, and not all software is formally provable as correct or incorrect. One has to be careful with the specifications and implementation (for reasons including the halting problem) for the problem to be tractable or economically reasonable. Most software using formal methods is for things were something going wrong is very very bad. There is a lot of interesting work going on in trying to set up a good formal chain- I was reading an article on a formally proven compiler for a subset of the C language the other day. As some others have pointed out, if you can't trust your compiler, it doesn't matter if your spec and source code are equivalent. Likewise, if you can't trust you OS, which is what is nice about having even a little kernal proved is helpful for as a building block.

Most commercial software operates on the principle that it only has to be good enough to convince the customer to pay for it. In that sense, the degree to which a given piece of software sucks is very much the customer's fault, as unfair as that may sound. We vote with our wallets.

Now all we need....

[Clairvoyant]

Now all NICTA needs is an aproved website!

I don't trust authorities that talk about quality and standards while not supporting them themselves.

W3C on their http://nicta.com.au/:

Errors found while checking this document as XHTML 1.0 Transitional!
Result: 72 Errors, 1 warning(s)

Re:Now all we need....

[kamatsu]

I work at NICTA from time to time. Will raise this with them.

GL

[fulldecent]

Good luck with that EAL7 certification.

Oh, and Integrity is only EAL6+

http://www.ghs.com/products/rtos/integrity.html

It's paravirtualization

[Lemming+Mark]

Disclaimer: my background is on working on Xen but I have a research interest in L4, amongst other things. Should also note that I've not yet RTFA'd but I will do as it sounds awesome.

Paravirtualization is where you modify a kernel so that it can run on something other than "bare hardware". Often in this situation you call the kernel that *does* run on bare hardware the "hypervisor" to distinguish it from the Linux (or whatever) kernel running on top. In this case Linux is running on top of their L4 kernel as a userspace program - instead of accessing parts of the hardware to get its job done it uses L4 system calls. This is basically the same as what Xen does, with L4 taking the role of the hypervisor. Researchers working on L4 have been playing with Linux-on-L4 for many years - longer than Xen has been about, AFAIK.

One nice trick you get, in this case, is that you have the ability to run Linux programs on your nice, formally-proven microkernel. But alongside that you can still run programs *directly* on the L4 kernel, independently of Linux (or with some controlled interaction with it). So, say you have some untrusted code you want to sandbox - you can run it directly on L4, which (now) has proven security properties. Or perhaps you have a crypto app which you want to isolate from Linux in case a root exploit leaves it vulnerable - you can run it directly on L4, outside Linux. You could potentially do similar things for programs that need realtime guarantees - let normal applications get scheduled by Linux's scheduler and realtime apps run directly on L4.

Basically, having L4 there is giving you an ability to start other "virtual machines" running paravirtualised OSes or high assurance applications. It's always been part of the goal that because L4 is simpler than Linux you get to have high assurance that it'll do what it's supposed to. Now a derivative has been formally proven the guarantees could potentially be even better.

The TUD:OS demo CD website has some interesting information about a real-world system that mixes the ability to run (multiple) Linux virtual machines, plus isolated secure applications, all under a security-oriented GUI. It's a pretty cool demo and you can run it as a LiveCD: http://demo.tudos.org/

condescension

[fortunatus]

I really hope that the marketing folks at that company know what they are doing, because I found the voice used in their web site and white papers really condescending. There seems to be an assumption that the reader is utterly surprised that formal proof techniques exist, and also there seems to be an assumption that the reader will be bored by meaninful details - like "take our word for it, because you'd fall asleep or wander away if we really tried to explain it".

Odd, because on the other hand, they seem to be trying to be up front about the boundaries of their proof. I just think it is possible to layer a presentation to different degrees of interest without comming off so jerky.

What's an "Amiga Hand?"

[kriston]

What's an "Amiga Hand?"
I think you meant "Guru Meditation."
The "Amiga Hand," as you call it, is the boot menu on the first floppy-disk Amigas.

Re:What's an "Amiga Hand?"

[aminorex]

Talk to the guru.

There's no foundation.

[russotto]

Q: How do you know the theorem prover is correct? Have you verified it?
A: We have not formally verified the theorem prover (you could, but note the potential for an infinite conversation if we said yes here). It is a so-called LCF-system that constrains any correctness-critical problems to a very small part of the prover. We have strong confidence in this small core.

IMO, they've got nothing until they've verified the prover. I don't really think their confidence makes the correctness of the prover axiomatic.

Re:There's no foundation.

The prover is Isabelle. The confidence that Isabelle is correct comes from the fact, that Isabelle itself is built on a very small proof-kernel, which can be checked by manual inspection of the code. Of course, in the end, there is no absolute proof. On the other hand, if I have an Isabelle proof that Mac OS X meets its specification (is there one :-)), then I surely have much more than NOTHING ... In fact, if I could do that in a weeks worth or so, and would become an instant billionaire. So your NOTHING is pretty much SOMETHING.

Not so useful?

[ivoras]

"Formally proving" a kernel is something like formally proving your memory allocation algorithm will never fail, providing there's infinite memory available, proving your IO is perfect, providing there's 0 latency, infinite bandwidth and storage, and your security is unbreakable, providing absolutely everything is protected by one-time pads.

In real life, the situation is best described by the old saying: no battle plan survives first contact with the enemy. Kernel bugs are surely not uncommon but at most contribute to about 50% of the system (in)stability - the other half being the "real world" with which the kernel interacts: hardware, its greater environment (e.g. the network) and users. The kernel might be perfect, but at the same time can very elegantly go to pieces the first time it receives an invalid ATA response due to a flaky cable or it misses and interrupt timing because memory allocation algorithms take a little bit too long to defragment or find free space, or the users sets the root password to "god" and leaves a root-login-enabled sshd running. Even CPUs themselves have bugs.

In short, it's nice but the world will not suffer much if other popular kernel don't ever get to be formally proven.

Re:Not so useful?

"Formally proving" a kernel is something like formally proving your memory allocation algorithm will never fail, providing there's infinite memory available, proving your IO is perfect, providing there's 0 latency, infinite bandwidth and storage, and your security is unbreakable, providing absolutely everything is protected by one-time pads.

Is it, or are you guessing it is?

Checking Consistency

[Robb]

A machine-checked proof means they are checking that the implementation in C is consistent with the specification written in Haskell. Your confidence that the kernel is correct is exactly your confidence that the specification in Haskell is correct. The C code is 7500 lines, I wonder how big the Haskell code is. This has nothing to do with Godel's incompleteness theorem as correct doesn't mean anything even close the formal definition of complete.

Re:Um, maybe I'm missing why this is such a big de

[Lemming+Mark]

Disclaimer: my background is on working on Xen but I have a research interest in L4, amongst other things. Should also note that I've not yet RTFA'd but I will do as it sounds awesome.

Well, for one thing you can use L4 as a hypervisor. L4 doesn't provide much in the way of high-level functionality - but neither does hardware. It can act as a hypervisor for running Linux VMs on. Bang, you've just formally proven a hypervisor so you can - hopefully - make precise guarantees about security between VMs, etc. In reality the picture is unlikely to be quite so rosy, since you still need to provide virtual devices to your VMs and there are potential security holes in paravirtualised device drivers. Still, it's a step in the right direction - the direction being that we can be *really* certain about how isolated VMs are, despite sharing the same hardware. And that isolation is, after all, part of the core purpose of virtualisation.

Going a bit more futuristic / researchy, there's been various work on running special high-assurance applications directly on L4 *alongside* Linux. So, for instance, modified versions of your crypto apps can be protected from Linux kernel exploits by running them outside Linux on L4 and using a very narrow communications channel to minimise the available vectors for an attacker. Or, conversely, you could distributed untrusted "applet" code to people that can be run directly on L4 - then they can run it outside Linux so they don't have to trust it as much.

Some of these concepts are demonstrated on a (separate) L4-based demo OS here, which is pretty cool: http://demo.tudos.org/

Didn't Alan Turing prove this is impossible?

[David7]

From Wikipedia:

He went on to prove that there was no solution to the Entscheidungsproblem by first showing that the halting problem for Turing machines is undecidable: it is not possible to decide, in general, algorithmically whether a given Turing machine will ever halt.

A link to the Wikipedia article: http://en.wikipedia.org/wiki/Alan_turing

Amiga Guru Meditation/Grim Reaper

[amigabill]

Uhm, the Amiga Hand is not a bug or crash screen. That's the ROM telling you the floppy drive is empty and it wants some bootable media. It would pretty much never be seen with a hard drive system.

The Amiga crash screen is called the Guru Meditiation. It's either a red or yelow blinking box with some cryptic text inside, which only a developer would try to understand. Red is crash, yellow is "recoverable alert", which may leave the computer running but a crash is frequently soon to happen after a yellow guru. Earlier AmigaOS versions only had red, yellow was added sometime in 2.x or 3.x versions.

I think for the much more recent 4.x versions of AmigaOS, it's been changed to the Grim Reaper, and it's more of a window than a black screen with a blinking thing in it. Chances of recovering and continuing use are much better now.

NOT TRUE: Remeber Dijkstra & THE?

[fortunatus]

In the 1960's Edsger Dijkstra (arguably one the founding fathers of "Computer Science", at least as a university subject) led a group at Eindhoven to develop a multiprocessing OS called "THE". The kernal was formally proven BY HAND .

I daresay the folks who have made this recent excellent achievement are likely well aware of THE, and therefore are being specious in claiming to be the world's first at doing this.

Re:NOT TRUE: Remeber Dijkstra & THE?

[BlueSpam]

Mod parent up. Dijkstra's paper on THE was the first paper I read in my grad OS class, and he was an ardent supporter that ALL computer programs should be formally proven. Now whether you could actually call THE an OS, in the modern sense, could be debated...

Re:NOT TRUE: Remeber Dijkstra & THE?

The same Dijkstra who claimed that students should not be allowed to as much as touch a computer at school until they approach it with their homeworks completed, coded on paper *and* formally proven? God luck with that in the hacker community! ;-)

Re:NOT TRUE: Remeber Dijkstra & THE?

[fortunatus]

The proof claimed in the preset work covers only the microkernel part of a full OS. This is a similar level of complexity to the lower levels of THE, even to the point that virtual memory was excluded from both proofs. In the case of THE, the hardware did not support it. In the case of the present work, the authors of the web site listed virtual memory as specifically excluded from the proof.
 
(THE had a software segmentation scheme, assisted by the compiler.)

Re:And if the spec has bugs the program will have

[digitig]

Prove the spec against what? The spec just says "This is what the kernel does". It's up to the client to decide whether what the kernel does is any use for them.

Re:And if the spec has bugs the program will have

[Viol8]

A spec that high level is useless for properly proving a program.

Re:slow peice of crap

[Lord+Bitman]

most modern languages attempt to get speed boosts by abstracting-away low-level stuff and providing mechanisms to specify or ensure the exact constraints of a system, so that optimizations can be made.

C still gets all its speed boost from having no abstraction, forcing the programmer to hand-optimize everything, or to format code in such a way that the compiler can make a few sloppy guesses about when optimizations should be made (the "can be made" thing isn't really worth mentioning, since C doesn't allow enough type-constraints to let the compiler make anything resembling an intelligent decision, so all optimizations are pretty much "does this get used this way right here? No? Okay then, I can do this...", always lowest-common-denominator stuff- pretty much just glorified macros ("I've seen that pattern before, You seem to be looping through every element of an array and copying everything.. I'll just change that to a re-implementation of memcpy for you...")

Low-level optimizations and hand-optimizing things will only go so far- yeah, we can all just switch to assembly and get a minor speed-boost by hand-optimizing everything, but nobody does that (for speed) anymore. Eventually, being able to say "This loop is safe to run in parallel" or "just give me the first match, I don't care how you do it", is going to be faster than "loop through this. I've given you all the pointer offsets in advance, so you can skip a dereference step!" or "Let me tell you exactly how you should find a match...."

Re:And if the spec has bugs the program will have

[maxwell+demon]

Prove the spec against what?

Against whatever those who wrote the spec intended it to say.

A truly marvelous

[autophile]

I have written a truly marvelous bug-free operating system, however there is not enough space on this disk to include it here.

Re:And if the spec has bugs the program will have

[Chelloveck]

So who gets to prove the spec then?

It's proven by the program that conforms to it. Duh!

Re: most faults hardware faults

[neonsignal]

You're one of those overclockers aren't you... I can tell...

Relation to UCLA work from the 1970s

[ljosa]

How is this different from what Walker, Kemmerer and Popek did in the 1970s with the UCLA Unix security kernel? See their 1980 paper.

Re:Um, maybe I'm missing why this is such a big de

[idiotnot]

Okay, I understand that. My past with L4 has been more varied. I've played around with L4-Linux and DROPS, as well as the beginnings of the GNU/Hurd port.

But I can definitely see the benefit of sandboxing applications separate from Linux. Particularly applications that don't do a lot of direct filesystem or hardware access. Still a lot of work to be done, however. :-)

(Of course, this sounds a hell of a lot like what you're supposed to be able to do with native Hurd applications, where you could theoretically do most operations through native IPC, whether that's Mach or L4 or Coyotos or whatever)

It helps.

The important point is: Specifications should be easier to read and understand than code generated from it. (I don't want to enter a discussion whether specifications /are/ easier to read, nowadays.)

And they proved that their translation process is sound, so its reliable.

Interestingly, they didnt say how many lines of code they had to write in Haskell.

It a bit more complex so don't get too excited

[mikefocke]

One: they appear to have evaluated/proven their own work, always a dangerous thing.

Two: they claim to exceed Common Criteria requirements but don't claim Common Criteria evaluation successfully completed which would require a third party evaluation of their methodologies, designs and code against a Protection Profile. This a is a wonderfully complex process usually involving the developer organization, the evaluators and a national standards body empowered to oversee the effort, make their own tests and ultimately grant formal Common Criteria evaluation. In an effort I participated in, it took at least a dozen documents, millions of dollars and dozens of months to get a robust OS through an evaluation. This was done by a very talented group that had more than a dozen years experience providing evaluated products and getting them approved. And such evaluations are country specific as the spook agencies in each country want to have their own look and say.

Three: what is left out of this OS is what makes an OS usable in the real world to do real things that people want to do...like work over a network or work with files.

Re:It a bit more complex so don't get too excited

[kamatsu]

Three: what is left out of this OS is what makes an OS usable in the real world to do real things that people want to do...like work over a network or work with files.

Do you know what a microkernel is, and why they are so forcefully advocated?

Re:And if the spec has bugs the program will have

[digitig]

Why so? They have precisely specified what the kernel is to do, and have proven that it does it. Whether it's what you want it to do isn't their question, it's yours.

Re:And if the spec has bugs the program will have

[digitig]

Who cares what they intended? All the users of the kernel care about is what is actually specified. This isn't a top-level application where there's a mapping to real world intentions ("prevent the aircraft from crashing"), this is a building block, and the builders need to decide whether it's the right size and shape for whatever they are building.

It's formal, but is it correct and bug free?

[uarch]

Just because someone did a formal proof doesn't mean it's correct, bug-free, etc. That's obviously the intention but just as people make mistakes when writing the initial code, people also make mistakes when doing the formal proofs.

Formal has been used for various pieces of hardware verification for a while. It's fairly easy to find examples of very real bugs that made it past formal.

The most famous one is probably the old, infamous Intel FDIV bug. Bob Colwell (PPro, P2, P3, P4 Chief-Architect) gave a talk at Stanford back in 2004 and one of the interesting slides brought up the FDIV bug and how it was "formally proven" but the formal proof was wrong.... Oops.

(You can find video of the talk online - great talk - check it out)

Microsoft will never use such a technology!

[wprowe]

Microsoft will never use such a technology. Imagine how long it would take for the next release of Windows if Microsoft had to prove it met all of its specifications as documented? Oh, and imagine if Microsoft actually had to prove that they implemented a standard as specified by an authoritative, recognized standards body (i.e. LDAP, HTML5, JavaScript, etc)? I think this is great for embedded systems where failure can equal catastrophe. How long will it take to apply this formal methodology to an end-user operating system like OS X, Linux or Windows?

Re:Um, maybe I'm missing why this is such a big de

[Lemming+Mark]

Btw, sorry if I repeated anything you already knew / had thought of.

Your original point was, I should say, highly valid in the sense that this isn't going to affect any of our desktop / server OSes very soon. But it's promising as an advance in the state of the art nonetheless. Also, I guess if they'd written "formally proven hypervisor", that sounds more useful and is also somewhat accurate - although I don't think anyone uses L4 commercially as a hypervisor. Another spanner any hypervisor will need some kind of device driver virtualisation which can often be a means of increasing the amount of trusted code (e.g. on Xen you basically trust all of the dom0 VM - including Linux - to do the right thing since it has IO privileges, even though the hypervisor itself is quite small).

The TUD:OS demo CD includes (IIRC) some sandboxed applications, such as some port of gpg to L4. It also features a minimal secure GUI that runs outside of Linux and can be used to isolate things - pretty cool.

GNU/Hurd always seems like a really awesome system to me. But last I read they had decided that L4 doesn't suit them and that they want to write a new microkernel. Disappointing :-( I really want to be able to use (and hack on) that thing but I'd like the project to look a little more well-defined first!

Re:slow peice of crap

You really think C has *no* abstraction? So when you define a variable, you define the memory address for it then? You choose which registers to use in calculations? Look, even ASSEMBLY uses some abstraction; only machine language does not.

Re:Um, maybe I'm missing why this is such a big de

[idiotnot]

Nono...you helped me look at it a different way! :-)

any hypervisor will need some kind of device driver virtualisation which can often be a means of increasing the amount of trusted code (e.g. on Xen you basically trust all of the dom0 VM - including Linux - to do the right thing since it has IO privileges, even though the hypervisor itself is quite small).

Right. And you're still at the mercy of whatever drivers on dom0 might be flaky. Something like a network device driver that's susceptible to a DoS attack....that can be exploited by anything running in a domU, and the entire host goes kaboom. I'm not sure if virtualizing the driver is enough, because it still reveals the underlying hardware. I understand there's a performance hit, but if every NIC in the world is an e100, well, you have only one flaky driver to worry about with the domUs, while the dom0 might be running a Marvell gigabit or whatever.

The TUD:OS demo CD includes (IIRC) some sandboxed applications, such as some port of gpg to L4. It also features a minimal secure GUI that runs outside of Linux and can be used to isolate things - pretty cool.

I'll have to take a look!

GNU/Hurd always seems like a really awesome system to me. But last I read they had decided that L4 doesn't suit them and that they want to write a new microkernel. Disappointing :-( I really want to be able to use (and hack on) that thing but I'd like the project to look a little more well-defined first!

I haven't followed nearly as closely as I used to. I guess the bigger point with them is the longer they go without a compelling release, the more difficult it becomes for them to release anything people would want/need. I think that might have been some of the impetus behind the eventual Minix-3 release; let's get something out that proves our point. It doesn't have to beat Linux or BSD, but has to have something else compelling, and enough of a framework that shows potential for future growth.

I've also wondered if they might be able to look at seeing what they can do with either NetBSD or DragonFlyBSD's kernels. NetBSD, of course, gives you Mach compatibility, a halfway decently-performing FFS driver, etc. DragonFly's LWKTs might be a more hospitable environment for HURD daemon porting from Mach. Use it to strip down to just what you need, much the way they did between Mach releases. 2.5, 3.0, and 4.0 are all very different from each other.

Useful proof, makes bug finding easier

[Killotron]

Doing formal software verification on any non-trivial sized code quickly devolves into a nightmare. Proofs like this have long been the goal of the software verification community, and it's good to see this positive result. Regarding the verification, it's actually quite useful. If you run into a bug, it's because you're using the kernel incorrectly or the kernel has been improperly specified. This verification eliminates the need to search for bugs within the kernel itself. Its behaviour has been verified as exactly meeting the specification.

actually....

[JustNiz]

>> "Operating systems usually have bugs -- the 'blue screen of death,' the Amiga Hand,..."

Not to be a nerd but the function of the Amiga hand is only indicate that you need to insert a bootable floppy.
Actually the Amiga euqivalent of the blue screen of death is the Guru Mediatation, which in early Amigas is a red flashing box. In later Amigas it became a dialog box.

Re:And if the spec has bugs the program will have

[maxwell+demon]

Well, for one, they claim to implement an L4 kernel. Now I don't know exactly what it takes for a kernel to be an L4 kernel, but certainly it means certain behaviour can be expected. So if their spec makes the kernel not behave like an L4 kernel, it is buggy.

Re:And if the spec has bugs the program will have

[digitig]

Well, ok, so it has to provide address spaces, threads, scheduling, and synchronous inter-process communication (but not in any particular way, AIUI). I think that checking that those are included in the spec could be pretty reliably assured by review, don't you?

Re:Um, maybe I'm missing why this is such a big de

[Lemming+Mark]

By running device drivers in isolated virtual machines *and* using an IOMMU (for which you need suitable hardware, obviously) you can substantially reduce the harm device drivers can do ... They won't be able to abuse DMA hardware to write to any memory locations they want, they're stuck with writing to memory that guests provide them with. If the guests do crypto / checksumming then that could in principle cut down device drivers' ability to do harm to a "mere" denial-of-service.

If you can do this then you could probably engineer a system with a relatively small trusted base. There's been an ongoing conversation about "dom0 disaggregation" under Xen, which I believe is aiming to do something like this - that would remove having an entirely Linux distro as part of the trusted computing base, which would be A Good Thing ;-)

Although I'm discussing Xen, there's no reason that L4 or some other system could not use the same hardware to get the same effect. There have been various projects using L4 to isolate Linux or Linux drivers in VMs, so it's a logical thing for them to do too.

Re HURD - indeed, it would be nice if they had a release. The Mach version had things like userspace filesystems years before Linux has FUSE. Always struck me as a system with lots of benefits - and it would be nice to see the GNU project finally become a "complete" UNIX replacement. I was hopeful about their use of L4, as its known to be (capable of being) very fast. I'm really not sure where (if anywhere) they're going now; they do seem to lack a strong lead / direction, which like everything has both benefits and costs.

I didn't know NetBSD had Mach compatibility - do you mean it can run on top of Mach? That's cool. I don't, to be honest, know a whole lot about Mach - and to make things more complicated I have the impression there are several versions floating around out there. Minix is another OS that I've not become very familiar with.

DragonflyBSD is a very cool OS that I've been watching with enthusiasm for some time. I think it's a shame that they've not been able to complete their original SMP scalability work yet, as it was one of their original goals. But most of the other stuff they've been doing - HAMMERFS, SYSLINK, etc - are quite interesting. There's not been enough that's different about DragonflyBSD to get me running it just yet but that may change.

Limb mismatch error

[Lemming+Mark]

The Amiga Hand was the boot screen, not an error screen.

But ... but ... you can't wear a boot on your hand!

Offtopic

Your signature scares me. Not that I'm surprised, just... wow.

Formal proof?

[micromuncher]

Wow. How can you prove something like this... I know mathematical induction and various finite automata tests were used in my old school days to prove software worked... but something as complicated as this.

In any event, an inductive hypothesis in software is tripe. Unless you can formally describe all states, you usually have an unbounded problem, and people test (and prove) positive case. There are just way too many states.

Just like Bjarne said Proof by analogy is fraud... and induction is akin to analogy.

Missing the point

[immakiku]

Just because the specifications could be bugged does not mean this is not useful. Going from a low level implementation to a higher level abstraction or design is always useful. This is partly why we have comments, assertions, and specifications in the first place. At the higher levels, it's easier to check for intentional behavior (the bugs in the spec is easier to find than the bugs in the code). It is also easier to add new constraints.

Some people have mentioned that this is just a verification of the Haskell to C layer. I might be mistaken, but their site shows that they have multiple layers and most of them are formally verified. As well, this does a bit better than just a Haskell to C translator because this allows for hand optimized code (site mentions that their process accounts for things like pointer arithmetic). In addition, even if you used a Haskell implementation, you still have to verify that.

Isn't it still a step in the right direction?

[JSBiff]

I understand that people, such as the parent, are worried that people might put "too much" stock in a formal verification, but I would still think it's better than *no* verification? Ok, most of the time - if people insist that something has been proven 'correct' when it, in fact, is not correct, that could be a serious problem, because then the problem might not get fixed, but I'd rather be flying in an airplane in which someone at least tried to prove the software correct, than one in which it has not been, in the general case. Sure, they could still both malfunction, but I bet the unproven software would be more *likely* to fail.

Re:Isn't it still a step in the right direction?

[uarch]

Where did you see a suggestion there should be no software verification? Surely not in the parent. The question of the degree to which software verification is needed is entirely different than the question of whether "formal verification" is as effective as people who haven't worked with it believe.

I'm simply stating that formal verification isn't perfect. Having worked with it personally I have seen the majority of people simply take what it says on faith because they don't understand the process. Simple rules of thumb that people use to attenuate their "normal" verification expectations are often thrown out the window the first time they work with "formal" verification. A frequent reason is because they hear that it uses math - despite the fact that many forms of it use no more math than any other form of verification - and of course "math can't be wrong" when you're an engineer.

Formal is simply another tool in the toolbox. As with the rest of the tools there are certain instances in which it makes a lot of sense and others where there is something better. Having worked with it in the past I see a story claiming that an entire kernel was "formally verified" and the first thing that comes to mind is a question of how many bugs they missed by not using all their tools.

a^n + b^n funny, or c^n funny for short.

[Lemming+Mark]

You made an awesome reference. You don't deserve to be languishing down here at +2. Still, you made me happy!

Marginalia

[GammaRay+Rob]

"I have discovered a truly marvellous formal proof of this OS, which this sig is too narrow to contain"

The specification may be buggy in itself...

[rnbc]

In the few programs I've made that had to be secure, by all means, bugs in the specification were found, years later, that allowed system compromise. Assumptions were made about other systems (that allowed us to authenticate users, validate user-classes, etc) that were false under some circumstances, for example, making a break-in possible even if the core itself was not buggy in itself. It would, essentially, maintain it's integrity but be fooled by others...

This is just like in cryptography: a secure algorithm does not guarantee whole system security.

Still a great achievement!

Re:Um, maybe I'm missing why this is such a big de

[idiotnot]

There have been various projects using L4 to isolate Linux or Linux drivers in VMs, so it's a logical thing for them to do too.

Cool. FWIW, the situation is much worse with Hyper-V than it is Xen. :-)

I was hopeful about their use of L4, as its known to be (capable of being) very fast. I'm really not sure where (if anywhere) they're going now; they do seem to lack a strong lead / direction, which like everything has both benefits and costs.

Yeah, IIRC, they ran into a major show-stopper with L4 and the current design that put things on hold. Some of the developers were working with Jonathan Shapiro on the Coyotos project at CMU; I'm not sure anything concrete came of that. Might be a moot point, anyway, since Shap's off to Redmond.

I didn't know NetBSD had Mach compatibility - do you mean it can run on top of Mach? That's cool. I don't, to be honest, know a whole lot about Mach - and to make things more complicated I have the impression there are several versions floating around out there.

COMPAT_DARWIN

Not sure how close this is to being production-ready with the ongoing enhancements in OS X, but they'd made pretty good progress around the 10.3 stage. Much of the NeXTstep model used Mach IPC for message passing (think about how ObjC works!). NetBSD had to emulate the Mach facilities in-kernel to build this in. If someone cared, they could probably do a COMPAT_NEXT for m68k, etc. Not sure how many of the features would need to be added to support the Hurd daemons.

There's not been enough that's different about DragonflyBSD to get me running it just yet but that may change.

I played around with some of the early versions, but haven't touched it much lately to try out the nifty new features. Most of the things I used BSD for I converted from FreeBSD to NetBSD around the time that Matt stood up DF. Probably would have been easier in hindsight, especially the community machine I help maintain, but I didn't think it was quite ready for primetime back then. Been very, very pleased with NetBSD, however. Certainly much better quality in my experience than FreeBSD later than version 4.

Disappointment..

[Phaid]

And here I thought this was going to be an article about Linux 1.2.13.

Written in Haskell?

[93+Escort+Wagon]

Oh, great. Sure, this kernel is all well-behaved and meets its spec - as long as Mr. or Mrs. Cleaver are around. But the minute they turn their backs, who knows WHAT scheme this kernel is going to pull!

Not the first by a long way

[karl.auerbach]

We were doing formal proof of correctness of kernels back in the 1970's at System Development Corporation (SDC) in Santa Monica.

"Correctness" means correct with regard to a criteria, it doesn't mean that the system didn't have flaws outside of the criteria or that it worked or worked efficiently.

I personally worked with UCLA Data Secure Unix and SRI's PSOS (Provably Secure OS) and a couple of other systems.

One cool aspect was that in those days we had some machine architectures that had hardware support for "capabilities".

Generating the correctness criteria was very, very hard.

As for Haskell - we tended to use Pascal via a Pascal to C compiler.

don't be angry

[j1m+5n0w]

Before you get angry, I suggest you go read the page what we prove and what we assume. The researchers are not claiming the kernel is bug-free. They are saying that certain parts of the kernel are free from certain classes of errors so long as the rest of the system (the C compiler, the linker, the hardware, the boot code, assembly code related to direct hardware access, etc..) is working as designed.

As someone who has been doing Linux kernel programming for about 8 years, I enthusiastically support efforts to make a more robust operating system. Just being able to say "this chunk of C code doesn't have any null pointer dereferences" is a significant achievement (and incidentally, it's one of the reasons why I do all my "for fun" programming in Haskell and not in C; life is too short to spend tracking down type errors that would never have gotten past a decent compiler).

7500 lines of code is actually quite a lot. Mainstream OSes like Linux have much bigger code bases, but that's because they need to support as many hardware devices as possible, dozens of filesystems, many cpu architectures, work equally well on embedded devices and many-cpu NUMA machines, and support any feature anyone happens to want. If you just want a system that can run particular applications on a particular hardware platform, a significant amount of functionality can fit in 7500 lines of code.

Re:How's that warrantless wiretapping program goin

[pnewhook]

why does it take 6 months for Barack Obama to choose a dog, but he's wants to cram stimulus and healthcare legislation through without anyone reading or understanding it?

How exactly is it Obama's fault that you are too stupid to read and understand something?

more than just bug free

[kwikrick]

A lot of people here are saying: duh, they only proved that the C code has the same bugs as the formal specification.

But the researchers did consider that. The formal specification also allows them to prove important properties of the L4 kernel.

See the researcher's website: http://ertos.nicta.com.au/research/l4.verified/proof.pml

From the website:

Here, the absence of such bugs is just a useful by-product of the proof. To be able to complete our proof of functional correctness, we also prove a large number of so-called invariants: properties that we know to always be true when the kernel runs.

Re:slow peice of crap

[Lunzo]

Mod AC up. GP doesn't know what he's talking about.

WTF!?

Who is this idiot?! First of all, the Amiga Hand was not a bug! It was the indicator that a disk had to be inserted! Also, Guru Meditation Error was not a bug, nor is the Blue Screen of Death! These are crash handlers! Plonkers!

Re:Sounds like automated unit test generation to m

[ioshhdflwuegfh]

Unit tests test that certain values work correctly.

What if the test has passed because of the faulty/unspecified/specific implementation of the specification?

My experience with formally proven OS in the 80's

[chongo]

This Slashdot article, referring to the so called "World's First Formally-Proven OS Kernel",was brought to my attention by a colleague who is aware of my experience with formally proven OS' in the 1980's. What follows is my response to the claim of being first, and the value of proving the correctness of an OS:

I am aware of at least two instances of operating system kernels that were built in the late 1970's / early 1980's using formal proofs of correctness. I will talk about my experience with one of them.

One of them, produced in the late 1970's was a kernel designed for a specialized environment. This kernel/OS was a reasonably functional kernel complete with multiprocessing, time-sharing, file systems, etc. Unfortunately while the formal proof for this kernel was solid, the axiomatic set on which this formal proof was based did not perfectly match its operating environment. This mismatch proved to be fatal to the OS security.

This formally proven OS took years to create and prove its correctness. Those who developed and maintained the OS were very proud of their work. There were plans underway to create a commercial version of their work and to market it through a certain hardware vendor on which their OS ran.

When I was a student intern working for the organization where that developed this OS worked, I worked in their OS environment from time to time. I came in from the outside where my OS experience was with a wide variety OS' such as MVS, NOS, KRONOS, TOPS-10, RSTS/E, VMS, Multics, and Unix (5th/6th/7th edition). I had enough experience in jumping into new OS environments that I felt comfortable as a user in this one, even though it was unusual.

An important point to observe here is I was one of the first people who enter this OS environment from the outside. I was not steeped in the development world of the OS. I brought with me, ideas that differed from the OS developers. As a young student, I believed that the OS should work for me instead of getting in my way. To help come up to speed, I ported over my collection of OS-independent tools and soon began coding away on my assigned tasks.

Then one day, working within my OS-independent tools, something very odd happened. By mistake, I did something that produced an unusual result. I quickly realized that something was very wrong because the result was "impossible" according to the formal proof of OS correctness. Under the rules set down by my employer I immediately contacted the appropriate security officer and the next thing I knew, I was in a long sequence of meetings with people trying to figure out what in the hell happened.

In the first meeting after my mistake, I learned that I had been reassigned to a new team. I was assured that I was not being disciplined, far from it: I had made a number of people very happy and they moved paperwork mountains to move me into their team. This team was given a task of attempting to repeat my previous "mistake" as well as to discover if exploits that are more general were possible against this OS. We were assigned to work âoeundercoverâ as developers under test/QA installations using this OS. In the end, the team was successful in discovering a much more general form of the OS hole I accidentally found.

What went wrong with the OS formal proof? Well the mapping from the formal logic world to the real world of hardware, physics, people, and the environment was flawed. In other words, when you added in the "real-world", the proof was incomplete. Attempts by the OS developers to expand their proof to address the "real-world" only produced a set of inconsistent theorems. I believe the OS project was abandoned after the OS developers failed multiple times to expand their formal proof to deal with âoereal-worldâ environments.

During this experience I was introduced to two "Security Camps": One, "the absolutists" as they called themselves, included people who worked on this formally proven OS. The opposing camp called the

Similiar Projects

[Martin+Hecker]

There is a good overview of the topic on the authors page, at http://ertos.nicta.com.au/publications/papers/Klein_09.pdf. It specifically mentions "the other" big Project in this field, the VeriSoft project ( http://www.verisoft.de/ ). VeriSoft is broader in scope (covering the translation of programs down to machine code level, and also aiming to verify properties of user-space programs), but uses a simpler implementation Language lacking C-pointers, called "C0". C0 is extended with limited support for inline-assembly code for the compilation of the OS ( http://www-wjp.cs.uni-sb.de/publikationen/GHLP05.pdf ).

Re:Sounds like automated unit test generation to m

It's more like automatic debugging, if you ask me.

It allows you to code, then check that what you coded is according to the spec. If it isn't, at least, you now have a formal description of what isn't right, which should be simple in principle to trace back to the root cause, either the code or the spec.

Re:slow peice of crap

[Lord+Bitman]

C gets its speed boost from having no abstraction. The things which are abstracted are trivial substitutions and do not provide a speed boost. C has no speed-optimizing abstractions.

When you define a variable in C, you very well CAN define the memory address for it, rather than telling something else to do it for you. But this makes things slower, not faster.

C does not provide any abstraction which says something like "This variable should have all of its possible values processed simultaneously", and only very primitive ways of defining what those values are (from which, as far as I am aware, no speed boost can be claimed, as it is only done to prevent error)

So, yes, C has no abstractions in the context of the sentence right above it.

C not CO in Verisoft XT (Re:Similiar Projects)

[Holger+Blasum]

Actually in Verisoft XT the successor of Verisoft now real C code is verified, including e.g. PikeOS with PowerPC assembly in a system developed to DO-178B airplane verification. In that project an important tool for C code verification is VCC developed by Microsoft Research, source included at that site.

Re:C not CO in Verisoft XT (Re:Similiar Projects)

[Holger+Blasum]

(Or more generally see the main Verisoft page. When posting on C verification perhaps one also should mention Caduceus)

On the parlance of economy

[jonaskoelker]

And they have just finished proving that first few lines of code they wrote. In another five decades they hope to be able to have Notepad proven and ready to run so you can actually get some work done!

I completely agree with your sentiment here (somewhat sadly, I might add; it would be nice to have a provably correct linux/gcc/glibc/emacs/firefox/nethack).

People have seen the value of [formal verification, I assume] since the first days of programming. In fact, the value is so enormous that no one can afford it...

That is [in my economics dictionary] a contradiction in terms.

People finding something valuable can be understood as them being willing to give up a lot of resources, i.e. forgo a lot of alternative uses of the resources, i.e. pay a lot of money, to get it.

So you're saying because people are so eager to pay for it, no one can, right? i.e. the market price exceeds the willingness to pay of the highest (potentially-)paying customer. That doesn't make sense.

What does make sense is that the process of formal verification is so labor-consuming that the value it can generate (even if high) is less than the value of at least one thing the same (large) amount of labor could be spent to generate, i.e. people's time is better spent fixing bugs or adding features. At least according to what the market prices say. [we can then discuss whether the market for kernels works as it should.]

(When can then go on to discuss value in use vs. value in exchange vs. the value of research to increase further value in use which probably increases value in exchange and... you know, all of economics... :)]

Does this test qualify as "verified design"? apk

http://74.125.47.132/search?q=cache:yBRVrk6qteIJ:www.cl.cam.ac.uk/teaching/0708/IntroSec/slides-4up.pdf+%22Verified+Design%22+and+%22Operating+System%22+and+%22security+design%22&cd=44&hl=en&ct=clnk&gl=us

PERTINENT QUOTE EXCERPT:

----

"Class A1: Verified design adds formal model for security pol-
icy, formal description of TCB must be proved to match the
implementation, strict protection of source code against unau-
thorised modification"

----

This is in regards to the Operating System being of "verified design", the reason I ask this is simple: Years ago when I was first getting into the Operating System security world (where you hear rating terms like "C2" from the "Orange Book" etc. et al), there were NO SUCH ANIMALS (OS' of "verified design") @ that point, & I have heard of a "Green Hills OS" that supposedly had been granted such status...

APK

P.S.=> (I did not read the article in its entirety yet, so, to save time? I am asking - STILL HAVING COFFEE THIS A.M., so, if reading the article would have satisfied this question, disregard please... thanks for your time!)... apk

Is the Kernel Open Source to FOSS interpretations

[lsatenstein]

If this kernel is as great as professed, then the compiler that was used to create it is likewise. And it would be great to perhaps port this kernel to replace the linux kernel. One way, I suppose, to make use of it in FOSS, is to use this kernel as the microcode that drives a Linux kernel surrounding it. I think of this architecture as the hub of a wheel, and the Linux kernel as the rim. Just my rambling thoughts

What about KIT?

[ghettoimp]

What about Bevier's 1987 dissertation, "A Verified Operating System Kernel." ftp://ftp.cs.utexas.edu/pub/boyer/diss/bevier.pdf

Re:slow peice of crap

[Lord+Bitman]

*note that the "makes things slower, not faster", is just a consequence of the way memory tends to be allocated when doing things "by hand"- it is not a result of optimized abstractions