# **Modal Abstractions for OS Kernels**

Ph.D. Defense

Ismail Kuru

Department of Computer Science Drexel University

March 14, 2025

#### **Overview**

Part I: Modal Understanding of Location Virtualization

#### 1. Definitions

#### 2. Motivation

- 2.1 Sharing
- 2.2 Address-Space Agnostic Virtual Memory References

#### 3. Logic

- 3.1 A Quick Tour on Separation Logic (SL)
- 3.2 A Logic for Recovering the Soundness of Page-Table Traversal
- 3.3 A Logic of Agnostic Resources

#### 4. The Verification Effort

4.1 Design

#### 5. The Current and Future Directions & Conclusions

5.1 Modal Abstractions for Verification Patterns

#### **Overview**

Part II: Modal Understanding of Specification Evolution

#### 6. Definitions

#### 7. Motivation

7.1 Indistinguishability of Machines

#### 8. Logic

- 8.1 Iris STS Library
- 8.2 Understanding Bisimulations
- 8.3 Invariants

#### 9. The Current and Future Directions & Conclusions

#### Part I

# **Modal Understanding of Location Virtualization**

# The Essentials in Systems Programming

a supposedly allocated physical resource

pointer va := malloc (size)

a virtual reference

#### **Memory Location Virtualization**



Figure: Virtualization: The Deception of Abundance

#### **Memory Location Virtualization: Abstraction**

# An Address Space with Logical Name $\gamma$



Figure: Address-Spaces: Named Containers for Virtual Memory Mappings

#### A Program Named A Program Named

 $\gamma_n$   $\gamma_m$  pointer va := malloc(size) malloc(size)

- A program is abstracted as a named address-space
- A container of virtual-to-physical memory resource mappings

#### Memory Location Virtualization: Mechanism



Figure: Address-Translation: A Mechanism for Realizing Address Virtualization

# **Page Tables**



Figure: Page-Tables (PT): Data Structures for Address-Translation

#### A Complete Picture of Address-Space Abstraction



Figure: Depicting an Address-Space with its Essential Aspects

#### The Current View of Memory

The register cr<sub>3</sub> points to the current view of the memory, i.e., the loaded address space in the memory

# Virtual Memory Management (VMM)

#### **VMM** as a General Resource Provider

"the virtual memory sub-system can be considered the core of a Solaris instance, and the implementation of Solaris virtual memory affects just about every other subsystem in the operating system" [McDougall and Mauro(2006)]





Figure: Physical and Virtual Resources



```
static pte_t *pte_nxt_table (pte_t *entry){
    If not already present, try to allocate
   (!entry->present){
 if (!pte_alloc(&next)) {
 entry->pfn = PTE_PFN((uintptr_t) next);
 entry\rightarrowpresent = 1;
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry->pfn);
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr);
   next = (pte_t *) next_virt_addr:
pte_t *walkpgdir(pte_t *I4, void *va){
```

Figure: Traversal Starts from the root



```
static pte_t *pte_nxt_table (pte_t *entry){
 pte_t *next:
    If not already present, try to allocate
 if (!entry->present){
  if (!pte_alloc(&next)) {
   return NULL:
  entry->pfn = PTE_PFN((uintptr_t) next);
  entry \rightarrow present = 1:
  } else {
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry -> pfn);
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr):
   next = (pte_t *) next_virt_addr:
  return next:
pte_t *walkpgdir(pte_t *I4, void *va){
 pte_t *|4_entry = &|4[L4I(va)];
```

Figure: Missing L4 Entry



```
static pte_t *pte_nxt_table (pte_t *entry){
 pte t *next:
    If not already present, try to allocate
    (!entry->present){
 if (!pte_alloc(&next)) {
   return NULL:
 entry->pfn = PTE_PFN((uintptr_t) next);
 entry \rightarrow present = 1:
  } else {
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry->pfn):
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr):
   next = (pte_t *) next_virt_addr;
 return next:
pte_t *walkpgdir(pte_t *I4, void *va){
 pte_t * | 4_entry = & | 4[L4](va) |:
```

Figure: A New L4 Entry



Figure: Accessing to Table L3



```
static pte_t *pte_nxt_table (pte_t *entry){
    If not already present, try to allocate
   (!entry->present){
 if (!pte_alloc(&next)) {
   return NULL:
 entry->pfn = PTE_PFN((uintptr_t) next);
 entry \rightarrow present = 1:
  } else {
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry -> pfn):
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr);
   next = (pte_t *) next_virt_addr;
 return next:
pte_t *walkpgdir(pte_t *I4, void *va){
 pte_t *|4_{entry}| = &|4[L4I(va)]:
 pte_t *I3 = pte_nxt_table(I4_entry);
```

Figure: Missing L3 Entry



Figure: A New L3 Entry



Figure: Accessing to L2 Table



```
static pte_t *pte_nxt_table (pte_t *entry){
      pte t *next:
                       If not already present, try to allocate
                       (!entry->present){
            if (!pte_alloc(&next)) {
                  return NULL:
           entry->pfn = PTE_PFN((uintptr_t) next);
           entry \rightarrow present = 1:
            } else {
                  uintptr_t next_phys_addr =
                               PTE_PFN_TO_ADDR(entry -> pfn);
                  uintptr_t next_virt_addr = (uintptr_t)
                               P2V(next_phys_addr):
                  next = (pte_t *) next_virt_addr:
           return next:
pte_t *walkpgdir(pte_t *I4, void *va){
      pte_t * 14_entry = &14[L41(va)];
      pte_t * 13 = pte_n \times t_t = 0.01 \times 13 = 0
    pte_t *I3_entry = &I3[L3I(va)];
      pte_t *|2 = pte_nxt_table(|3_entry):
```

Figure: Missing L2 Entry



```
static pte_t *pte_nxt_table (pte_t *entry){
 pte_t *next:
   If not already present, try to allocate
   (!entry->present){
  if (!pte_alloc(&next)) {
   return NULL:
  entry->pfn = PTE-PFN((uintptr_t) next):
  entry \rightarrow present = 1:
  } else {
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry->pfn):
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr):
   next = (pte_t *) next_virt_addr:
  return next:
pte_t *walkpgdir(pte_t *I4, void *va){
 pte_t *I4_entry = &I4[L4I(va)];
 pte_t *|3 = pte_nxt_table(|4_entry):
 pte_t *I3_entry = &I3[L3I(va)];
 pte_t *|2 = pte_nxt_table(|3_entry):
 pte_t * |2_entry = &|3[L2](va)]:
```

Figure: A New L2 Entry



Figure: Accessing L1 Table

```
static pte_t *pte_nxt_table (pte_t *entry){
 pte_t *next;
    If not already present, try to allocate
   (!entry->present){
 if (!pte_alloc(&next)) {
   return NULL:
 entry->pfn = PTE_PFN((uintptr_t) next);
 entry \rightarrow present = 1:
  } else {
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry->pfn):
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr):
   next = (pte_t *) next_virt_addr:
 return next:
pte_t *walkpgdir(pte_t *I4, void *va){
 pte_t *|4_entry = &|4[L4I(va)]:
 pte_t *|3 = pte_nxt_table(|4_entry);
 pte_t *|3_entry = &|3[L31(va)];
 pte_t * 12 = pte_n \times t_t = 0:
 pte_t *|2_entry = &|3[L2|(va)];
 pte_t *|1 = pte_nxt_table(|2_entry):
```



Figure: Missing L1 Entry

```
static pte_t *pte_nxt_table (pte_t *entry){
 pte_t *next;
    If not already present, try to allocate
    (!entry->present){
 if (!pte_alloc(&next)) {
   return NULL:
 entry->pfn = PTE_PFN((uintptr_t) next);
 entry \rightarrow present = 1:
  } else {
   uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry->pfn);
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr):
   next = (pte_t *) next_virt_addr:
 return next:
pte_t *walkpgdir(pte_t *I4, void *va){
 pte_t *|4_{entry}| = &|4[L4I(va)]:
 pte_t *|3 = pte_nxt_table(|4_entry):
 pte_t *|3_entry = &|3[L3|(va)];
 pte_t * 12 = pte_n \times t_t = 0  (13_entry):
pte_t *12_entry = &13[L2I(va)];
 pte_t *|1 = pte_nxt_table(|2_entry);
```



static pte\_t \*pte\_nxt\_table (pte\_t \*entry){ pte\_t \*next: If not already present, try to allocate (!entry->present){ if (!pte\_alloc(&next)) { return NULL: entry->pfn = PTE\_PFN((uintptr\_t) next); entry $\rightarrow$ present = 1; } else { uintptr\_t next\_phys\_addr = PTE\_PFN\_TO\_ADDR(entry->pfn); uintptr\_t next\_virt\_addr = (uintptr\_t) P2V(next\_phys\_addr): next = (pte\_t \*) next\_virt\_addr: return next: pte\_t \*walkpgdir(pte\_t \*I4, void \*va){ pte\_t \* $|4_{entry} = &|4[L4](va)$ ]: pte\_t \*|3| = pte\_nxt\_table(|4|entrv):  $pte_t * 13_entry = &13[L3I(va)];$ pte\_t \*|2 = pte\_nxt\_table(|3\_entry); pte\_t \*|2\_entry = &|2[L2|(va)]; pte\_t \*|1 = pte\_nxt\_table(|2\_entry); pte\_t \*|1\_entry = &|1[L1|(va)]; return | 11\_entry

Figure: Accessing to the Page Referenced by L1 Entry

# **Breaking Soundness in Sharing**



Figure: Sharing Page-Tables under Updates to Page-Tables

## **Breaking Soundness in Sharing**





Figure: An Address Space with Unique Root Address root;



Figure: Two Address-Spaces with the Unique Root Addresses  $root_i$  and  $root_j$ 



Figure: Switching Address-Spaces



Figure: Switching Address-Spaces

# Referring to Agnostic Resources

Unless we bookkeep to which address-space each of these virtual-to-physical mappings belongs, which we never see in the practice of using virtual memory references, we need to figure out a way of referring to these mappings as they are only valid in their own address-spaces.

# **Specifying Programs**

 $\{P\} \subset \{Q\}$ 

# **Separation Logic: Separating Conjuction**

$$\frac{\{P\} \ e \ \{Q\}}{\{P*R\} \ e \ \{Q*R\}}$$

## **Separation Logic: Ownership**

- ullet Well-known points-to assertion, e.g., memory\_ref  $\mapsto_q$  val
- Regarding the logical machinery, Iris SL enables encoding a generalized form ownership of logical resources
- A fragmental  $[P]^{\gamma}$  ownership
  - Enabling coordinated access to logical resources
- Full  $P^{\gamma}$  ownership
  - Enabling access to *update* logical resources, presented as *invariants*

## **Separation Logic: Invariants**

$$\frac{\text{Inv}}{\left\{P*R\right\}\;\alpha\;\left\{P*Q\right\}_{\epsilon}\qquad\alpha\;\text{physically atomic}}{\left[P\right]^{n}\vdash\left\{R\right\}\;\alpha\;\left\{Q\right\}_{\epsilon\uplus\left\{n\right\}}}$$

## **Defining Some Ownersip Assertions**

- Expected to have register ownership to be defined : reg  $\mapsto_r$  reg\_val
- ullet Expected to have *physical memory* ownership defined: pa  $\mapsto_p$  val
- How about virtual memory references?

#### A Naive Attempt on Virtual-Pointsto

- Page and page table addresses are physical
- Purple (or red) path + bold black page references are *physical*
- Why don't we define *virtual* memory references in terms of the physical page-table and the final page references?

 $L_{4}$ \_ $L_{1}$ \_PointsTo(va, I4e, I3e, I2e, I1e, paddr) +  $paddr \mapsto_{p} page_{val}$ 

#### **Tokens for Traversals**

$$\underbrace{\mathsf{va} \hookrightarrow_\mathsf{q}^\delta \mathsf{pa}}_{\mathsf{Ghost translation}} * \underbrace{\mathsf{pa} \mapsto_\mathsf{p} \{\mathsf{qfrac}\} \mathsf{val}}_{\mathsf{Physical location}}$$

- Abstract the purple and red segment of page-table traversal into logical summarization of the walk
- Distribute the fragmental ownersip of the logical page-table summarization to virtual memory ownership

#### A Candidate for Kernel Invariant

```
\mathcal{I}\mathsf{ASpace}(\theta,m) \stackrel{\triangle}{=} \mathsf{ASpace\_Lookup}(\theta,m) * \\ \qquad \qquad \qquad \exists \ (\mathsf{I4e} \ \mathsf{I3e} \ \mathsf{I2e}, \ \mathsf{I1e}, \ \mathsf{paddr}). \ \mathsf{L}_{\mathsf{4}\mathsf{L}\mathsf{L}_{\mathsf{1}}\mathsf{-}}\mathsf{PointsTo}(\mathsf{va}, \ \mathsf{I4e}, \ \mathsf{I3e}, \ \mathsf{I2e}, \ \mathsf{I1e}, \ \mathsf{paddr}) \\ \text{where} \\ \mathsf{ASpace\_Lookup}(\theta,m) \stackrel{\triangle}{=} \lambda \ \mathsf{cr3val}. \ \exists \delta \ . \ulcorner m \ !! \ \mathsf{cr3val} = \mathsf{Some} \ \delta \urcorner * \mathcal{A} \mathsf{bsPTableWalk}(\delta,\theta) \\ \mathsf{Figure:} \ \mathsf{Global} \ \mathsf{Address-Space} \ \mathsf{Invariant} \ \mathsf{with} \ \mathsf{a} \ \mathsf{fixed} \ \mathsf{global} \ \mathsf{map} \ \mathsf{of} \ \mathsf{address-space} \ \mathsf{names} \ m
```

#### A Candidate for Kernel Invariant

#### The Kernel Invariant in Action

How useful (complete) is this invariant?

### **Kernels Locating L1 Entries**



```
static pte_t *pte_nxt_table (pte_t *entry){
 pte_t *next:
    If not already present, try to allocate
   (!entry->present){
 if (!pte_alloc(&next)) {
   return NULL:
 entry->pfn = PTE_PFN((uintptr_t) next);
 entry\rightarrowpresent = 1;
  } else {
   \uintptr_t next_phys_addr =
     PTE_PFN_TO_ADDR(entry->pfn);
   uintptr_t next_virt_addr = (uintptr_t)
     P2V(next_phys_addr):
   next = (pte_t *) next_virt_addr;
 return next:
pte_t *walkpgdir(pte_t *I4. void *va){
 pte_t *|4_{entry}| = &|4[L4I(va)]:
 pte_t *|3 = pte_nxt_table(|4_entry):
 pte_t *I3_entry = &I3[L3I(va)];
 pte_t *|2 = pte_nxt_table(|3_entry):
pte_t *|2_entry = &|2[L2|(va)]:
 pte_t *|1 = pte_nxt_table(|2_entry):
 pte_t * |1_entry = &|1[L1|(va)]:
```

### **Incorporating P2V into the Kernel Invariant**

# Definition (The Kernel Invariant for Page-Table Traversal with Virtual Page-Table Pointers)

$$\begin{split} \mathcal{I} \mathsf{ASpace}_{\mathsf{id}}(\theta,\Xi,m) & \stackrel{\triangle}{=} \mathsf{ASpace\_Lookup}_{\mathsf{id}}(\theta,\Xi,m) * \mathsf{GhostMap}(\mathsf{id},\Xi) * \\ & \left( \begin{matrix} \bigstar & \exists \ (\mathsf{I4e},\ \mathsf{I3e},\ \mathsf{I2e},\ \mathsf{I1e},\ \mathsf{paddr}). \ \mathsf{L}_{\mathsf{4}\_\mathsf{L}_1\_\mathsf{PointsTo}}(\mathsf{va},\ \mathsf{I4e},\ \mathsf{I3e},\ \mathsf{I2e},\ \mathsf{I1e},\ \mathsf{paddr}) \right) * \\ & \bigstar & \exists \ (\mathsf{qfrac},\ \mathsf{q},\ \mathsf{val},\mathsf{va}). \ \lceil \mathsf{va} = \mathsf{pa} + \mathsf{KERNBASE}\ \mathsf{level} > 1 \rceil * \underbrace{\mathsf{va} \hookrightarrow_{\mathsf{q}}^{\delta} \mathsf{pa}}_{\mathsf{Ghost\ translation}} * \underbrace{\mathsf{pa} \mapsto_{\mathsf{p}} \{\mathsf{qfrac}\}\ \mathsf{val} * \\ \mathsf{physical\ location}}_{\mathsf{Physical\ location}} * \\ & \underbrace{\lceil \mathsf{qfrac} = 1 \leftrightarrow \neg \mathsf{entry\_present}\ (\mathsf{val}) \rceil}_{\mathsf{Entry\ validity}} * \\ & \underbrace{\lceil \mathsf{qfrac} = 1 \leftrightarrow \neg \mathsf{entry\_present}\ (\mathsf{val}) \rceil}_{\mathsf{Indexing\ into\ next\ level\ of\ tables}} * \\ & \mathsf{vhere} \\ & \mathsf{present\_L}(\mathsf{val},\mathsf{level}) \stackrel{\triangle}{=} \mathsf{entry\_present}(\mathsf{val}) \land \mathsf{level} > 0 \end{split}$$

### **Specifying P2V**

```
 \begin{cases} \text{$P*$ $\mathcal{I}$ ASpace}_{id}(\theta,\Xi\setminus\{\text{entry}\}), m)* \text{$r$ bp-8$} \mapsto_{v} \text{entry}* \text{$r$ cx} \mapsto_{r-}* \text{entry} \mapsto_{id} \_* \text{$r$ tv} \hookrightarrow^{\delta s} \delta \rbrace_{\text{rtv}} \\ \left\{ \text{entry+KERNBASE} \mapsto_{\text{vpte,qfrac}} (\text{pte\_initialized (entry\_val.pfn)})^{\gamma}_{\text{rtv}} \right. \\ \left\{ \text{$r$ bp-16$} \mapsto_{v} (\text{pte\_initialized (entry\_val.pfn)})) * \text{$r$ ax} \mapsto_{r} \text{ table\_root (pte\_initialize(entry\_val.pfn))} \rbrace_{\text{rtv}} \\ \left\{ \forall_{i \in 0 \dots 511} . ((\text{table\_root (pte\_initialized (entry\_val.pfn))}) + i*8 ) \hookrightarrow^{\text{id}} v-1 \right\} \\ \text{$;$ is uintptr\_t next\_virt\_addr} = (uintptr\_t) P2V(entry.pfn <<12); \\ \text{movabs KERNBASE, $r$ cx } \left\{ \dots * r \text{$cx} \mapsto_{r} \text{KERNBASE} * \dots \right\}_{\text{rtv}} \\ \text{add} \qquad \text{$r$ cx, $r$ ax} \\ \left\{ \dots * r \text{$ax} \mapsto_{r} \text{ table\_root (pte\_initialize(entry\_val.pfn))} + \text{KERNBASE} * \dots \right\}_{\text{rtv}} \\ \dots \; \text{$;$ clean up the stack and return the rax value} \end{cases}
```

Figure: Converting a physical address of a PTE to a virtual address (w/o instruction pointer or flag updates).

#### The Current Status of Machinery



Figure: x64-Iris

- Dumping .o files
- Manuel treatment on Xabs instructions and field access

# A Rough Quantification on the Current Status

Table: Line-of-Code Numbers for pte Verification

|                      | C LoC A | Assembly LoC | Roqc Proof LoC |
|----------------------|---------|--------------|----------------|
| pte_get_next_table   | 12      | 45           | 3200           |
| pte_walkpgdir        | 8       | 44           | 3200           |
| pte_p2v              | _       | 1            | 75             |
| pte_switch_addrspace | _       | 18           | 350            |
| pte_map_page         | 7       | 28           | 1750           |
| pte_initialize       | 4       | 20           | 700            |

Table: Line-of-Code Numbers for x64-Iris Logic

|                                                   | Roqc LoC |
|---------------------------------------------------|----------|
| Soundness of Instructions Mentioned in the Thesis | 50176    |
| VMM Related Logical Constructions                 | 5554     |
| Machine Model                                     | 6172     |

#### Modal Abstractions as Verification Patterns in Practice

|                                                                                                                                                                                                                                   | Resource Context                                                                                                     | Resource Elements                                                                                                                                                 | Nominalization                 | Resource Context Steps                                                                                                                   |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| Post-Crash Modality [Chajed(2022), Tej Chajed and contributors(2023), Chajed et al.(2019)]                                                                                                                                        | ◊ P                                                                                                                  | $\ell \mapsto_{n}^{\overline{\gamma}} v$                                                                                                                          | Strong                         | Crash Recovery                                                                                                                           |
| NextGen Modality [Vindum et al.(2025)]                                                                                                                                                                                            | $\stackrel{t}{\hookrightarrow}$ P                                                                                    | Own (t(a))                                                                                                                                                        | Strong                         | Determined Based on the Model*                                                                                                           |
| StackRegion Modality* [Vindum et al.(2025)] Memory-Fence Modality [Doko and Vafeiadis(2016), Doko and Vafeiadis(2017), Dang et al.(2019)] Address-Space Modality [Kuru and Gordon(2024)] Ref-Count Modality [Wagner et al.(2024)] | $egin{array}{c} \stackrel{I \subset ut^n}{\hookrightarrow} P \ 	riangle_{\pi} \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \$ | $ \begin{array}{c} \boxed{\textbf{n}} \; \ell \mapsto \textbf{v} \\ \ell \mapsto \textbf{v} \\ \ell \mapsto \textbf{v} \\ \ell_1 \mapsto \textbf{v} \end{array} $ | Strong<br>Weak<br>Weak<br>Weak | Alloc and Return to/from stack<br>Fence Acquire and Release<br>Address-Space Switch<br>Allocating, Dropping and Shar-<br>ing a Reference |

 The StackRegion Modality is an instance of NextGen (called the Independence Modality in [Vindum et al.(2025)]).

### Part II

# **Modal Understanding of Specification Evolution**

# **Specifying Protocols for Systems with STSes**



Figure: STS for Distributed File Protocol



Figure: STS for Traditional File Protocol

#### Interacting with **STS**es

Modelling interactions of a client with a state machine via token exchange

### **Defining STSes**

#### Definition (STS Definition following CaReSL's presentation [Turon et al.(2013)])

An STS  $\pi$  is given by:

- 1. a set of states S,
- 2. a map from a state set of tokens  $\mathcal{T}: \mathcal{S} \to \mathsf{TokSet}$ ,
- 3. a transition relation → on states, which is then lifted to pairs of a state and token set:

$$(s;T) \rightsquigarrow (s';T') \triangleq s \rightsquigarrow s' \land \mathcal{T}(s) \uplus T = \mathcal{T}(s') \uplus T'$$

4. an interpretation mapping states to state assertions  $\varphi: \mathcal{S} \to \mathsf{Prop}$ .

### **Propositional Kripke Model**

#### Definition ((Propositional) Kripke Model [Hughes and Cresswell(1996)])

A Kripke model  $\mathfrak{M}$  is a triple (W, R, V) where

- W is a set of "worlds"
- $R \subseteq W \times W$  is a relation called the *accessibility* relation between worlds
- $V: \mathsf{PropVar} \to \mathcal{P}(W)$  gives for each propositional variable p a set of worlds V(p) where p is considered true

### Bisimulations over Kripke Models

### Definition ((Propositional) Bisimulation of Kripke Structures: $\mathfrak{M} \sim \mathfrak{M}'$ .)

A bisimulation between (multimodal) Kripke structures  $(W, R_{i \in I}, V)$  and  $(W', R'_{i \in I}, V')$  is a relation  $E \subseteq W \times W'$  satisfying:

- If w E w', then w and w' satisfy the same propositional variables.
- If w E w' and w Rv, then there exists  $v' \in W'$  such that v E v' and w' R' v'
- If w E w' and w' R' v', then there exists  $v \in W$  such that v R v' and w R v

#### Intuition on Bisimulations over STSes





- More than just relating **STS**es in representation invariants per state.
- Bisimilar states can have different representation invariants.
- Knowing the proof of a client against the right (target STS conventionally  $\pi'$ ) enables deducing the proof against the bisimilar on the left (source STS conventionally  $\pi$ ).

### A Quick Tour on STS Assertions

• Invariants  $\varphi_{\pi}^{\gamma}$ , client capability  $[s, T]^{\gamma}$ 

#### STSALLOC

$$\varphi(s) \Rightarrow \exists \gamma. \boxed{\varphi}_{\pi}^{\gamma} * \boxed{s; AllTokens} \backslash \overline{\mathcal{T}(s)}_{\gamma}^{\gamma}$$
STSOPEN

$$\frac{STSOPEN}{\left[\varphi\right]_{\pi}^{\gamma}*\left[\bar{s};\bar{T}\right]^{\gamma}} \Rightarrow \left(\exists \ s'. \lceil (s0,T) \stackrel{\mathsf{rely}^{*}}{\sqsubseteq}_{\pi} (s',T) \rceil * \varphi(s) * \forall sl', \ T'. \lceil (s',T) \stackrel{\mathsf{guar.}^{*}}{\sqsubseteq}_{\pi} (sl',T') \rceil * \varphi(sl') \Rightarrow \left[\bar{sl};\bar{T'}\right]^{\gamma}\right)}{\text{UPDISL}}$$

 $\alpha$  physically atomic

$$\frac{\forall s_0 . \ ((s;T) \overset{\mathsf{rely}^*}{\sqsubseteq}_{\pi} (s_0;T)) \vdash \{\varphi(s_0) * P\} \ \alpha \ \{\exists s', \mathsf{T}' . \ (s_0;\mathsf{T}) \overset{\mathsf{guar}^*}{\sqsubseteq}_{\pi} (s';\mathsf{T}') * \varphi(s') * Q\}}{[\varphi]_{\pi}^{\gamma} \vdash \{[\underline{s};\overline{\mathsf{T}}]^{\gamma} * P\} \ \alpha \ \{\exists s',\mathsf{T}' . [\underline{s'};\overline{\mathsf{T}'}]^{\gamma} * Q\}}$$

Figure: Iris STS Library [Jung et al.(2015)] simplified with later modality and invariant masks omitted

### **Decomposing Bisimilarity in STSes**

The bisimulation  $(\mathcal{M}(\pi, \pi', \varphi, \varphi', s, \mathsf{T}, \mathsf{U}))$  between two state machines,  $\pi$  and  $\pi'$  is composed of

- The source STS  $\pi$
- The target STS  $\pi'$
- The source STS's state interpretation function  $-\varphi$
- The target STS's state interpretation function  $-\varphi'$
- Token Embedding  $\epsilon_{\mathcal{S}}: \mathcal{S}(\pi) \mapsto \mathcal{S}(\pi')$
- State Embedding  $\epsilon_T$ :  $\mathcal{T}(\pi) \mapsto \mathcal{T}(\pi')$
- The Law of Rely
- The Law of Guarantee
- The Law of Tolerance
- The state of source STS from which bisimulation is considered against any client interference with the token set T

#### **Proof Translation**

Obtain a proof rule utilizing the bisimulation to translate proofs between bisimilar state machines!

### **Embeddings for Tokens**





- How to impose *indistinguishability* of behavior observed on *bisimilar* states
- How to impose indistinguishability over the steps taken between bisimilar states
- Make token exchange align with indistinguishability: Embedding tokens (lifted  $\epsilon_{\overline{T}}$ )  $T_1$ ,  $T_3$ , and  $T_2$  to  $T_5$ , and  $T_4$  to  $T_6$

### **Embeddings for State and Tokens**





 Setting client interference aside, we would consider opened and flushed of the left state machine to be bisimilar to opened of the right state machine

# A Quick Tour on the Represention of Laws - 1



# A Quick Tour on the Represention of Laws - 2



#### We Use This

#### UpdIsl

 $\alpha$  physically atomic

$$\frac{\forall s_0 . \ ((s;T) \stackrel{\mathsf{rely}^*}{\sqsubseteq_{\pi}} (s_0;T)) \vdash \{\varphi(s_0) * P\} \ \alpha \ \{\exists s' \ , \ \mathsf{T'} \ . \ (s_0;T) \stackrel{\mathsf{guar}^*}{\sqsubseteq_{\pi}} (s';\mathsf{T'}) * \varphi(s') * Q\}}{\varphi \cap_{\pi}^{\gamma} \vdash \{ [s;\mathsf{T}]_{\pi}^{\gamma}) * P\} \ \alpha \ \{\exists \ s',\mathsf{T'} . [s';\mathsf{T'}]_{\pi}^{\gamma} * Q\}}$$

#### We Need This

#### UpdIsl

$$\frac{\alpha \text{ physically atomic}}{\forall s_0 \; . \; ((s;\mathsf{T}) \overset{\mathsf{rely}^*}{\sqsubseteq}_{\pi} \; (s_0;\mathsf{T})) \; \vdash \{\varphi(s_0) * P\} \; \alpha \; \{\exists s' \; , \; \mathsf{T'} \; . \; (s_0;\mathsf{T}) \overset{\mathsf{guar}^*}{\sqsubseteq}_{\pi} \; (s';\mathsf{T'}) * \varphi(s') * Q\} }{ \underbrace{\varphi}_{\pi}^{\gamma} \vdash \{ \underbrace{[s;\mathsf{T}]^{\gamma} * P\} \; \alpha \; \{\exists s' \; , \; \mathsf{T'} . \underbrace{[s';\mathsf{T'}]^{\gamma} * Q\} } }$$
 BISIM 
$$\frac{\pi \sim \pi' \qquad q \; \epsilon_{\mathcal{S}} \; s \qquad q' \; \epsilon_{\mathcal{S}} \; s' \qquad \{ \underbrace{[s;\epsilon_{\overline{T}}(\mathcal{T})]_{\pi'}^{\gamma} * P\} \; C \; \{ \underbrace{[s';\mathsf{T'}]_{\pi'}^{\gamma} * Q\} } }$$
 
$$\underbrace{\varphi}_{\pi}^{\gamma} \vdash \{ \underbrace{[q;\mathsf{T}]_{\pi}^{\gamma} * P\} \; C \; \{ \underbrace{[s';\mathsf{T'}]_{\pi'}^{\gamma} * Q\} } }$$

### How? Obligation - 1

#### UPDISL

### The Law of Rely

#### Theorem (The Law of Rely)

$$\forall s'.(s;T) \stackrel{\mathsf{rely}^*}{\sqsubseteq}_{\pi} (s';T) \leftrightarrow \\ (\forall_{s_1,s_1',T_1}.\,\epsilon_{\mathcal{S}}(s,s_1) \to \epsilon_{\mathcal{S}}(s',s_1') \to \epsilon_{\overline{\mathcal{T}}}(T,T_1) \to (s_1;T_1) \stackrel{\mathsf{rely}^*}{\sqsubseteq}_{\pi'} (s_1';T_1)$$

- We do not drop any client interference with capabilities T
- Indetification of the states that are tolerant to the client interference from which the STS can take steps (Guarantee)
- Bookkeeping of the client interference needed!
- Identifying the valid pre state

# The Law of Rely



Figure: Embedding The Client Interface

# The Law of Rely for a Bisimulation Instance



#### We Need This

#### UPDISL

$$\frac{\alpha \text{ physically atomic}}{\forall s_0 \; . \; ((s;\mathsf{T}) \overset{\mathsf{rely}^*}{\sqsubseteq}_{\pi} \; (s_0;\mathsf{T})) \; \vdash \{\varphi(s_0) * P\} \; \alpha \; \{\exists s' \; , \; \mathsf{T'} \; . \; (s_0;\mathsf{T}) \overset{\mathsf{guar}^*}{\sqsubseteq}_{\pi} \; (s';\mathsf{T'}) * \varphi(s') * Q\} }{ \underbrace{\varphi}_{\pi}^{\gamma} \vdash \{ \underbrace{[s;\mathsf{T}]_{\pi}^{\gamma} * P\} \; \alpha \; \{\exists s' \; , \; \mathsf{T'} . \underbrace{[s;\mathsf{T}]_{\pi}^{\gamma} * Q\} } }$$
 BISIM 
$$\frac{\pi \sim \pi' \qquad q \; \epsilon_{\mathcal{S}} \; s \qquad q' \; \epsilon_{\mathcal{S}} \; s' \qquad \{ \underbrace{[s;\epsilon_{\overline{T}}(\mathcal{T})]_{\pi'}^{\gamma} * P\} \; C \; \{ \underbrace{[s';\mathsf{T'}]_{\pi'}^{\gamma} * Q\} } }$$
 
$$\underbrace{\varphi}_{\pi}^{\gamma} \vdash \{ \underbrace{[q;\mathsf{T}]_{\pi}^{\gamma} * P\} \; C \; \{ \underbrace{[s';\mathsf{T'}]_{\pi'}^{\gamma} * Q\} } }$$

### How? Obligation - 2

UPDISL

#### The Law of Guarantee

#### Theorem (Guarantee Bisim without Invariants)

$$\forall_{q',q,T'}.\epsilon_{\overline{T}}(T) \equiv T' \to \epsilon_{\mathcal{S}}(s,q) \to (q;T') \stackrel{\mathsf{rely}^*}{\sqsubseteq}_{\pi'} (q';T') \to \\ \forall_{q'',T''}.(q';T') \stackrel{\mathsf{guar}}{\sqsubseteq}_{\pi'} (q'';T'') \to \\ \exists_{s',s'',T'_0,T''_0}.(s';T'_0) \stackrel{\mathsf{guar}}{\sqsubseteq}_{\pi} (s'';T''_0) \land \\ \epsilon_{\mathcal{S}}(s') = q' \land \epsilon_{\mathcal{S}}(s'') = q'' \land \epsilon_{\overline{T}}(T''_0) \equiv T' \land \epsilon_{\overline{T}}(T''_0) \equiv T''$$

- Under the embedded client interference, the steps taken by the target STS must be countered by a one in the source STS
- From target STS to source STS
- Identifying the valid post state

#### The Law of Guarantee



Figure: Embedding the Guarantee Steps of Target STS

#### The Law of Guarantee for the Bisimulation Instance



#### The Law of Guarantee for the Bisimulation Instance



#### We Need This

#### UPDISL

$$\frac{\alpha \text{ physically atomic}}{\forall s_0 \; . \; ((s;\mathsf{T}) \overset{\mathsf{rely}^*}{\sqsubseteq}_{\pi} \; (s_0;\mathsf{T})) \; \vdash \{\varphi(s_0) * P\} \; \alpha \; \{\exists s' \; , \; \mathsf{T'} \; . \; (s_0;\mathsf{T}) \overset{\mathsf{guar}^*}{\sqsubseteq}_{\pi} \; (s';\mathsf{T'}) * \varphi(s') * Q\}}{ \underbrace{\varphi}_{\pi}^{\gamma} \vdash \{ \underbrace{[s;\mathsf{T}]_{\pi}^{\gamma} * P\} \; \alpha \; \{\exists s' \; , \; \mathsf{T'} . \underbrace{[s';\mathsf{T'}]_{\pi}^{\gamma} * Q\}}}_{\mathsf{S}} \; \mathsf{BISIM} \\ \underbrace{\frac{\pi \sim \pi'}{\pi} \; q \; \epsilon_{\mathcal{S}} \; s \; q' \; \epsilon_{\mathcal{S}} \; s' \quad \{ \underbrace{[s;\epsilon_{\overline{T}}(\mathcal{T})]_{\pi'}^{\gamma} * P\} \; C \; \{ \underbrace{[s';\mathsf{T'}]_{\pi'}^{\gamma} * Q\}}_{\mathsf{T'}} \; \underbrace{\varphi}_{\mathsf{T'}} \; \underbrace{[s;\mathsf{T'}]_{\pi'}^{\gamma} * Q\}}_{\mathsf{T'}} \; \underbrace{\varphi}_{\mathsf{T'}} \; \underbrace{$$

### How? Obligation - 3

### How? Obligation - 4

#### How? Intuition on Invariants in Bisimulation

UPDISL

$$\begin{array}{c} \alpha \text{ physically atomic} \\ \forall s_0 \; . \; ((s;\mathsf{T}) \stackrel{\mathsf{rely}^*}{\sqsubseteq}_{\pi} \; (s_0;\mathsf{T})) \; \vdash \; \left\{ \begin{array}{c} \varphi(s_0) \\ \end{array} \right. * P \right\} \; \alpha \; \{\exists s' \; , \; \mathsf{T}' \; . \; (s_0;\mathsf{T}) \stackrel{\mathsf{guar}^*}{\sqsubseteq}_{\pi} \; (s';\mathsf{T}') * \\ \hline \\ \varphi \bigcap_{\pi}' \vdash \{ \underbrace{[s;\mathsf{T}]^{\gamma}}_{} * P \} \; \alpha \; \{\exists s' \; , \; \mathsf{T}' \; . \underbrace{[s';\mathsf{T}]^{\gamma}}_{} * Q \} \\ \\ BISIM \\ \underline{\pi \sim \pi'} \quad q \; \epsilon_{\mathcal{S}} \; s \quad q' \; \epsilon_{\mathcal{S}} \; s' \quad \{ \underbrace{[s;\epsilon_{\overline{\mathcal{T}}}(\mathsf{T})]^{\gamma}}_{\pi'} * P \} \; C \; \{ \underbrace{[s';\mathsf{T}']^{\gamma}}_{\pi'} * Q \} \\ \hline \\ \varphi \bigcap_{\pi}' \vdash \{ \underbrace{[q;\mathsf{T}]^{\gamma}}_{\pi} * P \} \; C \; \{ \underbrace{[q';\mathsf{T}]^{\gamma}}_{\pi'} * Q \} \end{array}$$

- The post condition of the target state machine  $\pi'$  implies the post condition of the source state machine  $\pi$ , e.g., opened
- Applying UPDISL would give
  - $\varphi'(\epsilon_{\mathcal{S}}(s0)) \vdash \exists s' . \varphi(s')$
  - and precondition in the source STS  $-\varphi(s0)$
- To obtain  $\exists s' . \varphi(s')$

#### Invariants of File Protocols

#### Definition (File Protocol Invariants)

$$\varphi_{\mathsf{distributedfile}} (\ \ell \ , \ \mathsf{R} \ ) (\ s \ ) \triangleq \left\{ \begin{array}{l} \mathsf{match} \ \mathsf{s} \ \mathsf{with} \\ \mathsf{to} - \mathsf{flush} \Rightarrow & \mathsf{R} \ast \exists \ \mathsf{fs.} \ \mathsf{isValidDirty}(\mathsf{fs}) \ast \\ & \ell \mapsto (\mathsf{fs.} \mathit{id}, \mathsf{fs.status} = \mathsf{dirty}) \\ \mathsf{opened} \Rightarrow & \mathsf{R} \ast \exists \ \mathsf{fs.} \ \mathsf{isValid}(\mathsf{fs}) \ast \\ & \ell \mapsto (\mathsf{fs.} \mathit{id}, \mathsf{fs.status} = \mathsf{clean}) \\ \mathsf{closed} \Rightarrow & \exists \ \mathsf{fs.} \ \mathsf{isValidClosed}(\mathsf{fs}) \ast \\ & \ell \mapsto (\mathsf{fs.} \mathit{id}, \mathsf{fs.status} = \mathsf{closed}) \\ \end{array} \right\}$$

$$\varphi_{\mathsf{file}} \ \ell \ \mathsf{R} \ \mathsf{s} \triangleq \left\{ \begin{array}{l} \mathsf{match} \ \mathsf{s} \ \mathsf{with} \\ \mathsf{opened} \Rightarrow \\ \mathsf{closed} \Rightarrow & \mathsf{R} \ast \exists \ \mathsf{fs.} \ \mathsf{isValid}(\mathsf{fs}) \ast \ell \mapsto (\mathsf{fs.} \mathit{id}, \mathsf{fs.status} = \mathsf{clean} \lor \mathsf{dirty}) \\ \mathsf{closed} \Rightarrow & \exists \ \mathsf{fs.} \ \mathsf{isValidClosed}(\mathsf{fs}) \ast \ell \mapsto (\mathsf{fs.} \mathit{id}, \mathsf{fs.status} = \mathsf{closed}) \\ \end{array} \right\}$$

#### The Law of Tolerance



Figure: The Law of Tolerance for a Valid Pre-Condition

#### Theorem (The Law of Tolerance)

$$orall \ s' \ . \ (s \ \mathsf{T}) \stackrel{\mathsf{rely}^*}{\sqsubseteq}_{\pi} \ (s'; \mathsf{T}) \leftrightarrow \qquad \varphi(s') \ dash \ \varphi'(\epsilon_{\mathcal{S}}(s'))$$

- The source STS's precondition for the embedded states is stronger
- $\varphi(\text{flushed})$  of  $\pi$  or  $\varphi(\text{opened})$  of  $\pi$  implies  $\varphi'(\text{opened})$  of  $\pi'$

## Revisiting the Law of Guarantee for Invariants

#### Theorem (The Law of Guarantee with Invariants)

$$\forall \ q' \ . \ (\epsilon_{\mathcal{S}}(s); \epsilon_{\overline{\mathcal{T}}}(\mathsf{T})) \stackrel{\mathsf{rely}^*}{\sqsubseteq}_{\pi'} (\epsilon_{\mathcal{S}}(q'); \epsilon_{\overline{\mathcal{T}}}(\mathsf{T})) \rightarrow \\ \forall \ q'', \ \mathsf{T''} \ . \ (q'; \epsilon_{\overline{\mathcal{T}}}(\mathsf{T})) \stackrel{\mathsf{guar}^*}{\sqsubseteq}_{\pi'} (q''; \mathsf{T''}) \rightarrow \\ \exists \ s' \ s'' \ \mathsf{T0'}' \ \mathsf{T0''} \ . \ (s'; \mathsf{T0'}) \stackrel{\mathsf{guar}^*}{\sqsubseteq}_{\pi} (s''; \mathsf{T0''}) \land \\ \epsilon_{\mathcal{S}}(s') = q' \land \epsilon_{\mathcal{S}}(s'') = q'' \land \\ (\epsilon_{\overline{\mathcal{T}}}(\mathsf{T0'})) = (\epsilon_{\overline{\mathcal{T}}}(\mathsf{T})) \land (\epsilon_{\mathcal{T}}(\mathsf{T0'})) = \mathsf{T''} \land \\ \varphi'(q'') \vdash \varphi(s'')$$

## **Revisiting the Law of Guarantee for Invariants**



#### **Soundness**

## Theorem (Soundness)

The updated state from  $\operatorname{UPD} \operatorname{ISL}$  is preserved by the bisimulation.

## **Soundness**



79 / 84

# **Keeping Promises**

TRANSFER FILE WRITE 
$$\pi \sim \pi' \quad \text{opened } \epsilon_{\mathcal{S}} \ s \quad q' \ \epsilon_{\mathcal{S}} \ s' \\ \{ s' \in_{\overline{T}}(\overline{T}) |_{\pi'}^{\gamma} * P \} \text{ write } \ell \text{ new\_val } \{ s' \in_{\pi'}^{\gamma} : T' |_{\pi'}^{\gamma} * Q \}$$

$$\boxed{\varphi_{\text{distributedfile}}}_{\pi} \vdash \{ \text{opened}; T |_{\pi}^{\gamma} * P \} \ C \{ q' \in_{\pi'}^{\gamma} : T' |_{\pi}^{\gamma} * Q \}$$

# **On-going Work**

- Bisimulation over Restricted Submodels
  - We need to strengthen the bisimulation
  - What is this strength?
    - Guarantee steps taken at the target machine with  $T\setminus U$  has to be indistinguishable (entail) the ones taken with T
    - The Law of Abduction: Knowing more about U and capabilities dropped with the absence of it.
- Extending Rules for the Complete Iris HEAPLANG
- An abstract framework with relational *embeddings* is finished and written.
  - Subjectively more promising!
  - We need to justify concretely via an example, that is, an example exposes incapability
    of current non-relational embeddings of states and tokens

#### The Future Directions

- Exploit obvious application fields, e.g., device drivers
- Only Iris pluggable?

#### References



Tej Chajed. 2022.

Verifying a concurrent, crash-safe file system with sequential reasoning.

Ph.D. Dissertation. Machetutes Institute of Technology, Cambridge, MA. Available at https://dspace.mit.edu/handle/1721.1/144578.



Tej Chajed, Joseph Tassarotti, M. Frans Kaashoek, and Nickolai Zeldovich. 2019.

Verifying concurrent, crash-safe systems with Perennial. In *Proceedings of the 27th ACM Symposium on Operating Systems Principles* (Huntsville, Ontario, Canada) (SOSP '19). Association for Computing Machinery, New York, NY, USA, 243–258. https://doi.org/10.1145/3341301.3359632



Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, and Derek Dreyer. 2019.

RustBelt meets relaxed memory.

Proc. ACM Program. Lang. 4, POPL, Article 34 (Dec. 2019), 29 pages. https://doi.org/10.1145/3371102



Marko Doko and Viktor Vafeiadis. 2016.

A Program Logic for C11 Memory Fences. In *Proceedings of the 17th International Conference on Verification, Model Checking, and Abstract Interpretation - Volume 9583* (St. Petersburg, FL, USA) (VMCAI 2016). Springer-Verlag, Berlin, Heidelberg, 413–430. https://doi.org/10.1007/978-3-662-49122-5\_20



Marko Doko and Viktor Vafeiadis. 2017.

Tackling Real-Life Relaxed Concurrency with FSL++. In *Programming Languages and Systems: 26th* 

# The End