l4v
FStar
l4v | FStar | |
---|---|---|
15 | 44 | |
490 | 2,615 | |
1.0% | 2.3% | |
9.6 | 9.9 | |
16 days ago | 7 days ago | |
Isabelle | F* | |
GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
l4v
-
Rewrite the VP9 codec library in Rust
> C/C++ can be made memory safe
.. but it's much harder to prove your work is memory safe. sel4 is memory safe C, for example. The safety is achieved by a large external theorem prover and a synced copy written in Haskell. https://github.com/seL4/l4v
Typechecks are form of proof. It's easier to write provably safe Rust than provably safe C because the proofs and checker are integrated.
-
CVE-2023-4863: Heap buffer overflow in WebP (Chrome)
You can't really retrofit safety to C. The best that can be achieved is sel4, which while it is written in C has a separate proof of its correctness: https://github.com/seL4/l4v
The proof is much, much more work than the microkernel itself. A proof for something as large as webP might take decades.
- SeL4 Specification and Proofs
-
What in the name of all that's holy is going on with software ?
When something like the seL4 microkernel is formally verified, the remaining bugs should only be bugs in the specification, not the implementation.
-
Elimination of programmers
seL4 specifications and proofs are not a programming language.
-
Google Announces KataOS and Sparrow
Yes, especially 'logically impossible' when you dig into the details. From the blogpost:
> and the kernel modifications to seL4 that can reclaim the memory used by the rootserver.
MMMMMMMMMMMkkkkkk. So you then have to ask: were these changes also formally verified? There's a metric ton of kernel changes here: https://github.com/AmbiML/sparrow-kernel/commits/sparrow but I don't see a fork of https://github.com/seL4/l4v anywhere inside AmbiML.
I mean, it does also claim to be "almost entirely written in Rust", which is true if you ignore almost the entire OS part of the OS (the kernel and the minimal seL4 runtime).
-
A 24-year-old bug in the Linux Kernel (2021)
Probably the only way to prevent this type of issue in an automated fashion is to change your perspective from proving that a bug exists, to proving that it doesn't exist. That is, you define some properties that your program must satisfy to be considered correct. Then, when you make optimizations such as bulk receiver fast-path, you must prove (to the static analysis tool) that your optimizations to not break any of the required properties. You also need to properly specify the required properties in a way that they are actually useful for what people want the code to do.
All of this is incredibly difficult, and an open area of research. Probably the biggest example of this approach is the Sel4 microkernel. To put the difficulty in perspective, I checkout out some of the sel4 repositories did a quick line count.
The repository for the microkernel itself [0] has 276,541
The testsuite [1] has 26,397
The formal verification repo [2] has 1,583,410, over 5 times as much as the source code.
That is not to say that formal verification takes 5x the work. You also have to write your source-code in such a way that it is ammenable to being formally verified, which makes it more difficult to write, and limits what you can reasonably do.
Having said that, this approach can be done in a less severe way. For instance, type systems are essentially a simple form of formal verification. There are entire classes of bugs that are simply impossible in a properly typed programs; and more advanced type systems can eliminate a larger class of bugs. Although, to get the full benefit, you still need to go out of your way to encode some invariant into the type system. You also find that mainstream languages that try to go in this direction always contain some sort of escape hatch to let the programmer assert a portion of code is correct without needing to convince the verifier.
[0] https://github.com/seL4/seL4
[1] https://github.com/seL4/sel4test
[2] https://github.com/seL4/l4v
-
Formally Proven Binary Format Parsers
I mean, just look at the commits with "fix" in the specs folder: https://github.com/seL4/l4v/commits/master?after=4f0bbd4fcbc...
- Proofs and specifications
FStar
- Lean4 helped Terence Tao discover a small bug in his recent paper
-
The Deep Link Equating Math Proofs and Computer Programs
I don't think something that specific exists. There are a very large number of formal methods tools, each with different specialties / domains.
For verification with proof assistants, [Software Foundations](https://softwarefoundations.cis.upenn.edu/) and [Concrete Semantics](http://concrete-semantics.org/) are both solid.
For verification via model checking, you can check out [Learn TLA+](https://learntla.com/), and the more theoretical [Specifying Systems](https://lamport.azurewebsites.net/tla/book-02-08-08.pdf).
For more theory, check out [Formal Reasoning About Programs](http://adam.chlipala.net/frap/).
And for general projects look at [F*](https://www.fstar-lang.org/) and [Dafny](https://dafny.org/).
-
If You've Got Enough Money, It's All 'Lawful'
Don't get me wrong, there are times when Microsoft got it right the first time that was technically far superior to their competitors. Windows IOCP was theoretically capable of doing C10K as far back in 1994-95 when there wasn't any hardware support yet and UNIX world was bickering over how to do asynchronous I/O. Years later POSIX came up with select which was a shoddy little shit in comparison. Linux caved in finally only as recently as 2019 and implemented io_uring. Microsoft research has contributed some very interesting things to computer science like Z3 SAT solver and in collaboration with INRIA made languages like F* and Low* for formal specification and verification. But all this dwarfs in comparison to all the harm they did.
-
What are the current hot topics in type theory and static analysis?
Most of the proof assistants out there: Lean, Coq, Dafny, Isabelle, F*, Idris 2, and Agda. And the main concepts are dependent types, Homotopy Type Theory AKA HoTT, and Category Theory. Warning: HoTT and Category Theory are really dense, you're going to really need to research them.
-
Why is there no simple C-like functional programming language?
F* is a dependently typed language that can be transpiled to idiomatic C via the KReMLin compiler. It’s very ML-ish to write and you can leave out some proofs. It also has the benefit of being used to write a formally verified TLS implementation that’s in wide use throughout industry.
-
[Media] Genetic algorithm simulation - Smart rockets (code link in comments)
As I said, dependent types attempt to solve this problem. F* is a language where you can express complex logic as a type. The catch is, these types are checked by an SMT solver. If the solver can satisfy the type checking, then great, and you move on. If it can’t, you have no idea why, and either have to guess or manually write the proof anyway. Contrast this with Standard ML which has a proof of the soundness of its type system.
-
Prop v0.42 released! Don't panic! The answer is... support for dependent types :)
So kind of like F*? https://www.fstar-lang.org/
-
old languages compilers
F*
-
Pegasus spyware was used to hack reporters’ phones. I’m suing its creators; When you’re infected by Pegasus, spies effectively hold a clone of your phone – we’re fighting back.
Nevermind that academia has come up with far safer ways to do a few things but social norms & inertia prevent their wider adoption (well okay, it also has a barrier to entry in the education required to use it but I don't think someone with the knowledge to meaningfully contribute to an OS kernel can be considered uneducated nor unable to learn).
-
[Hobby] Amateur Generalist Programmer Seeking to Put Bugfixing Skills to Good Use
Maybe that's a little off topic here, but if you like fixing bugs, i suspect you might also enjoy showing that there are no bugs at all. Check out languages like F* https://www.fstar-lang.org/ It's a proof-oriented programming language. You can use it to write code that has no bugs at all. And you once you're done, can convert F* to C or other languages.
What are some alternatives?
seL4 - The seL4 microkernel
coq - Coq is a formal proof management system. It provides a formal language to write mathematical definitions, executable algorithms and theorems together with an environment for semi-interactive development of machine-checked proofs.
hubris - A lightweight, memory-protected, message-passing kernel for deeply embedded systems.
lean - Lean Theorem Prover
agda-stdlib - The Agda standard library
dafny - Dafny is a verification-aware programming language
creusot - Creusot helps you prove your code is correct in an automated fashion. [Moved to: https://github.com/creusot-rs/creusot]
koka - Koka language compiler and interpreter
cryptography - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
VisualFSharp - The F# compiler, F# core library, F# language service, and F# tooling integration for Visual Studio
codeball-action - 🔮 Codeball – AI Code Review that finds bugs and fast-tracks your code
stepmania - Advanced rhythm game for Windows, Linux and OS X. Designed for both home and arcade use.