research-article

Public Access

Planning for change in a formal verification of the raft consensus protocol

Authors:

James R. Wilcox,

Zachary Tatlock,

Michael D. Ernst,

Thomas AndersonAuthors Info & Claims

CPP 2016: Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs

Pages 154 - 165

https://doi.org/10.1145/2854065.2854081

Published: 18 January 2016 Publication History

Abstract

We present the first formal verification of state machine safety for the Raft consensus protocol, a critical component of many distributed systems. We connected our proof to previous work to establish an end-to-end guarantee that our implementation provides linearizable state machine replication. This proof required iteratively discovering and proving 90 system invariants. Our verified implementation is extracted to OCaml and runs on real networks. The primary challenge we faced during the verification process was proof maintenance, since proving one invariant often required strengthening and updating other parts of our proof. To address this challenge, we propose a methodology of planning for change during verification. Our methodology adapts classical information hiding techniques to the context of proof assistants, factors out common invariant-strengthening patterns into custom induction principles, proves higher-order lemmas that show any property proved about a particular component implies analogous properties about related components, and makes proofs robust to change using structural tactics. We also discuss how our methodology may be applied to systems verification more broadly.

References

[1]

A. W. Appel, R. Dockins, A. Hobor, L. Beringer, J. Dodds, G. Stewart, S. Blazy, and X. Leroy. Program Logics for Certified Compilers. Cambridge University Press, 2014.

Digital Library

[2]

B. Barras, C. Tankink, and E. Tassi. Asynchronous processing of Coq documents: from the kernel up to the user interface. In ITP, 2015.

[3]

J. Bengtson, J. B. Jensen, and L. Birkedal. Charge! - A framework for higher-order separation logic in coq. In ITP, 2012.

[4]

M. Bickford, R. L. Constable, and V. Rahli. Logic of events, a framework to reason about distributed systems. In LADA, 2012.

[5]

T. D. Chandra, R. Griesemer, and J. Redstone. Paxos made live: An engineering perspective. In PODC, Aug. 2007.

Digital Library

[6]

A. Chlipala. Mostly-automated verification of low-level programs in computational separation logic. In PLDI, June 2011.

Digital Library

[7]

A. Chlipala. Certified Programming with Dependent Types. MIT Press, Dec. 2013.

Digital Library

[8]

R. L. Constable, S. F. Allen, H. M. Bromley, W. R. Cleaveland, J. F. Cremer, R. W. Harper, D. J. Howe, T. B. Knoblock, N. P. Mendler, P. Panangaden, J. T. Sasaki, and S. F. Smith. Implementing Mathematics with The Nuprl Proof Development System. Prentice Hall, 1986.

Digital Library

[9]

Coq Development Team. The Coq Reference Manual, version 8.4, Aug. 2012. http://coq.inria.fr/doc.

[10]

Data Center Knowledge. etcd: the Not-so-Secret Sauce in Google’s Kubernetes and Pivotal’s Cloud Foundry, 2014. http://www.datacenterknowledge.com/archives/2014/07/16/etcdsecret-sauce-googles-kubernetes-pivotals-cloud-foundry/.

[11]

M. J. Fischer, N. A. Lynch, and M. Paterson. Impossibility of distributed consensus with one faulty process. J. ACM, 32(2), 1985.

Digital Library

[12]

F. Garillot, G. Gonthier, A. Mahboubi, and L. Rideau. Packaging mathematical structures. In TPHOLs, 2009.

Digital Library

[13]

G. Gonthier, A. Mahboubi, and E. Tassi. A Small Scale Reflection Extension for the Coq System. Technical Report 645, Microsoft Research - Inria Joint Centre, 2009.

[14]

G. Gonthier, B. Ziliani, A. Nanevski, and D. Dreyer. How to make ad hoc proof automation less ad hoc. In ICFP, 2011.

Digital Library

[15]

Greg Morrisett. Certified Programming and State, June 2014.

[16]

https://www.cs.uoregon.edu/research/summerschool/summer14/ curriculum.html.

[17]

C. Hawblitzel, J. Howell, M. Kapritsos, J. R. Lorch, B. Parno, M. L. Roberts, S. Setty, and B. Zill. Ironfleet: Proving practical distributed systems correct. In SOSP, Oct. 2015.

Digital Library

[18]

M. P. Herlihy and J. M. Wing. Linearizability: A correctness condition for concurrent objects. TOPLAS, 12(3), 1990.

Digital Library

[19]

J. Kirsch and Y. Amir. Paxos for system builders. Dept. of CS, Johns Hopkins University, Tech. Rep, 2008.

[20]

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, M. Norrish, R. Kolanski, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an OS kernel. In SOSP, Oct. 2009.

Digital Library

[21]

G. Klein, J. Andronick, K. Elphinstone, T. C. Murray, T. Sewell, R. Kolanski, and G. Heiser. Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst., 32(1), 2014.

Digital Library

[22]

L. Lamport. The part-time parliament. TOCS, 16(2), 1998.

Digital Library

[23]

L. Lamport. Paxos made simple. ACM Sigact News, 32(4), 2001.

[24]

B. W. Lampson. The ABCD’s of Paxos. In PODC, Aug. 2001.

[25]

X. Leroy. Formal verification of a realistic compiler. Communications of the ACM, 52(7), July 2009.

Digital Library

[26]

G. Malecha. coq-ext-lib. https://github.com/coq-ext-lib/coq-extlib.

[27]

D. Mazieres. Paxos made practical, 2007. http://www.scs.stanford. edu/~dm/home/papers.

[28]

A. Nanevski, G. Morrisett, A. Shinnar, P. Govereau, and L. Birkedal. Ynot: Dependent types for imperative programs. In ICFP, Sept. 2008.

Digital Library

[29]

NYTimes. The Stock Market Bell Rings, Computers Fail, Wall Street Cringes, July 2015. http://www.nytimes.com/2015/07/09/business/ dealbook/new-york-stock-exchange-suspends-trading.html.

[30]

B. M. Oki and B. H. Liskov. Viewstamped replication: A new primary copy method to support highly-available distributed systems. In PODC, Aug. 1988.

Digital Library

[31]

D. Ongaro. Consensus: Bridging Theory and Practice. PhD thesis, Stanford University, Aug. 2014.

[32]

D. Ongaro. The Raft consensus website, Nov. 2014. http://raft.github.io/.

[33]

D. Ongaro and J. Ousterhout. In search of an understandable consensus algorithm. In USENIX ATC, June 2014.

Digital Library

[34]

D. L. Parnas. On the criteria to be used in decomposing systems into modules. Commun. ACM, 15(12), Dec. 1972.

Digital Library

[35]

B. C. Pierce. Types and Programming Languages. MIT Press, 2002.

Digital Library

[36]

V. Rahli. Interfacing with proof assistants for domain specific programming using EventML. In UITP, July 2012.

[37]

V. Rahli, D. Guaspari, M. Bickford, and R. L. Constable. Formal specification, verification, and implementation of fault-tolerant systems using EventML. In AVOCS, Sept. 2015.

[38]

N. Schiper, V. Rahli, R. van Renesse, M. Bickford, and R. L. Constable. Developing correctly replicated databases using formal tools. In DSN, June 2014.

Digital Library

[39]

R. Van Renesse. Paxos made moderately complex. ACM Computing Surveys, 47(3), 2011.

Digital Library

[40]

J. R. Wilcox, D. Woos, P. Panchekha, Z. Tatlock, X. Wang, M. D. Ernst, and T. Anderson. Verdi: A framework for implementing and verifying distributed systems. In PLDI 2015, June 2015.

Digital Library

Cited By

Bora PMinh PWillemse T(2024)Modelling the Raft Distributed Consensus Protocol in mCRL2Electronic Proceedings in Theoretical Computer Science10.4204/EPTCS.399.4399(7-20)Online publication date: 27-Mar-2024
https://doi.org/10.4204/EPTCS.399.4
Yang DTsai W(2024)Linear Consensus Protocol Based on Vague Sets and Multi-Attribute Decision-Making MethodsElectronics10.3390/electronics1313246113:13(2461)Online publication date: 24-Jun-2024
https://doi.org/10.3390/electronics13132461
Qiu LKim YShin JKim JHonoré WShao Z(2024)LiDO: Linearizable Byzantine Distributed Objects with Refinement-Based Liveness ProofsProceedings of the ACM on Programming Languages10.1145/36564238:PLDI(1140-1164)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656423
Show More Cited By

Index Terms

Planning for change in a formal verification of the raft consensus protocol
1. Theory of computation
  1. Logic
  2. Semantics and reasoning
    1. Program reasoning

Recommendations

Verdi: a framework for implementing and formally verifying distributed systems
PLDI '15: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation

Distributed systems are difficult to implement correctly because they must handle both concurrency and failures: machines may crash at arbitrary points and networks may reorder, drop, or duplicate packets. Further, their behavior is often too complex ...
Verdi: a framework for implementing and formally verifying distributed systems
PLDI '15

Distributed systems are difficult to implement correctly because they must handle both concurrency and failures: machines may crash at arbitrary points and networks may reorder, drop, or duplicate packets. Further, their behavior is often too complex ...
Modularity for decidability of deductive verification with applications to distributed systems
PLDI 2018: Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

Proof automation can substantially increase productivity in formal verification of complex systems. However, unpredictablility of automated provers in handling quantified formulas presents a major hurdle to usability of these tools. We propose to solve ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CPP 2016: Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs

January 2016

196 pages

ISBN:9781450341271

DOI:10.1145/2854065

Program Chairs:
Jeremy Avigad
Carnegie Mellon University, USA
,
Adam Chlipala
MIT, USA

Copyright © 2016 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGPLAN: ACM Special Interest Group on Programming Languages

In-Cooperation

SIGLOG: ACM Special Interest Group on Logic and Computation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 January 2016

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CPP 2016

Sponsor:

SIGPLAN

CPP 2016: Certified Proofs and Programs

January 18 - 19, 2016

FL, St. Petersburg, USA

Acceptance Rates

Overall Acceptance Rate 18 of 26 submissions, 69%

Upcoming Conference

POPL '25

Sponsor:
sigplan

The 52nd Annual ACM SIGPLAN Symposium on Principles of Programming Languages

January 19 - 25, 2025

Denver , CO , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

93
Total Citations
View Citations
2,136
Total Downloads

Downloads (Last 12 months)491
Downloads (Last 6 weeks)42

Reflects downloads up to 06 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bora PMinh PWillemse T(2024)Modelling the Raft Distributed Consensus Protocol in mCRL2Electronic Proceedings in Theoretical Computer Science10.4204/EPTCS.399.4399(7-20)Online publication date: 27-Mar-2024
https://doi.org/10.4204/EPTCS.399.4
Yang DTsai W(2024)Linear Consensus Protocol Based on Vague Sets and Multi-Attribute Decision-Making MethodsElectronics10.3390/electronics1313246113:13(2461)Online publication date: 24-Jun-2024
https://doi.org/10.3390/electronics13132461
Qiu LKim YShin JKim JHonoré WShao Z(2024)LiDO: Linearizable Byzantine Distributed Objects with Refinement-Based Liveness ProofsProceedings of the ACM on Programming Languages10.1145/36564238:PLDI(1140-1164)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656423
Honoré WQiu LKim YShin JKim JShao Z(2024)AdoB: Bridging Benign and Byzantine Consensus with Atomic Distributed ObjectsProceedings of the ACM on Programming Languages10.1145/36498268:OOPSLA1(419-448)Online publication date: 29-Apr-2024
https://dl.acm.org/doi/10.1145/3649826
Yao JTao RGu RNieh J(2024)Mostly Automated Verification of Liveness Properties for Distributed Protocols with Ranking FunctionsProceedings of the ACM on Programming Languages10.1145/36328778:POPL(1028-1059)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1145/3632877
Kim JGu RShao Z(2024) SimplMMJournal of Systems Architecture: the EUROMICRO Journal10.1016/j.sysarc.2023.103049147:COnline publication date: 17-Apr-2024
https://dl.acm.org/doi/10.1016/j.sysarc.2023.103049
Sachtleben R(2024)Unifying Frameworks for Complete Test StrategiesScience of Computer Programming10.1016/j.scico.2024.103135(103135)Online publication date: Apr-2024
https://doi.org/10.1016/j.scico.2024.103135
Wang WNiu JReiter MZhang Y(2024)Formally Verifying a Rollback-Prevention Protocol for TEEsFormal Techniques for Distributed Objects, Components, and Systems10.1007/978-3-031-62645-6_9(155-173)Online publication date: 13-Jun-2024
https://doi.org/10.1007/978-3-031-62645-6_9
Nagasamudram RBeringer LBirman KMilano MNaumann D(2024)Verifying a C Implementation of Derecho’s Coordination Mechanism Using VST and CoqNASA Formal Methods10.1007/978-3-031-60698-4_6(99-117)Online publication date: 26-May-2024
https://doi.org/10.1007/978-3-031-60698-4_6
Kumar AHippel MManolios PNita-Rotaru C(2023)Verification of GossipSub in ACL2sElectronic Proceedings in Theoretical Computer Science10.4204/EPTCS.393.10393(113-132)Online publication date: 14-Nov-2023
https://doi.org/10.4204/EPTCS.393.10
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents