Systems Correctness Practices at AWS: Leveraging Formal and Semi-Formal Methods

(queue.acm.org)

167 points yarapavan | 2 comments | 01 Apr 25 14:59 UTC | HN request time: 0.541s | source

Show context

gqgs ◴[01 Apr 25 19:17 UTC] No.43550402[source]▶

A key concern I've consistently had regarding formal verification systems is: how does one confirm the accuracy of the verifier itself?

This issue appears to present an intrinsically unsolvable problem, implying that a formally verified system could still contain bugs due to potential issues in the verification software.

While this perspective doesn't necessarily render formal verification impractical, it does introduce certain caveats that, in my experience, are not frequently addressed in discussions about these systems.

replies(8): >>43550610 #>>43550706 #>>43550740 #>>43552467 #>>43553529 #>>43553826 #>>43554265 #>>43558410 #

1. alexisread ◴[01 Apr 25 19:53 UTC] No.43550706[source]▶

>>43550402 #

I'd guess the best approach is similar to security - minimal TCB (trusted computing base) that you can verify by hand, and then construct your proof checker on top, and have it verify itself. Proof and type checkers have a lot of overlap, so you can gain coverage via the language types.

I can't recall exactly, but I think CakeML (https://cakeml.org/jfp14.pdf) had a precursor lisp prover, written in a verified lisp, so would be amenable to this approach.

EDIT: think it was this one https://www.schemeworkshop.org/2016/verified-lisp-2016-schem...

replies(1): >>43551066 #

2. guerrilla ◴[01 Apr 25 20:36 UTC] No.43551066[source]▶

>>43550706 (TP) #

This is correct. That's why you have core type theories. Very small, easy to understand and implement in a canonocal way. Other languages can be compiled to them.

↑