LFCS Seminar: Tuesday 14th April: Rini Banerjee Tue, 14 Apr, 4.10pm Venue: IF G.03 Remote participation: URL: https://ed-ac-uk.zoom.us/j/89292150989 Password: HjWE0rem Title: Gradual Assurance for Systems Software: A Separation-Logic Approach Abstract The conventional code-test-debug cycle is the de-facto methodologyfor building software systems, and while successful to an extent, itmanifestly fails to make these systems reliable enough. Variousapproaches have been explored over the past few decades to improve thereliability of these systems, from push-button static and dynamicanalysis tools to traditional formal verification via rich, explicitspecifications. These specifications require specialist expertiseto write and are therefore costly to produce and maintain, especiallyat scale. Testing specifications concretely at runtime — as they arebeing written — can alleviate this by making it possible to check anddebug in-progress, partial specifications in a lightweight manner,providing more gradual assurance. Unfortunately, the testing andproof communities have historically been largely disjoint, and muchof the existing work in these areas focuses on a single approach andtool. We propose a more flexible use of rich specifications, via a singlelanguage for specifications; these can be refined as they are writtenusing feedback from testing and property-based testing, and caneventually be used for proof, if desired [1]. We demonstrate ourapproach by applying this workflow to critical systems softwarewritten in C, using separation logic to capture the complex ownershipproperties present in such code. Concretely, we use the CN [2]separation-logic specification language; the Fulminate [3] runtimetesting tool, which translates CN specifications into C runtimechecks and checks ownership dynamically; the Darcy [1]property-based testing tool, which generates randomprecondition-satisfying inputs to drive Fulminate assertions; andthe CN proof tool. In this talk, I will discuss our experience applyingthis testing-first workflow to a fragment of real-world systems code(Google's pKVM hypervisor); our work in getting theFulminate-instrumented fragment running baremetal at thehypervisor privilege level as part of pKVM; and provide an overview ofthe tools we developed and improved in service of these. [1] Code-Specify-Test-Debug-Prove: Flexibly IntegratingSeparation Logic Specification into Conventional Workflows. Zain KAamer*, Rini Banerjee*, Hiroyuki Katsura*, DavidKaloper-Meršinjak*, Dimitrios J. Economou, Kayvan Memarian, DhruvMakwana, Neel Krishnaswami, Benjamin C Pierce, Christopher Pulte,Peter Sewell. To appear in PLDI 2026. *authors contributed equally [2] CN: Verifying Systems C Code with Separation-Logic RefinementTypes. Christopher Pulte, Dhruv C. Makwana, Thomas Sewell, KayvanMemarian, Peter Sewell, Neel Krishnaswami. POPL 2023. [3] Fulminate: Testing CN Separation-Logic Specifications in C. RiniBanerjee, Kayvan Memarian, Dhruv Makwana, Christopher Pulte, NeelKrishnaswami, and Peter Sewell. POPL 2025. Apr 14 2026 16.10 - 17.00 LFCS Seminar: Tuesday 14th April: Rini Banerjee Rini Banerjee, University of Cambridge https://rinibanerjee.com/ Informatics Forum, G.03
LFCS Seminar: Tuesday 14th April: Rini Banerjee Tue, 14 Apr, 4.10pm Venue: IF G.03 Remote participation: URL: https://ed-ac-uk.zoom.us/j/89292150989 Password: HjWE0rem Title: Gradual Assurance for Systems Software: A Separation-Logic Approach Abstract The conventional code-test-debug cycle is the de-facto methodologyfor building software systems, and while successful to an extent, itmanifestly fails to make these systems reliable enough. Variousapproaches have been explored over the past few decades to improve thereliability of these systems, from push-button static and dynamicanalysis tools to traditional formal verification via rich, explicitspecifications. These specifications require specialist expertiseto write and are therefore costly to produce and maintain, especiallyat scale. Testing specifications concretely at runtime — as they arebeing written — can alleviate this by making it possible to check anddebug in-progress, partial specifications in a lightweight manner,providing more gradual assurance. Unfortunately, the testing andproof communities have historically been largely disjoint, and muchof the existing work in these areas focuses on a single approach andtool. We propose a more flexible use of rich specifications, via a singlelanguage for specifications; these can be refined as they are writtenusing feedback from testing and property-based testing, and caneventually be used for proof, if desired [1]. We demonstrate ourapproach by applying this workflow to critical systems softwarewritten in C, using separation logic to capture the complex ownershipproperties present in such code. Concretely, we use the CN [2]separation-logic specification language; the Fulminate [3] runtimetesting tool, which translates CN specifications into C runtimechecks and checks ownership dynamically; the Darcy [1]property-based testing tool, which generates randomprecondition-satisfying inputs to drive Fulminate assertions; andthe CN proof tool. In this talk, I will discuss our experience applyingthis testing-first workflow to a fragment of real-world systems code(Google's pKVM hypervisor); our work in getting theFulminate-instrumented fragment running baremetal at thehypervisor privilege level as part of pKVM; and provide an overview ofthe tools we developed and improved in service of these. [1] Code-Specify-Test-Debug-Prove: Flexibly IntegratingSeparation Logic Specification into Conventional Workflows. Zain KAamer*, Rini Banerjee*, Hiroyuki Katsura*, DavidKaloper-Meršinjak*, Dimitrios J. Economou, Kayvan Memarian, DhruvMakwana, Neel Krishnaswami, Benjamin C Pierce, Christopher Pulte,Peter Sewell. To appear in PLDI 2026. *authors contributed equally [2] CN: Verifying Systems C Code with Separation-Logic RefinementTypes. Christopher Pulte, Dhruv C. Makwana, Thomas Sewell, KayvanMemarian, Peter Sewell, Neel Krishnaswami. POPL 2023. [3] Fulminate: Testing CN Separation-Logic Specifications in C. RiniBanerjee, Kayvan Memarian, Dhruv Makwana, Christopher Pulte, NeelKrishnaswami, and Peter Sewell. POPL 2025. Apr 14 2026 16.10 - 17.00 LFCS Seminar: Tuesday 14th April: Rini Banerjee Rini Banerjee, University of Cambridge https://rinibanerjee.com/ Informatics Forum, G.03
Apr 14 2026 16.10 - 17.00 LFCS Seminar: Tuesday 14th April: Rini Banerjee Rini Banerjee, University of Cambridge https://rinibanerjee.com/
