Formal Aspects of Computing

, Volume 24, Issue 1, pp 27–44 | Cite as

Formalizing a hierarchical file system

Open Access
Original Article


An abstract file system is defined here as a partial function from (absolute) paths to data. Such a file system determines the set of valid paths. It allows the file system to be read and written at a valid path, and it allows the system to be modified by the Unix operations for creation, removal, and moving of files and directories. We present abstract definitions (axioms) for these operations. This specification is refined towards a pointer implementation. The challenge is to have a natural abstraction function from the implementation to the specification, to define operations on the concrete store that behave exactly in the same way as the corresponding functions on the abstract store, and to prove these facts. To mitigate the problems attached to partial functions, we do this in two steps: first a refinement towards a pointer implementation with total functions, followed by one that allows partial functions. These two refinements are proved correct by means of a number of invariants. Indeed, the insights gained consist, on the one hand, of the invariants of the pointer implementation that are needed for the refinement functions, and on the other hand of the precise enabling conditions of the operations on the different levels of abstraction. Each of the three specification levels is enriched with a permission system for reading, writing, or executing, and the refinement relations between these permission systems are explored. Files and directories are distinguished from the outset, but this rarely affects our part of the specifications. All results have been verified with the proof assistant PVS, in particular, that the invariants are preserved by the operations, and that, where the invariants hold, the operations commute with the refinement functions.


File system Specification Verification Refinement Permission system Theorem proving 


Open Access

This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.


  1. AL96.
    Abrahams PW, Larson BR (1996) Unix for the impatient. Addison-Wesley, ReadingGoogle Scholar
  2. AZKR04.
    Arkoudas K, Zee K, Kuncak V, Rinard M (2004) Verifying a file system implementation. In: Sixth international conference on formal engineering methods (ICFEM04). LNCS, vol 3308, pp 8–12Google Scholar
  3. BCC+03.
    Burdy L, Cheon Y, Cok DR, Ernst MD, Kiniry JR, Leino GTKRM, Poll E (2003) An overview of jml tools and applications. Int J Softw Tools Technol Transf 7(3): 73–89Google Scholar
  4. BFW09.
    Butterfield A, Freitas L, Woodcock J (2009) Mechanising a formal model of flash memory. Sci Comput Programm 74: 219–237CrossRefMATHMathSciNetGoogle Scholar
  5. BGM87.
    Bidoit M, Gaudel M-C, Mauboussin A (1987) How to make algebraic specifications more understandable? In: Wirsing M, Bergstra JA (eds) Algebraic methods: theory, tools and applications. Lect. Notes in Computer Science, vol 394. pp 31–69Google Scholar
  6. DBA08.
    Damchoom K, Butler MJ, Abrial J-R (2008) Modelling and proof of a tree-structured file system in Event-B and Rodin. In: ICFEM, pp 25–44Google Scholar
  7. Fu06.
    Fu Z (2006) A refinement of the UNIX filing system using Z/Eves. Master’s thesis, University of York, October 2006Google Scholar
  8. FWB08.
    Freitas L, Woodcock J, Butterfield A (2008) POSIX and the verification grand challenge: A roadmap. In: ICECCS ’08: proceedings of the 13th IEEE international conference on engineering of complex computer systems. IEEE Computer Society, Washington, DC, pp 153–162Google Scholar
  9. FWF09.
    Freitas L, Woodcock J, Fu Z (2009) POSIX file store in Z/Eves: an experiment in the verified software repository. Sci Comput Program 74(4): 238–257CrossRefMATHMathSciNetGoogle Scholar
  10. GBM08.
    Geambasu R, Birrell A, MacCormick J (2008) Experiences with formal specification of fault-tolerant file systems. In: IEEE international conference on dependable systems and networks with FTCS and DCC, pp 96–101, June 2008Google Scholar
  11. GLMS09.
    Galloway A, Luttgen G, Muhlberg JT, Siminiceanu R (2009) Model-checking the Linux virtual file system. In: VMCAI, pp 74–88Google Scholar
  12. HL09a.
    Hesselink WH, Lali MI (2009) Formalizing a hierarchical file system. Electron Notes Theor Comput Sci 59: 67–85CrossRefGoogle Scholar
  13. HL09b.
    Hesselink WH, Lali MI (2009) PVS proof script of “file system formalization”.
  14. Hoa03.
    Hoare CAR (2003) The verifying compiler: A grand challenge for computing research. J ACM 50: 63–69CrossRefGoogle Scholar
  15. HR04.
    Huth M, Ryan M (2004) Logic in Computer Science: Modelling and reasoning about systems, 2nd ed. Cambridge University Press, LondonMATHGoogle Scholar
  16. Hug89.
    Hughes J (1989) Specifying a visual file system in Z. Technical report. Department of Computing Science, University of Glasgow, 3 pGoogle Scholar
  17. JH07.
    Joshi R, Holzmann GJ (2007) A Mini Challenge: build a verifiable filesystem. Formal Aspects Comput 19: 4CrossRefGoogle Scholar
  18. KJ08.
    Kang E, Jackson D (2008) Formal modeling and analysis of a flash filesystem in alloy. In: ABZ ’08: proceedings of the 1st international conference on abstract state machines, B and Z. Springer, Berlin, pp 294–308Google Scholar
  19. Lam93.
    Lamport L (1993) How to write a proof. Am Math Mon 102: 600–608CrossRefMathSciNetGoogle Scholar
  20. Lut93.
    Lutz R (1993) Analyzing software requirements errors in safety-critical embedded systems. In: IEEE international symposium on requirements engineering. CA, pp 126–133, January 1993Google Scholar
  21. MS84.
    Morgan C, Sufrin B (1984) Specification of the UNIX filing system. IEEE Trans Softw Eng SE-10: 128–142CrossRefGoogle Scholar
  22. OSRSC01.
    Owre S, Shankar N, Rushby JM, Stringer-Calvert DWJ (2001) PVS version 2.4. System Guide, Prover Guide, PVS Language Reference.
  23. Pec99.
    Pecheur C (1999) Advanced modelling and verification techniques applied to a cluster file system. In: Proceedings of the 14th IEEE international conference on automated software engineering. IEEE Computer Society, Washington, DC, USA, pp 119–126Google Scholar
  24. SSHR09.
    Schierl A, Schellhorn G, Haneberg D, Reif W (2009) Abstract specification of the UBIFS file system for flash memory. In: Cavalcanti A, Dams D (eds) FM. Lecture notes in computer science, vol 5850. Springer, Berlin, pp 190–206Google Scholar
  25. TP09.
    Taverne P, Pronk C (2009) RAFFS: Model checking a robust abstract flash file store. In: Breitman K, Cavalcanti A (eds) Formal methods and software engineering. 11th international conference on formal engineering methods. LNCS, vol 5885. ICFEM 2009, Springer, Berlin, pp 226–245, December 2009Google Scholar
  26. WB07.
    Woodcock J, Banach R (2007) The verification grand challenge. Comput Soc India Commun 661–668Google Scholar
  27. Wen01.
    Wenzel M (2001) Some aspects of Unix file-system security. Isabelle/Isar proof document. T.U. MunchenGoogle Scholar
  28. YTEM06.
    Yang J, Twohey P, Engler D, Musuvathi M (2006) Using model checking to find serious file system errors. ACM Trans Comput Syst 24(4): 393–423CrossRefGoogle Scholar

Copyright information

© The Author(s) 2010

Authors and Affiliations

  1. 1.Department of Computing ScienceUniversity of GroningenGroningenThe Netherlands
  2. 2.Department of Computer ScienceCOMSATS Institute of Information TechnologyIslamabadPakistan

Personalised recommendations