This directory contains formal proofs of filesystem operations across 5 different proof assistants, establishing the MAA (Mutually Assured Accountability) framework with polyglot verification.
Statement: Creating a directory and then removing it returns the filesystem to its original state.
∀ path, fs.
(path doesn't exist in fs) ∧
(parent of path exists in fs) →
rmdir(path, mkdir(path, fs)) = fs
This is proven in 5 different logical foundations:
- Coq (Calculus of Inductive Constructions) - coq/filesystem_model.v
- Lean 4 (Dependent Type Theory) - lean4/FilesystemModel.lean
- Agda (Intensional Type Theory) - agda/FilesystemModel.agda
- Isabelle/HOL (Higher-Order Logic) - isabelle/FilesystemModel.thy
- Mizar (Tarski-Grothendieck Set Theory) - mizar/filesystem_model.miz
Polyglot verification increases confidence by proving the same theorem in different logical foundations:
- Coq (CIC): Inductive constructions, extraction to OCaml
- Lean 4: Modern dependent types, tactics-based proving
- Agda: Pure dependent types, constructive mathematics
- Isabelle/HOL: Classical higher-order logic, Sledgehammer automation
- Mizar: Mathematical vernacular, MML library
If a theorem is proven in all 5 systems, it is very unlikely to hold only because of a bug in one prover's kernel or an inconsistency in one foundation. The caveat is that polyglot verification says nothing about the shared specification: if the filesystem model itself is wrong (for example, it omits a POSIX condition), all five proofs are correct proofs about the wrong object.
Precedents, each verified in a single proof assistant:
- seL4 kernel: Proven in Isabelle/HOL
- CompCert compiler: Proven in Coq
- Fiat-Crypto: Proven in Coq with extraction
- This project treats polyglot verification, going beyond the single-foundation proofs above, as the standard to aim for in critical systems
Each proof file contains:
- Paths as sequences of path components (strings)
- Parent path computation
- Path equality and comparison
- FSNodeType: File or Directory
- Permissions: readable, writable, executable
- FSNode: combines type and permissions
- Modeled as partial function: Path → Option FSNode
- Empty filesystem contains only root directory
- Functional updates (immutable)
mkdir preconditions:
- Path does not exist
- Parent directory exists
- Parent is writable
mkdir postconditions:
- Path exists in result
- Path is a directory
- Other paths unchanged
rmdir preconditions:
- Path exists and is a directory
- Directory is empty
- Parent is writable
- Not root directory
rmdir postconditions:
- Path does not exist in result
- Other paths unchanged
All proof files contain:
- ✅ mkdir_creates_directory: mkdir creates a directory at the specified path
- ✅ mkdir_path_exists: path exists after mkdir
- ✅ rmdir_removes_path: path doesn't exist after rmdir
- ✅ mkdir_rmdir_reversible: The main reversibility theorem
- ✅ mkdir_preserves_other_paths: mkdir doesn't affect other paths
- ✅ rmdir_preserves_other_paths: rmdir doesn't affect other paths
- ✅ mkdir_parent_still_exists: parent still exists after mkdir
- ✅ File content operations (read/write) with reversibility
- ✅ Copy/move operations (abstract model)
- ✅ Symlink create/unlink operations (abstract model)
- ✅ Content composition theorems (last-write-wins, commuting writes)
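The model and the core theorems above, written out as an added Lean 4 sketch. This is not the project's lean4/FilesystemModel.lean; it keeps only what the reversibility argument needs (paths as string lists, nodes as a kind plus a writable flag, the filesystem as Path → Option FSNode, mkdir and rmdir as functional updates). The names parent, freshDir, mkdir_precondition and the exact shape of the precondition are this example's assumptions, chosen to mirror the description above. The point worth seeing is which precondition does the work: only "path does not exist" is needed for the equation, because without it mkdir would overwrite an existing node and rmdir would then delete it, so the composition would not be the identity. The parent and permission conditions are there for POSIX faithfulness, not for this equation.

```lean
-- Added example (not the project's lean4/FilesystemModel.lean):
-- a minimal version of the model described above, enough to state
-- and prove mkdir_rmdir_reversible and the other-paths-unchanged lemmas.

inductive FSNodeType
  | file
  | directory

-- A node is its kind plus the one permission the mkdir precondition needs.
structure FSNode where
  kind     : FSNodeType
  writable : Bool

-- Paths are sequences of components; the root is the empty list.
abbrev Path := List String

-- The filesystem is a partial map from paths to nodes (functional, immutable).
abbrev FS := Path → Option FSNode

-- Parent of a path: drop the last component (assumed here, not the project's).
def parent (p : Path) : Path := p.dropLast

-- The node mkdir installs: a fresh, writable directory.
def freshDir : FSNode := { kind := .directory, writable := true }

-- Functional update: bind p to a fresh directory, leave every other path alone.
def mkdir (p : Path) (fs : FS) : FS :=
  fun q => if q = p then some freshDir else fs q

-- Functional update: unbind p, leave every other path alone.
def rmdir (p : Path) (fs : FS) : FS :=
  fun q => if q = p then none else fs q

-- The mkdir preconditions listed above: path absent, parent is a writable
-- directory. (This name and shape are assumptions of this example.)
def mkdir_precondition (p : Path) (fs : FS) : Prop :=
  fs p = none ∧
    ∃ n, fs (parent p) = some n ∧
      n.kind = FSNodeType.directory ∧ n.writable = true

theorem mkdir_path_exists (p : Path) (fs : FS) :
    mkdir p fs p = some freshDir := by
  simp [mkdir]

theorem mkdir_preserves_other_paths (p q : Path) (fs : FS) (hq : q ≠ p) :
    mkdir p fs q = fs q := by
  simp [mkdir, hq]

theorem rmdir_preserves_other_paths (p q : Path) (fs : FS) (hq : q ≠ p) :
    rmdir p fs q = fs q := by
  simp [rmdir, hq]

-- The main theorem. Only `fs p = none` is used from the precondition.
theorem mkdir_rmdir_reversible (p : Path) (fs : FS)
    (h : mkdir_precondition p fs) :
    rmdir p (mkdir p fs) = fs := by
  have hnone : fs p = none := h.1
  funext q
  by_cases hq : q = p
  · -- at p: mkdir wrote a node, rmdir erased it, and fs p was none to begin with
    simp [rmdir, mkdir, hq, hnone]
  · -- elsewhere: neither operation touches q
    simp [rmdir, mkdir, hq]
```

The proof is a case split on whether the path being inspected is the one mkdir/rmdir acted on; the "other paths unchanged" lemmas are the non-equal branch of that split stated on their own. Dropping `fs p = none` from mkdir_precondition makes the main theorem unprovable, which is the formal counterpart of the EEXIST case listed in the roadmap.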
```bash
cd proofs/coq
coqc filesystem_model.v
# Produces: filesystem_model.vo (verified object file)
```

```bash
cd proofs/lean4
lake build
# Or: lean FilesystemModel.lean
```

```bash
cd proofs/agda
agda FilesystemModel.agda
# Produces: FilesystemModel.agdai
```

```bash
cd proofs/isabelle
isabelle build -D .
# Or: isabelle jedit FilesystemModel.thy
```

```bash
cd proofs/mizar
mizf filesystem_model.miz
# Produces verification output
```

- ✅ Can prove directory creation is reversible
- ✅ Mathematical guarantee of state restoration
- ❌ Still need: file deletion proofs, secure wipe properties
- ✅ RMR (Remove-Match-Reverse) primitive proven
- ✅ Reversibility with mathematical certainty
- ❌ Still need: RMO (obliterative deletion), full POSIX model
- ✅ Formal specification complete
- ✅ Ready for extraction (Coq → OCaml)
- ❌ Still need: FFI to POSIX, verification of extracted code
- POSIX Error Conditions: Model EEXIST, ENOENT, EACCES, ENOTEMPTY
- Path Resolution: Prove symlink target traversal and .. handling
- Extraction: Coq → OCaml → POSIX FFI
- Testing: Real POSIX tests against extracted code
- Elixir Verification: Prove Elixir implementation matches spec
- Full Shell: Command parsing, pipes, job control
- Performance: Zig fast path for simple operations
- MAA Auditing: Proof certificates for user operations
```coq
Theorem list_add_remove : ∀ x l,
  remove x (add x l) = l.
```

Problem: This is about abstract lists, not real filesystems.
```coq
Theorem mkdir_rmdir_reversible : ∀ path fs,
  mkdir_precondition path fs →
  rmdir path (mkdir path fs) = fs.
```

Advancement: This is about filesystem operations with:
- Path structures (not just list elements)
- Preconditions (parent exists, permissions, etc.)
- Filesystem state (partial mappings)
- POSIX semantics (directories, files, permissions)
Gap Remaining: Still modeling filesystem abstractly. Need:
- Real POSIX syscall semantics
- Inode model
- Actual deletion (not just removal from mapping)
- Disk/memory persistence
Established:
- 5-way polyglot verification of directory reversibility
- Formal model of POSIX-like filesystem operations
- Proven correctness of mkdir/rmdir composition
- Foundation for verified shell implementation
- Specification ready for extraction
Not established:
- GDPR compliance - only directory operations, not file deletion
- Verified executable - no extraction or testing yet
- Real POSIX - model is abstract, not connected to syscalls
- Secure deletion - no proof of data obliteration
- Production ready - research phase only
- Verdi (distributed systems in Coq)
- Fscq (verified file system in Coq)
- CertiKOS (verified OS kernel)
- seL4 (verified microkernel in Isabelle/HOL)
- CompCert (verified C compiler in Coq)
Our Contribution: To our knowledge, the first polyglot verification (5 systems) of shell filesystem operations for an accountability framework.
To be added - see repository root
Status: Research phase - Formal specifications complete, extraction pending
Last Updated: 2026-01-18