Hi, my name is Dejun Park. I'm going to talk about the K Beacon Chain. So far people were talking about how and what they implement in the clients and the network, but now I'm going to talk about something a little bit different, which is how to formally verify the beacon chain, especially the state transition function.

Before we go: this is our awesome team that did this project. We are all at Runtime Verification. We do formal verification for safety-critical systems like smart contracts and consensus algorithms, and now we are really excited to work on this formal verification of the beacon chain implementation.

So the K Beacon Chain is an executable formal model of the beacon chain, written in the formal language called K, for the purpose of verifying the important properties, which are called accountable safety and plausible liveness, of the beacon chain implementation.

How many of you know the K language? Oh, okay, awesome. So for those of you who don't know about K: K is a formal language in which we actually specified the EVM semantics, called KEVM, and we used that KEVM specification to verify many high-profile smart contracts, including, recently, the Eth 2.0 deposit contract as well. So K is really a formal language; you can do any formal thing in this domain.

So let me give some big picture about where we are and what we are going to do next. We have the K Beacon Chain, a formal model which actually formalizes the Python spec of the beacon chain. So we faithfully formalized whatever is in the Python spec into our K formal language, and then we have the formal model. As I said, one of the benefits of using the K language is that anything modeled in K is executable, which means that it's more than just paper: you can actually execute and run this model, so we can even test it. So what we've done so far is that we wrote down this model and we ran exactly the same tests,
the conformance test suite that you run in the clients to make sure that you all agree on that. So we ran the same tests and made sure all the tests passed, so we have fairly high confidence that our model actually faithfully captures whatever the spec and also the implementation do. I will get to what the K Beacon Chain model looks like, but right now we have finished the K Beacon Chain model, and the next thing we want to do is to use that model to prove the safety and liveness proofs on that model. Once we've done these things, we really have high confidence that your actual client implementation also satisfies these two nice properties, as long as you follow the spec correctly.

Is there any question at this point? Okay, awesome.

So now I'm going to show you how this formal model looks. We actually decided to have a model that is very similar to the spec, to minimize the potential mistakes we made when we wrote down this formal model. The reason this is important is that if our formal model has some differences from the spec or the implementations, then even if you prove these things, they may not hold in the actual implementation, unless we verify the same thing again over those implementations, as the Lighthouse talk said, right? So we actually have a very similar formal model that has almost a one-to-one correspondence to the spec.

I will give you some examples of how it looks. Here on the left-hand side we have the Python spec, especially the beacon chain state definition. So you have your beacon chain state definition as a Python data structure.
There are many things here, and on the right-hand side is ours, called a K configuration, which is a mathematical object of the same exact beacon chain state. We have a really similar structure, so you can even follow each one line by line: the slot, and so on, in this order. This makes sure that they are very similar, and makes sure that you are not missing any important thing. That's the one thing.

The next thing is that we have a bunch of functions in the Python spec, right? So for each function we have what K calls rules, so you can think about a rule as being like a function in Python. So in the function on the left-hand side, called process_epoch, we call a bunch of functions in sequence, and then in the K model we have the same thing: this arrow means that it calls this, followed by this, and followed by that. So you can see it's also very similar. The only difference is that they have the state explicitly mentioned here, and no state is mentioned there, because that state is actually already global and can be accessed, as in the next example. So for example, if your function accesses any state like state.slot, in our K model we can simply mention that slot in this configuration. You just mention it, which means you just match the current state, and then you can just use whatever is matched there in your function body, like this, instead of saying state.slot; you can just mention the slot. Yeah, there you go. And then if you have any if statement, or an assert, that can be described with our requires clause. So it's pretty much very similar; you can see this, right? So one thing is that a formal model is not really a different thing; you can even write it in K as long as you know how to write an interpreter or how to write Python code. But there is an exception where we are not really similar, in the case that we have a Python list comprehension.
So in this case we have get_matching_target_attestations, which simply filters out whatever target is not matched, and Python uses this list comprehension, which is really succinct and nice to read. But we decided not to use list comprehension and similar syntax, because we think it's better to specify what's going on here using the traditional iteration approach. So we have something like defining a filter function, and the filter function simply traverses each attestation in the list, and if the targets match then it includes it, otherwise it filters it out. So this is kind of an exception where the two models are a bit different, but essentially they are the same.

So that is how this formal model looks. And we already have good confidence that these two are very similar, but we want to do more. So as I said, we ran all the tests and made sure all the tests passed, but in addition to that we also measured the test coverage, which means how much of the formal model is actually exercised by those tests. And you know what? We actually realized, we found that some tests are missing. For example, it's the same program, I mean the same example.
Sorry, this one. So that is the Python coverage report, where you have this list comprehension, and this list comprehension can have 100% statement coverage if you have only one single test, because it's a single line: whatever your one test is, it just executes it, and then you have covered it. But the thing is that this is a filtering function, so you should have at least a few tests: whether it's filtering out every element, or filtering out only some of the elements, or nothing. Since we already specified that iteration explicitly, we found that in the existing tests, none of them is filtered out; everything is just targets matched. So we found that the case where something is filtered out is not covered, so we wrote an additional test. We found other similar missing tests, and we proposed and wrote more tests, and I think those will be included in the next release. So yeah, we not only have a formal model, but we also hope to improve the test suite.

So that's what we have so far. We have a formal model which is very similar to the specification, the Python specification. It passed all the tests, so we have very high confidence that it captures whatever the spec and implementation do. And then our next goal, as I said, is to now prove safety and liveness in that model, and once we have that, we are very highly confident that clients are secure, I mean safe and live. Thank you.
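Added example (not part of the talk, and not code from the K Beacon Chain project or the Eth 2.0 spec): a simplified Python sketch of the coverage point made above. `PendingAttestation`, `matching_target_comprehension`, `matching_target_iteration`, the root constants and the three test inputs are all constructed stand-ins, not the spec's real types or data. The comprehension version is one statement, so one test gives it full statement coverage; the explicit-iteration version (in the spirit of the K model's filter rule) separates the kept and dropped branches, so a test suite that only ever matches every target shows up as leaving the "dropped" branch unexercised.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


# Constructed, simplified stand-in for the spec's PendingAttestation:
# only the target root matters for this example.
@dataclass(frozen=True)
class PendingAttestation:
    target_root: bytes


# Simplified stand-in for the spec's get_matching_target_attestations.
# A single statement: any test that calls it yields 100% statement
# coverage, whether or not an element is ever dropped.
def matching_target_comprehension(atts: Sequence[PendingAttestation],
                                  target_root: bytes) -> List[PendingAttestation]:
    return [a for a in atts if a.target_root == target_root]


# Explicit-iteration version, mirroring the K model's filter-function style.
# The kept/dropped branches are separate statements, so a coverage tool
# (or the optional branch counter here) can tell whether each one ran.
def matching_target_iteration(atts: Sequence[PendingAttestation],
                              target_root: bytes,
                              branches: Optional[Dict[str, int]] = None
                              ) -> List[PendingAttestation]:
    out: List[PendingAttestation] = []
    for a in atts:
        if a.target_root == target_root:
            if branches is not None:
                branches["kept"] += 1
            out.append(a)
        else:
            if branches is not None:
                branches["dropped"] += 1
    return out


# Constructed 32-byte roots (hypothetical values).
ROOT_A = b"\x01" * 32
ROOT_B = b"\x02" * 32

# Constructed test inputs covering the three cases the talk asks for:
# everything matches, some match, nothing matches.
TEST_CASES: Dict[str, List[PendingAttestation]] = {
    "all_match": [PendingAttestation(ROOT_A)] * 3,
    "some_match": [PendingAttestation(ROOT_A), PendingAttestation(ROOT_B),
                   PendingAttestation(ROOT_A)],
    "none_match": [PendingAttestation(ROOT_B)] * 2,
}


def run_suite(case_names):
    """Run the selected cases against both versions, check they agree,
    and count which filter branches were exercised.
    Returns (all_agree, branch_counts)."""
    branches = {"kept": 0, "dropped": 0}
    agree = True
    for name in case_names:
        atts = TEST_CASES[name]
        reference = matching_target_comprehension(atts, ROOT_A)
        candidate = matching_target_iteration(atts, ROOT_A, branches)
        agree = agree and (reference == candidate)
    return agree, branches


def uncovered_branches(case_names) -> List[str]:
    """Names of filter branches that no selected test exercised."""
    _, branches = run_suite(case_names)
    return sorted(b for b, n in branches.items() if n == 0)


if __name__ == "__main__":
    # A suite with only the all-match case never exercises "dropped".
    print("all_match only, uncovered:", uncovered_branches(["all_match"]))
    # Adding the some-match and none-match cases closes the gap.
    print("all three cases, uncovered:", uncovered_branches(list(TEST_CASES)))
```

Running the comprehension and the explicit loop side by side on the same inputs is also a cheap check that the more verbose formulation did not change the function's meaning, which is the concern the talk raises about keeping the model close to the spec.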