
    A mechanized process algebra for verification of device synchronization protocols

    We describe the formalization of a process algebra based on CCS within the Higher Order Logic (HOL) theorem-proving system. The representation of four types of device interactions and a correctness proof of the communication between a microprocessor and an MMU are presented.

    Non-primitive Recursive Function Definitions

    This paper presents an approach to the problem of introducing non-primitive recursive function definitions in higher order logic. A recursive specification is translated into a domain theory version, where the recursive calls are treated as potentially non-terminating. Once we have proved termination, the original specification can be derived easily. A collection of algorithms is presented which hide the domain theory from a user. Hence, the derivation of a domain theory specification has been automated completely, and for well-founded recursive function specifications the process of deriving the original specification from the domain theory one has been automated as well, though a user must supply a well-founded relation and prove certain termination properties of the specification. There are constructions for building well-founded relations easily.

    A practical logic framework for verifying safety properties of executables

    We present a novel program logic, Lf, which is designed on top of a Hoare logic but is simpler, more flexible and more scalable. Based on Lf, we develop a framework for automatically verifying safety properties of executables. It utilizes a whole-program interprocedural abstract interpretation to automatically discover the specifications needed by Lf to prove a program judgment. We implemented Lf and the framework in the HOL theorem prover.

    Formal mechanization of device interactions with a process algebra

    The principal emphasis is to develop a methodology to formally verify correct synchronization communication of devices in a composed hardware system. Previous system integration efforts have focused on vertical integration of one layer on top of another. This task examines 'horizontal' integration of peer devices. To formally reason about communication, we mechanize a process algebra in the Higher Order Logic (HOL) theorem proving system. Using this formalization we show how four types of device interactions can be represented and verified to behave as specified. The report also describes the specification of a system consisting of an AVM-1 microprocessor and a memory management unit which were verified in previous work. A proof of correct communication is presented, and the extensions to the system specification to add a direct memory device are discussed.

    ARMor: fully verified software fault isolation

    We have designed and implemented ARMor, a system that uses software fault isolation (SFI) to sandbox application code running on small embedded processors. Sandboxing can be used to protect components such as the RTOS and critical control loops from other, less-trusted components. ARMor guarantees memory safety and control flow integrity; it works by rewriting a binary to put a check in front of every potentially dangerous operation. We formally and automatically verify that an ARMored application respects the SFI safety properties using the HOL theorem prover. Thus, ARMor provides strong isolation guarantees and has an exceptionally small trusted computing base: there is no trusted compiler, binary rewriter, verifier, or operating system.

    Doctor of Philosophy

    The trusted computing base (TCB) of a computer system comprises the components that must be trusted in order to support its security policy. Research communities have identified the well-known minimal TCB principle, namely, that the TCB of a system should be as small as possible, so that it can be thoroughly examined and verified. This dissertation is an experiment showing how small the TCB can be for an isolation service based on software fault isolation (SFI) for small multitasking embedded systems. The TCB achieved by this dissertation includes just the formal definitions of isolation properties, instruction semantics, program logic, and a proof assistant, besides hardware. There is no compiler, assembler, verifier, rewriter, or operating system in the TCB. To the best of my knowledge, this is the smallest TCB that has ever been shown for guaranteeing nontrivial properties of real binary programs on real hardware. This is accomplished by combining SFI techniques and high-confidence formal verification. An SFI implementation inserts dynamic checks before dangerous operations, and these checks provide the invariants needed by the formal verification to prove theorems about the isolation properties of ARM binary programs. The high-confidence assurance of the formal verification comes from two facts. First, the verification is based on an existing realistic semantics of the ARM ISA that was independently developed by Cambridge researchers. Second, the verification is conducted in a higher-order proof assistant, the HOL theorem prover, which mechanically checks every verification step by rigorous logic. In addition, the entire verification process, including both specification generation and verification, is automatic. To support proof automation, a novel program logic has been designed, and an automatic reasoning framework for verifying shallow safety properties has been developed. The program logic integrates Hoare-style reasoning and Floyd's inductive assertion reasoning in a small set of definitions, which overcomes shortcomings of Hoare logic and facilitates proof automation. All inference rules of the logic are proven from the instruction semantics and the logic definitions. The framework leverages abstract interpretation to automatically find the function specifications required by the program logic. The results of the abstract interpretation are used to construct the function specifications automatically, and the specifications are proven without human interaction by utilizing intermediate theorems generated during the abstract interpretation. All of these work in concert to create the very small TCB.
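    The two SFI entries above (ARMor and the dissertation) describe the same division of labour: a rewriter inserts a check in front of every dangerous operation, and a separate verifier proves the isolation properties of the rewritten binary, so the rewriter itself never has to be trusted. The following is an added toy illustration of that split, not ARMor's code and not the ARM semantics it builds on. It constructs a four-register ISA with a data sandbox and a chunk-aligned code region, uses address masking as the inserted check (one common SFI instantiation; the page does not say which check ARMor inserts), and provides a rewriter, a verifier that inspects only the program it is given, and a simulator that shows the untrusted program confined after rewriting. Every name and constant in it is this example's own assumption.

```python
"""Toy software fault isolation: rewriter, independent verifier, simulator.

Constructed example.  ISA: registers r0..r3, a data sandbox
[SB_BASE, SB_BASE+SB_SIZE), and a code region of CODE_SIZE slots whose
indirect-jump targets are rounded down to CHUNK-aligned slots.
"""

SB_BASE, SB_SIZE = 0x10000, 0x1000   # data sandbox geometry (assumed, power of two)
CODE_SIZE, CHUNK = 16, 4             # code slots / jump alignment (assumed, powers of two)

# Instruction forms (constructed):
#   ("mov", rd, imm)   ("store", raddr, rval)   ("jmp", slot)   ("jmpr", rt)
#   ("halt",)   ("nop",)
#   ("maskd", r): r := (r & (SB_SIZE-1)) | SB_BASE        -- guard for store
#   ("maskc", r): r := r & (CODE_SIZE-1) & ~(CHUNK-1)     -- guard for jmpr
DANGEROUS = {"store": "maskd", "jmpr": "maskc"}   # dangerous op -> required guard


def rewrite(prog):
    """Put a masking guard immediately in front of every dangerous operation.

    A guard and its use must not straddle a CHUNK boundary, otherwise an
    indirect jump could land on the use and skip the guard; a nop is inserted
    when that would happen.  Direct jumps are remapped to land on the guard.
    """
    out, slot_of = [], {}
    for i, ins in enumerate(prog):
        guard = DANGEROUS.get(ins[0])
        if guard and (len(out) + 1) % CHUNK == 0:
            out.append(("nop",))
        slot_of[i] = len(out)
        if guard:
            out.append((guard, ins[1]))
        out.append(ins)
    out = [("jmp", slot_of[ins[1]]) if ins[0] == "jmp" else ins for ins in out]
    if len(out) > CODE_SIZE:
        raise ValueError("program does not fit the code region")
    return out + [("halt",)] * (CODE_SIZE - len(out))


def verify(prog):
    """Check the SFI invariant on a rewritten program without trusting rewrite().

    Every dangerous op must be immediately preceded by the matching guard on
    the same register, and no direct jump or chunk-aligned indirect jump may
    land on it.  Returns (True, "") or (False, reason).
    """
    if len(prog) != CODE_SIZE:
        return False, "code region has the wrong size"
    direct_targets = {ins[1] for ins in prog if ins[0] == "jmp"}
    if any(not 0 <= t < CODE_SIZE for t in direct_targets):
        return False, "a direct jump leaves the code region"
    for i, ins in enumerate(prog):
        guard = DANGEROUS.get(ins[0])
        if not guard:
            continue
        if i == 0 or prog[i - 1] != (guard, ins[1]):
            return False, f"slot {i}: {ins[0]} is not preceded by {guard} r{ins[1]}"
        if i % CHUNK == 0 or i in direct_targets:
            return False, f"slot {i}: a jump could skip the guard in slot {i - 1}"
    return True, ""


def run(prog, max_steps=200):
    """Execute prog from slot 0 on a fresh machine.

    Returns (mem, escaped); escaped is True if a store left the sandbox or
    the pc left the code region, the two things SFI must prevent.
    """
    regs, mem, pc, escaped = [0] * 4, {}, 0, False
    for _ in range(max_steps):
        if not 0 <= pc < len(prog):
            return mem, True
        ins, op = prog[pc], prog[pc][0]
        if op == "halt":
            return mem, escaped
        if op == "mov":
            regs[ins[1]] = ins[2]
        elif op == "maskd":
            regs[ins[1]] = (regs[ins[1]] & (SB_SIZE - 1)) | SB_BASE
        elif op == "maskc":
            regs[ins[1]] = regs[ins[1]] & (CODE_SIZE - 1) & ~(CHUNK - 1)
        elif op == "store":
            mem[regs[ins[1]]] = regs[ins[2]]
            escaped |= not SB_BASE <= regs[ins[1]] < SB_BASE + SB_SIZE
        pc = ins[1] if op == "jmp" else regs[ins[1]] if op == "jmpr" else pc + 1
    return mem, escaped


# Constructed untrusted program: writes outside the sandbox, then jumps
# outside its own code.
UNTRUSTED = [
    ("mov", 0, 0x20000),   # address outside [0x10000, 0x11000)
    ("mov", 1, 0x41),
    ("store", 0, 1),
    ("mov", 2, 13),        # slot 13 does not exist in a 6-instruction program
    ("jmpr", 2),
    ("halt",),
]

if __name__ == "__main__":
    print("original :", run(UNTRUSTED))        # ({131072: 65}, True)
    armored = rewrite(UNTRUSTED)
    print("verified :", verify(armored))       # (True, '')
    print("rewritten:", run(armored))          # ({65536: 65}, False)
```

    The point to notice is what verify() does not do: it never calls rewrite(), never sees the original program, and checks a purely local property (guard immediately before use, no jump able to land between them). That is why the rewriter can be dropped from the TCB in the papers above, where the same role is played by a proof in HOL over the real ARM semantics rather than by this syntactic scan.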

    Unique solutions of contractions, CCS, and their HOL formalisation

    The unique solution of contractions is a proof technique for (weak) bisimilarity that overcomes certain syntactic limitations of Milner's "unique solution of equations" theorem. This paper presents an overview of a comprehensive formalisation of Milner's Calculus of Communicating Systems (CCS) in the HOL theorem prover (HOL4), with a focus towards the theory of unique solutions of equations and contractions. The formalisation consists of about 24,000 lines (1MB) of code in total. Some refinements of the "unique solution of contractions" theory itself are obtained. In particular we remove the constraints on summation, which must be guarded, by moving from contraction to rooted contraction. We prove the "unique solution of rooted contractions" theorem and show that rooted contraction is the coarsest precongruence contained in the contraction preorder.

    A formalization of unique solutions of equations in process algebra

    In this thesis, a comprehensive formalization of Milner's Calculus of Communicating Systems (also known as CCS) has been done in the HOL theorem prover (HOL4), based on an old work in HOL88. This includes all classical properties of strong/weak bisimulation equivalences and observation congruence, a theory of congruence for CCS, various versions of "bisimulation up to" techniques, and several deep theorems, namely the "coarsest congruence contained in weak equivalence", and three versions of the "unique solution of equations" theorem in Milner's book. This work is further extended to support recent developments in Concurrency Theory, namely the "contraction" relation and the related "unique solutions of contractions" theorem found by Prof. Davide Sangiorgi, University of Bologna. As a result, a rather complete theory of "contraction" (and a similar relation called "expansion") for CCS is also formalized in this thesis. Furthermore, a new variant of contraction called "observational contraction" was found by the author during this work, based on the existing contraction relation. It is formally proved that this new relation is preserved by direct sums of CCS processes, and has a more elegant form of the "unique solutions of contractions" theorem without any restriction on the CCS grammar. The contribution of this thesis project is at least threefold: First, it can be seen as a formal verification of the core results in Prof. Sangiorgi's paper, and it provides all details for the informal proof sketches given in the paper. Second, a large piece of old proof scripts from the time of HOL88 (1990s) has been ported to HOL4 and made available to all its users. Third, it is proof-engineering research in itself on the correct formalization of process algebra, because the work has made extensive use of some new features (e.g. coinductive relations) provided in recent versions of HOL4 (Kananaskis-11 and later).

    A Package for Inductive Relation Definitions in HOL

    This paper describes a set of theorem proving tools based on a new derived principle of definition in HOL, namely the introduction of relations inductively defined by a set of rules. Such inductive definitions abound in computer science. Example application areas include reasoning about structured operational semantics, type judgements, transition relations for process algebras, reduction relations, and compositional proof systems. The package described in this paper automates the derivation of certain inductive definitions involved in these applications and provides the basic tools needed for reasoning about the relations introduced by them.

    1 Introduction The HOL user community has a strong tradition of taking a purely definitional approach to using higher order logic. That is, the syntax of the logic is extended with new notation not simply by postulating axioms to give meaning to it, but rather by defining it in terms of existing expressions of the logic that already have the requ..
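    The following is an added worked example, not taken from the paper, of the kind of definition the abstract describes, using the transition relation of a fragment of Milner's CCS (the process algebra formalised in the other entries on this page) as the rule set. It shows the rules, the single definition a "purely definitional" package derives them from, and one rule-induction proof. The fragment and notation ($\mathbf{0}$, $\alpha.P$, $P+Q$, $P \mid Q$, $\overline{a}$, $\tau$) are standard CCS but my own choice; the package's concrete syntax and output are not shown on the page.

```latex
% Rule set (constructed example): CCS with nil, prefix, sum and parallel.
\begin{array}{c}
\dfrac{}{\alpha.P \xrightarrow{\alpha} P}\ \textsc{Pre}
\qquad
\dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}\ \textsc{Sum}_1
\qquad
\dfrac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}\ \textsc{Sum}_2
\\[2ex]
\dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q}\ \textsc{Par}_1
\qquad
\dfrac{Q \xrightarrow{\alpha} Q'}{P \mid Q \xrightarrow{\alpha} P \mid Q'}\ \textsc{Par}_2
\qquad
\dfrac{P \xrightarrow{a} P' \quad Q \xrightarrow{\overline{a}} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}\ \textsc{Com}
\end{array}

% A relation R is closed under the rules if each rule, read with R in place
% of the arrow, holds (one conjunct per rule; Pre and Sum_1 shown):
\mathrm{closed}(R) \;\equiv\;
  \bigl(\forall \alpha\, P.\ R(\alpha.P,\alpha,P)\bigr)
  \wedge \bigl(\forall P\, Q\, \alpha\, P'.\ R(P,\alpha,P') \Rightarrow R(P+Q,\alpha,P')\bigr)
  \wedge \cdots

% The transition relation is the least closed relation.  This is a
% definition in terms of existing logic, not a new axiom:
P \xrightarrow{\alpha} P' \;\equiv\; \forall R.\ \mathrm{closed}(R) \Rightarrow R(P,\alpha,P')

% Derived theorem 1: the rules hold for the arrow itself, i.e.
% closed(\rightarrow).  For Sum_1: assume P -> P'; for any closed R the
% assumption gives R(P,alpha,P') and closure gives R(P+Q,alpha,P').

% Derived theorem 2 (rule induction): instantiate R := \Phi in the definition.
\mathrm{closed}(\Phi) \;\Rightarrow\;
  \forall P\, \alpha\, P'.\ P \xrightarrow{\alpha} P' \Rightarrow \Phi(P,\alpha,P')

% Worked use: nil has no transitions.  Take \Phi(P,\alpha,P') := P \neq \mathbf{0}.
% Every rule's conclusion has the form \alpha.P, P+Q or P \mid Q, and none of
% these is \mathbf{0} (constructors are distinct), so closed(\Phi) holds and
% rule induction gives:
\forall \alpha\, P'.\ \neg\bigl(\mathbf{0} \xrightarrow{\alpha} P'\bigr)
```

    The two derived theorems are what the package produces for the user: the rules as introduction theorems and rule induction as the elimination principle, both proved from the definition, which is why the approach stays within the purely definitional tradition the introduction describes.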