30,831 research outputs found
Deductive verification of cryptographic software
We apply state-of-the art deductive verification tools to check security-relevant properties of cryptographic software, including safety, absence of error propagation, and correctness with respect to reference implementations. We also develop techniques to help us in our task, focusing on methods oriented towards increased levels of automation, in scenarios where there are clear obvious limits to such automation. These techniques allow us to integrate automatic proof tools with an interactive proof assistant, where the latter is used off-line to prove once-and-for-all fundamental lemmas about properties of programs. The techniques developed have independent interest for practical deductive verification in general.Fundação para a Ciência e a Tecnologia (FCT
Automatic Error Localization for Software using Deductive Verification
Even competent programmers make mistakes. Automatic verification can detect
errors, but leaves the frustrating task of finding the erroneous line of code
to the user. This paper presents an automatic approach for identifying
potential error locations in software. It is based on a deductive verification
engine, which detects errors in functions annotated with pre- and
post-conditions. Using an automatic theorem prover, our approach finds
expressions in the code that can be modified such that the program satisfies
its specification. Scalability is achieved by analyzing each function in
isolation. We have implemented our approach in the widely used Frama-C
framework and present first experimental results. This is an extended version
of [8], featuring an additional appendix.Comment: This is an extended version of [8], featuring an additional appendi
Deductive Verification of Cryptographic Software
We report on the application of an off-the-shelf verification platform to the RC4 stream cipher cryptographic software implementation (as available in the openSSL library), and introduce a deductive verification technique based on self-composition for proving the absence of error propagation
Sciduction: Combining Induction, Deduction, and Structure for Verification and Synthesis
Even with impressive advances in automated formal methods, certain problems
in system verification and synthesis remain challenging. Examples include the
verification of quantitative properties of software involving constraints on
timing and energy consumption, and the automatic synthesis of systems from
specifications. The major challenges include environment modeling,
incompleteness in specifications, and the complexity of underlying decision
problems.
This position paper proposes sciduction, an approach to tackle these
challenges by integrating inductive inference, deductive reasoning, and
structure hypotheses. Deductive reasoning, which leads from general rules or
concepts to conclusions about specific problem instances, includes techniques
such as logical inference and constraint solving. Inductive inference, which
generalizes from specific instances to yield a concept, includes algorithmic
learning from examples. Structure hypotheses are used to define the class of
artifacts, such as invariants or program fragments, generated during
verification or synthesis. Sciduction constrains inductive and deductive
reasoning using structure hypotheses, and actively combines inductive and
deductive reasoning: for instance, deductive techniques generate examples for
learning, and inductive reasoning is used to guide the deductive engines.
We illustrate this approach with three applications: (i) timing analysis of
software; (ii) synthesis of loop-free programs, and (iii) controller synthesis
for hybrid systems. Some future applications are also discussed
Verification-based software-fault detection
Software is used in many safety- and security-critical systems. Software development is, however, an error-prone task. In this work new techniques for the detection of software faults (or software "bugs") are described which are based on a formal deductive verification technology. The described techniques take advantage of information obtained during verification and combine verification technology with deductive fault detection and test generation in a very unified way
Verification-based Software-fault Detection
Software is used in many safety- and security-critical systems. Software development is, however, an error-prone task. In this dissertation new techniques for the detection of software faults (or software "bugs") are described which are based on a formal deductive verification technology. The described techniques take advantage of information obtained during verification and combine verification technology with deductive fault detection and test generation in a very unified way
A deductive verification platform for cryptographic software
In this paper we describe a deductive verification platform for the CAO language. CAO is a domain-specific language for cryptography. We show that this language presents interesting challenges for formal verification, not only in the rich mathematical type system that it introduces, but also in the cryptography-oriented language constructions that it offers. We describe how we tackle these problems, and also demonstrate that, by relying on the Jessie plug-in included in the Frama-C framework, the development time of such a complex verification tool could be greatly reduced. We base our presentation on real-world examples of CAO code, extracted from the open-source code of the NaCl cryptographic library, and illustrate how various cryptography-relevant security properties can be verified.(undefined
A Deductive Verification Platform for Cryptographic Software
In this paper we describe a deductive verification platform for the CAO language. CAO is a domain-specific language for cryptography. We show that this language presents interesting challenges for formal verification, not only in the rich mathematical type system that it introduces, but also in the cryptography-oriented language constructions that it offers. We describe how we tackle these problems, and also demonstrate that, by relying on the Jessie plug-in included in the Frama-C framework, the development time of such a complex verification tool could be greatly reduced. We base our presentation on real-world examples of CAO code, extracted from the open-source code of the NaCl cryptographic library, and illustrate how various cryptography-relevant security properties can be verified
Deductive Verification of Unmodified Linux Kernel Library Functions
This paper presents results from the development and evaluation of a
deductive verification benchmark consisting of 26 unmodified Linux kernel
library functions implementing conventional memory and string operations. The
formal contract of the functions was extracted from their source code and was
represented in the form of preconditions and postconditions. The correctness of
23 functions was completely proved using AstraVer toolset, although success for
11 functions was achieved using 2 new specification language constructs.
Another 2 functions were proved after a minor modification of their source
code, while the final one cannot be completely proved using the existing memory
model. The benchmark can be used for the testing and evaluation of deductive
verification tools and as a starting point for verifying other parts of the
Linux kernel.Comment: 18 pages, 2 tables, 6 listings. Accepted to ISoLA 2018 conference.
Evaluating Tools for Software Verification trac
- …