1,048 research outputs found
On the Use of Underspecified Data-Type Semantics for Type Safety in Low-Level Code
In recent projects on operating-system verification, C and C++ data types are
often formalized using a semantics that does not fully specify the precise byte
encoding of objects. It is well-known that such an underspecified data-type
semantics can be used to detect certain kinds of type errors. In general,
however, underspecified data-type semantics are unsound: they assign
well-defined meaning to programs that have undefined behavior according to the
C and C++ language standards.
A precise characterization of the type-correctness properties that can be
enforced with underspecified data-type semantics is still missing. In this
paper, we identify strengths and weaknesses of underspecified data-type
semantics for ensuring type safety of low-level systems code. We prove
sufficient conditions to detect certain classes of type errors and, finally,
identify a trade-off between the complexity of underspecified data-type
semantics and their type-checking capabilities.Comment: In Proceedings SSV 2012, arXiv:1211.587
A Formal Specification and Proof of System Safety Using the Schematic Protection Model
This research formally specifies the Schematic Protection Model (SPM) and provides a sound, flexible tool for reasoning formally about systems that implement a security model like SPM, to prove its ability to provide security services such as confidentiality and integrity. The theory described by the resultant model was logically proved in the Prototype Verification System (PVS), an automated prover. Each component of SPM was tested, as were several anomalous conditions, and each test produced results consistent with the model. The model is internally modular, and therefore easily extensible, yet cohesive since the theory to be proved encompasses the entire specification. This approach ensures the specification is flexible enough to incorporate any extensions that can be expressed algorithmically, such as the deontic logic properties of obligation, permission, possibility and necessity. Furthermore, the modularity enhances the robustness of the model to ensure that previously-proved fundamental properties are not lost in the process of adding functionality
Diagrammatic Languages and Formal Verification : A Tool-Based Approach
The importance of software correctness has been accentuated as a growing number of safety-critical systems have been developed relying on software operating these systems. One of the more prominent methods targeting the construction of a correct program is formal verification. Formal verification identifies a correct program as a program that satisfies its specification and is free of defects. While in theory formal verification guarantees a correct implementation with respect to the specification, applying formal verification techniques in practice has shown to be difficult and expensive. In response to these challenges, various support methods and tools have been suggested for all phases from program specification to proving the derived verification conditions. This thesis concerns practical verification methods applied to diagrammatic modeling languages.
While diagrammatic languages are widely used in communicating system design (e.g., UML) and behavior (e.g., state charts), most formal verification platforms require the specification to be written in a textual specification language or in the mathematical language of an underlying logical framework. One exception is invariant-based programming, in which programs together with their specifications are drawn as invariant diagrams, a type of state transition diagram annotated with intermediate assertions (preconditions, postconditions, invariants). Even though the allowed program statesâcalled situationsâare described diagrammatically, the intermediate assertions defining a situationâs meaning in the domain of the program are still written in conventional textual form. To explore the use of diagrams in expressing the intermediate assertions of invariant diagrams, we designed a pictorial language for expressing array properties. We further developed this notation into a diagrammatic domain-specific language (DSL) and implemented it as an extension to the Why3 platform. The DSL supports expression of array properties. The language is based on Reynoldsâs interval and partition diagrams and includes a construct for mapping array intervals to logic predicates.
Automated verification of a program is attained by generating the verification conditions and proving that they are true. In practice, full proof automation is not possible except for trivial programs and verifying even simple properties can require significant effort both in specification and proof stages. An animation tool which supports run-time evaluation of the program statements and intermediate assertions given any user-defined input can support this process. In particular, an execution trace leading up to a failed assertion constitutes a refutation of a verification condition that requires immediate attention. As an extension to Socos, a verificion tool for invariant diagrams built on top of the PVS proof system, we have developed an execution model where program statements and assertions can be evaluated in a given program state. A program is represented by an abstract datatype encoding the program state, together with a small-step state transition function encoding the evaluation of a single statement. This allows the programâs runtime behavior to be formally inspected during verification. We also implement animation and interactive debugging support for Socos.
The thesis also explores visualization of system development in the context of model decomposition in Event-B. Decomposing a software system becomes increasingly critical as the system grows larger, since the workload on the theorem provers must be distributed effectively. Decomposition techniques have been suggested in several verification platforms to split the models into smaller units, each having fewer verification conditions and therefore imposing a lighter load on automatic theorem provers. In this work, we have investigated a refinement-based decomposition technique that makes the development process more resilient to change in specification and allows parallel development of sub-models by a team. As part of the research, we evaluated the technique on a small case study, a simplified version of a landing gear system verification presented by Boniol and Wiels, within the Event-B specification language.Vikten av programvaras korrekthet har accentuerats dÄ ett vÀxande antal sÀkerhetskritiska system, vilka Àr beroende av programvaran som styr dessa, har utvecklas. En av de mer framtrÀdande metoderna som riktar in sig pÄ utveckling av korrekt programvara Àr formell verifiering. Inom formell verifiering avses med ett korrekt program ett program som uppfyller sina specifikationer och som Àr fritt frÄn defekter. Medan formell verifiering teoretiskt sett kan garantera ett korrekt program med avseende pÄ specifikationerna, har tillÀmpligheten av formella verifieringsmetod visat sig i praktiken vara svÄr och dyr. Till svar pÄ dessa utmaningar har ett stort antal olika stödmetoder och automatiseringsverktyg föreslagits för samtliga faser frÄn specifikationen till bevisningen av de hÀrledda korrekthetsvillkoren. Denna avhandling behandlar praktiska verifieringsmetoder applicerade pÄ diagrambaserade modelleringssprÄk.
Medan diagrambaserade sprĂ„k ofta anvĂ€nds för kommunikation av programvarudesign (t.ex. UML) samt beteende (t.ex. tillstĂ„ndsdiagram), krĂ€ver de flesta verifieringsplattformar att specifikationen kodas medelst ett textuellt specifikationsspĂ„k eller i sprĂ„ket hos det underliggande logiska ramverket. Ett undantag Ă€r invariantbaserad programmering, inom vilken ett program tillsammans med dess specifikation ritas upp som sk. invariantdiagram, en typ av tillstĂ„ndstransitionsdiagram annoterade med mellanliggande logiska villkor (förvillkor, eftervillkor, invarianter). Ăven om de tillĂ„tna programtillstĂ„ndenâsk. situationerâbeskrivs diagrammatiskt Ă€r de logiska predikaten som beskriver en situations betydelse i programmets domĂ€n fortfarande skriven pĂ„ konventionell textuell form. För att vidare undersöka anvĂ€ndningen av diagram vid beskrivningen av mellanliggande villkor inom invariantbaserad programming, har vi konstruerat ett bildbaserat sprĂ„k för villkor över arrayer. Vi har dĂ€refter vidareutvecklat detta sprĂ„k till ett diagrambaserat domĂ€n-specifikt sprĂ„k (domain-specific language, DSL) och implementerat stöd för det i verifieringsplattformen Why3. SprĂ„ket lĂ„ter anvĂ€ndaren uttrycka egenskaper hos arrayer, och Ă€r baserat pĂ„ Reynolds intevall- och partitionsdiagram samt inbegriper en konstruktion för mappning av array-intervall till logiska predikat.
Automatisk verifiering av ett program uppnÄs genom generering av korrekthetsvillkor och Ätföljande bevisning av dessa. I praktiken kan full automatisering av bevis inte uppnÄs utom för trivial program, och Àven bevisning av enkla egenskaper kan krÀva betydande anstrÀngningar bÄde vid specifikations- och bevisfaserna. Ett animeringsverktyg som stöder exekvering av sÄvÀl programmets satser som mellanliggande villkor för godtycklig anvÀndarinput kan vara till hjÀlp i denna process. SÀrskilt ett exekveringspÄr som leder upp till ett falskt mellanliggande villkor utgör ett direkt vederlÀggande (refutation) av ett bevisvillkor, vilket krÀver omedelbar uppmÀrksamhet frÄn programmeraren. Som ett tillÀgg till Socos, ett verifieringsverktyg för invariantdiagram baserat pÄ bevissystemet PVS, har vi utvecklat en exekveringsmodell dÀr programmets satser och villkor kan evalueras i ett givet programtillstÄnd. Ett program representeras av en abstrakt datatyp för programmets tillstÄnd tillsammans med en small-step transitionsfunktion för evalueringen av en enskild programsats. Detta möjliggör att ett programs exekvering formellt kan analyseras under verifieringen. Vi har ocksÄ implementerat animation och interaktiv felsökning i Socos.
Avhandlingen undersöker ocksÄ visualisering av systemutveckling i samband med modelluppdelning inom Event-B. Uppdelning av en systemmodell blir allt mer kritisk dÄ ett systemet vÀxer sig större, emedan belastningen pÄ underliggande teorembe visare mÄste fördelas effektivt. Uppdelningstekniker har föreslagits inom mÄnga olika verifieringsplattformar för att dela in modellerna i mindre enheter, sÄ att varje enhet har fÀrre verifieringsvillkor och dÀrmed innebÀr en mindre belastning pÄ de automatiska teorembevisarna. I detta arbete har vi undersökt en refinement-baserad uppdelningsteknik som gör utvecklingsprocessen mer kapabel att hantera förÀndringar hos specifikationen och som tillÄter parallell utveckling av delmodellerna inom ett team. Som en del av forskningen har vi utvÀrderat tekniken pÄ en liten fallstudie: en förenklad modell av automationen hos ett landningsstÀll av Boniol and Wiels, uttryckt i Event-B-specifikationsprÄket
Extending and Relating Semantic Models of Compensating CSP
Business transactions involve multiple partners coordinating and interacting with each other. These transactions have hierarchies of activities which need to be orchestrated. Usual database approaches (e.g.,checkpoint, rollback) are not applicable to handle faults in a long running transaction due to interaction with multiple partners. The compensation mechanism handles faults that can arise in a long running transaction. Based on the framework of Hoare's CSP process algebra, Butler et al introduced Compensating CSP (cCSP), a language to model long-running transactions. The language introduces a method to declare a transaction as a process and it has constructs for orchestration of compensation. Butler et al also defines a trace semantics for cCSP. In this thesis, the semantic models of compensating CSP are extended by defining an operational semantics, describing how the state of a program changes during its execution. The semantics is encoded into Prolog to animate the specification. The semantic models are further extended to define the synchronisation of processes. The notion of partial behaviour is defined to model the behaviour of deadlock that arises during process synchronisation. A correspondence relationship is then defined between the semantic models and proved by using structural induction. Proving the correspondence means that any of the presentation can be accepted as a primary definition of the meaning of the language and each definition can be used correctly at different times, and for different purposes. The semantic models and their relationships are mechanised by using the theorem prover PVS. The semantic models are embedded in PVS by using Shallow embedding. The relationships between semantic models are proved by mutual structural induction. The mechanisation overcomes the problems in hand proofs and improves the scalability of the approach
A Proof Strategy Language and Proof Script Generation for Isabelle/HOL
We introduce a language, PSL, designed to capture high level proof strategies
in Isabelle/HOL. Given a strategy and a proof obligation, PSL's runtime system
generates and combines various tactics to explore a large search space with low
memory usage. Upon success, PSL generates an efficient proof script, which
bypasses a large part of the proof search. We also present PSL's monadic
interpreter to show that the underlying idea of PSL is transferable to other
ITPs.Comment: This paper has been submitted to CADE2
Recommended from our members
Tactics From Proofs
Proof guarantees the correctness of a formal specification with respect to formal requirements, and of an implementation with respect to a specification, and so provides valuable verification methods in high integrity system development. However, proof development by hand tends to be an erudite, error-prone and seemingly interminable task.
Tactics are programs that drive theorem-provers, thus automating proof development and alleviating some of the problems mentioned above. The development of tactics for a particular application domain also extends the domain of application of the theorem-prover. A LCF-tactic is safe in that if it fails to be applicable to a particular conjecture, then it will not produce an incorrect proof.
The current construction of tactics from proofs does not yield sufficiently robust tactics. Proofs tend to be specific to the details of a specification and so are not reusable in general, e.g. the same proof may not work when the definition of a conjecture is changed. The major challenges in proof development are deciding which proof rule and instantiations to apply in order to prove a conjecture.
Discerning patterns in formal interactive proof development facilitates the construction of robust tactics that can withstand definitional changes in conjectures. Having developed an interactive proof for a conjecture, we develop the necessary abstractions of the proof steps used, to construct a tactic th at can be applicable to other conjectures in that domain. By so doing we encode human expertise used in the proof development, and make proofs robust and thus generally reusable.
We apply our theory on the proofs of conjectures involving some set theory operators, and on the proof obligations that arise in the formal development of numerical specifications using the retrenchment method under the IEEE-854 floating-point standard in the PVS theorem-prover/proof-checker
- âŠ