1,950 research outputs found
FoCaLiZe: Inside an F-IDE
For years, Integrated Development Environments have demonstrated their
usefulness in order to ease the development of software. High-level security or
safety systems require proofs of compliance to standards, based on analyses
such as code review and, increasingly nowadays, formal proofs of conformance to
specifications. This implies mixing computational and logical aspects all along
the development, which naturally raises the need for a notion of Formal IDE.
This paper examines the FoCaLiZe environment and explores the implementation
issues raised by the decision to provide a single language to express
specification properties, source code and machine-checked proofs while allowing
incremental development and code reusability. Such features create strong
dependencies between functions, properties and proofs, and impose an particular
compilation scheme, which is described here. The compilation results are
runnable OCaml code and a checkable Coq term. All these points are illustrated
through a running example.Comment: In Proceedings F-IDE 2014, arXiv:1404.578
A mechanized proof of loop freedom of the (untimed) AODV routing protocol
The Ad hoc On-demand Distance Vector (AODV) routing protocol allows the nodes
in a Mobile Ad hoc Network (MANET) or a Wireless Mesh Network (WMN) to know
where to forward data packets. Such a protocol is 'loop free' if it never leads
to routing decisions that forward packets in circles. This paper describes the
mechanization of an existing pen-and-paper proof of loop freedom of AODV in the
interactive theorem prover Isabelle/HOL. The mechanization relies on a novel
compositional approach for lifting invariants to networks of nodes. We exploit
the mechanization to analyse several improvements of AODV and show that
Isabelle/HOL can re-establish most proof obligations automatically and identify
exactly the steps that are no longer valid.Comment: The Isabelle/HOL source files, and a full proof document, are
available in the Archive of Formal Proofs, at
http://afp.sourceforge.net/entries/AODV.shtm
Logical Characterizations of Behavioral Relations on Transition Systems of Probability Distributions
Probabilistic nondeterministic processes are commonly modeled as probabilistic LTSs (PLTSs). A number of logical characterizations of the main behavioral relations on PLTSs have been studied. In particular, Parma and Segala [2007] and Hermanns et al. [2011] define a probabilistic Hennessy-Milner logic interpreted over probability distributions, whose corresponding logical equivalence/preorder when restricted to Dirac distributions coincide with standard bisimulation/simulation between the states of a PLTS. This result is here extended by studying the full logical equivalence/preorder between (possibly non-Dirac) distributions in terms of a notion of bisimulation/simulation defined on a LTS whose states are distributions (dLTS). We show that the well-known spectrum of behavioral relations on nonprobabilistic LTSs as well as their corresponding logical characterizations in terms of Hennessy-Milner logic scales to the probabilistic setting when considering dLTSs
Reusing Test-Cases on Different Levels of Abstraction in a Model Based Development Tool
Seamless model based development aims to use models during all phases of the
development process of a system. During the development process in a
component-based approach, components of a system are described at qualitatively
differing abstraction levels: during requirements engineering component models
are rather abstract high-level and underspecified, while during implementation
the component models are rather concrete and fully specified in order to enable
code generation. An important issue that arises is assuring that the concrete
models correspond to abstract models. In this paper, we propose a method to
assure that concrete models for system components refine more abstract models
for the same components. In particular we advocate a framework for reusing
testcases at different abstraction levels. Our approach, even if it cannot
completely prove the refinement, can be used to ensure confidence in the
development process. In particular we are targeting the refinement of
requirements which are represented as very abstract models. Besides a formal
model of our approach, we discuss our experiences with the development of an
Adaptive Cruise Control (ACC) system in a model driven development process.
This uses extensions which we implemented for our model-based development tool
and which are briefly presented in this paper.Comment: In Proceedings MBT 2012, arXiv:1202.582
Recommended from our members
Neurons and symbols: a manifesto
We discuss the purpose of neural-symbolic integration including its principles, mechanisms and applications. We outline a cognitive computational model for neural-symbolic integration, position the model in the broader context of multi-agent systems, machine learning and automated reasoning, and list some of the challenges for the area of
neural-symbolic computation to achieve the promise of effective integration of robust learning and expressive reasoning under uncertainty
A Constructive Framework for Galois Connections
Abstract interpretation-based static analyses rely on abstract domains of
program properties, such as intervals or congruences for integer variables.
Galois connections (GCs) between posets provide the most widespread and useful
formal tool for mathematically specifying abstract domains. Recently, Darais
and Van Horn [2016] put forward a notion of constructive Galois connection for
unordered sets (rather than posets), which allows to define abstract domains in
a so-called mechanized and calculational proof style and therefore enables the
use of proof assistants like Coq and Agda for automatically extracting verified
algorithms of static analysis. We show here that constructive GCs are
isomorphic, in a precise and comprehensive meaning including sound abstract
functions, to so-called partitioning GCs--an already known class of GCs which
allows to cast standard set partitions as an abstract domain. Darais and Van
Horn [2016] also provide a notion of constructive GC for posets, which we prove
to be isomorphic to plain GCs and therefore lose their constructive attribute.
Drawing on these findings, we put forward and advocate the use of purely
partitioning GCs, a novel class of constructive abstract domains for a
mechanized approach to abstract interpretation. We show that this class of
abstract domains allows us to represent a set partition with more flexibility
while retaining a constructive approach to Galois connections
Modal Abstractions for Virtualizing Memory Addresses
Operating system kernels employ virtual memory management (VMM) subsystems to
virtualize the addresses of memory regions in order to to isolate untrusted
processes, ensure process isolation and implement demand-paging and
copy-on-write behaviors for performance and resource controls. Bugs in these
systems can lead to kernel crashes. VMM code is a critical piece of
general-purpose OS kernels, but their verification is challenging due to the
hardware interface (mappings are updated via writes to memory locations, using
addresses which are themselves virtualized). Prior work on VMM verification has
either only handled a single address space, trusted significant pieces of
assembly code, or resorted to direct reasoning over machine semantics rather
than exposing a clean logical interface.
In this paper, we introduce a modal abstraction to describe the truth of
assertions relative to a specific virtual address space, allowing different
address spaces to refer to each other, and enabling verification of instruction
sequences manipulating multiple address spaces. Using them effectively requires
working with other assertions, such as points-to assertions in our separation
logic, as relative to a given address space. We therefore define virtual
points-to assertions, which mimic hardware address translation, relative to a
page table root. We demonstrate our approach with challenging fragments of VMM
code showing that our approach handles examples beyond what prior work can
address, including reasoning about a sequence of instructions as it changes
address spaces. All definitions and theorems mentioned in this paper including
the operational model of a RISC-like fragment of supervisor-mode x86-64, and a
logic as an instantiation of the Iris framework, are mechanized inside Coq
- …