35 research outputs found
Using ACL2 to Verify Loop Pipelining in Behavioral Synthesis
Behavioral synthesis involves compiling an Electronic System-Level (ESL)
design into its Register-Transfer Level (RTL) implementation. Loop pipelining
is one of the most critical and complex transformations employed in behavioral
synthesis. Certifying the loop pipelining algorithm is challenging because
there is a huge semantic gap between the input sequential design and the output
pipelined implementation making it infeasible to verify their equivalence with
automated sequential equivalence checking techniques. We discuss our ongoing
effort using ACL2 to certify loop pipelining transformation. The completion of
the proof is work in progress. However, some of the insights developed so far
may already be of value to the ACL2 community. In particular, we discuss the
key invariant we formalized, which is very different from that used in most
pipeline proofs. We discuss the needs for this invariant, its formalization in
ACL2, and our envisioned proof using the invariant. We also discuss some
trade-offs, challenges, and insights developed in course of the project.Comment: In Proceedings ACL2 2014, arXiv:1406.123
Applying Formal Methods to Networking: Theory, Techniques and Applications
Despite its great importance, modern network infrastructure is remarkable for
the lack of rigor in its engineering. The Internet which began as a research
experiment was never designed to handle the users and applications it hosts
today. The lack of formalization of the Internet architecture meant limited
abstractions and modularity, especially for the control and management planes,
thus requiring for every new need a new protocol built from scratch. This led
to an unwieldy ossified Internet architecture resistant to any attempts at
formal verification, and an Internet culture where expediency and pragmatism
are favored over formal correctness. Fortunately, recent work in the space of
clean slate Internet design---especially, the software defined networking (SDN)
paradigm---offers the Internet community another chance to develop the right
kind of architecture and abstractions. This has also led to a great resurgence
in interest of applying formal methods to specification, verification, and
synthesis of networking protocols and applications. In this paper, we present a
self-contained tutorial of the formidable amount of work that has been done in
formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial
Towards a formally verified microkernel using the VCC verifier
In this thesis we present the design by contract modular approach to formal verification of an industrial real-time microkernel which was not designed with formal verification in mind. The microkernel module targeted is a particular interrupt manager of xLuna Real Time Operating System (RTOS) for embedded systems built by Critical Software S.A. The annotations were verified automatically using the Microsoft Research Verified C Compiler (VCC) tool to reason about concurrency and safety properties of xLuna kernel. The specifications are based in Hoare-style pre- and post-conditions inlined with the real code.
xLuna is a microkernel based on the RTEMS Real-Time Operating System. xLuna
extends RTEMS for run a GNU/Linux Operating System, providing a runtime multitasking
environment for real-time (RTEMS) and non-real-time (Linux) applications.
xLuna runs in a preemptable and concurrent environment. Therefore, we use VCC for reasoning about concurrent executions and some functional and safety properties of
xLuna microkernel. VCC is an automated verifier for concurrent C programs that is being developed by Microsoft Research, Redmond, USA and European Microsoft Innovation Center (EMIC), Aachen, Germany. VCC is being built and used for operating system verification which makes it suitable for our verification work.
Specifications were added to xLuna code following a modular approach to the verification of a specific microkernel module, namely the Interrupt Request (IRQ) module.
The Verified C Compiler (VCC) annotations added cover approximately 80% of the IRQ
manager C code (the remaining 20% of the code are relative to auxiliary functions outside
the scope of our verification work). All the annotations were automatically verified and
proven to be correct
Formalizing Soundness Proofs of SNARKs
Succinct Non-interactive Arguments of Knowledge (SNARKs) have seen interest and development from the cryptographic community over recent years, and there are now constructions with very small proof size designed to work well in practice. A SNARK protocol can only be widely accepted as secure, however, if a rigorous proof of its security properties has been vetted by the community. Even then, it is sometimes the case that these security proofs are flawed, and it is then necessary for further research to identify these flaws and correct the record.
To increase the rigor of these proofs, we turn to formal methods. Focusing on the soundness aspect of a widespread class of SNARKs, we formalize proofs for six different constructions, including the well-known Groth \u2716. Our codebase is written in the Lean 3 theorem proving language, and uses a variety of techniques to simplify and automate these proofs as much as possible
Formally Verified Verifiable Electronic Voting Scheme
Since the introduction of secret ballots in Victoria, Australia in 1855, paper (ballots) are widely used around the world to record the preferences of eligible voters. Paper ballots provide three important ingredients: correctness, privacy, and verifiability. However, the paper ballot election brings various other challenges, e.g. it is slow for large democracies like India, error prone for complex voting method like single transferable vote, and poses operational challenges for large countries like Australia. In order to solve these problems and various others, many countries are adopting electronic voting. However, electronic voting has a whole new set of problems. In most cases, the software programs used to conduct the election have numerous problems, including, but not limited to, counting bugs, ballot identification, etc. Moreover, these software programs are treated as commercial in confidence and
are not allowed to be inspected by members of the public. As a consequence, the result produced by these software programs can not be substantiated.
In this thesis, we address the three main concerns posed by electronic voting, i.e. correctness, privacy, and verifiability. We address the correctness concern by using theorem prover to implement the vote counting algorithm,
privacy concern by using cryptography, and verifiability concern by generating a independently checkable scrutiny sheet (certificate). Our work has been carried out in the Coq theorem prover
Recommended from our members
Report on the NSF Workshop on Formal Methods for Security
The NSF workshop on Security and Formal Methods, held 19--20 November 2015, brought together developers of formal methods, researchers exploring how to apply formal methods to various kinds of systems, and people familiar with the security problem space.Engineering and Applied Science
Doctor of Philosophy
dissertationTrusted computing base (TCB) of a computer system comprises components that must be trusted in order to support its security policy. Research communities have identified the well-known minimal TCB principle, namely, the TCB of a system should be as small as possible, so that it can be thoroughly examined and verified. This dissertation is an experiment showing how small the TCB for an isolation service is based on software fault isolation (SFI) for small multitasking embedded systems. The TCB achieved by this dissertation includes just the formal definitions of isolation properties, instruction semantics, program logic, and a proof assistant, besides hardware. There is not a compiler, an assembler, a verifier, a rewriter, or an operating system in the TCB. To the best of my knowledge, this is the smallest TCB that has ever been shown for guaranteeing nontrivial properties of real binary programs on real hardware. This is accomplished by combining SFI techniques and high-confidence formal verification. An SFI implementation inserts dynamic checks before dangerous operations, and these checks provide necessary invariants needed by the formal verification to prove theorems about the isolation properties of ARM binary programs. The high-confidence assurance of the formal verification comes from two facts. First, the verification is based on an existing realistic semantics of the ARM ISA that is independently developed by Cambridge researchers. Second, the verification is conducted in a higher-order proof assistant-the HOL theorem prover, which mechanically checks every verification step by rigorous logic. In addition, the entire verification process, including both specification generation and verification, is automatic. To support proof automation, a novel program logic has been designed, and an automatic reasoning framework for verifying shallow safety properties has been developed. The program logic integrates Hoare-style reasoning and Floyd's inductive assertion reasoning together in a small set of definitions, which overcomes shortcomings of Hoare logic and facilitates proof automation. All inference rules of the logic are proven based on the instruction semantics and the logic definitions. The framework leverages abstract interpretation to automatically find function specifications required by the program logic. The results of the abstract interpretation are used to construct the function specifications automatically, and the specifications are proven without human interaction by utilizing intermediate theorems generated during the abstract interpretation. All these work in concert to create the very small TCB
Recommended from our members
Establishing Flight Software Reliability: Testing, Model Checking, Constraint-Solving, Monitoring and Learning
In this paper we discuss the application of a range of techniques to the
verification of mission-critical flight software at NASA’s Jet Propulsion Laboratory.
For this type of application we want to achieve a higher level of confidence than can
be achieved through standard software testing. Unfortunately, given the current state
of the art, especially when efforts are constrained by the tight deadlines and resource
limitations of a flight project, it is not feasible to produce a rigorous formal proof of
correctness of even a well-specified stand-alone module such as a file system (much less
more tightly coupled or difficult-to-specify modules). This means that we must look for
a practical alternative in the area between traditional testing and proof, as we attempt
to optimize rigor and coverage. The approaches we describe here are based on testing,
model checking, constraint-solving, monitoring, and finite-state machine learning, in
addition to static code analysis. The results we have obtained in the domain of file systems
are encouraging, and suggest that for more complex properties of programs with
complex data structures, it is possibly more beneficial to use constraint solvers to guide
and analyze execution (i.e., as in testing, even if performed by a model checking tool)
than to translate the program and property into a set of constraints, as in abstraction-based
and bounded model checkers. Our experience with non-file-system flight software
modules shows that methods even further removed from traditional static formal methods
can be assisted by formal approaches, yet readily adopted by test engineers and
software developers, even as the key problem shifts from test generation and selection
to test evaluation.Keywords: Verification, Formal proof, Flight software, File systems, Model checking, Testin