From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification
Many verifications of realistic software systems are monolithic, in the sense that they define single global invariants over complete system state. More modular proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.
National Science Foundation (U.S.) (Grant CCF-1253229); United States. Defense Advanced Research Projects Agency (Agreement FA8750-12-2-0293
Interaction Trees: Representing Recursive and Impure Programs in Coq
"Interaction trees" (ITrees) are a general-purpose data structure for representing the behaviors of recursive programs that interact with their environments. A coinductive variant of "free monads," ITrees are built out of uninterpreted events and their continuations. They support compositional construction of interpreters from "event handlers", which give meaning to events by defining their semantics as monadic actions. ITrees are expressive enough to represent impure and potentially nonterminating, mutually recursive computations, while admitting a rich equational theory of equivalence up to weak bisimulation. In contrast to other approaches such as relationally specified operational semantics, ITrees are executable via code extraction, making them suitable for debugging, testing, and implementing software artifacts that are amenable to formal verification.
We have implemented ITrees and their associated theory as a Coq library, mechanizing classic domain- and category-theoretic results about program semantics, iteration, monadic structures, and equational reasoning. Although the internals of the library rely heavily on coinductive proofs, the interface hides these details so that clients can use and reason about ITrees without explicit use of Coq's coinduction tactics.
To showcase the utility of our theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given in an ITree-based denotational semantics. Unlike previous results using operational techniques, our bisimulation proof follows straightforwardly by structural induction and elementary rewriting via an equational theory of combinators for control-flow graphs.
Comment: 28 pages, 4 pages references, published at POPL 202
Preliminary Design of the SAFE Platform
SAFE is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices.
Cause of Death and Predictors of All-Cause Mortality in Anticoagulated Patients With Nonvalvular Atrial Fibrillation : Data From ROCKET AF
M. Kaste is a member of the ROCKET AF Steering Committee working group.
Background: Atrial fibrillation is associated with higher mortality. Identification of causes of death and contemporary risk factors for all-cause mortality may guide interventions.
Methods and Results: In the Rivaroxaban Once Daily Oral Direct Factor Xa Inhibition Compared with Vitamin K Antagonism for Prevention of Stroke and Embolism Trial in Atrial Fibrillation (ROCKET AF) study, patients with nonvalvular atrial fibrillation were randomized to rivaroxaban or dose-adjusted warfarin. Cox proportional hazards regression with backward elimination identified factors at randomization that were independently associated with all-cause mortality in the 14 171 participants in the intention-to-treat population. The median age was 73 years, and the mean CHADS(2) score was 3.5. Over 1.9 years of median follow-up, 1214 (8.6%) patients died. Kaplan-Meier mortality rates were 4.2% at 1 year and 8.9% at 2 years. The majority of classified deaths (1081) were cardiovascular (72%), whereas only 6% were nonhemorrhagic stroke or systemic embolism. No significant difference in all-cause mortality was observed between the rivaroxaban and warfarin arms (P=0.15). Heart failure (hazard ratio 1.51, 95% CI 1.33-1.70, P= 75 years (hazard ratio 1.69, 95% CI 1.51-1.90, P
Conclusions: In a large population of patients anticoagulated for nonvalvular atrial fibrillation, approximately 7 in 10 deaths were cardiovascular, whereas
Peer reviewed
Peralkaline felsic magmatism at the Nemrut volcano, Turkey: impact of volcanism on the evolution of Lake Van (Anatolia) IV
SEX ROLE SOCIALIZATION IN PICTURE BOOKS: AN UPDATE
In a content analysis of children's picture books, Weitzman et al. (1972) found females depicted far less often than males, and those females who were included tended to play traditional, stereotypical roles. The present study updates this research. Findings indicate that, while the ratio of females to males is now closer to parity, storybook characters continue to walk the well-worn paths of tradition.