From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification

Many verifications of realistic software systems are monolithic, in the sense that they define single global invariants over complete system state. More modular proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.National Science Foundation (U.S.) (Grant CCF-1253229)United States. Defense Advanced Research Projects Agency (Agreement FA8750-12-2-0293

From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification

Many verifications of realistic software systems are monolithic, in the sense that they define single global invariants over complete system state. More modular proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.National Science Foundation (U.S.) (NSF grant CCF-1253229)United States. Defense Advanced Research Projects Agency (DARPA, agreement number FA8750-12-2-0293

Interaction Trees: Representing Recursive and Impure Programs in Coq

"Interaction trees" (ITrees) are a general-purpose data structure for representing the behaviors of recursive programs that interact with their environments. A coinductive variant of "free monads," ITrees are built out of uninterpreted events and their continuations. They support compositional construction of interpreters from "event handlers", which give meaning to events by defining their semantics as monadic actions. ITrees are expressive enough to represent impure and potentially nonterminating, mutually recursive computations, while admitting a rich equational theory of equivalence up to weak bisimulation. In contrast to other approaches such as relationally specified operational semantics, ITrees are executable via code extraction, making them suitable for debugging, testing, and implementing software artifacts that are amenable to formal verification. We have implemented ITrees and their associated theory as a Coq library, mechanizing classic domain- and category-theoretic results about program semantics, iteration, monadic structures, and equational reasoning. Although the internals of the library rely heavily on coinductive proofs, the interface hides these details so that clients can use and reason about ITrees without explicit use of Coq's coinduction tactics. To showcase the utility of our theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given in an ITree-based denotational semantics. Unlike previous results using operational techniques, our bisimulation proof follows straightforwardly by structural induction and elementary rewriting via an equational theory of combinators for control-flow graphs.Comment: 28 pages, 4 pages references, published at POPL 202

Preliminary Design of the SAFE Platform

Safe is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices

Preliminary Design of the SAFE Platform

SAFE is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices.Engineering and Applied Science

Cause of Death and Predictors of All-Cause Mortality in Anticoagulated Patients With Nonvalvular Atrial Fibrillation : Data From ROCKET AF

M. Kaste on työryhmän ROCKET AF Steering Comm jäsen.Background-Atrial fibrillation is associated with higher mortality. Identification of causes of death and contemporary risk factors for all-cause mortality may guide interventions. Methods and Results-In the Rivaroxaban Once Daily Oral Direct Factor Xa Inhibition Compared with Vitamin K Antagonism for Prevention of Stroke and Embolism Trial in Atrial Fibrillation (ROCKET AF) study, patients with nonvalvular atrial fibrillation were randomized to rivaroxaban or dose-adjusted warfarin. Cox proportional hazards regression with backward elimination identified factors at randomization that were independently associated with all-cause mortality in the 14 171 participants in the intention-to-treat population. The median age was 73 years, and the mean CHADS(2) score was 3.5. Over 1.9 years of median follow-up, 1214 (8.6%) patients died. Kaplan-Meier mortality rates were 4.2% at 1 year and 8.9% at 2 years. The majority of classified deaths (1081) were cardiovascular (72%), whereas only 6% were nonhemorrhagic stroke or systemic embolism. No significant difference in all-cause mortality was observed between the rivaroxaban and warfarin arms (P=0.15). Heart failure (hazard ratio 1.51, 95% CI 1.33-1.70, P= 75 years (hazard ratio 1.69, 95% CI 1.51-1.90, P Conclusions-In a large population of patients anticoagulated for nonvalvular atrial fibrillation, approximate to 7 in 10 deaths were cardiovascular, whereasPeer reviewe

SEX ROLE SOCIALIZATION IN PICTURE BOOKS: AN UPDATE

In a content analysis of children’s picture books, Weitzman et al, (1972) found females depicted far less often than males, and those females who were included tended to play traditional, stereotypical roles. The present study updates this research. Findings indicate that, while the ratio of females to males is now closer to parity, storybook characters continue to walk the well-worn paths of tradition