
    Machine-checked proofs of the design and implementation of a fault-tolerant circuit

    A formally verified implementation of the 'oral messages' algorithm of Pease, Shostak, and Lamport is described. An abstract implementation of the algorithm is verified to achieve interactive consistency in the presence of faults. This abstract characterization is then mapped down to a hardware-level implementation which inherits the fault-tolerant characteristics of the abstract version. All steps in the proof were checked with the Boyer-Moore theorem prover. A significant result is the demonstration of a fault-tolerant device that is formally specified and whose implementation is proved correct with respect to this specification. A significant simplifying assumption is that the redundant processors behave synchronously. A mechanically checked proof that the oral messages algorithm is 'optimal', in the sense that no algorithm which achieves agreement via similar message passing can tolerate a larger proportion of faulty processors, is also described.

    The design and proof of correctness of a fault-tolerant circuit

    The following achievements are presented in view graph form: (1) a formal statement of the interactive consistency conditions in the Boyer-Moore logic; (2) a formal statement of the oral messages (OM) algorithm in the Boyer-Moore logic; (3) a mechanically checked proof that OM satisfies the interactive consistency conditions; (4) a mechanically checked proof of the optimality result: no algorithm can tolerate a larger proportion of faulty processors than OM and still achieve interactive consistency; (5) the use of OM in a functional specification for a fault-tolerant device; (6) a formal description of the design of the device; (7) a mechanically checked proof that the device design satisfies the specification; and (8) an implementation of the design in programmable logic arrays.
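    The two abstracts above refer to the OM(m) algorithm and the interactive consistency conditions without spelling them out. The following Python simulation is an added example, not code from either paper and not the Boyer-Moore formalization: it implements OM(m) as published by Lamport, Shostak and Pease (commander sends, each lieutenant relays by recursively acting as commander of OM(m-1), each lieutenant takes a majority), assumes synchronous processors as the abstracts do, and checks IC1 and IC2 against a constructed traitor strategy (`split_liar`, an assumption of this example). It also shows the bound the optimality result is about: with 4 processors and 1 traitor (n > 3m) both conditions hold, while with 3 processors and 1 traitor a lying lieutenant already breaks IC2.

```python
"""OM(m), the 'oral messages' algorithm of Lamport, Shostak and Pease.

Added example; not code from either paper.  It simulates n synchronous
processors (processor 0 is the commander), of which the set `faulty` is
Byzantine, and checks the two interactive consistency conditions:
  IC1  all loyal lieutenants decide on the same value;
  IC2  if the commander is loyal, every loyal lieutenant decides on its value.
The traitor strategy `split_liar` is a constructed assumption of this example.
"""
from collections import Counter
from itertools import combinations

ATTACK, RETREAT = "ATTACK", "RETREAT"


def majority(values):
    """Lamport's majority: the value held by more than half, else RETREAT."""
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > len(values) else RETREAT


def split_liar(sender, recipient, m):
    """Constructed traitor behaviour: tell even-numbered recipients ATTACK and
    odd-numbered ones RETREAT, so the loyal processors start out disagreeing.
    (`sender` and `m` are available for richer strategies; unused here.)"""
    return ATTACK if recipient % 2 == 0 else RETREAT


def om(m, commander, lieutenants, value, faulty, liar=split_liar):
    """Run OM(m) and return {lieutenant: decided value}.

    Step 1: the commander sends its value to every lieutenant (traitors lie).
    Step 2 (m > 0): each lieutenant j relays the value it received to the
            other lieutenants by acting as commander of OM(m-1).
    Step 3 (m > 0): each lieutenant takes the majority of its own value and
            the values relayed to it.
    """
    received = {lt: liar(commander, lt, m) if commander in faulty else value
                for lt in lieutenants}
    if m == 0:
        return received
    relayed = {lt: {} for lt in lieutenants}   # relayed[i][j]: what i got from j
    for j in lieutenants:
        others = [lt for lt in lieutenants if lt != j]
        for i, v in om(m - 1, j, others, received[j], faulty, liar).items():
            relayed[i][j] = v
    return {i: majority([received[i]] + [relayed[i][j] for j in lieutenants if j != i])
            for i in lieutenants}


def interactive_consistency(n, m, faulty, liar=split_liar):
    """Return (IC1 holds, IC2 holds) over both possible commander orders."""
    lieutenants = list(range(1, n))
    loyal = [lt for lt in lieutenants if lt not in faulty]
    ic1 = ic2 = True
    for order in (ATTACK, RETREAT):
        decisions = om(m, 0, lieutenants, order, faulty, liar)
        chosen = {decisions[lt] for lt in loyal}
        ic1 = ic1 and len(chosen) == 1
        if 0 not in faulty:
            ic2 = ic2 and chosen == {order}
    return ic1, ic2


def fault_sets(n, k):
    """Every way to place k traitors among n processors."""
    return [set(c) for c in combinations(range(n), k)]


def tolerates(n, m, faulty_sets, liar=split_liar):
    """True if OM(m) meets IC1 and IC2 for every traitor placement given."""
    return all(all(interactive_consistency(n, m, f, liar)) for f in faulty_sets)


if __name__ == "__main__":
    # n > 3m: 4 processors, 1 traitor -> OM(1) achieves interactive consistency.
    print("n=4, m=1:", tolerates(4, 1, fault_sets(4, 1)))
    # n = 3m: 3 processors, 1 traitor -> a lying lieutenant breaks IC2.
    print("n=3, m=1:", tolerates(3, 1, fault_sets(3, 1)),
          interactive_consistency(3, 1, {2}))
    # n > 3m with two rounds of relaying: 7 processors, 2 traitors.
    print("n=7, m=2:", tolerates(7, 2, fault_sets(7, 2)))
```

    The n=3 failure is the classic one: a loyal commander orders ATTACK, the traitor lieutenant relays RETREAT, and the loyal lieutenant sees a tie and falls back to the RETREAT default, violating IC2. A simulation like this only exercises one traitor strategy; the papers' point is that the Boyer-Moore proof covers every possible behaviour of the faulty processors, which no finite set of test runs can.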

    A Verified Operating System Kernel

    Kernel Layer The task layer defines the communication transitions in which a task may engage, but says nothing of how tasks are activated. The abstract kernel layer defines a scheme for activating a finite set of tasks. The distinction between a task and an I/O device is made more concrete. Each task has a state known completely to the abstract kernel, while the state of an I/O device is unspecified. Devices communicate with the kernel only through shared ports. A number of task management operations are specified, including time slicing, scheduling and error handling. The state space of the abstract kernel is described by the shell AK which defines a 10-tuple. The AK-PSTATES field is a fixed-size array of the private states of tasks. The private state of a task is easily proved to be isolated from the others by virtue of the properties of array access. The fields AK-IBUFFERS, AK-OBUFFERS and AK-MBUFFERS contain the shared state and, when grouped into a list, are identical to the chann..

    Naval Warfare Systems Command under Contract
