
    Parameterized conditional specifications : sufficient completeness and implicit induction

    Theorem proving in parameterized specifications allows for shorter and more structured proofs. Moreover, a generic proof can be given just once and reused for each instantiation of the parameters. We present procedures to test sufficient completeness and to prove and disprove inductive properties automatically in parameterized conditional specifications. Our method relies on the notion of test set, which can be seen as a well-suited induction scheme. Previously, we could only compute a test set for conditional specifications if the constructors were free. Here, we give a new definition of test sets and an algorithm to compute them even if the constructors are not free. The method uses a new notion of provable inconsistency which allows us to refute more false conjectures than with previous approaches. When limited to non-parameterized conditional specifications, this new method can refute general clauses; refutational completeness is also preserved for boolean ground convergent rewrite systems with completely defined functions even if the constructors are not free. The method has been implemented in the prover SPIKE. Based on computer experiments, the method appears to be more practical and efficient than inductive theorem proving in non-parameterized specifications.

    Fundamental Results on Automated Theorem Proving by Test Set Induction

    We present in this paper a general scheme for test set induction procedures and describe a simple technique to prove the correctness of such a procedure. Previously, we could only compute a test set for a conditional specification if the constructors were free. Here, we give a new definition of test sets and a procedure to compute them even if the constructors are not free. The method uses a new notion of provable inconsistency and induction positions (that need to be instantiated by induction schemes) which allows us to refute more false conjectures than with previous approaches. We also present an algorithm to compute all the induction positions of a conditional specification. Finally, we propose an induction procedure which is refutationally complete for conditional specifications (not restricted to boolean specifications) in that it refutes any conjecture which is not an inductive theorem. The method has been implemented in SPIKE. Based on computer experiments, SPIKE appears to be more practical and efficient than related systems.

    Implicit induction in conditional theories

    We propose a new procedure for proof by induction in conditional theories where case analysis is simulated by term rewriting. This technique considerably reduces the number of variables of a conjecture that have to be considered for applying induction schemes (inductive positions). Our procedure is presented as a set of inference rules whose correctness has been formally proved. Moreover, when the axioms are ground convergent it is possible to apply the system for refuting conjectures. The procedure is even refutationally complete for conditional equations with boolean preconditions over free constructors (under the same hypotheses). The method is entirely implemented in the prover SPIKE. This system has proved interesting examples in a completely automatic way, that is, without interaction with the user and without ad hoc heuristics. It has also proved the challenging Gilbreath card trick, with only 2 easy lemmas.

    Automatic Verification of Sufficient Completeness for Conditional Constrained Term Rewriting Systems

    We present a procedure for checking sufficient completeness for conditional and constrained term rewriting systems with axioms for constructors which may be constrained (by e.g. equalities, disequalities, ordering, membership...). Such axioms make it possible to specify complex data structures such as sets, sorted lists or powerlists. Our method is integrated in a framework for inductive theorem proving based on tree grammars with constraints, a formalism which permits an exact representation of languages of ground constructor terms in normal form. The procedure is sound and complete. It has been successfully applied, yielding very natural proofs and, in case of a negative answer, a counterexample suggesting how to complete the specification. Moreover, it is a decision procedure when the TRS is unconditional but constrained, for a large class of constrained constructor axioms.

    Security Protocol Verification with Implicit Induction and Explicit Destructors

    We present a new method for automatic implicit induction theorem proving, and its application to the verification of a key distribution cryptographic protocol. The method can handle axioms between constructor terms, a feature generally not supported by other induction procedures. We use such axioms in order to specify explicit destructors representing cryptographic operators.

    Automated mathematical induction

    Proofs by induction are important in many computer science and artificial intelligence applications, in particular in program verification and specification systems. We present a new method to prove (and disprove) inductive properties automatically. Given a set of axioms, a well-suited induction scheme is constructed automatically. We call such an induction scheme a test set. Then, for proving a property, we just instantiate it with terms from the test set and apply pure algebraic simplifications to the result. This method needs neither completion nor explicit induction. However, it retains their positive features, namely the completeness of the former and the robustness of the latter. It has been implemented in the theorem prover SPIKE.

    Automated mathematical induction

    This is a new version of Technical Report 1663, INRIA, 1992. Proofs by induction are important in many computer science and artificial intelligence applications, in particular in program verification and specification systems. We present a new method to prove (and disprove) inductive properties automatically. Given a set of axioms, a well-suited induction scheme is constructed automatically. We call such an induction scheme a test set. Then, for proving a property, we just instantiate it with terms from the test set and apply pure algebraic simplification to the result. This method needs neither completion nor explicit induction. However, it retains their positive features, namely the completeness of the former and the robustness of the latter. It has been implemented in the theorem prover SPIKE.

    Detection of firewall configuration errors with updatable tree

    The fundamental goals of a security policy are to allow uninterrupted access to network resources for authenticated users and to deny access to unauthenticated users. For this purpose, firewalls are frequently deployed in networks of every size. However, bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules block legitimate traffic and accept unwanted packets. This troubles administrators, who have to insert and delete filtering rules in a huge configuration file. We propose in this paper a quick method for managing a firewall configuration file. We represent the set of filtering rules by a firewall anomaly tree (FAT). An administrator can then update the FAT by inserting and deleting filtering rules. The FAT modification automatically reveals the anomalies that emerge and helps the administrator find the adequate position for a newly added filtering rule. All the algorithms presented in the paper have been implemented, and computer experiments show the usefulness of updating the FAT data structure in order to quickly detect anomalies when dealing with a huge firewall configuration file.
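    As an added example of the kind of anomaly the abstract above refers to, the Python below classifies each rule of an ordered first-match filtering policy against the rules before it and reports where a new rule can be inserted without being shadowed or shadowing something else. It is not the paper's FAT and does not reproduce its algorithms: the rule fields (protocol, source and destination CIDR, destination port range, action), the relation names and the four anomaly labels (shadowing, redundancy, generalization, correlation) are this example's own assumptions, and the sample policy is constructed.

```python
# Pairwise firewall-rule anomaly check under first-match semantics.
# Added example; not the paper's FAT. Fields, relation names and anomaly
# labels are this example's own assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive destination-port range


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "accept" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: PortRange


def rule(name, action, proto, src, dst, lo, hi=None):
    return Rule(name, action, proto, ip_network(src), ip_network(dst),
                (lo, lo if hi is None else hi))


def rel_proto(a, b):
    if a == b:
        return "equal"
    if a == "any":
        return "superset"
    if b == "any":
        return "subset"
    return "disjoint"


def rel_net(a, b):
    # CIDR blocks either nest or are disjoint; there is no partial overlap.
    if a == b:
        return "equal"
    if a.subnet_of(b):
        return "subset"
    if b.subnet_of(a):
        return "superset"
    return "disjoint"


def rel_ports(a, b):
    if a == b:
        return "equal"
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if b[0] <= a[0] and a[1] <= b[1]:
        return "subset"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "superset"
    return "overlap"


def relation(r1, r2):
    """How the packet space matched by r1 relates to that matched by r2."""
    rels = {rel_proto(r1.proto, r2.proto), rel_net(r1.src, r2.src),
            rel_net(r1.dst, r2.dst), rel_ports(r1.dport, r2.dport)}
    if "disjoint" in rels:
        return "disjoint"
    if "overlap" in rels or {"subset", "superset"} <= rels:
        return "overlap"
    if "subset" in rels:
        return "subset"
    if "superset" in rels:
        return "superset"
    return "equal"


def anomalies(rules: List[Rule]):
    """Classify each later rule against every earlier rule it intersects.
    shadowed_by: can never fire and has a different action (policy error);
    redundant_to: can never fire but has the same action (dead rule);
    generalizes: widens an earlier exception (fine if intended);
    correlated_with: partial overlap with different actions, so order decides."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            rel = relation(later, earlier)
            same = later.action == earlier.action
            if rel in ("subset", "equal"):
                found.append((later.name, "redundant_to" if same else "shadowed_by", earlier.name))
            elif rel == "superset" and not same:
                found.append((later.name, "generalizes", earlier.name))
            elif rel == "overlap" and not same:
                found.append((later.name, "correlated_with", earlier.name))
    return found


def insert_rule(rules, new, position):
    """Insert `new` at `position`; return the new list and only the anomalies
    the insertion introduces (pairs that were not anomalous before)."""
    updated = rules[:position] + [new] + rules[position:]
    return updated, sorted(set(anomalies(updated)) - set(anomalies(rules)))


def admissible_positions(rules, new):
    """Positions at which `new` is neither shadowed nor redundant and does
    not shadow or make redundant any rule placed after it."""
    bad = ("shadowed_by", "redundant_to")
    return [pos for pos in range(len(rules) + 1)
            if not any(kind in bad and new.name in (a, b)
                       for a, kind, b in insert_rule(rules, new, pos)[1])]


# Constructed sample policy, first match wins.
RULES = [
    rule("r1", "deny", "tcp", "10.0.0.0/8", "192.168.1.10/32", 22),
    rule("r2", "accept", "tcp", "10.0.0.0/8", "192.168.1.0/24", 1, 1024),
    rule("r3", "accept", "tcp", "10.1.0.0/16", "192.168.1.10/32", 22),
    rule("r4", "deny", "udp", "0.0.0.0/0", "192.168.1.0/24", 53),
    rule("r5", "accept", "udp", "10.0.0.0/8", "192.168.1.0/24", 50, 60),
]
NEW = rule("r6", "deny", "tcp", "10.2.0.0/16", "192.168.1.20/32", 80)

if __name__ == "__main__":
    for a in anomalies(RULES):
        print(a)
    print("positions where r6 takes effect:", admissible_positions(RULES, NEW))
```

    In the sample, r3 is shadowed by the deny in r1 and redundant to the accept in r2, r5 is correlated with r4 (it widens the port range but narrows the source), and r6 only takes effect if placed before r2, the accept that would otherwise swallow it. The check is pairwise: it flags order-dependent pairs but does not compute the combined effect of several earlier rules, which is the kind of cumulative analysis a tree over the whole rule set is needed for.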
