
    The Matrix Reproved (Verification Pearl)

    In this paper we describe a complete solution for the first challenge of the VerifyThis 2016 competition held at the 18th ETAPS Forum. We present the proof of two variants of matrix multiplication: a naive version using three nested loops and Strassen's algorithm. The proofs are conducted using the Why3 platform for deductive program verification, with automated theorem provers discharging the proof obligations. In order to specify and prove the two multiplication algorithms, we develop a new Why3 theory of matrices and apply the proof-by-reflection methodology.

    Deductive Verification of Unmodified Linux Kernel Library Functions

    This paper presents results from the development and evaluation of a deductive verification benchmark consisting of 26 unmodified Linux kernel library functions implementing conventional memory and string operations. The formal contract of each function was extracted from its source code and represented as preconditions and postconditions. The correctness of 23 functions was completely proved using the AstraVer toolset, although success for 11 of them required 2 new specification language constructs. Another 2 functions were proved after a minor modification of their source code, while the final one cannot be completely proved using the existing memory model. The benchmark can be used for testing and evaluating deductive verification tools and as a starting point for verifying other parts of the Linux kernel.

    Comment: 18 pages, 2 tables, 6 listings. Accepted to the ISoLA 2018 conference, Evaluating Tools for Software Verification track.
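    To show what a contract of the kind the benchmark describes looks like, here is an added example (our own code, not the paper's and not the kernel's): a bounded string-length function in the style of the kernel's string helpers, annotated with ACSL preconditions, postconditions and a loop invariant. ACSL is the annotation language of Frama-C-based toolchains, which AstraVer builds on. The function name kstrnlen_example, the helper demo_unterminated and the sample buffer are assumptions made for the example.

```c
/* Added example: a strnlen-style function with an ACSL contract.
 * The annotations live in C comments, so the file compiles normally;
 * a deductive verifier (Frama-C/AstraVer) reads them as proof goals.
 * kstrnlen_example and demo_unterminated are names invented here. */
#include <stddef.h>
#include <stdio.h>

/*@ requires \valid_read(s + (0 .. maxlen - 1)) ||
  @          (\exists integer k; 0 <= k < maxlen && s[k] == '\0'
  @                              && \valid_read(s + (0 .. k)));
  @ assigns \nothing;
  @ ensures \result <= maxlen;
  @ ensures \forall integer i; 0 <= i < \result ==> s[i] != '\0';
  @ ensures \result < maxlen ==> s[\result] == '\0';
  @*/
size_t kstrnlen_example(const char *s, size_t maxlen)
{
    size_t i = 0;

    /* The invariant says every byte scanned so far was non-NUL and i never
     * exceeds the bound; together with the precondition this proves that
     * s[i] is readable on each iteration. The variant proves termination. */
    /*@ loop invariant 0 <= i <= maxlen;
      @ loop invariant \forall integer j; 0 <= j < i ==> s[j] != '\0';
      @ loop assigns i;
      @ loop variant maxlen - i;
      @*/
    while (i < maxlen && s[i] != '\0')
        i++;
    return i;
}

/* Constructed input: a 4-byte buffer with no NUL terminator. The maxlen
 * bound is what keeps the scan inside the buffer; the precondition's first
 * disjunct (all maxlen bytes readable) is the one that holds here. */
size_t demo_unterminated(void)
{
    char buf[4] = { 'a', 'b', 'c', 'd' };
    return kstrnlen_example(buf, sizeof buf);
}

int main(void)
{
    printf("%zu\n", kstrnlen_example("hello", 10)); /* 5 */
    printf("%zu\n", kstrnlen_example("hello", 3));  /* 3 */
    printf("%zu\n", demo_unterminated());           /* 4 */
    return 0;
}
```

    The precondition is the part that contract extraction has to get right: without the second disjunct the function could not be called on an ordinary NUL-terminated string shorter than maxlen, and without the first it could not be called on an unterminated buffer at all. The `assigns \nothing` clause and the loop variant are what let the postconditions and termination be discharged automatically.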

    Practical realisation and elimination of an ECC-related software bug attack

    We analyse and exploit implementation features in OpenSSL version 0.9.8g which permit an attack against ECDH-based functionality. The attack, although more general, can recover the entire (static) private key from an associated SSL server via 633 adaptive queries when the NIST curve P-256 is used. One can view it as a software-oriented analogue of the bug attack concept due to Biham et al. and, consequently, as the first bug attack to be successfully applied against a real-world system. In addition to the attack and a posteriori countermeasures, we show that formal verification, while rarely used at present, is a viable means of detecting the features on which the attack hinges. Based on the security implications of the attack and the extra justification posed by the possibility of intentionally incorrect implementations in collaborative software development, we conclude that applying and extending the coverage of formal verification to augment existing test strategies for OpenSSL-like software should be deemed a worthwhile, long-term challenge.

    This work has been supported in part by EPSRC via grant EP/H001689/1 and by project SMART, funded by ENIAC Joint Undertaking (GA 120224).

    Engineering a static verification tool for GPU kernels

    We report on practical experiences over the last 2.5 years related to the engineering of GPUVerify, a static verification tool for OpenCL and CUDA GPU kernels, plotting the progress of GPUVerify from a prototype to a fully functional and relatively efficient analysis tool. Our hope is that this experience report will serve the verification community by helping to inform future tooling efforts. © 2014 Springer International Publishing

    The International Cancer Expert Corps: A Unique Approach for Sustainable Cancer Care in Low and Lower-Middle Income Countries

    The growing burden of non-communicable diseases including cancer in low- and lower-middle income countries (LMICs) and in geographic-access limited settings within resource-rich countries requires effective and sustainable solutions. The International Cancer Expert Corps (ICEC) is pioneering a novel global mentorship–partnership model to address workforce capability and capacity within cancer disparities regions, built on the requirement for local investment in personnel and infrastructure. Radiation oncology will be a key component given its efficacy for cure even for the advanced stages of disease often encountered, and for palliation. The goal for an ICEC Center within these health disparities settings is to develop and retain a high-quality sustainable workforce who can provide the best possible cancer care, conduct research, and become a regional center of excellence. The ICEC Center can also serve as a focal point for economic, social, and healthcare system improvement. ICEC is establishing teams of Experts with expertise to mentor in the broad range of subjects required to establish and sustain cancer care programs. The Hubs are cancer centers or other groups and professional societies in resource-rich settings that will comprise the global infrastructure coordinated by ICEC Central. A transformational tenet of ICEC is that altruistic, human-service activity should be an integral part of a healthcare career. To achieve a critical mass of mentors ICEC is working with three groups: academia, private practice, and senior mentors/retirees. While in-kind support will be important, ICEC seeks support for the career time dedicated to this activity through grants, government support, industry, and philanthropy. Providing care for people with cancer in LMICs has been a recalcitrant problem. The alarming increase in the global burden of cancer in LMICs underscores the urgency and makes this an opportune time for novel and sustainable solutions to transform cancer care globally.

    Moving from Specifications to Contracts in Component-Based Design

    Program properties that are automatically inferred by static analysis tools are generally not considered to be completely trustworthy unless the tool implementation or the results are formally verified. Here we focus on the formal verification of resource guarantees inferred by automatic cost analysis. Resource guarantees ensure that programs run within the indicated amount of resources, which may refer to memory consumption, to the number of instructions executed, etc. In previous work we studied formal verification of inferred resource guarantees that depend only on integer data. In realistic programs, however, resource consumption is often bounded by the size of heap-allocated data structures. Bounding their size requires a number of structural heap analyses. The contributions of this paper are (i) to identify what exactly needs to be verified to guarantee sound analysis of heap-manipulating programs, (ii) to provide a suitable extension of the program logic used for verification to handle structural heap properties in the context of resource guarantees, and (iii) to improve the underlying theorem prover so that proof obligations can be automatically discharged.

    An open extensible tool environment for Event-B

    We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation in order to reason and make meaningful conjectures about a model. But formal modelling of complex systems is a difficult task. Even when theorem provers improve further and get more powerful, modelling will remain difficult. The reason for this is that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and proving, similar to what is offered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods.

    Collaborative Verification and Testing with Explicit Assumptions

    Many mainstream static code checkers make a number of compromises to improve automation, performance, and accuracy. These compromises include not checking certain program properties as well as making implicit, unsound assumptions. Consequently, the results of such static checkers do not provide definite guarantees about program correctness, which makes it unclear which properties remain to be tested. We propose a technique for collaborative verification and testing that makes the compromises of static checkers explicit, such that they can be compensated for by complementary checkers or by testing. Our experiments suggest that our technique finds more errors and proves more properties than static checking alone, testing alone, and combinations that do not explicitly document the compromises made by static checkers. Our technique is also useful for obtaining small test suites for partially-verified programs.

    Ilinva: Using Abduction to Generate Loop Invariants

    We describe a system to prove properties of programs. The key feature of this approach is a method to automatically synthesize inductive invariants of the loops contained in the program. The method is generic, i.e., it applies to a large set of programming languages and application domains, and lazy, in the sense that it only generates invariants that allow one to derive the required properties. It relies on an existing system called GPiD for abductive reasoning modulo theories [14], and on the Why3 program verification platform [16]. Experiments show evidence of the practical relevance of our approach.