Ideas for a high-level proof strategy language
ABSTRACT Finding ways to prove theorems mechanically was one of the earliest challenges tackled by the AI community. Notable progress has been made, but there is still always a limit to any set of heuristic search techniques. From a proof done by a human user, we wish to find out whether AI techniques can also be used to learn from that user. AI4FM (Artificial Intelligence for Formal Methods) is a four-year project that starts officially in April 2010 (see www.AI4FM.org). It focuses on helping users of "formal methods", many of which give rise to proof obligations that have to be (mechanically) verified (by a theorem prover). In industrial-sized developments, there are often a large number of proof obligations and, whilst many of them succumb to similar proof strategies, those that remain can hold up engineers trying to use formal methods. The goal of AI4FM is to learn enough from one manual proof to discharge automatically those proof obligations that yield to similar proof strategies. To achieve this, a high-level (proof) strategy language is required, and in this paper we outline some ideas for such a language and for extracting such strategies.
* During this work Gudmund Grov has been employed jointly by the University of Edinburgh and Newcastle University.
and constrained use of Z [FW08] - is the so-called "posit and prove" approach: a designer posits development steps and then justifies that they satisfy earlier specifications by discharging (often automatically generated) proof obligations (POs). A large proportion of these POs can be discharged by automatic theorem provers, but "some" proofs require user interaction. Quantifying "some" is hard since it depends on many factors such as the domain, technology and methodology used; it could be as little as 3% or as much as 40%.
For example, the Paris Metro line 14, developed in the B-method, generated 27,800 POs (of which around 2,250 required user interaction) [Abr07]; the need for interactive proofs is clearly still a bottleneck in the industrial application of FM, notwithstanding the high degree of automation.
THE FORMAL METHODS PROBLEM
The development and deployment of formal methods in the UK
UK researchers have made major contributions to the technical ideas
underpinning formal approaches to the specification and development of computer
systems. Perhaps as a consequence of this, some of the significant attempts to
deploy theoretical ideas into practical environments have taken place in the
UK. The authors of this paper have been involved in formal methods for many
years and both have tracked a significant proportion of the whole story. This
paper both lists key ideas and indicates where attempts were made to use the
ideas in practice. Not all of these deployment stories have been a complete
success and an attempt is made to tease out lessons that influence the
probability of long-term impact.
Comment: This work has been submitted to the IEEE for possible publication.
Copyright may be transferred without notice, after which this version may no
longer be accessible.
A Rely-Guarantee Specification of Mixed-Criticality Scheduling
The application considered is mixed-criticality scheduling. The core formal
approaches used are Rely-Guarantee conditions and the Timeband framework; these
are applied to give a layered description of job scheduling which includes
resilience to jobs overrunning their expected execution time. A novel formal
modelling idea is proposed to handle the relationship between actual time and
its approximation in hardware clocks.
Comment: This paper will appear in a Festschrift - on publication we will
insert a pointer to the book.
Using Rely/Guarantee to Pinpoint Assumptions underlying Security Protocols
The verification of security protocols is essential, in order to ensure the
absence of potential attacks. However, verification results are only valid with
respect to the assumptions under which the verification was performed. These
assumptions are often hidden and are difficult to identify, making it unclear
whether a given protocol is safe to deploy into a particular environment.
Rely/guarantee provides a mechanism for abstractly reasoning about the
interference from the environment. Using this approach, the assumptions are
made clear and precise. This paper investigates this approach on the
Needham-Schroeder Public Key protocol, showing that the technique can
effectively uncover the assumptions under which the protocol can withstand
attacks from intruders.