Proof Automation for the SPARK Approach to High Integrity Ada
Andrew Ireland, Dependable Systems Group, Computing & Electrical Engineering, Heriot-Watt University, Edinburgh
© Andrew Ireland, Dependable Systems Group

Executive Summary
- Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems
- Julian Richardson (Co-investigator) and Bill Ellis (Research Associate)
- Investigate the role of proof planning within the SPARK approach to high integrity Ada

Outline
- Background and basic approach
- Proposed verification architecture
- Initial investigation into proof automation
- Future work

Program Verification
- Long history dating back to the 70s: Wegbreit, German, Katz & Manna, ...
- Theorem proving and heuristic components were kept separate
- Adopting a proof planning approach integrates the high-level theorem proving and heuristic components

Ada Verification Systems
- ANNA: Stanford University PAVG
- Penelope: Odyssey Research Associates
- MALPAS: TA Group (RSRE Malvern)
- SPARK: Praxis Critical Systems (PVL)

Praxis Critical Systems
- Internationally leading within the sector
- Aerospace, Defence, Transportation, Finance, Energy and Utilities
- Boeing, Lockheed-Martin, CAA, FAA, QinetiQ (DERA), Westinghouse Signals, MONDEX, ...

SPARK Projects
- SHOLIS: Ship Helicopter Operating Limits Instrumentation System, the UK MoD's first Def Standard project
- C130J: Lockheed Martin military transport aircraft
- MONDEX: international smart card security, developed to the ITSEC E6 standard

The SPARK Language
- A subset of Ada that eliminates potential ambiguities and insecurities
- Specification supported via code-level annotations

Static Analysis
- Data flow analysis: checks basic integrity constraints, e.g. definition-usage
- Information flow analysis: checks various interdependencies via program annotations
- Formal verification: generates verification conditions (VCs) based upon program annotations and SPARK semantics

The SPARK Tools
(Diagram of the tool chain.) Annotated code goes into the SPARK Examiner, which produces flow analysis feedback, path functions and VCs. The VCs pass through the SPADE Simplifier; what remains is discharged in the SPADE Proof Checker, with user rules (lemmas) supplied by the user, yielding the proof.

Clam-Oyster
(Architecture diagram.) Conjectures and theory are fed to the planner (Clam); the planner produces a tactic for the checker (Oyster), which produces the proof; the user interacts with the planner.

NuSPADE
(Architecture diagram.) The same planner/checker split as Clam-Oyster: conjectures (the VCs) and theory are fed to the planner; the planner drives the checker (SPADE) with commands (cmd), which produces the proof; the user interacts with the planner.

NuSPADE: High-Level Aims
- Integrity: only modify the SPADE proof state via SPADE commands
- Compatibility: preserve SPADE at its core
- Transparency: provide users with the look-and-feel of a SPADE session

Proof Plans
(Diagram of two proof plans as sequences of methods.)
- ind-strat: induction, ripple, fertilize, simplify
- inv-strat: ripple, fertilize, simplify, tautology

Polish Flag Problem

--# pre (for all I in IndexRange => (Flag(I)=Red or Flag(I)=White))
--# post for some P in Integer range (Flag'First)..(Flag'Last+1) =>
--#        ((for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
--#         (for all R in Integer range P..Flag'Last => (Flag(R)=White)));

Loop Invariant

--# assert Flag'First<=I and
--#        J<=(Flag'Last+1) and
--#        I<=J and
--#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
--#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));

(Diagram: the array from Flag'First to Flag'Last with markers I and J: red before I, white from J onwards, unsorted in between.)

SPARK Code

-- ArrayOfColours, Colour (with literals Red and White) and IndexRange are
-- assumed to be declared in the enclosing package, which the slide does not show.
procedure Partition_Section(Flag: in out ArrayOfColours) is
   subtype JustBiggerRange is Integer range Flag'First .. Flag'Last+1;
   I: JustBiggerRange;
   J: JustBiggerRange;
   T: Colour;
begin
   I := Flag'First;
   J := Flag'Last+1;
   loop
      --# assert Flag'First<=I and
      --#        J<=(Flag'Last+1) and
      --#        I<=J and
      --#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
      --#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));
      exit when I=J;
      if Flag(I)=Red then
         I := I+1;
      else  -- Flag(I)=White: move it to the white region
         J := J-1;
         T := Flag(I);
         Flag(I) := Flag(J);
         Flag(J) := T;
      end if;
   end loop;
end Partition_Section;

Verification Condition

procedure_partition_section_3.
H1: indexrange__first <= i.
H2: j <= indexrange__last + 1.
H3: i <= j.
H4: for_all(q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(flag, [q_]) = red)).
H5: for_all(r_: integer, ((r_ >= j) and (r_ <= indexrange__last)) -> (element(flag, [r_]) = white)).
H6: not (i = j).
H7: not (element(flag, [i]) = red).
   ->
C1: indexrange__first <= i.
C2: j - 1 <= indexrange__last + 1.
C3: i <= j - 1.
C4: for_all(q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [q_]) = red)).
C5: for_all(r_: integer, ((r_ >= j - 1) and (r_ <= indexrange__last)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [r_]) = white)).

This is the VC for the path through the else branch: the hypotheses are the loop invariant plus the two branch conditions (I/=J and Flag(I)/=Red), and the conclusions are the invariant re-established on the updated array with J replaced by J-1.
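As an added example (not part of the slides, and not the SPADE tools' own machinery), the VC above can be sanity-checked by brute force before any proof effort is spent on it. The FDL array operators element(a, [i]) and update(a, [i], v) are modelled on dicts keyed by index, and H1..H7 -> C1..C5 is evaluated for every colouring of a small array and every (i, j) in the extended index range. This is a finite-domain check, not a proof; its value is in showing that the VC is not vacuous and that a wrong loop body (here, an assumed variant that forgets the swap) produces a concrete counterexample.

```python
# Added example: bounded check of procedure_partition_section_3 over small arrays.
from itertools import product

RED, WHITE = "red", "white"


def element(a, i):
    """FDL element(a, [i])."""
    return a[i]


def update(a, i, v):
    """FDL update(a, [i], v): a copy of a with index i set to v."""
    b = dict(a)
    b[i] = v
    return b


def for_all(lo, hi, pred):
    """FDL for_all over the closed integer range lo..hi (an empty range is true)."""
    return all(pred(k) for k in range(lo, hi + 1))


def hypotheses_hold(flag, first, last, i, j):
    """H1..H7 for one concrete state.  The chain short-circuits, so
    element(flag, [i]) is only read once H3 and H6 give i < j <= last + 1."""
    return (first <= i                                                      # H1
            and j <= last + 1                                               # H2
            and i <= j                                                      # H3
            and for_all(first, i - 1, lambda q: element(flag, q) == RED)    # H4
            and for_all(j, last, lambda r: element(flag, r) == WHITE)       # H5
            and i != j                                                      # H6
            and element(flag, i) != RED)                                    # H7


def conclusions_hold(new_flag, first, last, i, j):
    """C1..C5: the invariant re-established on the updated array with J := J - 1."""
    return (first <= i                                                          # C1
            and j - 1 <= last + 1                                               # C2
            and i <= j - 1                                                      # C3
            and for_all(first, i - 1, lambda q: element(new_flag, q) == RED)    # C4
            and for_all(j - 1, last, lambda r: element(new_flag, r) == WHITE))  # C5


def swap_body(flag, i, j):
    """The else branch after J := J - 1 (T := Flag(I); Flag(I) := Flag(J); Flag(J) := T),
    written as the two nested updates that appear in C4 and C5."""
    return update(update(flag, i, element(flag, j - 1)), j - 1, element(flag, i))


def no_swap_body(flag, i, j):
    """Assumed wrong body for the demo: J is decremented but the swap is forgotten."""
    return flag


def check_vc(n, body=swap_body):
    """Enumerate every colouring of indices 1..n and every I, J in 1..n+1
    (JustBiggerRange).  Returns (states satisfying H1..H7, first counterexample or None)."""
    first, last = 1, n
    checked = 0
    for colours in product((RED, WHITE), repeat=n):
        flag = dict(zip(range(first, last + 1), colours))
        for i in range(first, last + 2):
            for j in range(first, last + 2):
                if not hypotheses_hold(flag, first, last, i, j):
                    continue
                checked += 1
                if not conclusions_hold(body(flag, i, j), first, last, i, j):
                    return checked, {"flag": flag, "i": i, "j": j}
    return checked, None


if __name__ == "__main__":
    print("swap body   :", check_vc(3))
    print("no-swap body:", check_vc(3, no_swap_body))
```

With the forgotten swap, only C5 can fail (C1..C4 restate hypotheses on an unchanged array), and it fails exactly when Flag(J-1) is red with J-1 > I, which is the element the swap was supposed to move; the counterexample the checker returns has that shape.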

Ripple Plan
(Diagram: Given and Goal.) Ripple plan = difference identification + difference reduction: the differences between the given (hypothesis) and the goal are identified and annotated, then rewritten away.


Rewrite Rules
(Slide contents not captured in the transcript.)

Ripple Preconditions
1. there exists a subterm T of the goal formula that contains a wave-front
2. there exists a wave-rule that matches T
3. any wave-rule conditions follow from the proof context
4. resulting inward directed wave-fronts are potentially cancellable
Note: a stronger decision procedure is required for precondition 3

Speculative Loop Invariant

--# assert Flag'First<=P and
--#        P<=(Flag'Last+1) and
--#        (for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
--#        (for all R in Integer range P..Flag'Last => (Flag(R)=White));

(Diagram: the array from Flag'First to Flag'Last with a single marker P: red before P, white from P onwards.)

Proof Failure
(Diagram: Given and Goal for the speculative invariant; the ripple does not go through.)

Failure Analysis
- Blocked wave-front
- Matching wave-rule
- Failed precondition: 3. any wave-rule conditions follow from the proof context

Productive Use Of Failure
(Table: failed ripple precondition, 1 to 4, against proof patch.) Patches: Generalization, Case split, Revise Induction, Lemma speculation.

Proof Patch
- Find the minimal instantiation for P such that i and (j-1) lie outside r, i.e. P becomes j
- The ripple plan is then applicable to the revised invariant conjecture

Range Splitting Proof Critic
- While the goal concerned with "white" gives rise to P = j, the complementary "red" goal gives rise to P = i
- This inconsistency suggests the required 3-way range split at i and j: Flag'First..i-1 (red), i..j-1 (unsorted), j..Flag'Last (white)
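As an added example (not from the slides), the two candidate invariants can be compared by running Partition_Section and evaluating each candidate at every loop head. This is a dynamic check on constructed inputs, not the rippling-based failure analysis the slides describe, but it shows the same inadequacy from the other side: the single-index speculative invariant is not even established at loop entry on unsorted input, whereas the two-index invariant that results from the 3-way range split holds on every input. Indices are 0-based here, so the slide's Flag'First..Flag'Last is 0..len(flag)-1 and Flag'Last+1 is len(flag).

```python
# Added example: dynamic check of the loop invariant candidates for Partition_Section.
from itertools import product

RED, WHITE = "red", "white"


def postcondition_holds(flag):
    """The slide's postcondition: some P with Flag'First..P-1 red and P..Flag'Last white."""
    n = len(flag)
    return any(all(c == RED for c in flag[:p]) and all(c == WHITE for c in flag[p:])
               for p in range(n + 1))


def speculative_invariant(flag, i, j):
    """The speculative invariant is the postcondition with a single index P.
    i and j are ignored; it is read generously as 'some P exists'."""
    return postcondition_holds(flag)


def three_way_invariant(flag, i, j):
    """The slide's invariant after the range split: First..I-1 red, I..J-1
    unconstrained, J..Last white, plus the bounds First<=I, J<=Last+1, I<=J
    (the bounds are what keep Flag(I) and Flag(J) in range)."""
    n = len(flag)
    return (0 <= i <= j <= n
            and all(c == RED for c in flag[:i])
            and all(c == WHITE for c in flag[j:]))


def partition(flag, invariant):
    """Partition_Section with `invariant` evaluated at every loop head.
    Returns (partitioned copy, iteration at which the invariant first failed or None)."""
    flag = list(flag)
    i, j = 0, len(flag)
    iteration, failed_at = 0, None
    while True:
        if failed_at is None and not invariant(flag, i, j):
            failed_at = iteration
        if i == j:
            break
        if flag[i] == RED:
            i += 1
        else:                      # Flag(I) = White
            j -= 1
            flag[i], flag[j] = flag[j], flag[i]
        iteration += 1
    return flag, failed_at


def holds_on_all_inputs(n, invariant):
    """True if `invariant` holds at every loop head for every colouring of length n."""
    return all(partition(f, invariant)[1] is None
               for f in product((RED, WHITE), repeat=n))


if __name__ == "__main__":
    sample = [WHITE, RED, RED, WHITE]   # constructed input
    print(partition(sample, three_way_invariant))
    print(partition(sample, speculative_invariant))
    print(holds_on_all_inputs(5, three_way_invariant), holds_on_all_inputs(5, speculative_invariant))
```

On an input that is already partitioned the speculative invariant is preserved by every iteration, which is why a single example can be misleading; the exhaustive check over all colourings of a given length is what separates the two candidates.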

Extending the Critics Mechanism
- Build upon the current capability to analyse failures over multiple branches
- Integrate a constraint solving capability
- Develop a bottom-up invariant generation capability, also important for reasoning about the absence of run-time errors

Future Work
- Complete the first prototype of NuSPADE
- Adapt existing proof plans for SPADE
- Develop corresponding generic proof command templates (tactics)
- Extend the critics mechanism
- Address proof management issues
- Investigate industrial strength case studies