© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.
Omnibus: A clean language and supporting tool for integrating different assertion-based verification techniques Thomas Wilson, Savi Maharaj, Robert G.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
LIFE CYCLE MODELS FORMAL TRANSFORMATION
The ideal of program correctness Tony Hoare BudapestSeptember 2006.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
Job No/ 1 © British Crown Copyright 2008/MOD Developing a High Integrity Code Generator Using iUML/iCCG Sam Moody AWE plc, Aldermaston, Berkshire, United.
ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.
Safety as a Software Metric Matthias Felleisen and Robert Corky Cartwright Rice University.
ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Overview of the Multos construction process Chad R. Meiners.
Describing Syntax and Semantics
The Systems Assurance Group Dr Jaspal Sagoo Systems Assurance Group QinetiQ Trusted Information Management Malvern Technology Centre.
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Mathematics throughout the CS Curriculum Support by NSF #
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
© Andrew IrelandDependable Systems Group. © Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew.
© Andrew IrelandDependable Systems Group ITI Techmedia and Technology Transfer Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
(On secondment at) Praxis High Integrity Systems Bath Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.
Framework for the Development and Testing of Dependable and Safety-Critical Systems IKTA 065/ Supported by the Information and Communication.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland Dependable Systems Group School of Mathematical.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Joseph E. Hollingsworth
Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.
© Andrew IrelandDependable Systems Group Invariant Patterns for Program Reasoning Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
Software Debugging, Testing, and Verification Presented by Chris Hundersmarck November 10, 2004 Dr. Bi’s SE516.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
© Andrew IrelandGrand Challenges for Computing Research 2004 The Verifying Compiler Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
Lectures 2 & 3: Software Process Models Neelam Gupta.
Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
© Andrew IrelandDependable Systems Group The Use of Patterns to Guide Code Certification: A Proposal Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Interface specifications At the core of each Larch interface language is a model of the state manipulated by the associated programming language. Each.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.
Matching Logic An Alternative to Hoare/Floyd Logic
Automating Induction for Solving Horn Clauses
Levels of Software Assurance in SPARK
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
Cooperative Reasoning for Automatic Software Verification
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
A Verification Condition Visualizer
Programming Languages 2nd edition Tucker and Noonan
Andrew Ireland Dependable Systems Group
Department of Computer Science Abdul Wali Khan University Mardan
Proof Automation for the SPARK Approach to High Integrity Ada
Automatic Software Verification: A Renaissance
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

© Andrew IrelandDependable Systems Group Outline Cooperative reasoning & proof planning NuSPADE project CORE Project

© Andrew IrelandDependable Systems Group Cooperative Reasoning +=

© Andrew IrelandDependable Systems Group Cooperative Reasoning +=

© Andrew IrelandDependable Systems Group Cooperative Reasoning += = Complementary techniques compensating for each other’s weaknesses

© Andrew IrelandDependable Systems Group Automatic Theorem Proving Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration

© Andrew IrelandDependable Systems Group Proof Planning Middle-out reasoning: use of meta-variables in delaying choice during proof planning Proof critics: automatic proof patching via proof- failure analysis, e.g. generalization, lemma and loop invariant discovery Cooperative reasoning: –Clam/HOL: proof by mathematical induction (Boulton, Bundy, Gordon, Slind ) –SPADEase: program analysis & proof planning for SPARK

© Andrew IrelandDependable Systems Group The SPARK Approach A subset of Ada that eliminates potential ambiguities and insecurities (PRAXIS) Expressive enough for industrial applications, but restrictive enough to support rigorous analysis SPARK toolset supports data & information flow analysis and formal verification Partial correctness & exception freedom proof, e.g. proving code is free from buffer overflows, range violations, division by zero.

© Andrew IrelandDependable Systems Group SPARK Applications Advanced avionics (Eurofighter Typhoon), transportation, air traffic control, security (MONDEX) Ship Helicopter Operating Limits Information System (SHOLIS): first system developed to meet UK MOD Defence Standard Supports “correctness-by-construction” and is advocated by US National Cyber Security Partnership (NSA) as one of three software development processes that can deliver sufficient assurance for security critical systems

© Andrew IrelandDependable Systems Group The SPARK Approach SPARK Examiner SPADE Simplifier SPADE Proof Checker VCs Cmds Unproven VCs  SPARK code Proofs

© Andrew IrelandDependable Systems Group NuSPADE Project SPARK Examiner SPADE Simplifier SPADE Proof Checker Bill J. Ellis (RA) EPSRC Critical Systems programme (GR/R24081) EPSRC RAIS Scheme (GR/T11289) VCs Cmds Unproven VCs  Refinement Abstraction SPADEase SPARK code Proofs

© Andrew IrelandDependable Systems Group SPADEase Program Analysis Proof Planning Exception freedom proofs Automatic loop invariant discovery

© Andrew IrelandDependable Systems Group NuSPADE Results Our evaluation was based upon examples drawn from industrial data provided by Praxis, e.g. SHOLIS SPADE Simplifier is very effective on exception freedom VC, i.e. typical hit-rate of 92% SPADEase targeted the VCs which the SPADE Simplifier failed to prove, i.e. loop-based code While critical software is engineered to minimize the number and complexity of loops, we found that 80% of the loops we encountered were provable using SPADEase

© Andrew IrelandDependable Systems Group Program AnalysisProof Planning constraints not available post-VCGen soundness equational reasoning extensibility Compensating for Weaknesses?

© Andrew IrelandDependable Systems Group CORE Project Proof automation for separation logic Project details: Ewen Maclean & Ianthe Hind EPSRC EP/F Focus on proof automation challenges

© Andrew IrelandDependable Systems Group Singly-linked Lists list ( [],Y,Z ) ↔ emp  Y=Z list ( [W|X],Y,Z)↔ ( ∃ p.( Y ↦ W,p ) *list ( X,p,Z )) a1a1 a2a2 anan … i list([a 1, a 2, …, a n ],i,j) j

© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil)} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} Frame Axiom Discovery

© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} shape Frame Axiom Discovery

© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} content Frame Axiom Discovery

© Andrew IrelandDependable Systems Group { ∃ A. list(A,i,nil) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} Loop Invariant Discovery R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)}

© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery shape

© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery content

© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil)

© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(V,W,X)*list(Y,Z,nil) ↔ list(app(V,Y),W,nil) shape

© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(V,W,X)*list(Y,Z,nil) ↔ list(app(V,Y),W,nil) content

© Andrew IrelandDependable Systems Group Cooperative Approach Build upon the Smallfoot family of program analysis tools, i.e. use SmallfootRG to generate shape invariants (Matthew Parkinson) Adapt and extend existing proof plans for use within separation logic, in particular the proof patching capabilities Specification = shape + content

© Andrew IrelandDependable Systems Group Symbolic ExecutionProof Planning shape invariants content invariants soundness extensibility Compensating for Weaknesses?

© Andrew IrelandDependable Systems Group Conclusion Proof planning is a powerful technique for exploiting common patterns of reasoning, i.e. – searching for proofs and – analyzing & patching failed-proofs Proof planning provides a natural level for combining multiple reasoning processes, e.g. reasoning about shape and content Separation logic provides opportunities and challenges for automated reasoning and program analysis

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.