Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Case Study in Using ACL2 for Feature-Oriented Verification Kathi Fisler and Brian Roberts WPI Computer Science.

Published byLucy Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "A Case Study in Using ACL2 for Feature-Oriented Verification Kathi Fisler and Brian Roberts WPI Computer Science."— Presentation transcript:

1 A Case Study in Using ACL2 for Feature-Oriented Verification Kathi Fisler and Brian Roberts WPI Computer Science

2 Configurations of Features decrypt encrypt auto-respond filter signing forward verify signature mailhost remail addressbook [Hall, 2000]

3 Feature-Oriented Design Modules encapsulate features, not objects Command loop User Pref Database Incoming Messages Outgoing Messages auto-reply set-msg, enable response check/send reply encryption set-key, enable key check encrypted encrypt message Components FeaturesFeatures

4 Feature-Rich Systems Telecommunications industry Telecommunications industry NASA’s next-generation software base NASA’s next-generation software base Symbian Symbian Aspects Aspects Still greatly lacking in verification tools

5 Verification Challenges Exponential number of possible products! Exponential number of possible products! –verify individual features once –verify compositions cheaply Feature interactions Feature interactions –does voice mail always engage after 4 rings? Features can share data Features can share data

6 The Case Study Model an email system with four features Model an email system with four features –Host/postmaster (report unknown users) –Auto-response (aka vacation) –Encryption –Decryption Determine lemmas to modularly Determine lemmas to modularly –prove properties of individual features –confirm properties and detect interactions

7 A Basic Email System simulate-network (hostenv, userenv, actions) do-actions (…)do-mail

8 Modeling Features One function for each extension to the system add new actions add new actions add user info add user info add processing on incoming messages add processing on incoming messages add processing on outgoing messages add processing on outgoing messages Command loop User Pref Database Incoming Messages Outgoing Messages auto-reply set-msg, enable response check/send reply encryption set-key, enable key check encrypted encrypt message

9 A Basic Email System simulate-network (hostenv, userenv, actions) do-actions (…)do-mail do-initdo-senddo-deliverdo-command email-auto-initemail-auto-incoming …… host-incoming

10 Customizing Products (defconst *features-present* '(auto encrypt)) (defund do-init (user) (let-seq user (let-seq user (fif encrypt (email-encrypt-init user) user) (fif encrypt (email-encrypt-init user) user) (fif decrypt (email-decrypt-init user) user) (fif decrypt (email-decrypt-init user) user) (fif auto (email-auto-init user) user) (fif auto (email-auto-init user) user) user)) user))

11 Verifying Features Needs –init and -incoming functions Needs –init and -incoming functions Verify against product containing base system and auto-response feature Verify against product containing base system and auto-response feature –theorem refers to simulate-network –not really modular If user has auto-response enabled and sender not in prev-recip list, send message

12 Lightweight Product Verification Add host to product with auto-response: prove auto-response property still holds build (new) product including host feature build (new) product including host feature prove simulate-network theorem again prove simulate-network theorem again Lightweight means proof shouldn’t require unanticipated lemmas Ideally warn of likely feature interactions

13 Detecting Feature Interactions Sample interaction: Sample interaction: Auto-reply message sent to postmaster Often violates no properties of features Often violates no properties of features Incompleteness makes more difficult Incompleteness makes more difficult Capture interaction as theorem, determine lemmas needed to confirm Capture interaction as theorem, determine lemmas needed to confirm –Hope: failure to prove under lemmas indicates likely interaction

14 Supporting Modular Verification Lemmas about individual features crucial Lemmas about individual features crucial –make product verification lightweight –help detect feature interactions Four kinds of lemmas helpful Four kinds of lemmas helpful –type/format of inputs and outputs –environment info that might/won’t change –conditions characterizing changes –lifting lemmas through call-graph hierarchy Ideally automate lemma creation Ideally automate lemma creation

15 Why Modularity? Reviewer: modularity irrelevant for ACL2 We disagree modularity key part of design process modularity key part of design process features provide new form of modularity features provide new form of modularity Research goal goes beyond ACL2 Research goal goes beyond ACL2

16 Reflections on ACL2 Procedural-style natural match for features Procedural-style natural match for features –features capture functional/behavioral information First-order limitation inhibits plug-and-play First-order limitation inhibits plug-and-play –Implementations use higher-order functions/classes Macros crucial Macros crucial –generate products and standard lemmas Books too restrictive for some feature lemmas Books too restrictive for some feature lemmas Hands-off and disable hints simulate modular environment Hands-off and disable hints simulate modular environment

17 Questions for Experts Better way to achieve plug-and-play? Better way to achieve plug-and-play? Way to use books for all feature lemmas? Way to use books for all feature lemmas? Results on lemma generation that we should know about? Results on lemma generation that we should know about?

Download ppt "A Case Study in Using ACL2 for Feature-Oriented Verification Kathi Fisler and Brian Roberts WPI Computer Science."

Similar presentations

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now.

Temporal-Logic Constraints in Feature-Oriented Verification Kathi Fisler (WPI) joint work with Shriram Krishnamurthi (Brown) Colin Blundell (Brown; now.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.

6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.
Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.

Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.

Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.

Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
Lesson 7: Business, , & Personal Information Management

Lesson 7: Business, , & Personal Information Management
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Decentralized Information Spaces for Composition and Unification of Services (DISCUS)  Successor to OzWeb  Builds on WebServices  (Relatively) Static.

Decentralized Information Spaces for Composition and Unification of Services (DISCUS)  Successor to OzWeb  Builds on WebServices  (Relatively) Static.
Automated Tests in NICOS Nightly Control System Alexander Undrus Brookhaven National Laboratory, Upton, NY 11973 Software testing is a difficult, time-consuming.

Automated Tests in NICOS Nightly Control System Alexander Undrus Brookhaven National Laboratory, Upton, NY Software testing is a difficult, time-consuming.
Email By Laura Trawin.

By Laura Trawin.
INFO EMPIRE COMMERCE Shopping Carts Gateways Merchant Accounts & Email Marketing Platforms.

INFO EMPIRE COMMERCE Shopping Carts Gateways Merchant Accounts & Marketing Platforms.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Complex Security Policies Dave Andersen Advanced Operating Systems Georgia State University.

Complex Security Policies Dave Andersen Advanced Operating Systems Georgia State University.
Using PATLive to Expand Your Business. What is PATLive PATLive is a powerful business tool that provides you with all the business telecommunications.

Using PATLive to Expand Your Business. What is PATLive PATLive is a powerful business tool that provides you with all the business telecommunications.
» Explain the way that electronic mail (e-mail) works » Configure an e-mail client » Identify e-mail message components » Create and send e-mail messages.

» Explain the way that electronic mail ( ) works » Configure an client » Identify message components » Create and send messages.

Similar presentations

Ads by Google