Results 1 - 10 of 91
An Industrial Strength Theorem Prover for a Logic Based on Common Lisp
IEEE Transactions on Software Engineering, 1997
Cited by 104 (5 self)
ACL2 is a re-implemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language --- namely, a large applicative subset of Common Lisp --- while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K 86 microprocessor by Advanced Micro Devices, Inc.
Strand Spaces: Proving Security Protocols Correct
1999
Cited by 80 (6 self)
A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections between strands of different kinds.
Automating the Meta Theory of Deductive Systems
2000
Cited by 78 (17 self)
not be interpreted as representing the official policies, either expressed or implied, of NSF or the U.S. Government. This thesis describes the design of a meta-logical framework that supports the representation and verification of deductive systems, its implementation as an automated theorem prover, and experimental results related to the areas of programming languages, type theory, and logics. Design: The meta-logical framework extends the logical framework LF [HHP93] by a meta-logic M + 2. This design is novel and unique since it allows higher-order encodings of deductive systems and induction principles to coexist. On the one hand, higher-order representation techniques lead to concise and direct encodings of programming languages and logic calculi. Inductive definitions on the other hand allow the formalization of properties about deductive systems, such as the proof that an operational semantics preserves types or the proof that a logic is consistent. M + 2 is a proof calculus whose proof terms are recursive functions that may be
Generic Wrappers
In Proceedings of ECOOP 2000, LNCS 1850, 2000
Cited by 39 (0 self)
Component software means reuse and separate marketing of pre-manufactured binary components. This requires components from different vendors to be composed very late, possibly by end users at run time as in compound-document frameworks. To this aim, we propose generic wrappers, a new language construct for strongly-typed class-based languages. With generic wrappers, objects can be aggregated at run time. The aggregate belongs to a subtype of the actual type of the wrapped object. A lower bound for the type of the wrapped object is fixed at compile time. Generic wrappers are type safe and support modular reasoning. This feature combination is required for true component software but not achieved by known wrapping and combination techniques, such as the wrapper pattern or mix-ins. We analyze the design space for generic wrappers, e.g. overriding, forwarding vs. delegation, and snappy binding of the wrapped object. As a proof of concept, we add generic wrappers to Java and report on a mechanized type soundness proof of the latter.
The KIV-Approach to Software Verification
KORSO: Methods, Languages, and Tools for the Construction of Correct Software – Final Report, LNCS 1009, 1995
Cited by 33 (6 self)
This paper presents a particular approach to the design and verification of large sequential systems. It is based on structured algebraic specifications and stepwise refinement by program modules. The approach is implemented in Kiv (Karlsruhe Interactive Verifier), and supports the entire design process starting from formal specifications and ending with verified code. Its main characteristics are a strict decompositional design discipline for modular systems, a powerful proof component, and an evolutionary verification model supporting incremental error correction and verification. We present the design methodology for modular systems, a feasible verification method for single modules, and an evolutionary verification technique based on reuse of proofs. We report on the current performance of the system, compare it to others in the field, and discuss future perspectives.
A Structure Preserving Encoding of Z in Isabelle/HOL
Theorem Proving in Higher-Order Logics, LNCS 1125, 1996
Cited by 33 (6 self)
We present a semantic representation of the core concepts of the specification language Z in higher-order logic. Although it is a "shallow embedding" like the one presented by Bowen and Gordon, our representation preserves the structure of a Z specification and avoids expanding Z schemas. The representation is implemented in the higher-order logic instance of the generic theorem prover Isabelle. Its parser can convert the concrete syntax of Z schemas into their semantic representation and thus spare users from having to deal with the representation explicitly. Our representation essentially conforms with the latest draft of the Z standard and may give both a clearer understanding of Z schemas and inspire the development of proof calculi for Z. 1 Introduction Implementations of proof support for Z [Spi 92, Nic 95] can roughly be divided into two categories. In direct implementations, the rules of the logic are directly represented by functions of the prover's implementation...
PDS -- A Three-Dimensional Data Structure for Proof Plans
Proc. of ACIDCA'2000, 2000
Cited by 28 (8 self)
We present a new data structure that makes it possible to store three-dimensional proof objects in a proof development environment. The aim is to handle calculus level proofs as well as abstract proof plans together with information of their correspondences in a single structure. This enables not only different means of the proof development environment (e.g., rule- and tactic-based theorem proving, or proof planning) to act directly on the same proof object but it also allows for easy presentation of proofs on different levels of abstraction. However, the three-dimensional structure requires adjustment of the regular techniques for addition and deletion of proof lines and backtracking of the proof planner.
Applying source-code verification to a microkernel -- The VFiasco project
2002
Cited by 27 (5 self)
Source-code verification works by reasoning about the semantics of the full source code of a program. Traditionally it is limited to small programs written in an academic programming language. In this paper we present the VFiasco (Verified Fiasco) project, in which we apply source-code verification to a complete operating-system kernel written in C++. The aim of the VFiasco project is to establish security relevant properties of the Fiasco microkernel using source code verification. The project's main challenges are to develop a clean semantics for the subset of C++ used by the kernel and to enable high-level reasoning about typed data starting from only low-level knowledge about the hardware. In this paper we present our ideas for tackling these challenges. We sketch a semantics of C++ and develop a type-safe object store for reasoning about C++ programs. This object store is based on a hardware model that closely resembles the IA32 virtual-memory architecture, and on guarantees provided by the kernel itself.
Three Theses of Representation in the Semantic Web
2003
Cited by 25 (1 self)
The Semantic Web is vitally dependent on a formal meaning for the constructs of its languages. For Semantic Web languages to work well together their formal meanings must employ a common view (or thesis) of representation, otherwise it will not be possible to reconcile documents written in different languages. The thesis of representation underlying RDF and RDFS is particularly troublesome in this regard, as it has several unusual aspects, both semantic and syntactic. A more-standard thesis of representation would result in the ability to reuse existing results and tools in the Semantic Web.
Combining theorem proving with static analysis for data structure consistency
In International Workshop on Software Verification and Validation (SVV 2004), 2004
Cited by 21 (15 self)
We describe an approach for combining theorem proving techniques with static analysis to analyze data structure consistency for programs that manipulate heterogeneous data structures. Our system uses interactive theorem proving and shape analysis to verify that data structure implementations conform to set interfaces. A simpler static analysis then uses the verified set interfaces to verify properties that characterize how shared objects participate in multiple data structures. We have successfully applied this technique to several programs and found that theorem proving within circumscribed regions of the program combined with static analysis enables the verification of large-scale program properties.