Results 1-10 of 33
ACL2: An Industrial Strength Version of Nqthm, 1996
Abstract

Cited by 60 (7 self)
ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds.
1 History
ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...
Metatheory and Reflection in Theorem Proving: A Survey and Critique, 1995
Abstract

Cited by 57 (2 self)
One way to ensure correctness of the inference performed by computer theorem provers is to force all proofs to be done step by step in a simple, more or less traditional, deductive system. Using techniques pioneered in Edinburgh LCF, this can be made palatable. However, some believe such an approach will never be efficient enough for large, complex proofs. One alternative, commonly called reflection, is to analyze proofs using a second layer of logic, a metalogic, and so justify abbreviating or simplifying proofs, making the kinds of shortcuts humans often do or appealing to specialized decision algorithms. In this paper we contrast the fully-expansive LCF approach with the use of reflection. We put forward arguments to suggest that the inadequacy of the LCF approach has not been adequately demonstrated, and neither has the practical utility of reflection (notwithstanding its undoubted intellectual interest). The LCF system with which we are most concerned is the HOL proof ...
VLISP: A verified implementation of Scheme, Lisp and Symbolic Computation, 1995
Abstract

Cited by 45 (3 self)
VLISP has produced a rigorously verified compiler from Scheme to byte codes, and a verified interpreter for the resulting byte codes. The official denotational semantics for Scheme provides the main criterion of correctness. The Wand-Clinger technique was used to prove correctness of the main compiler step. Then a state machine operational semantics is proved to be faithful to the denotational semantics. The remainder of the implementation is verified by a succession of state machine refinement proofs. These include proofs that garbage collection is a sound implementation strategy,
Design Goals for ACL2, 1994
Abstract

Cited by 36 (5 self)
ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...
A Trustworthy Proof Checker, in Iliano Cervesato, editor, Workshop on the Foundations of Computer Security, 2002
Abstract

Cited by 30 (7 self)
Proof-Carrying Code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles, and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems) which adds to our confidence of its correctness.
A Provably Correct Embedded Verifier for the Certification of Safety . . ., 1997
Abstract

Cited by 15 (1 self)
vframe is one of Ansaldo's software driven vital architectures for safety critical products. This paper describes a project whose result is the development of an "embedded verifier", i.e. a system integrated within vframe and able to certify the correctness of one of vframe components, a compiler. The embedded verifier satisfies two precise requirements. First, the compiler must be certified in a fully automatic and efficient way. Second, the embedded verifier must be itself certified, in a way which can be easily understood and validated by end users.
Formalizing and verifying semantic type soundness for a simple compiler, 2007
Abstract

Cited by 12 (4 self)
We describe a semantic type soundness result, formalized in the Coq proof assistant, for a compiler from a simple imperative language with heap-allocated data into an idealized assembly language. Types in the high-level language are interpreted as binary relations, built using both second-order quantification and a form of separation structure, over stores and code pointers in the low-level machine.
Vx86: x86 assembler simulated in C powered by automated theorem proving, in 12th International Conference on Algebraic Methodology and Software Technology (AMAST 2008), LNCS 5140, 2008
Abstract

Cited by 7 (3 self)
Vx86 is the first static analyzer for sequential Intel x86 assembler code using automated deductive verification. It proves the correctness of assembler code against function contracts, which are expressed in terms of pre, post, and frame conditions using first-order predicates. Vx86 takes the annotated assembler code, translates it into C code simulating the processor, and then uses an existing C verifier to either prove the correctness of the assembler program or find errors in it. First experiments on applying Vx86 on the Windows Hypervisor code base are encouraging. Vx86 verified the Windows Hypervisor's memory safety, arithmetic safety, call safety and interrupt safety.