A Verified Operating System Kernel (1987)

by William Bevier
Citing documents (results 11 - 20 of 24)

Hoare logic for realistically modelled machine code

by Magnus O. Myreen, Michael J. C. Gordon - In Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2007), LNCS, 2007
Cited by 13 (5 self)
Abstract. This paper presents a mechanised Hoare-style programming logic framework for assembly level programs. The framework has been designed to fit on top of operational semantics of realistically modelled machine code. Many ad hoc restrictions and features present in real machine-code are handled, including finite memory, data and code in the same memory space, the behavior of status registers and hazards of corrupting special purpose registers (e.g. the program counter, procedure return register and stack pointer). Despite accurately modeling such low level details, the approach yields concise specifications for machine-code programs without using common simplifying assumptions (like an unbounded state space). The framework is based on a flexible state representation in which functional and resource usage specifications are written in a style inspired by separation logic. The presented work has been formalised in higher-order logic, mechanised in the HOL4 system and is currently being used to verify ARM machine-code implementations of arithmetic and cryptographic operations.

Invariant Performance: A Statement of Task Isolation Useful for Embedded Application Integration

by Matthew M. Wilding, David S. Hardin, David A. Greve (Rockwell Collins Inc) - In Dependable Computing for Critical Applications, DCCA-7, 1999
Cited by 10 (1 self)
We describe the challenge of embedded application integration and argue that the conventional formal verification approach of proving abstract behavior is not useful in this domain. We introduce invariant performance, a formulation of task isolation useful for application integration. We demonstrate invariant performance by formalizing it in the logic of PVS for a simple yet realistic embedded system.

1 Introduction
Integration of multiple real-time embedded applications onto a single processor is increasingly attractive because the capacity of computing devices continues to grow. The use of fewer devices reduces space and power consumption that can be very valuable in an embedded environment, and fewer device connections increase reliability. Greater integration can also simplify the development of fault-tolerant architectures. Integration of applications poses daunting challenges as well, because integrated applications may interact. Applications that share computing resources can...

Operating System Verification — An Overview

by Gerwin Klein
Cited by 10 (4 self)
Abstract. This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machine-checked code proofs, and describe two specific ongoing larger-scale verification projects in more detail.

Proof styles in operational semantics

by Sandip Ray, J Strother Moore - Proceedings of the 5th International Conference on Formal Methods in Computer-Aided Design (FMCAD 2004), volume 3312 of LNCS, 2004
Cited by 8 (4 self)
Abstract. We relate two well-studied methodologies in deductive verification of operationally modeled sequential programs, namely the use of inductive invariants and clock functions. We show that the two methodologies are equivalent and one can mechanically transform a proof of a program in one methodology to a proof in the other. Both partial and total correctness are considered. This mechanical transformation is compositional; different parts of a program can be verified using different methodologies to achieve a complete proof of the entire program. The equivalence theorems have been mechanically checked by the ACL2 theorem prover and we implement automatic tools to carry out the transformation between the two methodologies in ACL2.

The Role of Automated Reasoning in Integrated System Verification Environments

by Donald I. Good, Matt Kaufmann, J Strother Moore, 1992
Cited by 3 (2 self)
Abstract not found

An Overview of the Formal Specification and Verification of the FM9001 Microprocessor

by Bishop C. Brock, Warren A. Hunt, Jr., 1994
Cited by 3 (0 self)
This document presents the details of the FM9001 development, its specification, and its verification.

A mechanized program verifier

by J Strother Moore - In IFIP Working Conference on the Program Verifier Challenge, 2005
Cited by 3 (0 self)
Abstract. In my view, the "verification problem" is the theorem proving problem, restricted to a computational logic. My approach is: adopt a functional programming language, build a general purpose formal reasoning engine around it, integrate it into a program and proof development environment, and apply it to model and verify a wide variety of computing artifacts, usually modeled operationally within the functional programming language. Everything done in this approach is software verification since the models are runnable programs in a subset of an ANSI standard programming language (Common Lisp). But this approach is of interest to proponents of other approaches (e.g., verification of procedural programs or synthesis) because of the nature of the mathematics of computing. I summarize the progress so far using this approach, sketch the key research challenges ahead and describe my vision of the role and shape of a useful verification system.

Memory Taggings and Dynamic Data Structures

by J Strother Moore - In Fourth International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2-2003), 2003
Cited by 2 (0 self)
The aim of this paper is to help formal methods practitioners deal with the formal proofs of elementary properties of data structures represented in a RAM-like memory. This problem commonly arises when dealing with proofs of microcode, machine code, assembly code and compiler correctness. We formalize a version of the problem in ACL2 and discuss how to prove several important properties. In particular, our data structures are typed but the type information is not recorded in the representation. Algorithms for manipulating the representation implicitly respect the declared types. We support arbitrarily many record types within the RAM. Each field of each record is declared to contain either a data item or a pointer to a record of some fixed type. It is possible for records to be overlaid on other records and for the pointer structures to be circular. We define an elementary generic algorithm that recursively "chases" pointers and writes "arbitrary" values to the fields declared to contain data. The formal expression of the algorithm is complicated by both mutual recursion and reflexivity, which present technical challenges. We then consider certain "obvious" properties, especially the property that the algorithm does not modify addresses that are "unreachable" from the initial pointer. Because records may be overlaid in the RAM (causing a given address to be treated sometimes as data and other times as a pointer) these obvious properties are true under only certain restrictions. If the restrictions are stated in terms of reachability the proofs are complicated, if not blocked, by the technical issues above. To prove the properties we generalize them by introducing "memory taggings" and formalizing the idea that a given run of the algorithm treats addres...
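The pointer-chasing algorithm and the "unreachable addresses are untouched" property this abstract describes, as an added example in Python that is not code from Moore's paper or from ACL2. The two record types (a tree node and a list cell), the two RAM images and the tagging check are constructed here for illustration. The first image is a well-formed circular list, on which the property holds; the second overlays one node on another node's pointer field, which is exactly the situation the abstract says breaks the "obvious" property: the value written into the overlaid data field is later read back as a pointer, and the chaser wanders into memory that was unreachable in the initial RAM. The tagging recorded during the run (which role each address was used in) flags the conflict directly.

```python
"""Typed records in a flat RAM, a pointer-chasing writer, and the property that
addresses unreachable from the root are never modified.

Added example (not code from Moore's paper): the record layouts, the RAM
images and the tagging check are constructed here for illustration."""
from typing import Dict, List, Set, Tuple

DATA = "data"
NULL = -1

# Declared record types: each field holds data or a pointer to a record of the
# named type.  Constructed layouts (assumption): a binary-tree node and a list cell.
TYPES: Dict[str, List[str]] = {
    "node": [DATA, "node", "node"],  # value, left, right
    "cell": [DATA, "cell"],          # value, next
}


def reachable(ram: List[int], root: int, typ: str) -> Set[int]:
    """Field addresses reachable from root in the *initial* RAM, following only
    fields declared as pointers (reachability in the abstract's sense)."""
    seen: Set[int] = set()
    done: Set[Tuple[int, str]] = set()
    work = [(root, typ)]
    while work:
        base, t = work.pop()
        if base == NULL or (base, t) in done:
            continue
        done.add((base, t))
        for i, f in enumerate(TYPES[t]):
            seen.add(base + i)
            if f != DATA:
                work.append((ram[base + i], f))
    return seen


def chase(ram: List[int], root: int, typ: str, value: int) -> Dict[int, Set[str]]:
    """The generic algorithm in outline: follow pointer fields recursively and
    write `value` into every data field, in place.  Returns a memory tagging:
    for each address touched, the roles ("data"/"pointer") this run used it in.
    Cycles are handled by remembering (address, type) pairs already visited."""
    tags: Dict[int, Set[str]] = {}
    done: Set[Tuple[int, str]] = set()

    def visit(base: int, t: str) -> None:
        if base == NULL or (base, t) in done:
            return
        done.add((base, t))
        for i, f in enumerate(TYPES[t]):
            addr = base + i
            if f == DATA:
                tags.setdefault(addr, set()).add(DATA)
                ram[addr] = value
            else:
                tags.setdefault(addr, set()).add("pointer")
                visit(ram[addr], f)  # read now, after any earlier writes

    visit(root, typ)
    return tags


def modified(before: List[int], after: List[int]) -> Set[int]:
    return {a for a, (x, y) in enumerate(zip(before, after)) if x != y}


def consistent(tags: Dict[int, Set[str]]) -> bool:
    """The tagging restriction: no address used both as data and as a pointer."""
    return all(len(roles) == 1 for roles in tags.values())


def run(ram: List[int], root: int, typ: str, value: int):
    """Chase on a copy; report (only-reachable-addresses-modified,
    tagging-consistent, resulting RAM)."""
    before, after = list(ram), list(ram)
    tags = chase(after, root, typ, value)
    only_reachable = modified(before, after) <= reachable(before, root, typ)
    return only_reachable, consistent(tags), after


# Constructed image 1: circular list cell@0 -> cell@2 -> cell@4 -> cell@0.
LIST_RAM = [7, 2, 8, 4, 9, 0] + [NULL] * 10

# Constructed image 2: node@0 = [data, left, right] whose left child node@2 is
# laid over node@0's right-pointer field, so address 2 is both node@2's data
# field and node@0's right pointer.
OVERLAY_RAM = [5, 2, NULL, NULL, NULL] + [NULL] * 11

if __name__ == "__main__":
    print(run(LIST_RAM, 0, "cell", 42))    # (True, True, ...)
    print(run(OVERLAY_RAM, 0, "node", 10))  # (False, False, ...): writes address 10
```

On the overlay image the chaser writes 10 into address 2 as node@2's data field, then reads address 2 as node@0's right pointer and follows it to address 10, which was unreachable in the initial RAM; the tagging shows address 2 used in both roles, which is the restriction the abstract generalizes into memory taggings.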

A mechanical analysis of program verification strategies

by Sandip Ray - Journal of Automated Reasoning, 2008
Cited by 2 (1 self)
Abstract. We analyze three proof strategies commonly used in deductive verification of deterministic sequential programs formalized with operational semantics. The strategies are: (i) stepwise invariants, (ii) clock functions, and (iii) inductive assertions. We show how to formalize the strategies in the logic of the ACL2 theorem prover. Based on our formalization, we prove that each strategy is both sound and complete. The completeness result implies that given any proof of correctness of a sequential program one can derive a proof in each of the above strategies. The soundness and completeness theorems have been mechanically checked with ACL2.
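The clock-function and stepwise-invariant styles compared in this abstract and in "Proof styles in operational semantics" above, as an added example in Python that is not code from either paper. The five-instruction register machine, the summation program, the clock function, the hand-written invariant and the clock-to-invariant construction (the states on the execution trace up to the clock form an invariant) are all constructed here. The obligation checks enumerate a bounded state space, which only exercises the obligations; ACL2 discharges them for all inputs.

```python
"""Clock-function and stepwise-invariant proofs for an operationally modelled
program.  Added example, not code from Ray's or Moore's papers: the register
machine, the summation program and the bounded obligation checks are
constructed here; a prover discharges the same obligations for all inputs."""
from itertools import product
from typing import Callable, Set, Tuple

State = Tuple[int, int, int]  # (pc, n, acc): registers r0 = n, r1 = acc

PROG = [            # constructed program: acc := n + (n-1) + ... + 1
    ("MOV", 1, 0),  # 0: acc = 0
    ("JZ", 0, 5),   # 1: if n == 0 goto 5
    ("ADD", 1, 0),  # 2: acc += n
    ("SUB", 0, 1),  # 3: n -= 1
    ("JMP", 1),     # 4: goto 1
    ("HALT",),      # 5: halted states are fixed points of step
]

def step(s: State) -> State:
    """Operational semantics: execute the instruction at pc."""
    pc, n, acc = s
    regs, op = [n, acc], PROG[pc]
    if op[0] == "MOV":
        regs[op[1]] = op[2]
        pc += 1
    elif op[0] == "ADD":
        regs[op[1]] += regs[op[2]]
        pc += 1
    elif op[0] == "SUB":
        regs[op[1]] -= op[2]
        pc += 1
    elif op[0] == "JZ":
        pc = op[2] if regs[op[1]] == 0 else pc + 1
    elif op[0] == "JMP":
        pc = op[1]
    return (pc, regs[0], regs[1])

def halted(s: State) -> bool:
    return PROG[s[0]][0] == "HALT"

def run(s: State, k: int) -> State:
    for _ in range(k):
        s = step(s)
    return s

def init(n0: int) -> State:
    return (0, n0, 0)

def post(s: State, n0: int) -> bool:
    return halted(s) and s[2] == n0 * (n0 + 1) // 2

# Clock-function style: name the exact step count to the halt state.
def clock(n0: int) -> int:
    """MOV, then four steps per loop iteration (JZ, ADD, SUB, JMP), then the
    final JZ that leaves the loop."""
    return 4 * n0 + 2

def clock_obligations(n0: int) -> bool:
    """run(init, clock) satisfies post, and clock is tight: one step fewer is
    not yet halted."""
    return post(run(init(n0), clock(n0)), n0) and not halted(run(init(n0), clock(n0) - 1))

# Stepwise-invariant style: a predicate on states preserved by every step.
def inv(s: State, n0: int) -> bool:
    """Hand-written invariant relating acc and n at each program point."""
    pc, n, acc = s
    total = n0 * (n0 + 1) // 2
    if pc == 0:
        return n == n0
    if pc in (1, 2, 4):
        return (1 if pc == 2 else 0) <= n <= n0 and acc == total - n * (n + 1) // 2
    if pc == 3:
        return 1 <= n <= n0 and acc == total - n * (n - 1) // 2
    return pc == 5 and n == 0 and acc == total

def invariant_obligations(inv_fn: Callable[[State, int], bool], n0: int) -> bool:
    """(1) inv holds initially, (2) a step from any inv state reaches an inv
    state, (3) halted inv states satisfy post.  Enumerates every state with
    0 <= n <= n0 and 0 <= acc <= total, a bounded stand-in for the universally
    quantified obligations a prover discharges symbolically."""
    total = n0 * (n0 + 1) // 2
    if not inv_fn(init(n0), n0):
        return False
    for s in product(range(len(PROG)), range(n0 + 1), range(total + 1)):
        if inv_fn(s, n0) and not (post(s, n0) if halted(s) else inv_fn(step(s), n0)):
            return False
    return True

# The clock -> invariant transformation in miniature: the states on the
# execution trace up to clock(n0) steps form a stepwise invariant.
def inv_from_clock(n0: int) -> Callable[[State, int], bool]:
    trace: Set[State] = {run(init(n0), k) for k in range(clock(n0) + 1)}
    return lambda s, _: s in trace
```

The invariant derived from the clock is the strongest one (exactly the trace), which is why the papers can move mechanically from a clock proof to an invariant proof; the hand-written `inv` is weaker (it admits states such as pc 4 with n = n0 that no execution visits) but is still closed under `step`, which is all obligation (2) asks for.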

The FM9001 microprocessor proof

by Matt Kaufmann, 1994
Cited by 1 (0 self)
Abstract not found