Results 1  10
of
10
Formalizing the LLVM Intermediate Representation for Verified Program Transformations
 In 39th ACM SIGACTSIGPLAN Symposium on Principles of Programming Languages (POPL
, 2012
"... This paper presents Vellvm (verified LLVM), a framework for reasoning about programs expressed in LLVM’s intermediate representation and transformations that operate on it. Vellvm provides a mechanized formal semantics of LLVM’s intermediate representation, its type system, and properties of its SSA ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
This paper presents Vellvm (verified LLVM), a framework for reasoning about programs expressed in LLVM’s intermediate representation and transformations that operate on it. Vellvm provides a mechanized formal semantics of LLVM’s intermediate representation, its type system, and properties of its SSA form. The framework is built using the Coq interactive theorem prover. It includes multiple operational semantics and proves relations among them to facilitate different reasoning styles and proof techniques. To validate Vellvm’s design, we extract an interpreter from the Coq formal semantics that can execute programs from LLVM test suite and thus be compared against LLVM reference implementations. To demonstrate Vellvm’s practicality, we formalize and verify a previously proposed transformation that hardens C programs against spatial memory safety violations. Vellvm’s tools allow us to extract a new, verified implementation of the transformation pass that plugs into the real LLVM infrastructure; its performance is competitive with the nonverified, adhoc original. Categories and Subject Descriptors D.2.4 [Software Engineering]:
Machineverified network controllers
 In PLDI
, 2013
"... In many areas of computing, techniques ranging from testing to formal modeling to fullblown verification have been successfully used to help programmers build reliable systems. But although networks are critical infrastructure, they have largely resisted analysis using formal techniques. Softwared ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
In many areas of computing, techniques ranging from testing to formal modeling to fullblown verification have been successfully used to help programmers build reliable systems. But although networks are critical infrastructure, they have largely resisted analysis using formal techniques. Softwaredefined networking (SDN) is a new network architecture that has the potential to provide a foundation for network reasoning, by standardizing the interfaces used to express network programs and giving them a precise semantics. This paper describes the design and implementation of the first machineverified SDN controller. Starting from the foundations, we develop a detailed operational model for OpenFlow (the most popular SDN platform) and formalize it in the Coq proof assistant. We then use this model to develop a verified compiler and runtime system for a highlevel network programming language. We identify bugs in existing languages and tools built without formal foundations, and prove that these bugs are absent from our system. Finally, we describe our prototype implementation and our experiences using it to build practical applications.
Verified heap theorem prover by paramodulation. in preparation
, 2011
"... We present VeriStar, a verified theorem prover for a decidable subset of separation logic. Together with VeriSmall [2], a provedsound Smallfootstyle program analysis for C minor, VeriStar demonstrates that fully machinechecked static analyses equipped with efficient theorem provers are now within ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
We present VeriStar, a verified theorem prover for a decidable subset of separation logic. Together with VeriSmall [2], a provedsound Smallfootstyle program analysis for C minor, VeriStar demonstrates that fully machinechecked static analyses equipped with efficient theorem provers are now within the reach of formal methods. As a pair, VeriStar and VeriSmall represent the first application of the Verified Software Toolchain [3], a tightly integrated collection of machineverified program logics and compilers giving foundational correctness guarantees. VeriStar is (1) purely functional, (2) machinechecked, (3) endtoend, (4) efficient and (5) modular. By purely functional, we mean it is implemented in Gallina, the pure functional programming language embedded in the Coq theorem prover. By machinechecked, we mean it has a proof in Coq that when the prover says “valid”, the checked entailment holds in a provedsound separation logic for C minor. By endtoend, we mean that when the static analysis+theorem prover says a C minor program is safe, the program will be compiled to a semantically equivalent assembly program that runs on real hardware. By efficient, we mean that the prover implements a stateoftheart algorithm for deciding heap entailments and uses highly tuned verified functional data structures. By modular, we mean that VeriStar can be retrofitted to other static analyses as a plugcompatible entailment checker and its soundness proof can easily be ported to other separation logics.
Formal verification of a C value analysis based on abstract interpretation
 In Proc. of Static Analysis Symposium (SAS
, 2013
"... Abstract. Static analyzers based on abstract interpretation are complex pieces of software implementing delicate algorithms. Even if static analysis techniques are well understood, their implementation on real languages is still errorprone. This paper presents a formal verification using the Coq pr ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. Static analyzers based on abstract interpretation are complex pieces of software implementing delicate algorithms. Even if static analysis techniques are well understood, their implementation on real languages is still errorprone. This paper presents a formal verification using the Coq proof assistant: a formalization of a value analysis (based on abstract interpretation), and a soundness proof of the value analysis. The formalization relies on generic interfaces. The mechanized proof is facilitated by a translation validation of a Bourdoncle fixpoint iterator. The work has been integrated into the CompCert verified Ccompiler. Our verified analysis directly operates over an intermediate language of the compiler having the same expressiveness as C. The automatic extraction of our value analysis into OCaml yields a program with competitive results, obtained from experiments on a number of benchmarks and comparisons with the FramaC tool. 1
Endtoend multilevel hybrid information flow control  Coq development
, 2012
"... Abstract. We present models and soundness results for hybrid information flow, i.e. for mechanisms that enforce noninterferencestyle security guarantees using a combination of static analysis and dynamic taint tracking. Our analysis has the following characteristics: (i) we formulate hybrid informa ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. We present models and soundness results for hybrid information flow, i.e. for mechanisms that enforce noninterferencestyle security guarantees using a combination of static analysis and dynamic taint tracking. Our analysis has the following characteristics: (i) we formulate hybrid information flow as an endtoend property, in contrast to disruptive monitors that prematurely terminate or otherwise alter an execution upon detecting a potentially illicit flow; (ii) our security notions capture the increased precision that is gained when static analysis is combined with dynamic enforcement; (iii) we introduce path tracking to incorporate a form of terminationsensitivity, and (iv) develop a novel variant of purely dynamic tracking that ignores indirect flows; (v) our work has been formally verified, by a comprehensive representation in the theorem prover Coq. 1
A Certificate Infrastructure for MachineChecked Proofs of Conditional Information Flow
"... Abstract. In previous work, we have proposed a compositional framework for stating and automatically verifying complex conditional information flow policies using a relational Hoare logic. The framework allows developers and verifiers to work directly with the source code using sourcelevel code con ..."
Abstract
 Add to MetaCart
Abstract. In previous work, we have proposed a compositional framework for stating and automatically verifying complex conditional information flow policies using a relational Hoare logic. The framework allows developers and verifiers to work directly with the source code using sourcelevel code contracts. In this work, we extend that approach so that the algorithm for verifying code compliance to an information flow contract emits formal certificates of correctness that are checked in the Coq proof assistant. This framework is implemented in the context of SPARK – a subset of Ada that has been used in a number of industrial contexts for implementing certified safety and security critical systems. 1
Constructing Hereditary Worlds Within Worlds
"... Abstract. Although they appear unrelated, the type system of the polymorphic λcalculus with references and the assertions of concurrent separation logic with firstclass locks share a critical feature: an unsound contravariant circularity in their naïve semantic model. We developed indirection theo ..."
Abstract
 Add to MetaCart
Abstract. Although they appear unrelated, the type system of the polymorphic λcalculus with references and the assertions of concurrent separation logic with firstclass locks share a critical feature: an unsound contravariant circularity in their naïve semantic model. We developed indirection theory to automatically construct, and cleanly axiomatize, stepindexed approximations to these naïve models, as well as a large number of others [HDA10b]. Unfortunately, the previous axiomatization had a flaw. One is usually only interested in using hereditary predicates: those which are closed under the action of approximation. As previously presented, indirection theory allows nonhereditary predicates to exist in certain parts of the construction. Although not fatal, this flaw requires workarounds that are not entirely obvious to the uninitiated. We correct this flaw by presenting a new axiomatization of indirection theory that only permits heredity predicates and show that the new interface is sound by constructing a model. The new axiomatization is somewhat more subtle than the previous one, but it retains the same flavor, cleanliness, and metatheoretic properties. In contrast, the new construction is markedly more complex, especially in a mechanized context. Indeed, our Coq mechanization is one of our key contributions, and accordingly we present it in considerable detail. 1
VeriSmall: Verified Smallfoot Shape Analysis
, 2011
"... Abstract. We have implemented a version of the Smallfoot shape analyzer, calling upon a paramodulationbased heap theorem prover. Our implementation is done in Coq and is extractable to an efficient ML program. The program is verified correct in Coq with respect to our Separation Logic for C minor; ..."
Abstract
 Add to MetaCart
Abstract. We have implemented a version of the Smallfoot shape analyzer, calling upon a paramodulationbased heap theorem prover. Our implementation is done in Coq and is extractable to an efficient ML program. The program is verified correct in Coq with respect to our Separation Logic for C minor; this in turn is proved correct in Coq w.r.t. Leroy’s operational semantics for C minor. Thus when our VeriSmall static analyzer claims some shape property of a program, an endtoend machinechecked proof guarantees that the assembly language of the compiled program will actually have that property. A static analysis algorithm or type checker takes as input a program, and checks that the program satisfies a certain assertion—or in some cases calculates an appropriate assertion. A static analysis algorithm is sound if, whenever it calculates syntactically that the program satisfies a certain assertion, then the corresponding property really does hold on executions of the program. One way to prove soundness is to demonstrate that whenever the static analysis makes a claim, then there is a derivation tree in a given program logic that the assertion is valid for the program. Some implementations of
Guiding a General Purpose C Verifier to Prove . . .
"... We describe how to verify security properties of C code for cryptographic protocols by using a generalpurpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detec ..."
Abstract
 Add to MetaCart
We describe how to verify security properties of C code for cryptographic protocols by using a generalpurpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; decoration of a crypto API with contracts based on symbolic terms; and expression of the attacker model in terms of C programs. We rely on the generalpurpose verifier VCC; we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC.
Mostly Sound Type System Improves a Foundational Program Verifier
"... Abstract. We integrate a verified typechecker with a verified program logic for the C language, proved sound with respect to the operational semantics of the CompCert verified optimizing C compiler. The C language is known to not be typesafe but we show the value of a provably mostly sound type sys ..."
Abstract
 Add to MetaCart
Abstract. We integrate a verified typechecker with a verified program logic for the C language, proved sound with respect to the operational semantics of the CompCert verified optimizing C compiler. The C language is known to not be typesafe but we show the value of a provably mostly sound type system: integrating the typechecker with the program logic makes the logic significantly more usable. The computational nature of our typechecker (within Coq) makes program proof much more efficient. We structure the system so that symbolic execution—even tactical (nonreflective) symbolic execution—can keep the type context and typechecking always in reified form, to avoid expensive rereification. 1