Results 11-20 of 26
Certification of Quantitative Properties of Programs
2003
Cited by 3 (2 self)
In the context of mobile and global computing, knowledge of quantitative properties of programs is particularly important. Here are some typical scenarios:
• A provider of distributed computational power may only be willing to offer this service upon receiving dependable guarantees about the required resource consumption.
• A user of a handheld device, wearable computer, or smart card might want to know that a downloaded application will definitely run within the limited amount of memory available.
• Third-party software updates for mobile phones, household appliances, or car electronics should come with a guarantee not to set system parameters beyond manufacturer-specified safe limits.
Requiring certificates of specified resource consumption will also help to prevent mobile agents from performing denial of service attacks using bona fide host environments as a portal. These lecture notes describe how such quantitative resource-related properties can be inferred automatically using type systems and how the results of such analysis can be turned into unforgeable certificates using a proof-carrying code framework.
A Framework for Verifying Bit-Level Pipelined Machines Based on Automated Deduction and Decision Procedures
Journal of Automated Reasoning, 2006
Cited by 3 (0 self)
We describe an approach to verifying bit-level pipelined machine models using a combination of deductive reasoning and decision procedures. While theorem proving systems such as ACL2 have been used to verify bit-level designs, they typically require extensive expert user support. Decision procedures such as those implemented in UCLID can be used to automatically and efficiently verify term-level pipelined machine models, but these models use numerous abstractions, implement a subset of the instruction set, and are far from executable. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bit-level machine refines its instruction set architecture to a proof that a term-level abstraction of the bit-level machine refines the instruction set architecture, which is then handled automatically by UCLID. We demonstrate the efficiency of our approach by applying it to verify a complex seven-stage bit-level interface pipelined machine model that implements 593 instructions and has features such as branch prediction, exceptions, and predicated instruction execution. Such a proof is not possible using UCLID and would require prohibitively more effort using just ACL2.
A mechanical analysis of program verification strategies
Journal of Automated Reasoning, 2008
Cited by 2 (1 self)
We analyze three proof strategies commonly used in deductive verification of deterministic sequential programs formalized with operational semantics. The strategies are: (i) stepwise invariants, (ii) clock functions, and (iii) inductive assertions. We show how to formalize the strategies in the logic of the ACL2 theorem prover. Based on our formalization, we prove that each strategy is both sound and complete. The completeness result implies that given any proof of correctness of a sequential program one can derive a proof in each of the above strategies. The soundness and completeness theorems have been mechanically checked with ACL2.
Attaching Efficient Executability to Partial Functions in ACL2
5th International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2 2004), 2004
Cited by 2 (1 self)
We describe a macro called defpun-exec to attach executable bodies to partial functions in ACL2. The macro makes use of two features, mbe and defexec, introduced in ACL2 from version 2.8, that afford a clean separation of execution efficiency from logical elegance.
Using Theorem Proving and Algorithmic Decision Procedures for Large-Scale System Verification
2005
Cited by 1 (0 self)
To the few people who believed I could do it even when I myself didn’t Acknowledgments This dissertation has been shaped by many people, including my teachers, collaborators, friends, and family. I would like to take this opportunity to acknowledge the influence they have had in my development as a person and as a scientist. First and foremost, I wish to thank my advisor J Strother Moore. J is an amazing advisor, a marvellous collaborator, an insightful researcher, an empathetic teacher, and a truly great human being. He gave me just the right balance of freedom, encouragement, and direction to guide the course of this research. My stimulating discussions with him made the act of research an experience of pure enjoyment, and helped pull me out of many low ebbs. At one point I used to believe that whenever I was stuck with a problem one meeting with J would get me back on track. Furthermore, my times together with J and Jo during Thanksgivings and other occasions always made me feel part of his family. There was no problem, technical or otherwise, that I could not discuss with J, and there was no time when
Theory for Software Verification
2009
Cited by 1 (0 self)
Semantic models are the basis for specification and verification of software. Operational, denotational, and axiomatic or algebraic methods offer complementary insights and reasoning techniques which are surveyed here. Unifying theories are needed to link models. Also considered are selected programming features for which new models are needed.
Toward the Verification of a Simple Hypervisor
Virtualization promises significant benefits in security, efficiency, dependability, and cost. Achieving these benefits depends upon the reliability of the underlying virtual machine monitors (hypervisors). This paper describes an ongoing project to develop and verify MinVisor, a simple but functional Type-I x86 hypervisor, proving protection properties at the assembly level using ACL2. Originally based on an existing research hypervisor, MinVisor provides protection of its own memory from a malicious guest. Our long-term goal is to fully verify MinVisor, providing a vehicle to investigate the modeling and verification of hypervisors at the implementation level, and also a basis for further systems research. Functional segments of the MinVisor C code base are translated into Y86 assembly, and verified with respect to the Y86 model. The inductive assertions (also known as “compositional cutpoints”) methodology is used to prove the correctness of the code. The proof of the code that sets up the nested page tables is described. We compare this project to related efforts in systems code verification and outline some useful steps forward.
Mechanized Operational Semantics: The M Story
In this paper we explain how to formalize an “operational” or “state-transition” semantics of a von Neumann programming language in a functional programming language. By adopting an “interpretive” style, one can execute the model in the functional language to “run” programs in the von Neumann language. Given the ability to reason about the functional language, one can use the model to reason about programs in the von Neumann language. In theory at least, such a formal semantics thus has a dual use: as a simulation engine and as an axiomatic basis for code proofs. The beauty of this approach is that no more logical machinery is needed than to support execution and proof in a functional language: no new program logics and no new metalogical tools like “verification condition generators” are needed. In this paper we will illustrate the techniques by formalizing a simple programming language called “M1,” for “Machine (or Model) 1.” It is loosely based on the Java Virtual Machine but has been simplified for pedagogical purposes. We will demonstrate the executability of M1 models. We will develop several styles of code proofs, including direct (symbolic simulation) proofs based on Boyer-Moore “clock functions” and Floyd-Hoare inductive assertion proofs. We construct proofs only for the simplest of programs, namely an iterative factorial example. But to illustrate a more realistic use of the model, we discuss the correctness proof for an M1 implementation of the Boyer-Moore fast string searching algorithm. We also define a compiler for a higher-level language called “J1” and show how to do proofs about J1 code without benefit of a formal semantics for that code. Throughout we use the ACL2 logic and theorem proving system.
A Program Logic for Resources
We introduce a reasoning infrastructure for proving statements on resource consumption in an abstract fragment of the Java Virtual Machine Language (JVML). The infrastructure is based on a small hierarchy of program logics, with increasing levels of abstraction: at the top there is a type system for a high-level language that encodes resource consumption. The infrastructure is designed to be used in a proof-carrying code (PCC) scenario, where mobile programs can be equipped with formal evidence that they have good resource behaviour. This article presents the core logic in our infrastructure, a VDM-style program logic for partial correctness, that can make statements about resource consumption in a general form. We establish some important results for this logic, including soundness and completeness with respect to a resource-aware operational semantics for the JVML. We also present a second logic built on top of the core logic, which is used to express termination; it is also shown to be sound and complete. The entire infrastructure has been formalised in the theorem prover Isabelle/HOL, both to enhance confidence in the meta-theoretical results, and to provide a prototype implementation for PCC. We give examples to show the usefulness of this approach, including proofs of resource bounds on code resulting from compiling high-level functional programs.