A Trustworthy Proof Checker
In Iliano Cervesato, editor, Workshop on the Foundations of Computer Security, 2002
Cited by 31 (7 self)
Abstract: Proof-Carrying Code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems), which adds to our confidence in its correctness.
Coinductive Axiomatization of a Synchronous Language
In Proceedings of Theorem Proving in Higher Order Logics (TPHOLs'98), number 1479 in LNCS, 1998
Cited by 10 (4 self)
Abstract: Over the last decade, the increasing demand for the validation of safety-critical systems has led to the development of domain-specific programming languages (e.g. synchronous languages) and automatic verification tools (e.g. model checkers). Conventionally, the verification of a reactive system is implemented by specifying a discrete model of the system (i.e. a finite-state machine) and then checking this model against temporal properties (e.g. using an automata-based tool). We investigate the use of a theorem prover, Coq, for the specification of infinite-state systems and for the verification of coinductive properties.
Mizar Light for HOL Light
Theorem Proving in Higher Order Logics: TPHOLs 2001, LNCS 2152, 2001
Cited by 9 (3 self)
Abstract: There are two different approaches to formalizing proofs in a computer: the procedural approach (which is the one of the HOL system) and the declarative approach (which is the one of the Mizar system).
Internal Program Extraction in the Calculus of Inductive Constructions
In 6th Argentinian Workshop in Theoretical Computer Science (WAIT'02), 31st JAIIO, 2002
Cited by 1 (1 self)
Abstract: Based on the Calculus of Constructions extended with inductive definitions, we present a Theory of Specifications with rules for simultaneously constructing programs and their correctness proofs. The theory contains types for representing specifications, whose corresponding notion of implementation is that of a pair formed by a program and a correctness proof. The rules of the theory are such that in implementations the program parts appear mixed together with the proof parts. A reduction relation performs the task of separating programs from proofs. Consequently, every implementation computes to a pair composed of a program and a proof of its correctness, and so the program extraction procedure is immediate.
The Proof Monad
Abstract: A formalism for expressing the operational semantics of proof languages used in procedural theorem provers is proposed. It is argued that this formalism provides an elegant way to describe the computational features of proof languages, such as side effects, exception handling, and backtracking. The formalism, called proof monads, finds its roots in category theory, and in particular satisfies the monad laws. It is shown that the framework's monadic operators are related to fundamental tactics and strategies in procedural theorem provers. Finally, the paper illustrates how proof monads can be used to implement semantically clean control structure mechanisms in actual proof languages.
The Steam Boiler Controller Problem in Signal-Coq
1999
Abstract: Among the various formalisms for the design of reactive systems, the Signal-Coq formal approach, i.e. the combined use of the synchronous dataflow language Signal and the proof assistant Coq, seems to be especially suited and practical. Indeed, the deterministic concurrency implied by the synchronous model on which Signal is founded strongly simplifies the specification and the verification of such systems. Moreover, Coq is not limited to some kinds of properties, and so its use makes it possible to disregard what can be checked during the specification stage. In this article, we underline the various features of this Signal-Coq formal approach with a large-scale case study, namely the Steam Boiler problem.
Coercive Subtyping in Lambda-Free Logical Frameworks
Abstract: Coercive subtyping is a powerful approach to subtyping in dependent type theories, but its theoretical properties are often difficult to prove. Lambda-free logical frameworks such as TF have shown themselves to be a powerful tool for investigating the theory of logical frameworks, thanks to the close correspondence between a lambda-free framework and a traditional framework such as LF. We show how a type theory with coercive subtyping may be defined within TF. An operation of typecasting plays the role that coercive application plays in LF. We show that the resulting systems in TF and LF are equivalent, and how several results may be proven more easily in TF and then lifted to LF.