Results 11  20
of
60
Proof Checking Technology for Satisfiability Modulo Theories
"... A common proof format for solvers for Satisfiability Modulo Theories (SMT) is proposed, based on the Edinburgh Logical Framework (LF). Two problems arise: checking very large proofs, and keeping proofs compact in the presence of complex side conditions on rules. Incremental checking combines parsing ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
(Show Context)
A common proof format for solvers for Satisfiability Modulo Theories (SMT) is proposed, based on the Edinburgh Logical Framework (LF). Two problems arise: checking very large proofs, and keeping proofs compact in the presence of complex side conditions on rules. Incremental checking combines parsing and proof checking in a single step, to avoid building inmemory representations of proof subterms. LF with Side Conditions (LFSC) extends LF to allow side conditions to be expressed using a simple firstorder functional programming language. Experimental data with an implementation show very good proof checking times and memory usage on benchmarks including the important example of resolution inferences.
Using Program Checking to Ensure the Correctness of Compiler Implementations
 Journal of Universal Computer Science (J.UCS
, 2003
"... Abstract: We evaluate the use of program checking to ensure the correctness of compiler implementations. Our contributions in this paper are threefold: Firstly, we extend the classical notion of blackbox program checking to program checking with certificates. Our checking approach with certificates ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
Abstract: We evaluate the use of program checking to ensure the correctness of compiler implementations. Our contributions in this paper are threefold: Firstly, we extend the classical notion of blackbox program checking to program checking with certificates. Our checking approach with certificates relies on the observation that the correctness of solutions of NPcomplete problems can be checked in polynomial time whereas their computation itself is believed to be much harder. Our second contribution is the application of program checking with certificates to optimizing compiler backends, in particular code generators, thus answering the open question of how program checking for such compiler backends can be achieved. In particular, we state a checking algorithm for code generation based on bottomup rewrite systems from static single assignment representations. We have implemented this algorithm in a checker for a code generator used in an industrial project. Our last contribution in this paper is an integrated view on all compiler passes, in particular a comparison between frontend and backend phases, with respect to the applicable methods of program checking.
A prooftheoretic foundation for tabled higherorder logic programming
 18th International Conference on Logic Programming
, 2002
"... logic programming ..."
(Show Context)
Small Witnesses for Abstract Interpretationbased Proofs
"... Abstract. Abstract interpretationbased proof carrying code uses postfixpoints of abstract interpretations to witness that a program respects a safety policy. Some witnesses carry more information than needed and are therefore unnecessarily large. We introduce a notion of size of a witness and propo ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Abstract interpretationbased proof carrying code uses postfixpoints of abstract interpretations to witness that a program respects a safety policy. Some witnesses carry more information than needed and are therefore unnecessarily large. We introduce a notion of size of a witness and propose techniques for reducing the size of such certificates. For distributive analyses, we show that a smallest witness exist and we give an iterative algorithm for computing it. For nondistributive analyes we propose a technique for pruning a witness and illustrate this pruning on a relational, polyhedrabased analysis. Finally, only the existence of a witness is needed to assure the code consumer of the safety of a given program. This makes possible a compression technique of witnesses where only part of a witness is sent together with an encoding of the iterative steps necessary to prove that it is part of a postfixpoint. 1
Reduced Certificates for AbstractionCarrying Code
 In Proc. of ICLP 2006
, 2005
"... Abstract. AbstractionCarrying Code (ACC) has recently been proposed as a framework for mobile code safety in which the code supplier provides a program together with an abstraction whose validity entails compliance with a predefined safety policy. The abstraction plays thus the role of safety certi ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
(Show Context)
Abstract. AbstractionCarrying Code (ACC) has recently been proposed as a framework for mobile code safety in which the code supplier provides a program together with an abstraction whose validity entails compliance with a predefined safety policy. The abstraction plays thus the role of safety certificate and its generation is carried out automatically by a fixedpoint analyzer. The advantage of providing a (fixedpoint) abstraction to the code consumer is that its validity is checked in a single pass of an abstract interpretationbased checker. A main challenge is to reduce the size of certificates as much as possible while at the same time not increasing checking time. We introduce the notion of reduced certificate which characterizes the subset of the abstraction which a checker needs in order to validate (and reconstruct) the full certificate in a single pass. Based on this notion, we instrument a generic analysis algorithm with the necessary extensions in order to identify the information relevant to the checker. We also provide a correct checking algorithm together with sufficient conditions for ensuring its completeness. The experimental results within the CiaoPP system show that our proposal is able to greatly reduce the size of certificates in practice. 1
Functional Pearl: Every Bit Counts
"... We show how the binary encoding and decoding of typed data and typed programs can be understood, programmed, and verified with the help of questionanswer games. The encoding of a value is determined by the yes/no answers to a sequence of questions about that value; conversely, decoding is the inter ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
We show how the binary encoding and decoding of typed data and typed programs can be understood, programmed, and verified with the help of questionanswer games. The encoding of a value is determined by the yes/no answers to a sequence of questions about that value; conversely, decoding is the interpretation of binary data as answers to the same question scheme. We introduce a general framework for writing and verifying gamebased codecs. We present games for structured, recursive, polymorphic, and indexed types, building up to a representation of welltyped terms in the simplytyped λcalculus. The framework makes novel use of isomorphisms between types in the definition of games. The definition of isomorphisms together with additional simple properties make it easy to prove that codecs derived from games never encode two distinct values using the same code, never decode two codes to the same value, and interpret any bit sequence as a valid code for a value or as a prefix of a valid code.
AbstractionCarrying Code: A Model for Mobile Code Safety
 New Generation Computing
, 2008
"... Abstract ProofCarrying Code (PCC) is a general approach to mobile code safety in which programs are augmented with a certificate (or proof). The intended benefit is that the program consumer can locally validate the certificate w.r.t. the “untrusted ” program by means of a certificate checker—a pro ..."
Abstract

Cited by 6 (5 self)
 Add to MetaCart
(Show Context)
Abstract ProofCarrying Code (PCC) is a general approach to mobile code safety in which programs are augmented with a certificate (or proof). The intended benefit is that the program consumer can locally validate the certificate w.r.t. the “untrusted ” program by means of a certificate checker—a process which should be much simpler, efficient, and automatic than generating the original proof. The practical uptake of PCC greatly depends on the existence of a variety of enabling technologies which allow both proving programs correct and replacing a costly verification process by an efficient checking procedure on the consumer side. In this work we propose AbstractionCarrying Code (ACC), a novel approach which uses abstract interpretation as enabling technology. We argue that the large body of applications of abstract interpretation to program verification is amenable to the overall PCC scheme. In particular, we rely on an expressive class of safety policies which can be defined over different abstract domains. We use an abstraction (or abstract model) of the program computed by standard static analyzers as a certificate. The validity of the abstraction on the consumer side is checked in a single pass by a very efficient and specialized abstractinterpreter. We believe that ACC brings the expressiveness, flexibility and automation which is inherent in abstract interpretation techniques to the area of mobile code safety.
Verified heap theorem prover by paramodulation. in preparation
, 2011
"... We present VeriStar, a verified theorem prover for a decidable subset of separation logic. Together with VeriSmall [2], a provedsound Smallfootstyle program analysis for C minor, VeriStar demonstrates that fully machinechecked static analyses equipped with efficient theorem provers are now within ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
We present VeriStar, a verified theorem prover for a decidable subset of separation logic. Together with VeriSmall [2], a provedsound Smallfootstyle program analysis for C minor, VeriStar demonstrates that fully machinechecked static analyses equipped with efficient theorem provers are now within the reach of formal methods. As a pair, VeriStar and VeriSmall represent the first application of the Verified Software Toolchain [3], a tightly integrated collection of machineverified program logics and compilers giving foundational correctness guarantees. VeriStar is (1) purely functional, (2) machinechecked, (3) endtoend, (4) efficient and (5) modular. By purely functional, we mean it is implemented in Gallina, the pure functional programming language embedded in the Coq theorem prover. By machinechecked, we mean it has a proof in Coq that when the prover says “valid”, the checked entailment holds in a provedsound separation logic for C minor. By endtoend, we mean that when the static analysis+theorem prover says a C minor program is safe, the program will be compiled to a semantically equivalent assembly program that runs on real hardware. By efficient, we mean that the prover implements a stateoftheart algorithm for deciding heap entailments and uses highly tuned verified functional data structures. By modular, we mean that VeriStar can be retrofitted to other static analyses as a plugcompatible entailment checker and its soundness proof can easily be ported to other separation logics.
A costeffective foundational certified code system
, 2005
"... Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with pr ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with practicality along two dimensions — the intellectual effort to engineer the proofs, and the resource usage by the machine in verifying these proofs. Thus, we factor the proof that a particular program is safe to execute into two parts, a generic part and a program–specific part. These parts are linked by a mediating logic, typically a type system, which we call the safety condition. Consequently, we must prove that all programs that satisfy this condition are safe to execute, and then, we prove that the particular program satisfies this safety condition. Moreover, each of these proofs must be done in a cost–effective manner. In previous work, we have described a machine–checkable proof for the first part, based on defining an operational semantics in LF and using the Twelf metalogic. For the second part, experience has shown that proof terms for a reasonable logic, or type system, are too big to generate, send across the network, and check. We wish to check adherence to the safety condition by an untrusted functional program. It remains to prove (in a machine–checkable manner) that the program implements the logic specified in a LF signature. We propose to accomplish this by static typechecking. We have designed an expressive type system using dependent refinements for this purpose. 1
Formal Verification By Reverse Synthesis
"... Abstract. In this paper we describe Echo, a novel yet practical approach to the formal verification of implementations. Echo splits verification into two major parts. The first part verifies an implementation against a lowlevel specification. The second uses a technique called reverse synthesis to ..."
Abstract

Cited by 5 (5 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we describe Echo, a novel yet practical approach to the formal verification of implementations. Echo splits verification into two major parts. The first part verifies an implementation against a lowlevel specification. The second uses a technique called reverse synthesis to extract a highlevel specification from the lowlevel specification. The extracted specification is proved to imply the original system specification. Much of Echo is automated, and it reduces the verification burden by distributing it over separate tools and techniques. Reverse synthesis is achieved largely by mechanically applying a variety of semanticspreserving transformations, including complexityreducing transformations, which can be viewed as optimizing the program for verification rather than for size or speed. We give a detailed example of Echo, verifying an implementation of the Advanced Encryption Standard (AES) against the official specification of AES.