Results 1 - 10 of 13
A verification environment for sequential imperative programs in Isabelle/HOL
Logic for Programming, AI, and Reasoning, volume 3452 of LNAI, 2005
Cited by 19 (1 self)
Abstract. We develop a general language model for sequential imperative programs together with a Hoare logic. We instantiate the framework with common programming language constructs and integrate it into Isabelle/HOL, to gain a usable and sound verification environment.
Using automated theorem provers to certify auto-generated aerospace software
In Proc. of Int. Joint Conf. On Automated Reasoning (IJCAR'04), volume 3097 of LNCS, 2004
Cited by 18 (6 self)
Abstract. We describe a system for the automated certification of safety properties of NASA software. The system uses Hoare-style program verification technology to generate proof obligations which are then processed by an automated first-order theorem prover (ATP). For full automation, however, the obligations must be aggressively preprocessed and simplified. We describe the unique requirements this places on the ATP and demonstrate how the individual simplification stages, which are implemented by rewriting, influence the ability of the ATP to solve the proof tasks. Experiments on more than 25,000 tasks were carried out using Vampire, Spass, and e-setheo.
Inference rules for programming languages with side effects in expressions
In International Conference on Theorem Proving in Higher Order Logics, 1996
Cited by 14 (2 self)
Abstract. Much of the work on verifying software has been done on simple, often artificial, languages or subsets of existing languages to avoid difficult details. In trying to verify a secure application written in C, we have encountered and overcome some semantically complicated uses of the language. We present inference rules for assignment statements with pre- and postevaluation side effects and while loops with arbitrary pre-evaluation side effects in the test expression. We also discuss the need to abstract the semantics of program functions and present an inference rule for abstraction.
An empirical evaluation of automated theorem provers in software certification
International Journal of AI Tools, 2004
Cited by 12 (7 self)
We describe a system for the automated certification of safety properties of NASA software. The system uses Hoare-style program verification technology to generate proof obligations which are then processed by an automated first-order theorem prover (ATP). We discuss the unique requirements this application places on the ATPs, focusing on automation, proof checking, and usability. For full automation, however, the obligations must be aggressively preprocessed and simplified, and we demonstrate how the individual simplification stages, which are implemented by rewriting, influence the ability of the ATPs to solve the proof tasks. Our results are based on 13 certification experiments that lead to more than 25,000 proof tasks which have each been attempted by Vampire, Spass, e-setheo, and Otter. The proofs found by Otter have been proof-checked by IVY.
Generation of verification conditions for Abadi and Leino's Logic of Objects (Extended Abstract)
2002
Infrastructure for Proof-Referencing Code
In Proceedings, Workshop on Foundations of Secure Mobile Code, 1997
Cited by 6 (1 self)
We discuss ideas for using the Higher-Order Logic (HOL) theorem-proving system as an infrastructure for programs that reference or carry proofs of their correctness. Such programs, which we call Proof-Referencing Code (PRC), could be useful or even essential for applications where security of mobile code is important, but where authentication is impractical and runtime checking is expensive. We propose an experiment to determine if PRC can be used to provide a flexible approach to providing security and performance in a more general context than has been shown before. Our goal is to develop a new kind of runtime system based on PRC.
1 Trust but Verify
A key collection of trade-offs for mobile code concerns the overhead involved in locally executing programs that are potentially untrusted. There are three possible approaches: (1) trust anyone, (2) trust only your friends, and (3) (trust but) verify. In general the first option will make sense only when a community is small (for instan...
Axiomatic Semantics Verification of a Secure Web Server
1998
Cited by 4 (1 self)
We formally verify that a particular web server written in C is secure, that is, a remote user cannot get files he shouldn't or change the server's files. Although the code was thoroughly reviewed and tested, the verification located some heretofore unknown behavioral weaknesses. To verify this code, we invented new inference rules for reasoning about expressions with side effects, which occur often in C. We also formalized aspects of Unix file systems and processes, operating system and library calls, parts of the C language, and security properties. We propose an architecture for a software verification system which could be widely useful, and argue that our proof demonstrates that real world software written in real world languages can be verified.
Intel Specification Sheets. 2000. Downloaded from the http://developer.intel.com
In Proceedings of 3rd IEEE International Conference on Software Engineering and Formal Methods, IEEE Computer Society, 2005
Cited by 1 (1 self)
This paper describes a technique that combines algebraic specifications and monads to build derivative verification condition generators (VCGs) by extending a base VCG. Extensions are compositional and can be stacked while the base VCG is left unchanged. The technique can be used to build a set of weaker VCGs, which are useful to support lightweight verification. Moreover, it enables us to add an ability to generate validation traces. The paper explains the technique through an example that extends a simple language L0 with new constructs to handle exceptions. To deal with exceptions, not only does the logic of L0 have to be extended with new rules; its structure also needs to be changed. We show that using our technique the extension can be implemented in a simple and compositional way, without any change to the underlying logic.
Representation and Validation of Mechanically Generated Proofs Final Report
Introduction
The goal of this project was to demonstrate the feasibility of the independent and trusted validation of the proofs generated by existing theorem provers. Our intention was to design, implement and formally verify a proof checking program for HOL [5] generated proofs. A proof checker can be much simpler than a full theorem prover such as HOL as it is only concerned with checking existing proofs rather than searching for or generating them. Our work has clearly demonstrated the feasibility of this approach. In particular, the main achievements of the project are as follows.
- We have developed a computer representation suitable for communicating large, formal, machine generated proofs.
- We have modified the HOL system to allow primitive inference proofs to be recorded in the above format.
- We have formalised, within the HOL theorem proving system, theories of higher-order logic, Hilb
Formal Verification of Secure Programs in the Presence of Side Effects
Proceedings of the Thirty-First Annual Hawaii International Conference on System Sciences (HICSS-31), volume III, 1998
Much software is written in industry standard programming languages, but these languages often have complex semantics making them hard to formalize. For example, the use of expressions with side effects is common in C programs. We present new inference rules for conditional (if) statements and looping constructs (while) with pre- and postevaluation side effects in their test expressions. These inference rules allow us to formally reason about the security properties of programs. We maintain that formal verification of secure programs written in common languages is feasible and can be worthwhile. To support our claim, we give an example of how our verification of a secure web server uncovered some previously unknown problems. Automated theorem proving assistants can help deal with complex inference rules, but many components must be brought together to make a broadly useful system. We propose elements of a formal verification system which could be widely useful.
1. Introduction
We ...

