Results 1-9 of 9
A Mechanically Verified Language Implementation
Journal of Automated Reasoning, 1989
Abstract

Cited by 50 (2 self)
contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of Computational Logic, Inc., the Defense Advanced Research Projects Agency or the U.S. Government. This paper briefly describes a programming language, its implementation on a microprocessor via a compiler and link-assembler, and the mechanically checked proof of the correctness of the implementation. The programming language, called Piton, is a high-level assembly language designed for verified applications and as the target language for high-level language compilers. It provides execute-only programs, recursive subroutine call and return, stack-based parameter passing, local variables, global variables and arrays, a user-visible stack for intermediate results, and seven abstract data types including integers, data addresses, program addresses and subroutine names. Piton is formally specified by an interpreter written for it in the computational logic of Boyer and Moore. Piton has been implemented on the FM8502, a general purpose microprocessor whose gate-level design has been mechanically proved to implement its machine code interpreter. The FM8502 implementation of Piton is via a function in the Boyer-Moore logic which maps a Piton initial state into an FM8502 binary core image. The compiler and link-assembler are all defined as functions in the logic. The implementation requires approximately 36K bytes and 1,400 lines of pretty-printed source code in the Pure Lisp-like syntax of the logic. The implementation has been mechanically proved correct. In particular, if a Piton state can be run to completion without error, then the final values of all the global data structures can be ascertained from an inspection of an FM8502 core image obtained by running the core image produced by the compiler and link-assembler. Thus, verified Piton programs running on FM8502 can be thought of as having been verified down to the gate level.
Modular Data Structure Verification
EECS Department, Massachusetts Institute of Technology, 2007
Abstract

Cited by 36 (21 self)
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higher-order logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to first-order logic, which enables the use of existing resolution-based theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
A mechanically verified code generator
Journal of Automated Reasoning, 1989
Abstract

Cited by 31 (1 self)
in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of Computational
A Verified Operating System Kernel
University of Texas at Austin, 1987
Abstract

Cited by 30 (1 self)
We present a multitasking operating system kernel, called KIT, written in the machine language of a uniprocessor von Neumann computer. The kernel is proved to implement, on this shared computer, a fixed number of conceptually distributed communicating processes. In addition to implementing processes, the kernel provides the following verified services: process scheduling, error handling, message passing, and an interface to asynchronous devices. The problem is stated in the Boyer-Moore logic, and the proof is mechanically checked with the Boyer-Moore theorem prover.
Modular Pluggable Analyses for Data Structure Consistency
IEEE Transactions on Software Engineering, 2006
Abstract

Cited by 27 (9 self)
We describe a technique that enables the focused application of multiple analyses to different modules in the same program. In our approach, each module encapsulates one or more data structures and uses membership in abstract sets to characterize how objects participate in data structures. Each analysis verifies that the implementation of the module 1) preserves important internal data structure consistency properties and 2) correctly implements an interface that uses formulas in a set algebra to characterize the effects of operations on the encapsulated data structures. Collectively, the analyses use the set algebra to 1) characterize how objects participate in multiple data structures and to 2) enable the inter-analysis communication required to verify properties that depend on multiple modules analyzed by different analyses.
A Verified Code Generator For A Subset Of Gypsy
1988
Abstract

Cited by 22 (4 self)
A VERIFIED CODE GENERATOR FOR A SUBSET OF GYPSY. Publication No. William David Young, Ph.D. The University of Texas at Austin, 1988. Supervising Professors: Robert S. Boyer, J Strother Moore. This report describes the specification and mechanical proof of a code generator for a subset of Gypsy 2.05 called Micro-Gypsy. Micro-Gypsy is a high-level language containing many of the Gypsy control structures, simple data types and arrays, and predefined and user-defined procedure definitions including recursive procedure definitions. The language is formally specified by a recognizer and interpreter written as functions in the Boyer-Moore logic. The target language for the Micro-Gypsy code generator is the Piton high-level assembly language verified by J Moore to be correctly implemented on the FM8502 hardware. The semantics of Piton is specified by another interpreter written in the logic. A Boyer-Moore function maps a Micro-Gypsy state containing program and data structures into an initial Pit...
Comparing Gypsy and the Boyer-Moore logic for specifying secure systems
1987
Abstract

Cited by 2 (1 self)
The Gypsy Verification Environment (GVE) [1, 2] is one of two systems endorsed by the National Computer Security Center for use in meeting the verification requirements for an A1 level evaluation as outlined in the Trusted Computer Systems Evaluation Criteria [3]. Gypsy has been used extensively in secure systems specification and verification projects including the Encrypted Packet Interface [4], Message Flow Modulator [5], Honeywell SCOMP [6], Honeywell SAT [7], and ACCAT Guard [8]. The Boyer-Moore theorem prover has also seen extensive use in the security arena. It has been used as a component of the HDM verification system [9] on KSOS [10], SCOMP, and SACDIN [11]. Yet the ways in which these two systems are currently used in secure system development efforts are quite different. The GVE is utilized as a fully integrated verification environment. The Gypsy language is used for constructing code and specification; verification conditions are generated and proved in the GVE proof checker; and, in some cases, the Gypsy code is compiled and run. The Boyer-Moore system, on the other hand, is used only as the proof checker for verification conditions generated from specifications written in some high-level language such as Special. This is true despite the fact that the Boyer-Moore logic contains a fully executable functional programming language. The Boyer-Moore system has been used not only to state and prove theorems in traditional mathematical domains such as number theory and recursive function theory, but also to specify and prove the
Comparing Specification Paradigms: Gypsy and Z
1989
"... This paper will be presented at the 12th National Computer ..."