Results 1  10
of
43
seL4: Formal Verification of an OS Kernel
 ACM SYMPOSIUM ON OPERATING SYSTEMS PRINCIPLES
, 2009
"... Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machinechecked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of ..."
Abstract

Cited by 268 (45 self)
 Add to MetaCart
(Show Context)
Complete formal verification is the only known way to guarantee that a system is free of programming errors. We present our experience in performing the formal, machinechecked verification of the seL4 microkernel from an abstract specification down to its C implementation. We assume correctness of compiler, assembly code, and hardware, and we used a unique design approach that fuses formal and operating systems techniques. To our knowledge, this is the first formal proof of functional correctness of a complete, generalpurpose operatingsystem kernel. Functional correctness means here that the implementation always strictly follows our highlevel abstract specification of kernel behaviour. This encompasses traditional design and implementation safety properties such as the kernel will never crash, and it will never perform an unsafe operation. It also proves much more: we can predict precisely how the kernel will behave in every possible situation. seL4, a thirdgeneration microkernel of L4 provenance, comprises 8,700 lines of C code and 600 lines of assembler. Its performance is comparable to other highperformance L4 kernels.
Types and HigherOrder Recursion Schemes for Verification of HigherOrder Programs
, 2009
"... We propose a new verification method for temporal properties of higherorder functional programs, which takes advantage of Ong’s recent result on the decidability of the modelchecking problem for higherorder recursion schemes (HORS’s). A program is transformed to an HORS that generates a tree repr ..."
Abstract

Cited by 55 (15 self)
 Add to MetaCart
We propose a new verification method for temporal properties of higherorder functional programs, which takes advantage of Ong’s recent result on the decidability of the modelchecking problem for higherorder recursion schemes (HORS’s). A program is transformed to an HORS that generates a tree representing all the possible event sequences of the program, and then the HORS is modelchecked. Unlike most of the previous methods for verification of higherorder programs, our verification method is sound and complete. Moreover, this new verification framework allows a smooth integration of abstract model checking techniques into verification of higherorder programs. We also present a typebased verification algorithm for HORS’s. The algorithm can deal with only a fragment of the properties expressed by modal μcalculus, but the algorithm and its correctness proof are (arguably) much simpler than those of Ong’s gamesemanticsbased algorithm. Moreover, while the HORS model checking problem is nEXPTIME in general, our algorithm is linear in the size of HORS, under the assumption that the sizes of types and specifications are bounded by a constant.
The VeriFast Program Verifier
, 2008
"... This note describes a separationlogicbased approach for the specification and verification of safety properties of pointermanipulating imperative programs. The programmer may declare inductive datatypes and primitive recursive functions for specification. Verification proceeds by symbolic executi ..."
Abstract

Cited by 51 (7 self)
 Add to MetaCart
(Show Context)
This note describes a separationlogicbased approach for the specification and verification of safety properties of pointermanipulating imperative programs. The programmer may declare inductive datatypes and primitive recursive functions for specification. Verification proceeds by symbolic execution using an abstract representation of memory as a separation logic assertion. Folding or unfolding abstract predicate assertions is performed through explicit ghost statements. Lemma functions enable inductive proofs of memory representation equivalences and facts about the primitive recursive functions. An SMT solver is used to solve queries over data values; an algorithm is described that prevents nontermination of the SMT solver while enabling reduction of any ground term. Since no significant search is performed by either the verifier or the SMT solver, verification time is predictable and low.
Proving That NonBlocking Algorithms Don’t Block
"... A concurrent datastructure implementation is considered nonblocking if it meets one of three following liveness criteria: waitfreedom, lockfreedom,orobstructionfreedom. Developers of nonblocking algorithms aim to meet these criteria. However, to date their proofs for nontrivial algorithms have b ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
(Show Context)
A concurrent datastructure implementation is considered nonblocking if it meets one of three following liveness criteria: waitfreedom, lockfreedom,orobstructionfreedom. Developers of nonblocking algorithms aim to meet these criteria. However, to date their proofs for nontrivial algorithms have been only manual pencilandpaper semiformal proofs. This paper proposes the first fully automatic tool that allows developers to ensure that their algorithms are indeed nonblocking. Our tool uses relyguarantee reasoning while overcoming the technical challenge of sound reasoning in the presence of interdependent liveness properties.
Proving Conditional Termination
"... Abstract. We describe a method for synthesizing reasonable underapproximations to weakest preconditions for termination—a longstanding open problem. The paper provides experimental evidence to demonstrate the usefulness of the new procedure. 1 ..."
Abstract

Cited by 21 (5 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a method for synthesizing reasonable underapproximations to weakest preconditions for termination—a longstanding open problem. The paper provides experimental evidence to demonstrate the usefulness of the new procedure. 1
Automatically proving program termination
 In CAV
, 2007
"... Our goal in this book is to build sofware tools that automatically search for proofs of program termination in mathematical logic. However, before delving directly into strategies for automation, we must first introduce some notation and establish a basic foundation in the areas of program semantics ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
Our goal in this book is to build sofware tools that automatically search for proofs of program termination in mathematical logic. However, before delving directly into strategies for automation, we must first introduce some notation and establish a basic foundation in the areas of program semantics, logic and set theory. We must also discuss how programs can be proved terminating using manual techniques. The concepts and notation introduced in this chapter will be used throughout the remainder of the book. 1.1 Program termination and wellfounded relations For the purpose of this book it is convenient to think of the text of a computer program as representing a relation that specifies the possible transitions that the program can make between configurations during execution. We call this the program’s transition relation. Program executions can be thought of as traversals starting from a starting configuration and then moving from configuration to configuration as allowed by the transition relation. A program is called terminating if all the executions allowed by the transition relation are finite. We call a program nonterminating if the transition relation allows for at least one infinite execution. Treating programs as relations is conveinant for our purpose, as in this setting proving program termination is equivliant to proving the program’s transition relation wellfounded — thus giving us access to the numerous well established techniques from mathematical logic used to establish wellfoundedness. In the next few sections we define some notation, discuss our representation for program configurations, and give some basic results related 3 4
A hybrid type system for lockfreedom of mobile processes
, 2008
"... We propose a type system for lockfreedom in the πcalculus, which guarantees that certain communications will eventually succeed. Distinguishing features of our type system are: it can verify lockfreedom of concurrent programs that have sophisticated recursive communication structures; it can be ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
(Show Context)
We propose a type system for lockfreedom in the πcalculus, which guarantees that certain communications will eventually succeed. Distinguishing features of our type system are: it can verify lockfreedom of concurrent programs that have sophisticated recursive communication structures; it can be fully automated; it is hybrid, in that it combines a type system for lockfreedom with local reasoning about deadlockfreedom, termination, and confluence analyses. Moreover, the type system is parameterized by deadlockfreedom/termination/confluence analyses, so that any methods (e.g. type systems and model checking) can be used for those analyses. A lockfreedom analysis tool has been implemented based on the proposed type system, and tested for nontrivial programs.
HardtoAnswer Questions about Code
"... To build new tools and programming languages that make it easier for professional software developers to create, debug, and understand code, it is helpful to better understand the questions that developers ask during coding activities. We surveyed professional software developers and asked them to l ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
(Show Context)
To build new tools and programming languages that make it easier for professional software developers to create, debug, and understand code, it is helpful to better understand the questions that developers ask during coding activities. We surveyed professional software developers and asked them to list hardtoanswer questions that they had recently asked about code. 179 respondents reported 371 questions. We then clustered these questions into 21 categories and 94 distinct questions. The most frequently reported categories dealt with intent and rationale – what does this code do, what is it intended to do, and why was it done this way? Many questions described very specific situations – e.g., what does the code do when an error occurs, how to refactor without breaking callers, or the implications of a specific change on security. These questions revealed opportunities for both existing research tools to help developers and for developing new languages and tools that make answering these questions easier.
Making Prophecies with Decision Predicates
"... We describe a new algorithm for proving temporal properties expressed in LTL of infinitestate programs. Our approach takes advantage of the fact that LTL properties can often be proved more efficiently using techniques usually associated with the branchingtime logic CTL than they can with native LT ..."
Abstract

Cited by 11 (7 self)
 Add to MetaCart
(Show Context)
We describe a new algorithm for proving temporal properties expressed in LTL of infinitestate programs. Our approach takes advantage of the fact that LTL properties can often be proved more efficiently using techniques usually associated with the branchingtime logic CTL than they can with native LTL tools. The caveat is that, in certain instances, nondeterminism in the system’s transition relation can cause CTL methods to report counterexamples that are spurious with respect to the original LTL formula. To address this problem we describe an algorithm that, as it attempts to apply CTL proof methods, finds and then removes problematic nondeterminism via an analysis on the potentially spurious counterexamples. Problematic nondeterminism is characterized using decision predicates, and removed using a partial and symbolic determinization procedure that introduces new prophecy variables to predict the future outcome of these decisions. We demonstrate—using examples taken from the PostgreSQL database server, Apache web server, and Windows OS kernel—that our method can yield enormous performance improvements in comparison to known tools, allowing us to automatically prove properties of programs where we could not prove them before. 1.
Reasoning about nondeterminism in programs
"... Branchingtime temporal logics (e.g. CTL, CTL ∗ , or the modal µcalculus) allow us to ask sophisticated questions about the nondeterminism that appears in systems. Applications of this type of reasoning include planning, games, security analysis, disproving, precondition synthesis, environment synt ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
Branchingtime temporal logics (e.g. CTL, CTL ∗ , or the modal µcalculus) allow us to ask sophisticated questions about the nondeterminism that appears in systems. Applications of this type of reasoning include planning, games, security analysis, disproving, precondition synthesis, environment synthesis, etc. Unfortunately, existing automatic branchingtime verification tools have limitions that have traditionally restricted their applicability (e.g. pushdown systems only, universal path quantifiers only, etc). In this paper we introduce an automation strategy that lifts many of these previous restrictions. Our method works reliably for properties with nontrivial mixtures of universal and existential modal operators. Furthermore, our approach supports (possibly infinitestate) programs. The basis of our approach is the observation that existential reasoning can be reduced to universal reasoning if the system’s statespace is appropriately restricted. This restriction on the statespace must meet a constraint derived from recent work on proving nontermination. The observation leads to a new route for implementation based on existing tools. To demonstrate the practical viability of our approach, we report on the results applying our preliminary implementation to a set of benchmarks drawn from the Windows operating system, the PostgreSQL database server, SoftUpdates patching system, as well as other handcrafted examples. 1.