Results 1  10
of
13
Modular Data Structure Verification
 EECS DEPARTMENT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
, 2007
"... This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java ..."
Abstract

Cited by 36 (21 self)
 Add to MetaCart
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higherorder logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to firstorder logic, which enables the use of existing resolutionbased theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Verified JustInTime Compiler on x86
"... This paper presents a method for creating formally correct justintime (JIT) compilers. The tractability of our approach is demonstrated through, what we believe is the first, verification of a JIT compiler with respect to a realistic semantics of selfmodifying x86 machine code. Our semantics inclu ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
This paper presents a method for creating formally correct justintime (JIT) compilers. The tractability of our approach is demonstrated through, what we believe is the first, verification of a JIT compiler with respect to a realistic semantics of selfmodifying x86 machine code. Our semantics includes a model of the instruction cache. Two versions of the verified JIT compiler are presented: one generates all of the machine code at once, the other one is incremental i.e. produces code ondemand. All proofs have been performed inside the HOL4 theorem prover.
Machinecode verification for multiple architectures: An application of decompilation into logic
 In Formal Methods in Computer Aided Design (FMCAD
, 2008
"... Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusin ..."
Abstract

Cited by 16 (9 self)
 Add to MetaCart
Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusing proofs of the same algorithm implemented in different machine languages. We describe an approach, based on proofproducing decompilation, which both makes machinecode verification tractable and supports proof reuse between different languages. We briefly present examples based on detailed models of machine code for ARM, PowerPC and x86. The theories and tools have been implemented in the HOL4 system. I.
A verifying core for a cryptographic language compiler
 In Manolios, P., Wilding, M., eds.: 6th ACL2 Workshop. (2006
, 2006
"... A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 micropr ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 microprocessor (and is designed to compile efficiently to hardware, too). This paper reports on our success in verifying the “core ” transformations of the compiler – those transformations over the sublanguage of µCryptol that begin after “higherorder ” aspects of the language are compiled away, and finish just before hardware or software specific transformations are exercised. The core transformations are responsible for aggressive optimizations. We have written an ACL2 macro that automatically generates both the correspondence theorems and their proofs. The compiler also supplies measure functions that ACL2 uses to automatically prove termination of µCryptol programs, including programs with mutuallyrecursive cliques of streams. Our verifying compiler has proved the correctness of its core transformations for multiple algorithms, including TEA, RC6, and AES. Finally, we describe an ACL2 book of primitive operations for the general specification and verification of encryption algorithms. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program Verification—correctness proofs, formal methods, reliability; D.3.4 ∗ The ACL2 books associated with this paper can be retrieved at
A Robust Machine Code Proof Framework for Highly Secure Applications
 In Proceedings of the 2006 ACL2 Workshop
, 2006
"... Securitycritical applications at the highest Evaluation Assurance Levels (EAL) require formal proofs of correctness in order to achieve certification. To support secure application development at the highest EALs, we have developed techniques to largely automate the process of producing proofs of c ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Securitycritical applications at the highest Evaluation Assurance Levels (EAL) require formal proofs of correctness in order to achieve certification. To support secure application development at the highest EALs, we have developed techniques to largely automate the process of producing proofs of correctness of machine code. As part of the Secure, HighAssurance Development Environment program, we have produced in ACL2 an executable formal model of the Rockwell Collins AAMP7G microprocessor at the instruction set level, in order to facilitate proofs of correctness about that processor’s machine code. The AAMP7G, currently in use in Rockwell Collins secure system products, supports strict time and space partitioning in hardware, and has received a U.S. National Security Agency (NSA) Multiple Independent Levels of Security (MILS) certificate based in part on a formal proof of correctness of its separation kernel microcode. Proofs of correctness of AAMP7G machine code are accomplished using the method of “compositional cutpoints”, which requires neither traditional clock functions nor a Verification Condition Generator (VCG). In this paper, we will summarize the AAMP7G architecture, detail our ACL2 model of the processor, and describe our development of the compositional cutpoint method into a robust machine code proof framework.
Structure of a proofproducing compiler for a subset of higher order logic
 16th European Symposium on Programming (ESOP’07
, 2007
"... Abstract. We give an overview of a proofproducing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler ..."
Abstract

Cited by 10 (7 self)
 Add to MetaCart
Abstract. We give an overview of a proofproducing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler and its mechanical verification are implemented in the same logic framework.
Transforming programs into recursive functions
 In Brazilian Symposium on Formal Methods (SBMF 2008), volume 240 of ENTCS
, 2009
"... This paper presents a new proofassistant based approach to program verification: programs are translated, via fullyautomatic deduction, into tailrecursive function defined in the logic of a theorem prover. This approach improves on wellestablished methods based on Hoare logic and verification co ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
This paper presents a new proofassistant based approach to program verification: programs are translated, via fullyautomatic deduction, into tailrecursive function defined in the logic of a theorem prover. This approach improves on wellestablished methods based on Hoare logic and verification condition generation (VCG) by removing the need to annotate programs with assertions, making the proof natural to the theorem prover and being easier to implement than a trusted VCG. Our tool has been implemented in the HOL4 theorem prover. Keywords: program verification, theorem proving. 1
A mechanical analysis of program verification strategies
 Journal of Automated Reasoning
, 2008
"... Abstract. We analyze three proof strategies commonly used in deductive verification of deterministic sequential programs formalized with operational semantics. The strategies are: (i) stepwise invariants, (ii) clock functions, and (iii) inductive assertions. We show how to formalize the strategies i ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. We analyze three proof strategies commonly used in deductive verification of deterministic sequential programs formalized with operational semantics. The strategies are: (i) stepwise invariants, (ii) clock functions, and (iii) inductive assertions. We show how to formalize the strategies in the logic of the ACL2 theorem prover. Based on our formalization, we prove that each strategy is both sound and complete. The completeness result implies that given any proof of correctness of a sequential program one can derive a proof in each of the above strategies. The soundness and completeness theorems have been mechanically checked with ACL2.
Towards a Formalization of the X86 Instruction Set Architecture
"... We present a preliminary approach to defining a formal specification of the semantics of the X86 Instruction Set Architecture. The goal of the formalization is to support the dual requirements of analyzing the correctness of binaries executing on the architecture and investigating different safety a ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We present a preliminary approach to defining a formal specification of the semantics of the X86 Instruction Set Architecture. The goal of the formalization is to support the dual requirements of analyzing the correctness of binaries executing on the architecture and investigating different safety and security properties of the architecture itself. In particular, we focus on the security properties of protection rings available in the X86. A simplified version of the specification has been developed in the formal logic of the ACL2 theorem prover together with a generic approach to operationally define security policies. we discuss the use of our approach in developing trusted applications. 1
Decompilation into Logic — Improved
"... Abstract—This paper presents improvements to a technique which aids verification of machinecode programs. This technique, called decompilation into logic, allows the verifier to only deal with tractable extracted models of the machine code rather than the concrete code itself. Our improvements make ..."
Abstract
 Add to MetaCart
Abstract—This paper presents improvements to a technique which aids verification of machinecode programs. This technique, called decompilation into logic, allows the verifier to only deal with tractable extracted models of the machine code rather than the concrete code itself. Our improvements make decompilation simpler, faster and more generally applicable. In particular, the new technique allows the verifier to avoid tedious reasoning directly in the underlying machinecode Hoare logic or the model of the instruction set architecture. The method described in this paper has been implemented in the HOL4 theorem prover. I.