## Verification Condition Generation via Theorem Proving (2006)

### Download Links

- [www.cs.utexas.edu]
- [www.cse.ogi.edu]
- [web.cecs.pdx.edu]
- DBLP

### Other Repositories/Bibliography

Venue: Proceedings of the 13th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2006), Vol. 4246 of LNCS

Citations: 13 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Matthews06verificationcondition,
  author    = {John Matthews and J Strother Moore and Sandip Ray and Daron Vroon},
  title     = {Verification Condition Generation via Theorem Proving},
  booktitle = {Proceedings of the 13th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2006), Vol. 4246 of LNCS},
  year      = {2006},
  pages     = {362--376}
}
```

### Abstract

We present a method to convert (i) an operational semantics for a given machine language, and (ii) an off-the-shelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover directly on the operational semantics to generate verification conditions analogous to those produced by a custom-built VCG. Thus no separate VCG is necessary, and the theorem prover can be employed both to generate and to discharge the verification conditions. The method handles both partial and total correctness. It is also compositional in that the correctness of a subroutine needs to be proved once, rather than at each call site. The method has been used to verify several machine-level programs using the ACL2 theorem prover.

### Citations

1469 | An Axiomatic Basis for Computer Programming
- Hoare
- 1969
Citation Context: ...n each transition or a clock function that precisely characterizes the number of machine steps to termination [1, 2]. Research in program verification has principally focused on assertional reasoning [3, 4]. Here a program is annotated with assertions at cutpoints. From these annotations, one derives a set of formulas or verification conditions, which guarantee that whenever program control reaches a cu...

1155 | Proof-carrying code
- Necula
- 1997
Citation Context: ...composition or recursive procedures. Our work can be viewed as a unification and substantial extension of these efforts. There are parallels between our work and research on proof-carrying code (PCC) [38]. VCGs are the key trusted components in PCCs. Similar to our work, foundational PCC research [39] ensures reliability of verification condition generation by relying only on a general-purpose theorem...

779 | Isabelle/HOL — A Proof Assistant for Higher-Order Logic
- Nipkow, Paulson, et al.
- 2002
Citation Context: ...anized in the ACL2 theorem prover [11], and used to reason about several machine-level programs. The basic approach (i.e., without composition) has also been formalized in the Isabelle theorem prover [12]. The rest of the paper is organized as follows. We present the basic approach in Section 2. In Section 3, we discuss compositionality and means for handling recursive procedures. In Section 4, we pre...

601 | Assigning meanings to programs
- Floyd
Citation Context: ...and the JVM [21], and in PVS to model state chart languages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote the first mechanized VCG. VCGs have been used extensively in practice, for example in the Extended Static Checker for Java (ESC/Java) [27], t...

554 | Extended static checking for Java
- Flanagan, Leino, et al.
- 2002
Citation Context: ...oyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote the first mechanized VCG. VCGs have been used extensively in practice, for example in the Extended Static Checker for Java (ESC/Java) [27], the Java certifying compiler [10], and the Praxis verification of Spark programs [28]. Several researchers have commented on the complexity of a practical VCG [29, 30]. There has also been significa...

280 | Computer-aided reasoning: an approach
- Kaufmann, Manolios, et al.
- 2000
Citation Context: ...total correctness, and recursive procedures. It is also compositional; subroutines can be verified separately rather than at every call site. The method has been mechanized in the ACL2 theorem prover [11], and used to reason about several machine-level programs. The basic approach (i.e., without composition) has also been formalized in the Isabelle theorem prover [12]. The rest of the paper is organiz...

237 | Foundational proof-carrying code
- Appel
Citation Context: ...sion of these efforts. There are parallels between our work and research on proof-carrying code (PCC) [38]. VCGs are the key trusted components in PCCs. Similar to our work, foundational PCC research [39] ensures reliability of verification condition generation by relying only on a general-purpose theorem prover and the operational semantics of a machine language. However, while PCCs focus on automati...

165 | Towards a mathematical science of computation
- McCarthy
- 1962
Citation Context: ...property for a practical block cipher, and “plug in” the cipher to obtain a proof of the corresponding unbounded bit-array encryption. 5 Related Work: Operational semantics was introduced by McCarthy [19], and has since been used extensively for mechanical verification of complex programs. In particular, ACL2 and its predecessor Nqthm have used such models extensively [1, 2, 8, 20]. Operational models...

152 | Applied cryptography (2nd ed.)
- Schneier
- 1995
Citation Context: ...cryption yields the original plaintext. Functional correctness of cryptographic protocols has received considerable attention recently in formal verification [16, 17]. We refer the reader to Schneier [18] for an overview of cryptosystems. Cryptographic protocols use a block cipher that encrypts and decrypts a fixed-size block of bits. We use blocks of 128 bits. Encryption and decryption of large data...

139 | A certifying compiler for Java
- Colby, Lee, et al.
Citation Context: ...on-the-fly simplifications to keep the generated formulas manageable. Implementing a practical VCG, let alone ensuring its correctness by verifying it against an operational semantics, is non-trivial [10]. In this paper, we present a technique to integrate assertional methods with operational semantics that is suitable for use with general-purpose theorem proving and does not depend on a trusted VCG....

104 | Avoiding exponential explosion: Generating compact verification conditions
- Flanagan, Saxe
- 2001
Citation Context: ...Static Checker for Java (ESC/Java) [27], the Java certifying compiler [10], and the Praxis verification of Spark programs [28]. Several researchers have commented on the complexity of a practical VCG [29, 30]. There has also been significant research verifying VCGs via theorem proving [31–33]. In the context of theorem proving, assertions have also been used to verify C programs in HOL [34], and reason ab...

80 | Automated proofs of object code for a widely used microprocessor
- Boyer, Yu
- 1996
Citation Context: ...s was introduced by McCarthy [19], and has since been used extensively for mechanical verification of complex programs. In particular, ACL2 and its predecessor Nqthm have used such models extensively [1, 2, 8, 20]. Operational models have also been used in Isabelle/HOL to formalize Java and the JVM [21], and in PVS to model state chart languages [22]. The notion of assertions was used by Goldstein and von Neum...

67 | C Formalised in HOL
- Norrish
- 1998
Citation Context: ...ctical VCG [29, 30]. There has also been significant research verifying VCGs via theorem proving [31–33]. In the context of theorem proving, assertions have also been used to verify C programs in HOL [34], and reason about pointers and BDD normalization algorithms in Isabelle [35, 36]. This work is influenced by two earlier efforts in ACL2 by the individual authors, namely Moore [15] and Matthews and...

66 | A program verifier
- King
- 1971
Citation Context: ...anguages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote the first mechanized VCG. VCGs have been used extensively in practice, for example in the Extended Static Checker for Java (ESC/Java) [27], the Java certifying compiler [10], and the Praxis ver...

45 | A denotational semantics for Stateflow
- Hamon
- 2005
Citation Context: ...predecessor Nqthm have used such models extensively [1, 2, 8, 20]. Operational models have also been used in Isabelle/HOL to formalize Java and the JVM [21], and in PVS to model state chart languages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote th...

40 | Efficient weakest preconditions
- Leino
- 2005
Citation Context: ...Static Checker for Java (ESC/Java) [27], the Java certifying compiler [10], and the Praxis verification of Spark programs [28]. Several researchers have commented on the complexity of a practical VCG [29, 30]. There has also been significant research verifying VCGs via theorem proving [31–33]. In the context of theorem proving, assertions have also been used to verify C programs in HOL [34], and reason ab...

32 | Partial functions in ACL2
- Manolios, Moore
Citation Context: ...ble in theorem provers whose logics support Hilbert’s choice operator; the defining axiom can be witnessed by a total function that returns an arbitrary constant when the recursion does not terminate [13] [12, §9.2.3]. We now formalize the notion of “next cutpoint”. Fix a state d such that cut(d) ⇔ (∀s : cut(s)). State d can be defined with a choice operator. Then nextc(s) returns the first reachable c...

30 | Is Proof More Cost-Effective Than Testing
- King, Hammond, et al.
- 2000
Citation Context: ...VCG. VCGs have been used extensively in practice, for example in the Extended Static Checker for Java (ESC/Java) [27], the Java certifying compiler [10], and the Praxis verification of Spark programs [28]. Several researchers have commented on the complexity of a practical VCG [29, 30]. There has also been significant research verifying VCGs via theorem proving [31–33]. In the context of theorem provi...

29 | Formal Verification of a Java Compiler in Isabelle
- Strecker
Citation Context: ...f complex programs. In particular, ACL2 and its predecessor Nqthm have used such models extensively [1, 2, 8, 20]. Operational models have also been used in Isabelle/HOL to formalize Java and the JVM [21], and in PVS to model state chart languages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], ...

28 | Mechanized formal reasoning about programs and computing machines
- Boyer, Moore
- 1996
Citation Context: ...tedious and complex, requiring the user to define global invariants which are preserved on each transition or a clock function that precisely characterizes the number of machine steps to termination [1, 2]. Research in program verification has principally focused on assertional reasoning [3, 4]. Here a program is annotated with assertions at cutpoints. From these annotations, one derives a set of formu...

26 | High-speed analyzable simulators
- Greve, Wilding, et al.
- 1987
Citation Context: ...l semantics and assertional methods have complementary strengths. Operational models have been lauded for clarity and concreteness [1, 7], and facilitate the validation of formal models by simulation [7, 8]. However, performing code proofs with such models is cumbersome: defining an appropriate global invariant or clock function requires understanding of the effect of each transition on the machine stat...

26 | Inductive assertions and operational semantics
- Moore
- 2003
Citation Context: ...ips past the call (inferring the postcondition for the recursive call) and continues until the procedure exits. This stands in stark contrast to all the previously published ACL2 proofs of the method [2, 15], which require complex assertions to characterize each recursive frame in the call stack. 4.3 CBC-mode Encryption and Decryption: Our third example is a more elaborate proof of functional correctness...

24 | A Verification Environment for Sequential Imperative Programs in Isabelle/HOL
- Schirmer

22 | Checking a large routine. Report of a Conference of High Speed Automatic Calculating Machines, pp. 67–69
- Turing
- 1949
Citation Context: ...have also been used in Isabelle/HOL to formalize Java and the JVM [21], and in PVS to model state chart languages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote the first mechanized VCG. VCGs have been used extensively in practice, for example in th...

20 | Functional Instantiation in First Order Logic
- Boyer, Goldshlag, et al.
- 1991
Citation Context: ...programs by instantiating the correctness theorems with the corresponding functions for the concrete machine model. In ACL2, we make use of a derived rule of inference called functional instantiation [14], which enables instantiation of theorems about constrained functions with concrete functions satisfying the constraints. In particular, we have used constrained functions pre, post, next, etc., axiom...

20 | Guarded commands, non-determinacy and a calculus for the derivation of programs
- Dijkstra
- 1975
Citation Context: ...ate chart languages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote the first mechanized VCG. VCGs have been used extensively in practice, for example in the Extended Static Checker for Java (ESC/Java) [27], the Java certifying compiler [10], and the...

20 | A summary of intrinsic partitioning verification
- Greve, Richards, et al.
- 2004
Citation Context: ...mmunicated to the authors independent endeavors applying and extending the method. At Galois Connections Inc., Pike has applied the macro to verify programs on the Rockwell Collins AAMP7 TM processor [40]. At the National Security Agency, Legato has used it to verify an assembly language multiplier for the Mostek 6502 microprocessor. At Rockwell Collins Inc., Hardin et al. are independently extending...

19 | Proving theorems about Java and the JVM with ACL2
- Moore
- 2003
Citation Context: ...tedious and complex, requiring the user to define global invariants which are preserved on each transition or a clock function that precisely characterizes the number of machine steps to termination [1, 2]. Research in program verification has principally focused on assertional reasoning [3, 4]. Here a program is annotated with assertions at cutpoints. From these annotations, one derives a set of formu...

19 | The Correctness of Programs
- Manna
- 1969
Citation Context: ...ansformed into the other. Assertional methods are based on annotating a program with assertions at certain control points called cutpoints that typically include loop tests and program entry and exit [3, 6]. To formalize this, assume that we have two predicates cut and assert, where cut recognizes the cutpoints and assert specifies the assertions at each cutpoint. Commonly cut is a predicate on the pc v...

19 | A mechanically verified verification condition generator
- Homeier, Martin
- 1995

15 | A verifying core for a cryptographic language compiler
- Pike, Shields, et al.
- 2006
Citation Context: ...ls. A target application is the verifying compiler being developed at Galois Connections and Rockwell Collins, Inc. to compile programs in the Cryptol TM language into code for the AAMP7 TM processor [43]. The goal is to generate, in addition to object code, a proof to certify that the code implements the source program semantics, and our macro can be used with the existing ACL2 model of the AAMP7 [40...

13 | Machine-checking the Java specification: Proving type-safety
- Oheimb, Nipkow
Citation Context: ...ather than to every state. 1.2 Contributions of this Paper: Operational semantics and assertional methods have complementary strengths. Operational models have been lauded for clarity and concreteness [1, 7], and facilitate the validation of formal models by simulation [7, 8]. However, performing code proofs with such models is cumbersome: defining an appropriate global invariant or clock function requir...

13 | A robust machine code proof framework for highly secure applications (in ACL2 ’06)
- Hardin, Smith, et al.
- 2012
Citation Context: ...ify an assembly language multiplier for the Mostek 6502 microprocessor. At Rockwell Collins Inc., Hardin et al. are independently extending the method and using it for AAMP7 and JVM code verification [41]. Fox has formalized the method in HOL4 and is applying it on ARM assembly language programs. 6 Summary and Conclusion: We have presented a method to apply assertional reasoning for verifying sequentia...

9 | Machine-assisted verification using theorem proving and model checking
- Shankar
- 1997
Citation Context: ...However, performing code proofs with such models is cumbersome: defining an appropriate global invariant or clock function requires understanding of the effect of each transition on the machine state [1, 9, 2]. Assertional methods factor out verification complexity by restricting user focus to cutpoints, but require a VCG which must be trusted. A VCG encodes the language semantics as formula transformation...

9 | Verification of BDD Normalization
- Ortner, Schirmer
- 2005
Citation Context: ...via theorem proving [31–33]. In the context of theorem proving, assertions have also been used to verify C programs in HOL [34], and reason about pointers and BDD normalization algorithms in Isabelle [35, 36]. This work is influenced by two earlier efforts in ACL2 by the individual authors, namely Moore [15] and Matthews and Vroon [37], to emulate VCG reasoning with a theorem prover. Moore defines a tail-...

6 | Meta Reasoning in ACL2
- Hunt, Kaufmann, et al.
- 2005
Citation Context: ...case blow-up [29]. To emulate them with a theorem prover, the simplification engine and lemma libraries must be powerful enough to encode such transformations. ACL2 provides a meta reasoning facility [42], allowing the user to augment its native simplification heuristics. We are investigating its use to encode the analysis performed by a practical VCG. We are working on making our ACL2 macro more effi...

5 | Applications of Polytypism in Theorem Proving
- Slind, Hurd
- 2003
Citation Context: ...that the composition of encryption and decryption yields the original plaintext. Functional correctness of cryptographic protocols has received considerable attention recently in formal verification [16, 17]. We refer the reader to Schneier [18] for an overview of cryptosystems. Cryptographic protocols use a block cipher that encrypts and decrypts a fixed-size block of bits. We use blocks of 128 bits. En...

4 | Planning and Coding Problems for an Electronic Computing Instrument
- Goldstein, von Neumann
- 1961
Citation Context: ...erational models have also been used in Isabelle/HOL to formalize Java and the JVM [21], and in PVS to model state chart languages [22]. The notion of assertions was used by Goldstein and von Neumann [23], and Turing [24], and made explicit in the classic works of Floyd [3], Manna [6], Hoare [4], and Dijkstra [25]. King [26] wrote the first mechanized VCG. VCGs have been used extensively in practice, ...

4 | Partial Clock Functions in ACL2
- Matthews, Vroon
- 2004
Citation Context: ...reason about pointers and BDD normalization algorithms in Isabelle [35, 36]. This work is influenced by two earlier efforts in ACL2 by the individual authors, namely Moore [15] and Matthews and Vroon [37], to emulate VCG reasoning with a theorem prover. Moore defines a tail-recursive predicate inv such that the proof of invariance of inv reduces to showing that each cutpoint satisfies assertions. Howe...

3 | Formal verification of a SHA-1 circuit core using ACL2
- Toma, Borrione
- 2005
Citation Context: ...that the composition of encryption and decryption yields the original plaintext. Functional correctness of cryptographic protocols has received considerable attention recently in formal verification [16, 17]. We refer the reader to Schneier [18] for an overview of cryptosystems. Cryptographic protocols use a block cipher that encrypts and decrypts a fixed-size block of bits. We use blocks of 128 bits. En...

3 | Imperative Program Verification in PVS. Technical report, École Nationale Supérieure Électronique, Informatique et Radiocommunications de Bordeaux
- Gloess
- 1999

3 | Proving Pointer Programs in Higher Order Logic
- Mehta, Nipkow
- 2003
Citation Context: ...via theorem proving [31–33]. In the context of theorem proving, assertions have also been used to verify C programs in HOL [34], and reason about pointers and BDD normalization algorithms in Isabelle [35, 36]. This work is influenced by two earlier efforts in ACL2 by the individual authors, namely Moore [15] and Matthews and Vroon [37], to emulate VCG reasoning with a theorem prover. Moore defines a tail-...