## Temporal-Safety Proofs for Systems Code (2002)

### Download Links

- [www.cs.berkeley.edu]
- [www-cad.eecs.berkeley.edu]
- [www.cs.ucla.edu]
- [www.cs.berkeley.edu]
- DBLP

### Other Repositories/Bibliography

Citations: 70 (9 self)

### BibTeX

```bibtex
@MISC{Henzinger02temporal-safetyproofs,
  author = {Thomas A. Henzinger and Ranjit Jhala and Rupak Majumdar and George C. Necula and Grégoire Sutre and Westley Weimer},
  title = {Temporal-Safety Proofs for Systems Code},
  year = {2002}
}
```

### Abstract

We present a methodology and tool for verifying and certifying systems code. The verification is based on the lazy-abstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically refine the abstraction based on counterexample analysis. The certification is based on the proof-carrying code paradigm. Lazy abstraction enables the automatic construction of small proof certificates. The methodology is implemented in Blast, the Berkeley Lazy Abstraction Software verification Tool. We describe our experience applying Blast to Linux and Windows device drivers. Given the C code for a driver and for a temporal-safety monitor, Blast automatically generates an easily checkable correctness certificate if the driver satisfies the specification, and an error trace otherwise.

### Citations

1399 | A Discipline of Programming - Dijkstra - 1976 |

1093 | Proof-carrying code - Necula - 1997 |
Citation context: ...e traditional abstract-verify-refine loop [3], and avoids the repetition of work in successive abstraction phases and in successive model-checking phases. For certification, proof-carrying code (PCC) [18] has been proposed as a mechanism for witnessing the correct behavior of untrusted code. Here, the code producer sends to the consumer the code annotated with loop invariants and function pre- and pos...

696 | A Framework for Defining Logics - Harper, Honsell, et al. - 1993 |
Citation context: ...to guide, during the construction of a safe reachability tree, the generation of the correctness proof. 4 Proof Generation. Representing proofs. We encode the proof of the verification condition in LF [14], so that proof checking reduces to a linear-time type-checking problem. The logic we encode in LF is first-order logic with equality and special relation and function symbols for arithmetic and m...

599 | Construction of abstract state graphs with PVS - Graf, Saïdi - 1997 |
Citation context: ...predicate is used only in abstracting those portions of the state space where it is needed to rule out spurious counterexamples. This is unlike traditional predicate-abstraction based model checking [13,8,1], which constructs a uniform predicate abstraction from a given system and a given set of predicates. The result is a nonuniform abstract model, which provides for every portion of the state space jus...

597 | Counterexample-Guided Abstraction Refinement - Clarke, Grumberg, et al. |
Citation context: ...space, and the resulting model may again be too large to be model checked. The technique of lazy abstraction [15] is an attempt to make counterexample-guided abstraction refinement for model checking [6,3] scalable by localizing the abstraction process and avoiding unnecessary work. Lazy abstraction builds an abstract model on-the-fly, during model checking, and on demand, so that each predicate is use...

567 | Bandera: extracting finite-state models from java source code - Corbett, Dwyer, et al. - 2000 |
Citation context: ...is, of course, scalability. Recently, abstraction-refinement based techniques have been developed for (mostly) automatically constructing and model checking abstract models derived directly from code [3,7,25,16]. However, the main problem faced by such techniques is ⋆ This work was supported in part by the NSF ITR grants CCR-0085949, CCR-0081588, the NSF Career grant CCR-9875171, the DARPA PCES grant F3361500-...

463 | Model checking programs - Visser, Havelund, et al. |
Citation context: ...is, of course, scalability. Recently, abstraction-refinement based techniques have been developed for (mostly) automatically constructing and model checking abstract models derived directly from code [3,7,25,16]. However, the main problem faced by such techniques is ⋆ This work was supported in part by the NSF ITR grants CCR-0085949, CCR-0081588, the NSF Career grant CCR-9875171, the DARPA PCES grant F3361500-...

445 | Lazy abstraction - Henzinger, Jhala, et al. - 2002 |
Citation context: ...systems and complicated specifications, the abstraction process can take too much time and space, and the resulting model may again be too large to be model checked. The technique of lazy abstraction [15] is an attempt to make counterexample-guided abstraction refinement for model checking [6,3] scalable by localizing the abstraction process and avoiding unnecessary work. Lazy abstraction builds an ab...

408 | CIL: Intermediate language and tools for analysis and transformation of C programs - Necula, McPeak, et al. - 2002 |

393 | Automatic predicate abstraction of C programs - Ball, Majumdar, et al. - 2001 |

370 | The SLAM project: debugging system software via static analysis - Ball, Rajamani - 2002 |

357 | A Theory of Type Qualifiers - Foster, Fähndrich, et al. - 1999 |

131 | Experience with predicate abstraction - Das, Dill, et al. - 1999 |
Citation context: ...predicate is used only in abstracting those portions of the state space where it is needed to rule out spurious counterexamples. This is unlike traditional predicate-abstraction based model checking [13,8,1], which constructs a uniform predicate abstraction from a given system and a given set of predicates. The result is a nonuniform abstract model, which provides for every portion of the state space jus...

91 | Dynamically Discovering Likely Program Invariants - Ernst - 2000 |
Citation context: ...ow loop invariants can be inferred automatically for proofs of type and memory safety, but the problem of inferring invariants for behavioral properties, such as temporal safety, remains largely open [11]. We show that lazy abstraction can be used naturally and efficiently to construct small correctness proofs for temporal-safety properties in a PCC based framework. The proof generation is intertwined...

60 | Efficient representation and validation of proofs - Necula, Lee - 1998 |
Citation context: ...d in natural deduction with hypothetical judgments [23], together with special rules for equality, arithmetic, and memory operations. In Blast, proofs are represented in binary form using Implicit LF [20]. We use the proof encoding and checking mechanism of an existing PCC implementation to convert proofs from a textual representation to binary, and to check proofs. Generating proofs. Given a safe rea...

57 | A framework for defining logics - Harper, Honsell, et al. - 1993 |

55 | Oracle-based checking of untrusted software - Necula, Rahul - 2001 |
Citation context: ...computation significantly. 6 While our running times and proof sizes are encouraging, we feel there is a lot of room for improvement. We are transitioning to an oracle-based representation of proofs [19], which we expect, based on previous experience, to further reduce the size of the proofs by an order of magnitude. The times taken by the counterexample analysis often dominates the verification time...

55 | CUDD: Colorado University Decision Diagram package. Available: http://vlsi.colorado.edu/ fabio/CUDD - Somenzi |
Citation context: ...Hence, we do not model pointer arithmetic precisely. Blast makes use of several existing tools. We use the CIL compiler infrastructure [21] to construct CFAs from C programs. We use the CUDD package [24] to represent regions as BDDs over sets of abstraction predicates. Finally, we use the theorem prover Simplify [9] for abstract-successor computations and inclusion checks, and the (slower) proof-gene...

44 | Logic verification of ANSI-C code with SPIN - Holzmann |

34 | Certifying model checkers - Namjoshi - 2001 |
Citation context: ...ng the model checker to guide the proof generation eliminates the need for backtracking, e.g., in the proof of disjunctions. Our strategy to generate proofs from model-checking runs is different from [17,22]. We exploit the structure of sequential code so that the proof is an invariant for every control location, along with local checks for every edge of the control-flow graph that the invariants are sou...

30 | Computation and Deduction - Pfenning - 2000 |
Citation context: ...,18], and is omitted. The inference rules of the proof system include the standard introduction and elimination rules for the boolean connectives used in natural deduction with hypothetical judgments [23], together with special rules for equality, arithmetic, and memory operations. In Blast, proofs are represented in binary form using Implicit LF [20]. We use the proof encoding and checking mechanism...

24 | Bandera: Extracting models from java source code - Corbett, Dwyer, et al. - 2000 |

20 | Counterexample-guided abstraction refinement - Clarke, Grumberg, et al. |

16 | Flow-sensitive type qualifiers - Foster, Terauchi, et al. - 2002 |

12 | From model checking to a temporal proof - Peled, Zuck - 2001 |
Citation context: ...ng the model checker to guide the proof generation eliminates the need for backtracking, e.g., in the proof of disjunctions. Our strategy to generate proofs from model-checking runs is different from [17,22]. We exploit the structure of sequential code so that the proof is an invariant for every control location, along with local checks for every edge of the control-flow graph that the invariants are sou...

10 | Simplify theorem prover. http://research.compaq.com/SRC/esc/simplify.html - Detlefs, Nelson, et al. |
Citation context: ...piler infrastructure [21] to construct CFAs from C programs. We use the CUDD package [24] to represent regions as BDDs over sets of abstraction predicates. Finally, we use the theorem prover Simplify [9] for abstract-successor computations and inclusion checks, and the (slower) proof-generating theorem prover Vampyre [4] where proofs are required. The cost of verification and certification is dominat...

7 | Vampyre: A proof generating theorem prover. http://www.eecs.berkeley.edu/ rupak/vampyre - Blei |
Citation context: ...over sets of abstraction predicates. Finally, we use the theorem prover Simplify [9] for abstract-successor computations and inclusion checks, and the (slower) proof-generating theorem prover Vampyre [4] where proofs are required. The cost of verification and certification is dominated by the cost of theorem proving, so we incorporate automatic lemma extraction by caching theorem prover calls. Our ex...

7 | Logic verification of ANSI-C code with Spin - Holzmann - 2000 |

3 | Bandera: extracting finite-state models from Java source code. Int - Das, Dill, et al. - 1999 |

2 | An empirical study of operating system bugs - Chou, Yang, et al. - 2001 |
Citation context: ...rrect functioning of modern computer systems, but are written by untrusted third-party vendors. Some studies show that device drivers typically contain 7 times as many bugs as the rest of the OS code [5]. Using Blast, we have run 10 examples of Linux and Windows device drivers, of up to 60K lines of C code. We have been able to discover several errors, and construct, fully automatically, small proofs...

1 | Programming Languages Design and Implementation (to appear) - Graf, Saidi - 1997 |

1 | Efficient representation and validation of proofs. Symp - Necula, Lee |