Results 11-20 of 124
On the Need for Practical Formal Methods
In Formal Techniques in Real-Time and Real-Time Fault-Tolerant Systems, Proc. 5th Intern. Symposium (FTRTFT'98), 1998
Cited by 27 (5 self)
Abstract: A controversial issue in the formal methods community is the degree to which mathematical sophistication and theorem proving skills should be needed to apply a formal method. A fundamental assumption of this paper is that formal methods research has produced several classes of analysis that can prove useful in software development. However, to be useful to software practitioners, most of whom lack advanced mathematical training and theorem proving skills, current formal methods need a number of additional attributes, including more user-friendly notations, completely automatic (i.e., push-button) analysis, and useful, easy to understand feedback. Moreover, formal methods need to be integrated into a standard development process. I discuss additional research and engineering that is needed to make the current set of formal methods more practical. To illustrate the ideas, I present several examples, many taken from the SCR (Software Cost Reduction) requirements method, a formal method th...
Symbolic Simulation: an ACL2 Approach
Proceedings of the Second International Conference on Formal Methods in Computer-Aided Design (FMCAD'98), volume LNCS 1522, 1998
Cited by 26 (1 self)
Abstract: Executable formal specification can allow engineers to test (or simulate) the specified system on concrete data before the system is implemented. This is beginning to gain acceptance and is just the formal analogue of the standard practice of building simulators in conventional programming languages such as C. A largely unexplored but potentially very useful next step is symbolic simulation, the "execution" of the formal specification on indeterminate data. With the right interface, this need not require much additional training of the engineers using the tool. It allows many tests to be collapsed into one. Furthermore, it familiarizes the working engineer with the abstractions and notation used in the design, thus allowing team members to speak clearly to one another. We illustrate these ideas with a formal specification of a simple computing machine in ACL2. We sketch some requirements on the interface, which we call a symbolic spreadsheet.
Trusting Trusted Hardware: Towards a Formal Model for Programmable Secure Coprocessors
1998
Cited by 21 (4 self)
Abstract: Secure coprocessors provide a foundation for many exciting electronic commerce applications, as previous work [20, 21] has demonstrated. As our recent work [6, 13, 14] has explored, building a high-end secure coprocessor that can be easily programmed and deployed by a wide range of third parties can be an important step toward realizing this promise. But this step requires trusting trusted hardware, and achieving this trust can be difficult in the face of a problem and solution space that can be surprisingly complex and subtle. Formal methods provide one means to express, verify, and analyze such solutions (and would be required for such a solution to be certified at FIPS 140-1 Level 4). This paper discusses our current efforts to apply these principles to the architecture of our secure coprocessor. We present formal statements of the security goals our architecture needs to provide; we argue for correctness by enumerating the architectural properties from which these goals can be proven; we argue for conciseness by showing how eliminating properties causes the goals to fail; but we discuss how simpler versions of the architecture can satisfy weaker security goals. We view this work as the beginning of developing formal models to address the trust challenges arising from using trusted hardware for electronic commerce.
Refinement strategies for verification methods based on datapath abstraction
In Asia South Pacific Design Automation Conference (ASP-DAC), 2006
Cited by 20 (6 self)
Abstract: In this paper we explore the application of Counterexample-Guided
The Isabelle Collections Framework
Cited by 18 (10 self)
Abstract: The Isabelle Collections Framework (ICF) provides a unified framework for using verified collection data structures in Isabelle/HOL formalizations and generating efficient functional code in ML, Haskell, and OCaml. Thanks to its modularity, it is easily extensible and supports switching to different data structures any time. For good integration with applications, a data refinement approach separates the correctness proofs from implementation details. The generated code based on the ICF lies in better complexity classes than the one that uses Isabelle's default setup (logarithmic vs. linear time). In a case study with tree automata, we demonstrate that the ICF is easy to use and efficient: an ICF-based, verified tree automata library outperforms the unverified Timbuk/Taml library by a factor of 14.
Automatic Abstraction and Verification of Verilog Models
2004
Cited by 18 (5 self)
Abstract: Abstraction plays a critical role in verifying complex systems. A number of languages have been proposed to model hardware systems by, primarily, abstracting away their wide datapaths while keeping the low-level details of their control logic. This leads to a significant reduction in the size of the state space and makes it possible to verify intricate control interactions formally. These languages, however, require that the abstraction be done manually, a tedious and error-prone process. In this paper we describe Vapor, a tool that automatically abstracts behavioral RTL Verilog to the CLU language used by the UCLID system. Vapor performs a sound abstraction with emphasis on minimizing false errors. Our method is fast, systematic, and complements UCLID by serving as a back end for dealing with UCLID counterexamples. Preliminary results show the feasibility of automatic abstraction and its utility in formal verification.
The Science of Deriving Dense Linear Algebra Algorithms
2002
Cited by 17 (8 self)
Abstract: In this paper we present a systematic approach to the derivation of families of high-performance algorithms for a large set of frequently encountered dense linear algebra operations. As part of the derivation a constructive proof of the correctness of the algorithm is given. The paper is structured so that it can be used as a tutorial for novices. However, the method has been shown to yield new, high-performance algorithms for well-studied linear algebra operations and should also be of interest to the "high priests of high performance."
An empirical evaluation of automated theorem provers in software certification
International Journal of AI Tools, 2004
Cited by 15 (7 self)
Abstract: We describe a system for the automated certification of safety properties of NASA software. The system uses Hoare-style program verification technology to generate proof obligations which are then processed by an automated first-order theorem prover (ATP). We discuss the unique requirements this application places on the ATPs, focusing on automation, proof checking, and usability. For full automation, however, the obligations must be aggressively preprocessed and simplified, and we demonstrate how the individual simplification stages, which are implemented by rewriting, influence the ability of the ATPs to solve the proof tasks. Our results are based on 13 certification experiments that lead to more than 25,000 proof tasks which have each been attempted by Vampire, Spass, E-SETHEO, and Otter. The proofs found by Otter have been proof-checked by IVY.