Results 1  10
of
151
Extending Sledgehammer with SMT Solvers
"... Abstract. Sledgehammer is a component of Isabelle/HOL that employs firstorder automatic theorem provers (ATPs) to discharge goals arising in interactive proofs. It heuristically selects relevant facts and, if an ATP is successful, produces a snippet that replays the proof in Isabelle. We extended Sl ..."
Abstract

Cited by 47 (11 self)
 Add to MetaCart
(Show Context)
Abstract. Sledgehammer is a component of Isabelle/HOL that employs firstorder automatic theorem provers (ATPs) to discharge goals arising in interactive proofs. It heuristically selects relevant facts and, if an ATP is successful, produces a snippet that replays the proof in Isabelle. We extended Sledgehammer to invoke satisfiability modulo theories (SMT) solvers as well, exploiting its relevance filter and parallel architecture. Isabelle users are now pleasantly surprised by SMT proofs for problems beyond the ATPs ’ reach. Remarkably, the best SMT solver performs better than the best ATP on most of our benchmarks. 1
Decision procedures for algebraic data types with abstractions
 IN 37TH ACM SIGACTSIGPLAN SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES (POPL), 2010. DECISION PROCEDURES FOR ORDERED COLLECTIONS 15 SHE75. SAHARON SHELAH. THE MONADIC THEORY OF ORDER. THA ANNALS OF MATHEMATICS OF MATHEMATICS
, 2010
"... We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data ..."
Abstract

Cited by 36 (15 self)
 Add to MetaCart
(Show Context)
We describe a family of decision procedures that extend the decision procedure for quantifierfree constraints on recursive algebraic data types (term algebras) to support recursive abstraction functions. Our abstraction functions are catamorphisms (term algebra homomorphisms) mapping algebraic data type values into values in other decidable theories (e.g. sets, multisets, lists, integers, booleans). Each instance of our decision procedure family is sound; we identify a widely applicable manytoone condition on abstraction functions that implies the completeness. Complete instances of our decision procedure include the following correctness statements: 1) a functional data structure implementation satisfies a recursively specified invariant, 2) such data structure conforms to a contract given in terms of sets, multisets, lists, sizes, or heights, 3) a transformation of a formula (or lambda term) abstract syntax tree changes the set of free variables in the specified way.
Local Verification of Global Invariants in Concurrent Programs
, 2010
"... We describe a practical method for reasoning about realistic concurrent programs. Our method allows global twostate invariants that restrict update of shared state. We provide simple, sufficient conditions for checking those global invariants modularly. The method has been implemented in VCC 3, an ..."
Abstract

Cited by 31 (5 self)
 Add to MetaCart
(Show Context)
We describe a practical method for reasoning about realistic concurrent programs. Our method allows global twostate invariants that restrict update of shared state. We provide simple, sufficient conditions for checking those global invariants modularly. The method has been implemented in VCC 3, an automatic, sound, modular verifier for concurrent C programs. VCC has been used to verify functional correctness of tens of thousands of lines of Microsoft’s HyperV virtualization platform 4 and of SYSGO’s embedded realtime operating system PikeOS.
Verification of Concurrent Programs with Chalice
, 2009
"... A program verifier is a tool that allows developers to prove that their code satisfies its specification for every possible input and every thread schedule. These lecture notes describe a verifier for concurrent programs called Chalice. Chalice’s verification methodology centers around permissions a ..."
Abstract

Cited by 26 (6 self)
 Add to MetaCart
A program verifier is a tool that allows developers to prove that their code satisfies its specification for every possible input and every thread schedule. These lecture notes describe a verifier for concurrent programs called Chalice. Chalice’s verification methodology centers around permissions and permission transfer. In particular, a memory location may be accessed by a thread only if that thread has permission to do so. Proper use of permissions allows Chalice to deduce upper bounds on the set of locations modifiable by a method and guarantees the absence of data races for concurrent programs. The lecture notes informally explain how Chalice works through various examples.
Automating Induction with an SMT Solver
, 2011
"... Mechanical proof assistants have always had support for inductive proofs. Sometimes an alternative to proof assistants, satisfiability modulo theories (SMT) solvers bring the hope of a higher degree of automation. However, SMT solvers do not natively support induction, so inductive proofs require s ..."
Abstract

Cited by 19 (6 self)
 Add to MetaCart
Mechanical proof assistants have always had support for inductive proofs. Sometimes an alternative to proof assistants, satisfiability modulo theories (SMT) solvers bring the hope of a higher degree of automation. However, SMT solvers do not natively support induction, so inductive proofs require some encoding into the SMT solver’s input. This paper shows a surprisingly simple tactic—a rewriting strategy and a heuristic for when to apply it—that has shown to be useful in verifying simple inductive theorems, like those that can occur during program verification. The paper describes the tactic and its implementation in a program verifier, and reports on the positive experience with using the tactic.
Efficient State Transfer for HypervisorBased Proactive Recovery
, 2008
"... Proactive recovery of replicated services is a novel approach that allows tolerating a potentially unlimited number of malicious faults during system lifetime by periodically restarting replicas from a correct state. Recovering a stateful replica requires a timeconsuming transfer and verification o ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
Proactive recovery of replicated services is a novel approach that allows tolerating a potentially unlimited number of malicious faults during system lifetime by periodically restarting replicas from a correct state. Recovering a stateful replica requires a timeconsuming transfer and verification of the state. During this time, the replica usually is unable to handle client requests. Our VMFIT architecture harnesses virtualization to significantly reduce this service unavailability. Our approach allows recovery in parallel with service execution, and uses copyonwrite techniques and provides efficient state transfer support between virtual replicas on a host.
Guiding a generalpurpose C verifier to prove cryptographic protocols
 in IEEE Computer Security Foundations Symposium (CSF’11), 2011
, 2011
"... We describe how to verify security properties of C code for cryptographic protocols by using a generalpurpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detec ..."
Abstract

Cited by 14 (7 self)
 Add to MetaCart
(Show Context)
We describe how to verify security properties of C code for cryptographic protocols by using a generalpurpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; decoration of a crypto API with contracts based on symbolic terms; and expression of the attacker model in terms of C programs. We rely on the generalpurpose verifier VCC; we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC. 1
VACID0: Verification of Ample Correctness of Invariants of Datastructures, Edition 0
, 2010
"... This paper defines a suite of benchmark verification problems, to serve as an acid test for verification systems that reason about programs with nontrivial datastructure invariants. Solutions to the benchmarks can be used to understand similarities and differences between verification tools and t ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
This paper defines a suite of benchmark verification problems, to serve as an acid test for verification systems that reason about programs with nontrivial datastructure invariants. Solutions to the benchmarks can be used to understand similarities and differences between verification tools and techniques. The paper also gives a procedure for scoring the solutions.
Bridging the Gap: Automatic Verified Abstraction of C
"... Abstract. Before lowlevel imperative code can be reasoned about in an interactive theorem prover, it must first be converted into a logical representation in that theorem prover. Accurate translations of such code should be conservative, choosing safe representations over representations convenient ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Before lowlevel imperative code can be reasoned about in an interactive theorem prover, it must first be converted into a logical representation in that theorem prover. Accurate translations of such code should be conservative, choosing safe representations over representations convenient to reason about. This paper bridges the gap between conservative representation and convenient reasoning. We present a tool that automatically abstracts lowlevel C semantics into higher level specifications, while generating proofs of refinement in Isabelle/HOL for each translation step. The aim is to generate a verified, humanreadable specification, convenient for further reasoning. 1
E.: Automated verification of a small hypervisor
 In: Proceedings of VSTTE (2010
"... Abstract. Hypervisors are system software programs that virtualize the architecture they run on. They are typically small, safetycritical, and hard to debug, which makes them a feasible and interesting target for formal verification. Previous functional verifications of system software were all bas ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Hypervisors are system software programs that virtualize the architecture they run on. They are typically small, safetycritical, and hard to debug, which makes them a feasible and interesting target for formal verification. Previous functional verifications of system software were all based on interactive theorem proving, requiring substantial human effort complemented by expert prover knowledge. In this paper we present the first functional verification of a small hypervisor using VCC, an automatic verifier for (suitably annotated) C developed at Microsoft. To achieve this goal we introduce necessary system verification techniques, such as accurate modeling of software/hardware interaction and simulation proofs in a firstorder logic setting. 1