Reiner Hähnle,Marieke Huisman

DOI: https://doi.org/10.1007/978-3-319-91908-9_18

2019-01-01

Abstract:Deductive software verification aims at formally verifying that all possible behaviors of a given program satisfy formally defined, possibly complex properties, where the verification process is based on logical inference. We follow the trajectory of the field from its inception in the late 1960s via its current state to its promises for the future, from pen-and-paper proofs for programs written in small, idealized languages to highly automated proofs of complex library or system code written in mainstream languages. We take stock of the state-of-art and give a list of the most important challenges for the further development of the field of deductive software verification.

Dejanira Araiza-Illan,Kerstin Eder,Arthur Richards

DOI: https://doi.org/10.1109/CONTROL.2014.6915147

2014-06-08

Abstract:This paper presents the deductive formal verification of high-level properties of control systems with theorem proving, using the Why3 tool. Properties that can be verified with this approach include stability, feedback gain, and robustness, among others. For the systems, modelled in Simulink, we propose three main steps to achieve the verification: specifying the properties of interest over the signals within the model using Simulink blocks, an automatic translation of the model into Why3, and the automatic verification of the properties with theorem provers in Why3. We present a methodology to specify the properties in the model and a library of relevant assertion blocks (logic expressions), currently in development. The functionality of the blocks in the Simulink models are automatically translated to Why3 as theories and verification goals by our tool implemented in MATLAB. A library of theories in Why3 corresponding to each supported block has been developed to facilitate the process of translation. The goals are automatically verified in Why3 with relevant theorem provers. A simple first-order discrete system is used to exemplify the specification of the Simulink model, the translation process from Simulink to the Why3 formal logic language, and the verification of Lyapunov stability.

Systems and Control,Logic in Computer Science

Ning Ge,Marc Pantel,Silvano Dal Zilio

DOI: https://doi.org/10.1109/TASE.2017.8285630

2017-01-01

Abstract:To ease the expression of real-time requirements, Dwyer, and then Konrad, studied a large collection of existing systems in order to identify a set of real-time property patterns covering most of the useful use cases. The goal was to provide a set of reusable patterns that system designers can instantiate to express requirements instead of using complex temporal logic formulas. A limitation of this approach is that the choice of patterns is more oriented towards expressiveness than efficiency; meaning that it does not take into account the computational complexity of checking patterns. For this purpose, we define a set of verification-dedicated, atomic property patterns for qualitative and quantitative real-time requirements. End-user requirements can then be expressed as a composition of these patterns using a predefined meta-model and a mapping library. These properties can be checked efficiently using a set of elementary observers and a model checking approach.

Paulius Stankaitis,Alexei Iliasov,David Adjepon-Yamoah,Alexander Romanovsky

DOI: https://doi.org/10.48550/arXiv.1611.02923

2016-11-09

Abstract:Event-B is one of more popular notations for model-based, proof driven specification. It offers a fairly high-level mathematical lan- guage based on FOL and ZF set theory and an economical yet expres- sive modelling notation. Model correctness is established by discharging proving a number conjectures constructed via a syntactic instantiation of schematic conditions. A large proportion of provable conjectures re- quires proof hints from a user. For larger models this becomes extremely onerous as identical or similar proofs have to be repeated over and over, especially after model refactoring stages. In the paper we briefly present a new Rodin Platform proof back-end based on the Why3 umbrella prover.

Software Engineering

Xingxin Wang,Shibo Tang,Wei Hu

DOI: https://doi.org/10.1109/ISOCC56007.2022.10031448

2022-01-01

Abstract:Formal verification is an emerging technique for validating the soundness of SoC designs and uncover design flaws. However, existing formal solutions heavily rely on verification engineers to manually specify assertion properties, which can be time-consuming but provides no guarantee on the quality or completeness of the property set. In this brief, we move a step towards automatic property generation for SoC security verification. We automatically extract invariant behaviors from functional and security simulation traces and specify them as assertions. We further prove the generated properties to search for property violations to identify design vulnerabilities. Experimental results show the effectiveness of our method in detecting timing channel and stealthy hardware Trojan.

Li Huang,Sophie Ebersold,Alexander Kogtenkov,Bertrand Meyer,Yinling Liu

2024-03-29

Abstract:The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry? To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools. Note: this version is the extended article, covering all the systems identified as relevant. A shorter version, covering only a selection, is also available.

Software Engineering

Jifeng He,Shengchao Qin,Adnan Sherif

DOI: https://doi.org/10.1007/11768173_6

2006-01-01

Abstract:This paper advocates a general approach to formal verification by constructing property-oriented models. We instantiate the approach using timing properties, and construct a heterogeneous untimed model in which time is abstracted away, so that we can verify timing properties in an untimed framework. The correctness of property-oriented model construction is ensured by the conformance of semantic and syntactic mappings.

Min Zhang,Toshiaki Aoki,Yueying He

DOI: https://doi.org/10.1016/j.jisa.2016.05.002

IF: 4.96

2016-01-01

Journal of Information Security and Applications

Abstract:Formalization and verification of a system usually are not one time tasks due to the increasing complexity of software systems. The relation between formalization and verification should not be sequential but iterative in that verification follows formalization and in turn helps validate and refine formalization. The iteration is a spiral process with a formal model being incrementally developed and more properties being verified. In this paper, we present such a spiral process of doing formalization and verification with a concrete case study to demonstrate how we formalize and verify in the spiral manner a scheduling mechanism and Priority Ceiling Protocol (PCP) of an industrial automobile standard called OSEK/VDX. We choose an algebraic formal language called CafeOBJ for its features of modularity and interactive theorem proving functionality. We start with a prototypical model of the scheduling mechanism, validate and refine it based on verification results. By theorem proving, it reinforces our understanding of the specifications and their gap with the specified problem domains. The formal model is refined until all these properties are successfully proved. We incrementally extend it to formalize PCP and verify more properties such as deadlock freedom and priority inversion freedom.

Andreas Katis,Andrew Gacek,Michael W. Whalen

DOI: https://doi.org/10.48550/arXiv.1502.01292

2015-11-18

Abstract:Virtual integration techniques focus on building architectural models of systems that can be analyzed early in the design cycle to try to lower cost, reduce risk, and improve quality of complex embedded systems. Given appropriate architectural descriptions, assume/guarantee contracts, and compositional reasoning rules, these techniques can be used to prove important safety properties about the architecture prior to system construction. For these proofs to be meaningful, each leaf-level component contract must be realizable; i.e., it is possible to construct a component such that for any input allowed by the contract assumptions, there is some output value that the component can produce that satisfies the contract guarantees. We have recently proposed (in [1]) a contract-based realizability checking algorithm for assume/guarantee contracts over infinite theories supported by SMT solvers such as linear integer/real arithmetic and uninterpreted functions. In that work, we used an SMT solver and an algorithm similar to k-induction to establish the realizability of a contract, and justified our approach via a hand proof. Given the central importance of realizability to our virtual integration approach, we wanted additional confidence that our approach was sound. This paper describes a complete formalization of the approach in the Coq proof and specification language. During formalization, we found several small mistakes and missing assumptions in our reasoning. Although these did not compromise the correctness of the algorithm used in the checking tools, they point to the value of machine-checked formalization. In addition, we believe this is the first machine-checked formalization for a realizability algorithm.

Software Engineering

Bernd Finkbeiner,Geguang Pu,Lijun Zhang

DOI: https://doi.org/10.1007/978-3-319-24953-7

2015-01-01

Abstract:Computer hardware and software can be modeled precisely in mathematical logic. If expressed appropriately, these models can be executable, i.e., run on concrete data. This allows them to be used as simulation engines or rapid prototypes. But because they are formal they can be manipulated by symbolic means: theorems can be proved about them, directly, with mechanical theorem provers. But how practical is this vision of machines reasoning about machines? In this highly personal talk, I will describe the 45 year history of the “Boyer-Moore theorem prover,” starting with its use in Edinburgh, Scotland, to prove simple list processing theorems by mathematical induction (e.g., the reverse of the reverse of x is x) to its routine commercial use in the microprocessor industry (e.g., the floating point operations of the Via Nano 64-bit X86 microprocessor are compliant with the IEEE standard). Along the way we will see applications in program verification, models of instruction set architectures including the JVM, and security and information flow. I then list some reasons this project has been successful. The paper also serves as an annotated bibliography of the key stepping stones in the applications of the prover.

Andrew Gacek,Andreas Katis,Michael W. Whalen,John Backes,Darren Cofer

DOI: https://doi.org/10.48550/arXiv.1502.03005

2015-02-11

Abstract:Virtual integration techniques focus on building architectural models of systems that can be analyzed early in the design cycle to try to lower cost, reduce risk, and improve quality of complex embedded systems. Given appropriate architectural descriptions and compositional reasoning rules, these techniques can be used to prove important safety properties about the architecture prior to system construction. Such proofs build from "leaf-level" assume/guarantee component contracts through architectural layers towards top-level safety properties. The proofs are built upon the premise that each leaf-level component contract is realizable; i.e., it is possible to construct a component such that for any input allowed by the contract assumptions, there is some output value that the component can produce that satisfies the contract guarantees. Without engineering support it is all too easy to write leaf-level components that can't be realized. Realizability checking for propositional contracts has been well-studied for many years, both for component synthesis and checking correctness of temporal logic requirements. However, checking realizability for contracts involving infinite theories is still an open problem. In this paper, we describe a new approach for checking realizability of contracts involving theories and demonstrate its usefulness on several examples.

Software Engineering

Yuzhou Liu,Lei Liu,Huaxiao Liu,Hongji Yang

DOI: https://doi.org/10.1109/access.2018.2836342

IF: 3.9

2018-01-01

IEEE Access

Abstract:Software verification can ensure the software quality by inspecting the properties of program. A key issue for software verification is to check whether the software can meet user requirements especially when the requirements change frequently. To tackle this problem, we propose an approach to verify the program by inspecting the internal relations with the user requirements. In the approach, the constraints in the requirements are represented by a concern-based model defined in our previous work by Liu et al. and the internal relations of program are extracted based on static analysis methods; then, a framework of verification system is defined to inspect whether the program can satisfy the constraints for discovering the errors with their locations. The main contribution of this paper includes: 1) kinds of internal relations of program are defined and their calculation methods are given to transform the source codes to a formalized model, which is taken as the object to be verified and 2) formal description of verification system framework is given to support the automation of verification process. Since the verification tasks can be set freely based on the requirements in the system, the proposed approach can help developers to cope with the change of requirements better.

Vincent Cheval,Caroline Fontaine

2024-10-20

Abstract:Computer-aided analysis of security protocols heavily relies on equational theories to model cryptographic primitives. Most automated verifiers for security protocols focus on equational theories that satisfy the Finite Variant Property (FVP), for which solving unification is decidable. However, they either require to prove FVP by hand or at least to provide a representation as an E-convergent rewrite system, usually E being at most the equational theory for an associative and commutative function symbol (AC). The verifier ProVerif is probably the only exception amongst these tools as it automatically proves FVP without requiring a representation, but on a small class of equational theories. In this work, we propose a novel semi-decision procedure for proving FVP, without the need for a specific representation, and for a class of theories that goes beyond the ones expressed by an E-convergent rewrite system. We implemented a prototype and successfully applied it on several theories from the literature.

Cryptography and Security

Mario Gleirscher,Rehab Massoud,Dieter Hutter,Christoph Lüth

2024-04-17

Abstract:Mathematical proofs are a cornerstone of control theory, and it is important to get them right. Deduction systems can help with this by mechanically checking the proofs. However, the structure and level of detail at which a proof is represented in a deduction system differ significantly from a proof read and written by mathematicians and engineers, hampering understanding and adoption of these systems.

Systems and Control

Yasushi Umezawa,Takeshi Shimizu

DOI: https://doi.org/10.48550/arXiv.0710.4848

2007-10-25

Logic in Computer Science

Abstract:Formal verification techniques have been playing an important role in pre-silicon validation processes. One of the most important points considered in performing formal verification is to define good verification scopes; we should define clearly what to be verified formally upon designs under tests. We considered the following three practical requirements when we defined the scope of formal verification. They are (a) hard to verify (b) small to handle, and (c) easy to understand. Our novel approach is to break down generic properties for system into stereotype properties in block level and to define requirements for Verifiable RTL. Consequently, each designer instead of verification experts can describe properties of the design easily, and formal model checking can be applied systematically and thoroughly to all the leaf modules. During the development of a component chip for server platforms, we focused on RAS (Reliability, Availability, and Serviceability) features and described more than 2000 properties in PSL. As a result of the formal verification, we found several critical logic bugs in a short time with limited resources, and successfully verified all of them. This paper presents a study of the functional verification methodology.

A. H. M. ter Hofstede,M. E. Orlowska,J. Rajapakse

DOI: https://doi.org/10.1016/s0169-023x(97)00032-3

1996-01-01

Abstract:Most of today's business requirements can only be accomplished through integration of various autonomous systems which were initially designed to serve the needs of particular applications. In the literature workflows are proposed to design these kinds of applications. The key tool for designing such applications is a powerful conceptual specification language. Such a language should be capable of capturing interactions and cooperation between component tasks of workflows among others. These include sequential execution, iteration, choice, parallelism and synchronisation. The central focus of this paper is the verification of such process control aspects in conceptual workflow specifications. As is generally agreed upon, that the later in the software development process an error is detected, the more it will cost to correct it; it is thus of vital importance to detect errors as early as possible in the systems-development process. In this paper some typical verification problems in workflow specifications are identified and their complexity is addressed. It will be proven that some fundamental problems are not tractable and we will show what restriction is needed to allow termination problems to be recognized in polynomial time.

Nan Zhang,Zhenhua Duan,Cong Tian,Hongwei Du

DOI: https://doi.org/10.1007/978-3-030-04618-7_7

2018-01-01

Abstract:This paper proposes an approach to verifying context free properties of programs. In this approach, the system to be verified is modeled as a program m in Modeling, Simulation and Verification Language (MSVL), and the desired property is also specified by an MSVL program m′. Then program m and formula ¬m′ are interpreted by means of executing programs m and m′. If an acceptable execution path is generated, a counterexample is found, otherwise the property is valid. To show how the proposed approach works, an example is given.

WAN Liang,SHI Wen-chang,FENG Hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.10.031

2013-01-01

Computer Science

Abstract:With the popularity of multi-core,multi-thread and parallel execution,there is an increasing demand for formal verification of parallel programs.The uncertainty of execution flows in parallel program verification makes it difficult to determine the relation between verification contents and targets.Verifying directly from the parallel programs will lead to large-scale verification.To this end,we proposed a new verification method based on separation logic.On the basis of the feature that the semantics of separation logic's programming language are both interpretive and axiomatic,our method transforms the property formulae to be verified into logical composition expression,and reforms and simplifies them.Then separation logic's axiom system is used to verify the expression and calculate the value of property formulae with verified assertions.Case studies further illustrate that the proposed method is effective and can reduce verification scales.

Raven Beutner

2024-03-06

Abstract:Hyperproperties relate multiple executions of a program and are commonly used to specify security and information-flow policies. Most existing work has focused on the verification of $k$-safety properties, i.e., properties that state that all $k$-tuples of execution traces satisfy a given property. In this paper, we study the automated verification of richer properties that combine universal and existential quantification over executions. Concretely, we consider $\forall^k\exists^l$ properties, which state that for all $k$ executions, there exist $l$ executions that, together, satisfy a property. This captures important non-$k$-safety requirements, including hyperliveness properties such as generalized non-interference, opacity, refinement, and robustness. We design an automated constraint-based algorithm for the verification of $\forall^k\exists^l$ properties. Our algorithm leverages a sound-and-complete program logic and a (parameterized) strongest postcondition computation. We implement our algorithm in a tool called ForEx and report on encouraging experimental results.

Logic in Computer Science,Programming Languages

Shuvendu K. Lahiri

DOI: https://doi.org/10.34727/2024/isbn.978-3-85448-065-5_19

2024-10-16

Abstract:Verification-aware programming languages such as Dafny and F* provide means to formally specify and prove properties of a program. Although the problem of checking an implementation against a specification can be defined mechanically, there is no algorithmic way of ensuring the correctness of the {\it user-intent formalization for programs}, expressed as a formal specification. This is because intent or requirement is expressed {\it informally} in natural language and the specification is a formal artefact. Despite, the advent of large language models (LLMs) has made tremendous strides bridging the gap between informal intent and formal program implementations recently, driven in large parts by benchmarks and automated metrics for evaluation. Recent work has proposed a framework for evaluating the {\it user-intent formalization} problem for mainstream programming languages~\cite{endres-fse24}. However, such an approach does not readily extend to verification-aware languages that support rich specifications (using quantifiers and ghost variables) that cannot be evaluated through dynamic execution. Previous work also required generating program mutants using LLMs to create the benchmark. We advocate an alternate, perhaps simpler approach of {\it symbolically testing specifications} to provide an intuitive metric for evaluating the quality of specifications for verification-aware languages. We demonstrate that our automated metric agrees closely on a human-labeled dataset of Dafny specifications for the popular MBPP code-generation benchmark, yet demonstrates cases where the human labeling is not perfect. We also outline formal verification challenges that need to be addressed to apply the technique more widely. We believe our work provides a stepping stone to enable the establishment of a benchmark and research agenda for the problem of user-intent formalization for programs.

Programming Languages,Machine Learning,Software Engineering