ghosts for lists from axiomatic to executable
play

Ghosts for Lists: from Axiomatic to Executable Specifications - PowerPoint PPT Presentation

Dec 22, 2023 •423 likes •749 views

Ghosts for Lists: from Axiomatic to Executable Specifications Frdric Loulergue Allan Blanchard Nikolai Kosmatov June 29, 2018 @ Tests & Proofs 2018 0/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018 Contents 01.

  1. Ghosts for Lists: from Axiomatic to Executable Specifications Frédéric Loulergue Allan Blanchard Nikolai Kosmatov – June 29, 2018 @ Tests & Proofs 2018 0/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  2. Contents 01. Introduction 02. Ghosts for lists 03. Executable Specifications 04. Conclusion 1/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  3. 01 Introduction 1/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  4. https://vessedia.eu Introduction The Vessedia project EU H2020 Vessedia project aims at making formal methods more usable in the context of the IoT comprises use-cases to evaluate the efficiency of the developed tools and methods Contiki-OS one of the use-cases targeted in Vessedia a lightweight OS for IoT 2/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  5. Introduction A lightweight OS for IoT Contiki is a lightweight operating system for IoT It provides a lot of features: (rudimentary) memory and process management networking stack and cryptographic functions ... Typical hardware platform: 8, 16, or 32-bit MCU (little or big-endian), low-power radio, some sensors and actuators, ... ms Group Note for security: there is no memory protection unit. 3/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  6. Introduction Contiki and Formal Verification When started in 2003, no particular attention to security Later, communication security was added at different layers, via standard protocols such as IPsec or DTLS Security of the so�ware itself did not receive much attention Continuous integration system does not include formal verification > and unit tests are under-represented Today’s talk: the list module of Contiki a critical component of the core part of Contiki many client modules in the whole OS verification performed with Frama-C 4/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  7. Introduction Frama-C at a glance A Framework for Modular Analysis of C code Developed at CEA List Released under LGPL license ACSL annotation language Extensible plugin oriented platform > Collaboration of analyses over same code > Inter plugin communication through ACSL formulas > Adding specialized plugins is easy http://frama-c.com/ [Kirchner et al. FAC 2015] 5/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  8. \valid (p+0..2), \separated (p+0..2,q+0..5), \block_length (p) http://frama-c.com/acsl Introduction ACSL: ANSI/ISO C Specification Language Presentation Based on the notion of contract like in Eiffel, JML Allows users to specify functional properties of programs > Correctness of the specification is crucial > Attacks can exploit every single flaw ⇒ Complete proof is required! Basic Components First-order logic Pure C expressions C types + Z (integer) and R (real) Built-in predicates and logic functions particularly over pointers: \valid (p) , 6/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  9. Introduction Plugin Frama-C/WP WP: A plugin for deductive verification Based on Weakest Precondition calculus [Dijkstra, 1976] Goal: Prove that a given program respects its specification Requires formal specification Capable to formally prove that > each program function always respects its contract > each function call always respects the expected conditions on its inputs > each function call always gives enough guarantees to ensure the caller’s contract > common security related errors (e.g. buffer overflows) can never occur 7/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  10. Introduction Plugin Frama-C/E-ACSL E-ACSL: A plugin for dynamic verification Primary goal: runtime assertion checking Tranlate C + ACSL into C Violated assertion ⇒ generated program fails at runtime Preserves the semantics if all assertions are satisfied A executable subset of ACSL: > bounded quantification > finite ranges and set comprehensions > no inductive predicate > no axiomatic definitions > Not yet supported: - predicate definition - logical function definition - … 8/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  11. 02 Ghosts for lists 8/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  12. Ghosts for lists The LIST module - Overview Provides a generic API for linked lists about 176 LOC (excl. MACROS) required by 32 modules of Contiki more than 250 calls in the core part of Contiki Some special features no dynamic allocation does not allow cycles maintain item unicity 9/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  13. struct list { void * list_pop (list_t pLst); void list_copy(list_t dest, list_t src); void list_insert(list_t pLst, void *previtem, void *newitem); void list_remove(list_t pLst, void *item); void list_add(list_t pLst, void *item); struct list *next; void list_push(list_t pLst, void *item); void * list_chop(list_t pLst); void * list_item_next(void *item); void * list_tail(list_t pLst); void * list_head(list_t pLst); list_length(list_t pLst); int void list_init(list_t pLst); typedef struct list ** list_t; }; Ghosts for lists The LIST module - A rich API Observers Update list beginning Update list end Update list anywhere 10/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  14. Ghosts for lists Formalization approach - Overview We maintain a ghost array that stores the addresses of the different list elements. Ghost code index index+n-1 cArr &A &B &C &D &E A pLst root B C D E &root &A &B &C &D &E bound Actual code 11/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  15. } linked_n(root, cArr, index, n, bound); linked_n(root->next, cArr, index + 1, n - 1, bound) ==> /*indexes properties*/ ==> \valid(root) ==> root == cArr[index] ==> \forall struct list *root, **cArr, *bound, integer index, n; case linked_n_cons{L}: // ... integer index, integer n, struct list *bound) { inductive linked_n{L}(struct list *root, struct list **cArr, Ghosts for lists Formalization approach - Induction Ghost code index cArr &A &B &C &D &E root A B C D E &A &B &C &D &E bound Actual code 12/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  16. integer index, integer n, struct list *bound) { inductive linked_n{L}(struct list *root, struct list **cArr, case linked_n_bound{L}: \forall struct list **cArr, *bound, integer index; 0 <= index <= MAX_SIZE ==> linked_n(bound, cArr, index, 0, bound); // ... } Ghosts for lists Formalization approach - Base case Ghost code cArr root bound Actual code 13/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  17. predicate unchanged{L1,L2}(struct list **array, int idx, int sz)= \forall integer i ; idx <= i < idx+sz ==> \at(array[i]->next, L1) == \at(array[i]->next, L2); Ghosts for lists Formalization approach - Advantages As long as we maintain the linked_n invariant, we can easily reason about the content of the list: While we have to update the array accordingly when the list is modified Set of lemmas (proved in Coq) to leverage automated verification 14/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  18. Ghosts for lists Results Written specification and ghost code > 46 lines for ghost functions > 500 lines for contracts > 240 lines for logic definitions and lemmas > 650 lines of other annotations It generates 798 proof obligations > 772 (96.7%) are automatically discharged by SMT solvers > 24 are lemmas proved with Coq > 2 assertions proved with Coq > 2 assertions proved using TIP Bug found More details: NFM’18 doi:10.1007/978-3-319-77935-5_3 Problem: not executable 15/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  19. 03 Executable Specifications 15/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  20. Executable Specifications Main Idea Remove ACSL features that are not supported by E-ACSL Replace it with semantically equivalent (in principle) supported ones Workaround for features not completely supported 16/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  21. Executable Specifications Constraints for Execution E-ACSL subset of ACSL No inductive predicates: linked_N is inductive No axiomatic function: index_of is axiomatic E-ACSL subset not supported and workarounds Non inductive predicates: inlining is a workaround Functions: > inlining is Ok for non recursive functions > C assertions added in the code for recursive functions as a workaround 17/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

  22. Executable Specifications Main Idea in Practice Replace inductive predicate by: > a non inductive predicate > using a recursive logical function Replace axiomatic functions by logical functions Write a non logical C function expected to be equivalent Prove the equivalence with non logical C functions Inline the non inductive predicate hand coded calls to the C functions 18/21 - F.Loulergue, A.Blanchard, N.Kosmatov - June 29, 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard Nikolai Kosmatov Frdric Loulergue April 10, 2019 @ SAC-SVT 2019 0/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019 Motivation

831 views • 31 slides
EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and

EXECUTABLE UML AND MBSE What Executable UML does, how it is totally di ff erent from UML, and how it fits with other Executable languages Leon Starr leon_starr@modelint.com MODEL INTEGRATION LLC www.modelint.com 1 LiU Seminar xUML MBSE -

527 views • 39 slides
Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
9 Axiomatic semantics 9 .1 OVERVIEW As introduced in chapter 4, the axiomatic method expresses

9 Axiomatic semantics 9 .1 OVERVIEW As introduced in chapter 4, the axiomatic method expresses

9 Axiomatic semantics 9 .1 OVERVIEW As introduced in chapter 4, the axiomatic method expresses the semantics of a programming language by associating with the language a mathematical theory fo r p roving properties of programs written in

1.02k views • 98 slides
Impacting Culture through Communication Saft World Class Strategy 1. Overcoming Ghosts of

Impacting Culture through Communication Saft World Class Strategy 1. Overcoming Ghosts of

Impacting Culture through Communication Saft World Class Strategy 1. Overcoming Ghosts of the Past Misconceptions, Misunderstandings &amp; Myths 2. Lean Reawakening 3. Nurturing Lean Growth 2 New mention Ghosts of the

383 views • 26 slides
GHOSTS M101 using Resolved Stars 70 kpc g =30 mag/'' 2 F9 F8 F5 F1 F4 F7 F6 F2 F3

GHOSTS M101 using Resolved Stars 70 kpc g =30 mag/'' 2 F9 F8 F5 F1 F4 F7 F6 F2 F3

Quantifying the Faint Outskirts of GHOSTS M101 using Resolved Stars 70 kpc g =30 mag/'' 2 F9 F8 F5 F1 F4 F7 F6 F2 F3 g-band, Dragonfly array In Sung Jang (AIP) Roelof de Jong Benne Holwerda Antonela Monachesi Eric Bell Jeremy

298 views • 5 slides
People with Pain are like Ghosts None see them and None see their Disability WHO

People with Pain are like Ghosts None see them and None see their Disability WHO

There is an Epidemic Morbus named Chronic Pain But People with Pain are like Ghosts None see them and None see their Disability WHO declaration,1948 Health is not merely the absence of disease

265 views • 14 slides
More lists Readings: HtDP , sections 11, 12, 13 (Intermezzo 2). Topics: Sorting a list List

More lists Readings: HtDP , sections 11, 12, 13 (Intermezzo 2). Topics: Sorting a list List

More lists Readings: HtDP , sections 11, 12, 13 (Intermezzo 2). Topics: Sorting a list List abbreviations Lists containing lists Dictionaries and association lists Lists of lists as 2D data Processing two lists simultaneously Consuming a

712 views • 25 slides
The manifestation of Hilberts Nullstellensatz in Lawveres Axiomatic Cohesion Mat as

The manifestation of Hilberts Nullstellensatz in Lawveres Axiomatic Cohesion Mat as

The manifestation of Hilberts Nullstellensatz in Lawveres Axiomatic Cohesion Mat as Menni Conicet and Universidad Nacional de La Plata - Argentina The Nullstellenzatz in Axiomatic Cohesion p. 1/17 A science of cohesion An

940 views • 59 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
O. Kosmachev INTRODUCTION Necessity of conversion to axiomatics. What means axiomatic-like

O. Kosmachev INTRODUCTION Necessity of conversion to axiomatics. What means axiomatic-like

THE LEPTON SECTOR AS AN AXIOMATIC-LIKE CONSTRUCTION O. Kosmachev INTRODUCTION Necessity of conversion to axiomatics. What means axiomatic-like construction? Unique approach and unification of mathematical formalism. STABLE LEPTONS

164 views • 15 slides
Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models For design, prototyping, analysis. To clarify ideas, squash insidious bugs early on many bugs / flaws can be found by just formalizing

669 views • 50 slides
An axiomatic divisibility theory for commutative rings .c Pha .m Ngo Anh R enyi

An axiomatic divisibility theory for commutative rings .c Pha .m Ngo Anh R enyi

Motivation and Aim Divisibility theory and unique generation Bezout monoids as an axiomatic divisibility theory Representation theo An axiomatic divisibility theory for commutative rings .c Pha .m Ngo Anh R enyi Institute, Hungary

527 views • 36 slides
Red Lists and Red Books in Poland Main characteristics: 1. Red Lists lists of species with

Red Lists and Red Books in Poland Main characteristics: 1. Red Lists lists of species with

Red Lists and Red Books in Poland Main characteristics: 1. Red Lists lists of species with threat category 2. Red Books list of species with much more information on the species (distribution, habitat, morphology, ecology, maps etc.) 3.

294 views • 4 slides
WELCOME!! GHOSTS AND GOBLINS ARE SC SCAR ARY. QUICKBOOKS DOESNT HAVE TO BE! Presented by our

WELCOME!! GHOSTS AND GOBLINS ARE SC SCAR ARY. QUICKBOOKS DOESNT HAVE TO BE! Presented by our

WELCOME!! GHOSTS AND GOBLINS ARE SC SCAR ARY. QUICKBOOKS DOESNT HAVE TO BE! Presented by our QuickBooks experts Becky Miller, Anne Becker, Lauren Brothen, and Christina Hess J AMES H AMLIN&amp; C O .,P .C. CPAs &amp; Business Advisors

473 views • 29 slides
Lecture 2: Axiomatic semantics Reading assignment for next week Ariane paper and response (see

Lecture 2: Axiomatic semantics Reading assignment for next week Ariane paper and response (see

Chair of Software Engineering Trusted Components Prof. Dr. Bertrand Meyer Lecture 2: Axiomatic semantics Reading assignment for next week Ariane paper and response (see course page) Axiomatic semantics chapter in Introduction to the

628 views • 30 slides
JML Model Fields Christian Engel ITI, Universit at Karlsruhe 08. Juni 2005 Christian Engel

JML Model Fields Christian Engel ITI, Universit at Karlsruhe 08. Juni 2005 Christian Engel

JML What are model fields? Translation to JavaDL Demo JML Model Fields Christian Engel ITI, Universit at Karlsruhe 08. Juni 2005 Christian Engel JML Model Fields JML What are model fields? Translation to JavaDL Demo Outline JML 1

563 views • 29 slides
Justification Logic Who? Natalia Kotsani - based on the work of S. Artemov (The Logic of

Justification Logic Who? Natalia Kotsani - based on the work of S. Artemov (The Logic of

Justification Logic Who? Natalia Kotsani - based on the work of S. Artemov (The Logic of Justification, 2008) When? 28 November 2012 Table of contents 3.Basic Systems Justification Logic J 0 Logical Awareness Constants Specification Basic

293 views • 15 slides
Formal Specification with Z ch ? = right arrow Software Engineering Software Engineering right

Formal Specification with Z ch ? = right arrow Software Engineering Software Engineering right

These slides are based on Jonathan Jackys The Way of Z Forward Editor ch ? : CHAR Formal Specification with Z ch ? = right arrow Software Engineering Software Engineering right = Andreas Zeller Saarland University

417 views • 24 slides
Techniques for the system requirements unambiguous To describe the use of algebraic

Techniques for the system requirements unambiguous To describe the use of algebraic

Formal Specification Objectives To explain why formal specification techniques help discover problems in Techniques for the system requirements unambiguous To describe the use of algebraic techniques for interface specification of

69 views • 6 slides
An Axiomatic Approach to Liveness for Differential Equations Yong Kiam Tan Andr e Platzer

An Axiomatic Approach to Liveness for Differential Equations Yong Kiam Tan Andr e Platzer

An Axiomatic Approach to Liveness for Differential Equations Yong Kiam Tan Andr e Platzer Computer Science Department, Carnegie Mellon University FM, 10th Oct 2019 1 Outline Motivation 1 Logical Approach to ODE Liveness 2 Concrete

1.09k views • 63 slides
Operational Semantics This course Why semantics? y := 1; precise specification of software

Operational Semantics This course Why semantics? y := 1; precise specification of software

Operational Semantics This course Why semantics? y := 1; precise specification of software and while ( x = 1) do ( y := x y ; x := x 1) hardware First we assign 1 to y , then we test whether facilitate reasoning about systems:

355 views • 10 slides
Programming Language Elements for Correctness Proofs Gergely Dvai ELTE University, Budapest

Programming Language Elements for Correctness Proofs Gergely Dvai ELTE University, Budapest

Programming Language Elements for Correctness Proofs Gergely Dvai ELTE University, Budapest Department of Programming Languages and Compilers Supervisor: Dr. Zoltn Csrnyei Motivation A considerable part of software products' life

204 views • 19 slides
Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For the system user: specification captures the properties of the system the user can rely on. For the system developer: specification captures all the

297 views • 26 slides

More recommend