how much is a mechanized proof worth certification wise
play

How much is a mechanized proof worth, certification-wise? Xavier - PowerPoint PPT Presentation

Jun 13, 2023 •524 likes •890 views

How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt PiP 2014: Principles in Practice In this talk. . . Some feedback from the aircraft industry concerning the potential usefulness of the CompCert

  1. How much is a mechanized proof worth, certification-wise? Xavier Leroy Inria Paris-Rocquencourt PiP 2014: Principles in Practice

  2. In this talk. . . Some feedback from the aircraft industry concerning the potential usefulness of the CompCert formally-verified C compiler.

  3. The initial plan Executable model Model checking (Simulink, SCADE) code generator Program Source code (C) proof compiler Executable Static analysis machine code “Pitch” CompCert and its proof as a radical way to • establish confidence in the C → asm compilation process; • preserve guarantees obtained by C-level formal verification.

  4. Things not to say when pitching your research to the critical software industry “It’s obviously the right thing to do.” (So you say. Have you ever built an airplane?)

  5. Things not to say when pitching your research to the critical software industry “It’s obviously the right thing to do.” (So you say. Have you ever built an airplane?) “The maths are beautiful.” (We are into business, not aesthetics.)

  6. Things not to say when pitching your research to the critical software industry “It’s obviously the right thing to do.” (So you say. Have you ever built an airplane?) “The maths are beautiful.” (We are into business, not aesthetics.) “You’ll get stronger guarantees this way than by testing.” (Our avionics software has no known flaws.) (Besides, we perfected testing to an art.)

  7. From unit tests. . . double max(double x, double y) { if (x >= y) return x; else return y; } max(0,0) = 0 max(1,-1) = 1 max(0,1) = 1 max(1,3.14) = 3.14 max(0,-1) = 0 max(1,inf) = inf max(0,3.14) = 3.14 max(inf,0) = inf max(0,inf) = inf max(inf,-inf) = inf max(0,-inf) = 0 max(nan,0) = 0 max(1,0) = 1 max(0,nan) = nan max(1,1) = 1 (Note: this is where Airbus uses Caveat for “unit proofs”.)

  8. . . . to integration tests. . .

  9. . . . to exploration on an Iron Bird. . .

  10. . . . to test flights

  11. Things you might say when pitching your research to the critical software industry “You’ll get evidence that is complementary to testing.” (Asymmetric redundancy is good!)

  12. Things you might say when pitching your research to the critical software industry “You’ll get evidence that is complementary to testing.” (Asymmetric redundancy is good!) “You could save money on testing.” (Unit testing is costly, indeed.)

  13. Things you might say when pitching your research to the critical software industry “You’ll get evidence that is complementary to testing.” (Asymmetric redundancy is good!) “You could save money on testing.” (Unit testing is costly, indeed.) “You could save time on re-testing after changes” (We must sometimes react quicky, indeed.)

  14. Things you might say when pitching your research to the critical software industry “You’ll get evidence that is complementary to testing.” (Asymmetric redundancy is good!) “You could save money on testing.” (Unit testing is costly, indeed.) “You could save time on re-testing after changes” (We must sometimes react quicky, indeed.) “You could gain performance by using better algorithms that you could not test well enough.” (We have performance issues, indeed.)

  15. Things you will hear when pitching your research to the critical software industry Maybe your stuff has some value. But do you have a certification plan? Huh? It’s proved in Coq! A formal verification is not a certification.

  16. Certification Awarded by certification authorities (FAA, EASA) following domain-specific regulations, e.g. DO-178C for avionics ( Software Considerations in Airborne Systems and Equipment Certification ) . DO-178C specifies: • several levels of assurance; • the corresponding requirements to meet; • the verification activities to conduct; • but not any particular technology (prog. lang., tools, etc).

  17. DO-178C process and traceability ( c � Steven H. VanderLeest, CC-BY-SA 3.0)

  18. Verification techniques Three major kinds: • Reviews (qualitative) • Analyses (quantitative) • Testing. Analyses welcome maths & physics: • High levels: aerodynamics, control theory. • Low levels: use of software verification tools (e.g. static analyzers, deductive program provers). But: tools must be qualified to get certification credit.

  19. Tool qualification (DO-330) Purpose: obtain appropriate assurance that the tools are at least as dependable as the manual processes that they are replacing. • Criteria 1: a tool whose output is part of the airborne software and thus could insert an error. • Criteria 2: a tool that automates verification processes and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of other verification or development processes. • Criteria 3: a tool that could fail to detect an error. Determines how stringent the tool qualification is: Criteria Software Level 1 2 3 A TQL-1 TQL-4 TQL-5 B TQL-2 TQL-4 TQL-5 C TQL-3 TQL-5 TQL-5 D TQL-4 TQL-5 TQL-5

  20. How much is CompCert’s proof worth, certification/qualification-wise? (A very hypothetical question: qualification of a C compiler has never been attempted before, and might not be economically viable.) At first sight, a plausible match: Coq specifications ≈ parts of the high-level requirements Coq functions ≈ parts of the low-level requirements Coq proofs ≈ automated verification activity But this leaves many things unaccounted for. . .

  21. The formally-verified part of CompCert type elimination side-effects out CompCert C Clight C # minor of expressions loop simplifications stack allocation Optimizations: constant prop., CSE, of “&” variables inlining, tail calls CFG construction instruction RTL CminorSel Cminor expr. decomp. selection register allocation (IRC) calling conventions linearization layout of LTL Linear Mach of the CFG stack frames asm code generation Asm x86 Asm ARM Asm PPC

  22. The formally-verified part of CompCert The high-level specifications comprise: • Operational semantics of CompCert C (big, complex) • Operational semantics of PowerPC Asm (large, simple) • The statement of semantic preservation: simulation diagram or (simpler) inclusion between whole-program behaviors. • Supporting theories: machine integers, floats, memory model, I/O model.

  23. The formally-verified part of CompCert Thanks to the proof, no need to talk about: • Intermediate languages. • Compilation algorithms. • Optimizations and their supporting static analyses. (Note: optimizations, being context-dependent, cannot be validated by traditional testing.) “Draw me a compiler.” “The compiler is in this box.”

  24. Validating an operational semantics Most plausible approach: testing on an executable form of the semantics. The CompCert C reference interpreter: Coq functions that are proved equivalent to one-step transitions. (Approach suggested by Brian Campbell.) Other techniques: PLT Redex, Ott, Jakarta, . . . Example of use: 3-way differential random testing with Csmith (CompCert interpreter / CompCert compiler / GCC). (But: no value for certification.)

  25. The full CompCert compiler preprocessing, parsing, construction of an AST C source AST C elaboration, type-checking, de-sugaring Verified compiler Type reconstruction Register allocation Code linearization heuristics assembling printing of Assembly Executable AST Asm asm syntax linking Not proved Proved in Coq Verification needed (hand-written in Caml) (extracted to Caml) No verification needed

  26. What to do with the unproved parts? Assembly and linking: • An unverified validation tool that matches the ELF executable against the Asm AST. From C source to CompCert C AST: • Testing? (mostly compositional transformations) • Proving more things? (e.g. lexing and parsing) • Lack of high-level formal specifications.

  27. When spec = implementation. . . Example: interpreting the “tag soup” (G. Necula). volatile long unsigned inline long static * const f(void) { ... } → Function declaration: name: f storage class: static inline: true result type: TPtr(TInt(IULongLong, volatile), const) parameters: none varargs: no body: . . .

  28. Trusting Coq As a verification tool: • The “de Bruijn” architecture is appreciated (production of independently-checkable proof terms). • Multiple independent checkers would be a big plus (e.g. coqchk that works and is developed independently). As a code generation tool: (extraction) • Highly suspect. • Manual review of extracted Caml code probably needed. Doubts on the OCaml compiler and runtime: • A simplified version used in Scade KCG6, passed level-A qualification. • Multiple implementations could help (e.g. OCamlJava, F#).

  29. Various cognitive dissonances DO-178 traceability = refinement ∧ no additional functionality. vs. Soundness proofs cannot show that no dead code was introduced.

  30. Various cognitive dissonances DO-178 traceability = refinement ∧ no additional functionality. vs. Soundness proofs cannot show that no dead code was introduced. Good mathematical style: define things then immediately prove some properties about them. vs. Orthodox V&V practice: development and verification are distinct activities, preferably done by different teams.

  31. Concluding remarks A formal verification is not a certification.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How much is CompCerts proof worth, qualification-wise? Xavier Leroy Inria Paris-Rocquencourt

How much is CompCerts proof worth, qualification-wise? Xavier Leroy Inria Paris-Rocquencourt

How much is CompCerts proof worth, qualification-wise? Xavier Leroy Inria Paris-Rocquencourt Dagstuhl seminar Qualification of FM tools, April 2015 1 / 29 In this talk Some thoughts on taking advantage of CompCerts correctness

348 views • 32 slides
A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A.

A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A.

A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A. Papakyriakou Prodromos E. Gerakios Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering

613 views • 39 slides
A Mechanized Proof of Higmans Lemma by Open Induction Christian Sternagel University of

A Mechanized Proof of Higmans Lemma by Open Induction Christian Sternagel University of

A Mechanized Proof of Higmans Lemma by Open Induction Christian Sternagel University of Innsbruck, Austria January 18, 2016 Dagstuhl Seminar 16031 Well-Quasi-Orders in Computer Science Supported by the Austrian Science Fund (FWF):

833 views • 69 slides
A Mechanized Proof of the Curve Length of a Rectifiable Curve Jagadish Bapanapally and Ruben

A Mechanized Proof of the Curve Length of a Rectifiable Curve Jagadish Bapanapally and Ruben

A Mechanized Proof of the Curve Length of a Rectifiable Curve Jagadish Bapanapally and Ruben Gamboa ACL2 Workshop 2017 May 23, 2017 Theory L n i =1 | P i P i 1 | Deriving length of a continuously differentiable curve n L =

568 views • 24 slides
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

Introduction Using CryptoVerif Proof technique Enc-then-MAC example FDH example Conclusion CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, Ecole Normale Sup erieure, INRIA,

972 views • 78 slides
Combination and certification of proof tools John Harrison Intel Corporation 30th October 2013

Combination and certification of proof tools John Harrison Intel Corporation 30th October 2013

Combination and certification of proof tools John Harrison Intel Corporation 30th October 2013 (11:0012:00) Summary of talk Motivation for combining proof tools Intel verification work The Flyspeck project Combining tools and

670 views • 51 slides
Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of

Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of

Masters Thesis Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of Freiburg Department of Computer Science Programming Languages Chair September 1, 2019 Hannes Saffrich Mechanized Type

1.03k views • 39 slides
Taking the machine seriously. A study of mechanized mathematics Liesbeth De Mol Centre for

Taking the machine seriously. A study of mechanized mathematics Liesbeth De Mol Centre for

Taking the machine seriously. A study of mechanized mathematics L. De Mol Taking the machine seriously. A study of mechanized mathematics Liesbeth De Mol Centre for Logic and Philosophy of Science, Belgium elizabeth.demol@ugent.be

969 views • 57 slides
Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity

Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity

Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SRI Mechanized Analysis: 1

433 views • 20 slides
WE ARE ASEFA 2 ASEFA A SEFA is internationally recognized Certification Body for

WE ARE ASEFA 2 ASEFA A SEFA is internationally recognized Certification Body for

1 WE ARE ASEFA 2 ASEFA A SEFA is internationally recognized Certification Body for certification of your electrical products. ASEFA can satisfy all your needs by providing you a solid proof of quality and conformity of your products thanks

361 views • 23 slides
The Design and Implementation of the WISE Science Data System Roc Cutri and the IPAC/WISE Team The

The Design and Implementation of the WISE Science Data System Roc Cutri and the IPAC/WISE Team The

The Design and Implementation of the WISE Science Data System Roc Cutri and the IPAC/WISE Team The IPAC WISE/NEOWISE/IRSA Team Jennifer Herstein Ramon Rey Rosemary Alles Doug Hoffman Trey Roby James Bauer Tom Jarrett Scott Terek Ron Beck Davy

574 views • 32 slides
1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO APPLY TO WRITE Once you have logged into the Then under Certification The Certification committee Application Forms may be CAPLA website using

687 views • 37 slides
Fort Worth Public Art a City of Fort Worth Program Fort Worth Public Art (FWPA) FWPA

Fort Worth Public Art a City of Fort Worth Program Fort Worth Public Art (FWPA) FWPA

Fort Worth Public Art a City of Fort Worth Program Fort Worth Public Art (FWPA) FWPA established by City Ordinance in 2001 Funded by 2% of Bond Programs (Streets and Transportation 1%) City Council-appointed Fort Worth Art Commission

163 views • 15 slides
Water Wise NOLA Water Wise NOLA works in collaboration to advance Green Infrastructure by

Water Wise NOLA Water Wise NOLA works in collaboration to advance Green Infrastructure by

Water Wise NOLA Water Wise NOLA works in collaboration to advance Green Infrastructure by promoting awareness and opportunities through educational, experiential, community-driven design and DIY-based applications. Representatives of Water Wise

401 views • 18 slides
Logik Cafe, Vienna 23 May 2016 Mechanized Analysis of Reconstructions of Anselms Ontological

Logik Cafe, Vienna 23 May 2016 Mechanized Analysis of Reconstructions of Anselms Ontological

Logik Cafe, Vienna 23 May 2016 Mechanized Analysis of Reconstructions of Anselms Ontological Argument John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Mechanized Ontological Argument

764 views • 42 slides
IO monad Imperative programming in Haskell Deian Stefan (adopted from my & Edward Yangs

IO monad Imperative programming in Haskell Deian Stefan (adopted from my & Edward Yangs

IO monad Imperative programming in Haskell Deian Stefan (adopted from my & Edward Yangs CSE242 slides) Can we do IO as usual? ls :: [(), ()] ls = [putChar x, putChar y] Is this okay? A: yes, B: no Laziness gets in the way?

200 views • 18 slides
Metaprogramming November 29, 2017 Todays goals Seeing the diversity of tools for

Metaprogramming November 29, 2017 Todays goals Seeing the diversity of tools for

CS 242 Metaprogramming November 29, 2017 Todays goals Seeing the diversity of tools for generating code Understanding the use cases for metaprogramming Formalizing a structured taxonomy of metaprogramming CODE is DATA

517 views • 18 slides
strt t rs

strt t rs

strt t rs t t rst st rtr P

2.23k views • 198 slides
Objects & Inheritance Section 7 Implementing Objects in 401 Ways of implementing objects:

Objects & Inheritance Section 7 Implementing Objects in 401 Ways of implementing objects:

Objects & Inheritance Section 7 Implementing Objects in 401 Ways of implementing objects: Use closures as objects Use tables as objects Closures as Objects Datatype name Datatype fields function myObject (field1, field2,

265 views • 10 slides
Restoring Natural Language as a Computerised Mathematics Input Method Robert Lamar joint work

Restoring Natural Language as a Computerised Mathematics Input Method Robert Lamar joint work

Restoring Natural Language as a Computerised Mathematics Input Method Robert Lamar joint work with Fairouz Kamareddine Manuel Maarek J. B. Wells ULTRA group, Heriot-Watt University http://www.macs.hw.ac.uk/ultra/ 30 June 2007 Mathematical

752 views • 43 slides
Validating LR (1) parsers Jacques-Henri Jourdan Fran cois Pottier Xavier Leroy INRIA

Validating LR (1) parsers Jacques-Henri Jourdan Fran cois Pottier Xavier Leroy INRIA

Validating LR (1) parsers Jacques-Henri Jourdan Fran cois Pottier Xavier Leroy INRIA Paris-Rocquencourt, projet Gallium IFIP WG 2.8, Nov 2012 Parsing: recap text abstract or syntax tree token stream 1 + 2 3 + 1 2 3

658 views • 34 slides
Monads in Scala 1 / 13 Functors A functor is a container type that supports map ping over its

Monads in Scala 1 / 13 Functors A functor is a container type that supports map ping over its

Monads in Scala 1 / 13 Functors A functor is a container type that supports map ping over its contents. 1 List is functor: 1 List(1, 2, 3).map((x: Int) => x.toString) == List("1", "2", "3") As a conceptual

243 views • 13 slides
Trust in programming tools: the formal verification of compilers and static analysers Xavier

Trust in programming tools: the formal verification of compilers and static analysers Xavier

Trust in programming tools: the formal verification of compilers and static analysers Xavier Leroy Inria Paris Verified trustworthy software systems, April 2016 X. Leroy (Inria) Trust in tools 2016-04-05 1 / 35 Tool-assisted formal

731 views • 52 slides

More recommend