towards secure things or how to verify iot software with
play

Towards Secure Things, or How to Verify IoT Software with Frama-C - PowerPoint PPT Presentation

Apr 28, 2023 •272 likes •1.79k views

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr,

  1. Verification of absence of runtime errors using EVA Presentation of EVA Value Analysis Overview Compute possible values of variables at each program point ◮ an automatic analysis ◮ based on abstract interpretation ◮ produces a correct over-approximation ◮ reports alarms for potentially invalid operations ◮ reports alarms for potentially invalid ACSL annotations ◮ can prove the absence of runtime errors ◮ graphical interface: displays the domains of each variable A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 16 / 115

  2. Verification of absence of runtime errors using EVA Presentation of EVA Domains of Value Analysis ◮ Historical domains ◮ small sets of integers, e.g. { 5 , 18 , 42 } ◮ reduced product of intervals: quick to compute, e.g. [1 .. 41] ◮ modulo: pretty good for arrays of structures, e.g. [1 .. 41] , 1%2 ◮ precise representation of pointers, e.g. 32-bit aligned offset from & t [0] ◮ initialization information ◮ Eva, Evolved Value Analysis ◮ more generic and extensible domains ◮ possible to add new, or combine domains A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 17 / 115

  3. Verification of absence of runtime errors using EVA Simple Examples Outline Introduction Verification of absence of runtime errors using EVA Presentation of EVA Simple Examples An application to Contiki Deductive verification using WP Runtime Verification using E-ACSL Conclusion A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 18 / 115

  4. Verification of absence of runtime errors using EVA Simple Examples Example 1 Run Eva: frama-c-gui div1.c -val -main=f int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; y = 0; }else{ x = 5; y = 5; } sum = x + y; // sum can be 0 result = 10/ sum; // risk of division by 0 return result; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 19 / 115

  5. Verification of absence of runtime errors using EVA Simple Examples Example 1 Run Eva: frama-c-gui div1.c -val -main=f int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; y = 0; }else{ x = 5; y = 5; } sum = x + y; // sum can be 0 result = 10/ sum; // risk of division by 0 return result; } Risk of division by 0 is detected, it is real. A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 19 / 115

  6. Verification of absence of runtime errors using EVA Simple Examples Example 2 Run Eva: frama-c-gui div2.c -val -main=f int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; y = 5; }else{ x = 5; y = 0; } sum = x + y; // sum cannot be 0 result = 10/ sum; // no div. by 0 return result; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 20 / 115

  7. Verification of absence of runtime errors using EVA Simple Examples Example 2 Run Eva: frama-c-gui div2.c -val -main=f int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; y = 5; }else{ x = 5; y = 0; } sum = x + y; // sum cannot be 0 result = 10/ sum; // no div. by 0 return result; } Risk of division by 0 is detected, but it is a false alarm. A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 20 / 115

  8. Verification of absence of runtime errors using EVA Simple Examples Eva Parameterization ◮ Eva is automatic, but can be imprecise due to overapproximation ◮ a fine-tuned parameterization for a trade-off precision / efficiency ◮ One useful option: slevel n ◮ keep up to n states in parallel during the analysis ◮ different slevel’s can be set for specific functions or loops A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 21 / 115

  9. Verification of absence of runtime errors using EVA Simple Examples Example 2, cont’d Run Eva: frama-c-gui div2.c -val -main=f -slevel 2 int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; y = 5; }else{ x = 5; y = 0; } sum = x + y; // sum cannot be 0 result = 10/ sum; // no div. by 0 return result; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 22 / 115

  10. Verification of absence of runtime errors using EVA Simple Examples Example 2, cont’d Run Eva: frama-c-gui div2.c -val -main=f -slevel 2 int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; y = 5; }else{ x = 5; y = 0; } sum = x + y; // sum cannot be 0 result = 10/ sum; // no div. by 0 return result; } Absence of division by 0 is proved, no false alarm. A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 22 / 115

  11. Verification of absence of runtime errors using EVA Simple Examples Example 3 Run Eva: frama-c-gui div3.c -val -main=f int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; //y = 5; }else{ x = 5; y = 0; } sum = x + y; // y can be non -initialized result = 10/ sum; return result; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 23 / 115

  12. Verification of absence of runtime errors using EVA Simple Examples Example 3 Run Eva: frama-c-gui div3.c -val -main=f int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; //y = 5; }else{ x = 5; y = 0; } sum = x + y; // y can be non -initialized result = 10/ sum; return result; } Alarm on initialization of y is reported. A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 23 / 115

  13. Verification of absence of runtime errors using EVA Simple Examples Example 3, cont’d Run Eva: frama-c-gui div3.c -val -main=f -slevel 2 int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; //y = 5; }else{ x = 5; y = 0; } sum = x + y; // y can be non -initialized result = 10/ sum; return result; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 24 / 115

  14. Verification of absence of runtime errors using EVA Simple Examples Example 3, cont’d Run Eva: frama-c-gui div3.c -val -main=f -slevel 2 int f ( int a ) { int x, y; int sum , result; if(a == 0){ x = 0; //y = 5; }else{ x = 5; y = 0; } sum = x + y; // y can be non -initialized result = 10/ sum; return result; } Alarm on initialization of y is reported, even with a bigger slevel A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 24 / 115

  15. Verification of absence of runtime errors using EVA Simple Examples Example 4 Run Eva: frama-c-gui sqrt.c -val #include ” f c b u i l t i n . h” i n t A, B; i n t root ( i n t N) { i n t R = 0; while ( ( (R+1) ∗ (R+1)) < = N) { R = R + 1; } return R; } void main ( void ) { A = F r a m a C i n t e r v a l ( 0 , 6 4 ) ; B = root (A) ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 25 / 115

  16. Verification of absence of runtime errors using EVA Simple Examples Example 4 Run Eva: frama-c-gui sqrt.c -val #include ” f c b u i l t i n . h” i n t A, B; i n t root ( i n t N) { i n t R = 0; while ( ( (R+1) ∗ (R+1)) < = N) { R = R + 1; } return R; } void main ( void ) { A = F r a m a C i n t e r v a l ( 0 , 6 4 ) ; B = root (A) ; } Risk of arithmetic overflows is reported A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 25 / 115

  17. Verification of absence of runtime errors using EVA Simple Examples Example 4, cont’d Run Eva: frama-c-gui sqrt.c -val -slevel 8 #include ” f c b u i l t i n . h” i n t A, B; i n t root ( i n t N) { i n t R = 0; while ( ( (R+1) ∗ (R+1)) < = N) { R = R + 1; } return R; } void main ( void ) { A = F r a m a C i n t e r v a l ( 0 , 6 4 ) ; B = root (A) ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 26 / 115

  18. Verification of absence of runtime errors using EVA Simple Examples Example 4, cont’d Run Eva: frama-c-gui sqrt.c -val -slevel 8 #include ” f c b u i l t i n . h” i n t A, B; i n t root ( i n t N) { i n t R = 0; while ( ( (R+1) ∗ (R+1)) < = N) { R = R + 1; } return R; } void main ( void ) { A = F r a m a C i n t e r v a l ( 0 , 6 4 ) ; B = root (A) ; } Absence of overflows is proved with a bigger slevel A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 26 / 115

  19. Verification of absence of runtime errors using EVA Simple Examples Example 5 Run Eva: frama-c-gui pointer1.c -val #include ” s t d l i b . h” int main(void ){ int *p; if( p ) *p = 10; return 0; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 27 / 115

  20. Verification of absence of runtime errors using EVA Simple Examples Example 5 Run Eva: frama-c-gui pointer1.c -val #include ” s t d l i b . h” int main(void ){ int *p; if( p ) *p = 10; return 0; } Alarm on initialization of p is reported A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 27 / 115

  21. Verification of absence of runtime errors using EVA Simple Examples Example 6 Run Eva: frama-c-gui pointer2.c -val #include ” s t d l i b . h” int main(void ){ int * p = (int*) malloc(sizeof(int )); *p = 10; return 0; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 28 / 115

  22. Verification of absence of runtime errors using EVA Simple Examples Example 6 Run Eva: frama-c-gui pointer2.c -val #include ” s t d l i b . h” int main(void ){ int * p = (int*) malloc(sizeof(int )); *p = 10; return 0; } Alarm on validity of p is reported A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 28 / 115

  23. Verification of absence of runtime errors using EVA Simple Examples Example 7 Run Eva: frama-c-gui pointer3.c -val #include ” s t d l i b . h” int main(void ){ int * p = (int*) malloc(sizeof(int )); if( p ) *p = 10; return 0; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 29 / 115

  24. Verification of absence of runtime errors using EVA Simple Examples Example 7 Run Eva: frama-c-gui pointer3.c -val #include ” s t d l i b . h” int main(void ){ int * p = (int*) malloc(sizeof(int )); if( p ) *p = 10; return 0; } Absence of runtime errors is proved A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 29 / 115

  25. Verification of absence of runtime errors using EVA An application to Contiki Outline Introduction Verification of absence of runtime errors using EVA Presentation of EVA Simple Examples An application to Contiki Deductive verification using WP Runtime Verification using E-ACSL Conclusion A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 30 / 115

  26. Verification of absence of runtime errors using EVA An application to Contiki Overview of the aes-ccm Modules ◮ Critical! – Used for communication security ◮ end-to-end confidentiality and integrity ◮ Advanced Encryption Standard (AES): a symmetric encryption algo. ◮ AES replaced in 2002 Data Encryption Standard (DES) ◮ Modular API – independent from the OS ◮ Two modules: ◮ AES-128 ◮ AES-CCM* block cypher mode ◮ A few hundreds of LoC ◮ High complexity crypto code ◮ Intensive integer arithmetics ◮ Intricate indexing ◮ based on multiplication over finite field GF (2 8 ) A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 31 / 115

  27. Verification of absence of runtime errors using EVA An application to Contiki Examples 8, 9, 10 Analyze three versions of a part of the aes module Explore and explain the results Ex.8. Run Eva: frama-c-gui aes1.c -val Ex.9. Run Eva: frama-c-gui aes2.c -val Ex.10. Run Eva: frama-c-gui aes3.c -val A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 32 / 115

  28. Verification of absence of runtime errors using EVA An application to Contiki Examples 11, 12, 13, 14 Analyze three versions of a part of the ccm module Explore and explain the results Ex.11. Run Eva: frama-c-gui ccm1.c -val Ex.12. Run Eva: frama-c-gui ccm1.c -val -slevel 50 Ex.13. Run Eva: frama-c-gui ccm2.c -val -slevel 50 Ex.14. Run Eva: frama-c-gui ccm3.c -val -slevel 50 A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 33 / 115

  29. Deductive verification using WP Outline Introduction Verification of absence of runtime errors using EVA Deductive verification using WP Overview of ACSL and WP Function contracts Programs with loops An application to Contiki My proof fails... What to do? Runtime Verification using E-ACSL Conclusion A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 34 / 115

  30. Deductive verification using WP Objectives of Deductive Verification Rigorous, mathematical proof of semantic properties of a program ◮ functional properties ◮ safety: ◮ all memory accesses are valid, ◮ no arithmetic overflow, ◮ no division by zero, . . . ◮ termination A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 35 / 115

  31. Deductive verification using WP Overview of ACSL and WP Outline Introduction Verification of absence of runtime errors using EVA Deductive verification using WP Overview of ACSL and WP Function contracts Programs with loops An application to Contiki My proof fails... What to do? Runtime Verification using E-ACSL Conclusion A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 36 / 115

  32. Deductive verification using WP Overview of ACSL and WP ACSL: ANSI/ISO C Specification Language Presentation ◮ Based on the notion of contract, like in Eiffel, JML ◮ Allows users to specify functional properties of programs ◮ Allows communication between various plugins ◮ Independent from a particular analysis ◮ Manual at http://frama-c.com/acsl Basic Components ◮ Typed first-order logic ◮ Pure C expressions ◮ C types + Z (integer) and R (real) ◮ Built-ins predicates and logic functions, particularly over pointers: \valid(p) , \valid(p+0..2), \separated(p+0..2,q+0..5), \block_length(p) A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 37 / 115

  33. Deductive verification using WP Overview of ACSL and WP WP plugin ◮ Hoare-logic based plugin, developed at CEA List ◮ Proof of semantic properties of the program ◮ Modular verification (function by function) ◮ Input: a program and its specification in ACSL ◮ WP generates verification conditions (VCs) ◮ Relies on Automatic Theorem Provers to discharge the VCs ◮ Alt-Ergo, Z3, CVC3, CVC4, Yices, Simplify . . . ◮ WP manual at http://frama-c.com/wp.html ◮ If all VCs are proved, the program respects the given specification ◮ Does it mean that the program is correct? A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 38 / 115

  34. Deductive verification using WP Overview of ACSL and WP WP plugin ◮ Hoare-logic based plugin, developed at CEA List ◮ Proof of semantic properties of the program ◮ Modular verification (function by function) ◮ Input: a program and its specification in ACSL ◮ WP generates verification conditions (VCs) ◮ Relies on Automatic Theorem Provers to discharge the VCs ◮ Alt-Ergo, Z3, CVC3, CVC4, Yices, Simplify . . . ◮ WP manual at http://frama-c.com/wp.html ◮ If all VCs are proved, the program respects the given specification ◮ Does it mean that the program is correct? ◮ NO! If the specification is wrong, the program can be wrong! A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 38 / 115

  35. Deductive verification using WP Function contracts Outline Introduction Verification of absence of runtime errors using EVA Deductive verification using WP Overview of ACSL and WP Function contracts Programs with loops An application to Contiki My proof fails... What to do? Runtime Verification using E-ACSL Conclusion A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 39 / 115

  36. Deductive verification using WP Function contracts Contracts ◮ Goal: specification of imperative functions ◮ Approach: give assertions (i.e. properties) about the functions ◮ Precondition is supposed to be true on entry (ensured by the caller) ◮ Postcondition must be true on exit (ensured by the function) ◮ Nothing is guaranteed when the precondition is not satisfied ◮ Termination may be guaranteed or not (total or partial correctness) Primary role of contracts ◮ Must reflect the informal specification ◮ Should not be modified just to suit the verification tasks A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 40 / 115

  37. Deductive verification using WP Function contracts Example 1 Specify and prove the following program: // returns the absolute value of x int abs ( int x ) { if ( x >=0 ) return x ; return -x ; } Try to prove with Frama-C/WP using the basic command ◮ frama-c-gui -wp file.c A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 41 / 115

  38. Deductive verification using WP Function contracts Example 1 (Continued) The basic proof succeeds for the following program: /*@ ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x); */ int abs ( int x ) { if ( x >=0 ) return x ; return -x ; } ◮ The returned value is not always as expected. A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 42 / 115

  39. Deductive verification using WP Function contracts Example 1 (Continued) The basic proof succeeds for the following program: /*@ ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x); */ int abs ( int x ) { if ( x >=0 ) return x ; return -x ; } ◮ The returned value is not always as expected. ◮ For x=INT_MIN, -x cannot be represented by an int and overflows ◮ Example: on 32-bit, INT_MIN = − 2 31 while INT_MAX = 2 31 − 1 A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 42 / 115

  40. Deductive verification using WP Function contracts Safety warnings: arithmetic overflows Absence of arithmetic overflows can be important to check ◮ A sad example: crash of Ariane 5 in 1996 WP can automatically check the absence of runtime errors ◮ Use the command frama-c-gui -wp -wp-rte file.c ◮ It generates VCs to ensure that runtime errors do not occur ◮ in particular, arithmetic operations do not overflow ◮ If not proved, an error may occur. A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 43 / 115

  41. Deductive verification using WP Function contracts Example 1 (Continued) - Solution This is the completely specified program: #include <limits.h> /*@ requires x > INT_MIN; ensures (x >= 0 ==> \result == x) && (x < 0 ==> \result == -x); assigns \nothing; */ int abs ( int x ) { if ( x >=0 ) return x ; return -x ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 44 / 115

  42. Deductive verification using WP Function contracts Example 2 Specify and prove the following program: // returns the maximum of a and b int max ( int a, int b ) { if ( a > b ) return a ; return b ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 45 / 115

  43. Deductive verification using WP Function contracts Example 2 (Continued) - Find the error The following program is proved. Do you see any error? /*@ ensures \result >= a && \result >= b; */ int max ( int a, int b ) { if ( a >= b ) return a ; return b ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 46 / 115

  44. Deductive verification using WP Function contracts Example 2 (Continued) - a wrong version This is a wrong implementation that is also proved. Why? #include <limits.h> /*@ ensures \result >= a && \result >= b; */ int max ( int a, int b ) { return INT_MAX ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 47 / 115

  45. Deductive verification using WP Function contracts Example 2 (Continued) - a wrong version This is a wrong implementation that is also proved. Why? #include <limits.h> /*@ ensures \result >= a && \result >= b; */ int max ( int a, int b ) { return INT_MAX ; } ◮ Our specification is incomplete ◮ Should say that the returned value is one of the arguments A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 47 / 115

  46. Deductive verification using WP Function contracts Example 2 (Continued) - Find another error The following program is proved. Do you see any error? /*@ ensures \result >= a && \result >= b; ensures \result == a || \result == b ; */ int max ( int a, int b ) { if ( a >= b ) return a ; return b ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 48 / 115

  47. Deductive verification using WP Function contracts Example 2 (Continued) - a wrong version With this specification, we cannot prove the following program. Why? /*@ ensures \result >= a && \result >= b ; ensures \result == a || \result == b ; */ int max(int a, int b); extern int v ; int main (){ v = 3; int r = max (4 ,2); //@ assert v == 3 ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 49 / 115

  48. Deductive verification using WP Function contracts Example 2 (Continued) - a wrong version With this specification, we cannot prove the following program. Why? /*@ ensures \result >= a && \result >= b ; ensures \result == a || \result == b ; */ int max(int a, int b); extern int v ; int main (){ v = 3; int r = max (4 ,2); //@ assert v == 3 ; } ◮ Again, our specification is incomplete ◮ Should say that we do not modify any memory location A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 49 / 115

  49. Deductive verification using WP Function contracts Assigns clause The clause assigns v1, v2, ... , vN; ◮ Part of the postcondition ◮ Specifies which (non local) variables can be modified by the function ◮ If nothing can be modified, specify assigns \nothing A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 50 / 115

  50. Deductive verification using WP Function contracts Example 2 (Continued) - Solution This is the completely specified program: /*@ ensures \result >= a && \result >= b; ensures \result == a || \result == b; assigns \nothing; */ int max ( int a, int b ) { if ( a >= b ) return a ; return b ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 51 / 115

  51. Deductive verification using WP Function contracts Example 3 Specify and prove the following program: // returns the maximum of *p and *q int max_ptr ( int *p, int *q ) { if ( *p >= *q ) return *p ; return *q ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 52 / 115

  52. Deductive verification using WP Function contracts Example 3 (Continued) - Explain the proof failure Explain the proof failure with the option -wp-rte for the program: /*@ ensures \result >= *p && \result >= *q; ensures \result == *p || \result == *q; */ int max_ptr ( int *p, int *q ) { if ( *p >= *q ) return *p ; return *q ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 53 / 115

  53. Deductive verification using WP Function contracts Example 3 (Continued) - Explain the proof failure Explain the proof failure with the option -wp-rte for the program: /*@ ensures \result >= *p && \result >= *q; ensures \result == *p || \result == *q; */ int max_ptr ( int *p, int *q ) { if ( *p >= *q ) return *p ; return *q ; } ◮ Nothing ensures that pointers p, q are valid ◮ It must be ensured either by the function, or by its precondition A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 53 / 115

  54. Deductive verification using WP Function contracts Safety warnings: invalid memory accesses An invalid pointer or array access may result in a segmentation fault or memory corruption. ◮ WP can automatically generate VCs to check memory access validity ◮ use the command frama-c-gui -wp -wp-rte file.c ◮ They ensure that each pointer (array) access has a valid offset (index) ◮ If the function assumes that an input pointer is valid, it must be stated in its precondition, e.g. ◮ \valid(p) for one pointer p ◮ \valid(p+0..2) for a range of offsets p, p+1, p+2 A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 54 / 115

  55. Deductive verification using WP Function contracts Example 3 (Continued) - Find the error The following program is proved. Do you see any error? /*@ requires \valid(p) && \valid(q); ensures \result >= *p && \result >= *q; ensures \result == *p || \result == *q; */ int max_ptr ( int *p, int *q ) { if ( *p >= *q ) return *p ; return *q ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 55 / 115

  56. Deductive verification using WP Function contracts Example 3 (Continued) - a wrong version This is a wrong implementation that is also proved. Why? /*@ requires \valid(p) && \valid(q); ensures \result >= *p && \result >= *q; ensures \result == *p || \result == *q; */ int max_ptr ( int *p, int *q ) { *p = 0; *q = 0; return 0 ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 56 / 115

  57. Deductive verification using WP Function contracts Example 3 (Continued) - a wrong version This is a wrong implementation that is also proved. Why? /*@ requires \valid(p) && \valid(q); ensures \result >= *p && \result >= *q; ensures \result == *p || \result == *q; */ int max_ptr ( int *p, int *q ) { *p = 0; *q = 0; return 0 ; } ◮ Our specification is incomplete ◮ Should say that the function cannot modify *p and *q A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 56 / 115

  58. Deductive verification using WP Function contracts Assigns clause The clause assigns v1, v2, ... , vN; ◮ Part of the postcondition ◮ Specifies which (non local) variables can be modified by the function ◮ If nothing can be modified, specify assigns \nothing A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 57 / 115

  59. Deductive verification using WP Function contracts Assigns clause The clause assigns v1, v2, ... , vN; ◮ Part of the postcondition ◮ Specifies which (non local) variables can be modified by the function ◮ If nothing can be modified, specify assigns \nothing ◮ Avoids to state for all unchanged global variables v : ensures \old(v) == v; ◮ Avoids to forget one of them: explicit permission is required A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 57 / 115

  60. Deductive verification using WP Function contracts Example 3 (Continued) - Solution This is the completely specified program: /*@ requires \valid(p) && \valid(q); ensures \result >= *p && \result >= *q; ensures \result == *p || \result == *q; assigns \nothing; */ int max_ptr ( int *p, int *q ) { if ( *p >= *q ) return *p ; return *q ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 58 / 115

  61. Deductive verification using WP Function contracts Example 4 Specify and prove the following program: /* swaps two pointed values */ void swap(int *a, int *b){ int tmp = *a ; *a = *b ; *b = tmp ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 59 / 115

  62. Deductive verification using WP Function contracts Example 4 - Solution This is the completely specified program: /*@ requires \valid(a) && \valid(b); requires \separated(a,b); assigns *a, *b; ensures *a == \old (*b) && *b == \old (*a); */ void swap(int *a, int *b){ int tmp = *a ; *a = *b ; *b = tmp ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 60 / 115

  63. Deductive verification using WP Function contracts Behaviors Specification by cases ◮ Global precondition ( requires ) applies to all cases ◮ Global postcondition ( ensures, assigns ) applies to all cases ◮ Behaviors define contracts (refine global contract) in particular cases ◮ For each case (each behavior ) ◮ the subdomain is defined by assumes clause ◮ the behavior’s precondition is defined by requires clauses ◮ it is supposed to be true whenever assumes condition is true ◮ the behavior’s postcondition is defined by ensures, assigns clauses ◮ it must be ensured whenever assumes condition is true ◮ complete behaviors states that given behaviors cover all cases ◮ disjoint behaviors states that given behaviors do not overlap A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 61 / 115

  64. Deductive verification using WP Function contracts Example 5 Specify using behaviors and prove the function abs : // returns the absolute value of x int abs ( int x ) { if ( x >=0 ) return x ; return -x ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 62 / 115

  65. Deductive verification using WP Function contracts Example 5 (Continued) - Solution #include < l i m i t s . h > / ∗ @ r e q u i r e s x > INT MIN ; \ nothing ; assigns pos : behavior assumes x > = 0; \ r e s u l t == x ; ensures neg : behavior assumes x < 0; ensures \ r e s u l t == − x ; complete behaviors ; d i s j o i n t behaviors ; ∗ / i n t abs ( i n t x ) { i f ( x > =0 ) return x ; return − x ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 63 / 115

  66. Deductive verification using WP Function contracts Contracts and function calls Pre/post of the caller and of the callee have dual roles in the caller’s proof ◮ Pre of the caller is assumed, Post of the caller must be ensured ◮ Pre of the callee must be ensured, Post of the callee is assumed A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 64 / 115

  67. Deductive verification using WP Function contracts Example 6 Specify and prove the function max_abs int abs ( int x ); int max ( int x, int y ); // returns maximum of absolute values of x and y int max_abs( int x, int y ) { x=abs(x); y=abs(y); return max(x,y); } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 65 / 115

  68. Deductive verification using WP Function contracts Example 6 (Continued) - Explain the proof failure for #include < l i m i t s . h > / ∗ @ r e q u i r e s x > INT MIN ; ensures ( x > = 0 == > \ r e s u l t == x ) && ( x < 0 == > \ r e s u l t == − x ) ; a s s i g n s \ nothing ; ∗ / i n t abs ( i n t x ) ; / ∗ @ ensures \ r e s u l t > = x && \ r e s u l t > = y ; \ r e s u l t == x | | \ r e s u l t == y ; ensures a s s i g n s \ nothing ; ∗ / max ( x , y ) ; i n t i n t i n t / ∗ @ ensures \ r e s u l t > = x && \ r e s u l t > = − x && \ r e s u l t > = y && \ r e s u l t > = − y ; \ r e s u l t == x | | \ r e s u l t == − x | | ensures \ r e s u l t == y | | \ r e s u l t == − y ; a s s i g n s \ nothing ; ∗ / i n t max abs ( i n t x , i n t y ) { x=abs ( x ) ; y=abs ( y ) ; return max( x , y ) ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 66 / 115

  69. Deductive verification using WP Function contracts Example 6 (Continued) - Explain the proof failure for #include < l i m i t s . h > / ∗ @ r e q u i r e s x > INT MIN ; ensures ( x > = 0 == > \ r e s u l t == x ) && ( x < 0 == > \ r e s u l t == − x ) ; a s s i g n s \ nothing ; ∗ / i n t abs ( i n t x ) ; / ∗ @ ensures \ r e s u l t > = x && \ r e s u l t > = y ; \ nothing ; ∗ / a s s i g n s i n t max ( i n t x , i n t y ) ; / ∗ @ r e q u i r e s x > INT MIN ; y > INT MIN ; r e q u i r e s ensures \ r e s u l t > = x && \ r e s u l t > = − x && \ r e s u l t > = y && \ r e s u l t > = − y ; ensures \ r e s u l t == x | | \ r e s u l t == − x | | \ r e s u l t == y | | \ r e s u l t == − y ; a s s i g n s \ nothing ; ∗ / i n t max abs ( i n t x , i n t y ) { x=abs ( x ) ; y=abs ( y ) ; max( x , y ) ; return } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 67 / 115

  70. Deductive verification using WP Function contracts Example 6 (Continued) - Solution #include < l i m i t s . h > / ∗ @ r e q u i r e s x > INT MIN ; ( x > = 0 == > \ r e s u l t == x ) && ( x < 0 == > \ r e s u l t == − x ) ; ensures a s s i g n s \ nothing ; ∗ / i n t abs ( i n t x ) ; / ∗ @ ensures \ r e s u l t > = x && \ r e s u l t > = y ; ensures \ r e s u l t == x | | \ r e s u l t == y ; a s s i g n s \ nothing ; ∗ / i n t max ( i n t x , i n t y ) ; / ∗ @ r e q u i r e s x > INT MIN ; r e q u i r e s y > INT MIN ; \ r e s u l t > = x && \ r e s u l t > = − x && ensures \ r e s u l t > = y && \ r e s u l t > = − y ; \ r e s u l t == x | | \ r e s u l t == − x | | ensures \ r e s u l t == y | | \ r e s u l t == − y ; \ nothing ; ∗ / a s s i g n s i n t max abs ( i n t x , i n t y ) { x=abs ( x ) ; y=abs ( y ) ; return max( x , y ) ; } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 68 / 115

  71. Deductive verification using WP Programs with loops Outline Introduction Verification of absence of runtime errors using EVA Deductive verification using WP Overview of ACSL and WP Function contracts Programs with loops An application to Contiki My proof fails... What to do? Runtime Verification using E-ACSL Conclusion A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 69 / 115

  72. Deductive verification using WP Programs with loops Loops and automatic proof ◮ What is the issue with loops? Unknown, variable number of iterations ◮ The only possible way to handle loops: proof by induction ◮ Induction needs a suitable inductive property, that is proved to be ◮ satisfied just before the loop, and ◮ satisfied after k + 1 iterations whenever it is satisfied after k ≥ 0 iterations ◮ Such inductive property is called loop invariant ◮ The verification conditions for a loop invariant include two parts ◮ loop invariant initially holds ◮ loop invariant is preserved by any iteration A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 70 / 115

  73. Deductive verification using WP Programs with loops Loop invariants - some hints How to find a suitable loop invariant? Consider two aspects: ◮ identify variables modified in the loop ◮ variable number of iterations prevents from deducing their values (relationships with other variables) ◮ define their possible value intervals (relationships) after k iterations ◮ use loop assigns clause to list variables that (might) have been assigned so far after k iterations ◮ identify realized actions, or properties already ensured by the loop ◮ what part of the job already realized after k iterations? ◮ what part of the expected loop results already ensured after k iterations? ◮ why the next iteration can proceed as it does? . . . A stronger property on each iteration may be required to prove the final result of the loop Some experience may be necessary to find appropriate loop invariants A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 71 / 115

  74. Deductive verification using WP Programs with loops Loop invariants - more hints Remember: a loop invariant must be true ◮ before (the first iteration of) the loop, even if no iteration is possible ◮ after any complete iteration even if no more iterations are possible ◮ in other words, any time before the loop condition check In particular, a for loop for ( i =0; i < n ; i++) { / ∗ body ∗ / } should be seen as i =0; // a c t i o n b ef or e the f i r s t i t e r a t i o n while ( i < n ) // an i t e r a t i o n s t a r t s by the c o n d i t i o n check { / ∗ body ∗ / i ++; // l a s t a c t i o n in an i t e r a t i o n } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 72 / 115

  75. Deductive verification using WP Programs with loops Loop termination ◮ Program termination is undecidable ◮ A tool cannot deduce neither the exact number of iterations, nor even an upper bound ◮ If an upper bound is given, a tool can check it by induction ◮ An upper bound on the number of remaining loop iterations is the key idea behind the loop variant Terminology ◮ Partial correctness: if the function terminates, it respects its specification ◮ Total correctness: the function terminates, and it respects its specification A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 73 / 115

  76. Deductive verification using WP Programs with loops Loop variants - some hints ◮ Unlike an invariant, a loop variant is an integer expression, not a predicate ◮ Loop variant is not unique: if V works, V + 1 works as well ◮ No need to find a precise bound, any working loop variant is OK ◮ To find a variant, look at the loop condition ◮ For the loop while(exp1 > exp2 ) , try loop variant exp1-exp2; ◮ In more complex cases: ask yourself why the loop terminates, and try to give an integer upper bound on the number of remaining loop iterations A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 74 / 115

  77. Deductive verification using WP Programs with loops Example 7 Specify and prove the function reset_array : // writes 0 in each cell of the // array a of len integers void reset_array(int* a, int len){ for(int i = 0 ; i < len ; ++i){ a[i] = 0 ; } } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 75 / 115

  78. Deductive verification using WP Programs with loops Example 7 (Continued) - Solution / ∗ @ requires 0 < = l e n ; \ valid ( a + (0 . . len − 1)); requires assigns a [0 . . len − 1]; \ f o r a l l i ; 0 < = i < l e n == > a [ i ] == 0; ensures integer ∗ / r e s e t a r r a y ( int ∗ a , l e n ) { void int / ∗ @ invariant 0 < = i < = l e n ; loop loop invariant \ f o r a l l integer j ; 0 < = j < i == > a [ j ] == 0 ; loop assigns i , a [0 . . len − 1]; loop variant l e n − i ; ∗ / for ( int i = 0 ; i < l e n ; ++i ) { a [ i ] = 0 ; } } A. Blanchard, N. Kosmatov, F.Loulergue How to Verify IoT Software with Frama-C 2018-05-30 76 / 115

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan

Secure Your Things: Verification of IoT Software with Frama-C Tutorial at HPCS 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr, nikolai.kosmatov@cea.fr,

1.52k views • 151 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
Four steps in an effective workflow... 1. Cleaning data Things to do: Verify your data are

Four steps in an effective workflow... 1. Cleaning data Things to do: Verify your data are

WS_Workflow_Presentation Outline Part 1 Krista K. Payne July 24, 2017 Four steps in an effective workflow... 1. Cleaning data Things to do: Verify your data are accurate Variables should be well named Variables should be properly

148 views • 10 slides
Project Things A secure gateway to connect your things to Internet February 2, 2019

Project Things A secure gateway to connect your things to Internet February 2, 2019

Project Things A secure gateway to connect your things to Internet February 2, 2019 &lt;https://fosdem.org/2019/schedule/event/project_things&gt; Speakers Dipesh Monga @ Mozilla Techspeakers Philippe Coval @ Samsung OpenSource 2 The hidden

558 views • 28 slides
How Were Failing To Secure The Internet Of Things Mark Stanislav

How Were Failing To Secure The Internet Of Things Mark Stanislav

How Were Failing To Secure The Internet Of Things Mark Stanislav &lt;mstanislav@duosecurity.com&gt; About The Internet Of Things The Internet of Things is the network of physical objects that contain embedded technology to

519 views • 25 slides
CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be applicants eligibility from Homeland Security, IRS and Social Security systems, in real time, plus enroll members electronically to any

346 views • 8 slides
Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment? CEC Entertainment, Irving TX Founded by Nolan Bushnell Revenue What Is CEC Entertainment? What Is CEC Entertainment? What Is CEC Entertainment?

305 views • 19 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a tutorial prepared with Frdric Loulergue) Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Deductive

694 views • 58 slides
on the Internet of Things Software Project What is the Internet of Things? A system in which

on the Internet of Things Software Project What is the Internet of Things? A system in which

on the Internet of Things Software Project What is the Internet of Things? A system in which objects in the physical world can be connected to the Internet by sensors and actuators (coined 1999 by Kevin Ashton) Key aspects: E2E

343 views • 10 slides
Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

2019 CALENDAR YEAR-END CLOSING PROCEDURES 1 USAS-R CYE Procedures Verify 1099 Data Month End Close Calendar Year End Close 1099 Procedures TR1099 Program 2 2 Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors

357 views • 8 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S. Meyers 1 In-Person Procedures When you enter/leave the classroom: Grab a towel and wipe down your work station

299 views • 10 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Quote: Taher El-Gamal, Inventor of SSL Security professionals always struggle with the general public because

753 views • 30 slides
Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020

Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020

Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Networks, Cryptography, and You Most application developers Dont implement networking

333 views • 30 slides
Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the Programatica team WG2.8 08 1 Functional Languages for High- Assurance Applications Goal: rely on properties of functional languages to

774 views • 59 slides
Queens on a Chessboard an exercise in program verification Jean-Christophe Filli atre

Queens on a Chessboard an exercise in program verification Jean-Christophe Filli atre

Queens on a Chessboard an exercise in program verification Jean-Christophe Filli atre Krakatoa/Caduceus working group December 15th, 2006 Jean-Christophe Filli atre Queens on a Chessboard Krakatoa/Caduceus WG Introduction challenge for

569 views • 35 slides
The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli atre CNRS Universit e Paris Sud TYPES Summer School August 30th, 2007 TYPES Summer School August 30th, 2007 Jean-Christophe Filli

2.04k views • 181 slides
Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI Existing tools Model and specification of FP numbers Examples Conclusion Motivations

410 views • 39 slides
Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover

Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover

Krakatoa Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover Overview of Krakatoa Algebraic models Backend: the Why/Krakatoa platform Conclusions Claude March e Christine Paulin Jean-Christophe

636 views • 31 slides
Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France

Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France

Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France FTfJP2008 Ownership, Pointer Arithmetic, and Memory Separation 1 / 32 Introduction Jessie Ownership and Invariants Problems Our Approach Core Language

497 views • 32 slides
Formal proof of SCHUR conjugate function Toumazet Objectives and tools SCHUR Micaela Mayero 1

Formal proof of SCHUR conjugate function Toumazet Objectives and tools SCHUR Micaela Mayero 1

Formal Proof of conjugate function Butelle Hivert Mayero Formal proof of SCHUR conjugate function Toumazet Objectives and tools SCHUR Micaela Mayero 1 Frama-C Franck Butelle 1 Florent Hivert 2 Some combi- Frdric Toumazet 3 natorial

403 views • 28 slides
From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering Software Engineering Laboratory

360 views • 32 slides

More recommend