Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software
Slide 1: Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software
Amy Felty, University of Ottawa
Introduction to CSI5110
Slide 2: The General Problem
From Evan I. Schwartz, "Trust Me, I'm Your Software", Discover Magazine, May 1996:
"All very complex computer programs will, at some time, fail. How often? No one knows; the programs are too complex to test. So where should we use them? How about in planes, nuclear power plants, weaponry..."
From Edmund M. Clarke and Jeannette M. Wing, ACM Computing Surveys, Volume 28, December 1996:
"Hardware and software systems will inevitably grow in scale and functionality. Because of this increase in complexity, the likelihood of subtle errors is much greater. Moreover, some of these errors may cause catastrophic loss of money, time, or even human life."
Slide 3: A Potential Solution: Formal Methods
Also from Clarke and Wing:
"A major goal of software engineering is to enable developers to construct systems that operate reliably despite this complexity. One way of achieving this goal is by using formal methods, which are mathematically-based languages, techniques, and tools for specifying and verifying such systems. Use of formal methods does not a priori guarantee correctness. However, they can greatly increase our understanding of a system by revealing inconsistencies, ambiguities, and incompletenesses that might otherwise go undetected."
The use of formal methods can be integrated into the system development process, used at some or all stages, and combined with informal methods (such as testing). They have been most successful at the specification and verification stages. Further exploration is ongoing for other stages such as requirements analysis, refinement, and testing.
Slide 4: Example Applications
Safety critical: Darlington Nuclear Generating Station, near Toronto; applied to the decision-making logic for the shutdown system implemented in software.
Commercial applications: IBM Customer Information Control System (CICS); applied to a large transaction processing system used by banks, insurance companies, manufacturing firms, airlines, and others.
Security applications: see the next slide.
Slide 5: Security Example
Subject: [Coq-Club] Formal Methods in the industry - a successful story
From: NGUYEN Quang-Huy at gemalto.com
Date: Thu, 6 Sep 2007
"Dear colleagues, We are proud to announce that we have just successfully completed a Common Criteria (CC) evaluation on a Java Card based commercial product. This evaluation will lead to the world's first CC certificate of a Java product involving EAL7 components. The specific feature of the evaluation is that all the CC requirements on the development of the product (the ADV class) have been fulfilled at their highest level thanks to the use of a formal tool (the Coq proof assistant)... From a more technical point of view, the formal models and proofs developed in this work ensure the safe execution of any bytecode-verified applet on the product..."
Formal Methods group, Gemalto Technology & Innovation
Slide 6: Formalization Spectrum
From less formal to more formal:
    natural language text description
    mathematical proof
    specification languages
    specification + mathematical proof and/or automated tools
    model checking, automated deduction/theorem proving
    theorem proving with user interaction
Slide 7: Logic and Inference Rules
If it is raining, then the ground is getting wet. It is raining. Therefore, the ground is getting wet.
The modus ponens inference rule:
    P → Q      P
    --------------
          Q
where P := it is raining and Q := the ground is getting wet.
Slide 8: Another Example
All humans are mortal. Socrates is human. Therefore, Socrates is mortal.
Universal instantiation: from ∀x. P(x), conclude P(t) for any term t.
A proof that Socrates is mortal:
    ∀x. human(x) → mortal(x)
    ------------------------------------------ (universal instantiation, x := socrates)
    human(socrates) → mortal(socrates)      human(socrates)
    ------------------------------------------------------- (modus ponens)
    mortal(socrates)
Slide 9: Logics Come in Many Varieties
Logics can be specialized to express various notions, for example:
    temporal logics, whose operators qualify a proposition P over time
    programming logics: {x > 0} x := x + 1 {x > 1}
They also range from less expressive to more expressive.
Slide 10: Natural Deduction Theorem Proving
A derivation of (p ∧ q) → (p ∧ (q ∨ r)), read from the assumptions down to the theorem:
    1. p, q ⊢ p                        (assumption)
    2. p, q ⊢ q                        (assumption)
    3. p, q ⊢ q ∨ r                    (∨-I from 2)
    4. p, q ⊢ p ∧ (q ∨ r)              (∧-I from 1 and 3)
    5. p ∧ q ⊢ p ∧ (q ∨ r)             (∧-E from 4)
    6. ⊢ (p ∧ q) → (p ∧ (q ∨ r))       (→-I from 5)
Theorem prover: a program for finding such proofs. Goal-directed = bottom-up search for proofs, starting from the goal.
More expressive logics are harder to automate: propositional logic; predicate logic (adds quantification); higher-order logic, which allows quantification over predicates and functions (e.g., quantifying over a relation R in a formula such as R(1, 2)).
Interaction allows the user to guide the search: + more powerful, general, flexible; - requires sophisticated knowledge.
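As an added example that is not part of the slides, the following Python models the two ideas on slide 10: a goal-directed (bottom-up) search for proofs in the small propositional fragment the slide uses (assumption, ∧-I, ∧-E, ∨-I, →-I), and a separate checker that validates a finished proof step by step without any search. The tuple encoding of formulas, the rule names and the depth bound are this example's own assumptions.

```python
# Added example (not from the slides): a goal-directed prover and an
# independent proof checker for the propositional fragment of slide 10.
# Formulas are nested tuples:
#   ('var', 'p')   ('and', A, B)   ('or', A, B)   ('imp', A, B)
# A proof node is (rule, hypotheses, conclusion, children); hypotheses are a frozenset.

def fmt(f):
    """Render a formula for display."""
    if f[0] == 'var':
        return f[1]
    sym = {'and': ' and ', 'or': ' or ', 'imp': ' -> '}[f[0]]
    return '(' + fmt(f[1]) + sym + fmt(f[2]) + ')'

def prove(hyps, goal, depth=8):
    """Bottom-up search from the goal: returns a proof node or None.
    The depth bound is an assumption of this toy that keeps the search finite."""
    if goal in hyps:
        return ('Ax', hyps, goal, ())
    if depth == 0:
        return None
    kind = goal[0]
    if kind == 'and':
        left, right = prove(hyps, goal[1], depth - 1), prove(hyps, goal[2], depth - 1)
        if left and right:
            return ('and-I', hyps, goal, (left, right))
    elif kind == 'or':
        for side in (1, 2):
            sub = prove(hyps, goal[side], depth - 1)
            if sub:
                return ('or-I', hyps, goal, (sub,))
    elif kind == 'imp':
        sub = prove(hyps | {goal[1]}, goal[2], depth - 1)
        if sub:
            return ('imp-I', hyps, goal, (sub,))
    # and-E: split a conjunction among the hypotheses into its two components
    for h in hyps:
        if h[0] == 'and':
            sub = prove((hyps - {h}) | {h[1], h[2]}, goal, depth - 1)
            if sub:
                return ('and-E', hyps, goal, (sub,))
    return None

def check(node):
    """Independent checker: verifies each step against the rules, no search.
    This is the only part one would have to trust."""
    rule, hyps, goal, kids = node
    if not all(check(k) for k in kids):
        return False
    if rule == 'Ax':
        return not kids and goal in hyps
    if rule == 'and-I':
        return (goal[0] == 'and' and len(kids) == 2
                and kids[0][1:3] == (hyps, goal[1]) and kids[1][1:3] == (hyps, goal[2]))
    if rule == 'or-I':
        return (goal[0] == 'or' and len(kids) == 1
                and kids[0][1] == hyps and kids[0][2] in (goal[1], goal[2]))
    if rule == 'imp-I':
        return (goal[0] == 'imp' and len(kids) == 1
                and kids[0][1] == hyps | {goal[1]} and kids[0][2] == goal[2])
    if rule == 'and-E':
        return (len(kids) == 1 and kids[0][2] == goal
                and any(h[0] == 'and' and kids[0][1] == (hyps - {h}) | {h[1], h[2]}
                        for h in hyps))
    return False

P, Q, R = ('var', 'p'), ('var', 'q'), ('var', 'r')
SLIDE_THEOREM = ('imp', ('and', P, Q), ('and', P, ('or', Q, R)))

def demo():
    """Find a proof of the slide's theorem and have the checker confirm it."""
    proof = prove(frozenset(), SLIDE_THEOREM)
    return proof is not None and check(proof)

if __name__ == '__main__':
    print(fmt(SLIDE_THEOREM), 'proved and checked:', demo())
```

The proof the search finds applies ∧-E at the leaves rather than once at the bottom as on the slide; both are valid derivations, and `check` accepts either. A tampered proof node, or a goal such as p → q that has no proof in this fragment, is rejected.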
Slide 11: Booleans and Negation
bool = {true, false}. The negation function maps true to false and conversely.
    Inductive bool : Set := true : bool | false : bool.
    Definition neg (b:bool) := match b with true => false | false => true end.
Slide 12: Bit Strings
Bit strings (boolean words) are represented as lists of booleans, e.g. [true, false, true, false].
    Inductive word : Set := empty : word | bit : bool -> word -> word.
The word above is written (bit true (bit false (bit true (bit false empty)))).
Slide 13: Alternating Words
A word w is alternating if for some bit b, w is of the form [b, neg b, b, neg b, ...].
    Inductive alt : bool -> word -> Prop :=
      alt_empty : forall (b:bool), alt b empty
    | alt_bit : forall (b:bool) (w:word), alt (neg b) w -> alt b (bit b w).
A version without an explicit first bit:
    Inductive alternate (w:word) : Prop :=
      alter : forall (b:bool), alt b w -> alternate w.
Compare (alt b w) with (alternate w).
Slide 14: Paired Words
A word w is paired if it is of the form [neg b1, b1, neg b2, b2, ...], i.e. each consecutive pair consists of opposite bits.
    Inductive paired : word -> Prop :=
      paired_empty : paired empty
    | paired_bit : forall (w:word) (b:bool), paired w -> paired (bit (neg b) (bit b w)).
Slide 15: Shuffle
Shuffling u and v to obtain w: at each step a bit is taken from the front of either u or v and appended to w.
    Inductive shuffle : word -> word -> word -> Prop :=
      shuffle_empty : shuffle empty empty empty
    | shuffle_bit_left : forall (u v w:word) (b:bool), shuffle u v w -> shuffle (bit b u) v (bit b w)
    | shuffle_bit_right : forall (u v w:word) (b:bool), shuffle u v w -> shuffle u (bit b v) (bit b w).
Slide 16: The Card Trick Theorem
Theorem: Let x be an alternating word of even length. Let u and v be two words such that their concatenation is x. Let w be a shuffling of u and v. If u and v begin with opposite bits, then w is paired. Otherwise the word obtained by moving the first bit of w to the end is paired.
    Theorem Gilbreath : forall x:word, even x -> alternate x ->
      forall u v:word, x = (append u v) ->
      forall w:word, shuffle u v w ->
      IF opposite u v then paired w else paired (rotate w).
Note: the definitions and proofs require approximately 750 lines of input to the theorem prover.
(Gérard Huet, "The Gallina Specification Language: A Case Study", in Proceedings of the Twelfth Conference on Foundations of Software Technology and Theoretical Computer Science, 1992)
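To make slides 11 to 16 concrete, here is an added example (not from the slides and not Huet's Coq development): executable Python versions of alternating, paired, shuffle, opposite and rotate, plus an exhaustive check of the theorem's conclusion on every alternating word of even length up to a chosen bound. Words are tuples of bools; True and False play the two bits; the helper names are this example's own. Exhaustive enumeration is a test, not a proof: it can only cover finitely many lengths, which is exactly the gap the Coq proof closes.

```python
# Added example (not from the slides or Huet's Coq proof): executable versions
# of the card-trick definitions and an exhaustive check for small word lengths.

def is_alternating(w):
    """alternate w: consecutive bits differ, i.e. w = [b, neg b, b, neg b, ...]."""
    return all(w[i] != w[i + 1] for i in range(len(w) - 1))

def is_paired(w):
    """paired w: w splits into pairs of opposite bits, [neg b1, b1, neg b2, b2, ...]."""
    return len(w) % 2 == 0 and all(w[i] != w[i + 1] for i in range(0, len(w), 2))

def shuffles(u, v):
    """Every w with shuffle u v w: at each step the next bit of w is the head
    of u or the head of v (a riffle of the two packets)."""
    if not u or not v:
        yield tuple(u) + tuple(v)
        return
    for w in shuffles(u[1:], v):
        yield (u[0],) + w
    for w in shuffles(u, v[1:]):
        yield (v[0],) + w

def opposite(u, v):
    """opposite u v: both packets are non-empty and begin with different bits."""
    return bool(u) and bool(v) and u[0] != v[0]

def rotate(w):
    """Move the first bit of w to the end."""
    return w[1:] + w[:1]

def card_trick_holds(u, v, w):
    """The conclusion of the Gilbreath theorem for one instance."""
    return is_paired(w) if opposite(u, v) else is_paired(rotate(w))

def instances(max_len):
    """Every (x, u, v, w) with x alternating of even length <= max_len,
    x = append u v, and w a shuffle of u and v."""
    for n in range(0, max_len + 1, 2):
        for first in (True, False):
            x = tuple(first if i % 2 == 0 else not first for i in range(n))
            assert is_alternating(x)
            for k in range(n + 1):
                u, v = x[:k], x[k:]
                for w in shuffles(u, v):
                    yield x, u, v, w

def find_counterexample(claim, max_len=8):
    """First instance for which claim(u, v, w) fails, or None."""
    for x, u, v, w in instances(max_len):
        if not claim(u, v, w):
            return x, u, v, w
    return None

def theorem_checked(max_len=8):
    """True iff the theorem's conclusion holds on every instance up to max_len."""
    return find_counterexample(card_trick_holds, max_len) is None

if __name__ == '__main__':
    print('theorem holds up to length 8:', theorem_checked(8))
    # The naive claim "w is always paired" (dropping the rotate case) fails quickly:
    print('counterexample to the naive claim:',
          find_counterexample(lambda u, v, w: is_paired(w), 4))
```

The naive variant that omits the rotate case already fails at length 4 (x = [true, false, true, false] cut in the middle and shuffled to [true, true, false, false]), which shows why the theorem statement needs its else branch.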
Slide 17: Verification of SRT Division
Implemented by the Intel Pentium chip, with a well-publicized division error.
Similar to the third-grade division algorithm, with two main differences:
    1. The quotient digit is approximated by considering only the first few digits of the divisor and dividend and using a table look-up.
    2. The partial remainder is computed by adding or subtracting, depending upon whether the quotient digit was guessed correctly or overestimated by 1.
Testing was unlikely to catch the error, which was caused by 5 wrong entries in the look-up table. The cost of the error was estimated at almost $500 million.
Slide 18: Three Theorem Proving Verifications
Verified after the fact using theorem proving systems by three research groups: Carnegie Mellon, SUNY Albany, and SRI.
Example: SRI
    1. General math: formalization of textbook knowledge of the SRT division algorithm and proof of its correctness.
    2. Specific data-path circuit (bit-vector signals over time) to compute the partial remainder.
    3. Specific look-up table. Missing table entries lead to subgoals that can't be proven.
Slide 19: Scalable Coherence Interface (SCI)
IEEE standard for specifying communication between up to 64,000 multiprocessors in a shared memory network.
A good representative of the kinds of protocols for which verification is important. Also representative of the level of complexity that can be handled by verification tools.
Slide 20: Cache Memory (diagram: a processor, its cache memory, and main memory)
Slide 21: Multiprocessor with Cache Memory (diagram: several processors, each with its own cache, sharing one memory)
Slide 22: SCI Cache Coherence
Highlights of the protocol:
    Each processor keeps some local data indicating which parts of its own cache have the most up-to-date values, which memory locations it can write to, etc.
    Processors communicate information such as correct values, granting permission to write, etc., by sending messages back and forth.
    A doubly-linked list is used to keep track of the order in which processors request to read and write.
Correctness is expressed as 5 logical formulas stating, for example:
    There is always at most one processor with permission to write a particular memory location.
    Every processor that requests to write will eventually get a turn.
The proof requires 14 lemmas, including 8 fairly easy ones and 6 much harder ones.
Slide 23: Invariant 13 (the clauses below are shown as transcribed; their logical connectives and quantifiers did not survive extraction)
(a) (status p = Off status p = Pending) cs p = invalid. status p = Inlist cs p invalid. status p = Purging (cs p = dirty succ p = nil). status p = Ftod (cs p = fresh pred p = m). status p = Inqueue (pred p = m succ p = nil). delrightq(q, r, cs) buf [p] (r nil cs invalid). (visiting(p) status q Delleft delrightq(p, r, cs) buf [q]) succ p = q. (visiting(p) delrightr(q, ok) buf [p]) succ p = q.
(b) (status p Inqueue cs p = invalid) (pred p = nil succ p = nil). cs p invalid pred p nil.
(c) head m = nil p P.(idle(p) leaving(p)).
(d) (head m = p p nil) p is maximal ranked active processor.
(e) (idle(p) entering(p) leaving(p) p is maximal ranked visiting processor) staying(q) succ q p purgeq(q) buf [p] purger(q, p) buf [r].
(f) (read cache freshr(m, q, cv, arg) buf [p] read cache goner(m, q, cv, arg) buf [p]) ((q = nil rank(p) = 0 q P. visiting(q )) (q P [entering(q) q is maximal ranked processor] rank(p) = rank(q)+1)) cv m = cv.
(g) (visiting(p) status p Purging succ p = nil) rank(p) = 0.
(h) (visiting(p) succ p = q q nil) (visiting(q) rank(p) = rank(q) + 1).
(i) prependq(q) buf [p] rank(q) = rank(p) + 1 (entering(p) p is maximal ranked visiting processor).
(j) (delleftq(q, r, cv) buf [p] visiting(q)) (succ q = r pred q = p).
(k) prependr(q, q, ok, cv, cs) buf [p] q is maximal ranked visiting processor cs invalid pred q = p rank(p) = rank(q) + 1 (staying(p ) pred p m).
(l) prependr(q, nil, ok, cv, cs) buf [p] p P. visiting(p ) rank(p) = 0 cs invalid.
(m) prependr(q, r, retry, cv, cs) buf [p] (entering(r) r is maximal ranked visiting processor) rank(p) = rank(r) + 1 [(visiting(r) q r) q = r].
(n) purgeq(q) buf [p] (visiting(p) rank(q) = rank(p) + 1).
(o) purger(q, r) buf [p] visiting(q) [(r = nil rank(p) = 0) (r nil rank(p) = rank(r) + 1 visiting(r))].
(p) (pred p = m staying(p)) p is maximal ranked staying processor. p is maximal ranked staying processor (pred p = m q.prependr(p, p, ok, cv, cs) buf [q]). delrightq(q, m, cs) buf [p] q is maximal ranked staying processor.
(q) cs p invalid pred p = m [ q P. pred p = q cs q=invalid q is the smallest ranked entering or staying processor with rank(q)>rank(p))]. (visiting(q) delrightq(q, r, cs) buf [p]) r = m (r P cs r = invalid) (r P cs r invalid r is the smallest ranked entering or staying processor with rank(r)>rank(q)).
Slide 24: Design by Contract with the Java Modeling Language
Design by Contract (DBC): a contract between a class and its clients.
    A client must guarantee certain conditions before calling a method defined by the class (preconditions).
    The class guarantees properties that hold after execution of the method (postconditions).
    Contracts are executable, i.e., they can be checked by tools.
Java Modeling Language (JML): JML assertions are annotations in the Java code (seen as comments by Java). JML extends Java with keywords such as:
    requires, for preconditions
    ensures, for postconditions
    invariant, for properties that hold at the beginning and end of all methods, and at the end of a constructor execution
    \result, to denote the result of a method call
Slide 25: An Example: Computing Square Root
    public class SqrtExample {
        // The tolerance value did not survive transcription; 0.0001 is a placeholder.
        public final static double epsilon = 0.0001;

        /*@ requires x >= 0.0;
          @ ensures JMLDouble.approximatelyEqualTo(x, \result * \result, epsilon);
          @*/
        public static double sqrt(double x) {
            return Math.sqrt(x);
        }
    }
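As an added example (not from the slides or the JML tools), the following Python reproduces what the requires/ensures annotations on slide 25 do at run time: a decorator checks the precondition on the arguments before the call (the caller's obligation) and the postcondition on the result afterwards (the implementation's obligation). The decorator, the tolerance value and the deliberately wrong `sqrt_buggy` are this example's own constructions.

```python
# Added example (not from the slides): executable pre/postconditions in Python,
# in the spirit of JML's requires/ensures for the sqrt example.

import functools
import math

class ContractViolation(AssertionError):
    """Raised when a contract clause fails; the message names which side broke it."""

def contract(requires=None, ensures=None):
    """Decorator: `requires` is checked on the arguments before the call,
    `ensures` on (result, arguments) after it, like JML's \\result."""
    def wrap(fn):
        @functools.wraps(fn)
        def guarded(*args, **kwargs):
            if requires and not requires(*args, **kwargs):
                raise ContractViolation(f'precondition of {fn.__name__} violated by caller')
            result = fn(*args, **kwargs)
            if ensures and not ensures(result, *args, **kwargs):
                raise ContractViolation(f'postcondition of {fn.__name__} violated by implementation')
            return result
        return guarded
    return wrap

EPSILON = 0.0001  # constructed tolerance, playing the role of SqrtExample.epsilon

def approximately_equal(a, b, eps=EPSILON):
    """Counterpart of JMLDouble.approximatelyEqualTo: |a - b| <= eps."""
    return abs(a - b) <= eps

@contract(requires=lambda x: x >= 0.0,
          ensures=lambda result, x: approximately_equal(x, result * result))
def sqrt(x):
    return math.sqrt(x)

@contract(requires=lambda x: x >= 0.0,
          ensures=lambda result, x: approximately_equal(x, result * result))
def sqrt_buggy(x):
    """Deliberately wrong implementation: the postcondition catches it."""
    return x / 2.0

def violation_kind(fn, x):
    """Classify a call as 'ok', 'precondition' or 'postcondition'."""
    try:
        fn(x)
        return 'ok'
    except ContractViolation as e:
        return 'precondition' if 'precondition' in str(e) else 'postcondition'

if __name__ == '__main__':
    for fn, x in ((sqrt, 4.0), (sqrt, -1.0), (sqrt_buggy, 9.0), (sqrt_buggy, 4.0)):
        print(fn.__name__, x, '->', violation_kind(fn, x))
```

Note that `sqrt_buggy(4.0)` passes its contract (4 / 2 = 2 and 2 * 2 = 4), while `sqrt_buggy(9.0)` does not: runtime contract checking finds violations only on the inputs actually exercised, which is the gap that static verification of the same annotations is meant to close.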
Slide 26: The Problem: Code Safety
Code Producer: Source Program, then Compiler, then Native Code:
    load r3, 4(r2)
    add r2,r4,r1
    store 1, 0(r7)
    store r1, 4(r7)
    add r7,0,r3
    add r7,8,r7
    beq r3,.-20
Code Consumer: Execute. Does it do no harm?
Slide 27: Proof-Carrying Code [Necula & Lee, 1997]
Code Producer:
    Implements a program and compiles it to native machine code C.
    The verification condition (safe C) is sent to a prover, which proves it (automatically) and outputs a proof P. The compiler also sends hints to the prover.
    The code producer communicates the code and the proof to the code consumer.
Code Consumer:
    Checks that P is a proof of (safe C).
    If successful, executes C as needed.
Safety Policy:
    Set ahead of time by the code consumer.
    Defined by a set of inference rules.
Slide 28: Proof-Carrying Code (diagram)
Code Producer: Source Program, then Certifying Compiler, which produces the Native Code C (the listing of slide 26) together with Hints for the Prover; the Prover produces a Safety Proof of safe(C), a proof term built from inference-rule applications.
Code Consumer: the Checker (the Trusted Code Base) checks the proof against C, answers OK, and only then is C executed.
Slide 29: Advantages of Proof-Carrying Code
The Trusted Computing Base is quite small: it includes only the checker. There is no need to trust the compiler or the prover.
The safety policy (the meaning of safe) can be general and flexible: it can use types, dataflow, induction, or any other provable property.
Automated proof is possible for a large class of properties: safety properties of interest are relatively simple, and hints from the compiler provide help.
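As an added example that is not Necula and Lee's system or any code from the slides, here is a toy proof-carrying-code pipeline in Python that shows why only the checker needs to be trusted. The "native code" is a straight-line register program over a constructed mini-ISA; the safety policy is that every load and store hits an address in the consumer's memory [0, MEM_SIZE); the producer's prover derives a register-interval annotation for every program point as the certificate; and the consumer's checker only verifies each step locally, with no search, before executing. The instruction set, the policy, the entry facts and all names are this example's assumptions.

```python
# Added example (not from the slides or the PCC papers): a toy
# proof-carrying-code pipeline with interval certificates.

import math

MEM_SIZE = 16                      # safety policy: addresses must lie in [0, MEM_SIZE)
TOP = (-math.inf, math.inf)        # interval meaning "unknown value"

# Constructed mini-ISA (straight-line only):
#   ('movi', rd, imm)       rd := imm
#   ('add',  rd, rs, imm)   rd := rs + imm
#   ('load', rd, rb, off)   rd := mem[rb + off]
#   ('store', rs, rb, off)  mem[rb + off] := rs

def step(env, ins):
    """Abstract (interval) effect of one instruction on env (register -> (lo, hi)),
    or None if the instruction may violate the policy."""
    op = ins[0]
    new = dict(env)
    if op == 'movi':
        _, rd, imm = ins
        new[rd] = (imm, imm)
    elif op == 'add':
        _, rd, rs, imm = ins
        lo, hi = env[rs]
        new[rd] = (lo + imm, hi + imm)
    elif op in ('load', 'store'):
        _, r, rb, off = ins
        lo, hi = env[rb]
        if lo + off < 0 or hi + off >= MEM_SIZE:   # address not provably in bounds
            return None
        if op == 'load':
            new[r] = TOP                           # loaded values are unknown
    else:
        return None                                # unknown opcode is never safe
    return new

def includes(outer, inner):
    """Every interval of `inner` lies within the corresponding one of `outer`."""
    return outer.keys() == inner.keys() and all(
        outer[r][0] <= inner[r][0] and inner[r][1] <= outer[r][1] for r in inner)

def certify(program, entry):
    """Producer side (the prover): the certificate is one env per program point,
    entry state first; None if the code cannot be shown safe."""
    cert = [entry]
    for ins in program:
        nxt = step(cert[-1], ins)
        if nxt is None:
            return None
        cert.append(nxt)
    return cert

def check(program, cert, entry):
    """Consumer side, the only trusted component: each annotation must follow
    from the previous one by a single local step. No search is involved."""
    if len(cert) != len(program) + 1 or not includes(cert[0], entry):
        return False
    for i, ins in enumerate(program):
        nxt = step(cert[i], ins)
        if nxt is None or not includes(cert[i + 1], nxt):
            return False
    return True

def run(program, regs, mem):
    """Concrete execution, performed only after check() succeeded."""
    for ins in program:
        op = ins[0]
        if op == 'movi':
            regs[ins[1]] = ins[2]
        elif op == 'add':
            regs[ins[1]] = regs[ins[2]] + ins[3]
        elif op == 'load':
            regs[ins[1]] = mem[regs[ins[2]] + ins[3]]
        elif op == 'store':
            mem[regs[ins[2]] + ins[3]] = regs[ins[1]]
    return mem

# Entry facts the consumer guarantees (constructed: the loader puts an index 0..8 in r0).
ENTRY = {'r0': (0, 8), 'r1': TOP, 'r2': TOP}
SAFE = [('add', 'r2', 'r0', 4), ('load', 'r1', 'r2', 0),
        ('add', 'r1', 'r1', 1), ('store', 'r1', 'r0', 7)]     # every address stays <= 15
UNSAFE = SAFE[:-1] + [('store', 'r1', 'r0', 8)]              # r0 + 8 may reach 16

def consumer_accepts(program, cert):
    return check(program, cert, ENTRY)

if __name__ == '__main__':
    cert = certify(SAFE, ENTRY)
    print('safe program accepted:', consumer_accepts(SAFE, cert))
    print('unsafe program certifiable:', certify(UNSAFE, ENTRY) is not None)
    print('unsafe program with the safe program\'s certificate:', consumer_accepts(UNSAFE, cert))
```

Two failure modes are worth trying against `check`: shipping `UNSAFE` together with the certificate produced for `SAFE` (the checker rejects it at the store), and a forged certificate whose first annotation assumes more about r0 than the entry facts grant (rejected by the `includes` test on `cert[0]`). The prover here happens to be the same `step` function run forward, but the checker would accept any certificate whose steps it can confirm locally, which is what lets the producer use a cleverer prover without the consumer trusting it.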
Slide 30: Some Current and Future Uses of Theorem Proving
    Software, hardware, and protocol correctness
    Safety and security of mobile code (e.g., web browsers executing applets from foreign sites)
    As specification languages
    As teaching tools, for logic and for mathematics
    Tools for mathematicians
More informationHow To Make A Correct Multiprocess Program Execute Correctly On A Multiprocedor
How to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor Leslie Lamport 1 Digital Equipment Corporation February 14, 1993 Minor revisions January 18, 1996 and September 14, 1996
More informationMoving from CS 61A Scheme to CS 61B Java
Moving from CS 61A Scheme to CS 61B Java Introduction Java is an object-oriented language. This document describes some of the differences between object-oriented programming in Scheme (which we hope you
More informationCS422 - Programming Language Design
1 CS422 - Programming Language Design General Information and Introduction Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign 2 General Information Class Webpage and
More informationIntroduction to Automata Theory. Reading: Chapter 1
Introduction to Automata Theory Reading: Chapter 1 1 What is Automata Theory? Study of abstract computing devices, or machines Automaton = an abstract computing device Note: A device need not even be a
More informationSafe Object-Oriented Software: The Verified Design-By-Contract Paradigm
Safe Object-Oriented Software: The Verified Design-By-Contract Paradigm David Crocker Escher Technologies Ltd. Aldershot, United Kingdom dcrocker@eschertech.com Abstract. In recent years, large sectors
More informationProperties of Stabilizing Computations
Theory and Applications of Mathematics & Computer Science 5 (1) (2015) 71 93 Properties of Stabilizing Computations Mark Burgin a a University of California, Los Angeles 405 Hilgard Ave. Los Angeles, CA
More informationFormal Verification Coverage: Computing the Coverage Gap between Temporal Specifications
Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering
More informationOnline Supplement for Maximizing throughput in zero-buffer tandem lines with dedicated and flexible servers by Mohammad H. Yarmand and Douglas G.
Online Supplement for Maximizing throughput in zero-buffer tandem lines with dedicated and flexible servers by Mohammad H Yarmand and Douglas G Down Appendix A Lemma 1 - the remaining cases In this appendix,
More informationStatically Checking API Protocol Conformance with Mined Multi-Object Specifications Companion Report
Statically Checking API Protocol Conformance with Mined Multi-Object Specifications Companion Report Michael Pradel 1, Ciera Jaspan 2, Jonathan Aldrich 2, and Thomas R. Gross 1 1 Department of Computer
More informationThe Eighth International Conference INCOSE_IL 2015. Formal Methods Security Tools in the Service of Cyber Security
The Eighth International Conference INCOSE_IL 2015 כלים ובדיקות Formal Methods Security Tools in the Service of Cyber Security Dr. Michael J. May Kinneret College on the Sea of Galilee 1 כלים ובדיקות /
More informationNew Methodologies in Smart Card Security Design. Y.GRESSUS Methodology and Secure ASIC development manager, Bull CP8
New Methodologies in Smart Card Security Design Y.GRESSUS Methodology and Secure ASIC development manager, Bull CP8 Japan Security Conference Page 2 Trends Opportunities New methodologies Summary Concurrent
More informationMath Content by Strand 1
Math Content by Strand 1 Number and Operations with Whole Numbers Multiplication and Division Grade 3 In Grade 3, students investigate the properties of multiplication and division, including the inverse
More informationCOMPUTER SCIENCE TRIPOS
CST.98.5.1 COMPUTER SCIENCE TRIPOS Part IB Wednesday 3 June 1998 1.30 to 4.30 Paper 5 Answer five questions. No more than two questions from any one section are to be answered. Submit the answers in five
More informationThe finite field with 2 elements The simplest finite field is
The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0
More informationPredicate logic Proofs Artificial intelligence. Predicate logic. SET07106 Mathematics for Software Engineering
Predicate logic SET07106 Mathematics for Software Engineering School of Computing Edinburgh Napier University Module Leader: Uta Priss 2010 Copyright Edinburgh Napier University Predicate logic Slide 1/24
More informationWHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?
WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly
More informationTrust but Verify: Authorization for Web Services. The University of Vermont
Trust but Verify: Authorization for Web Services Christian Skalka X. Sean Wang The University of Vermont Trust but Verify (TbV) Reliable, practical authorization for web service invocation. Securing complex
More informationStructure of Presentation. Stages in Teaching Formal Methods. Motivation (1) Motivation (2) The Scope of Formal Methods (1)
Stages in Teaching Formal Methods A. J. Cowling Structure of Presentation Introduction to Issues Motivation for this work. Analysis of the Role of Formal Methods Define their scope; Review their treatment
More informationEastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students
Eastern Washington University Department of Computer Science Questionnaire for Prospective Masters in Computer Science Students I. Personal Information Name: Last First M.I. Mailing Address: Permanent
More informationC H A P T E R Regular Expressions regular expression
7 CHAPTER Regular Expressions Most programmers and other power-users of computer systems have used tools that match text patterns. You may have used a Web search engine with a pattern like travel cancun
More informationWriting in the Computer Science Major
Writing in the Computer Science Major Table of Contents Introduction... 2 Statement of Purpose... 2 Revision History... 2 Writing Tasks in Computer Science... 3 Documentation... 3 Planning to Program:
More informationComputer Programming I
Computer Programming I COP 2210 Syllabus Spring Semester 2012 Instructor: Greg Shaw Office: ECS 313 (Engineering and Computer Science Bldg) Office Hours: Tuesday: 2:50 4:50, 7:45 8:30 Thursday: 2:50 4:50,
More informationAutomata and Formal Languages
Automata and Formal Languages Winter 2009-2010 Yacov Hel-Or 1 What this course is all about This course is about mathematical models of computation We ll study different machine models (finite automata,
More informationDesign by Contract beyond class modelling
Design by Contract beyond class modelling Introduction Design by Contract (DbC) or Programming by Contract is an approach to designing software. It says that designers should define precise and verifiable
More informationThe History of Logic. Aristotle (384 322 BC) invented logic.
The History of Logic Aristotle (384 322 BC) invented logic. Predecessors: Fred Flintstone, geometry, sophists, pre-socratic philosophers, Socrates & Plato. Syllogistic logic, laws of non-contradiction
More informationVerication by Finitary Abstraction Weizmann Institute of Sciences and Universite Joseph Fourier, Grenoble Fourth International Spin Workshop (SPIN'98) Paris 2.11.98 Joint work with: Y. Kesten Ben Gurion
More informationMathematical Reasoning in Software Engineering Education. Peter B. Henderson Butler University
Mathematical Reasoning in Software Engineering Education Peter B. Henderson Butler University Introduction Engineering is a bridge between science and mathematics, and the technological needs of mankind.
More informationModel Checking II Temporal Logic Model Checking
1/32 Model Checking II Temporal Logic Model Checking Edmund M Clarke, Jr School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 2/32 Temporal Logic Model Checking Specification Language:
More information