Formal Methods Research at SICS and KTH

2012

Security is notoriously di cult to sell as a feature in software products. In addition to meeting a set of security requirements, cryptographic software has to be cheap, fast, and use little resources. The development of cryptographic software is an area with specific needs in terms of software development processes and tools. In this thesis we explore how formal techniques, namely deductive verification techniques, can be used to increase the guarantees that cryptographic software implementations indeed work as prescribed. This thesis is organized in two parts. The first part is focused on the identification of relevant security policies that may be at play in cryptographic systems, as well as the language-based mechanisms that can be used to enforce such policies in those systems. We propose methodologies based on deductive verification to formalise and verify relevant security policies in cryptographic software. We also show the applicability of those methodologies by presenting some case studies using a deductive verification tool integrated in the Frama-c framework. In the second part we propose a deductive verification tool (CAOVerif) for a domainspecific language for cryptographic implementations (CAO). Our aim is to apply the methodologies proposed in the first part of this thesis work to verify the cryptographic implementations written in CAO. The design of CAOVerif follows the same approach used in other scenarios for general-propose languages and it is build on top of a plug-in from the Frama-c framework. At the very end, we conclude the work of this thesis by reasoning about the soundness of our verification tool. v vi Verificação Formal de Implementações de Software Criptográfico Resumo O software criptográfico possui requisitos específicos para garantir a segurança da informação que manipula. Além disso, este tipo de software necessita de ser barato, rápido e utilizar um número reduzido de recursos. Garantir a segurança da informação que é manipulada por tais sistemas é um grande desafio, sendo por isso de grande objecto de estudo actualmente. Nesta tese exploramos como as técnicas formais, nomeadamente as técnicas de verificação dedutiva, podem ser utilizadas por forma a garantir que as implementações de software criptográfico funcionam, de facto, como prescrito. O trabalho desta tese está organizado em duas partes. A primeira parte foca-se essencialmente na identificação de políticas de segurança relevantes nos sistemas criptográficos, bem como nos mecanismos baseados em linguagens que podem ser aplicados para garantir tais políticas. Neste contexto, propomos metodologias baseadas em verificação dedutiva para formalizar e verificar políticas de segurança. Mostramos também como essas metodologias podem ser aplicadas na verificação de casos de estudo reais, utilizando a ferramenta de verificação dedutiva integrada na ferramenta Frama-c. Na segunda parte, propomos uma ferramenta de verificação dedutiva (CAOVerif) para uma linguagem de domínio específico para implementações criptográficas (CAO). O desenvolvimento de tal ferramenta tem como objectivo aplicar as metodologias desenvolvidas na primeira parte deste trabalho às implementações criptográficas definidas em CAO. O desenho desta ferramenta segue a mesma aproximação de outras ferramentas de verificação dedutiva já existentes para outras linguagens. Concluímos o trabalho desenvolvido dando um prova formal da correcção da ferramenta. vii viii 1.3 Deductive program verification Program verification refers to obtaining assurance that a particular piece of software will display a particular property when it is executed. Program verification can be performed using di erent methodologies, with more or less support from development tools, and providing varying degrees of assurance. One can envision tool support for checking whether a particular property is present, and also tool support for enforcing a particular property. Verification can also be dy-1.5 Thesis organization Chapter 2 This chapter introduces the main theoretical concepts underlying the work presented in this thesis. More specifically, it describes two toy languages which capture the main features of CAO and Jessie, as well as the formalisms we have adopted to tackle the security properties addressed in this thesis. Part II-CAOVerif: A deductive verification tool for CAO Chapter 6 In this chapter we describe the design and implementation details of the deductive verification tool for CAO, named CAOVerif. We present the formalisation in first-order logic of the rich mathematical data types of this language and also demonstrate that the development time of such a complex verification tool can be greatly reduced by relying on the Jessie plug-in of the Frama-c framework as a back-end. The main results comprised in this chapter were published in [11]. 1.5 Thesis organization 9 Chapter 7 In this chapter we establish the correctness of our approach by giving a formal proof of the soundness of the CAOVerif tool, i.e., that it only allows to prove the correctness of programs that are indeed correct. Chapter 8 This chapter summarises the work presented in this thesis, by giving the main conclusions and presenting directions for future work.

Distributed programs are notorious for subtle errors, requiring proofs to establish their correctness. Correctness proofs carried out on paper tend to be error-prone. This paper presents system Snap Simple Notion of Annotating Proofs being developed to validate correctness proofs in Linear Time Temporal Logic LTL. Snap supports forward p r oofs and can be used either interactively or in batch mode. The system validates proofs entered by users | in a representation close to handwritten proofs | by providing justi cations for every proof step. Justi cations are in essence theorems or meta rules in the system's rule-base; together with the proof, they constitute a proof annotation. Theorems proved elsewhere may be loaded into the system's rule-base without having to redo proofs, a mechanism to raise the abstraction level of proofs. Snap supports proofs of theorems and certain meta rules, all of which m a y be dynamically added to its rule-base. Since the design goal of Snap is to validate and annotate correctness proofs of programs, we h a ve sacri ced generality for e ciency and ease of use. For example, the system does not support higher-order logics.

Lecture Notes in Computer Science, 1995

In this paper we present an approach towards a framework based on the type theory ECC (Extended Calculus of Constructions) in which speci cations, programs and operators for modular development by stepwise re nement can be formally described and reasoned about. We demonstrate how generic software development steps can be expressed as higher-order functions and how proofs about their asserted e ects can be carried out in the underlying logical calculus. For formalizing transformations that require syntactic manipulation of objects, we introduce a two-level system combining a meta-level and an object level and show how to express and reason about transformations that faithfully represent object-level operators.

2000

Much research in computer science, ever since its inception, has been devoted the problem:���How can we be sure that a computer program is correct?��� The general problem is extremely difficult, and the enormous variety of computer software in use demands a corresponding variety of approaches: eg structured design methods [YC86], automated testing [Ber91] and model checking [GL94].

National Technical Infornation Servici U. S. DEPARTMENT OF COMMERCE ' ■ mim mCLAüüIl IED SECURITY CLASSIFICATION OF THIS PAGEfHT,», D.I. Enl.r.rfJ lhe_paper investigates msthods for applying an on-line interactive vtnlication system derigned to prove properties or PASCAL programs. The methodology is intended to provide techniques for developing a debugged and verified version startin,: from a program, that (a) is possibly unfinished in some respects, (b) may not satisfy the given specmcations, e.g., may contain bugs, (c) may have incomplete documentation, (d) may be written in non-standard ways, e.g.. may depend on user-defined data structures. The methodology involves (i) interactive application of a verification condition generator, an algebraic simplifier and a theorem-prcver; Uij techniques for describing data structures, type constraints, and properties of programs and subprograms (i.e. lower level procedures); [Hi the use of (abstract) data types in structuring programs and proofs. Within each unit (i.e. segment of a problem), the interactive use is aimea at reducing verification conditions to manageable proportions so that the non-trivial factors may be analysed. Analysis of verification conditions attempts to localize errors in the program logic, to extend assertions inside the program, to spotlight additional assumptions on program subfunctions (beyond those already specified oy the programmer), and to generate appropriate lemmas that allow a verification to be completed. Methods for structuring correctness proofs are discussed that are similar to those of "structured programming-, A detailed case study of a pattern matching algorithm illustrating the various aspects of the methodology (including the role played by the user) is given. ii UNCLASSIFIED SECURITY CLASSIFICATION OF THIS PAGEfirh»n Oaf« Km.r.dJ " wmm'*^^*'*

Lecture Notes in Computer Science, 1999

This paper reports an industrial experiment of formal proof techniques applied to avionics software. This application became possible by using Caveat, a tool dedicated to assistance in comprehension and formal verification of safety critical applications written in C. With this approach it is possible to reduce significantly the actual verification effort (based on test) in achieving the verification objectives defined by the DO 178B [4]. 1.3. Proof of Property Property-or program-proof is a well known technique, based on Hoare's [1] or Dijkstra's [2] theories. An interesting characteristic of these theories is that they can be computer aided, i.e. a tool can be developed to help prove properties. In order to meet the objectives defined in section 1.1 the requirements for such a tool are listed below. Ability to prove avionics C code. This is the strongest requirement because formal verification is dedicated to real software products. Ease of learning and use. The main point, here, is the ability of the tool to be used by "standard" software developers, not only by a team of formal proof specialists. Early payback. Tool aided formal proof must be used in replacement (not in addition) of the most tedious and expensive phases of the testing process. Easy integration. The use of the tool should not break down the actual verification process and environment. A tool which meets this requirement is Caveat, developed by the French Commissariat à l'énergie atomique (CEA). This tool-evaluated by Aerospatiale during the European project LAW [3]-is a "verification assistant" able to perform proof of property. 1.4. Avionics Software Characteristics Functions. The different classes of functions of an avionics software product are numerical computation, hardware handling, communication protocols, security/protection mechanisms, fault-detection and recovery, Boolean computation. Properties. An avionics software must have the following types of property : functional, safety, robustness and temporal. Architecture and sizes. The design and coding rules of an avionics software lead to a modular architecture. They also limit the size and complexity of the individual modules. The size of an entire avionics software product may be up to 500,000 lines of code. Algorithms. From that point of view, avionics software is never very complicated. For instance, the loops are very simple (eg : array initialisation, search within an array). So one of the great difficulties of automatic property proof, i.e the analysis of loops, is simplified a lot.

Proceedings of the Thirty-First Hawaii International Conference on System Sciences, 1998

Much software is written in industry standard p r ogramming languages, but these languages often have complex semantics making them hard to formalize. For example, the use of expressions with side eects is common in C programs. We present new inference rules for conditional (if) statements and looping constructs (while) with pre-and postevaluation side effects in their test expressions. These inference rules allow us to formally reason about the security properties of programs. We maintain that formal verication of secure p r ograms written in common languages is feasible and can be worthwhile. To support our claim, we give an example of how our verication of a secure web server uncovered some previously unknown problems. Automated theorem proving assistants can help deal with complex inference rules, but many components must be b r ought together to make a broadly useful system. We propose elements of a formal verication system which could be widely useful.

1973

Defining the semantics of programming languages by axioms and rules of inference yields a deduction system within which proofs may be given that programs satisfy specifications. The deduction system herein is shown to be consistent and also deduction complete with respect to Hoare's system. A subgoaler for the deduction system is described whose input is a significant subset of Pascal programs plus inductive assertions. The output is a set of verification conditions or lemmas to be proved. Several non-trivial arithmetic and sorting programs have been shown to satisfy specifications by using an interactive theorem prover to automatically generate proofs of the verification conditions. Additional components for a more powerful verification system are under construction. * This research is supported by the Advanced Research Projects Agency under Contracts SD-183 and DAHC t5-72-C-0308, and by the National Aeronautics and Space Administration under Contract NSR 05-020-500. t 46 S. Igarashi et al. ASSERTIONS. A documented program is, for us, a Pascal program in which assertions have been placed between its statements at certain points. We refer to such programs with documentation as ASSERTED PROGRAMS. The general idea of how to go about verifying an asserted program is to reduce this problem to questions about whether certain associated logical conditions (henceforth called VERIFICATION CONDITIONS) are true of (i.e. theorems ill) various standard first-order theories. The usual method of reduction [4] involves enumerating all possible paths between assertions in the program and then computing a verification condition for each path in terms of operations and assertions on that path; these verification conditions must then be proved. See [t t ] for a bibliography of existing programs for generating verification conditions. However, in the case of Pascal, a rigorous definition of the semantics has been given in terms of axioms and rules of inference that must be valid for each syntactic cofistructor; this is contained in the recent work of Hoare and Wirth [9]. This approach to defining the semantics of a programming language fields a deduction system in which proofs that programs satisfy specifications may be given (see Hoare [6, 7]). Such proofs, of course, depend on the truth of first-order conditions, or to put it another way. standard first-order theories are subsystems of the deduction system for Pascal. For the sake of illustration, Example I shows a proof in Hoare's system that the program in step t3 computes the quotient q and remainder r of the inputs x and y. The rules of inference used here are the rules in Table t (Section 3.t) and the iteration rule below. The logical conditions assumed by this proof are labeled "lemma".

Lecture Notes in Computer Science, 2014

Alloy is a relational specification language with a built-in transitive closure operator which makes it particularly suitable for writing concise specifications of linked data structures. Several tools support Alloy specifications for Java programs. However, they can only check the validity of those specifications with respect to a bounded domain, and thus, in general, cannot provide correctness proofs. This paper presents JKelloy, a tool for deductive verification of Java programs with Alloy specifications. It includes automatically-generated coupling axioms that bridge between specifications and Java states, and two sets of calculus rules that (1) generate verification conditions in relational logic and (2) simplify reasoning about them. All rules have been proved correct. To increase automation capabilities, proof strategies are introduced that control the application of those rules. Our experiments on linked lists and binary graphs show the feasibility of the approach.