Tool-supported program abstraction for finite-state verification

2002

Automated verification tools vary widely in the types of properties they are able to analyze, the complexity of their algorithms, and the amount of necessary user involvement. In this paper we propose a framework for step-wise automatic verification and describe a lightweight scalable program analysis tool that combines abstraction and model checking. The tool guarantees that its True and False answers are sound with respect to the original system.

ACM SIGPLAN Notices, 2002

Software verification is an important and difficult problem. Many static checking techniques for software require annotations from the programmer in the form of method specifications and loop invariants. This annotation overhead, particularly of loop invariants, is a significant hurdle in the acceptance of static checking. We reduce the annotation burden by inferring loop invariants automatically.

Proceedings of the second …, 1998

Finite-state verification (e.g., model checking) provides a powerful means to detect errors that are often subtle and difficult to reproduce. Nevertheless, the transition of this technology from research to practice has been slow. While there are a number of potential causes for reluctance in adopting such formal methods in practice, we believe that a primary cause rests with the fact that practitioners are unfamiliar with specification processes, notations, and strategies. Recent years have seen growing success in leveraging experience with design and coding patterns.

Journal of Automated Reasoning, 2005

Bytecode verification is one of the key security functions of several architectures for mobile and embedded code, including Java, Java Card, and .NET. Over the past few years, its formal correctness has been studied extensively by academia and industry, using general-purpose theorem provers. The objective of our work is to facilitate such endeavors by providing a dedicated environment for establishing the correctness of bytecode verification within a proof assistant. The environment, called Jakarta, exploits a methodology that casts the correctness of bytecode verification relatively to a defensive virtual machine that performs checks at run-time and to an offensive one that does not; it can be summarized as stating that the two machines coincide on programs that pass bytecode verification. Such a methodology has been used successfully to prove the correctness of the Java Card bytecode verifier and may potentially be applied to many similar problems. One definite advantage of the methodology is that it is amenable to automation. Indeed, Jakarta automates the construction of an offensive virtual machine and a bytecode verifier from a defensive machine, and the proofs of correctness of the bytecode verifier. We illustrate the principles of Jakarta on a simple low-level language extended with subroutines and discuss its usefulness to proving the correctness of the Java Card platform.

Finite-state machines (FSMs) are among the oldest models employed in the formalization and analysis of both software and hardware. Owing to their simplicity, there exist various implementations to support their practical application in mainstream programming languages. Through such software libraries, programmers can explicitly define states, events and transitions in order to delegate the machine's execution to an underlying engine. However, as far as we know, no such library provides formal verification capabilities alongside its execution engine. That is to say, once an FSM is defined, the resulting program cannot be used as a formal specification to be subject to formal verification , thereby not making the analytical tractability of FSMs available. Formal verification, if any, is conducted in an independent model separate from the program, thus duplicating the information and creating the possibility of discrepancies between both. In this paper we show how to overcome this limitation. To this end, we present the Verum library, which allows the specification, execution and verification of FSMs in the Ruby language, largely bypassing the need to explicitly employ an additional modeling language. Formal verification is achieved by automatically translating the source program of the FSM into a Timed Automaton (TA) specification for the UPPAAL model checker. To illustrate the value of the approach, we present the industrial problem which inspired the creation of this tool and is currently using it, namely, a payment system. Besides the technical aspects of the tool, a number of practical lessons learned with this application are explored. Although we describe very concrete artifacts and applications, the overall approach is quite general.

Electron. Commun. Eur. Assoc. Softw. Sci. Technol., 2012

We propose an approach to formally verify Plural specifications of concurrent programs based on access permissions and typestates, by model-checking automatically generated abstract state-machines. Our approach captures all possible relevant behaviors of abstract concurrent programs implementing the specification. We describe the formal methodology employed in our technique and provide an example as proof of concept for the state-machine construction rules. We implemented the fully automated algorithm to generate and verify models as a freely available plug-in of the Plural tool, called Pulse. We tested Pulse on the full specification of a Multi Threaded Task Server commercial application and showed that this approach scales well and is efficient in finding errors in specifications that could not be previously detected with the Data Flow Analysis (DFA) capabilities of Plural.

National Technical Infornation Servici U. S. DEPARTMENT OF COMMERCE ' ■ mim mCLAüüIl IED SECURITY CLASSIFICATION OF THIS PAGEfHT,», D.I. Enl.r.rfJ lhe_paper investigates msthods for applying an on-line interactive vtnlication system derigned to prove properties or PASCAL programs. The methodology is intended to provide techniques for developing a debugged and verified version startin,: from a program, that (a) is possibly unfinished in some respects, (b) may not satisfy the given specmcations, e.g., may contain bugs, (c) may have incomplete documentation, (d) may be written in non-standard ways, e.g.. may depend on user-defined data structures. The methodology involves (i) interactive application of a verification condition generator, an algebraic simplifier and a theorem-prcver; Uij techniques for describing data structures, type constraints, and properties of programs and subprograms (i.e. lower level procedures); [Hi the use of (abstract) data types in structuring programs and proofs. Within each unit (i.e. segment of a problem), the interactive use is aimea at reducing verification conditions to manageable proportions so that the non-trivial factors may be analysed. Analysis of verification conditions attempts to localize errors in the program logic, to extend assertions inside the program, to spotlight additional assumptions on program subfunctions (beyond those already specified oy the programmer), and to generate appropriate lemmas that allow a verification to be completed. Methods for structuring correctness proofs are discussed that are similar to those of "structured programming-, A detailed case study of a pattern matching algorithm illustrating the various aspects of the methodology (including the role played by the user) is given. ii UNCLASSIFIED SECURITY CLASSIFICATION OF THIS PAGEfirh»n Oaf« Km.r.dJ " wmm'*^^*'*

2004

Compositional verification and abstraction are the key tech- niques to address the state explosion problem associated with model checking of concurrent software. A promising compositional approach is to prove properties of a system by checking properties of its compo- nents in an assume-guarantee style. This article proposes a framework for performing abstraction and assume-guarantee reasoning of concurrent C code in an incremental and fully automated fashion. The framework uses predicate abstraction to extract and refine finite state models of software and it uses an automata learning algorithm to incrementally construct as- sumptions for the compositional verification of the abstract models. The framework can be instantiated with dierent assume-guarantee rules. We have implemented our approach in the ComFoRT reasoning framework and we show how ComFoRT out-performs several previous software model checking approaches when checking safety properties of non-trivial concurrent programs.

Lecture Notes in Computer Science, 1996

In [14], we proposed a framework for the automatic verification of reactive systems. Our main tool is a decision procedure, Mona, for Monadic Second-order Logic (M2L) on finite strings. Mona translates a formula in M2L into a finite-state automaton. We show in [14] how traces, i.e. finite executions, and their abstractions can be described behaviorally. These state-less descriptions can be formulated in terms of customized temporal logic operators or idioms. In the present paper, we give a self-contained, introductory account of our method applied to the RPC-memory specification problem of the 1994 Dagstuhl Seminar on Specification and Refinement of Reactive Systems. The purely behavioral descriptions that we formulate from the informal specifications are formulas that may span 10 pages or more. Such descriptions are a couple of magnitudes larger than usual temporal logic formulas found in the literature on verification. To securely write these formulas, we introduce Fido [16] as a reactive system description language. Fido is designed as a high-level symbolic language for expressing regular properties about recursive data structures. All of our descriptions have been verified automatically by Mona from M2L formulas generated by Fido. Our work shows that complex behaviors of reactive systems can be formulated and reasoned about without explicit state-based programming. With Fido, we can state temporal properties succinctly while enjoying automated analysis and verification. * Previously announced under the title: Using Monadic Second-Order Logic with Finite Domains for Specification and Verification.

1999

Finite-state verification provides software developers with a powerful tool to detect errors. Many different analysis techniques have been proposed and implemented, and the limited amount of empirical data available shows that the performance of these techniques varies enormously from system to system. Before this technology can be transferred from research to practice, the community must provide guidance to developers on which methods are best for different kinds of systems. We describe a substantial case study in which several finite-state verification tools were applied to verify properties of the Chiron user interface system, a real Ada program of substantial size. Our study provides important data comparing these different analysis methods, and points out a number of difficulties in conducting fair comparisons of finite-state verification tools.