scispace - formally typeset
Search or ask a question
Author

Thomas Santen

Bio: Thomas Santen is an academic researcher from Microsoft. The author has contributed to research in topics: Software & Stream processing. The author has an hindex of 9, co-authored 12 publications receiving 1252 citations.

Papers
More filters
Book ChapterDOI
20 Aug 2009
TL;DR: This paper motivates VCC, describes the verification methodology, the architecture of VCC is described, and the experience using VCC to verify the Microsoft Hyper-V hypervisor is reported on.
Abstract: VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program (annotated with function contracts, state assertions, and type invariants) and attempts to prove the correctness of these annotations. It includes tools for monitoring proof attempts and constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology, describes the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.

584 citations

Journal ArticleDOI
TL;DR: A conceptual framework for security engineering is presented, with a strong focus on security requirements elicitation and analysis, that establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering.
Abstract: This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.

237 citations

Book ChapterDOI
04 Nov 2009
TL;DR: A brief overview on the Hypervisor with a special focus on verification related challenges this kind of low-level software poses is given, and how the design of VCC addresses these challenges is discussed.
Abstract: VCC is an industrial-strength verification suite for the formal verification of concurrent, low-level C code. It is being developed by Microsoft Research, Redmond, and the European Microsoft Innovation Center, Aachen. The development is driven by two applications from the Verisoft XT project: the Microsoft Hyper-V Hypervisor and SYSGO's PikeOS micro kernel. This paper gives a brief overview on the Hypervisor with a special focus on verification related challenges this kind of low-level software poses. It discusses how the design of VCC addresses these challenges, and highlights some specific issues of the Hypervisor verification and how they can be solved with VCC.

147 citations

Proceedings ArticleDOI
Markus Dahlweid1, Michal Moskal1, Thomas Santen1, Stephan Tobies1, Wolfram Schulte1 
16 May 2009
TL;DR: Annotated C and the Verified C Compiler form the first modular sound verification methodology for concurrent C that scales to real-world production code.
Abstract: Most system level software is written in C and executed concurrently. Because such software is often critical for system reliability, it is an ideal target for formal verification. Annotated C and the Verified C Compiler (VCC) form the first modular sound verification methodology for concurrent C that scales to real-world production code. VCC is integrated in Microsoft Visual Studio and it comes with support for verification debugging: an explorer for counter-examples of failed proofs helps to find errors in code or specifications, and a prover log analyzer helps debugging proof attempts that exhaust available resources (memory, time). VCC is currently used to verify the core of Microsoft Hyper-V, consisting of 50,000 lines of system-level C code.

98 citations

Book ChapterDOI
15 Jun 2009
TL;DR: This paper argues that rights to access the state are really just sugar for knowledge that certain updates preserve certain invariants, and extends program assertions to include not just knowledge about the state, but rights toaccess the state.
Abstract: The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.

97 citations


Cited by
More filters
Book
01 Jan 1996

1,170 citations

Book ChapterDOI
17 Jul 2002

1,123 citations

Book ChapterDOI
K. Rustan M. Leino1
25 Apr 2010
TL;DR: A tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs, is given and the full functional specification of the Schorr-Waite algorithm is shown.
Abstract: Traditionally, the full verification of a program's functional correctness has been obtained with pen and paper or with interactive proof assistants, whereas only reduced verification tasks, such as extended static checking, have enjoyed the automation offered by satisfiability-modulo-theories (SMT) solvers. More recently, powerful SMT solvers and well-designed program verifiers are starting to break that tradition, thus reducing the effort involved in doing full verification. This paper gives a tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs. The paper describes the features incorporated in Dafny, illustrating their use by small examples and giving a taste of how they are coded for an SMT solver. As a larger case study, the paper shows the full functional specification of the Schorr-Waite algorithm in Dafny.

899 citations