Hawaii International Conference on System Sciences

House of Quality

http://user.it.uu.se/~jarst116/slides/week4.pdf

Graph-Based Algorithms for Boolean Function Manipulation

Traditionally, the full verification of a program's functional correctness has been obtained with pen and paper or with interactive proof assistants, whereas only reduced verification tasks, such as extended static checking, have enjoyed the automation offered by satisfiability-modulo-theories (SMT) solvers. More recently, powerful SMT solvers and well-designed program verifiers are starting to break that tradition, thus reducing the effort involved in doing full verification.

This paper gives a tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs. The paper describes the features incorporated in Dafny, illustrating their use by small examples and giving a taste of how they are coded for an SMT solver. As a larger case study, the paper shows the full functional specification of the Schorr-Waite algorithm in Dafny.

/pdf/dafny-an-automatic-program-verifier-for-functional-2trag0l49s.pdf

Dafny: an automatic program verifier for functional correctness

https://onlinelibrary.wiley.com/doi/pdf/10.1002/stvr.247

Problem frames: analyzing and structuring software development problems. By Michael Jackson. Published by Addison‐Wesley, Boston, Massachusetts, U.S.A., ACM Press Series, 2001. ISBN: 0‐201‐59627‐X, 390 pages. Price: U.K. ?32.95, U.S.A. $49.99, soft cover.

VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program (annotated with function contracts, state assertions, and type invariants) and attempts to prove the correctness of these annotations. It includes tools for monitoring proof attempts and constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology, describes the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.

/pdf/vcc-a-practical-system-for-verifying-concurrent-c-5015oi9z23.pdf

VCC: A Practical System for Verifying Concurrent C

This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.

/pdf/a-comparison-of-security-requirements-engineering-methods-3f9j2skva9.pdf

A comparison of security requirements engineering methods

VCC is an industrial-strength verification suite for the formal verification of concurrent, low-level C code. It is being developed by Microsoft Research, Redmond, and the European Microsoft Innovation Center, Aachen. The development is driven by two applications from the Verisoft XT project: the Microsoft Hyper-V Hypervisor and SYSGO's PikeOS micro kernel.

This paper gives a brief overview on the Hypervisor with a special focus on verification related challenges this kind of low-level software poses. It discusses how the design of VCC addresses these challenges, and highlights some specific issues of the Hypervisor verification and how they can be solved with VCC.

Verifying the Microsoft Hyper-V Hypervisor with VCC

Most system level software is written in C and executed concurrently. Because such software is often critical for system reliability, it is an ideal target for formal verification. Annotated C and the Verified C Compiler (VCC) form the first modular sound verification methodology for concurrent C that scales to real-world production code. VCC is integrated in Microsoft Visual Studio and it comes with support for verification debugging: an explorer for counter-examples of failed proofs helps to find errors in code or specifications, and a prover log analyzer helps debugging proof attempts that exhaust available resources (memory, time). VCC is currently used to verify the core of Microsoft Hyper-V, consisting of 50,000 lines of system-level C code.

/pdf/vcc-contract-based-modular-verification-of-concurrent-c-5e3sd4chix.pdf

VCC: Contract-based modular verification of concurrent C

The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.

/pdf/invariants-modularity-and-rights-1iqtkjupom.pdf

Thomas Santen

Papers

VCC: A Practical System for Verifying Concurrent C

A comparison of security requirements engineering methods

Verifying the Microsoft Hyper-V Hypervisor with VCC

VCC: Contract-based modular verification of concurrent C

Invariants, modularity, and rights