copied from http://www.dwheeler.com/secure-class/presentations/Secure-Software-10-Formal-Methods.ppt

SWE 681 / ISA 681 Secure Software Design & Programming Lecture 10: Formal Methods

Dr. David A. Wheeler

2016-04-06

Formal methods (FM)

Introduction Notations Tools Specifications Verification (general & for proving programs) Open Proofs

Some portions © Institute for Defense Analyses

(the open proofs sections), used by permission.

This material is not intended to endorse particular suppliers or products.

2

Formal methods (FM)

Formal methods (FM) = the use of “mathematically rigorous techniques and tools for the specification, design and verification of software and hardware systems.” Can be applied to spec, actual software, or model Mathematically rigorous = “specifications are well-formed statements in a mathematical logic and that the formal verifications [if any] are rigorous deductions in that logic”

3

Source: “What is Formal Methods?” by Ricky W. Butler

http://shemesh.larc.nasa.gov/fm/fm-what.html

Why formal methods (FM)?

Imagine it’s critical that software meet some requirement E.G., “Never give secret information to unauthorized personnel” So important that it’s a disaster if requirement not met FM spec language can reduce requirement ambiguity You cannot get truly high confidence with just: Dynamic analysis (e.g., testing) – only tiny % of inputs Vulnerability scanners – only reports some defects In contrast, FM can prove “always” or “never” (!!!) Given some assumptions (& you decide what those will be)

4

Applying formal methods to security issues

To apply FM in general: Describe requirements using FM-based spec language If will verify, choose & apply FM verification approach(es) Thus, to directly apply FM to security: Must describe security requirements using FM-based spec language (and verify if applicable) Verification tool may predefine requirement (“no race condition”) - simplifies use, but limits usage & claim Verification must usually prove no undefined situation occurs, which by itself can reveal potential issues Some FM technologies can be “repurposed”

5

The idea of using logic to determine truth is an old one!

6

“The only way to rectify our reasonings is to make them as tangible as those of the Mathematicians, so... when there are disputes... we can simply say: Let us calculate... to see who is right.”

– Gottfried Leibniz, The Art of Discovery (1685)

Already achieved in certain areas Limitations exist, both in theory & practice A little history will help…

Some advances in logic & formalized (math) reasoning

Artistotle’s Organon, esp. “Analytica Priora” (Prior Analytics) – first work on logic (Aristotle lived 384-322 B.C.) Euclid’s Elements — oldest axiomatic deductive treatment of math (c. 300 BC) Non-Euclidean geometry (Lobachevsky 1829, Bolyai 1831, Gauss) Ancient assumptions might not necessarily hold! George Boole’s “An Investigation of the Laws of Thought…” (1854) — founded boolean algebraic logic (much work done since) Georg Cantor founded set theory (1874) Gottlob Frege’s Begriffsschrift… (1879) Added “quantified” variables (for-all & there-exists) Added more-general mechanisms to handle functions Peirce (1881), then Richard Dedekind & Giuseppe Peano (1888), formalized natural numbers

7

The foundational crisis of mathematics

Bertrand Russell discovers “Russell’s paradox” in 1901 Mailed to Frege 1902 Shows that naïve set theory leads to paradox, must fix somehow Let R be the set of all sets that are not members of themselves… is R a member of itself? “Foundational crisis of mathematics” – what is the proper foundation? Whitehead & Russell release Principia Mathematica (1910-1913) Goal: Describe axioms & inference rules from which all mathematical truths could in principle be proven (“logicism” school: Base all math on logic) Notation shift since (see Linsky’s “The Notation in Principia Mathematica”) Russell’s paradox solution (a hierarchy of types) unwieldy; today most fundamental math work based on Zermelo–Fraenkel set theory, often with the axiom of choice (ZFC) Various philosophical views emerged, including: Logicism (Russell) Intuitionism/Constructivism (Brouwer & Heyting) Formalism (Hilbert*)

8

- Hilbert was not a strict formalist, as he & many other formalists believed there was meaning and truth in mathematics

Logicomix

Logicomix: An Epic Search for Truth by Apostolos Doxiadis & Christos Papadimitriou Dramatizes some of the “foundational crisis of mathematics” (the early 20th century search for the proper foundations of mathematics), from the viewpoint of Bertrand Russell Dramatization - takes licenses with history Shows people talking when they really converse by letter or papers It oversimplifies many things In a few places reorders events Little coverage of constructivism/ intuitionism It’s excellent at explaining what people were doing, and why it mattered so much to them Best non-mathematical introduction to this important aspect of 20th century history Presents as story, not just dry history Russell and others desperately wanted absolute truth; their results were valuable, but not what they expected or exactly wanted

9

Most of modern mathematics is built on a small set of rules of reasoning & axioms

10

Classical propositional logic

(variables are true or false)

First-order predicate logic

(variables can be objects)

Second/higher-order predicate logic

(variables can be functions)†

Logic

Set Theory

Zermelo

Zermelo-Fraenkel (ZF)

Axiom of Choice (AC) †

(some controversy!)

ZFC

(most math

uses this as

its basis)

Numbers

Theories about numbers can be derived from lower-level axioms, then used as building blocks*

The division between “logic” & “set theory” isn’t as strict as implied by this figure Other axioms are sometimes added, e.g., Tarski's axiom, continuum hypothesis (CH) Different logics & axioms are in use, e.g., intuitionism subsets classical logic & rejects AC

- Like physics, mathematics has been “reverse engineering” math concepts into more elemental components; numbers turn out to be derivative

† Less commonly used

Mathematicians identify

rules of reasoning, axioms (assumptions), and derive proofs using them

Gödel’s incompleteness theorems

David Hilbert’s retirement address at 1930 Königsberg conference concluded with: “For the mathematician there is no Ignorabimus… in my opinion… there is no unsolvable problem. In contrast to the foolish Ignoramibus, our credo avers: We must know. We shall know!” (“Wir müssen wissen. Wir werden wissen!”) Gödel’s incompleteness theorems proved this is impossible: Two theorems proven & published by Kurt Gödel in 1931* First one was announced by Gödel at the same 1930 conference! Establishes fundamental limitations of mathematics First incompleteness theorem: No consistent system of axioms whose theorems can be listed by an “effective procedure” (e.g., computer program or algorithm) can prove all truths about the relations of the natural numbers (arithmetic) I.E.: There will always be statements about the natural numbers that are true but unprovable within a consistent system Second incompleteness theorem: Such a system cannot demonstrate its own consistency Note: Gödel proved a different “completeness theorem” in 1929 (as dissertation) In first-order logic (limited), all logically valid formulas can be formally proved in finite steps Not the same thing!

11

- In “On Formally Undecidable Propositions in

Principia Mathematica and Related Systems I”

(second part never written) as Theorems VI and XI

Halting Problem

Halting problem: Given a description of an arbitrary computer program, decide whether the program finishes running or continues to run forever (for some input) Alan Turing proved in 1936 that a general algorithm to solve the halting problem for all possible program-input pairs cannot exist Proof similar to Gödel’s incompleteness theorems Fundamental limit on computation

12

But within these theoretical limits,

a lot can be accomplished.

This is only a partial summary of formal methods

This is a summary; many important things omitted Have been decades of research (more than we can cover) Active research area (so expect changes/new approaches!) Presentation goal: awareness of key portions of field Omit details on how they work, but some info necessary to understand their capabilities & limitations Too many know little, & some courses only explain 1 tool Assume you know already how to develop software Especially note open source software & no-cost tools Identify things you can try & experiment with right now If you’re interested, whole classes & careers in this field Need math, especially discrete math & logic

13

Making formal methods affordable

Formal methods costly to apply today in many cases Many backoff approaches exist to limit costs: Level 0: Formal specification created, then program informally developed from it. “Formal methods lite” Level 1: Level 0, + prove some select properties or formal refinement from specification towards program Level 2: Fully prove claims, mechanically checked Any of the above can apply to a subset of components or properties E.G., specialized analysis tool to determine one specific (important) property. Narrow properties can be relatively affordable on big systems Tool support typically needed to scale up Different tools good for different things (combining may help) Choose specific toolsuite that meets goal, e.g., use weakest language Improvements: Increasing CPU power, improved algorithms, & OSS (speeding research, distribution, and multi-approach integration) We’ll discuss basics of FM notations, then tools/approaches

14

Formal methods: Notations

15

Quick review: Set notation

Set: a collection of elements or members Given sets S = {1, 2, 3} ; T = {1, 2}; R = {1, 5}; L = {a, b} Is member of: 1 S is true, 7 S is false, 7 S is true Is subset of: T S is true, R S is false Union: S R is {1,2,3,5} Intersection: S ∩ R is {1} Set difference: S \ R = S – R = {2,3} Cartesian Product: R x L = {(1,a),(1,b),(5,a),(5,b)} Common predefined sets (sometimes with blackboard bold): ∅ or {}: Empty set N: natural numbers {1, 2, 3, …} or {0, 1, 2, …}; ISO 31-11 includes 0 Z: integers (from Zahl, German for integer) {…, -2, -1, 0, 1, 2, …} Q: rational numbers (from quotient) R: real numbers C: complex numbers

16

Many whose “N” includes 0 may also append “*” superscript to any of the above letters to mean “except zero” [ISO 31-11; Gullberg, Mathematics: From the Birth of Numbers]

Set builder notation

Sets can be defined using set builder notation. A common format:

{ expression-using-variable

variable set ∧ condition} |

Can omit “variable set” if understood (e.g., pre-stated “universe”) Pronounciation: | is “where” or “such that” is “in” or “member of” (in Z notation, “:” used instead) ∧ is “and” (some notations use “&” or “,” instead) E.g., set1 = {x | x A ∧ p(x)} “set1 is the set of elements in A for which the proposition p(x) is true” List comprehensions of Python & Haskell are similar Python: [(x, y) for x in [1,2,3] for y in [3,1,4] if x != y] Haskell: [(k, x) | k <- ks, x <- xs, p x]

17

Many different languages for mathematical logic

Various math logic notations (weakest…strongest): Predicate logic (just boolean variables) First-order logic (FOL) (“all X..”, non-booleans, functions,…) Can add “theories” about integers, real numbers, etc. to FOL Higher-order logics (HOL) (+ functions can vary/be objects) Again, can add “theories” about integers, etc. to HOL Stronger logic notations provide more capability But tend to be harder to automatically analyze Often want “weakest” language that meets needs Can add “temporal logic” (“X will happen eventually”) Often computation tree logic (CTL) or linear temporal logic (LTL) These traditional math notations can be used directly or be part of a larger specification language

18

Predicate logic

Predicate logic – define expressions with just: Boolean variables Operators and, or, not Parentheses allowed Predicate logic too limited for many problems Useful in some cases, e.g., dependency analysis Can be used to implement more sophisticated systems

19

First-order logic (FOL)

FOL widely used mathematical logic Aka “first-order predicate logic” or “first-order predicate calculus” Basis of most FM software languages for specs Including “higher-order” logics that relax FOL restrictions May add “theories” to describe integers, real numbers, etc. In traditional FOL, every expression is either a: Term (an object / “non-boolean”): a variable, a constant, or a function f(term1, term2, …)

Typically there’s a “domain of discourse” (aka “universe”), the set of entities over which variables may range. E.G., “integers” or “real numbers”

Formula (a truth value / “boolean”): see next slide, includes predicates (“functions” that return truth value) Can have variables & constants (must distinguish) Prolog convention: Variable if begin with uppercase, else constant Math convention: Variables begin with w, x, y, z In FOL, functions & predicates can’t be variables

20

FOL formula notation

21

Traditional Notation

Alternate Notation

Meaning

¬A

-A, ~A

Not A. In classical (not intuitionist) logic, ¬¬A = A

A ∧ B

A & B

A and B. True iff both true

A ∨ B

A

B |

A or B. True iff at least one true

A → B

A -> B

A implies B. Aka “if A then B” (1-arm) Classically same as ¬A ∨ B

p(T1, T2, …)

Predicate p true when given those terms

T1 = T2

Term is equal to term. Not in traditional FOL but is a common FOL extension

∀ X …

forall X …

For all X, … is true

∃ X …

exists X …

There exists an X where … is true

A and B are formulas; X is a term variable; T1 & T2 are terms; iff = if and only if

Conventional FOL example

∀ X man(X) → mortal(X)

“For all X, if X is a man, then X is mortal”

I.E., “All men are mortal”

This uses Prolog naming convention (uppercase vars)

man(socrates)

“Socrates is a man”

mortal(socrates)

“Socrates is mortal”

This can be proven from the first two statements with appropriate rules for reasoning

22

More FOL examples

∃ X (bird(X) ∧ ¬fly(X)) “At least one bird can’t fly” ∀ X ∀ Y (mother(X, Y) → younger(Y, X)) “All children are younger than their own mother” ∀ X ∀ Y ((mother(X) ∧ child(Y)) → younger(Y, X)) “All children are younger than all mothers” (FALSE!) ∃ X (brother(X, bob) ∧ likes(alice, X)) “Bob has a brother that Alice likes” ∀ X (brother(X, bob) → likes(alice, X)) “Alice likes all of Bob’s brothers” ∀ X (man(X) → X = socrates) “All men are Socrates” (FALSE!)

23

(Most of these examples are based on Huth & Ryan “Logic in Computer Science” 2006)

Bugs possible in formal methods specifications!

English “and” & “or” often don’t translate exactly “Or” may mean inclusive (either-or-both) or exclusive (only-one) Common mistake: Empty sets used with forall ∀ X martian(X) → green(X) Means “All Martians are green” ∀ X martian(X) → ¬green(X) Means “All Martians are not green” If there are no Martians, both expressions are true Different from non-expert expectations & Aristotelian logic Though there are good reasons for it Can easily fix “empty sets” issue once you know about it, e.g.: (∃ X martian(X)) ∧ (∀ X martian(X) → green(X)) Some notations make this easier & less error-prone Common mistake: ∃…→… (usually wrong, use ∧ not →) ∃ X (a(X) → b(X)) means ∃ X (¬a(X) ∨ b(X)). Instead try ∃ X (a(X) ∧ b(X))

24

Tips on how to create accurate translations to math notations

“Translation Tips” by Peter Suber http://www.earlham.edu/~peters/courses/log/transtip.htm “First-Order Logic” by C. R. Dyer http://pages.cs.wisc.edu/~dyer/cs540/notes/fopc.html “Guide to Axiomatizing Domains in First-Order Logic” by Ernest Davis http://cs.nyu.edu/faculty/davise/guide.html “Logic in Computer Science” by Michael Huth and Mark Ryan (Cambridge University Press)

25

FOL extensions

“Traditional” FOL comes from mathematics Many notations in practice add extensions: Equality (“=”) is extremely common Notation for constant “true” & “false” If-then-else: ite(condition, true-term, false-term) Traditionally functions can’t accept formulas (booleans) Various work-arounds exist, but nicer to have it Allow formulas (booleans) as parameters F1 ↔ F2, an abbreviation of ((F1 → F2) ∧ (F2 → F1)) Add types/sorts (integers, reals, etc.) Add “Theories” (e.g., about integers, etc.) Resulting notations are still first-order Ways to structure/organize groups of statements

26

Beyond FOL

“Second-order” logics & “Higher-order” logics Enable functions & predicates to themselves be variables More flexible as a notation… But harder to automatically verify Support tools tend to be interactive

27

Some approaches for analyzing programs using logic

Hoare logic Predicate transformer semantics (including weakest precondition) Separation logic

28

Hoare logic (aka Hoare-Floyd logic)

Created by Sir C.A.R. “Tony” Hoare, based on Floyd Hoare triples: {P} C {Q} P=precondition, C=Command/code, Q=postcondition Examples of rules:

29

P is

“loop invariant”

Key:

Premises

Conclusion

Predicate transformer semantics (weakest preconditions)

Dijkstra “Guarded commands, nondeterminacy and formal derivation of programs” Assign every language statement a “predicate transformer” from one predicate to another Weakest-precondition for statement S maps any postcondition to a (weakest) precondition. Go backwards Strongest-postcondition, map precondition to postcondition. Go forwards Actual transformers based on Hoare logic E.G., wp(if E then S1 else S2 end, R) = (E → wp(S1, R)) ∧ (¬E → wp(S2, R))

30

Separation logic

Extension of Hoare logic developed by John C. Reynolds, Peter O'Hearn, Samin Ishtiaq and Hongseok Yang Describes “states” consisting of a: store (“stack-oriented variables”) and a heap (“dynamically-allocated objects”) Defines a set of operations about them “Frame rule” enables local reasoning A program that executes safely in a small state can also execute in any bigger state and that its execution will not affect the additional part of the state when certain conditions proved E.G., Coq “Ynot” library implements separation logic Can apply separation logic concepts using traditional FOL E.g., Jessie; see Francois Bobot and Jean-Christophe Filliatre. “Separation Predicates: a Taste of Separation Logic in First-Order Logic”. 14th International Conference on Formal Engineering Methods (ICFEM), Nov 2012

31

Beware of math vs. real world

Mathematical models are not the real world They are simplified models of the real world Common issue: Math numbers ≠ computer numbers In math, infinite number of integers & reals Computers always finite; cannot exactly represent all numbers, and integers/reals often fixed size Common issue: Assumptions or goals are wrong Wrong assumptions can lead to wrong conclusions If you didn’t ask for it, you might not get it Testing, inspection, & peer review can help Models can be vitally useful Be wary of their limitations

32

Formal Methods: Tools

33

Types of formal methods tools

Formal specification tools Without necessarily verifying Verification tools Major verification approaches include: Theorem-provers: Automated & interactive Satisfiability (SAT) solvers: Boolean-only or modulo theories Model-checkers Abstract interpretation / symbolic execution (for programs) First discuss in general (e.g., verifying models) Then, how to verify program meets spec (some dups) Formalizing & verifying mathematical theorems (not code) This is just my grouping & is approximate Active research areas, annual competitions

34

Formal specifications of systems (e.g., for level 0)

Any FM-based language can be used for specification Including PVS, Isabelle/HOL, Coq, ACL2, & many others (we’ll see later) Many formal specification languages often used for specification without (significant) verification Language examples: Z, Object-Z (Z+classes), VDM, B, Unified Modeling Language (UML) Object Constraint Language (OCL), Alloy There’s an ISO standard for Z, but “the version described in Mike Spivey’s book continues to be the most popular” [Jackson] Each has various tools to help write specs Goal is often to eliminate unintentional ambiguity “Alloy” OSS tool is unusual & interesting (Daniel Jackson, MIT) Relatively easy & unique spec language Parts loosely based on Z, includes “transitive closure” operator Includes “checker” to quickly find counter-examples Not a prover, but easy-to-use & much more rigorous than just reviewing text Could send to theorem prover (Kelloy->KeY, Prioni->Athena/Otter)

35

Z example (birthday book)

36

Source: The Z Notation: A Reference Manual, Second Edition

by J. M. Spivey (University of Oxford)

Schemas

(state space & operation)

Alloy: Sample Screenshot

37

Source:

Alloy: File system example

File System Model (I)

* A file system object in the file system*

sig FSObject { parent: lone Dir }

* A directory in the file system*

sig Dir extends FSObject { contents: set FSObject }

* A file in the file system*

sig File extends FSObject { }

* A directory is the parent of its contents*

fact { all d: Dir, o: d.contents

o.parent = d } |

* All FSOs are either files or directories*

fact { File + Dir = FSObject }

* There exists a root*

one sig Root extends Dir { } { no parent }

* File system is connected*

fact { FSObject in Root.*contents }

* The contents path is acyclic*

assert acyclic { no d: Dir

d in d.^contents } |

* Now check it for a scope of 5*

check acyclic for 5

* File system has one root*

assert oneRoot { one d: Dir

no d.parent } |

* Now check it for a scope of 5*

check oneRoot for 5

* Every fs object is in at most one directory*

assert oneLocation { all o: FSObject

lone d: Dir | o in d.contents } |

* Now check it for a scope of 5*

check oneLocation for 5

38

Source: Alloy tutorial, http://alloy.mit.edu/alloy/tutorials/online/frame-FS-1.html

Alloy notation ~subset of Z, not as pretty or rich But its special closure operators useful Can compute & display counter-example(s); “refuter” not “prover”

Theorem provers

Theorem prover Accepts assumptions (“givens”) & goal in some notation Tries to produce proof of goal, starting from assumptions… Using only a sequence of allowed inference rules & theorems Many different possible inference rules, e.g.:

Modus ponens: Modus tollens:

Formal proof: Every step fully justified by accepted rule “Proof checker” can verify proof - easy to build, enabling separate third-party verification. Supports “Proof carrying code” Theorem proving tools may be either: Automated Interactive (“proof assistant”)

39

P, P→Q?

Q

P→Q?, ¬Q

¬P

Premises

Conclusion

You’ve already done this manually in high school Geometry…

Automated theorem provers

Automatically prove goal, given assumptions Often like chess programs; try many options & guided by algorithm/heuristics Many let humans provide guiding “hints” Many good theorem provers for traditional FOL Harder to do as add theories or move to a HOL Annual CADE ATP System Competition (CASC) Uses subsets of TPTP Problem Library Example automated theorem provers for traditional FOL with equality: Prover9 (William McCune, University of New Mexico) (GPLv2). E theorem prover (aka “Eprover”) (Stephan Schulz, TU Munich) (GPLv2) Other examples of automated theorem provers: Princess: FOL, linear + integer arithmetic (no general multiplication) (GPLv3) gappa: Tool to analyze numerical calculation bounds (CeCILL or GPL) Uses interval arithmetic and forward error analysis to bound math expressions Generates a theorem and its proof for each verified enclosure Satallax: HOL (Church's simple type theory+ extensionality + choice) (MIT)

40

Prover9

Created by William McCune, University of New Mexico Descended from “Otter” prover Supports FOL with equality, plus list operations Approach: Starts with assumptions & negated goal Transitively generates all facts it can If it finds a contradiction, reports that chain as a proof Also supports: mace4 (tries to find counter-example) ivy - proof-checker (checks output—counters tool error)

41

Prover9 example – prove square root of 2 is irrational

formulas(assumptions). % Note: Universe = integers > 0, “forall” assumed

1*x = x. % identity

x*1 = x.

x*(y*z) = (x*y)*z. % associativity

x*y = y*x. % commutativity

(x*y = x*z) -> y = z. % cancellation (0 is not allowed, so x!=0).

% divides(x,y) true iff x divides y. E.G., divides(2,6) is true because 2*3=6.

divides(x,y) <-> (exists z x*z = y).

divides(2,x*y) -> (divides(2,x)

divides(2,y)). % If 2 divides x*y, it divides x or y. |

2 != 1. % Original author almost forgot this. Wheeler thinks needing it is a bug.

% Now, assert that we can have a rational fraction for sqrt(2), reduced

% to lowest terms (this will fail, and that's the point of the proof):

a*a = (2*(b*b)). % a/b = sqrt(2), so a^2 = 2 * b^2.

(x != 1) -> -(divides(x,a) & divides(x,b)). % a/b is in lowest terms

end_of_list. % Will show proof by contradiction.

42

Source: “The Seventeen Provers of the World” compiled by Freek Wiedijk. Otter/Ivy section. Original proof created by Larry Wos, Michael Beeson, and William McCune?. Heavily modified/simplified by David A. Wheeler. Note: Prover9 descends from “Otter”

Interactive theorem provers (proof assistants)

Humans enter symbol-manipulation commands to derive goals from assumptions Tend to support richer notations, e.g., rich theories and/or HOL and/or… But require expert human guidance proof in non-trivial cases Sample tools: PVS (by S. Owre, N. Shankar, & J. M. Rushby at SRI) LCF-style family (HOL 4, HOL Light, Isabelle/HOL) Coq (will discuss later)

43

PVS Example #1

mortality: THEORY

BEGIN

man: TYPE+ % The "+" means there's at least one man.

mortal(m: man): bool % Returns True if m is mortal.

% Socrates is a man.

Socrates: man

% All men are mortal.

all_men_mortal: AXIOM FORALL (m: man): mortal(m)

% Socrates is mortal.

socrates_mortal: CLAIM mortal(Socrates)

END mortality

44

In normal PVS use it'd be better

to omit the axiom and say:

mortal(m: man): bool = true

but this tries to stay close

to the traditional example.

Prove using: (rewrite "all_men_mortal") or (grind :rewrites ("all_men_mortal"))

PVS Example #2

Phone_4 : THEORY

BEGIN

N: TYPE % names

P: TYPE % phone numbers

B: TYPE = [N -> setof[P]] % phone books

VB: TYPE = {b:B | (FORALL (x,y:N): x /= y => disjoint?(b(x), b(y)))}

nm, x: VAR N

pn: VAR P

bk: VAR VB

FindPhone(bk,nm): setof[P] = bk(nm)

UnusedPhoneNum(bk,pn): bool = (FORALL nm: NOT member(pn, FindPhone(bk,nm)))

AddPhone(bk,nm,pn): VB =

IF UnusedPhoneNumb(bk,pn) THEN bk WITH [(nm) := add(pn, bk(nm))]

ELSE bk

ENDIF

…

45

Source: PhoneBook? Example, John Rushby

http://www.csl.sri.com/papers/wift-tutorial/

Logic for Computable Functions (LCF)-Style

Family of interactive theorem provers Based on concepts of LCF (Robin Milner et al 1972), which used general-purpose programming language ML to allow users to write theorem-proving tactics Library implements an abstract data type of proven theorems - new objects of this type can only be created using the functions which correspond to inference rules If these functions are correctly implemented, all theorems proven in the system must be valid Large system can be built on top of a small trusted kernel with “tactics” that automate many tasks Includes HOL 4, HOL Light, Isabelle/HOL Isabelle/HOL used to prove seL4 operating system kernel

46

Isabelle/HOL proved a microkernel

“In 2009, the L4.verified project at NICTA produced the first formal proof of functional correctness of a general-purpose operating system kernel: the seL4 (secure embedded L4) microkernel. The proof is constructed and checked in Isabelle/HOL and comprises over 200,000 lines of proof script to verify 8,700 lines of C and 600 lines of assembler. The verification covers code, design, and implementation, and the main theorem states that the C code correctly implements the formal specification of the kernel. The proof uncovered 160 bugs in the C code of the seL4 kernel, and about 150 issues in each of design and specification.”

Source: Gerwin Klein et al, "seL4: Formal verification of an OS kernel". 22nd ACM Symposium on Operating System Principles. October 2009

47

Isabelle/HOL sample

lemma prime-not-square:

p prime (k: 0 < k m * m ≠ p * (k * k))

apply (induct m rule: nat-less-induct)

apply clarify

apply (frule prime-dvd-other-side; assumption)

apply (erule dvdE)

apply (simp add: nat-mult-eq-cancel-disj prime-nonzero)

apply (blast dest: rearrange reduction)

done

48

Source: “The Seventeen Provers of the World”

compiled by Freek Wiedijk (Isabelle/HOL script version)

(great for comparing some prover notations!)

Coq

Proof assistant for a higher-order logic (HOL), developed in France Can define computational function in special language Coq’s spec language is called “Gallina” Coq can generate OCaml code from it Rich type system Uses “calculus of inductive constructions” (a HOL) Native support for inductive datatypes + “calculus of constructions” (a higher-order typed lambda calculus by Thierry Coquand from ~1986) Based on intuitionist logic (Brouwer et al) – must be able to construct. In intuitionist logic, “A ∨ ¬A” (law of excluded middle) is not an axiom. Can import “Classical” library 5 is an instance of the type “Z” (math integers) Specification is a type for a program If prove program of that type, then program meets spec Defines a large set of “tactics” Successes: Java Card EAL7 certified, CompCert C verified compiler Gerard P Huet won 2013 ACM Software System Award for Coq http://awards.acm.org/award_winners/huet_1246701.cfm

49

Coq example

Lemma foo : ∀n, ble_nat 0 n = true. (* ∀n : naturals, 0 ≤ n *) Proof. intros. destruct n. (* Leaves two subgoals, which are discharged identically... *) Case "n=0". simpl. reflexivity. Case "n=Sn'". simpl. reflexivity. Qed.

50

Source: Benjamin C. Pierce et al., “Software Foundations”

http://www.cis.upenn.edu/~bcpierce/sf/Imp.html

Boolean satisfiability (SAT) solvers

Boolean SAT solvers are automated tools that: Given predicate logic expressions (boolean variables, and, or, not)… Find variable assignments to make true OR report unsatisfiable Proven to be an NP-complete problem (first known example) Cook, S.A., 1971, “The complexity of theorem proving procedures”, Proceedings Third Annual ACM Symp. on the Theory of Computing, pp. 151-158 But multiple algorithm breakthroughs (e.g., Chaff in 2001) now make SAT solvers remarkably fast for most real problems Many good ones free & available as OSS Other tools can be built on these or their approaches Annual SAT competition; many use DIMACS CNF input format Sample tools: Chaff*, MiniSAT, Sat4j, PicoSAT, … (*=not OSS)

51

The rise of practical SAT solvers is a key technological breakthrough;

many tools have been rewritten to use SAT solvers.

DIMACS CNF format for Boolean SAT Solvers

Every propositional formula can be converted to conjunctive normal form (CNF): An expression = 1+ clauses connected by “AND” A clause = 1+ non-repeated terms connected with “OR” A term = A boolean variable, possibly negated DIMACS CNF represents CNF Line-oriented, initial c=comment First non-comment line is “problem”: p FORMAT #VARIABLES #CLAUSES Lines represent clauses with whitespace-separated terms (number=boolean term) For example, given this CNF expression:

(x1 | -x5 | x4) &

(-x1 | x5 | x3 | x4) &

(-x3 | x4).

Its DIMACS CNF form could be:

c Here is a comment.

p cnf 5 3

1 -5 4 0

-1 5 3 4 0

-3 -4 0

52

DIMACS=Center for

Discrete Mathematics &

Theoretical Computer Science,

an NSF S&T center

More info here:

ftp://dimacs.rutgers.edu/pub/ challenge/satisfiability/doc/

Satisfiability Modulo Theories (SMT) solvers

SMT solvers are also automated tools Given expressions in richer notation beyond predicate logic Typically FOL + “theories” (variables may be integers, reals, etc.) E.g., (x+y ≥ 0) ∧ (y > 0) is satisfiable with integers x=1,y=2 Reports satisfiable (“sat”) (maybe with satisfying variables) or “unsat” or “unknown” (e.g., ran out of time/memory) To determine if “X is always true”, supply “not X”… returns unsat Some can also provide proof (if can’t, how verify results?) Internally similar to SAT solvers, may be built on one Tools often theory-specific & restrict input language Less flexible & more efficient vs. general theorem provers Annual competition SMT-COMP, SMT-LIB input format Sample tools: CVC4 (successor to CVC3), alt-ergo, STP, OpenSMT, Z3, Yices* (*=not OSS)

53

SMT-LIB version 2 example (1 of 2)

> (set-logic QF_LIA) ; Basic arithmetic on integers

> (declare-fun x () Int) ; Functions x & y return Int

> (declare-fun y () Int)

> (assert (= (+ x (* 2 y)) 20)) ; Assert x+2*y = 20

> (assert (= (- x y) 2)) ; Assert x-y = 2

> (check-sat) ; Is this satisfiable?

sat ; Yes, it is.

> (get-value (x y)) ; What’s an example?

((x 8)(y 6)) ; Here’s one of many examples.

Source: David R. Cok, “The SMT-LIB v2 Language and Tools: A Tutorial”.

The “success” replies are omitted. The initial “>” is a prompt.

54

SMT-LIB version 2 example (2 of 2)

> (set-logic QF_UF)

> (declare-fun p () Bool)

> (declare-fun q () Bool)

> (declare-fun r () Bool)

> (assert (=> p q)) ; p -> q

> (assert (=> q r)) ; q -> r. This means p-> r.

> (assert (not (=> p r))) ; !(p -> r)

> (check-sat)

unsat ; Not possible given the previous assertions

Source: David R. Cok, “The SMT-LIB v2 Language and Tools: A Tutorial”

The “success” replies are omitted. The initial “>” is a prompt.

55

Model-checkers (aka property checkers)

Given a system model, exhaustively check if meets a given requirement Requirement is often narrow property, often temporal requirement System is represented as a finite-state machine (FSM) Exhaustively explore state (conceptually) Clever approaches orders-of-magnitude faster vs. brute force. E.g.: Symbolically represent FSM, e.g., using binary decision diagrams (BDDs) Abstraction (simplify system for this specific property) Bounded model checking - unroll FSM for fixed number of steps (build on SAT) Only shows true/false for that many steps!! Counterexample guided abstraction refinement (CEGAR) Pros: Fully automated & easy-to-use (compared to theorem-provers) Cons: Can quickly become infeasible & often limited to narrow properties Eventually state explosion can overwhelm clever optimizations Model-checkers (excluding code analysis – discuss separately): SPIN – verify distributed systems, Promela language (license probably not OSS) Gerard Holzmann created of SPIN, won 2001 ACM Software System Award DiVinE: Distributed execution, can accept C/C++ too (BSD 3-clause) Others include NuSMV 2 (LGPL 2.1)

56

A low-level data structure: Binary decision diagrams (BDDs)

BDD = data structure, can represent a Boolean function in compressed form

Can perform operations directly on BDDs Easily determine equivalence & combine boolean functions Variable order matters, heuristics help determine order Some tools use BDDs to compute in reasonable time Don Knuth: “one of the only really fundamental data structures that came out in the last twenty-five years”

57

Source: Images from Wikipedia. Key paper: Randal E. Bryant. "Graph-Based Algorithms for

Boolean Function Manipulation". IEEE Transactions on Computers, C-35(8):677–691, 1986 (widely cited)

Promela: Mars Pathfinder model

Promela = Notation of the SPIN model-checker Next slide shows Promela model of Mars Pathfinder scheduling algorithm (from SPIN source code) Explains recurring reset problem during mission on Mars Situation: High priority process that consumes data produced by a low priority process Data consumption and production happens under the protection of a mutex lock Mutex lock conflicts with the scheduling priorities, can deadlock the system if high() starts up while low() has the lock set This is called “priority inversion” Model has 12 reachable states in the full (non-reduced) state space - two of which are deadlock states

58

Promela: Mars Pathfinder example

mtype = { free, busy, idle, waiting, running };

show mtype h_state = idle;

show mtype l_state = idle;

show mtype mutex = free;

active proctype high() { /* can run any time */

end: do

:: h_state = waiting;

atomic { mutex == free -> mutex = busy };

h_state = running;

/* critical section - consume data */

atomic { h_state = idle; mutex = free }

od

}

active proctype low() provided (h_state == idle) { /* Note scheduling rule */

end: do

:: l_state = waiting;

atomic { mutex == free -> mutex = busy};

l_state = running;

/* critical section - produce data */

atomic { l_state = idle; mutex = free }

od

}

59

Source: SPIN source Version 6.2.5 (4 May 2013), file Test/pathfinder.pml

Abstract interpretation & symbolic execution

Abstract interpretation = sound approximation programs. I.E., a partial execution without performing all calculations In some definitions, must be based on monotonic functions over ordered sets E.G., track “is variable +, 0, or –”… that’s enough to determine signs from multiplication (without overflow) Symbolic execution = analyze program by tracking symbolic rather than actual values

60

So you want to prove that a program meets a specification…

61

So you want to prove that a program meets a specification…

Often must write program with that goal in mind Challenges: Pointers & threads Variable assignment can be handled, but complicates Loops can be handled, but complicates (loop invariants) Functional languages common (at least underneath), including Lisp, ML, OCaml, Haskell Various tools exist that can be used to do this Already seen tools that can prove programs, including PVS, HOL4, Isabelle/HOL, HOL Light, Coq Following are some tools (and notations) specifically for it E.g., ACL2, Toccata/ProVal (Why3), Frama-C + (Jessie or WP), JML (supported by many tools), SPARK, model-checking As with everything else here, omits much

62

ACL2

Automated theorem-prover (BSD 3-clause) But often must guide via lemmas (“waypoints”) Models programs in Lisp-based language Can be used to model other implementations & hardware Specializes in automatic proofs of recursive programs “Industrial strength” version of Boyer–Moore theorem prover NQTHM Given large set of proven patterns, repeatedly substitute Creators Robert S. Boyer, Matt Kaufmann, & J. Strother Moore won 2005 ACM Software System Award (began in Edinburgh, Scotland, later at University of Texas, Austin) Many successes, esp. hardware / microprocessor design (division, multiplication, etc.), proof of ivy

63

ACL2 examples (1 of 2)

(defun factorial (n) ; Trivial factorial implementation

(if (zp n)

1

(* n (factorial (- n 1)))))

(thm (> (factorial n) 0)) ; Prove that factorial always produces >0

; Prove that append is associative, that is, that

; (append (append xs ys) zs) equals (append xs (append ys zs))

(thm (equal (append (append xs ys) zs)

(append xs (append ys zs))))

Source: http://tryacl2.org/

64

ACL2 examples (2 of 2)

(defun rev (xs) ; Return list in reverse order

(if (endp xs) nil

(append (rev (rest xs)) (list (first xs)))))

(defthm rev-rev ; Prove reverse(reverse(x))=x

(implies (true-listp xs)

(equal (rev (rev xs)) xs)))

Source: http://tryacl2.org/

65

Toccata (née ProVal?) approach

66

Krakatoa with

Jessie

WP

JML-annotated

Java

ACSL-annotated C

Why3

Eprover

CVC4

Automated

provers

Interactive

provers

Coq

PVS

…

…

Why3 can compute goals needed to

prove the code implements spec.

Encodes to & manages tools to prove goals.

Alt-Ergo

Isabelle/HOL

Z3

SPARK 2014

tools

gappa

Annotated

SPARK Ada

Specialty prover

for floating point

WhyML? program + spec

…

veriT

WP has short-circuits

for alt-ergo & Coq

Jessie

Frama-C

…

Plug-ins

Why3 Proof Session Example

67

Source: “Why3: Shepherd Your Herd of Provers” by Bobot et al.

Java Modeling Language (JML) example

public class BankingExample?{

/*@ spec_public */ private Integer balance;

//@ invariant balance != null

//@ invariant 0 <= balance && balance <= MAX_BALANCE

//@ ensures this.balance = 0

public BankingExample { balance = 0; }

//@ requires amount != null

//@ requires 0 < amount && amount + balance < MAX_BALANCE

//@ modifies balance

//@ ensures this.balance = \old(this.balance) + amount

public void credit(Integer amount) {...}

}

68

Source: “Automated Program Verification” 2011,

https://courses.cs.washington.edu/courses/cse331/11wi/lectures/lect20-program-verification.pdf

Many tools support JML, both for dynamic (run-time) checking & formal proofs, including

Krakatoa (with Jessie/Why3), OpenJML?, KeY?, Sireum/Kiasan, TACO, ESC/Java2..

Okay to refer to private data

in publicly-viewable spec

JML uses Hoare-style preconditions, post-conditions, and invariants. JML supports the design by contract paradigm, & builds on ideas from Eiffel, Larch, & Refinement Calculus.

ACSL (C) example: Swap

* File swap.c:*

/*@ requires \valid(a) && \valid(b);

@ ensures A: *a == \old(*b) ;

@ ensures B: *b == \old(*a) ;

@ assigns *a,*b ;

@*/

void swap(int *a,int *b)

{

int tmp = *a ;

- a = *b ;
- b = tmp ;

return ;

}

69

Source: http://frama-c.com/wp.html

Precondition

Postconditions

ACSL = “ANSI/ISO C Specification Language”,

created for & used by Frama-C for C.

It’s inspired by the Java Modeling Language (JML)

used by many tools for Java.

ACSL (C) example: Binary search

/*@ requires n >= 0 && \valid (t+(0..n -1));

@ assigns \nothing ;

@ ensures -1 <= \result <= n -1;

@ behavior success:

@ ensures \result >= 0 ==> t[ \result ] == v;

@ behavior failure:

@ assumes t_is_sorted: \forall integer k1 , int k2;

@ 0 <= k1 <= k2 <= n -1 ==> t[k1] <= t[k2];

@ ensures \result == -1 ==>

@ \forall integer k; 0 <= k < n ==> t[k] != v;

@*/

int bsearch ( double t[], int n, double v) {

int l = 0, u = n -1;

/*@ loop invariant 0 <= l && u <= n -1;

@ for failure: loop invariant

@ \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;

@*/

while (l <= u ) {

int m = l + (u-l )/2; // better than (l+u)/2

if (t[m] < v) l = m + 1;

else if (t[m] > v) u = m - 1;

else return m;

}

return -1;

}

70

Source: Baudin et al, “ACSL: ANSI/ISO C Specification Language Version 1.6” Example 2.23

Jessie vs. WP

Same purpose & general approach Accept C+ACSL annotations, create proofs, apply weakest precondition (WP) approach, use Why/Why3 Different memory modeling of C in math Jessie uses separation predicates inspired by separation logic WP focuses on memory model parameterization Different implementation approach Jessie translates C directly into Why3’s language WP designed to cooperate with other Frama-C plug-ins such as the value analysis plug-in WP presumes there are no run-time errors (RTEs); use a separate plug-in (e.g., rte generation) to check for RTEs

71

Some key WP options

Memory model (how map C memory values to math) Hoare model: C variables mapped directly to logical variables. Very efficient, easy & concise proofs. Can’t use heap or pointer read/write Typed model*: Heap values stored in separated, one for each atomic type. Pointers are indexes into these arrays Bytes model: Heap is array of bytes, pointers are memory addresses. Very precise, but proof obligations hard to discharge automatically

“Use the simpler models whenever… possible, and [use] more involved models on the remaining more complex parts”

Arithmetics models (how to model C arithmetic in math) Natural Model*: Integer operations use mathematical integers Machine Integer Model: Integer operations performed modulo; proof obligations hard to discharge Real Model*: Floating-point operations have no rounding (unsound) Float Model: Floating-point operations are mathematical with rounding, consistent with IEEE. Most automated provers can’t handle; use gappa

72

- = Defaults of WP plug-in

Sample GUI: Frama-C and WP

73

Source: “WP 0.8” on Frama-C website

SPARK (Ada)

Designed for high-reliability applications Originally targeted at highly constrained run-time environments Pre-2014 version was subset/superset of Ada. Pre-2014 version: No dynamic memory allocation Until recently, no threads (has added Ravenscar) Adds specification language in comments Developed by Bernard Carré and Trevor Jennings; much done by Rod Chapman, principal engineer of Altran Exploits Ada’s subtyping to automate many proofs Ada’s strict typing & additional information on ranges makes proof automation easier than for some alternative implementation languages; often can enumerate all cases Speed of C, but its strong typing counters errors & simplifies proofs Successes reported, “Tokeneer” public, US lunar project “CubeSat” SPARK 2014 version changes & relaxes many restrictions Uses Ada 2012 aspect notation (instead of specially formatted comments) Integrates with testing - contracts be proved, or they can be compiled and executed as run-time assertations Bigger subset: Adds bounded types with dynamic bounds, recursion, etc. SPARK 2014 has switched to Why3/Toccata approach – multi-prover support

Source: http://www.spark-2014.org

74

SPARK 2014 Example Spec (1 of 2)

pragma SPARK_Mode;

package Search is

type Index is range 1 .. 10;

type Element is new Integer;

type Arr is array (Index) of Element;

type Search_Result (Found : Boolean := False) is record

case Found is

when True =>

At_Index : Index;

when False =>

null;

end case;

end record;

function Value_Found_In_Range(A : Arr;

Val : Element; Low, Up : Index) return Boolean

is (for some J in Low .. Up => A(J) = Val);

75

SPARK 2014 Example Spec (2 of 2)

function Linear_Search(A : Arr; Val : Element) return Search_Result

with

Pre => Val >= 0,

Post => (if Linear_Search'Result.Found then

A (Linear_Search'Result.At_Index) = Val),

Contract_Cases =>

(A(1) = Val =>

Linear_Search'Result.At_Index = 1,

A(1) /= Val and then Value_Found_In_Range (A, Val, 2, 10) =>

Linear_Search'Result.Found,

(for all J in Arr'Range => A(J) /= Val) =>

not Linear_Search'Result.Found);

end Search;

76

SPARK 2014 Example Body

pragma SPARK_Mode;

package body Search is

function Linear_Search(A : Arr; Val : Element) return Search_Result is

Pos : Index'Base := A'First;

Res : Search_Result;

begin

while Pos <= A'Last loop

if A(Pos) = Val then

Res := (Found => True, At_Index => Pos);

return Res;

end if;

pragma Loop_Invariant(Pos in A'Range and then not Value_Found_In_Range(A, Val, A'First, Pos));

pragma Loop_Variant (Increases => Pos);

Pos := Pos + 1;

end loop;

Res := (Found => False);

return Res;

end Linear_Search;

end Search;

77

Source for SPARK 2014 example: SPARK 2014 Tutorial,

http://docs.adacore.com/spark2014-docs/html/ug/tutorial.html

Some other toolsuites

Dafny (Microsoft Research) Programming language with built-in specification constructs Dafny verifier is run as part of the compiler to verify functional correctness Dafny compiler produces code for .NET platform Appears to be OSS: Dafny & underlying Boogie are Microsoft Public License; Z3 is MIT license KeY (http://www.key-project.org/) Proofs of Java programs annotated with JML OSS (GPL) OpenJML (http://jmlspecs.sourceforge.net/) Proofs of Java programs annotated with JML Translates into SMT-LIB format, passes to backend SMT solvers OSS (GPLv2) KIV system Specs can refine down to Java Proprietary, free for noncommercial use

78

Model-checking FM tools for programs (code analysis)

Model-checking can be applied to code, too: In practice, often limited to looking for specific properties/defects (e.g., TOCTOU, temp files) Approximations – can be sound (always finds problem under certain assumptions) but with false positives Java PathFinder (NASA) State software model checker for Java™ bytecode Weird NASA license MOPS – Analyze for very specific security vulnerabilities For C, has analyzed Linux kernel & even Linux distro! [Benjamin Schwarz et al, “Model Checking An Entire Linux Distribution for Security Violations” – 6 vulnerability patterns] DiVinE (BSD 3-clause; accepts C/C++, builds on LLVM) Other tools: BLAST, CPAchecker (Apache 2.0), Microsoft SLAM*, …

79

MOPS – Checking a Linux distribution

“Model Checking An Entire Linux Distribution for Security Violations” by Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison*, Jacob West*, Jeremy Lin, Wei Tu (*=Fortify, rest are UC Berkeley); ACSAC 2005 Did software model checking for security properties on big scale Entire Linux distro, 839 packages, 60 million LOC Discovered 108 exploitable bugs “MOPS errs on the conservative side: MOPS will catch all the bugs for a property (… it is sound, subject to certain requirements), but it [reports] spurious warnings.” Looked for: TOCTTOU (filesystem race), Standard File Descriptors, Temporary Files, strncpy (misuse), Chroot Jails, Format String

80

Abstract interpretation & symbolic execution

Example: Kestrell CodeHawk C Analyzer* Given targeted (critical) vulnerability types… Tries to mathematically prove the absence of those vulnerabilities in all relevant code, using abstract interpretation If cannot prove it, warning issued with remaining proof obligations GrammaTech CodeSonar* Has built-in set of (critical) vulnerability types Uses symbolic execution engine to explore program paths, reasoning about program variables & relations Dataflow analysis prunes infeasible program paths Procedure summaries are refined and compacted as-go

81

- Proprietary programs

Formalizing & verifying mathematical theorems (not code)

Mathematicians can make mistakes Euclidean geometry: Omission of Pasch's axiom went unnoticed for 2000 years Mathematicians normally “sketch” a proof without details We can formalize math itself so it’s mechanically proved at every step Freek Wiedijk has compiled info on several math formalization tools “Formalizing 100 theorems” lists tools used to formalize math, & some theorems they’ve formalized - http://www.cs.ru.nl/~freek/100/ “The Seventeen Provers of the World” demos 17 tools in more detail Many different tools Some tools for formalizing math can also prove programs/specs, e.g., HOL Light, Isabelle, Coq, ACL2 Some specialized for just math proofs, e.g., Mizar & Metamath Formalized math can sometimes be a basis for proving specs/programs

82

Mizar & Metamath (tools for formalizing math)

Mizar (proprietary program, OSS theorems) Notation designed to be similar to traditional math notation Publish a math journal focused on formalization Metamath (OSS programs, public domain theorems) – (I find this one intriguing!) Only 1 built-in logic rule (substitution), ability to define axioms & proofs Tiny kernel (can verify proofs with ~350 lines of Python) Very general logic system, can then specify axioms & proofs to build up from there Designed to be easier for non-mathematician (esp. computer-literate) to follow steps Founded on a Alfred Tarski formalization exactly equivalent to traditional textbook formalization, but without “proper substitution” and “free variable” (eases mechanization) Includes a modern “Principia Mathematica”-like set of proofs that’s easier to read than P.M. States a very few axioms (sets & logic), e.g., modus ponens Grows from there, e.g., proves basics about numbers & their properties Proves 2+2=4 in 10 steps, transitively uses 2,452 subtheorems & 25,933 steps http://us.metamath.org/mpegif/2p2e4.html You can learn a lot about math from its documentation! Esp. “Metamath” book and “Metamath Proof Explorer” http://us.metamath.org Both Mizar & Metamath’s set.mm use ZFC + Tarski’s axiom (for category theory) Both provide little automation for proof creation Don’t handle goal change well Makes them much less applicable to software, which does change But again, some of their math results may be useful in computing

83

General caveats when considering formal methods

Many approaches require significant math knowledge Education needed (comparable to engineers) Some exceptions (e.g., sometimes model-checking & abstract interpretation, where spec can be pre-canned) Typically must apply during development To reduce requirements ambiguity – need to apply when creating requirements All tools have limits – write so can easily apply to them Only proves what you ask (“it doesn’t answer questions you don’t ask”†) Only as good as their assumptions – are they justifiable?

84

† Credit: Paul E. Black, “A Brief Introduction to Formal Methods”

Current status of formal methods

Formal methods already useful & used in some circumstances Tool problems (often hard-to-use/outdated UI, lack of integration/standards, …) Handling scale – full “level 2” rigor historically small programs Can get larger by only applying at requirement level, analyzing models (e.g., design), just specialized properties, dropping soundness – useful! Improved algorithms, more CPU power, combining algorithms, OSS, & more research have potential for scaling up in future Hybrid approaches seem promising, e.g., the Toccata (ProVal) suite You’ve sampled some the FM notations/tools available, e.g.: Z, Alloy; Prover9, E theorem prover; Coq, HOL4, HOL Light, Isabelle/HOL, PVS; CVC4, alt-ergo; SPIN; ACL2, SPARK, Toccata (ProVal) Valuable for high-assurance security & in some cases today With potential for far larger applications Tools/techniques can be repurposed, e.g., to increase assurance

85

Open Proofs

86

What’s slowing FM maturation?

Much research & some use, but FM tools are often: Hard to install, hard to learn to use Hard to use, time-consuming, & don’t scale Poorly integrate with other tools/existing environments Need to mature FM if they’re to be broadly used Hard problem, relatively few research $ ... but decades? FM maturation hindered by “culture of secrecy” Details of FM use often unpublished, classified Details of FM tools (& the tools!) often unshared/lost Result (broadly stated): Researchers/toolmakers receive inadequate feedback From developers & other researchers/toolmakers Researchers/toolmakers waste time/$ rebuilding tools Educators difficulty explaining (esp. without examples) Developers don’t understand, uncertain value Evaluators/end-users don’t know what to look for

87

Over-generalized

Researchers/toolmakers need more than papers: LIMMAT to NANOSAT

Researchers/toolmakers suffer from lack of information

LIMMAT/NANOSAT developers: “From the publications alone, without access to the source code, various details were still unclear... what we did not realize, and which hardly could be deduced from the literature, was [an optimization] employed in GRASP and CHAFF [was critically important]... Only [when CHAFF's source code became available did] our unfortunate design decision became clear... The lesson learned is, that important details are often omitted in publications and can only be extracted from source code. It can be argued, that making source code of SAT solvers available is as important to the advancement of the field as publications”

- [Biere, “The Evolution from LIMMAT to NANOSAT”, Apr 2004]

88

Need: Working ecosystem

Researchers/Toolmakers/Educators Learn details from others (papers often inadequate) – share code!! Build on/experiment with existing tools (vs. rebuilding) Developers of implementations to be proved Learn from other developers Build on/experiment with proven systems/components Share issues with toolmakers (so tools can improve) Evaluators/End-users Evaluate evidence (determine adequacy, give feedback) Evaluate other systems based on this experience

89

Researchers/

Toolmakers/

Educators

Developers

Evaluators/

End-users

“Open proof” idea

“Open proof” (new term): Source code, proofs, and required tools: OSS Anyone can examine/critique, improve upon, collaborate with others for improvements Not just software, but what’s proved & tools Example for training, or as useful component Extends OSS idea for high assurance Enables legal collaboration Similar to mathematics field Method for speeding up tech transition Encourage/require government-funded results be open proofs By default – evaluate exceptions Application of “open access” applied broadly See: http://www.phdcomics.com/comics/archive.php?comicid=1533 Goal: Make supplier identity irrelevant Don’t need everything to be an open proof Examples & building blocks (inc. standards’ API)

90

Some open proofs

“Tokeneer” (SPARK Ada) seL4 microkernel (Isabelle/HOL) ACL2 library (ACL2)

More info:

91

Released under CC BY-SA 3.0

This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share — to copy, distribute and transmit the work to Remix — to adapt the work to make commercial use of the work Under the following conditions: Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work) Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one These conditions can be waived by permission from the copyright holder dwheeler at dwheeler dot com Details at: http://creativecommons.org/licenses/by-sa/3.0/ Attribute as “David A. Wheeler and the Institute for Defense Analyses”

92