22 citations found.
D. L. Clutterbuck and B. A. Carre. The verification of low-level code. Software Engineering Journal, 3(3):97--111, May 1988.


This paper is cited in the following contexts:
Generating Decompilers - Breuer, Bowen (1998)

.... in the validation or verification of code in safety critical applications [5]. In this setting, compilers may be considered inherently untrustworthy and it is important that low level object code should be checked, because this is the code that actually directs the operation of the processor [13]. Using a validated decompiler to automate the production of readable high level code, which then can be independently validated, offers a route to greatly increased confidence in the correctness of the application software. In the industrial environment in particular, the hard evidence provided ....

D.L. Clutterbuck and B.A. Carré, The verification of low-level code, IEE/BCS Software Engineering Journal Vol 3 No 3 (1988) pp 97--111


Safety-Critical Systems, Formal Methods and Standards - Bowen, Stavridou (1993)   (11 citations)

....code itself. Thus in the past, software safety standards and directives have normally insisted that all software is written in assembler that can be transliterated almost directly into machine code. Since this is the actual code that is executed, this is the code that needs to be verified [29]. However, this simply shifts the burden of responsibility, since the programmer must ensure that the assembler program meets its specification, and this is more difficult than the equivalent process for a high level program. Nowadays, safety standards are recognizing that programmers can produce ....

CLUTTERBUCK, D.L., and CARRÉ, B.A.: `The verification of low-level code', Software Engineering Journal, May 1988, 3, (3), pp. 97--111


Automated Proofs of Object Code for a Widely Used Microprocessor - Yu (1992)   (20 citations)

....asserting the contents of the program segment. Hand proofs of a few very simple machine code programs executed on toy hardware were given there. Maurer [36] later developed an IBM 370 assembly language verifier, and used it to verify some simple programs such as GCD. Clutterbuck and Carré in [13] argued for the importance of the verification of low level code, and, in a separate paper [26] reported their effort to analyze and verify the LUCOL assembly code modules used in the fuel control unit of the Rolls-Royce RB211-524G jet engine designed for Boeing 747-400. Like most work on ....

D.L. Clutterbuck and B.A. Carré. The verification of low-level code. IEE Software Engineering Journal, May 1988.


Automated Proofs of Object Code for a Widely Used Microprocessor - Boyer, Yu (1996)   (25 citations)

....correctness address the machine code level for actually fabricated processors. To the best of our knowledge, Maurer [20, 19] was the first to consider the verification, with an automated reasoning system, of machine code programs for a fabricated microprocessor. Subsequently, Clutterbuck and Carré [8] argued for the importance of the verification of low level code, and, in a separate paper [15] reported their effort to analyze and verify the LUCOL assembly code modules used in the fuel control unit of the Rolls-Royce RB211-524G jet engine designed for Boeing 747-400. Like most work on ....

D.L. Clutterbuck and B.A. Carré. The verification of low-level code. IEE Software Engineering Journal, May 1988.


The Code Validation Tool (CVT) - Automatic verification .. - Pnueli, Shtrichman..

....from verified validated specifications, has failed in the past due to the lack of technology which could convincingly demonstrate to certification authorities the correctness of the generated code. Although there are many examples of compiler verification in the literature (see, for example, [1][2][3] and [4]) the formal verification of industrial code generators is generally prohibitive due to their size. Another problem with compiler verification is that the formal verification freezes their designs, as each change to the code generators nullifies their previous correctness proof. ....

D.L. Clutterbuck and B.A. Carre. The verification of low-level code. Software Engineering Journal, pages 97-111, 1998.


Translation Validation: From SIGNAL to C - Pnueli, Shtrichman, Siegel (1999)   (1 citation)

.... research was done as part of the ESPRIT project SACRES and was supported in part by the Minerva Foundation and an infrastructure grant from the Israeli Ministry of Science and Art. Preliminary versions of some parts of this paper were published before in [17], [19] and [20]. .... (see, for example, [5, 9, 10, 15, 12, 11, 14, 13]) the formal verification of industrial code generators is generally prohibitive due to their size. Another problem with compiler verification is that the formal verification freezes the design and evolution of the compiler, as each change to the code generators nullifies their previous ....

D.L. Clutterbuck and B.A. Carre. The verification of low-level code. Software Engineering Journal, pages 97--111, 1998.


The Verified Compilation of Vista Programs - Curzon (1994)   (7 citations)

....must be correct. Proving that the source program satisfies a specification is not sufficient. We really wish to know that the object code satisfies the specification. Formally verified object code can be obtained in several ways. The low level version of the program can be validated directly [4]. A high level version of the program can be formally verified and then shown to be equivalent to the low level code in a one off proof [2]. Object code can be decompiled to a high level version, and verification performed on the resulting program [7] [1]. The compiler can be formally verified. ....

D.L. Clutterbuck and B.A. Carré. The verification of low level code. Software Engineering Journal, pages 97--111, May 1988.


Automated Proofs of Object Code for a Widely Used Microprocessor - Yu (1992)   (20 citations)

....asserting the contents of the program segment. Hand proofs of a few very simple machine code programs executed on toy hardware were given there. Maurer [35] later developed an IBM 370 assembly language verifier, and used it to verify some simple programs such as GCD. Clutterbuck and Carré in [12] argued for the importance of the verification of low level code, and, in a separate paper [25] reported their effort to analyze and verify the LUCOL assembly code modules used in the fuel control unit of the Rolls-Royce RB211-524G jet engine designed for Boeing 747-400. Like most work on ....

D.L. Clutterbuck and B.A. Carré. The verification of low-level code. IEE Software Engineering Journal, May 1988.


A Verified Vista Implementation - Curzon (1993)   (2 citations)

....to verify IBM 370 code and code for the Litton C4000 airborne computer. Lamb also used it in his Intel 8080 Assembly Language Verifier [36]. More recently it has been embodied in the SPADE verification environment. SPADE has been used in the verification of assembly code for the Intel 8080 [11], and also of Z8002 code used in the fuel control unit of the RB211-524G jet engine [43]. Verification of bit level code has typically been based around an operational semantics of the host machine and the use of formal symbolic simulation techniques. MCS was an early system which took this ....

D. L. Clutterbuck and B. A. Carré. The verification of low level code. Software Engineering Journal, pages 97--111, May 1988.


Symbolic Safety Analysis of Memory Accesses Within Loops - Christopher

.... approach of Proof Carrying Code (PCC) [26] which suggests that a program be shipped with a proof of safety: essentially the set of loop invariants along with the proofs of the particular implication propositions needed for an automatic Floyd style verification of that program [12, 13, 20] as in [4, 5]. An advantage of this technique is that after the overhead of verification, the program executes with no run time penalty at all. A disadvantage is that the program must be supplied with the certification. Also, if the safety policy ever changes, this certification must also change; thus it is ....

D. L. Clutterbuck and B. A. Carré. The verification of low-level code. IEE/BCS Software Engineering Journal, 3(3):97--111, May 1988.


Generating Decompilers - Breuer, Bowen (1992)

.... in the validation or verification of code in safety critical applications [5]. In this setting, compilers may be considered inherently untrustworthy and it is important that low level object code should be checked, because this is the code that actually directs the operation of the processor [13]. Using a validated decompiler to automate the production of readable high level code, which then can be independently validated, offers a route to greatly increased confidence in the correctness of the application software. In the industrial environment in particular, the hard evidence provided ....

D.L. Clutterbuck and B.A. Carré, The verification of low-level code, IEE/BCS Software Engineering Journal Vol 3 No 3 (1988) pp 97--111


Proof-Carrying Code - Necula, Lee (1996)   (549 citations)

....exist for building such proofs. Our technique is based on Floyd's verification conditions [6] because they are powerful enough to deal with unstructured assembly language programs and a broad range of safety invariants. Similar techniques have been used before to verify assembly language programs [2, 3]. Certification of programs involves two steps: 1. Compute the safety predicate for the program. This essentially encodes the semantic meaning of the program in logical form and constitutes a formal statement that the program, when executed, will not violate any typing assertions. 2. Generate a ....

....to use standard verification techniques to check type safety at the assembly language level. This is important for certifying extensions to safe programming languages and as a main building block in constructing certifying compilers. Similar techniques have been applied to assembly language before [2, 3] but neither as a basis for creating safety proofs nor for checking type safety. We show an encoding of safety proofs as first order logic derivations in LF. Our contribution in this area is to identify a fragment of LF which is both sufficient for many applications of PCC and also admits a simple ....

Clutterbuck, D., and Carré, B. The verification of low-level code. IEEE Software Engineering Journal 3, 3 (May 1988), 97--111.


Proof-Carrying Code - Necula (1997)   (549 citations)

....use standard verification techniques to check type safety at the assembly language level. This is important for certifying extensions to safe programming languages and as a main building block in constructing certifying compilers. Similar techniques have been applied to assembly language before [2, 3] but neither as a basis for creating safety proofs nor for checking type safety. We show an encoding of safety proofs as first order logic derivations in LF. Our contribution in this area is to identify a fragment of LF which is both sufficient for many applications of PCC and also admits a simple ....

Clutterbuck, D., and Carré, B. The verification of low-level code. IEEE Software Engineering Journal 3, 3 (May 1988), 97--111.


Of What Use is a Verified Compiler Specification? - Curzon (1992)   (1 citation)

....to verify IBM 370 code and code for the Litton C4000 airborne computer. Lamb also used it in his Intel 8080 Assembly Language Verifier [24]. More recently it has been embodied in the SPADE verification environment. SPADE has been used in the verification of assembly code for the Intel 8080 [10], and also of Z8002 code used in the fuel control unit of the RB211-524G jet engine [29]. Verification of bit level code has typically been based around an operational semantics of the host machine and the use of formal symbolic simulation techniques. MCS was an early system which took this ....

D. L. Clutterbuck and B. A. Carré. The verification of low level code. Software Engineering Journal, pages 97--111, 1988.


Safe Kernel Extensions Without Run-Time Checking - Necula, Lee (1996)   (254 citations)

....exist for building such proofs. Our technique is based on Floyd's verification conditions [6] because they are powerful enough to deal with unstructured assembly language programs and a broad range of safety invariants. Similar techniques have been used before to verify assembly language programs [2, 3]. Certification of programs involves two steps: 1. Compute the safety predicate for the program. This essentially encodes the semantic meaning of the program in logical form and constitutes a formal statement that the program, when executed, will not violate any safety checks. 2. Generate a proof ....

Clutterbuck, D., and Carré, B. The verification of low-level code. IEEE Software Engineering Journal 3, 3 (May 1988), 97--111.


Generating Decompilers - Breuer, Bowen (1998)

.... in the validation or verification of code in safety-critical applications [7]. In this setting, compilers may be considered inherently untrustworthy and it is important that low level object code should be checked, because this is the code that actually directs the operation of the processor [20]. Using a validated decompiler to automate the production of readable high level code, which then can be independently validated, offers a route to greatly increased confidence in the correctness of critical application code. In the industrial environment in particular, the hard evidence provided ....

D.L. Clutterbuck and B.A. Carre, The verification of low-level code, IEE/BCS Software Engineering Journal Vol 3 No 3 (1988) pp 97--111


Decompilation: The Enumeration of Types and Grammars - Breuer, Bowen (1992)   (4 citations)

.... maintenance process (e.g. see [37]) or in the verification of compiled object code, which is regarded as particularly important for safety critical systems [9]. Since the object code is the actual code running on the computer, it is desirable to verify this rather than just the high level code [14]. A high level representation also helps in checking its consistency with the original high-level code. Decompilation has already been used for this reason by NASA for the space shuttle [33] and by the UK nuclear industry [32]. Fortunately, because of safety considerations, such systems tend not to ....

D.L. Clutterbuck and B.A. Carré, The verification of low-level code, BCS/IEE Software Engineering Journal 3(3), 97--111, 1988.


Experiences with Proof in a Formal Development - Clutterbuck, Bicarregui.. (1996)   (1 citation)  Self-citation (Clutterbuck)

....simple tool when compared to a high level language compiler. These features are clearly important for the licensing of safety critical software based systems. For some years PVL has been carrying out proofs of correctness of sections of assembly code programs used in safety critical applications [6, 15] using the SPADE Proof Checker (footnote 5). (Footnote 4: LUCOL is a registered trademark of Lucas Industries plc.) This work is often retrospective and whilst successful, further benefits may be achieved with more extensive application of formal methods. Improvement in our ability to specify, formally develop ....

Clutterbuck, D.L. and Carré, B. A., The Verification of Low-level Code. IEE Software Engineering Journal, May 1988.


Symbolic Interpretation of Legacy Assembly Language - Jacques Carette Pulak

No context found.

D. L. Clutterbuck and B. A. Carre. The verification of low-level code. Software Engineering Journal, 3(3):97--111, May 1988.


Automated Correctness Proofs of Machine Code Programs for a.. - Boyer, Yu (1992)   (23 citations)

No context found.

D.L. Clutterbuck and B.A. Carré. The verification of low-level code. IEE Software Engineering Journal, May 1988.


CiteSeer.IST - Copyright Penn State and NEC