Results 1 
9 of
9
Natural Proofs for Structure, Data, and Separation
"... We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely autom ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
(Show Context)
We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely automated reasoning, that provide sound but incomplete procedures, and that capture common reasoning tactics in program verification. We develop a dialect of separation logic over heaps, called Dryad, with recursive definitions that avoids explicit quantification. We develop ways to reason with heaplets using classical logic over the theory of sets, and develop natural proofs for reasoning using proof tactics involving disciplined unfoldings and formula abstractions. Natural proofs are encoded into decidable theories of firstorder logic so as to be discharged using SMT solvers. We also implement the technique and show that a large class of more than 100 correct programs that manipulate datastructures are amenable to full functional correctness using the proposed natural proof method. These programs are drawn from a variety of sources including standard datastructures, the SchorrWaite algorithm for garbage collection, a large number of lowlevel C routines from the Glib library and OpenBSD library, the Linux kernel, and routines from a secure verified OSbrowser project. Our work is the first that we know of that can handle such a wide range of full functional verification properties of heaps automatically, given pre/post and loop invariant annotations. We believe that this work paves the way for deductive verification technology to be used by programmers who do not (and need not) understand the internals of the underlying logic solvers, significantly increasing their applicability in building reliable systems.
Verifying security invariants in ExpressOS
 In ASPLOS
, 2013
"... Security for applications running on mobile devices is important. In this paper we present ExpressOS, a new OS for enabling highassurance applications to run on commodity mobile devices securely. Our main contributions are a new OS architecture and our use of formal methods for proving key security ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
Security for applications running on mobile devices is important. In this paper we present ExpressOS, a new OS for enabling highassurance applications to run on commodity mobile devices securely. Our main contributions are a new OS architecture and our use of formal methods for proving key security invariants about our implementation. In our use of formal methods, we focus solely on proving that our OS implements our security invariants correctly, rather than striving for full functional correctness, requiring significantly less verification effort while still proving the security relevant aspects of our system. We built ExpressOS, analyzed its security, and tested its performance. Our evaluation shows that the performance of ExpressOS is comparable to an Androidbased system. In one test, we ran the same web browser on ExpressOS and on an Androidbased system, and found that ExpressOS adds 16 % overhead on average to the page load latency time for nine popular web sites.
Accurate invariant checking for programs manipulating lists and arrays with infinite data
, 2011
"... Abstract. We propose a logicbased framework for automated reasoning about sequential programs manipulating singlylinked lists and arrays with unbounded data. We introduce the logic SLAD, which allows combining shape constraints, written in a fragment of Separation Logic, with data and size constra ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a logicbased framework for automated reasoning about sequential programs manipulating singlylinked lists and arrays with unbounded data. We introduce the logic SLAD, which allows combining shape constraints, written in a fragment of Separation Logic, with data and size constraints. We address the problem of checking the entailment between SLAD formulas, which is crucial in performing prepost condition reasoning. Although this problem is undecidable in general for SLAD, we propose a sound and powerful procedure that is able to solve this problem for a large class of formulas, beyond the capabilities of existing techniques and tools. We prove that this procedure is complete, i.e., it is actually a decision procedure for this problem, for an important fragment of SLAD including known decidable logics. We implemented this procedure and shown its preciseness and its efficiency on a significant benchmark of formulas. 1
Natural Proofs for Data Structure Manipulation in C using Separation Logic
"... The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking c ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
The natural proof technique for heap verification developed by Qiu et al. [32] provides a platform for powerful sound reasoning for specifications written in a dialect of separation logic called Dryad. Natural proofs are proof tactics that enable automated reasoning exploiting recursion, mimicking common patterns found in human proofs. However, these proofs are known to work only for a simple toy language [32]. In this work, we develop a framework called VCDRYAD that extends the VCC framework [9] to provide an automated deductive framework against separation logic specifications for C programs based on natural proofs. We develop several new techniques to build this framework, including (a) a novel tool architecture that allows encoding natural proofs at a higher level in order to use the existing VCC framework (including its intricate memory model, the underlying typechecker, and the SMTbased verification infrastructure), and (b) a synthesis of ghostcode annotations that captures natural proof tactics, in essence forcing VCC to find natural proofs using primarily decidable theories. We evaluate our tool extensively, on more than 150 programs, ranging from code manipulating standard data structures, wellknown open source library routines (Glib, OpenBSD), Linux kernel routines, customized OS data structures, etc. We show that all these C programs can be fully automatically verified using natural proofs (given pre/post conditions and loop invariants) without any userprovided proof tactics. VCDRYAD is perhaps the first deductive verification framework for heapmanipulating programs in a real language that can prove such a wide variety of programs automatically.
Compositional Invariant Checking for Overlaid and Nested Linked Lists
, 2012
"... Abstract. We introduce a fragment of separation logic, called NOLL, for automated reasoning about programs manipulating overlaid and nested linked lists, where overlaid means that the lists may share the same set of objects. The distinguishing features of NOLL are: (1) it is parametrized by a set of ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a fragment of separation logic, called NOLL, for automated reasoning about programs manipulating overlaid and nested linked lists, where overlaid means that the lists may share the same set of objects. The distinguishing features of NOLL are: (1) it is parametrized by a set of userdefined predicates specifying nested linked list segments, (2) a “perfield ” version of the separating conjunction allowing to share locations but not fields, and (3) it can express sharing constraints between list segments. We prove that checking the entailment between two NOLL formulas is coNP complete. For this result, the decision procedure for entailment is based on a small model property. We also provide an effective procedure for checking entailment in NOLL, which first constructs a Boolean abstraction of the two formulas, in order to infer all the implicit constraints, and then, it checks the existence of a homomorphism between the two formulas, viewed as graphs. We have implemented this procedure and applied it on verification conditions generated from several interesting case studies that manipulate overlaid and nested data structures. 1
Verification Condition Generation for Permission Logics with Abstract Predicates and Abstraction Functions
"... Abstract predicates are the primary abstraction mechanism for program logics based on access permissions, such as separation logic and implicit dynamic frames. In addition to abstract predicates, it is useful to also support classical abstraction functions, for instance, to encode sideeffectfree ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract predicates are the primary abstraction mechanism for program logics based on access permissions, such as separation logic and implicit dynamic frames. In addition to abstract predicates, it is useful to also support classical abstraction functions, for instance, to encode sideeffectfree methods of the program and use them in specifications. However, combining abstract predicates and abstraction functions in a verification condition generator leads to subtle interactions, which complicate reasoning about heap modifications. Such complications may compromise soundness or cause divergence of the prover in the context of predicates and abstraction functions in the verification condition generator Boogie. Our encoding is sound and handles recursion in a way that is suitable for automatic verification using SMT solvers. It is implemented in the automatic verifier Chalice.
Natural Proofs for Asynchronous Programs using AlmostSynchronous Reductions
"... We consider the problem of provably verifying that an asynchronous messagepassing system satisfies its local assertions. We present a novel reduction scheme for asynchronous eventdriven programs that finds almostsynchronous invariants — invariants consisting of global states where message buf ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
We consider the problem of provably verifying that an asynchronous messagepassing system satisfies its local assertions. We present a novel reduction scheme for asynchronous eventdriven programs that finds almostsynchronous invariants — invariants consisting of global states where message buffers are close to empty. The reduction finds almostsynchronous invariants and simultaneously argues that they cover all local states. We show that asynchronous programs often have almostsynchronous invariants and that we can exploit this to build natural proofs that they are correct. We implement our reduction strategy, which is sound and complete, and show that it is more effective in proving programs correct as well as more efficient in finding bugs in several programs, compared to current search strategies which almost always diverge. The high point of our experiments is that our technique can prove the Windows Phone USB Driver written in P [9] correct for the responsiveness property, which was hitherto not provable using stateoftheart modelcheckers.
Automating proofs of datastructure properties in imperative programs
 CoRR
"... We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterp ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
We consider the problem of automated reasoning about dynamically manipulated data structures. The stateoftheart methods are limited to the unfoldandmatch (U+M) paradigm, where predicates are transformed via (un)folding operations induced from their definitions before being treated as uninterpreted. However, proof obligations from verifying programs with iterative loops and multiple function calls often do not succumb to this paradigm. Our contribution is a proof method which – beyond U+M – performs automatic formula rewriting by treating previously encountered obligations in each proof path as possible induction hypotheses. This enables us, for the first time, to systematically reason about a wide range of obligations, arising from practical program verification. We demonstrate the power of our proof rules on commonly used lemmas, thereby close the remaining gaps in existing stateoftheart systems. Another impact, probably more important, is that our method regains the power of compositional reasoning, and shows that the usage of userprovided lemmas is no longer needed for the existing set of benchmarks. This not only removes the burden of coming up with the appropriate lemmas, but also significantly boosts up the verification process, since lemma applications, coupled with unfolding, often induce very large search space. 1.
AUTOMATIC TECHNIQUES FOR PROVING CORRECTNESS OF HEAPMANIPULATING PROGRAMS
, 2013
"... Reliability is critical for system software, such as OS kernels, mobile browsers, embedded systems and cloud systems. The correctness of these programs, especially for security, is highly desirable, as they should provide a trustworthy platform for higherlevel applications and the endusers. Unfor ..."
Abstract
 Add to MetaCart
(Show Context)
Reliability is critical for system software, such as OS kernels, mobile browsers, embedded systems and cloud systems. The correctness of these programs, especially for security, is highly desirable, as they should provide a trustworthy platform for higherlevel applications and the endusers. Unfortunately, due to its inherent complexity, the verification process of these programs is typically manual/semiautomatic, tedious, and painful. Automating the reasoning behind these verification tasks and decreasing the dependence on manual help is one of the greatest challenges in software verification. This dissertation presents two logicbased automatic software verification systems, namely Strand and Dryad, that help in the task of verification of heapmanipulating programs, which is one of the most complex aspects of modern software that eludes automatic verification. Strand is a logic that combines an expressive heaplogic with an arbitrary datalogic and admits several powerful decidable fragments. The general decision procedures can be used in not only proving programs correct but also in software analysis and testing. Dryad is a family of logics, including Dryadtree as a firstorder logic for trees and Dryadsep as a dialect of separation logic. Both the two logics are amenable to automated reasoning using the natural proof strategy, a radically new approach to software verification. Dryad and the natural proof techniques are so far the most efficient logicbased approach that can verify the full correctness of a wide variety of challenging programs, including a large number of programs from various opensource libraries. They hold promise of hatching the nextgeneration automatic verification techniques.