Leonor Nieto - Academia.edu
Papers by Leonor Nieto
Proceedings of the 2004 ACM workshop on Formal methods in security engineering - FMSE '04, 2004
Information flow type systems provide an elegant means to enforce confidentiality of programs. Using the proof assistant Isabelle/HOL, we have machine-checked a recent work of Boudol and Castellani [BC02], which defines an information flow type system for ...
Lecture Notes in Computer Science, 2003
We present the formalization of the rely-guarantee method in the theorem prover Isabelle/HOL. This method consists of a Hoare-like system of rules to verify concurrent imperative programs with shared variables in a compositional way. Syntax, semantics and proof rules are defined in higher-order logic. Soundness of the proof rules w.r.t. the semantics is proven mechanically. Also parameterized programs, where the number of parallel components is a parameter, are included in the programming language and thus can be verified directly in the system. We prove that the system is complete for parameterized programs. Finally, we show by an example how the formalization can be used for verifying concrete programs.
In the following theories a formalization of the Owicki-Gries and the rely-guarantee methods is presented. These methods are widely used for correctness proofs of parallel imperative programs with shared variables. We define syntax, semantics and proof rules in Isabelle/HOL. The proof rules also provide for programs parameterized in the number of parallel components. Their correctness w.r.t.
International Parallel and Distributed Processing Symposium/International Parallel Processing Symposium, 2001
Journal of Computer Security, 2007
Information flow type systems provide an elegant means to enforce confidentiality of programs. Using the proof assistant Isabelle/HOL, we have specified an information flow type system for a concurrent language featuring primitives for scheduling, and shown that typable programs are non-interfering for a possibilistic notion of non-interference. The development, which constitutes to our best knowledge the first machine-checked account of non-interference for a concurrent language, takes advantage of the proof assistant facilities to structure the proofs about different views of the programming language and to identify the relationships among them and the type system.
... Study on Clock Synchronization. Pascal Fontaine, Kamal Gupta, Jean-Yves Marion, Stephan Merz, Leonor Prensa Nieto and Alwen Tiu ... Proof assistants usually give a high level of confidence in their results, by using a well-defined and small kernel that checks all proofs. ...
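The abstract above (like the FMSE '04 entry earlier on this page) is about type systems whose typable programs are guaranteed non-interfering. As an added illustration, not code from the paper or its Isabelle development: a two-level security type system in the classic Volpano/Smith style for a small while-language, a small-step semantics, and a brute-force oracle that checks possibilistic non-interference by enumerating every interleaving of a thread pool. The programs, variable names and initial states are constructed for the example; the paper's own type system additionally handles scheduling primitives and is not reproduced here.

```python
"""Security-typed while-language with two levels (L < H) and a brute-force
possibilistic non-interference oracle over all interleavings of a thread pool.
Added illustration in the classic Volpano/Smith style; not the paper's system."""

L, H = "L", "H"
RANK = {L: 0, H: 1}

def lub(a, b):
    return a if RANK[a] >= RANK[b] else b

# Expressions: ("const", n) | ("var", x) | ("binop", op, e1, e2)
# Commands:    ("skip",) | ("assign", x, e) | ("seq", c1, c2)
#              | ("if", e, c1, c2) | ("while", e, c)

def expr_level(e, env):
    if e[0] == "const":
        return L
    if e[0] == "var":
        return env[e[1]]
    return lub(expr_level(e[2], env), expr_level(e[3], env))

def typecheck(c, env, pc=L):
    """True iff c is typable: every assignment x := e must satisfy
    lub(pc, level(e)) <= level(x); pc is the level of the enclosing guards,
    which is what rules out implicit flows through if/while."""
    kind = c[0]
    if kind == "skip":
        return True
    if kind == "assign":
        return RANK[lub(pc, expr_level(c[2], env))] <= RANK[env[c[1]]]
    if kind == "seq":
        return typecheck(c[1], env, pc) and typecheck(c[2], env, pc)
    guard_pc = lub(pc, expr_level(c[1], env))
    if kind == "if":
        return typecheck(c[2], env, guard_pc) and typecheck(c[3], env, guard_pc)
    if kind == "while":
        return typecheck(c[2], env, guard_pc)
    raise ValueError(kind)

def eval_expr(e, s):
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        return s[e[1]]
    a, b = eval_expr(e[2], s), eval_expr(e[3], s)
    return {"+": a + b, "-": a - b, ">": int(a > b), "==": int(a == b)}[e[1]]

def step(c, s):
    """One small step of a single thread; None once the thread has terminated."""
    kind = c[0]
    if kind == "skip":
        return None
    if kind == "assign":
        s2 = dict(s)
        s2[c[1]] = eval_expr(c[2], s)
        return ("skip",), s2
    if kind == "seq":
        if c[1] == ("skip",):
            return c[2], s
        c1, s2 = step(c[1], s)
        return ("seq", c1, c[2]), s2
    if kind == "if":
        return (c[2] if eval_expr(c[1], s) else c[3]), s
    if kind == "while":
        return (("seq", c[2], c) if eval_expr(c[1], s) else ("skip",)), s
    raise ValueError(kind)

def low_finals(threads, s, low_vars):
    """Low projections of every final state reachable under some interleaving.
    Explores the state graph exhaustively; assumes all runs terminate."""
    finals, seen = set(), set()
    stack = [(tuple(threads), tuple(sorted(s.items())))]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        ths, st = node
        s_cur = dict(st)
        if all(t == ("skip",) for t in ths):
            finals.add(tuple((x, s_cur[x]) for x in sorted(low_vars)))
            continue
        for i, t in enumerate(ths):
            r = step(t, s_cur)
            if r is not None:
                t2, s2 = r
                stack.append((ths[:i] + (t2,) + ths[i + 1:], tuple(sorted(s2.items()))))
    return finals

def possibilistic_ni(threads, env, s1, s2):
    """Possibilistic non-interference for one pair of low-equivalent initial
    states: both must reach exactly the same set of low final states."""
    low = [x for x, lv in env.items() if lv == L]
    if any(s1[x] != s2[x] for x in low):
        raise ValueError("initial states must agree on low variables")
    return low_finals(threads, s1, low) == low_finals(threads, s2, low)

# Constructed programs over l : L and h : H (made up for this example).
ENV = {"l": L, "h": H}
H_POS = ("binop", ">", ("var", "h"), ("const", 0))
EXPLICIT = ("assign", "l", ("var", "h"))                   # l := h
IMPLICIT = ("if", H_POS, ("assign", "l", ("const", 1)),   # if h > 0 then l := 1
            ("assign", "l", ("const", 0)))                #            else l := 0
SAFE = ("seq", ("assign", "h", ("binop", "+", ("var", "l"), ("const", 1))),
               ("assign", "l", ("binop", "+", ("var", "l"), ("const", 1))))
HIGH_LOOP_THEN_LOW = ("seq", ("while", H_POS, ("assign", "h", ("binop", "-", ("var", "h"), ("const", 1)))),
                             ("assign", "l", ("const", 1)))
RACER = ("assign", "l", ("const", 2))
S_H0, S_H1 = {"l": 0, "h": 0}, {"l": 0, "h": 1}

def report():
    """(typable, possibilistic NI) per constructed case."""
    cases = {"explicit": [EXPLICIT], "implicit": [IMPLICIT], "safe": [SAFE],
             "high_loop_race": [HIGH_LOOP_THEN_LOW, RACER]}
    return {name: (all(typecheck(t, ENV) for t in ths),
                   possibilistic_ni(ths, ENV, S_H0, S_H1))
            for name, ths in cases.items()}

if __name__ == "__main__":
    for name, (typable, ni) in report().items():
        print(f"{name:15s} typable={typable!s:5s} possibilistic NI={ni}")
```

The explicit and implicit flows are rejected by the type checker and fail the oracle; the last case, a high-guarded loop followed by a low assignment racing with another thread, is typable and passes the possibilistic check because both final values of `l` are reachable whatever `h` is. The loop's running time still depends on `h`, which is exactly the kind of timing leak a possibilistic notion does not see, and why the paper's setting with explicit scheduling primitives matters.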
Mathematical Foundations of Computer Science, 2000
Using a formalization of the Owicki-Gries method in the theorem prover Isabelle/HOL, we obtain mechanized correctness proofs for two incremental garbage collection algorithms, the second one parametric in the number of mutators. The Owicki-Gries method allows to reason directly on the program code; it also splits the proof into many small goals, most of which are very simple, and can
Fundamental Approaches to Software Engineering, 1999
We present a formalization of the Gries/Owicki method for correctness proofs of concurrent imperative programs with shared variables in the theorem prover Isabelle/HOL. Syntax, semantics and proof rules are defined in higher-order logic. The correctness of the proof rules w.r.t. the semantics is proved. The verification of some typical example programs like producer/consumer is presented.
... Further, I thank the (not yet mentioned) members and guests of the Isabelle working group and office mates Christine Röckl, John Harrison, Wolfgang Naraschewski, Stefan Berghofer, Bernd Grobauer, Gertrud Bauer, Gerwin Klein, Sebastian Skalberg, Martin Strecker, Norbert ...
European Symposium on Programming, 2003
We present the formalization of the rely-guarantee method in the theorem prover Isabelle/HOL. This method consists of a Hoare-like system of rules to verify concurrent imperative programs with shared variables in a compositional way. Syntax, semantics and proof rules are defined in higher-order logic. Soundness of the proof rules w.r.t. the semantics is proven mechanically. Also parameterized programs, where the number of parallel components is a parameter, are included in the programming language and thus can be verified directly in the system. We prove that the system is complete for parameterized programs. Finally, we show by an example how the formalization can be used for verifying concrete programs.
Electronic Notes in Theoretical Computer Science, 2006
We report on an experiment in combining the theorem prover Isabelle with automatic first-order arithmetic provers to increase automation on the verification of distributed protocols. As a case study for the experiment we verify several averaging clock synchronization algorithms. We present a formalization of Schneider's generalized clock synchronization protocol [Schneider, F. B., Understanding protocols for Byzantine clock synchronization, Technical Report TR 87-859, Cornell University (1987)] in Isabelle/HOL. Then, we verify that the convergence functions used in two clock synchronization algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith [Lamport, L. and P. M. Melliar-Smith, Synchronizing clocks in the presence of faults, J. ACM 32 (1985), pp. 52-78] and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch [Lundelius, J. and N. Lynch, A new fault-tolerant algorithm for clock synchronization, in: Proceedings of PODC '84 (1984), pp. 75-88], satisfy Schneider's general conditions for correctness. The proofs are completely formalized in Isabelle/HOL. We identify the parts of the proofs which are not fully automatically proven by Isabelle built-in tactics and show that these proofs can be handled by automatic first-order provers with support for arithmetic like ICS and CVC Lite.
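As an added illustration (not the paper's Isabelle formalization, and not data from it): the two convergence functions named above in their textbook form, together with executable checks of two of Schneider's generic conditions, translation invariance and precision enhancement, on a constructed scenario in which one Byzantine clock reports different values to different nodes. The readings, the ICA threshold `delta` and the fault bound `f` are made-up values.

```python
"""Two averaging convergence functions from the clock-synchronization literature,
in textbook form, plus checks of two of Schneider's generic conditions on a
constructed Byzantine scenario.  Added illustration, not the paper's development."""

def fault_tolerant_midpoint(readings, f):
    """Lundelius-Lynch: drop the f smallest and f largest readings and return
    the midpoint of the remaining extremes.  Needs more than 2f readings."""
    if len(readings) <= 2 * f:
        raise ValueError("need more than 2f readings to tolerate f faults")
    kept = sorted(readings)[f:len(readings) - f]
    return (kept[0] + kept[-1]) / 2

def interactive_convergence(own, readings, delta):
    """Lamport/Melliar-Smith ICA (egocentric average): a reading farther than
    delta from this node's own clock is replaced by the own value, then all
    readings (own included) are averaged."""
    adjusted = [r if abs(r - own) <= delta else own for r in readings]
    return sum(adjusted) / len(adjusted)

def translation_invariant(cfn, readings, shift, eps=1e-9):
    """Schneider's translation invariance: shifting every reading by t must
    shift the function's result by exactly t."""
    shifted = [r + shift for r in readings]
    return abs(cfn(shifted) - (cfn(readings) + shift)) < eps

def spread(values):
    return max(values) - min(values)

# Constructed scenario (made up for this example): four correct clocks and one
# Byzantine clock that reports 150 to two of them and 40 to the other two.
# Each node's view lists its own reading first.
CORRECT = [100.0, 101.0, 103.0, 99.0]
VIEWS = {own: [own] + [c for c in CORRECT if c != own]
              + [150.0 if own in (100.0, 101.0) else 40.0]
         for own in CORRECT}

def round_spreads(delta=5.0, f=1):
    """Spread of the correct clocks before the round, and after each node applies
    a convergence function to its own view (precision enhancement: the spread
    among correct nodes must shrink despite the two-faced faulty clock)."""
    mid = [fault_tolerant_midpoint(view, f) for view in VIEWS.values()]
    ica = [interactive_convergence(own, view, delta) for own, view in VIEWS.items()]
    return {"before": spread(CORRECT), "midpoint": spread(mid), "ica": spread(ica)}

if __name__ == "__main__":
    print(round_spreads())
    print(translation_invariant(lambda v: fault_tolerant_midpoint(v, 1), VIEWS[100.0], 7.0))
    print(translation_invariant(lambda v: interactive_convergence(v[0], v, 5.0), VIEWS[100.0], 7.0))
```

With these numbers the correct clocks start 4 time units apart; after one round they are 1.5 apart under the fault-tolerant midpoint and 0.8 apart under ICA, even though the faulty clock lied differently to different nodes. The `len(readings) <= 2 * f` guard is the practical check worth keeping: with too few readings the trimming step can discard every correct value.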
Lecture Notes in Computer Science, 2000
Using a formalization of the Owicki-Gries method in the theorem prover Isabelle/HOL, we obtain mechanized correctness proofs for two incremental garbage collection algorithms, the second one parametric in the number of mutators. The Owicki-Gries method allows to reason directly on the program code; it also splits the proof into many small goals, most of which are very simple, and can
Lecture Notes in Computer Science, 2006
Formal system development needs expressive specification languages, but also calls for highly automated tools. These two goals are not easy to reconcile, especially if one also aims at high assurances for correctness. In this paper, we describe a combination of Isabelle/HOL with a proof-producing SMT (Satisfiability Modulo Theories) solver that contains a SAT engine and a decision procedure for quantifier-free first-order logic with equality. As a result, a user benefits from the expressiveness of Isabelle/HOL when modeling a system, but obtains much better automation for those fragments of the proofs that fall within the scope of the (automatic) SMT solver. Soundness is not compromised because all proofs are submitted to the trusted kernel of Isabelle for certification. This architecture is straightforward to extend for other interactive proof assistants and proof-producing reasoners.
Tools and Algorithms for Construction and Analysis of Systems, 2006
Formal system development needs expressive specification languages, but also calls for highly automated tools. These two goals are not easy to reconcile, especially if one also aims at high assurances for correctness. In this paper, we describe a combination of Isabelle/HOL with a proof-producing SMT (Satisfiability Modulo Theories) solver that contains a SAT engine and a decision procedure for quantifier-free first-order logic with equality. As a result, a user benefits from the expressiveness of Isabelle/HOL when modeling a system, but obtains much better automation for those fragments of the proofs that fall within the scope of the (automatic) SMT solver. Soundness is not compromised because all proofs are submitted to the trusted kernel of Isabelle for certification. This architecture is straightforward to extend for other interactive proof assistants and proof-producing reasoners.
ACM Conference on Computer and Communications Security, 2004
Information flow type systems provide an elegant means to enforce confidentiality of programs. Using the proof assistant Isabelle/HOL, we have machine-checked a recent work of Boudol and Castellani [BC02], which defines an information flow type system for ...
Allergy, 2005
Background: Mechanisms underlying cough and bronchoconstriction in patients with cough-variant asthma (CVA) are not well established. Differences in location or degree of activation of eosinophils and allergic cytokines have been suggested as the likely causes. To address this issue, we have carried out a comparative study of airway inflammatory markers between patients with CVA and classic asthma (CA). The relationship between these markers with airway hyperresponsiveness (AHR) and cough sensitivity has also been studied. Methods: Twenty-seven non-smokers and steroid-naive patients with CVA (12) and CA (15) were examined. Capsaicin challenge, histamine bronchoprovocation test, nitric oxide levels in exhaled air and sputum induction were performed in all of them. Differential cell sputum recount and supernatant concentrations of eosinophil granule-derived cationic proteins (ECP), interleukin (IL)-5, IL-8 and tumour necrosis factor (TNF)-α were also measured. Results: There were no significant differences in either the inflammatory pattern of soluble markers or differential cell counts between CA and CVA. Histamine PC20 was correlated with IL-5 in CVA, whereas it was associated with sputum eosinophilia in CA. Cough sensitivity (log C5) and histamine PC20 were inversely related in CA. Conclusions: Although the pattern of inflammatory sputum markers in patients with asthma and cough-variant asthma is similar, its relation with bronchial hyperreactivity and cough sensitivity is different in each group.