Simão Melo de Sousa | Universidade da Beira Interior
Papers by Simão Melo de Sousa
Abstract: Difficulties in the multi-platform deployment and use of pedagogical Virtual Machines can have an annoying impact on the success of a compilers construction course. This paper introduces a compilers construction course support platform that tackles this issue. The proposed ...
JavaCard [22] is a dialect of Java that enables Java technology to run on new generation smart cards and other devices with limited memory. As JavaCard is becoming increasingly popular, there has been a strong interest, both from academia and industry, to reason formally about the JavaCard platform.
Bytecode verification is one of the key security functions of the JavaCard architecture. Its correctness is often cast relatively to a defensive virtual machine that performs checks at run-time, and an offensive one that does not, and can be summarized as stating that the two machines coincide on programs that pass bytecode verification. We review the process of establishing such a correctness statement in a proof assistant, and focus in particular on the problem of automating the construction of an offensive virtual machine and a bytecode verifier from a defensive machine.
We present a formal executable specification of two crucial JavaCard platform components, namely the Java Card Virtual Machine (JCVM) and the ByteCode Verifier (BCV). Moreover, we relate both components by giving a proof of correctness of the ByteCode Verifier. Both formalisations and proofs have been machine-checked using the proof assistant Coq.
... An element of valu is a pair (t, v) where t is the type of the value v. *) Cases (Nth_func (opstack h) nargs) of (value x) => Cases x of (tx, vx) => (* The nargth element must be a reference. *) Case tx of Ref => (* This function raises a Null Pointer exception (Value NullPointer) if the ...
Journal of Automated Reasoning, 2005
Bytecode verification is one of the key security functions of several architectures for mobile and embedded code, including Java, Java Card, and .NET. Over the past few years, its formal correctness has been studied extensively by academia and industry, using general-purpose theorem provers. The objective of our work is to facilitate such endeavors by providing a dedicated environment for establishing the correctness of bytecode verification within a proof assistant. The environment, called Jakarta, exploits a methodology that casts the correctness of bytecode verification relatively to a defensive virtual machine that performs checks at run-time and to an offensive one that does not; it can be summarized as stating that the two machines coincide on programs that pass bytecode verification. Such a methodology has been used successfully to prove the correctness of the Java Card bytecode verifier and may potentially be applied to many similar problems. One definite advantage of the methodology is that it is amenable to automation. Indeed, Jakarta automates the construction of an offensive virtual machine and a bytecode verifier from a defensive machine, and the proofs of correctness of the bytecode verifier. We illustrate the principles of Jakarta on a simple low-level language extended with subroutines and discuss its usefulness to proving the correctness of the Java Card platform.
This paper describes a tool-supported method for the formal verification of timed properties of HTL programs, supported by the automated translation tool HTL2XTA, which extracts from a HTL program (i) an Uppaal model and (ii) a set of properties that state the compliance of the model with certain automatically inferred temporal constraints. These can be manually extended with other temporal properties provided by the user. The paper introduces the details of the proposed mechanisms as well as the results of our experimental validation.
First-order logic augments the expressive power of propositional logic as it links the logical assertions to properties of objects of some non-empty universe: the domain of discourse. This is achieved by allowing the propositional symbols to take arguments that range over elements of the domain of discourse. These are now called predicate symbols and are interpreted as relations on the domain. Elements of the domain of discourse are denoted by terms built up from variables, constants, and functions applied to other terms. First-order logic also expands the lexicon of propositional logic with the quantifiers “for all” and “there exists” that are interpreted consistently with their natural language meaning. This chapter is devoted to classical first-order logic. Our presentation is similar to the one conducted for propositional logic. We first define the syntax of first-order logic, followed by its semantics. Next we define a proof system for it and present the fundamental theoretical results of soundness and completeness. We also discuss the decision problems related to this logic. The remaining sections of the chapter cover variations and extensions of first-order logic, as well as first-order theories.
In this paper we present a computer-assisted proof of the correctness of a partial derivative automata construction from a regular expression within the Coq proof assistant. This proof is part of a formalization of Kleene algebra and regular languages in Coq towards their usage in program certification.
The presence of sub-routines is as important as it is challenging from the point of view of verification. In this chapter we study a form of program logic that is adequate for reasoning about programs with procedures, and moreover it is adequate for motivating the principles that are used in practice by program verification tools and standard annotation languages, as illustrated in Chaps. 9 and 10. The material studied in the present chapter covers the interprocedural level, but at the intraprocedural level the code in the body of procedures still needs to be verified; the inference systems presented in this chapter are thus meant as extensions of systems studied previously. The chapter starts with an overview of some of the issues involved in reasoning about procedures. Subsequent sections cover in turn inference rules and verification conditions for programs consisting of mutually recursive parameterless procedures; frame conditions; procedures with parameters; and finally return values and functions.
Propositional logic is the basis for any study of logic. The sentences of propositional logic are built from a set of unstructured atomic propositions that are combined using a number of logical connectives. Logical connectives are Boolean operators whose names come from natural language, such as “not”, “and”, “or” and “implies”, and they are given a formal meaning that mimics their usage in natural language. This chapter is devoted to the study of classical propositional logic. The chapter starts with a presentation of both the syntax and the semantics of propositional logic. In other words, we describe both the set of sentences of the language of propositional logic, and characterise the meaning of those sentences (i.e. which sentences are valid or not). The notion of proof derivation is then introduced as a syntactic characterisation of logical inference, and the interplay between provability and validity is established. The chapter concludes with a discussion of the decision problem of checking whether a propositional formula is valid or not.
In this chapter we shift the focus of our study to programs written in a realistic programming language. In particular, we focus on the ANSI/ISO C Specification Language (ACSL), which is an annotation language for C programs. ACSL has scope for frame conditions, loop invariants and variants, predicates and logic functions (either defined or specified by axioms), and a state label mechanism. In the previous chapter we have introduced contracts and the principles of contract-based verification. ACSL adheres to these principles: each C function in a program is annotated with an ACSL specification—the function’s contract. Verification of a program consisting of a number of mutually-recursive functions is completely modular: each function is verified against its own contract, assuming that all other functions are correct. The program is correct if all functions are correct.
The goal of this chapter is to give an overview of the different approaches and tools pertaining to formal methods. We do not attempt to be exhaustive, but focus instead on the main approaches (formal specification, formal verification and proofs, transformation, and formal development). A concise introduction to basic logic concepts and methods is also provided. After reading the chapter the reader will be familiar with the terminology of the area, as well as with the most important concepts and techniques. Moreover the chapter will allow the reader to contextualise and put into perspective the topics that are covered in detail in the book.
Computing Research Repository, 2008
Traditional PCC architectures center their certificate generation mechanisms on the output of the compilation. Along the lines of recent projects, we believe that there are strong benefits in moving the certificate generation to the source code level. Because there exist good tools for source code verification and for formal verification in general, it is a feature of the Lissom platform that existing tools are used as much as possible at key points of its infrastructure.
In this chapter we consider the problem of mechanising the construction of derivations in Hoare logic having a given Hoare triple as conclusion. We are thus concerned with the backwards application of rules of the logic, which will eventually produce a derivation, i.e. a tree in which all leaves correspond to instances of axioms, and all side conditions hold. The goal of this chapter is to show that there exists a strategy for conducting the proofs such that, if some of the side conditions required do not hold, then no derivation exists for the goal at hand. This strategy results in the definition of what is usually known as a verification conditions generator.
This chapter considers a method for dealing statically with the occurrence of errors during the execution of programs. Recall that to this point we have been considering that evaluation of an expression could never go wrong, and neither could the execution of a command. This is clearly unsatisfying since in real-world languages runtime errors do occur, and one of the main uses of verification methods is precisely to ensure the safety of programs, i.e. the absence of such error situations. This chapter presents a general framework for reasoning with errors and safety.
Hoare logic is the fundamental formalism introduced by C.A.R. Hoare in 1969 for reasoning about the correctness of imperative programs, building on first-order logic. In this chapter we study a program logic which is a variant of Hoare logic for programs containing user-provided annotations. The logic deals with the notion of correctness vis-à-vis a specification that consists of a precondition and a postcondition. The correctness of a program with respect to a given specification is asserted by constructing a derivation in the inference system of Hoare logic. While doing so, one must identify an invariant for every loop in the program. This chapter also discusses the important problem of adaptation of specifications, since it has major implications on the design of practical verification systems based on Hoare logic.
In this chapter we study a verification tool, called Frama-C, for ACSL-annotated C programs. In fact Frama-C is much more than a verification tool: it is a general, plug-in-based program analysis tool, designed to be used in practice in industrial projects. The program verification functionality of Frama-C used in the present chapter is provided by the Jessie plug-in. Jessie in turn relies on the use of a multi-prover VCGen tool that can export verification conditions to many different proof tools, including for instance the Simplify and Z3 automatic provers, and proof assistants like Coq. Our approach in the present chapter is to start from an algorithm for which only an informal specification is given. We annotate the C code of this function as we go along, starting with the minimal annotations required for verification of safety, followed later by other functional properties.