DOI: 10.1145/3297280.3297495
Research article
Best Paper

Logic against ghosts: comparison of two proof approaches for a list module

Published: 08 April 2019

ABSTRACT

Modern verification projects continue to offer new challenges for formal verification. One of them is the linked list module of Contiki, a popular open-source operating system for the Internet of Things. It has a rich API and uses a particular list representation, which together make it different from the classical linked list implementations. Being widely used in the OS, the list module is critical for reliability and security. A recent work verified the list module using ghost arrays.

This article reports on a new verification effort for this module. Realized in the Frama-C/Wp tool, the new approach relies on logic lists. A logic list provides a convenient high-level view of the linked list. The specifications of all functions are now proved faster and almost all automatically, only a small number of auxiliary lemmas and a couple of assertions being proved interactively in Coq. The proposed specifications are validated by proving a few client functions manipulating lists. During the verification, a more efficient implementation for one function was found and verified. We compare the new approach with the previous effort based on ghost arrays, and discuss the benefits and drawbacks of both techniques.


Published in: SAC '19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, April 2019, 2682 pages. ISBN: 9781450359337. DOI: 10.1145/3297280.

Copyright © 2019 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.