ABSTRACT
Modern verification projects continue to offer new challenges for formal verification. One of them is the linked list module of Contiki, a popular open-source operating system for the Internet of Things. It has a rich API and uses a particular list representation that makes it different from classical linked list implementations. Being widely used in the OS, the list module is critical for reliability and security. A recent work verified the list module using ghost arrays.
This article reports on a new verification effort for this module. Realized in the Frama-C/Wp tool, the new approach relies on logic lists. A logic list provides a convenient high-level view of the linked list. The specifications of all functions are now proved faster and almost entirely automatically; only a small number of auxiliary lemmas and a couple of assertions are proved interactively in Coq. The proposed specifications are validated by proving a few client functions that manipulate lists. During the verification, a more efficient implementation for one function was found and verified. We compare the new approach with the previous effort based on ghost arrays, and discuss the benefits and drawbacks of both techniques.
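As an added illustration, not code from the paper, from Contiki or from Frama-C, the C program below sketches the list representation the abstract alludes to and the two specification views it compares. Contiki's list.h declares a list as a pointer to the head pointer (`void **`) and requires every element's `next` pointer to be its first field, so the module can treat any element as a generic node. The ACSL contracts in the comments use a hypothetical logic function `to_ll` that maps the pointer chain to an ACSL `\list`; they are written in the logic-list style the abstract describes but are not the paper's actual definitions and are not machine-checked here. `to_model` is an executable stand-in that copies the chain into an array, which is the kind of view a ghost-array proof manipulates, and `demo_checks` uses it to check each postcondition on constructed data, including the case where an element already in the list is added again.

```c
#include <stddef.h>
#include <stdio.h>

/* Contiki-style representation: a list is a pointer to the head pointer,
 * and every element carries its 'next' pointer as its first field. */
typedef void **list_t;

struct list_node {
  struct list_node *next;
};

/* Element type constructed for this example. */
struct item {
  struct item *next;   /* must be the first field */
  int value;
};

#define MODEL_CAP 16

/* Executable stand-in for a logic list: walks the chain and copies the
 * node pointers into an array, the view a ghost-array proof works on.
 * Returns the number of nodes copied. */
static size_t to_model(list_t list, struct list_node **out, size_t cap) {
  size_t n = 0;
  for (struct list_node *p = *list; p != NULL && n < cap; p = p->next)
    out[n++] = p;
  return n;
}

/* In ACSL the logic-list view would be a logic function such as
 *   logic \list<struct list_node*> to_ll(list_t l);   (hypothetical name)
 * mapping the chain to a sequence. The contracts below use it for
 * illustration only; they are not the paper's definitions. */

/*@ ensures to_ll(list) == \Nil; */
void list_init(list_t list) {
  *list = NULL;
}

/*@ ensures to_ll(list) == \Cons(item, \old(to_ll(list))); */
void list_push(list_t list, void *item) {
  ((struct list_node *)item)->next = *list;
  *list = item;
}

/*@ ensures \forall integer i; 0 <= i < \length(to_ll(list)) ==>
      \nth(to_ll(list), i) != item; */
void list_remove(list_t list, void *item) {
  struct list_node **slot = (struct list_node **)list;
  while (*slot != NULL) {
    if (*slot == (struct list_node *)item) {
      *slot = (*slot)->next;   /* unlink; the rest of the chain is untouched */
      return;
    }
    slot = &(*slot)->next;
  }
}

/*@ ensures \nth(to_ll(list), \length(to_ll(list)) - 1) == item; */
void list_add(list_t list, void *item) {
  struct list_node *n = (struct list_node *)item;
  struct list_node **slot;
  list_remove(list, item);   /* as in Contiki: no duplicate entry, no cycle */
  n->next = NULL;
  for (slot = (struct list_node **)list; *slot != NULL; slot = &(*slot)->next)
    ;
  *slot = n;
}

/*@ ensures \result == \length(to_ll(list)); */
int list_length(list_t list) {
  int n = 0;
  for (struct list_node *p = *list; p != NULL; p = p->next)
    n++;
  return n;
}

/* Runs a constructed scenario and checks each postcondition against the
 * array model; returns how many of the six checks held. */
int demo_checks(void) {
  struct item a = {NULL, 1}, b = {NULL, 2}, c = {NULL, 3};
  void *head = NULL;         /* Contiki's LIST(lst) macro expands to this pair */
  list_t lst = &head;
  struct list_node *m[MODEL_CAP];
  int ok = 0;

  list_init(lst);
  list_push(lst, &a);        /* to_ll == [| a |] */
  ok += (to_model(lst, m, MODEL_CAP) == 1 && m[0] == (void *)&a);
  list_push(lst, &b);        /* to_ll == [| b, a |] */
  ok += (to_model(lst, m, MODEL_CAP) == 2 && m[0] == (void *)&b && m[1] == (void *)&a);
  list_add(lst, &c);         /* to_ll == [| b, a, c |] */
  ok += (to_model(lst, m, MODEL_CAP) == 3 && m[2] == (void *)&c);
  list_remove(lst, &a);      /* to_ll == [| b, c |] */
  ok += (to_model(lst, m, MODEL_CAP) == 2 && m[0] == (void *)&b && m[1] == (void *)&c);
  list_add(lst, &b);         /* b already present: moved to the end, [| c, b |] */
  ok += (to_model(lst, m, MODEL_CAP) == 2 && m[0] == (void *)&c && m[1] == (void *)&b);
  ok += (list_length(lst) == 2);
  return ok;
}

int main(void) {
  printf("%d of 6 postconditions held\n", demo_checks());
  return 0;
}
```

The contrast the abstract draws shows up in the two views of the same chain: the array filled by `to_model` has to be threaded through every loop and updated index by index, whereas the `to_ll` contracts state the effect of each operation as one equation on a sequence. The re-adding case in `demo_checks` is the kind of edge case a specification must cover explicitly, since appending a node that is already linked without unlinking it first would create a cycle.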
Index Terms
- Logic against ghosts: comparison of two proof approaches for a list module