Temporal-Safety Proofs for Systems Code
We present a methodology and tool for verifying and certifying systems code. The verification is based on the lazy-abstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically refine the abstraction based on counterexample analysis. The certification is based on the proof-carrying code paradigm. Lazy abstraction enables the automatic construction of small proof certificates. The methodology is implemented in Blast, the Berkeley Lazy Abstraction Software verification Tool. We describe our experience applying Blast to Linux and Windows device drivers. Given the C code for a driver and for a temporal-safety monitor, Blast automatically generates an easily checkable correctness certificate if the driver satisfies the specification, and an error trace otherwise.
Keywords: Model Checking, Proof Obligation, Device Driver, Specification, Reachable Region
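To make the three steps of the abstract concrete (predicate abstraction, model checking the abstraction, counterexample-driven refinement), the following is an added example written for this page; it is not BLAST's code and simplifies the method in several labelled ways. The driver is the locking example used in the lazy-abstraction work, hand-encoded as a control-flow graph; the temporal-safety monitor is the two-state lock/unlock automaton; the only candidate predicate is `eq` (standing for `old == new`), whose abstract post is encoded by hand where BLAST would query a theorem prover; and refinement is global rather than lazy (the whole abstract reachability is redone with the new predicate instead of only the relevant subtree). Certificate generation is not shown.

```python
"""Toy CEGAR loop for a lock-protocol temporal-safety check.

Added illustration, not BLAST's implementation. Assumptions: the driver is a
hand-written CFG over a few statement kinds, the single candidate predicate
`eq` means old == new, and its post-semantics are hand-coded rather than
computed by a proof-generating theorem prover.
"""
from collections import deque

# Temporal-safety monitor: lock() and unlock() must strictly alternate.
MONITOR = {
    ("U", "lock"): "L", ("L", "unlock"): "U",
    ("L", "lock"): "ERR", ("U", "unlock"): "ERR",
}


def post(stmt, eq):
    """Abstract post of one statement on the 3-valued predicate `eq`
    (True / False / None = unknown). Returns the new value, or the string
    'infeasible' when an assume contradicts the current value."""
    if stmt == "old = new":
        return True
    if stmt == "new++":
        return False if eq is True else None   # equal before -> unequal after
    if stmt == "assume(new == old)":
        return "infeasible" if eq is False else True
    if stmt == "assume(new != old)":
        return "infeasible" if eq is True else False
    return eq                                   # lock/unlock/skip: data unchanged


def path_to(parent, state):
    """Rebuild the statement sequence leading to `state` from the BFS parents."""
    path = []
    while parent[state] is not None:
        prev, stmt = parent[state]
        path.append(stmt)
        state = prev
    return path[::-1]


def abstract_reach(cfg, track_eq):
    """Model-check the abstraction: explore (location, monitor state, eq) states.
    With track_eq=False the predicate is absent, so `eq` stays unknown and every
    assume edge is taken. Returns an abstract error path or None if safe."""
    start = (0, "U", None)
    parent = {start: None}
    queue = deque([start])
    while queue:
        loc, mon, eq = queue.popleft()
        for stmt, nxt in cfg.get(loc, []):
            if stmt in ("lock", "unlock"):
                new_mon, new_eq = MONITOR[(mon, stmt)], eq
            else:
                new_mon = mon
                new_eq = post(stmt, eq) if track_eq else None
                if new_eq == "infeasible":
                    continue
            state = (nxt, new_mon, new_eq)
            if state not in parent:
                parent[state] = ((loc, mon, eq), stmt)
                if new_mon == "ERR":
                    return path_to(parent, state)
                queue.append(state)
    return None


def feasible(path):
    """Counterexample analysis: replay the abstract path with the exact
    semantics of `eq` from unknown initial values. A contradiction means the
    path is spurious; otherwise it is a genuine error trace."""
    eq = None
    for stmt in path:
        if stmt in ("lock", "unlock"):
            continue
        eq = post(stmt, eq)
        if eq == "infeasible":
            return False
    return True


def verify(cfg):
    """CEGAR driver: start from the empty predicate set, refine on a spurious
    counterexample by adding the predicate that refuted it (global, not lazy).
    Returns ('safe', predicates) or ('error', path)."""
    track_eq = False
    while True:
        path = abstract_reach(cfg, track_eq)
        if path is None:
            return ("safe", ["old == new"] if track_eq else [])
        if feasible(path):
            return ("error", path)
        track_eq = True   # refinement: the only predicate in this toy theory


# Constructed driver CFG (the lazy-abstraction running example):
#   do { lock(); old = new; if (*) { unlock(); new++; } } while (new != old);
#   unlock();
DRIVER_OK = {
    0: [("lock", 1)],
    1: [("old = new", 2)],
    2: [("skip", 3), ("skip", 5)],                          # nondeterministic if (*)
    3: [("unlock", 4)],
    4: [("new++", 5)],
    5: [("assume(new != old)", 0), ("assume(new == old)", 6)],
    6: [("unlock", 7)],
}
# Constructed buggy variant: `old = new` is missing, so the loop can come back
# around while the lock is still held.
DRIVER_BAD = dict(DRIVER_OK)
DRIVER_BAD[1] = [("skip", 2)]

if __name__ == "__main__":
    print(verify(DRIVER_OK))    # ('safe', ['old == new'])
    print(verify(DRIVER_BAD))   # ('error', [...]) with a double lock() at the end
```

On the correct driver the first, predicate-free abstraction reports a double `lock()` along the path that skips the `if` body and takes the `new != old` back edge; replaying it shows that `old = new` has just made the two equal, so the path is spurious, the predicate `old == new` is added, and the refined abstraction has no reachable monitor error. On the buggy variant the same abstract path survives the replay, because nothing constrains the initial values, and is reported as a genuine error trace.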