The KeY Platform for Verification and Analysis of Java Programs

  • Wolfgang Ahrendt
  • Bernhard Beckert
  • Daniel BrunsEmail author
  • Richard Bubel
  • Christoph Gladisch
  • Sarah Grebing
  • Reiner Hähnle
  • Martin Hentschel
  • Mihai Herda
  • Vladimir Klebanov
  • Wojciech Mostowski
  • Christoph Scheben
  • Peter H. Schmitt
  • Mattias Ulbrich
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8471)


The KeY system offers a platform of software analysis tools for sequential Java. Foremost, this includes full functional verification against contracts written in the Java Modeling Language. But the approach is general enough to provide a basis for other methods and purposes: (i) complementary validation techniques to formal verification such as testing and debugging, (ii) methods that reduce the complexity of verification such as modularization and abstract interpretation, (iii) analyses of non-functional properties such as information flow security, and (iv) sound program transformation and code generation. We show that deductive technology that has been developed for full functional verification can be used as a basis and framework for other purposes than pure functional verification. We use the current release of the KeY system as an example to explain and prove this claim.


Abstract Interpretation Proof Obligation Symbolic Execution Satisfiability Modulo Theory Symbolic State 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ahrendt, W.: Using KeY. In: Beckert, B., Hähnle, R., Schmitt, P.H. (eds.) Verification of Object-Oriented Software. LNCS (LNAI), vol. 4334, pp. 409–451. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., M. Leino, K.R.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Filliâtre, J.-C., Marché, C.: The Why/Krakatoa/Caduceus platform for deductive program verification. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 173–177. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Stenzel, K.: A formally verified calculus for full Java Card. In: Rattray, C., Maharaj, S., Shankland, C. (eds.) AMAST 2004. LNCS, vol. 3116, pp. 491–505. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Harel, D., Kozen, D., Tiuryn, J.: Dynamic Logic. MIT Press, Cambridge (2000)zbMATHGoogle Scholar
  6. 6.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580, 583 (1969)Google Scholar
  7. 7.
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: A behavioral interface specification language for Java. SIGSOFT 31(3), 1–38 (2006)CrossRefGoogle Scholar
  8. 8.
    Weiß, B.: Deductive verification of object-oriented software: dynamic frames, dynamic logic and predicate abstraction. Ph.D. Thesis, Karlsruhe Institute of Technology (2011)Google Scholar
  9. 9.
    Bruns, D., Mostowski, W., Ulbrich M.: Implementation-level verification of algorithms with KeY. Softw. Tools Technol. Transf. (Springer, Heidelberg) to appear. DOI: 10.1007/s10009-013-0293-y
  10. 10.
    Meyer, B.: Applying “design by contract”. IEEE Comput. 25(10), 40–51 (1992)CrossRefGoogle Scholar
  11. 11.
    Kassios, I.T.: The dynamic frames theory. Form. Asp. Comput. 23(3), 267–288 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR-16 2010. LNCS, vol. 6355, pp. 348–370. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and Java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  14. 14.
    Schulte, W., Songtao, X., Smans, J., Piessens, F.: A glimpse of a verifying C compiler. In: C/C++ Verification Workshop (2007)Google Scholar
  15. 15.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Fourth ACM Symposium on Principles of Programming Language, Los Angeles, pp. 238–252. ACM Press, New York (1977)Google Scholar
  16. 16.
    Bubel, R., Hähnle, R., Weiß, B.: Abstract interpretation of symbolic execution with explicit state updates. In: de Boer, F.S., Bonsangue, M.M., Madelaine, E. (eds.) FMCO 2008. LNCS, vol. 5751, pp. 247–277. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  18. 18.
    M. Leino, K.R., Logozzo, F.: Loop invariants on demand. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 119–134. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. 19.
    Graf, S., Saïdi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  20. 20.
    Engel, C., Hähnle, R.: Generating unit tests from formal proofs. In: Gurevich, Y., Meyer, B. (eds.) TAP 2007. LNCS, vol. 4454, pp. 169–188. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Beckert, B., Gladisch, C.: White-box testing by combining deduction-based specification extraction and black-box testing. In: Gurevich, Y., Meyer, B. (eds.) TAP 2007. LNCS, vol. 4454, pp. 207–216. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Petiot, G., Kosmatov, N., Giorgetti, A., Julliand, J.: How test generation helps software specification and deductive verification in Frama-C. In: Seidl, M., Tillmann, N. (eds.) TAP 2014. LNCS, vol. 8570, pp. 204–211. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  23. 23.
    Cadar, C., Godefroid, P., Khurshid, S., Pasareanu, C.S., Sen, K., Tillmann, N., Visser, W.: Symbolic execution for software testing in practice: preliminary assessment. In: Taylor, R.N., Gall, H., Medvidovic, N. (eds.) ICSE, pp. 1066–1071. ACM (2011)Google Scholar
  24. 24.
    Hentschel, M., Bubel, R., Hähnle, R.: Symbolic execution debugger (SED). In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 255–262. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  25. 25.
    Hentschel, M., Hähnle, R., Bubel, R.: Visualizing unbounded symbolic execution. In: Seidl, M., Tillmann, N. (eds.) TAP 2014. LNCS, vol. 8570, pp. 82–98. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  26. 26.
    King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)CrossRefzbMATHGoogle Scholar
  27. 27.
    Dromey, R.G.: From requirements to design: Formalizing the key steps. In: 1st International Conference on Software Engineering and Formal Methods, SEFM, IEEE (2003)Google Scholar
  28. 28.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
  29. 29.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Proceedings of the 17th IEEE workshop on Computer Security Foundations, CSFW ’04, Washington, USA, pp. 100–115. IEEE CS (2004)Google Scholar
  30. 30.
    Darvas, Á., Hähnle, R., Sands, D.: A theorem proving approach to analysis of secure information flow. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 193–209. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  31. 31.
    Scheben, C., Schmitt, P.H.: Efficient Self-composition for weakest precondition calculi. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 579–594. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  32. 32.
    Beckert, B., Bruns, D., Klebanov, V., Scheben, C., Schmitt, P.H., Ulbrich, M.: Information flow in object-oriented software. In: Gupta, G., Peña, R. (eds.) Logic-Based Program Synthesis and Transformation, pp.15–32 (2013)Google Scholar
  33. 33.
    Scheben, C., Schmitt, P.H.: Verification of information flow properties of Java programs without approximations. In: Beckert, B., Damiani, F., Gurov, D. (eds.) FoVeOOS 2011. LNCS, vol. 7421, pp. 232–249. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  34. 34.
    van Delft, B.: Abstraction, objects and information flow analysis. Master’s Thesis, Institute for Computing and Information Science, Radboud Uni Nijmegen (2011)Google Scholar
  35. 35.
    Klebanov, V.: Precise quantitative information flow analysis: A symbolic approach. Theor. Comput. Sci. 538, 124–139 (2014). (to appear)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Chen, Z.: Java Card Technology for Smart Cards: Architecture and Programmer’s Guide. Addison-Wesley, Boston (2000)Google Scholar
  37. 37.
    Oracle: Java Card 3 Platform Runtime Environment Specification, Classic Edition, Version 3.0.4., September 2012Google Scholar
  38. 38.
    Mostowski, W.: Formal reasoning about non-atomic Java Card methods in dynamic logic. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006. LNCS, vol. 4085, pp. 444–459. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  39. 39.
    Marché, C., Rousset, N.: Verification of Java Card applets behavior with respect to transactions and card tears. In: Proceedings of Software Engineering and Formal Methods (SEFM), Pune, India. IEEE CS Press (2006)Google Scholar
  40. 40.
    Mostowski, W.: A case study in formal verification using multiple explicit heaps. In: Beyer, D., Boreale, M. (eds.) FORTE 2013 and FMOODS 2013. LNCS, vol. 7892, pp. 20–34. Springer, Heidelberg (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Wolfgang Ahrendt
    • 1
  • Bernhard Beckert
    • 2
  • Daniel Bruns
    • 2
    Email author
  • Richard Bubel
    • 3
  • Christoph Gladisch
    • 2
  • Sarah Grebing
    • 2
  • Reiner Hähnle
    • 3
  • Martin Hentschel
    • 3
  • Mihai Herda
    • 2
  • Vladimir Klebanov
    • 2
  • Wojciech Mostowski
    • 4
  • Christoph Scheben
    • 2
  • Peter H. Schmitt
    • 2
  • Mattias Ulbrich
    • 2
  1. 1.Chalmers University of TechnologyGothenburgSweden
  2. 2.Karlsruhe Institute of TechnologyKarlsruheGermany
  3. 3.Technische Universität DarmstadtDarmstadtGermany
  4. 4.University of TwenteEnschedeThe Netherlands

Personalised recommendations