Ghosts for Lists: A Critical Module of Contiki Verified in Frama-C

  • Allan BlanchardEmail author
  • Nikolai Kosmatov
  • Frédéric Loulergue
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10811)


Internet of Things (IoT) applications are becoming increasingly critical and require rigorous formal verification. In this paper we target Contiki, a widely used open-source OS for IoT, and present a verification case study of one of its most critical modules: that of linked lists. Its API and list representation differ from the classical linked list implementations, and are particularly challenging for deductive verification. The proposed verification technique relies on a parallel view of a list through a companion ghost array. This approach makes it possible to perform most proofs automatically using the Frama-C/WP tool, only a small number of auxiliary lemmas being proved interactively in the Coq proof assistant. We present an elegant segment-based reasoning over the companion array developed for the proof. Finally, we validate the proposed specification by proving a few functions manipulating lists.


Linked lists Deductive verification Operating system Internet of Things Frama-C 



This work was partially supported by a grant from CPER DATA and the project VESSEDIA, which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731453. The authors thank the Frama-C team for providing the tools and support, as well as Patrick Baudin, François Bobot and Loïc Correnson for many fruitful discussions and advice. Many thanks to the anonymous referees for their helpful comments.


  1. 1.
    Appel, A.W.: Verified software toolchain. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 1–17. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  2. 2.
    Appel, A.W.: Verification of a cryptographic primitive: SHA-256. ACM Trans. Program. Lang. Syst. 37(2), 7:1–7:31 (2015)CrossRefGoogle Scholar
  3. 3.
    Appel, A.W., Dockins, R., Hobor, A., Beringer, L., Dodds, J., Stewart, G., Blazy, S., Leroy, X.: Program Logics for Certified Compilers. Cambridge University Press, Cambridge (2014)CrossRefzbMATHGoogle Scholar
  4. 4.
    Baudin, P., Cuoq, P., Filliâtre, J.C., Marché, C., Monate, B., Moy, Y., Prevosto, V.: ACSL: ANSI/ISO C Specification Language.
  5. 5.
    Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development. Springer, Heidelberg (2004). CrossRefzbMATHGoogle Scholar
  6. 6.
    Blanchard, A., Kosmatov, N., Lemerre, M., Loulergue, F.: A case study on formal verification of the anaxagoros hypervisor paging system with Frama-C. In: Núñez, M., Güdemann, M. (eds.) FMICS 2015. LNCS, vol. 9128, pp. 15–30. Springer, Cham (2015). CrossRefGoogle Scholar
  7. 7.
    Brookes, S., O’Hearn, P.W.: Concurrent separation logic. ACM SIGLOG News 3(3), 47–65 (2016)Google Scholar
  8. 8.
    Clarke, L.A., Rosenblum, D.S.: A historical perspective on runtime assertion checking in software development. SIGSOFT Softw. Eng. Notes 31(3), 25–37 (2006)CrossRefGoogle Scholar
  9. 9.
    Dross, C., Moy, Y.: Auto-active proof of red-black trees in SPARK. In: Barrett, C., Davies, M., Kahsai, T. (eds.) NFM 2017. LNCS, vol. 10227, pp. 68–83. Springer, Cham (2017). CrossRefGoogle Scholar
  10. 10.
    Dunkels, A., Gronvall, B., Voigt, T.: Contiki – a lightweight and flexible operating system for tiny networked sensors. In: LCN 2014. IEEE (2004)Google Scholar
  11. 11.
    Filliâtre, J.-C., Paskevich, A.: Why3 — where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  12. 12.
    Gladisch, C., Tyszberowicz, S.: Specifying linked data structures in JML for combining formal verification and testing. Sci. Comput. Program. 107–108, 19–40 (2015)CrossRefzbMATHGoogle Scholar
  13. 13.
    Herms, P., Marché, C., Monate, B.: A certified multi-prover verification condition generator. In: Joshi, R., Müller, P., Podelski, A. (eds.) VSTTE 2012. LNCS, vol. 7152, pp. 2–17. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  14. 14.
    Hobor, A., Appel, A.W., Nardelli, F.Z.: Oracle semantics for concurrent separation logic. In: Drossopoulou, S. (ed.) ESOP 2008. LNCS, vol. 4960, pp. 353–367. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  15. 15.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and Java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  16. 16.
    Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C: a software analysis perspective. Formal Asp. Comput. 27(3), 573–609 (2015). MathSciNetCrossRefGoogle Scholar
  17. 17.
    Kosmatov, N., Signoles, J.: A lesson on runtime assertion checking with Frama-C. In: Legay, A., Bensalem, S. (eds.) RV 2013. LNCS, vol. 8174, pp. 386–399. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  18. 18.
    Leino, K.R.M., Moskal, M.: Usable auto-active verification (2010).
  19. 19.
    Mangano, F., Duquennoy, S., Kosmatov, N.: Formal verification of a memory allocation module of Contiki with Frama-C: a case study. In: Cuppens, F., Cuppens, N., Lanet, J.-L., Legay, A. (eds.) CRiSIS 2016. LNCS, vol. 10158, pp. 114–120. Springer, Cham (2017). CrossRefGoogle Scholar
  20. 20.
    Mansky, W., Appel, A.W., Nogin, A.: A verified messaging system. Proc. ACM Program. Lang. 1(OOPSLA), 871–8728 (2017)CrossRefGoogle Scholar
  21. 21.
    Peyrard, A., Duquennoy, S., Kosmatov, N., Raza, S.: Towards formal verification of Contiki: analysis of the AES-CCM* modules with Frama-C. In: RED-IoT 2018, Co-located with EWSN 2018. ACM (2018, to appear)Google Scholar
  22. 22.
    Philippaerts, P., Mühlberg, J.T., Penninckx, W., Smans, J., Jacobs, B., Piessens, F.: Software verification with VeriFast: industrial case studies. Sci. Comput. Program. 82, 77–97 (2014)CrossRefGoogle Scholar
  23. 23.
    Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science (LICS), pp. 55–74. IEEE Computer Society (2002)Google Scholar
  24. 24.
    The Coq Development Team: The Coq proof assistant.
  25. 25.
    Vogels, F., Jacobs, B., Piessens, F.: Featherweight VeriFast. Log. Methods Comput. Sci. 11(3), 1–57 (2015)MathSciNetzbMATHGoogle Scholar
  26. 26.
    Ye, K.Q., Green, M., Sanguansin, N., Beringer, L., Petcher, A., Appel, A.W.: Verified correctness and security of mbedTLS HMAC-DRBG. In: ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2007–2020. ACM, New York (2017)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Inria Lille — Nord EuropeVilleneuve d’AscqFrance
  2. 2.CEA, List, Software Reliability and Security Laboratory, PC 174Gif-sur-YvetteFrance
  3. 3.School of Informatics Computing and Cyber SystemsNorthern Arizona UniversityFlagstaffUSA

Personalised recommendations