Efficient, formally verifiable data structures using ACL2 single-threaded objects for high-assurance systems

Abstract

Classical data structures such as stacks, queues, and double-ended queues (deques) find broad use in security-critical applications. At the highest Evaluation Assurance Level (EAL) of the Common Criteria, such data structures must be formally specified, and proven to meet their specifications. Formal verification systems can readily reason about unbounded, functional data structures. However, such data structures are in the main not appropriate for direct implementation in high-confidence software systems, both because of their unbounded nature, and also due to the complexity of the functional forms (e.g., the use of two lists, one reversed, to implement a deque). We will show how a formally verified data structure specified using the ACL2 single-threaded object facility can be much more readily translated into highassurance implementations expressed in conventional programming languages. Finally, we show how this translated data structure code can be compiled into efficient machine code for a common embedded microprocessor using a verified compiler, and executed on an EAL6+ verified operating system.