QED at Large: A Survey of Engineering of Formally Verified Software

Abstract

Development of formal proofs of correctness of programs can increase actual and perceived reliability and facilitate better understanding of program specifications and their underlying assumptions. Tools supporting such development have been available for over 40 years, but have only recently seen wide practical use. Projects based on construction of machine-checked formal proofs are now reaching an unprecedented scale, comparable to large software projects, which leads to new challenges in proof development and maintenance. Despite its increasing importance, the field of proof engineering is seldom considered in its own right; related theories, techniques, and tools span many fields and venues. This survey of the literature presents a holistic understanding of proof engineering for program correctness, covering impact in practice, foundations, proof automation, proof organization, and practical proof development.

Similar Papers
  • Research Article
  • Cited by 16
  • 10.1016/j.entcs.2005.02.042
Optimizing Code Generation from SSA Form: A Comparison Between Two Formal Correctness Proofs in Isabelle/HOL
  • Nov 25, 2005
  • Electronic Notes in Theoretical Computer Science
  • Jan Olaf Blech + 3 more


  • Research Article
  • 10.52783/pmj.v33.i2.875
Formal Methods for Security Protocol Verification: Model Checking and Theorem Proving Approaches
  • Jul 4, 2024
  • Panamerican Mathematical Journal
  • Sachin Ashok Murab

Formal methods are a key part of making sure that cryptographic systems are safe and reliable. For the purpose of checking security protocols, this paper looks into two well-known formal methods: model checking and theorem proving. When you do model checking, you go through all of a system's possible states to see if it meets certain criteria. On the other hand, theorem proving uses formal evidence and mathematical reasoning to show that protocols are correct. In the beginning of the paper, an outline of security protocols and the need for formal proof methods to make sure they are strong against possible threats is given. Then it goes into the ideas and methods behind model checking and shows how it can be used in security protocol analysis. Model checking lets you do automatic checks, which lets you look into all the possible states of a system and find any security holes. The study then looks at theorem proving as an alternative way to check protocols. Theorem proving uses mathematical thinking to make formal proofs that show protocols are right. Although theorem proving usually needs help from a person with the right knowledge, it gives more security by making sure everything is right using strong mathematical foundations. It is talked about what the pros and cons of each method are, taking things like scale, automation, and expression into account. It also talks about important improvements and new tools in each method, showing how people are still working to make security protocol testing techniques more efficient and effective. The last part of the paper compares model checking and theorem proving, focusing on how they work together and how important it is to use both to make sure the security of cryptographic protocols. Also, it shows how important it is to choose the right formal methods based on the needs and features of the protocol in question.

  • Book Chapter
  • 10.1007/978-3-030-80049-9_26
On Preserving the Computational Content of Mathematical Proofs: Toy Examples for a Formalising Strategy
  • Jan 1, 2021
  • Angeliki Koutsoukou-Argyraki

Instead of using program extraction mechanisms in various theorem provers, I suggest that users opt to create a database of formal proofs whose computational content is made explicit; this would be an alternative approach which, as libraries of formal mathematical proofs are constantly growing, would rely on future advances in automation and machine learning tools, so that as blocks of (sub)proofs get generated automatically, the preserved computational content would get recycled, recombined and would eventually manifest itself in different contexts. To this end, I do not suggest restricting to only constructive proofs, but I suggest that proof mined, possibly also non-constructive proofs with some explicit computational content should be preferable, if possible. To illustrate what kind of computational content in mathematical proofs may be of interest I give several very elementary examples (to be regarded as building blocks of proofs) and some samples of formalisations in Isabelle/HOL. Given the state of the art in automation and machine learning tools currently available for proof assistants, my suggestion is rather speculative, yet starting to build a database of formal proofs with explicit computational content would be a potentially useful first step.

Keywords: Proof assistants, Computational content, Proof mining, Isabelle/HOL, Proof theory, Interactive theorem provers, Formalisation, Machine learning

  • Research Article
  • Cited by 8
  • 10.1145/352515.352529
Automated deduction
  • Nov 1, 2000
  • Communications of the ACM
  • D W Loveland

Automated deduction (AD) is one of the most advanced and technically deep of the many technologies that constitute computer science. AD software performs tasks ranging from the fast simple deductions of a type checker and the efficient exploration of models, to fully automated deduction and complex deductive interactions in high-level languages. The field lies at an interface with mathematics, logic, and computing theory, as well as with practice. It has contributed fundamental ideas to these fields as well as drawing heavily from them. AD has spawned useful tools and systems, and offers great promise for making substantial progress on some of the most challenging problems in computer science and engineering—such as how to improve the reliability of systems, how to build secure software, and how to increase productivity in software production. In the mathematics world some previously unsolved problems have been solved by or with the assistance of an AD system. We use the term AD for automated theorem provers, counterexample (model) generation, and consequence generators, in both fully automated and interactive systems. We note that AD systems may establish truth of a statement by means other than a formal proof (a listing of steps that are given or follow from previous steps), for example by a decision procedure such as computing and comparing terms in an equation. Likewise, disproofs are frequently counterexamples. This article is based on a report to the National Science Foundation (NSF), Division of Computer and Computation Research, on the future directions of the field of AD [4]. The genesis of the report is the Workshop on the Future Directions of AD held in Chicago on April 20–21, 1996, chaired by the report author and sponsored by the National Science Foundation. In addition to workshop input from 24 top U.S. researchers and users of the technology and systems, information was collected from the

  • Conference Article
  • Cited by 5
  • 10.1145/2854065.2854069
Improving automation in interactive theorem provers by efficient encoding of lambda-abstractions
  • Jan 18, 2016
  • Łukasz Czajka

Hammers are tools for employing external automated theorem provers (ATPs) to improve automation in formal proof assistants. Strong automation can greatly ease the task of developing formal proofs. An essential component of any hammer is the translation of the logic of a proof assistant to the format of an ATP. Formalisms of state-of-the-art ATPs are usually first-order, so some method for eliminating lambda-abstractions is needed. We present an experimental comparison of several combinatory abstraction algorithms for HOL(y)Hammer – a hammer for HOL Light. The algorithms are compared on problems involving non-trivial lambda-abstractions selected from the HOL Light core library and a library for multivariate analysis. We succeeded in developing algorithms which outperform both lambda-lifting and the simple Schönfinkel's algorithm used in Sledgehammer for Isabelle/HOL. This increases the ATPs' success rate on translated problems, thus enhancing automation in proof assistants.

  • Book Chapter
  • Cited by 4
  • 10.1007/978-3-319-03545-1_19
A Formal Model and Correctness Proof for an Access Control Policy Framework
  • Jan 1, 2013
  • Chunhan Wu + 2 more

If an access control policy promises that a resource is protected in a system, how do we know it is really protected? To give an answer we formalise in this paper the Role-Compatibility Model—a framework, introduced by Ott, in which access control policies can be expressed. We also give a dynamic model determining which security related events can happen while a system is running. We prove that if a policy in this framework ensures a resource is protected, then there is really no sequence of events that would compromise the security of this resource. We also prove the opposite: if a policy does not prevent a security compromise of a resource, then there is a sequence of events that will compromise it. Consequently, a static policy check is sufficient (sound and complete) in order to guarantee or expose the security of resources before running the system. Our formal model and correctness proof are mechanised in the Isabelle/HOL theorem prover using Paulson’s inductive method for reasoning about valid sequences of events. Our results apply to the Role-Compatibility Model, but can be readily adapted to other role-based access control models.

  • Research Article
  • Cited by 1
  • 10.1609/aaai.v38i20.30276
Interactive Theorem Provers: Applications in AI, Opportunities, and Challenges
  • Mar 24, 2024
  • Proceedings of the AAAI Conference on Artificial Intelligence
  • Mohammad Abdulaziz

Interactive theorem provers (ITPs) are computer programs in which axioms and a conjecture are stated in a formal language, and a user provides the ITP with relatively high-level steps of a formal proof for the conjecture. Then, by invoking automated theorem provers, the ITP tries to generate low-level steps that fill the gaps between the steps provided by the user, thus forming a complete formal proof of the conjecture. The ITP also checks the entire formal proof against the axioms, thus confirming the soundness of all derivations in the formal proof. In this talk, I will discuss the existing opportunities and potential benefits to applying ITPs to reason about and verify AI concepts, algorithms, and software. I will also discuss the challenges we have to being able to apply ITPs in AI and reap those benefits. I will do so by discussing a number of my previous projects on the application of ITPs to different AI concepts, algorithms, and software systems. These projects span different areas of planning (classical planning, temporal planning, and planning under uncertainty) as well as algorithms with applications in algorithmic game theory, like general graph matching and online matching.

  • Research Article
  • Cited by 112
  • 10.1287/isre.1090.0244
Introduction to the Special Issue—Flexible and Distributed Information Systems Development: State of the Art and Research Challenges
  • Jan 1, 2009
  • Information Systems Research
  • Pär J Ågerfalk + 2 more

Keywords: agile information systems, flexible information systems development, distributed information systems development, global software development, software development, special issue

  • Book Chapter
  • 10.1007/978-3-642-25658-5_34
Elementary Algebra Proof Exercises Using a Theorem Proving System
  • Jan 1, 2011
  • Bing Li + 1 more

This paper presents the architecture of a system for automatically assessing the answers to elementary algebra proving problems. The system parses the answer given by the student, which is written in Chinese, and constructs its corresponding formal proof in a theorem proving system. Then the correctness of the formal proof, which is the semantics of the original answer, can be verified in the theorem proving system automatically.

  • Conference Article
  • Cited by 12
  • 10.1049/cp.2009.1535
Deriving safety cases from automatically constructed proofs
  • Jan 1, 2009
  • N Basir + 2 more

Formal proofs provide detailed justification for the validity of claims and are widely used in formal software development methods. However, they are often complex and difficult to understand, because the formalism in which they are constructed and encoded is usually machine-oriented, and they may also be based on assumptions that are not justified. This causes concerns about the trustworthiness of using formal proofs as arguments in safety-critical applications. Here, we present an approach to develop safety cases that correspond to formal proofs found by automated theorem provers and reveal the underlying argumentation structure and top-level assumptions. We concentrate on natural deduction style proofs, which are closer to human reasoning than resolution proofs, and show how to construct the safety cases by covering the natural deduction proof tree with corresponding safety case fragments. We also abstract away logical book-keeping steps, which reduces the size of the constructed safety cases. We show how the approach can be applied to the proofs found by the Muscadet prover.

  • Research Article
  • Cited by 4
  • 10.22495/cbsrv4i2art14
The impact of organizational empowerment practices and learning organization on firm performance
  • Jan 1, 2023
  • Corporate and Business Strategy Review
  • Haitham M Alzoubi + 4 more

Organizations adapt and implement different strategies and practices in order to improve and enhance their performance and competitiveness in the marketplace. This study investigates the impact of organizational empowerment practices and learning organization on organizational performance of Abu Dhabi National Oil Company (ADNOC) in the UAE. The study contributes to the knowledge by investigating empirical data about organizational empowerment practices, learning organization, and organizational performance and elaborating it in the context of the oil industry in the UAE. The study adopted the quantitative approach and explored participants from different managerial levels. A total number of 212 valid questionnaires were used for analysis. Further, appropriate statistical tests were used to examine the model validation and hypotheses verification. The literature findings suggest that organization performance and organizational commitment increase as the organization invests in training its employees. The study concluded that an increase in communication, rewards, stimulus culture, and sharing of vision among managers, supervisors, or mid-managers could positively impact the performance of ADNOC.

  • Conference Article
  • Cited by 3
  • 10.1109/sp.1983.10002
The VERUS™ Design Verification System
  • Apr 1, 1983
  • Brian Marick + 1 more

VERUS is a design specification and verification system developed by Compion Corporation. Design verification is the analysis of the interaction of a computer system's primitives to show that the system meets certain correctness requirements. The system to be verified is described in a formal specification, which includes statements of the correctness requirements. VERUS is a general-purpose system, but its primary application has been to verify systems modeled as state machines. This paper describes the VERUS approach to state machine specifications by developing a simple security example. VERUS software consists primarily of a parser and a theorem prover. A specification and proof outlines are converted by the parser into a form usable by the prover. The proof outlines guide the prover in its search for complete, formal proofs. The parser and theorem prover are used together with a good text editor in a tight, quick loop.

  • Book Chapter
  • Cited by 8
  • 10.1016/b978-0-444-89208-9.50006-5
From a HDL Description to Formal Proof Systems: Principles and Mechanization
  • Jan 1, 1991
  • Computer Hardware Description Languages and their Applications
  • Laurence Pierre


  • Book Chapter
  • Cited by 14
  • 10.1007/978-3-642-21768-5_9
Correct Code Containing Containers
  • Jan 1, 2011
  • Claire Dross + 2 more

For critical software development, containers such as lists, vectors, sets or maps are an attractive alternative to ad-hoc data structures based on pointers. As standards like DO-178C put formal verification and testing on an equal footing, it is important to give users the ability to apply both to the verification of code using containers. In this paper, we present a definition of containers whose aim is to facilitate their use in certified software, using modern proof technology and novel specification languages. Correct usage of containers and user-provided correctness properties can be checked either by execution during testing or by formal proof with an automatic prover. We present a formal semantics for containers and an axiomatization of this semantics targeted at automatic provers. We have proved in Coq that the formal semantics is consistent and that the axiomatization thereof is correct.

  • Research Article
  • Cited by 14
  • 10.1017/s0960129514000115
Partiality and recursion in interactive theorem provers – an overview
  • Nov 10, 2014
  • Mathematical Structures in Computer Science
  • Ana Bove + 2 more

The use of interactive theorem provers to establish the correctness of critical parts of a software development or for formalizing mathematics is becoming more common and feasible in practice. However, most mature theorem provers lack a direct treatment of partial and general recursive functions; overcoming this weakness has been the objective of intensive research during the last decades. In this article, we review several techniques that have been proposed in the literature to simplify the formalization of partial and general recursive functions in interactive theorem provers. Moreover, we classify the techniques according to their theoretical basis and their practical use. This uniform presentation of the different techniques facilitates the comparison and highlights their commonalities and differences, as well as their relative advantages and limitations. We focus on theorem provers based on constructive type theory (in particular, Agda and Coq) and higher-order logic (in particular Isabelle/HOL). Other systems and logics are covered to a certain extent, but not exhaustively. In addition to the description of the techniques, we also demonstrate tools which facilitate working with the problematic functions in particular theorem provers.
