Hostname: page-component-586b7cd67f-rcrh6 Total loading time: 0 Render date: 2024-11-28T22:26:42.808Z Has data issue: false hasContentIssue false

Modular development of certified program verifiers with a proof assistant1,2

Published online by Cambridge University Press:  15 August 2008

ADAM CHLIPALA*
Affiliation:
University of California, Berkeley, CA, USA (e-mail: adamc@cs.berkeley.edu)
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

We report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checked proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. We take advantage of Coq's support for programming with dependent types and modules in the structure of the development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it is possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

Type
Articles
Copyright
Copyright © Cambridge University Press 2008

Footnotes

1

This is a revised and extended version of the paper that appeared in the 11th ACM SIGPLAN International Conference on Functional Programming (ICFP'06) (Chlipala 2006).

2

This research was supported in part by a National Defense Science and Engineering Graduate Fellowship and National Science Foundation Grants CCF-0524784, CCR-0234689, CNS-0509544, and CCR-0225610.

References

Appel, Andrew W. (2001) Foundational proof-carrying code. In LICS '01: Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science. Boston, MA, USA, pp. 247256.CrossRefGoogle Scholar
Bertot, Yves. (2001) Formalizing a JVML verifier for initialization in a theorem prover. In CAV '01: Proceedings of the 13th International Conference on Computer Aided Verification. Paris, France, pp. 14–24.Google Scholar
Bertot, Yves & Castéran, Pierre. (2004) Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer Verlag, Berlin.Google Scholar
Besson, Frée}déeric, Jensen, Thomas & Pichardie, David. (2006) Proof-carrying code from certified abstract interpretation and fixpoint compression. Theor. Comput. Sci. 364 (3), 273291.Google Scholar
Chang, Bor-Yuh Evan, Chlipala, Adam, Necula, George C. & Schneck, Robert R. (January 2005) The {open} {verifier framework for foundational verifiers. In TLDI'05: Proceedings of the 2nd ACM Workshop on Types in Language Design and Implementation, Long Beach, CA, USA.CrossRefGoogle Scholar
Cachera, David, Jensen, Thomas, Pichardie, David & Rusu, Vlad. (2005) Extracting a data flow analyser in constructive logic. Theor. Comput. Sci., 342 (1), 5678.CrossRefGoogle Scholar
Chang, Bor-Yuh Evan, Chlipala, Adam & Necula, George C. (2006) A framework for certified program analysis and its applications to mobile-code safety. In VMCAI '06: Proceedings of the Seventh International Conference on Verification, Model Checking, and Abstract Interpretation. Charleston, South Carolina, USA, pp. 174–189.Google Scholar
Chen, Chiyan & Xi, Hongwei. (2005) Combining programming with theorem proving. In ICFP '05: Proceedings of the Tenth ACM SIGPLAN International Conference on Functional Programming. Tallinn, Estonia, pp. 66–77.CrossRefGoogle Scholar
Chlipala, Adam. (2006) Modular development of certified program verifiers with a proof assistant. In ICFP '06: Proceedings of the Eleventh ACM SIGPLAN International Conference on Functional Programming. Portland, OR, USA, pp. 160–171.CrossRefGoogle Scholar
Cousot, Patrick & Cousot, Radhia. (1977) Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL'77: Proceedings of the 4th ACM Symposium on Principles of Programming Languages. Los Angeles, CA, USA, pp. 234–252.Google Scholar
Crary, Karl. (2003) Toward a foundational typed assembly language. In POPL '03: Proceedings of the 30th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. New Orleans, LA, USA, pp. 198–212.CrossRefGoogle Scholar
Delahaye, David. (2000) A tactic language for the system Coq. In LPAR '00: Proceedings of the 7th International Conference on Logic for Programming and Automated Reasoning. Reunion Island, France, pp. 85–95.CrossRefGoogle Scholar
Detlefs, David L., Leino, K. Rustan, M., Nelson, Greg & Saxe, James B. (1998) Extended static checking. In SRC Research Report 159. Compaq Systems Research Center, Palo Alto.Google Scholar
Dijkstra, Edsger W. (1976) A Discipline of Programming. Englewood Cliffs, NJ: Prentice Hall PTR.Google Scholar
Feng, Xinyu, Ni, Zhaozhong, Shao, Zhong & Guo, Yu. (January 2007) An open framework for foundational proof-carrying code. In TLDI'07: Proceedings of the 2007 ACM SIGPLAN International Workshop on Types in Language Design and Implementation. Nice, France, pp. 67–78.CrossRefGoogle Scholar
Filliatre, Jean-Christophe & Letouzey, Pierre. (2004) Functors for proofs and programs. In ESOP '04: Proceedings of the 13th European Symposium on Programming. Barcelona, Spain, pp. 370–384.CrossRefGoogle Scholar
Giménez, Eduardo. (1995) Codifying guarded definitions with recursive schemes. In TYPES '94: Selected Papers from the International Workshop on Types for Proofs and Programs, Båstad, Sweden, pp. 39–59.Google Scholar
Hamid, Nadeem A., Shao, Zhong, Trifonov, Valery, Monnier, Stefan & Ni, Zhaozhong. (2003) A syntactic approach to foundational proof-carrying code. J. Automated Reasoning 31 (3–4), 191229.Google Scholar
Intel. (2006) IA-32 Intel Architecture Software Developer's Manual, Vol. 2: Instruction set reference.Google Scholar
Klein, Gerwin & Nipkow, Tobias. (2001) Verified lightweight bytecode verification. Concurrency – Practice and Experience 13 (1), 11331151.CrossRefGoogle Scholar
Lerner, Sorin, Millstein, Todd, Rice, Erika & Chambers, Craig. (2005) Automated soundness proofs for dataflow analyses and transformations via local rules. In POPL '05: Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Long Beach, CA, USA, pp. 364–377.Google Scholar
Leroy, Xavier. (2006a) Coinductive big-step operational semantics. In ESOP '06: Proceedings of the 15th European Symposium on Programming. Vienna, Austria, pp. 54–68.CrossRefGoogle Scholar
Leroy, Xavier. (2006b) Formal certification of a compiler back-end or: Programming a compiler with a proof assistant. In POPL '06: Conference record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Charleston, SC, USA, pp. 42–54.CrossRefGoogle Scholar
MacQueen, David. (1984) Modules for standard ML. In LFP '84: Proceedings of the 1984 ACM Symposium on LISP and Functional Programming. Austin, TX, USA, pp. 198–207.Google Scholar
Martin-Löf, Per. (1996) On the meanings of the logical constants and the justifications of the logical laws. Nordic J. Philos. Logic 1 (1), 1160.Google Scholar
McBride, Conor & McKinna, James. (2004) The view from the left. J. Funct. Programming 14 (1), 69111.CrossRefGoogle Scholar
Morrisett, Greg, Crary, Karl, Glew, Neal, Grossman, Dan, Samuels, Richard, Smith, Frederick, Walker, David, Weirich, Stephanie & Zdancewic, Steve. (1999b) TALx86: A realistic typed assembly language. In Proceedings of the 1999 ACM SIGPLAN Workshop on Compiler Support for System Software. Atlanta, GA, USA, pp. 25–35.Google Scholar
Morrisett, Greg, Crary, Karl, Glew, Neal & Walker, David. (2003) Stack-based typed assembly language. J. Funct. Programming 13 (5), 957959.CrossRefGoogle Scholar
Morrisett, Greg, Walker, David, Crary, Karl & Glew, Neal. (1999a) From system F to typed assembly language. ACM Trans. Programming Languages Syst. 21 (3), 527568.CrossRefGoogle Scholar
Necula, George C. (1997) Proof-carrying code. In POPL '97: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Paris, France, pp. 106–119.CrossRefGoogle Scholar
Necula, George C. & Lee, Peter. (1998) The design and implementation of a certifying compiler. In PLDI '98: Proceedings of the ACM SIGPLAN 1998 Conference on Programming Language Design and Implementation. Montreal, Quebec, Canada, pp. 333–344.CrossRefGoogle Scholar
Sheard, Tim. (2004) Languages of the future. In OOPSLA '04: Companion to the 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications. Vancouver, BC, Canada, pp. 116–119.CrossRefGoogle Scholar
Smith, Frederick, Walker, David & Morrisett, J. Gregory. (2000) Alias types. In ESOP '00: Proceedings of the 9th European Symposium on Programming. Berlin, Germany, pp. 366–381.CrossRefGoogle Scholar
Wadler, Philip. (1992) The essence of functional programming. In POPL '92: Proceedings of the 19th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Albuquerque, NM, USA, pp. 1–14.CrossRefGoogle Scholar
Westbrook, Edwin, Stump, Aaron & Wehrman, Ian. (2005) A language-based approach to functionally correct imperative programming. In ICFP '05: Proceedings of the Tenth ACM SIGPLAN International Conference on Functional Programming. Tallinn, Estonia, pp. 268–279.CrossRefGoogle Scholar
Wu, Dinghao, Appel, Andrew W. & Stump, Aaron. (2003) Foundational proof checkers with small witnesses. In PPDP '03: Proceedings of the 5th ACM SIGPLAN International Conference on Principles and Practice of Declarative Programming. Uppsala, Sweden, pp. 264–274.CrossRefGoogle Scholar
Supplementary material: File

Chlipala Supplementary Material

Supplementary.zip

Download Chlipala Supplementary Material(File)
File 532.3 KB
Submit a response

Discussions

No Discussions have been published for this article.