Formal VerificationSlide 2Formal ApproachVerification techniques – Criteria for classifyingPropositional logicSlide 6Inductive verificationModel-checkingFormal Verification: ComponentsSpecification LanguagesSlide 11Example: SPECIALExample: Enhanced Hierarchical Development MethodologySlide 14Levels of AbstractionHDM VerificationBoyer-Moore Theorem ProverSlide 18Gypsy verification environment (GVE)Other ExamplesSlide 21Protocol VerificationFormal VerificationLecture 11Formal VerificationFormal verification relies onDescriptions of the properties or requirementsDescriptions of systems to be analyzed, andVerification techniques showing requirements are met by system descriptionRely on underlying mathematical logic system and the proof theory of that systemFormal ApproachFormal Models use language of mathematicsSpecification languagesFor policies, models and system descriptionsWell-defined syntax and semantics – based on mathsCurrent trends - two general categoriesInductive techniquesModel checking techniquesDifferences based onIntended use, degree of automation, underlying logic systems, etc.Verification techniques – Criteria for classifyingProof-based vs model-basedProof: Formula define premises / conclusionsProof shows how to reach conclusions from premisesModel-based: Premises and conclusions have same truth tablesDegree of automationmanual or automated (degree)Propositional logicVerification techniques – Criteria for classifyingFull verification vs property verificationDoes methodology model full system?Or just prove certain key properties?Examples?Intended domain of applicationHW/SW, reactive, concurrentPredevelopment vs post developmentAs design aid or after designInductive verificationTypically more generalUses theorem proversE.g., uses predicate calculusA sequence of proof steps starting with premises of the formula and eventually reaching a conclusionMay be used To find flaws in designTo verify the properties of computer programsModel-checkingSystems modeled as state transition systemsFormula may be true in some states and false in othersFormulas may change values as systems evolveProperties are formulas in logicTruth values are dynamicShow: Model and the desired properties are semantically equivalentModel and properties express the same truth tableOften used after development is complete but before a product is released to the general marketPrimarily for reactive, concurrent systemsFormal Verification:ComponentsFormal Specification defined in unambiguous (mathematical) languageRestricted syntax, and well-defined semantics based on established mathematical conceptsExample:?Implementation LanguageGenerally somewhat constrainedFormal Semantics relating the twoMethodology to ensure implementation ensures specifications metSpecification LanguagesSpecify WHAT, not HOWValid states of systemPost-conditions of operationsNon-ProceduralTypical Examples:Propositional / Predicate LogicTemporal Logic (supports before/after conditions)Set-based models (e.g., formal Bell-LaPadula)Specification LanguagesMust support machine processingStrong typingModel input/output/errorsExample: SPECIALFirst order logic basedStrongly typedVFUN: describes variables (state)OFUN/OVFUN: describe state transitionsExample: SPECIALMODULE Bell_LaPadula_Model Give_readTypesSubject_ID: DESIGNATOR;Object_ID: DESIGNATOR;Access_Mode: {READ, APPEND, WRITE};Access: STRUCT_OF(Subject_ID subject; Object_ID object; Access_Mode mode);FunctionsVFUN active (Object_ID object) -> BOOLEAN active: HIDDEN; INITIALLY TRUE;VFUN access_matrix() -> Accesses accesses: HIDDEN;INITIALLY FORALL Access a: a INSET accesses => active(a.object);OFUN give_access(Subject_ID giver; Access access);ASSERTIONS active(access.object) = TRUE;EFFECTS `access_matrix() = access_matrix() UNION (access);END_MODULEExample: Enhanced Hierarchical Development MethodologyBased on HDMA general purpose design and implementation methodologyGoal wasTo mechanize and formalize the entire development processDesign specification and verification + implementation specification and verificationProof-based methodUses Boyer-Moore Theorem ProverExample: Enhanced Hierarchical Development MethodologyHierarchical approachAbstract Machines defined at each levelspecification written in SPECIALMapping Specifications define functionality in terms of machines at higher layersConsistency Checker validates mappings “match”Compiler that maps a program into a theorem-prover understood formSuccessfully used on MLS systemsFew formal policy specifications outside MLS domainLevels of AbstractionHDM VerificationBoyer-Moore Theorem ProverFully automatedNo interface for comments or directionsUser provides all the theorems, axioms, lemmata, assertionsLISP like notationVery difficult for proving complex theoremsKey ideaUsed extended propositional calculusEfficiency – to find a proof.Boyer-Moore Theorem ProverSteps:Simplify the formulaReformulate the formula with equivalent termsSubstitute equalitiesGeneralize the formula by introducing variablesEliminate irrelevant termsInduct to proveGypsy verification environment (GVE)Based on PascalFormal proof and runtime validation supportSpecifications defined on proceduresEntry conditions, Exit conditions, AssertionsProof techniques ensure exit conditions / assertions met given entry conditionsAlso run-time checkingExamples:Gypsy (in book) – uses theorem proverCLUEiffel (and derivatives) – run-time checksOther ExamplesPrototype Verification System (PVS)Based on EHDMInteractive theorem-proverSymbolic Model VerifierTemporal logic basedNotion of “path” – program represented as treeStatements that condition must hold at a future state, all future states, all states on one path, etc.Other ExamplesFormal verification of protocolsKey managementProtocol developmentVerification of librariesEntire system not verifiedBut components known okayHigh risk subsystemsProtocol VerificationGenerating protocols that meet security specificationsAssumes cryptography secureBut cryptography is not
View Full Document