Certification of a Tool Chain for Deductive Program Verification

This thesis belongs to the domain of software verification. The goalof verifying software is to ensure that an implementation, a program,satisfies the requirements, the specification. This is especiallyimportant for critical computer programs, such as control systems forair planes, trains and power...

Full description

Bibliographic Details
Main Author: Herms, Paolo
Language:English
Published: Université Paris Sud - Paris XI 2013
Subjects:
Coq
C
Online Access:http://tel.archives-ouvertes.fr/tel-00789543
http://tel.archives-ouvertes.fr/docs/00/78/95/43/PDF/VD2_HERMS_PAOLO_14012013.pdf
id ndltd-CCSD-oai-tel.archives-ouvertes.fr-tel-00789543
record_format oai_dc
spelling ndltd-CCSD-oai-tel.archives-ouvertes.fr-tel-007895432014-10-14T03:26:27Z http://tel.archives-ouvertes.fr/tel-00789543 2013PA112006 http://tel.archives-ouvertes.fr/docs/00/78/95/43/PDF/VD2_HERMS_PAOLO_14012013.pdf Certification of a Tool Chain for Deductive Program Verification Herms, Paolo [INFO:INFO_OH] Computer Science/Other [INFO:INFO_OH] Informatique/Autre Formal verification Formal methods Proof assistant Proof of Programs Extraction Code analysis Coq C This thesis belongs to the domain of software verification. The goalof verifying software is to ensure that an implementation, a program,satisfies the requirements, the specification. This is especiallyimportant for critical computer programs, such as control systems forair planes, trains and power plants. Here a malfunctioning occurringduring operation would have catastrophic consequences. Software requirements can concern safety or functioning. Safetyrequirements, such as not accessing memory locations outside validbounds, are often implicit, in the sense that any implementation isexpected to be safe. On the other hand, functional requirementsspecify what the program is supposed to do. The specification of aprogram is often expressed informally by describing in English or someother natural language the mission of a part of the program code.Usually program verification is then done by manual code review,simulation and extensive testing. But this does not guarantee that allpossible execution cases are captured. Deductive program proving is a complete way to ensure soundness of theprogram. Here a program along with its specificationis a mathematical object and its desired properties are logicaltheorems to be formally proved. This way, if the underlying logicsystem is consistent, we can be absolutely sure that the provenproperty holds for the program in any case.Generation of verification conditions is a technique helpingthe programmer to prove the properties he wants about his programs.Here a VCG tool analyses a program and its formal specification andproduces a mathematical formula, whose validity implies the soundnessof the program with respect to its specification. This is particularlyinteresting when the generated formulas can be proved automatically byexternal SMT solvers.This approach is based on works of Hoare and Dijkstra and iswell-understood and shown correct in theory. Deductive verificationtools have nowadays reached a maturity allowing them to be used inindustrial context where a very high level of assurance isrequired. But implementations of this approach must deal with allkinds of language features and can therefore become quite complex andcontain errors -- in the worst case stating that a program correcteven if it is not. This raises the question of the level ofconfidence granted to these tools themselves. The aim of this thesis is to address this question. We develop, inthe Coq system, a certified verification-condition generator (VCG) forACSL-annotated C programs.Our first contribution is the formalisation of an executableVCG for the Whycert intermediate language,an imperative language with loops, exceptions and recursive functionsand its soundness proof with respect to the blocking big-step operational semantics of the language.A second contribution is the formalisation of the ACSL logicallanguage and the semantics of ACSL annotations of Compcert's Clight.From the compilation of ACSL annotated Clight programs to Whycertprograms and its semantics preservation proof combined with a Whycertaxiomatisation of the Compcert memory model results our maincontribution: an integrated certified tool chainfor verification of C~programs on top of Compcert. By combining oursoundness result with the soundness of the Compcert compiler we obtaina Coq theorem relating the validity of the generated proof obligationswith the safety of the compiled assembly code. 2013-01-14 eng PhD thesis Université Paris Sud - Paris XI
collection NDLTD
language English
sources NDLTD
topic [INFO:INFO_OH] Computer Science/Other
[INFO:INFO_OH] Informatique/Autre
Formal verification
Formal methods
Proof assistant
Proof of Programs
Extraction
Code analysis
Coq
C
spellingShingle [INFO:INFO_OH] Computer Science/Other
[INFO:INFO_OH] Informatique/Autre
Formal verification
Formal methods
Proof assistant
Proof of Programs
Extraction
Code analysis
Coq
C
Herms, Paolo
Certification of a Tool Chain for Deductive Program Verification
description This thesis belongs to the domain of software verification. The goalof verifying software is to ensure that an implementation, a program,satisfies the requirements, the specification. This is especiallyimportant for critical computer programs, such as control systems forair planes, trains and power plants. Here a malfunctioning occurringduring operation would have catastrophic consequences. Software requirements can concern safety or functioning. Safetyrequirements, such as not accessing memory locations outside validbounds, are often implicit, in the sense that any implementation isexpected to be safe. On the other hand, functional requirementsspecify what the program is supposed to do. The specification of aprogram is often expressed informally by describing in English or someother natural language the mission of a part of the program code.Usually program verification is then done by manual code review,simulation and extensive testing. But this does not guarantee that allpossible execution cases are captured. Deductive program proving is a complete way to ensure soundness of theprogram. Here a program along with its specificationis a mathematical object and its desired properties are logicaltheorems to be formally proved. This way, if the underlying logicsystem is consistent, we can be absolutely sure that the provenproperty holds for the program in any case.Generation of verification conditions is a technique helpingthe programmer to prove the properties he wants about his programs.Here a VCG tool analyses a program and its formal specification andproduces a mathematical formula, whose validity implies the soundnessof the program with respect to its specification. This is particularlyinteresting when the generated formulas can be proved automatically byexternal SMT solvers.This approach is based on works of Hoare and Dijkstra and iswell-understood and shown correct in theory. Deductive verificationtools have nowadays reached a maturity allowing them to be used inindustrial context where a very high level of assurance isrequired. But implementations of this approach must deal with allkinds of language features and can therefore become quite complex andcontain errors -- in the worst case stating that a program correcteven if it is not. This raises the question of the level ofconfidence granted to these tools themselves. The aim of this thesis is to address this question. We develop, inthe Coq system, a certified verification-condition generator (VCG) forACSL-annotated C programs.Our first contribution is the formalisation of an executableVCG for the Whycert intermediate language,an imperative language with loops, exceptions and recursive functionsand its soundness proof with respect to the blocking big-step operational semantics of the language.A second contribution is the formalisation of the ACSL logicallanguage and the semantics of ACSL annotations of Compcert's Clight.From the compilation of ACSL annotated Clight programs to Whycertprograms and its semantics preservation proof combined with a Whycertaxiomatisation of the Compcert memory model results our maincontribution: an integrated certified tool chainfor verification of C~programs on top of Compcert. By combining oursoundness result with the soundness of the Compcert compiler we obtaina Coq theorem relating the validity of the generated proof obligationswith the safety of the compiled assembly code.
author Herms, Paolo
author_facet Herms, Paolo
author_sort Herms, Paolo
title Certification of a Tool Chain for Deductive Program Verification
title_short Certification of a Tool Chain for Deductive Program Verification
title_full Certification of a Tool Chain for Deductive Program Verification
title_fullStr Certification of a Tool Chain for Deductive Program Verification
title_full_unstemmed Certification of a Tool Chain for Deductive Program Verification
title_sort certification of a tool chain for deductive program verification
publisher Université Paris Sud - Paris XI
publishDate 2013
url http://tel.archives-ouvertes.fr/tel-00789543
http://tel.archives-ouvertes.fr/docs/00/78/95/43/PDF/VD2_HERMS_PAOLO_14012013.pdf
work_keys_str_mv AT hermspaolo certificationofatoolchainfordeductiveprogramverification
_version_ 1716716665416187904