2. Formal Verificationā¦
āā¦is the act of proving or disproving the correctness of
intended algorithms underlying a system in respect to a
certain formal specification or property, using formal
methods of mathematicsā ā Wikipedia
4. Why
ā¢ find more bugs in design
and implementation
ā¢ prove correctness
ā¢ cut down testing and
maintenance cost
ā¢ Common Criteria (ISO
15408), FIPS-140-2 āØ
Level 4,ā¦
ā¢ build high-assurance
systems
5. Formal Verification of Design
ā¢ Make a formal design by using a specification
language etc.
ā¢ Define and formalize desired properties
ā¢ Verify that the chosen formal property holds for
the formal design
!
describe ā design ā formalise ā verify
6. Formal Verification of Design
ā¢ Making formal design is (mostly) not fun
ā¢ May not be enough details for interesting
properties
ā¢ Far away from actual implementation
7. Formal Verification of Program
ā¢ Use code as formal design document
ā¢ Easier to combine with debugging and testing
ā¢ Closer to actual implementation
ā¢ Can benefit from additional methods like static
program analysis etc.
8. Code to Model Example
#include <stdio.h>
#include <stdlib.h>
!
int main(int argc, const char* argv[])
{
FILE* f;
int c, n = 0, w = 0;
!
if (argc < 2)
{
printf("Filename?n");
return 1;
}
!
f = fopen(argv[1], "r");
if (f == NULL)
{
printf("open error:%sn", argv[1]);
return 1;
}
!
!
!
!
!
while ((c = fgetc(f)) != -1)
{
if (!isspace(c))
{
if (!w)
++n, w = 1;
else
w = 0;
}
}
printf("Word count: %dn", n);
!
fclose(f);
return 0;
}
9. Code to Model Example
#include <stdio.h>
#include <stdlib.h>
!
int main(int argc, const char* argv[])
{
FILE* f;
int c, n = 0, w = 0;
!
if (argc < 2)
{
printf("Filename?n");
return 1;
}
!
f = fopen(argv[1], "r");
if (f == NULL)
{
printf("open error:%sn", argv[1]);
return 1;
}
!
!
!
!
!
while ((c = fgetc(f)) != -1)
{
if (!isspace(c))
{
if (!w)
++n, w = 1;
else
w = 0;
}
}
printf("Word count: %dn", n);
!
fclose(f);
return 0;
}
10. Code to Model Example
#include <stdio.h>
#include <stdlib.h>
!
int main(int argc, const char* argv[])
{
FILE* f;
int c, n = 0, w = 0;
!
if (argc < 2)
{
printf("Filename?n");
return 1;
}
!
f = fopen(argv[1], "r");
if (f == NULL)
{
printf("open error:%sn", argv[1]);
return 1;
}
!
!
!
!
!
while ((c = fgetc(f)) != -1)
{
if (!isspace(c))
{
if (!w)
++n, w = 1;
else
w = 0;
}
}
printf("Word count: %dn", n);
!
fclose(f);
return 0;
}
11. Code to Model Example
#include <stdio.h>
#include <stdlib.h>
!
int main()
{
FILE* f;
int c, n = 0, w = 0;
enum {FALSE,TRUE} B1;
!
if (B1 = any())
{
return 1;
}
!
f = fopen(āsampleā, "r");
if (f == NULL)
{
return 1;
}
!
!
!
!
!
while ((c = fgetc(f)) != -1)
{
if (!isspace(c))
{
if (!w)
++n, w = 1;
else
w = 0;
}
}
fclose(f);
return 0;
}
12. Code to Model Example
#include <stdio.h>
#include <stdlib.h>
!
int main()
{
FILE* f;
int w = 0;
enum {FALSE,TRUE} B1, B2, B3;
!
if (B1 = any())
{
return 1;
}
!
f = fopen(āsampleā, "r");
if (f == NULL)
{
return 1;
}
!
!
!
!
!
while (B2 = any())
{
if (B3 = any())
{
if (!w)
w = 1;
else
w = 0;
}
}
fclose(f);
return 0;
}
13. Code to Model Example
int main()
{
enum {FALSE,TRUE} B1, B2, B3;
enum {FCLOSED, FOPEN, FERROR} fileState;
enum {V0, V1} W = V0;
fileState = FCLOSED;
!
if (B1 = any())
{
return 1;
}
if (any())
{
fileState = FOPEN;
}
else
{
fileState = FERROR;
}
if (fileState == FERROR)
{
return 1;
}
!
!
!
!
!
while (B2 = any())
{
if (B3 = any())
{
if (!w)
W = V1;
else
W = V0;
}
}
fileState = FCLOSED;
return 0;
}
14. Code to Model Example
int main()
{
enum {FCLOSED, FOPEN, FERROR} fileState;
!
fileState = FCLOSED;
!
if (any())
{
fileState = FERROR;
}
else if (any())
{
fileState = FOPEN;
while (any());
fileState = FCLOSED;
}
return 0;
}
!
entry
FCLOSED1
FERROR FOPEN
FCLOSED2
exit
15. Formal Verification Techniques
ā¢ Theorem Proving
ā¢ Model Checking
ā¢ Ad hoc voodoo magic
!
!
!
!
!
Although these appear to be contradictory approaches, there has been considerable
effort to incorporate theorem proving and model checking
16. Theorem Proving
ā¢ Logical deduction at the intersection of
mathematics and logics
ā¢ Prove that implementation satisfies specification
by mathematical reasoning
ā¢ implementation and specification as formulae in a some
formal logic
ā¢ required relationship (equivalence/implication) as a
theorem to prove by using a set of axioms and inference
rules (simplification, induction, etc.)
17. Theorem Proving
by hand ā classic approach
ā¢ human errors (similar to programming)
ā¢ unsuitable for verifying large software and
hardware systems
18. Theorem Proving
with some machine support ā machine
checks the syntax, fixes layout, translates into
different (meta)languages
ā¢ less errors, readable consistent statements
ā¢ still unsuitable for verifying large software and
hardware systems
19. Theorem Proving
interactive ā proofs are fully checked by machine
based on proof steps provided by user
ā¢ guaranteed correctness (if the prover is correct)
ā¢ can prove everything that is provable by hand
20. Theorem Proving
automated ā theorem is shown by machine; user
must state it in a proper form so that the prover can
solve the problem within reasonable amount of
time
ā¢ may be used by non-specialists
ā¢ may be faster than interactive proving
ā¢ many problems cannot be proved automatically
ā¢ can often deal only with finite problems
21. Limitations of Theorem Proving
ā¢ Large manpower investment to prove small
theorems, difficult to prove large or hard
theorems
ā¢ Usable only by experts, requires deep
understanding of both the system design and
proving methodology
ā¢ Automated for narrow class of system designs
22. Model Checking
Automated technique that, given a finite-state
model of a system and a formal property,
systematically checks whether this property holds
for (a given state in) that model.
!
Modelling ā Running ā Analysing
23. Modelling
ā¢ Model the system under consideration using the
model description language of the model
checker at hand
ā¢ As a first sanity check and quick assessment of
the model perform some simulations
ā¢ Formalise the property to be checked using the
property specification language.
24. Running
ā¢ Run the model checker to check the validity of
the property in the system model.
25. Analysis
ā¢ Property satisfied?
ā¢ Check next property (if any)
ā¢ Property violated?
ā¢ Analyse generated counterexample by simulation
ā¢ Refine the model, design, or property
ā¢ Repeat the entire procedure.
ā¢ Out of memory?
ā¢ Try to reduce the model and try again.
26. Temporal Logic Model Checking
ā¢ Specifications are written in propositional
temporal logic to specify time related system
behaviour properties either in absolute time or
in terms of sequences of state transitions
ā¢ Verification is an exhaustive search of the state
space of the design
27. Basic Temporal Operators
Let p be an atomic proposition, e.g. device_Enabled
ā¢ Xp ā p holds next time
ā¢ Fp ā p holds sometime in a future
ā¢ Gp ā p holds globally in a future (always)
ā¢ pUq ā p holds until another atomic proposition
q holds
!
Use with Ā¬ā§āØ etc. to form temporal logic formulae
28. Temporal Logic Formula Example
The microwave oven does not heat up until
the door is closed
!
Not heat_up holds until door_closed
!
(Ā¬heat_up) U door_closed
29. Temporal Logic Formula Example
The microwave oven does not heat up until
the door is closed
!
Not heat_up holds until door_closed
!
(Ā¬heat_up) U (door_closed ā§ powered_on)
30. Temporal Logic Model Checking Goals
Safety āĀ something bad will never happen.āØ
To satisfy, the system must not demonstrate
forbidden behaviour
!
Liveness ā something good will happen in future.āØ
To satisfy, the system must demonstrate desired
behaviour
31. Model Checking: Older Approaches
ā¢ Construct a model of a system in terms of a
finite state machine
ā¢ Choose a property, express it in some sort of
temporal logic and use a tool to explore the
state space and to check if the property holds
ā¢ Explicit-state checker enumerates all possible states
[SPIN]
ā¢ Symbolic checker uses binary decision diagram (BDD) to
encode the state transition function [NuSMV etc.]
32. Model Checking: Older Approaches
ā¢ Good for liveness and safety properties
ā¢ āis a state with property p reachable?ā
ā¢ āif I see x, will I eventually see y?ā
ā¢ āis property p true for all states?ā
ā¢ Ill-suitable for functional properties
ā¢ ādoes this function compute AES-256?ā
33. Model Checking: Newer Approaches
SAT-based model checkers
ā¢ Bounded model-checking (BMC) ā an otherwise
large or even infinite-state FSM can be analysed
by checking a finite number of state transitions
ā¢ Property directed reachability (PDR) ā combination
of induction, over-approximation and SAT
solving
34. Model Checking: Newer Approaches
Going into details of SAT and SMT solvers is
probably too much to handle for this session.
!
X(explain_sat ā§ explain_smt)
35. Model Checking Strengths
ā¢ General verification approach that is applicable
to a wide range of systems
ā¢ Supports partial verification (properties can be
checked individually, essential ones first)
ā¢ Provides diagnostic information in case a
property is invalidated (useful for debugging)
36. Model Checking Strengths (cont.)
ā¢ Requires neither a high degree of user
interaction nor a high degree of expertise
ā¢ Can be easily integrated in existing
development cycles
ā¢ Sound mathematical underpinning, based on
theory of graph algorithms, data structures,
logic etc.
37. Model Checking Weaknesses
ā¢ Mainly for control-intensive systems, less
suitable for data-intensive ones
ā¢ Verifies a model and not the actual system itself;
complimentary techniques are needed (testing
etc.)
ā¢ Check only stated requirements, completeness is
not guaranteed
38. Model Checking Weaknesses (cont.)
ā¢ Suffers from the state-space explosion problem
ā¢ Requires some expertise in finding appropriate
abstractions to obtain smaller system models
and to state properties in the logical formalism
used
ā¢ Does not allow checking generalisations
ā¢ A model checker may contain software defects
41. Thank you
This presentation is based on materials provided courtesy of and various publicly available Internet sources.
All grammar and syntax errors are, letās say, for watermarking purposesāØ
2013