formal verication of software
TRANSCRIPT
![Page 1: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/1.jpg)
Formal Verification of Software
Bernhard Beckert
UNIVERSITÄT KOBLENZ-LANDAU
Summer Term 2006
Formal Verification of Software – p.1
![Page 2: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/2.jpg)
This Course / Web Page
Web page
All information relevant to this lecture can be found on the web page
www.uni-koblenz.de/˜beckert/Lehre/Verification
Make this a lively course
Ask questions!
Don’t fall asleep
Keep cool
Formal Verification of Software – p.2
![Page 3: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/3.jpg)
This Course / Web Page
Web page
All information relevant to this lecture can be found on the web page
www.uni-koblenz.de/˜beckert/Lehre/Verification
Make this a lively course
Ask questions!
Don’t fall asleep
Keep cool
Formal Verification of Software – p.2
![Page 4: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/4.jpg)
This Course / Web Page
Web page
All information relevant to this lecture can be found on the web page
www.uni-koblenz.de/˜beckert/Lehre/Verification
Make this a lively course
Ask questions!
Don’t fall asleep
Keep cool
Formal Verification of Software – p.2
![Page 5: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/5.jpg)
This Course / Web Page
Web page
All information relevant to this lecture can be found on the web page
www.uni-koblenz.de/˜beckert/Lehre/Verification
Make this a lively course
Ask questions!
Don’t fall asleep
Keep cool
Formal Verification of Software – p.2
![Page 6: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/6.jpg)
Contents
Why verification?Advantages and disadvantage. Costs and gains.
Basics of deductive program verification:Hoare Logic and Dynamic Logic
Deductive verification of object-oriented programming languages(using Java as an example)
Formal Verification of Software – p.3
![Page 7: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/7.jpg)
Contents
Why verification?Advantages and disadvantage. Costs and gains.
Basics of deductive program verification:Hoare Logic and Dynamic Logic
Deductive verification of object-oriented programming languages(using Java as an example)
Formal Verification of Software – p.3
![Page 8: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/8.jpg)
Contents
Why verification?Advantages and disadvantage. Costs and gains.
Basics of deductive program verification:Hoare Logic and Dynamic Logic
Deductive verification of object-oriented programming languages(using Java as an example)
Formal Verification of Software – p.3
![Page 9: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/9.jpg)
What are Formal Methodsn?
Software Development Methods
Analysis
Modelling (Specification)
Implementation
Validation (Verification, Testing)
. . . using . . .
Languages and notations with (mathematical) precise semantics
Logic-based techniques
Note
formal 6= theoretical
Formal Verification of Software – p.4
![Page 10: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/10.jpg)
What are Formal Methodsn?
Software Development Methods
Analysis
Modelling (Specification)
Implementation
Validation (Verification, Testing)
. . . using . . .
Languages and notations with (mathematical) precise semantics
Logic-based techniques
Note
formal 6= theoretical
Formal Verification of Software – p.4
![Page 11: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/11.jpg)
What are Formal Methodsn?
Software Development Methods
Analysis
Modelling (Specification)
Implementation
Validation (Verification, Testing)
. . . using . . .
Languages and notations with (mathematical) precise semantics
Logic-based techniques
Note
formal 6= theoretical
Formal Verification of Software – p.4
![Page 12: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/12.jpg)
Why Formal Methods?
Quality: Important for . . .
Safety-critical applications (railway switches)
Security-critical applications (access control, electronic banking)
Financial reasons (phone cards)
Legal reasons (electronic signature, EAL6/7 in Common Criteria)
Productivity: Important for . . .
Obvious reasons
Formal Verification of Software – p.5
![Page 13: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/13.jpg)
Why Formal Methods?
Quality: Important for . . .
Safety-critical applications (railway switches)
Security-critical applications (access control, electronic banking)
Financial reasons (phone cards)
Legal reasons (electronic signature, EAL6/7 in Common Criteria)
Productivity: Important for . . .
Obvious reasons
Formal Verification of Software – p.5
![Page 14: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/14.jpg)
Why Formal Methods?
Quality through . . .
Better and more precise understanding of model and implementation
Better written software (modularisation, information hiding, . . . )
Error detection with runtime checks
Test case generation
Static analysis
Deductive verification
Formal Verification of Software – p.6
![Page 15: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/15.jpg)
Why Formal Methods?
Productivity through
Error detection in early stages of development
Re-use of components (requires specification and validation)
Better documentation, maintenance
Test case generation
Knowledge about formal methods leads tobetter software development
Formal Verification of Software – p.7
![Page 16: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/16.jpg)
Testing
Run the system at chosen inputs and observe its behaviour
– Randomly chosen
– Intelligently chosen (by hand: expensive!)
– Automatically chosen (need formalized spec)
What about other inputs? (test coverage)
What about the observation? (test oracle)
Challenges can be addressed by/require formal methods
Formal Verification of Software – p.8
![Page 17: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/17.jpg)
Testing
Run the system at chosen inputs and observe its behaviour
– Randomly chosen
– Intelligently chosen (by hand: expensive!)
– Automatically chosen (need formalized spec)
What about other inputs? (test coverage)
What about the observation? (test oracle)
Challenges can be addressed by/require formal methods
Formal Verification of Software – p.8
![Page 18: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/18.jpg)
Testing
Run the system at chosen inputs and observe its behaviour
– Randomly chosen
– Intelligently chosen (by hand: expensive!)
– Automatically chosen (need formalized spec)
What about other inputs? (test coverage)
What about the observation? (test oracle)
Challenges can be addressed by/require formal methods
Formal Verification of Software – p.8
![Page 19: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/19.jpg)
Testing
Run the system at chosen inputs and observe its behaviour
– Randomly chosen
– Intelligently chosen (by hand: expensive!)
– Automatically chosen (need formalized spec)
What about other inputs? (test coverage)
What about the observation? (test oracle)
Challenges can be addressed by/require formal methods
Formal Verification of Software – p.8
![Page 20: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/20.jpg)
Favourable Development
Design and specification
Unified Modeling Language – UML
Graphical language for object-oriented modellingStandard of Object Management Group (OMG)
Object Constraint Language – OCL
Formal textual assertion languageUML Substandard
Consolidation and documentation of design knowledge
Patterns, idioms, architectures, frameworks, etc.
Industrial implementation languages
Java, C#
Formal Verification of Software – p.9
![Page 21: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/21.jpg)
Favourable Development
Design and specification
Unified Modeling Language – UML
Graphical language for object-oriented modellingStandard of Object Management Group (OMG)
Object Constraint Language – OCL
Formal textual assertion languageUML Substandard
Consolidation and documentation of design knowledge
Patterns, idioms, architectures, frameworks, etc.
Industrial implementation languages
Java, C#
Formal Verification of Software – p.9
![Page 22: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/22.jpg)
Favourable Development
Design and specification
Unified Modeling Language – UML
Graphical language for object-oriented modellingStandard of Object Management Group (OMG)
Object Constraint Language – OCL
Formal textual assertion languageUML Substandard
Consolidation and documentation of design knowledge
Patterns, idioms, architectures, frameworks, etc.
Industrial implementation languages
Java, C#Formal Verification of Software – p.9
![Page 23: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/23.jpg)
Types of Requirements
Types of Requirements
functional requirements
communication, protocols
real-time requirements
memory use
security
robustness
etc.
Different Formal Methods
deductive verification
model checking
static analysis
run-time checks(of formel specification)
Formal Verification of Software – p.10
![Page 24: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/24.jpg)
Types of Requirements
Types of Requirements
functional requirements
communication, protocols
real-time requirements
memory use
security
robustness
etc.
Different Formal Methods
deductive verification
model checking
static analysis
run-time checks(of formel specification)
Formal Verification of Software – p.10
![Page 25: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/25.jpg)
Types of Requirements
Types of Requirements
functional requirements
communication, protocols
real-time requirements
memory use
security
robustness
etc.
Different Formal Methods
deductive verification
model checking
static analysis
run-time checks(of formel specification)
Formal Verification of Software – p.10
![Page 26: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/26.jpg)
Limitations of Formal Methods
Possible reasons for errors
Program is not correct (does not satisfy the specification)Formal verification proves absence of this kind of error
Program is not adequate (error in specification)Formal specification/verification avoid/find this kind of error
Error in operating system, compiler, hardwareNot avoided (unless compiler etc. specified/verified)
No full specification/verification
In general, it is neither useful nor feasable to fully specify and verifylarge software systems. Then, formal methods are restricted to:
Important parts/modules
Important properties/requirements
Formal Verification of Software – p.11
![Page 27: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/27.jpg)
Limitations of Formal Methods
Possible reasons for errors
Program is not correct (does not satisfy the specification)Formal verification proves absence of this kind of error
Program is not adequate (error in specification)Formal specification/verification avoid/find this kind of error
Error in operating system, compiler, hardwareNot avoided (unless compiler etc. specified/verified)
No full specification/verification
In general, it is neither useful nor feasable to fully specify and verifylarge software systems. Then, formal methods are restricted to:
Important parts/modules
Important properties/requirementsFormal Verification of Software – p.11
![Page 28: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/28.jpg)
The Main Point of Formal Methods is Not
To show “correctness” of entire systems(What IS correctness? Always go for specific properties!)
To replace testing entirely
To replace good design practices
There is no silver bullet that lets you get away without
writing crystal clear requirements and good design, in
particular, Formal Methods aren’t one
Formal Verification of Software – p.12
![Page 29: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/29.jpg)
But
Formal proof can replace many test cases
Formal methods can be used in automatic test case generation
Formal methods improve the quality of specifications
Formal Verification of Software – p.13
![Page 30: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/30.jpg)
A Fundamental Fact
Formalisation of system requirements is hard
Formal Verification of Software – p.14
![Page 31: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/31.jpg)
Difficulties in Creating Formal Models
Real
WorldAbstraction
Formal
Execution
Model
Formal
Requirements
Specification
Formal
Model
wrong assumption
eg, timing
missing requirement
eg, stack overflow
misunderstood problem
eg, wrong integer model
Formal Verification of Software – p.15
![Page 32: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/32.jpg)
Difficulties in Creating Formal Models
Real
World
Abstraction
Formal
Execution
Model
Formal
Requirements
Specification
Formal
Model
wrong assumption
eg, timing
missing requirement
eg, stack overflow
misunderstood problem
eg, wrong integer model
Formal Verification of Software – p.15
![Page 33: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/33.jpg)
Difficulties in Creating Formal Models
Real
World
Abstraction
Formal
Execution
Model
Formal
Requirements
Specification
Formal
Model
wrong assumption
eg, timing
missing requirement
eg, stack overflow
misunderstood problem
eg, wrong integer model
Formal Verification of Software – p.15
![Page 34: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/34.jpg)
Difficulties in Creating Formal Models
Real
World
Abstraction
Formal
Execution
Model
Formal
Requirements
Specification
Formal
Model
wrong assumption
eg, timing
missing requirement
eg, stack overflow
misunderstood problem
eg, wrong integer model
Formal Verification of Software – p.15
![Page 35: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/35.jpg)
Another Fundamental Fact
Proving properties of systems can be hard
Formal Verification of Software – p.16
![Page 36: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/36.jpg)
System Abstraction Level
Low level of abstraction
• Finitely many states
• Tedious to program, worse to maintain
• Automatic proofs are (in principle) possible
High level of abstraction
• Complex datatypes and control structures
• Easier to program
• Automatic proofs (in general) impossible!
Formal Verification of Software – p.17
![Page 37: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/37.jpg)
Specification Abstraction Level
Low level of abstraction
• Finitely many cases
• Approximation, low precision
• Automatic proofs are (in principle) possible
High level of abstraction
• General properties
• High precision, tight modeling
• Automatic proofs (in general) impossible!
Formal Verification of Software – p.18
![Page 38: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/38.jpg)
Main Approaches
High-level programs, High-level programs,
Complex properties Simple properties
Low-level programs, Low-level programs,
Complex properties Simple properties
Model
Checking
Formal Verification of Software – p.19
![Page 39: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/39.jpg)
Main Approaches
High-level programs, High-level programs,
Complex properties Simple properties
Low-level programs, Low-level programs,
Complex properties Simple properties
Model
Checking
Formal Verification of Software – p.19
![Page 40: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/40.jpg)
Main Approaches
KeY
System
High-level programs, High-level programs,
Complex properties Simple properties
Low-level programs, Low-level programs,
Complex properties Simple properties
Model
Checking
Formal Verification of Software – p.19
![Page 41: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/41.jpg)
Proof Automation
“Automatic” Proof
• No interaction
• Sometimes help is required anyway
• Formal specification still “by hand”
“Semi-Automatic” Proof
• Interaction may be required
• Very often proof tool suggests proof rules
• Proof is checked by tool
Formal Verification of Software – p.20
![Page 42: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/42.jpg)
SPIN at Bell Labs
Feature interaction for telephone call processing software
Tool works directly on C source code
Web interface to track properties
Work farmed out to large numbers of computers
Finds shortest possible error trace
18 months, 300 versions, 75 bugs found
Main burden: Defining meaningful properties
Formal Verification of Software – p.21
![Page 43: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/43.jpg)
SLAM at Microsoft
Device drivers running in “kernel mode” should respect API
Third-party device drivers that do not respect APIsresponsible for 90% of Windows crashes
SLAM inspects C code, builds a finite state machine,checks requirements
Being turned into a commercial tool right now
Formal Verification of Software – p.22
![Page 44: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/44.jpg)
Future Trends
Design for formal verification
Combining automatic methods with theorem provers
Combining static analysis of programswith automatic methods and with theorem provers
Combining test and formal verification
Integration of formal methods into SW development process
Integration of formal method tools into CASE tools
Formal Verification of Software – p.23
![Page 45: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/45.jpg)
Formal Methods
Are (more and more) used in practice
Can shorten development time
Can push the limits of feasible complexity
Can increase product quality
Those responsible for software management should consider
formal methods, in particular, where safety-critical,
security-critical, and cost-intensive software is concerned
Formal Verification of Software – p.24
![Page 46: Formal Verication of Software](https://reader036.vdocuments.us/reader036/viewer/2022071602/613d5a18736caf36b75c4eda/html5/thumbnails/46.jpg)
Formal Methods
Are (more and more) used in practice
Can shorten development time
Can push the limits of feasible complexity
Can increase product quality
Those responsible for software management should consider
formal methods, in particular, where safety-critical,
security-critical, and cost-intensive software is concerned
Formal Verification of Software – p.24