Gerhard Schellhorn

Formal System Development with KIV

KIV is a tool for formal systems development. It can be employed, e.g., — for the development of safety critical systems from formal requirements specifications to executable code, including the verification of safety requirements and the correctness of implementations, — for semantical foundations of programming languages from a specification of the semantics to a verified compiler, — for building security models and architectural models as they are needed for high level ITSEC [7] or CC [1] evaluations.

Structured Specifications and Interactive Proofs with KIV

The aim of this chapter is to describe the integrated specification- and theorem proving environment of KIV. KIV is an advanced tool for developing high assurance systems. It supports: hierarchical formal specification of software and system designs specification of safety/security models proving properties of specifications modular implementation of specification components modular verification of implementations incremental verification and error correction reuse of specifications, proofs, and verified components

Verification of a Formal Security Model for Multiapplicative Smart Cards

We present a generic formal security model for operating systems of multiapplicative smart cards. The model formalizes the main security aspects of secrecy, integrity, secure communication between applications and secure downloading of new applications. The model satisfies a security policy consisting of authentication and intransitive noninterference. The model extends the classical security models of Bell/LaPadula and Biba, but avoids the need for trusted processes, which are not subject to the security policy by incorporating such processes directly in the model itself. The correctness of the security policy has been formally proven with the VSE II system.

ASM Refinement and generalizations of forward simulation in data refinement: a comparison

In (J. Universal Comput. Sci. 7 (2001) 952), we have formalized Borgers refinement notion for Abstract State Machines (ASMs). The formalization was based on transition systems and verification conditions were expressed in Dynamic Logic.In this paper, the relation between ASM refinement and data refinement is explored. Data refinement expresses operations and verification conditions using relational calculus.We show how to bridge the gap between the different notations, and that forward simulation in the behavioral approach to data refinement can be viewed as a specific instance of ASM refinement with 1:1 diagrams, where control structure is not refined.We also prove that two recent generalizations of data refinement, weak refinement and coupled refinement can be derived from ASM refinement.

Formal Fault Tree Analysis - Practical Experiences

Safety is an important requirement for many modern systems. To ensure safety of complex critical systems, well-known safety analysis methods have been formalized. This holds in particular for automation sytsems and transportation systems. In this paper we present the formalization of one of the most wide spread safety analysis methods: fault tree analysis (FTA). Formal FTA allows to rigorously reason about completeness of a faulty tree. This means it is possible to prove whether a certain combination of component failures is critical for system failure or not. This is a big step forward as informal reasoning on cause-consequence relations is very error-prone. We report on our experiences with a real world case study from the domain of railroads. The here presented case study is - to our knowledge - the first complete formal fault tree analysis for an infinite state system. Until now only finite state systems have been analyzed with formal FTA by using model checking.

Mechanically verified proof obligations for linearizability

Concurrent objects are inherently complex to verify. In the late 80s and early 90s, Herlihy and Wing proposed linearizability as a correctness condition for concurrent objects, which, once proven, allows us to reason about concurrent objects using pre- and postconditions only. A concurrent object is linearizable if all of its operations appear to take effect instantaneously some time between their invocation and return. In this article we define simulation-based proof conditions for linearizability and apply them to two concurrent implementations, a lock-free stack and a set with lock-coupling. Similar to other approaches, we employ a theorem prover (here, KIV) to mechanize our proofs. Contrary to other approaches, we also use the prover to mechanically check that our proof obligations actually guarantee linearizability. This check employs the original ideas of Herlihy and Wing of verifying linearizability via possibilities.

Theorem proving in large theories

The motivation behind this chapter is the question: how can formal software verification benefit from automated first-order theorem proving? To answer the question we used the software verification tool KIV (Reif et al., 1995), (Reif, 1995), (Reif et al., 1997) as a test environment. We did comparative experiments with five automated theorem provers as dedicated subsystems for the non-inductive first-order goals that showed up during proofs of specification- and program properties in KIV. The five provers were Otter (Wos et al., 1992), Protein (Baumgartner and Furbach, 1994), SETHEO (Goller et al., 1994), Spass (Weidenbach et al., 1996) and 3 T A P (Beckert et al., 1996). The experiments were performed in the context of a joint project between the research groups of 3 T A P and KIV at the Universities of Karlsruhe and Ulm on the conceptual integration of interactive and automated theorem proving. In this project we use KIV and 3 T A P as an experimental platform (for other results of this project, see Chapter II.1.4). Therefore, 3 T A P could be called from inside KIV, whereas for the other provers the problems had to be transferred by hand.

Interactive Verification of Statecharts

In this paper, we present an approach to the interactive verification of statecharts. We use STATEMATE statecharts for the formal specification of safety critical systems and Interval Temporal Logic to formalize the proof conditions. To handle infinite data, complex functions and predicates, we use algebraic specifications.

How to prove algorithms linearisable

Linearisability is the standard correctness criterion for concurrent data structures. In this paper, we present a sound and complete proof technique for linearisability based on backward simulations. We exemplify this technique by a linearisability proof of the queue algorithm presented in Herlihy and Wings landmark paper. Except for the manual proof by them, none of the many other current approaches to checking linearisability has successfully treated this intricate example. Our approach is grounded on complete mechanisation: the proof obligations for the queue are verified using the interactive prover KIV, and so is the general soundness and completeness result for our proof technique.

Proving linearizability with temporal logic

Linearizability is a global correctness criterion for concurrent systems. One technique to prove linearizability is applying a composition theorem which reduces the proof of a property of the overall system to sufficient rely-guarantee conditions for single processes. In this paper, we describe how the temporal logic framework implemented in the KIV interactive theorem prover can be used to model concurrent systems and to prove such a composition theorem. Finally, we show how this generic theorem can be instantiated to prove linearizability of two classic lock-free implementations: a Treiber-like stack and a slightly improved version of Michael and Scott’s queue.