Joe Hurd

Probabilistic guarded commands mechanized in HOL

The probabilistic guarded-command language (pGCL) contains both demonic and probabilistic non-determinism, which makes it suitable for reasoning about distributed random algorithms. Proofs are based on weakest precondition semantics, using an underlying logic of real- (rather than Boolean-)valued functions.We present a mechanization of the quantitative logic for pGCL using the HOL theorem prover, including a proof that all pGCL commands, satisfy the new condition sublinearity, the quantitative generalization of conjunctivity for standard GCL.The mechanized theory also supports the creation of an automatic proof tool which takes as input an annotated pGCL program and its partial correctness specification, and derives from that a sufficient set of verification conditions. This is employed to verify the partial correctness of the probabilistic voting stage in Rabins mutual-exclusion algorithm.

Probabilistic Guarded Commands Mechanized in HOL

The probabilistic guarded-command language pGCL [Carroll Morgan, Annabelle McIver. pGCL: formal reasoning for random algorithms. South African Computer Journal (1999)] contains both demonic and probabilistic nondeterminism, which makes it suitable for reasoning about distributed random algorithms [Carroll Morgan. Proof rules for probabilistic loops. In Proceedings of the BCS-FACS 7th Refinement Workshop. He Jifeng, John Cooke and Peter Wallis (eds). Springer Verlag Workshops in Computing, 1996]. Proofs are based on weakest precondition semantics, using an underlying logic of real- (rather than Boolean-) valued functions. We present a mechanization of the quantitative logic for pGCL [Carroll Morgan, Annabelle McIver, and Karen Seidel, Probabilistic predicate transformers. ACM Transactions on Programming Languages and Systems, 18(3): 325-353, May 1996] using the HOL theorem prover [M.J.C. Gordon and T.F. Melham. Introduction to HOL (A theorem-proving environment for higher order logic). Cambridge University Press, 1993], including a proof that all pGCL commands satisfy the new condition sublinearity, the quantitative generalization of conjunctivity for standard GCL [E.W. Dijkstra. A Discipline of Programming. Prentice Hall, 1976]. The mechanized theory also supports the creation of an automatic proof tool which takes as input an annotated pGCL program and its partial correctness specification, and derives from that a sufficient set of verification conditions. This is employed to verify the partial correctness of the probabilistic voting stage in Rabins mutual-exclusion algorithm [Eyal Kushilevitz and Michael O. Rabin. Randomized mutual exclusion algorithms revisited. In Maurice Herlihy, editor, Proceedings of the 11th Annual Symposium on Principles of Distributed Computing, pages 275-283, Vancouver, BC, Canada, August 1992. ACM Press].

Functional correctness proofs of encryption algorithms

We discuss a collection of mechanized formal proofs of symmetric key block encryption algorithms (AES, MARS, Twofish, RC6, Serpent, IDEA, and TEA), performed in an implementation of higher order logic. For each algorithm, functional correctness, namely that decryption inverts encryption, is formally proved by a simple but effective proof methodology involving application of invertibility lemmas in the course of symbolic evaluation. Block ciphers are then lifted to the encryption of arbitrary datatypes by using modes of operation to encrypt lists of bits produced by a polytypic encoding method.

Theorem Proving in Higher Order Logics

Invited Papers.- On the Correctness of Operating System Kernels.- Alpha-Structural Recursion and Induction.- Regular Papers.- Shallow Lazy Proofs.- Mechanized Metatheory for the Masses: The PoplMark Challenge.- A Structured Set of Higher-Order Problems.- Formal Modeling of a Slicing Algorithm for Java Event Spaces in PVS.- Proving Equalities in a Commutative Ring Done Right in Coq.- A HOL Theory of Euclidean Space.- A Design Structure for Higher Order Quotients.- Axiomatic Constructor Classes in Isabelle/HOLCF.- Meta Reasoning in ACL2.- Reasoning About Java Programs with Aliasing and Frame Conditions.- Real Number Calculations and Theorem Proving.- Verifying a Secure Information Flow Analyzer.- Proving Bounds for Real Linear Programs in Isabelle/HOL.- Essential Incompleteness of Arithmetic Verified by Coq.- Verification of BDD Normalization.- Extensionality in the Calculus of Constructions.- A Mechanically Verified, Sound and Complete Theorem Prover for First Order Logic.- A Generic Network on Chip Model.- Formal Verification of a SHA-1 Circuit Core Using ACL2.- From PSL to LTL: A Formal Validation in HOL.- Proof Pearls.- Proof Pearl: A Formal Proof of Higmans Lemma in ACL2.- Proof Pearl: Dijkstras Shortest Path Algorithm Verified with ACL2.- Proof Pearl: Defining Functions over Finite Sets.- Proof Pearl: Using Combinators to Manipulate let-Expressions in Proof.

Proof pearl: the termination analysis of terminator

TERMINATOR is a static analysis tool developed by Microsoft Research for proving termination of Windows device drivers written in C. This proof pearl describes a formalization in higher order logic of the program analysis employed by Terminator, and verifies that if the analysis succeeds then program termination logically follows.

Computer Assisted Reasoning

Today’s increasingly computer-based society is dependent on the correctness and reliability of crucial infrastructure, such as programming languages, compilers, networks, and microprocessors. One important way to achieve the required level of assurance is to use formal specification and proof, and tool support for this approach has steadily grown to the point where the specification and verification of important system infrastructure is now feasible. To survey the state of the art and discuss future possibilities and challenges, a two day research meeting entitled Tools and Techniques for Verification of System Infrastructure1 was held in March 2008 at the Royal Society in London. The event was held in honour of Prof. Michael J. C. Gordon FRS on the occasion of his 60th birthday, and we are pleased to dedicate this special issue of the Journal of Automated Reasoning to him, which contains a selection of papers that followed from the meeting.