Robert Bellarmine Krug

Meta reasoning in ACL2

The ACL2 system is based upon a first-order logic and implements traditional first-order reasoning techniques, notably (conditional) rewriting, as well as extensions including mathematical induction and a “functional instantiation” capability for mimicking second-order reasoning. Additionally, one can engage in meta-reasoning — using ACL2 to reason, and prove theorems, about ACL2s logic from within ACL2. One can then use these theorems to augment ACL2s proof engine with custom extensions. ACL2 also supports forms of meta-level control of its rewriter. Relatively recent additions of these forms of control, as well as extensions to ACL2s long-standing meta-reasoning capability, allow a greater range of rules to be written than was possible before, allowing one to specify more comprehensive proof strategies.

Toward the Verification of a Simple Hypervisor

Virtualization promises significant benefits in security, e fficiency, dependability,and cost. Achievingthese benefits depends upon the reliability of the underlyin g virtual machine monitors (hypervisors).This paper describes an ongoing project to develop and verify MinVisor, a simple but functionalType-I x86 hypervisor, proving protection properties at the assembly level using ACL2. Originallybased on an existing research hypervisor, MinVisor provides protection of its own memory from amalicious guest. Our long-term goal is to fully verify MinVisor, providing a vehicle to investigatethe modeling and verification of hypervisors at the implemen tation level, and also a basis for furthersystems research. Functionalsegmentsofthe MinVisorC codebase aretranslatedintoY86assembly,and verified with respect to the Y86 model. The inductive asse rtions (also known as “compositionalcutpoints”) methodology is used to prove the correctness of the code. The proof of the code that setsup the nested page tables is described. We compare this project to related efforts in systems codeverification and outline some useful steps forward.

Mechanized Information Flow Analysis through Inductive Assertions

We present a method for verifying information flow properties of software programs using inductive assertions and theorem proving. Given a program annotated with information flow assertions at cutpoints, the method uses a theorem prover and operational semantics to generate and discharge verification conditions. This obviates the need to develop a verification condition generator (VCG) or a customized logic for information flow properties. The method is compositional: a subroutine needs to be analyzed once, rather than at each call site. The method is being mechanized in the ACL2 theorem prover, and we discuss initial results demonstrating its applicability.