
Publications

Featured research published by Stephan Tobies.


Theorem Proving in Higher Order Logics | 2009

VCC: A Practical System for Verifying Concurrent C

Ernie Cohen; Markus Dahlweid; Mark A. Hillebrand; Dirk Leinenbach; Michal Moskal; Thomas Santen; Wolfram Schulte; Stephan Tobies

VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program (annotated with function contracts, state assertions, and type invariants) and attempts to prove the correctness of these annotations. It includes tools for monitoring proof attempts and constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology, describes the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.


International Andrei Ershov Memorial Conference on Perspectives of System Informatics | 2009

Invariants, modularity, and rights

Ernie Cohen; Eyad Alkassar; Vladimir Boyarinov; Markus Dahlweid; Ulan Degenbaev; Mark A. Hillebrand; Bruno Langenstein; Dirk Leinenbach; Michal Moskal; Steven Obua; Wolfgang J. Paul; Hristo Pentchev; Elena Petrova; Thomas Santen; Norbert Schirmer; Sabine Schmaltz; Wolfram Schulte; Andrey Shadrin; Stephan Tobies; Alexandra Tsyban; Sergey Tverdyshev

The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.


International Conference on Software Engineering | 2009

VCC: Contract-based modular verification of concurrent C

Markus Dahlweid; Michal Moskal; Thomas Santen; Stephan Tobies; Wolfram Schulte

Most system level software is written in C and executed concurrently. Because such software is often critical for system reliability, it is an ideal target for formal verification. Annotated C and the Verified C Compiler (VCC) form the first modular sound verification methodology for concurrent C that scales to real-world production code. VCC is integrated in Microsoft Visual Studio and it comes with support for verification debugging: an explorer for counter-examples of failed proofs helps to find errors in code or specifications, and a prover log analyzer helps debugging proof attempts that exhaust available resources (memory, time). VCC is currently used to verify the core of Microsoft Hyper-V, consisting of 50,000 lines of system-level C code.


Electronic Notes in Theoretical Computer Science | 2009

A Precise Yet Efficient Memory Model For C

Ernie Cohen; Michał Moskal; Stephan Tobies; Wolfram Schulte

Verification for OO programs typically starts from a strongly typed object model in which distinct objects/fields are guaranteed not to overlap. This model simplifies verification by eliminating all uninteresting aliasing and allowing the use of more efficient frame axioms. Unfortunately, this model is unsound and incomplete for languages like C, where objects can overlap almost arbitrarily. Sound verification for C therefore typically starts from an untyped memory model, where memory is just an array of bytes. The untyped model, however, adds substantial annotation burden, and reasoning in the untyped model is computationally expensive. We propose a sound, typed semantics for C that provides the annotational and computational advantages of the typed object model while remaining sound and complete for C. We maintain a predicate identifying where the valid objects are, and introduce invariants and proof obligations that guarantee that the valid objects are suitably antialiased, and that (almost) all objects appearing in the program are valid. We describe the implementation of this approach in VCC (a sound verifier for C being used to verify the Microsoft Hypervisor) and the resulting performance gains.


Formal Methods | 2011

The 1st verified software competition: experience report

Vladimir Klebanov; Peter Müller; Natarajan Shankar; Gary T. Leavens; Valentin Wüstholz; Eyad Alkassar; Rob Arthan; Derek Bronish; Rod Chapman; Ernie Cohen; Mark A. Hillebrand; Bart Jacobs; K. Rustan M. Leino; Rosemary Monahan; Frank Piessens; Nadia Polikarpova; Tom Ridge; Jan Smans; Stephan Tobies; Thomas Tuerk; Mattias Ulbrich; Benjamin Weiß

We, the organizers and participants, report our experiences from the 1st Verified Software Competition, held in August 2010 in Edinburgh at the VSTTE 2010 conference.


Computer Aided Verification | 2010

Local verification of global invariants in concurrent programs

Ernie Cohen; Michał Moskal; Wolfram Schulte; Stephan Tobies

We describe a practical method for reasoning about realistic concurrent programs. Our method allows global two-state invariants that restrict update of shared state. We provide simple, sufficient conditions for checking those global invariants modularly. The method has been implemented in VCC, an automatic, sound, modular verifier for concurrent C programs. VCC has been used to verify functional correctness of tens of thousands of lines of Microsoft's Hyper-V virtualization platform and of SYSGO's embedded real-time operating system PikeOS.


Ambient Intelligence | 2007

Sharing Intelligent Services between Homes

Henk Eertink; Remco Poortinga; Tom H. F. Broens; Stephan Tobies; Andrew Alexander Tokmakoff; Aart van Halteren

The user's environment is increasingly enriched with computing devices that offer services that aid users in their daily activities. Current use of these services is either public (i.e. unrestricted) or requires explicit registration. In the first case, user control and security are sacrificed, whilst in the second, ease of use and flexibility are limited. In this paper, we extend the perspective of user-centric computing in offering guests a simple and transparent way to access their home services from a visited intelligent environment. We provide the users with a Personal Access Device (PAD) that facilitates creation of trust between the user's own home and a visited intelligent environment. This enables seamless access to home services from the visited environment.


Archive | 2005

An Introduction to TTCN-3

Colin Willcock; Thomas Dei; Stephan Tobies; Stefan Keil; Federico Engler; Stephan Schulz


Archive | 2009

A Practical Verification Methodology for Concurrent Programs

Ernie Cohen; Wolfram Schulte; Stephan Tobies


Archive | 2007

Distributed conflict resolution for replicated databases

Stephan Tobies
