Thomas Santen
Microsoft
Publication
Featured research published by Thomas Santen.
Theorem Proving in Higher Order Logics | 2009
Ernie Cohen; Markus Dahlweid; Mark A. Hillebrand; Dirk Leinenbach; Michal Moskal; Thomas Santen; Wolfram Schulte; Stephan Tobies
VCC is an industrial-strength verification environment for low-level concurrent system code written in C. VCC takes a program (annotated with function contracts, state assertions, and type invariants) and attempts to prove the correctness of these annotations. It includes tools for monitoring proof attempts and constructing partial counterexample executions for failed proofs. This paper motivates VCC, describes our verification methodology, describes the architecture of VCC, and reports on our experience using VCC to verify the Microsoft Hyper-V hypervisor.
Requirements Engineering | 2010
Benjamin Fabian; Seda Gürses; Maritta Heisel; Thomas Santen; Holger Schmidt
This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.
International Andrei Ershov Memorial Conference on Perspectives of System Informatics | 2009
Ernie Cohen; Eyad Alkassar; Vladimir Boyarinov; Markus Dahlweid; Ulan Degenbaev; Mark A. Hillebrand; Bruno Langenstein; Dirk Leinenbach; Michal Moskal; Steven Obua; Wolfgang J. Paul; Hristo Pentchev; Elena Petrova; Thomas Santen; Norbert Schirmer; Sabine Schmaltz; Wolfram Schulte; Andrey Shadrin; Stephan Tobies; Alexandra Tsyban; Sergey Tverdyshev
The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.
Formal Methods | 2009
Dirk Leinenbach; Thomas Santen
VCC is an industrial-strength verification suite for the formal verification of concurrent, low-level C code. It is being developed by Microsoft Research, Redmond, and the European Microsoft Innovation Center, Aachen. The development is driven by two applications from the Verisoft XT project: the Microsoft Hyper-V Hypervisor and SYSGO's PikeOS micro kernel. This paper gives a brief overview of the Hypervisor with a special focus on the verification-related challenges this kind of low-level software poses. It discusses how the design of VCC addresses these challenges, and highlights some specific issues of the Hypervisor verification and how they can be solved with VCC.
Theorem Proving in Higher Order Logics | 1996
Kolyang; Thomas Santen; Burkhart Wolff
We present a semantic representation of the core concepts of the specification language Z in higher-order logic. Although it is a “shallow embedding” like the one presented by Bowen and Gordon, our representation preserves the structure of a Z specification and avoids expanding Z schemas. The representation is implemented in the higher-order logic instance of the generic theorem prover Isabelle. Its parser can convert the concrete syntax of Z schemas into their semantic representation and thus spare users from having to deal with the representation explicitly. Our representation essentially conforms with the latest draft of the Z standard and may give both a clearer understanding of Z schemas and inspire the development of proof calculi for Z.
International Conference on Software Engineering | 2009
Markus Dahlweid; Michal Moskal; Thomas Santen; Stephan Tobies; Wolfram Schulte
Most system level software is written in C and executed concurrently. Because such software is often critical for system reliability, it is an ideal target for formal verification. Annotated C and the Verified C Compiler (VCC) form the first modular sound verification methodology for concurrent C that scales to real-world production code. VCC is integrated in Microsoft Visual Studio and it comes with support for verification debugging: an explorer for counter-examples of failed proofs helps to find errors in code or specifications, and a prover log analyzer helps debugging proof attempts that exhaust available resources (memory, time). VCC is currently used to verify the core of Microsoft Hyper-V, consisting of 50,000 lines of system-level C code.
ZUM '97 Proceedings of the 10th International Conference of Z Users on The Z Formal Specification Notation | 1997
Steffen Helke; Thomas Neustupny; Thomas Santen
We use a structure preserving encoding of Z in the higher-order logic instance of the generic theorem prover Isabelle to derive test cases from Z specifications. This work shows how advanced theorem provers can be used with little effort to provide tool support for Z beyond mere type-checking. Experience with a non-trivial example shows that modular reasoning according to the structure of a specification is crucial to keep the proof-load manageable in practical applications. Support for modular reasoning can be based on higher-order equational reasoning as implemented in Isabelle.
Embedded Software | 2010
Ethan K. Jackson; Eunsuk Kang; Markus Dahlweid; Dirk Seifert; Thomas Santen
Model-driven architecture (MDA) is a model-based approach for engineering complex software systems. MDA is particularly attractive for designing embedded systems because models can be easily evolved as hardware and software requirements evolve. However, efforts to apply MDA in industrial settings expose several open problems surrounding tooling: engineers need automated techniques that are scalable, general, and extensible. In this paper we describe the FORMULA framework as a novel approach towards general automation for MDA. We develop a running example and benchmarks to compare our tools with other state-of-the-art approaches.
Soft Computing | 2009
Ethan K. Jackson; Dirk Seifert; Markus Dahlweid; Thomas Santen; Nikolaj Bjørner; Wolfram Schulte
Non-functional requirements encompass important design concerns such as schedulability, security, and communication constraints. In model-based development they non-locally impact admissible platform mappings and design spaces. In this paper we present a novel and formal approach for specifying non-functional requirements as constraint systems over the space of models. Our approach, based on structured logic programming, allows interacting requirements to be specified independently from each other and composed together. Correct-by-construction operators eliminate some composition mistakes. Our approach is implemented in our formal modeling tool FORMULA, which can analyze the impacts of interacting non-functional requirements on platform mappings and design spaces.
Lecture Notes in Computer Science | 2002
Graeme Smith; Florian Kammüller; Thomas Santen
In this paper, we present a formalisation of the reference semantics of Object-Z in the higher-order logic (HOL) instantiation of the generic theorem prover Isabelle, Isabelle/HOL. This formalisation has the effect of both clarifying the semantics and providing the basis for a theorem prover for Object-Z. The work builds on an earlier encoding of a value semantics for object-oriented Z in Isabelle/HOL and a denotational semantics of Object-Z based on separating the internal and external effects of class methods.