Vladimir Klebanov
Karlsruhe Institute of Technology
Publications
Featured research published by Vladimir Klebanov.
Formal Methods | 2011
Vladimir Klebanov; Peter Müller; Natarajan Shankar; Gary T. Leavens; Valentin Wüstholz; Eyad Alkassar; Rob Arthan; Derek Bronish; Rod Chapman; Ernie Cohen; Mark A. Hillebrand; Bart Jacobs; K. Rustan M. Leino; Rosemary Monahan; Frank Piessens; Nadia Polikarpova; Tom Ridge; Jan Smans; Stephan Tobies; Thomas Tuerk; Mattias Ulbrich; Benjamin Weiß
We, the organizers and participants, report our experiences from the 1st Verified Software Competition, held in August 2010 in Edinburgh at the VSTTE 2010 conference.
Verified Software: Theories, Tools, Experiments | 2014
Wolfgang Ahrendt; Bernhard Beckert; Daniel Bruns; Richard Bubel; Christoph Gladisch; Sarah Grebing; Reiner Hähnle; Martin Hentschel; Mihai Herda; Vladimir Klebanov; Wojciech Mostowski; Christoph Scheben; Peter H. Schmitt; Mattias Ulbrich
The KeY system offers a platform of software analysis tools for sequential Java. Foremost, this includes full functional verification against contracts written in the Java Modeling Language. But the approach is general enough to provide a basis for other methods and purposes: (i) complementary validation techniques to formal verification such as testing and debugging, (ii) methods that reduce the complexity of verification such as modularization and abstract interpretation, (iii) analyses of non-functional properties such as information flow security, and (iv) sound program transformation and code generation. We show that deductive technology that has been developed for full functional verification can be used as a basis and framework for other purposes than pure functional verification. We use the current release of the KeY system as an example to explain and prove this claim.
FoVeOOS'10 Proceedings of the 2010 international conference on Formal verification of object-oriented software | 2010
Daniel Bruns; Vladimir Klebanov; Ina Schaefer
Software product line (SPL) engineering is a well-known approach to developing industry-size adaptable software systems. SPLs are often used in domains where high-quality software is desirable; the overwhelming product diversity, however, remains a challenge for assuring correctness. In this paper, we present delta-oriented slicing, an approach to reduce the deductive verification effort across an SPL where individual products are Java programs and their relations are described by deltas. On the specification side, we extend the delta language to deal with formal specifications. On the verification side, we combine proof slicing and similarity-guided proof reuse to ease the verification process.
Quantitative Evaluation of Systems | 2013
Vladimir Klebanov; Norbert Manthey; Christian J. Muise
Quantitative information flow analysis (QIF) is a portfolio of security techniques quantifying the flow of confidential information to public ports. In this paper, we advance the state of the art in QIF for imperative programs. We present both an abstract formulation of the analysis in terms of verification condition generation, logical projection and model counting, and an efficient concrete implementation targeting ANSI C programs. The implementation combines various novel and existing SAT-based tools for bounded model checking, #SAT solving in presence of projection, and SAT preprocessing. We evaluate the technique on synthetic and semi-realistic benchmarks.
Software Engineering and Formal Methods | 2004
Bernhard Beckert; Vladimir Klebanov
We present a proof reuse mechanism for deductive program verification calculi. After a program amendment, it reuses a previous proof incrementally (one proof step at a time), employing a similarity measure for the points (formulas, terms, programs) where a rule is applied. The method is flexible, as the reuse mechanism does not need knowledge about particularities of the target programming language or individual calculus rules. It also allows reuse of proof steps even if the situation in the new proof is merely similar but not identical to the template. Upon reaching a significant change in the program, the reuse process stops, and genuinely new proof steps have to be provided. Reuse resumes automatically if another (unaffected) part of the proof template becomes pertinent. Our method has been successfully implemented within the KeY system to reuse correctness proofs for Java programs.
FoVeOOS'11 Proceedings of the 2011 international conference on Formal Verification of Object-Oriented Software | 2011
Thorsten Bormer; Marc Brockschmidt; Dino Distefano; Gidon Ernst; Jean-Christophe Filliâtre; Radu Grigore; Marieke Huisman; Vladimir Klebanov; Claude Marché; Rosemary Monahan; Wojciech Mostowski; Nadia Polikarpova; Christoph Scheben; Gerhard Schellhorn; Bogdan Tofan; Julian Tschannen; Mattias Ulbrich
This paper reports on the experiences with the program verification competition held during the FoVeOOS conference in October 2011. There were 6 teams participating in this competition. We discuss the three different challenges that were posed and the solutions developed by the teams. We conclude with a discussion about the value of such competitions and lessons learned from them.
Logic-Based Program Synthesis and Transformation | 2013
Bernhard Beckert; Daniel Bruns; Vladimir Klebanov; Christoph Scheben; Peter H. Schmitt; Mattias Ulbrich
This paper contributes to the investigation of object-sensitive information flow properties for sequential Java, i.e., properties that take into account information leakage through objects, as opposed to primitive values. We present two improvements to a popular object-sensitive non-interference property. Both reduce the burden on analysis and monitoring tools. We present a formalization of this property in a program logic – JavaDL in our case – which allows using an existing tool without requiring program modification. The third contribution is a novel fine-grained specification methodology. In our approach, arbitrary JavaDL terms (read ‘side-effect-free Java expressions’) may be assigned a security level – in contrast to security labels being attached to fields and variables only.
Theoretical Computer Science | 2014
Vladimir Klebanov
Quantitative information flow analysis (QIF) is a portfolio of software security assessment techniques measuring the amount of confidential information leaked by a program to its public outputs. In this paper, we extend the scope of precise QIF for deterministic imperative programs where information flow can be described with linear integer arithmetic. We propose two novel QIF analyses that precisely measure both residual Shannon entropy and min-entropy of the secret and that feature improved tolerance to large leaks and large input domains. For this purpose, we investigate the use of program specifications in QIF. We present criteria for specification admissibility and a program analysis that replaces exhaustive program exploration with symbolic execution, while incorporating user-supplied (but machine-checked) specifications. This kind of program analysis allows trading automation for scalability, e.g., to programs with unbounded loops. Furthermore, we show how symbolic projection and counting, based in this instance on symbolic manipulation of polyhedra, avoid subsequent leak enumeration and enable precise QIF for programs with large leaks.
International Journal on Software Tools for Technology Transfer (STTT) archive | 2015
Marieke Huisman; Vladimir Klebanov; Rosemary Monahan
VerifyThis 2012 was a 2-day verification competition that took place as part of the International Symposium on Formal Methods (FM 2012) on August 30–31, 2012, in Paris, France. It was the second installment in the VerifyThis series. After the competition, an open call solicited contributions related to the VerifyThis 2012 challenges and overall goals. As a result, seven papers were submitted and, after review and revision, included in this special issue. In this introduction to the special issue, we provide an overview of the VerifyThis competition series, an account of related activities in the area, and an overview of solutions submitted to the organizers both during and after the 2012 competition. We conclude with a summary of results and some remarks concerning future installments of VerifyThis.
Tests and Proofs | 2008
Christian Engel; Christoph Gladisch; Vladimir Klebanov; Philipp Rümmer
Formal methods can only gain widespread use in industrial software development if they are integrated into software development techniques, tools, and languages used in practice. A symbiosis of software testing and verification techniques is a highly desired goal, but at the current state of the art most available tools are dedicated to just one of the two tasks: verification or testing. We use the KeY verification system (developed by the tutorial presenters) to demonstrate our approach in combining both.

We introduce an aspect-oriented reformulation of reference counting that is particularly well-suited to Java applications and does not share the error-prone characteristic of manual, user-driven reference counting. We present our method in the context of the Real-Time Specification for Java and demonstrate that it can recycle dead objects in bounded time. We apply partial evaluation to specialize the aspect-generated code, which substantially reduces the reference-counting overhead.