Programming with abstract data types
Proceedings of the ACM SIGPLAN symposium on Very high level languages
Secure Microkernels, State Monads and Scalable Refinement
TPHOLs '08 Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics
On Refinement-Closed Security Properties and Nondeterministic Compositions
Electronic Notes in Theoretical Computer Science (ENTCS)
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Supporting Reuse of Event-B Developments through Generic Instantiation
ICFEM '09 Proceedings of the 11th International Conference on Formal Engineering Methods: Formal Methods and Software Engineering
Reuse of specification patterns with the B method
ZB'03 Proceedings of the 3rd international conference on Formal specification and development in Z and B
Provable Security: how feasible is it?
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
ITP'11 Proceedings of the Second international conference on Interactive theorem proving
Noninterference for operating system kernels
CPP'12 Proceedings of the Second international conference on Certified Programs and Proofs
Practical probability: applying pGCL to lattice scheduling
ITP'13 Proceedings of the 4th international conference on Interactive Theorem Proving
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
Hi-index | 0.00 |
One way to reduce the cost of formally verifying a large program is to perform proofs over a specification of its behaviour, which its implementation refines. However, interesting programs must often satisfy multiple properties. Ideally, each property should be proved against the most abstract specification for which it holds. This simplifies reasoning and increases the property's robustness against later tweaks to the program's implementation. We introduce extensible specifications, a lightweight technique for constructing a specification that can be instantiated and reasoned about at multiple levels of abstraction. This avoids having to write and maintain a different specification for each property being proved whilst still allowing properties to be proved at the highest levels of abstraction. Importantly, properties proved of an extensible specification hold automatically for all instantiations of it, avoiding unnecessary proof duplication. We explain how we applied this idea in the context of verifying confidentiality enforcement for the seL4 microkernel, saving us significant proof and code duplication.