This paper investigates the connexion between the Kannan-Lipton Orbit Problem and the polynomial invariant generator algorithm PILA, which is based on eigenvector computation. Namely, we reduce the problem of generating linear and polynomial certificates of non-reachability for the Orbit Problem for linear transformations with rational coefficients to the generalized eigenvector problem. Also, we prove the existence of such certificates for any transformation with integer coefficients, which is not the case with rational coefficients.
While a wide range of different, sometimes heterogeneous test coverage criteria have been proposed, there exists no generic formalism to describe them, and available test automation tools usually support only a small subset of them. We introduce a unified specification language, called HTOL, providing a powerful generic mechanism to define test objectives, which permits encoding numerous existing criteria and supporting them in a unified way. HTOL comes with a formal semantics and can express complex requirements over several executions (using a novel notion of hyperlabels), as well as alternative requirements or requirements over a whole program execution. A novel classification of a large class of existing criteria is proposed. Finally, a coverage measurement tool for HTOL objectives has been implemented. Initial experiments suggest that the proposed approach is both efficient and practical.
ANSI/ISO C Specification Language. This work has been supported by the 'CAT' ANR project (ANR-05-RNTL-0030x) and by the ANR CIFRE contract 2005/973.
FoC is a computer algebra library with a strong emphasis on formal certification of its algorithms. We present in this article our work on the link between the FoC language and OMDoc, an emerging XML standard to represent and share mathematical content. On the one hand, we focus on the elaboration of the documentation system FoCDoc. After an analysis of an OMDoc-based approach to documentation, we present our own XML implementation (FoCDoc) and how we generate, from a FoC program, documentation files in HTML (MathML), LaTeX and OMDoc. On the other...
This work has been supported by the 'CAT' ANR project (ANR-05-RNTL-0030x) and by the ANR CIFRE contract 2005/973.
The Focal language (formerly Foc) allows a programmer to incrementally build mathematical structures and to formally prove their correctness. Focal encourages a development process by refinement, deriving step-by-step implementations from specifications. This refinement process is realized using an inheritance mechanism on structures which can mix primitive operations, axioms, algorithms and proofs. Inheritance from existing structures allows reuse of their components under some conditions, which are statically checked by the compiler. In this paper, we first present the main constructions of the language. Then we show a shallow embedding of these constructions in the Coq proof assistant, which is used to check the proofs made in Focal. Such a proof can be either a hand-written Coq script, made in an environment set up by the Focal compiler, or a Coq term given by the Zenon theorem prover, which is partly developed within Focal. Last, we present a formalization of Focal structures...
Context. Deductive verification methods based on Hoare logic [7] provide a powerful approach to prove that a function respects certain properties. They are generally coupled with a language that allows the expected properties to be formally specified, in particular in the form of function contracts. Such a contract comprises pre- and post-conditions describing, respectively, the expected inputs and the required behaviour of the function. Problem. However, not every property one may want to establish on a given program is easily expressed in this form. Indeed, a function contract describes the course of a single execution of a given function. Yet it is frequent that one wants to state a relational property involving the execution of several functions, or to compare the results of the same function on different parameters. In particular, groups of functions...
Formal methods provide systematic and rigorous techniques for software development. We are convinced that they must be taught in Software Engineering curricula. In this paper, we present a set of formal methods courses included in a Software Engineering & Security track of ENSIIE, Ecole Nationale Superieure d'Informatique pour l'Industrie et l'Entreprise, a French engineering school delivering the Ingenieur de l'ENSIIE degree (master level). These techniques have been taught over the last fifteen years in our education programs in different formats. One of the difficulties we encounter is that students consider these kinds of techniques difficult and requiring much work, and thus are inclined to choose other courses when they can. Furthermore, students are strongly focused on the direct applicability of the knowledge they are taught, and they are not all going to pursue a professional career in the development of critical systems. Our e...
Modular deductive verification provides a sound and powerful technique to establish that any call to a given function respects its given specification. However, relational properties, i.e. properties relating several function calls, are not supported. This short paper presents an original automated technique for specification and verification of such properties using the classic deductive verification approach. We illustrate the proposed technique by comprehensive examples and present its implementation as a Frama-C plugin, named RPP.
Modular deductive verification is a powerful technique capable of showing that each function in a program satisfies its contract. However, function contracts do not provide a global view of which high-level (e.g. security-related) properties of a whole software module are actually established, making it very difficult to assess them. To address this issue, this paper proposes a new specification mechanism, called meta-properties. A meta-property can be seen as an enhanced global invariant specified for a set of functions, capable of expressing predicates on values of variables, as well as memory-related conditions (such as separation) and read or write access constraints. We also propose an automatic transformation technique translating meta-properties into usual contracts and assertions, which can be proved by traditional deductive verification tools. This technique has been implemented as a Frama-C plugin called MetAcsl and successfully applied to specify and prove safety- and security-related...
Dataflow test coverage criteria, such as all-defs and all-uses, belong to the most advanced coverage criteria. These criteria are defined by complex artifacts combining variable definitions, uses and program paths. Detection of polluting (i.e. inapplicable, infeasible and equivalent) test objectives for such criteria is a particularly challenging task. This short paper evaluates three detection approaches involving dataflow analysis, value analysis and weakest precondition calculus. We implement and compare these approaches, analyze their detection capacities and propose a methodology for their efficient combination. Initial experiments illustrate the benefits of the proposed approach.
Deductive verification provides a powerful tool to show functional properties of a given program. However, in practice, many properties of interest link several program calls. This is for instance the case for non-interference, continuity and monotonicity. Other examples relate sequences of function calls, for instance to show that decrypting an encrypted message with the appropriate key gives back the original message. Such properties cannot be expressed directly in the traditional setting used by modular deductive verification, but are amenable to verification through self-composition. This paper presents a verification tool dedicated to relational properties, in the form of a Frama-C plug-in called RPP and based on self-composition. It supports functions with side effects and recursive functions. Our initial experiments on existing benchmarks confirm that RPP is useful to prove relational properties.
The (correct) sequencing of events over time is one of the many topics of program analysis, for instance in the study of information-exchange protocols or embedded systems. Numerous works on linear temporal logic (LTL) make it possible to formally describe the expected behaviour of a program, in the form of a succession of distinct actions. Implemented within Frama-C, a source-code analysis platform for the C language, the Aorai plugin generates specifications that are equivalent, taken as a whole, to the conformance of a given C program with respect to a linear temporal logic formula. This plugin discretizes time so that only function calls and function returns are considered as events. This article presents Model-CaRet, a new Frama-C plugin that generalizes the trace studied by Aorai. More precisely, Model-CaRet is dedicated to generating the satisfia... test
Abstraction. The term \lambda τ1 x1, . . . , τn xn ; t denotes the n-ary logic function which maps x1, . . . , xn to t. It has the same precedence as \forall and \exists. In this latter case, note that the two '>' must be separated by a space, to avoid confusion with the shift operator.

term ::= \lambda binders ; term                              abstraction
       | extended-quantifier ( term , term , term )
extended-quantifier ::= \max | \min | \sum | \product | \numof

Figure 2.12: Grammar for higher-order constructs

Extended quantifiers. Terms \quant(t1, t2, t3), where quant is max, min, sum, product or numof, are extended quantifications. t1 and t2 must have type integer, and t3 must be a unary function with an integer argument and a numeric value (integer or real), except for \numof, for which it should have a boolean value. Their meanings are given as follows: \max(i, j, f) = max{f(i), f(i+1), . . . , f(j)}, \min(i, j, f) = min{f(i), f(i+1), . . . ...
In this article, we present the use of the Coq proof assistant with DESS (Master thesis) students. First, in the framework of a course on programming language semantics, Coq greatly helps the students to understand formal and abstract notions, such as induction, by binding them to more concrete terms. Next, a computer science project shows that Coq is also appropriate when dealing with larger problems. Last, we show how proofs developed by means of the Focal toolbox made it possible to get very valuable hints on the development of that system.
Papers by Virgile Prevosto