research-article

Don't sweat the small stuff: formal verification of C code without the pain

Authors:

David Greenaway,

June Andronick,

Gerwin KleinAuthors Info & Claims

PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 429 - 439

https://doi.org/10.1145/2594291.2594296

Published: 09 June 2014 Publication History

Abstract

We present an approach for automatically generating provably correct abstractions from C source code that are useful for practical implementation verification. The abstractions are easier for a human verification engineer to reason about than the implementation and increase the productivity of interactive code proof. We guarantee soundness by automatically generating proofs that the abstractions are correct.

In particular, we show two key abstractions that are critical for verifying systems-level C code: automatically turning potentially overflowing machine-word arithmetic into ideal integers, and transforming low-level C pointer reasoning into separate abstract heaps. Previous work carrying out such transformations has either done so using unverified translations, or required significant proof engineering effort.

We implement these abstractions in an existing proof-producing specification transformation framework named AutoCorres, developed in Isabelle/HOL, and demonstrate its effectiveness in a number of case studies. We show scalability on multiple OS microkernels, and we show how our changes to AutoCorres improve productivity for total correctness by porting an existing high-level verification of the Schorr-Waite algorithm to a low-level C implementation with minimal effort.

References

[1]

E. Alkassar, M. Hillebrand, D. Leinenbach, N. Schirmer, and A. Starostin. The Verisoft approach to systems verification. In VSTTE 2008, volume 5295 of LNCS, pages 209--224. Springer, 2008.

Digital Library

[2]

A. Appel. Verified software toolchain. In 20th ESOP, volume 6602 of LNCS, pages 1--17. Springer, 2011.

Digital Library

[3]

T. Ball, E. Bounimova, R. Kumar, and V. Levin. SLAM2: Static driver verification with under 4% false alarms. In 2010 FMCAD, pages 35--42, Lugano, Switzerland, 2010. FMCAD Inc.

Digital Library

[4]

J. Bloch. Nearly all binary searches and mergesorts are broken. http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html, Jun 2006.

[5]

R. Bornat. Proving pointer programs in Hoare Logic. In 5th MPC, volume 1837 of LNCS, pages 102--126. Springer, Jul 2000.

Digital Library

[6]

A. Chlipala. The Bedrock structured programming system: combining generative metaprogramming and Hoare logic in an extensible program verifier. In 18th ICFP, pages 391--402. ACM, 2013.

Digital Library

[7]

D. Cock, G. Klein, and T. Sewell. Secure microkernels, state monads and scalable refinement. In 21st TPHOLs, volume 5170 of LNCS, pages 167--182, Montreal, Canada, Aug 2008. Springer.

Digital Library

[8]

E. Cohen, M. Dahlweid, M. Hillebrand, D. Leinenbach, M. Moskal, T. Santen, W. Schulte, and S. Tobies. VCC: A practical system for verifying concurrent C. In 22nd TPHOLs, volume 5674 of LNCS, pages 23--42, Munich, Germany, 2009. Springer.

Digital Library

[9]

C. Ellison and G. Roşu. An executable formal semantics of C with applications. In 39th POPL, pages 533--544. ACM, 2012.

Digital Library

[10]

D. Greenaway. Autocorres tool. http://ssrg.nicta.com.au/projects/TS/autocorres/, 2014.

[11]

D. Greenaway, J. Andronick, and G. Klein. Bridging the gap: Automatic verified abstraction of C. In 3rd ITP, volume 7406 of LNCS, pages 99--115, Princeton, New Jersey, Aug 2012. Springer.

[12]

T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Software verification with Blast. In 10th SPIN, volume 2648 of LNCS, pages 235--239, Portland, OR, USA, May 2003. Springer.

Digital Library

[13]

T. Hubert and C. Marché. A case study of C source code verification: the Schorr-Waite algorithm. In 3rd Int. Conf. Softw. Engin. & Formal Methods, pages 190--199. IEEE, Sep 2005.

Digital Library

[14]

ISO/IEC. Programming languages --- C. Technical Report 9899:TC2, ISO/IEC JTC1/SC22/WG14, May 2005.

[15]

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an OS kernel. In SOSP, pages 207--220, Big Sky, MT, USA, Oct 2009. ACM.

Digital Library

[16]

G. Klein, R. Kolanski, and A. Boyton. Mechanised separation algebra. In 3rd ITP, volume 7406 of LNCS, pages 332--337. Springer, 2012.

[17]

X. Leroy. Formal verification of a realistic compiler. CACM, 52(7): 107--115, 2009.

Digital Library

[18]

F. Mehta and T. Nipkow. Proving pointer programs in higher-order logic. In 19th CADE, volume 2741 of LNCS, pages 121--135, 2003.

[19]

Y. Moy. Automatic Modular Static Safety Checking for C Programs. PhD thesis, Université Paris-Sud, Paris, France, Jan 2009.

[20]

T. Murray, D. Matichuk, M. Brassil, P. Gammie, T. Bourke, S. Seefried, C. Lewis, X. Gao, and G. Klein. seL4: from general purpose to a proof of information flow enforcement. In IEEE Symp. Security & Privacy, pages 415--429, San Francisco, CA, May 2013.

Digital Library

[21]

T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL --- A Proof Assistant for Higher-Order Logic. Springer, 2002.

Digital Library

[22]

L. Noschinski, C. Rizkallah, and K. Mehlhorn. Verification of certifying computations through AutoCorres and Simpl. In NASA Formal Methods, volume 8430 of LNCS. Springer, 2014. To appear.

Digital Library

[23]

N. Schirmer. Verification of Sequential Imperative Programs in Isabelle/HOL. PhD thesis, Technische Universität München, 2006.

[24]

H. Schorr and W. M. Waite. An efficient machine-independent procedure for garbage collection in various list structures. CACM, 10 (8):501--506, 1967.

Digital Library

[25]

T. Sewell, M. Myreen, and G. Klein. Translation validation for a verified OS kernel. In 2013 PLDI, pages 471--481. ACM, 2013.

Digital Library

[26]

N. Suzuki. Automatic Verification of Programs with Complex Data Structures. Garland Publishing, New York, 1980.

[27]

H. Tuch, G. Klein, and M. Norrish. Types, bytes, and separation logic. In 34th POPL, pages 97--108, Nice, France, Jan 2007. ACM.

Digital Library

[28]

D. von Oheimb and T. Nipkow. Machine-checking the java specification: Proving type-safety. In Formal Syntax and Semantics of Java, volume 1523 of LNCS, pages 119--156. Springer, 1999.

Digital Library

[29]

X. Wang, H. Chen, A. Cheung, Z. Jia, N. Zeldovich, and M. F. Kaashoek. Undefined behavior: what happened to my code? In 3rd APSys, pages 9:1--9:7, New York, NY, USA, 2012. ACM.

Digital Library

[30]

S. Winwood, G. Klein, T. Sewell, J. Andronick, D. Cock, and M. Norrish. Mind the gap: A verification framework for low-level C. In 22nd TPHOLs, volume 5674 of LNCS, pages 500--515. Springer, 2009.

Digital Library

Cited By

Xu QSanan DHou ZLuan XWatt CLiu Y(2025)Generically Automating Separation Logic by Functors, Homomorphisms, and ModulesProceedings of the ACM on Programming Languages10.1145/37049039:POPL(1992-2024)Online publication date: 9-Jan-2025
https://dl.acm.org/doi/10.1145/3704903
Lawall JNishimura KLozi J(2025)Should We Balance? Towards Formal Verification of the Linux Kernel SchedulerStatic Analysis10.1007/978-3-031-74776-2_8(194-215)Online publication date: 21-Jan-2025
https://doi.org/10.1007/978-3-031-74776-2_8
Nagasamudram RBeringer LBirman KMilano MNaumann D(2024)Verifying a C Implementation of Derecho’s Coordination Mechanism Using VST and CoqNASA Formal Methods10.1007/978-3-031-60698-4_6(99-117)Online publication date: 26-May-2024
https://doi.org/10.1007/978-3-031-60698-4_6
Show More Cited By

Index Terms

Don't sweat the small stuff: formal verification of C code without the pain
1. Software and its engineering
  1. Software notations and tools
    1. Formal language definitions
      1. Semantics
  2. Software organization and properties
    1. Software functional properties
      1. Correctness
2. Theory of computation
  1. Logic
    1. Proof theory
  2. Semantics and reasoning
    1. Program semantics

Recommendations

Don't sweat the small stuff: formal verification of C code without the pain
PLDI '14

We present an approach for automatically generating provably correct abstractions from C source code that are useful for practical implementation verification. The abstractions are easier for a human verification engineer to reason about than the ...
Coinductive Verification of Program Optimizations Using Similarity Relations

Formal verification methods have gained increased importance due to their ability to guarantee system correctness and improve reliability. Nevertheless, the question how proofs are to be formalized in theorem provers is far from being trivial, yet very ...
Formalization of the Resolution Calculus for First-Order Logic

I present a formalization in Isabelle/HOL of the resolution calculus for first-order logic with formal soundness and completeness proofs. To prove the calculus sound, I use the substitution lemma, and to prove it complete, I use Herbrand interpretations ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation

June 2014

619 pages

ISBN:9781450327848

DOI:10.1145/2594291

General Chair:
Michael O'Boyle
University of Edinburgh
,
Program Chair:
Keshav Pingali
University of Texas, Austin

ACM SIGPLAN Notices Volume 49, Issue 6
PLDI '14
June 2014
598 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/2666356
Editor:
Andy Gill
University of Kansas, Lawrence, KS
Issue’s Table of Contents

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 June 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Australian Government

Conference

PLDI '14

Sponsor:

PLDI '14: ACM SIGPLAN Conference on Programming Language Design and Implementation

June 9 - 11, 2014

Edinburgh, United Kingdom

Acceptance Rates

PLDI '14 Paper Acceptance Rate 52 of 287 submissions, 18%;

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

44
Total Citations
View Citations
557
Total Downloads

Downloads (Last 12 months)39
Downloads (Last 6 weeks)9

Reflects downloads up to 08 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Xu QSanan DHou ZLuan XWatt CLiu Y(2025)Generically Automating Separation Logic by Functors, Homomorphisms, and ModulesProceedings of the ACM on Programming Languages10.1145/37049039:POPL(1992-2024)Online publication date: 9-Jan-2025
https://dl.acm.org/doi/10.1145/3704903
Lawall JNishimura KLozi J(2025)Should We Balance? Towards Formal Verification of the Linux Kernel SchedulerStatic Analysis10.1007/978-3-031-74776-2_8(194-215)Online publication date: 21-Jan-2025
https://doi.org/10.1007/978-3-031-74776-2_8
Nagasamudram RBeringer LBirman KMilano MNaumann D(2024)Verifying a C Implementation of Derecho’s Coordination Mechanism Using VST and CoqNASA Formal Methods10.1007/978-3-031-60698-4_6(99-117)Online publication date: 26-May-2024
https://doi.org/10.1007/978-3-031-60698-4_6
Blanchard AMarché CPrevosto V(2024)Formally Expressing What a Program Should Do: The ACSL LanguageGuide to Software Verification with Frama-C10.1007/978-3-031-55608-1_1(3-80)Online publication date: 10-Jul-2024
https://doi.org/10.1007/978-3-031-55608-1_1
Nicolae AIrofti PLeuştean I(2024)OpenBSD Formal Driver Verification with SeL4Innovative Security Solutions for Information Technology and Communications10.1007/978-3-031-52947-4_11(144-156)Online publication date: 21-Jan-2024
https://doi.org/10.1007/978-3-031-52947-4_11
Pohjola JSyeda HTanaka MWinter KSau TNott BUng TMcLaughlin CSeassau RMyreen MNorrish MHeiser G(2023)PancakeProceedings of the 12th Workshop on Programming Languages and Operating Systems10.1145/3623759.3624544(1-9)Online publication date: 23-Oct-2023
https://dl.acm.org/doi/10.1145/3623759.3624544
Chen ZLafont AO'Connor LKeller GMcLaughlin CJackson VRizkallah C(2023)Dargent: A Silver Bullet for Verified Data Layout RefinementProceedings of the ACM on Programming Languages10.1145/35712407:POPL(1369-1395)Online publication date: 11-Jan-2023
https://dl.acm.org/doi/10.1145/3571240
Crisafulli PTaha SWolff B(2023)Modeling and analysing Cyber–Physical Systems in HOL-CSPRobotics and Autonomous Systems10.1016/j.robot.2023.104549170:COnline publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1016/j.robot.2023.104549
Yuan SLion BBesson FTalpin J(2023)Making an eBPF Virtual Machine Faster on Microcontrollers: Verified Optimization and Proof SimplificationDependable Software Engineering. Theories, Tools, and Applications10.1007/978-981-99-8664-4_22(385-401)Online publication date: 27-Nov-2023
https://dl.acm.org/doi/10.1007/978-981-99-8664-4_22
Lepigre RSammler MMemarian KKrebbers RDreyer DSewell P(2022)VIP: verifying real-world C idioms with integer-pointer castsProceedings of the ACM on Programming Languages10.1145/34986816:POPL(1-32)Online publication date: 12-Jan-2022
https://dl.acm.org/doi/10.1145/3498681
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten