skip to main content
research-article

Don't sweat the small stuff: formal verification of C code without the pain

Published:09 June 2014Publication History
Skip Abstract Section

Abstract

We present an approach for automatically generating provably correct abstractions from C source code that are useful for practical implementation verification. The abstractions are easier for a human verification engineer to reason about than the implementation and increase the productivity of interactive code proof. We guarantee soundness by automatically generating proofs that the abstractions are correct.

In particular, we show two key abstractions that are critical for verifying systems-level C code: automatically turning potentially overflowing machine-word arithmetic into ideal integers, and transforming low-level C pointer reasoning into separate abstract heaps. Previous work carrying out such transformations has either done so using unverified translations, or required significant proof engineering effort.

We implement these abstractions in an existing proof-producing specification transformation framework named AutoCorres, developed in Isabelle/HOL, and demonstrate its effectiveness in a number of case studies. We show scalability on multiple OS microkernels, and we show how our changes to AutoCorres improve productivity for total correctness by porting an existing high-level verification of the Schorr-Waite algorithm to a low-level C implementation with minimal effort.

References

  1. E. Alkassar, M. Hillebrand, D. Leinenbach, N. Schirmer, and A. Starostin. The Verisoft approach to systems verification. In VSTTE 2008, volume 5295 of LNCS, pages 209--224. Springer, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. A. Appel. Verified software toolchain. In 20th ESOP, volume 6602 of LNCS, pages 1--17. Springer, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. T. Ball, E. Bounimova, R. Kumar, and V. Levin. SLAM2: Static driver verification with under 4% false alarms. In 2010 FMCAD, pages 35--42, Lugano, Switzerland, 2010. FMCAD Inc. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. J. Bloch. Nearly all binary searches and mergesorts are broken. http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html, Jun 2006.Google ScholarGoogle Scholar
  5. R. Bornat. Proving pointer programs in Hoare Logic. In 5th MPC, volume 1837 of LNCS, pages 102--126. Springer, Jul 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. A. Chlipala. The Bedrock structured programming system: combining generative metaprogramming and Hoare logic in an extensible program verifier. In 18th ICFP, pages 391--402. ACM, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. D. Cock, G. Klein, and T. Sewell. Secure microkernels, state monads and scalable refinement. In 21st TPHOLs, volume 5170 of LNCS, pages 167--182, Montreal, Canada, Aug 2008. Springer. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. E. Cohen, M. Dahlweid, M. Hillebrand, D. Leinenbach, M. Moskal, T. Santen, W. Schulte, and S. Tobies. VCC: A practical system for verifying concurrent C. In 22nd TPHOLs, volume 5674 of LNCS, pages 23--42, Munich, Germany, 2009. Springer. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. C. Ellison and G. Roşu. An executable formal semantics of C with applications. In 39th POPL, pages 533--544. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. D. Greenaway. Autocorres tool. http://ssrg.nicta.com.au/projects/TS/autocorres/, 2014.Google ScholarGoogle Scholar
  11. D. Greenaway, J. Andronick, and G. Klein. Bridging the gap: Automatic verified abstraction of C. In 3rd ITP, volume 7406 of LNCS, pages 99--115, Princeton, New Jersey, Aug 2012. Springer.Google ScholarGoogle Scholar
  12. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Software verification with Blast. In 10th SPIN, volume 2648 of LNCS, pages 235--239, Portland, OR, USA, May 2003. Springer. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. T. Hubert and C. Marché. A case study of C source code verification: the Schorr-Waite algorithm. In 3rd Int. Conf. Softw. Engin. & Formal Methods, pages 190--199. IEEE, Sep 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. ISO/IEC. Programming languages --- C. Technical Report 9899:TC2, ISO/IEC JTC1/SC22/WG14, May 2005.Google ScholarGoogle Scholar
  15. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an OS kernel. In SOSP, pages 207--220, Big Sky, MT, USA, Oct 2009. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. G. Klein, R. Kolanski, and A. Boyton. Mechanised separation algebra. In 3rd ITP, volume 7406 of LNCS, pages 332--337. Springer, 2012.Google ScholarGoogle Scholar
  17. X. Leroy. Formal verification of a realistic compiler. CACM, 52(7): 107--115, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. F. Mehta and T. Nipkow. Proving pointer programs in higher-order logic. In 19th CADE, volume 2741 of LNCS, pages 121--135, 2003.Google ScholarGoogle Scholar
  19. Y. Moy. Automatic Modular Static Safety Checking for C Programs. PhD thesis, Université Paris-Sud, Paris, France, Jan 2009.Google ScholarGoogle Scholar
  20. T. Murray, D. Matichuk, M. Brassil, P. Gammie, T. Bourke, S. Seefried, C. Lewis, X. Gao, and G. Klein. seL4: from general purpose to a proof of information flow enforcement. In IEEE Symp. Security & Privacy, pages 415--429, San Francisco, CA, May 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL --- A Proof Assistant for Higher-Order Logic. Springer, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. L. Noschinski, C. Rizkallah, and K. Mehlhorn. Verification of certifying computations through AutoCorres and Simpl. In NASA Formal Methods, volume 8430 of LNCS. Springer, 2014. To appear.Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. N. Schirmer. Verification of Sequential Imperative Programs in Isabelle/HOL. PhD thesis, Technische Universität München, 2006.Google ScholarGoogle Scholar
  24. H. Schorr and W. M. Waite. An efficient machine-independent procedure for garbage collection in various list structures. CACM, 10 (8):501--506, 1967. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. T. Sewell, M. Myreen, and G. Klein. Translation validation for a verified OS kernel. In 2013 PLDI, pages 471--481. ACM, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. N. Suzuki. Automatic Verification of Programs with Complex Data Structures. Garland Publishing, New York, 1980.Google ScholarGoogle Scholar
  27. H. Tuch, G. Klein, and M. Norrish. Types, bytes, and separation logic. In 34th POPL, pages 97--108, Nice, France, Jan 2007. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. D. von Oheimb and T. Nipkow. Machine-checking the java specification: Proving type-safety. In Formal Syntax and Semantics of Java, volume 1523 of LNCS, pages 119--156. Springer, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. X. Wang, H. Chen, A. Cheung, Z. Jia, N. Zeldovich, and M. F. Kaashoek. Undefined behavior: what happened to my code? In 3rd APSys, pages 9:1--9:7, New York, NY, USA, 2012. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. S. Winwood, G. Klein, T. Sewell, J. Andronick, D. Cock, and M. Norrish. Mind the gap: A verification framework for low-level C. In 22nd TPHOLs, volume 5674 of LNCS, pages 500--515. Springer, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Don't sweat the small stuff: formal verification of C code without the pain

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          • Published in

            cover image ACM SIGPLAN Notices
            ACM SIGPLAN Notices  Volume 49, Issue 6
            PLDI '14
            June 2014
            598 pages
            ISSN:0362-1340
            EISSN:1558-1160
            DOI:10.1145/2666356
            • Editor:
            • Andy Gill
            Issue’s Table of Contents
            • cover image ACM Conferences
              PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation
              June 2014
              619 pages
              ISBN:9781450327848
              DOI:10.1145/2594291

            Copyright © 2014 ACM

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 9 June 2014

            Check for updates

            Qualifiers

            • research-article

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!