
5: The Hoare Logic

- A formal system to rigorously reason about the correctness of programs.
- Usage: to prove correctness "by hand". This is difficult and error prone: doable for small algorithms, unfeasible for large programs.
- Learning goals: learn the rules of Hoare Logic; apply them to tiny algorithms "by hand"; use a tool that applies them for automatic verification (→ section on SPARK).
- The goal behind the goals: understand how tool-based program verification works (without knowing the HL, you could not reasonably use such tools).

–206– S. Lucks Security Engineering

History

- Floyd, 1967: use of asserts as a tool for proofs of correctness.
- Hoare, 1969: axiomatic definition of program correctness via "Hoare triples": {Precond.} Program(-fragment) {Postcond.}. Distinction between partial and total correctness.
- Dijkstra, 1975: "weakest precondition" as the foundation for automatically generated proofs, though not with the computers available in 1975.

Partial and total correctness

- Consider a program S, and assume its precondition is satisfied. Notation as a "Hoare triple": {Precondition} S {Postcondition}.
- S is partially correct if, whenever it delivers a result, the result satisfies the postcondition. S may not always deliver a result.
- S is totally correct if it is partially correct and it always terminates (without raising an exception, though Hoare didn't consider exceptions in 1969).
- What S does if its precondition is not satisfied doesn't affect correctness.

Examples

Which of the examples is (a) totally correct, (b) partially but not totally correct, or (c) even partially incorrect?

1. {X = 1} null; {X = 0}
2. {True} X := 1; {X = 0}
3. {X = 1} null; {X = 1}
4. {X = 1} loop null; end loop; {X = 0}
5. {True} X := 1; {X = 1}
6. {False} X := 1; {X = 0}

Mathematical Proofs

- New proofs are examined carefully when (and even before) they are published ("peer review").
- Sometimes, people find flaws in proofs published many years before.

Proofs in Computer Science

- Proofs of correctness for algorithms and communication protocols: "peer review", as in mathematics.
- Proofs of correctness for software (implementations of algorithms): no "peer review", hardly any incentive.
- The proofs are often no easier to understand than the source code.
- If the computer can't verify the proofs, who else will?

Correctness

  {X ≥ 1}
  while X > 1 loop
    if X mod 2 = 0 then X := X / 2; else X := 3*X + 1; end if;
  end loop;
  {X = 1}

- Partial correctness: Yes We Can!
- Total correctness: unsolved problem from mathematics.
- Note: our "integers" are mathematical (elements of Z).

Surprise?

- Given integers X and Y, search for a statement(-sequence) S with {True} S {Y = max(X, Y)}. Which of these statement(-sequence)s are correct?
  - Y := X;
  - X := Y;
  - X := 0;
  - if X > Y then X := Y; end if;
  - if X > Y then Y := X; end if;
  - X := 0; Y := 0;
- Guess which solution is desired? ;-)

The (perhaps) correct Specification

- Consider {Xold = X ∧ Yold = Y} S {Y = max(Xold, Yold)} with S = "if X > Y then Y := X; end if;"
- This is the expected behaviour. Observe the "ghost variables", such as Xold and Yold, that represent the "old" values of X and Y.
- Also correct: S = "if X > Y then Y := X; else X := Y; end if;"
- The defense against changing X: {Xold = X ∧ Yold = Y} S {X = Xold ∧ Y = max(Xold, Yold)}.
- Classical Hoare logic requires specifying all variables that didn't change. This scales extremely badly for larger applications!
- Tools avoid that need, e.g., SPARK's data flow analysis.

Case study: Sort array A[1..N]

- 1st idea: define S(A) = A[1] ≤ A[2] ≤ ··· ≤ A[N] (S(A) = "A is sorted"): {True} Sort(A); {S(A)}
- This is too weak! (Why?) What else do we need?
- 2nd idea: P(Aold, A) = "A is a permutation of Aold": {True} Sort(A); {S(A) ∧ P(Aold, A)}
- This does what we want. But how shall we actually formalize P(Aold, A)?

5.1: Building Blocks and a Toy Language

- First-order logic.
- Two axioms and four other rules to define a "toy language" ... but a real language can be derived from this.
- Logical deduction (application of rules and axioms) to define new rules, and to prove them!

Rule of Composition

  {P} S1 {R}, {R} S2 {Q}
  ----------------------
  {P} S1; S2; {Q}

Statements S1 and S2 can merge into S1; S2 if the postcondition of S1 is the same as the precondition of S2. Example:
- S1 = {X ≥ 1} X := X + 1; {X ≥ 2}
- S2 = {X ≥ 2} X := X / 2; {X ≥ 1}

How all rules look, in general

  H1, H2, ..., Hn
  ---------------
         C

- "Conclusion" C
- "Hypothesis" H1 ∧ H2 ∧ ··· ∧ Hn
- "Axiom": a rule with (H1 ∧ H2 ∧ ··· ∧ Hn) = True.

Rule/Axiom 1: Empty Statement

  True
  -------------
  {P} null; {P}

The axiom ensures that the null; statement doesn't change the state of the program. Whatever holds true before null; also holds true afterwards, and vice versa.

Axiom 2: Assignment

  True
  ----------------------------
  {P[Expr → v]} v := Expr; {P}

If P and Expr are expressions, "P[Expr → v]" denotes the expression where all "free" occurrences of v in P are replaced by Expr.

Example: {2 * X = A} X := 2 * X; {X = A}, with P = (X = A), v = X, Expr = 2 * X and P[Expr → v] = (2 * X = A). If the equation X = A shall hold after the assignment, then the equation 2 * X = A must hold before.

Rule 3: Composition (we have seen that before)

  {P} S1 {R}, {R} S2 {Q}
  ----------------------
  {P} S1; S2; {Q}

Rule 4: IF-THEN-ELSE

  {P ∧ B} S1 {Q}, {P ∧ ¬B} S2 {Q}
  --------------------------------------
  {P} if B then S1; else S2; end if; {Q}

Rule 5: WHILE

  {P ∧ B} S {P}
  --------------------------------------
  {P} while B loop S; end loop; {P ∧ ¬B}

Rule 6: Conclusion

  P ⇒ P', {P'} S {Q'}, Q' ⇒ Q
  ---------------------------
  {P} S {Q}

Deriving new rules (1)

Conclusion:

  P ⇒ P', {P'} S {Q'}, Q' ⇒ Q
  ---------------------------
  {P} S {Q}

Abstract logic: P ⇒ P and Q ⇒ Q hold trivially, so either implication of the Conclusion rule can be dropped.

Postcondition Weakening:

  {P} S {Q'}, Q' ⇒ Q
  ------------------
  {P} S {Q}

Precondition Strengthening:

  P ⇒ P', {P'} S {Q}
  ------------------
  {P} S {Q}

Deriving new rules (2)

Rule of Composition:

  {P} S1 {R}, {R} S2 {Q}
  ----------------------
  {P} S1; S2; {Q}

Conclusion:

  P ⇒ P', {P'} S {Q'}, Q' ⇒ Q
  ---------------------------
  {P} S {Q}

Extended Rule of Composition:

  {P} S1 {R}, {R'} S2 {Q}, R ⇒ R'
  -------------------------------
  {P} S1; S2; {Q}

Our Toy Language

Ada code fragments:
- variables of a (mathematical) integer type
- expressions: integer, boolean
- statements: null; assignment: variable := integer-expr; sequence of statements
- control structures: if boolean-expr then statement else statement end if; while boolean-expr loop statement end loop

5.2: The WHILE rule is special

  {P ∧ B} S {P}
  --------------------------------------
  {P} while B loop S; end loop; {P ∧ ¬B}

1. WHILE separates partial from complete correctness. Note that the language we currently have does not support (recursive) subprograms.
2. WHILE loops are difficult to prove correct, both manually and (especially) automatically.

Invariant

An important tool to analyze loops: P is an invariant of a loop if it holds before and after each iteration of the loop.

Example: {Y = 0} while X > 0 loop Y := Y + 1; X := X - 1; end loop; {Y = Xold}
What invariant would you use?

Variant

Another tool to analyze loops, for total correctness. An integer expression V is a variant of a loop
1. if V ≥ 0 and
2. if V decreases during each iteration.

Example: {Y = 0} while X > 0 loop Y := Y + 1; X := X - 1; end loop; {Y = Xold}
What is the variant of the loop?
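To make the rules of 5.1 and the invariant/variant machinery of 5.2 concrete, here is an added example in Python; it is not part of the lecture slides and not SPARK. It is a tiny weakest-precondition checker for the toy language: statements and predicates are nested tuples of my own design, `wp` implements rules 1 to 5 (the WHILE statement carries its invariant and an optional variant), and `verify` checks pre ⇒ wp(S, post) together with the loop verification conditions. Lacking a theorem prover, `holds` evaluates each condition over a bounded range of integer values, which can refute a triple but does not prove it for all of Z. The counting loop assumes X ≥ 0 in its precondition and invariant, since the slide leaves the sign of X implicit.

```python
# Added example, not from the slides: a small weakest-precondition checker for the toy
# language of 5.1 (rules 1-6); WHILE carries an invariant and an optional variant (5.2).
from itertools import product
# Expressions/predicates: ('const', n), ('var', 'X'), ('true',), ('false',), ('not', p),
#   (op, a, b) with op in  + - * / mod = < <= > >= and or =>
# Statements: ('null',), ('assign', 'X', e), ('seq', s1, s2), ('if', b, s1, s2),
#   ('while', b, invariant, variant_or_None, body)
V = lambda name: ('var', name)
C = lambda n: ('const', n)

def subst(p, v, e):
    """P[E -> v]: replace every occurrence of variable v in p by expression e."""
    if p[0] == 'var':
        return e if p[1] == v else p
    return (p[0],) + tuple(subst(c, v, e) if isinstance(c, tuple) else c for c in p[1:])

def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    return set().union(*(free_vars(c) for c in t[1:] if isinstance(c, tuple)))

def ev(t, env):
    """Evaluate an expression or predicate in a concrete state {name: int}."""
    k = t[0]
    if k == 'const': return t[1]
    if k == 'var': return env[t[1]]
    if k in ('true', 'false'): return k == 'true'
    if k == 'not': return not ev(t[1], env)
    if k == 'and': return ev(t[1], env) and ev(t[2], env)
    if k == 'or': return ev(t[1], env) or ev(t[2], env)
    if k == '=>': return (not ev(t[1], env)) or ev(t[2], env)
    a, b = ev(t[1], env), ev(t[2], env)
    if k == '/': return (abs(a) // abs(b)) * (1 if (a < 0) == (b < 0) else -1)  # Ada "/" truncates toward zero
    if k == 'mod': return a % b                   # Ada "mod" takes the sign of the divisor, like Python's %
    return {'+': a + b, '-': a - b, '*': a * b, '=': a == b,
            '<': a < b, '<=': a <= b, '>': a > b, '>=': a >= b}[k]

def wp(s, q, vcs):
    """Weakest precondition of statement s for postcondition q; loop VCs are appended to vcs."""
    k = s[0]
    if k == 'null':                               # Rule 1: {P} null; {P}
        return q
    if k == 'assign':                             # Axiom 2: {P[E -> v]} v := E; {P}
        return subst(q, s[1], s[2])
    if k == 'seq':                                # Rule 3: composition
        return wp(s[1], wp(s[2], q, vcs), vcs)
    if k == 'if':                                 # Rule 4: if-then-else
        b, s1, s2 = s[1:]
        return ('and', ('=>', b, wp(s1, q, vcs)), ('=>', ('not', b), wp(s2, q, vcs)))
    if k == 'while':                              # Rule 5 with invariant P
        b, inv, var, body = s[1:]
        vcs.append(('=>', ('and', inv, b), wp(body, inv, vcs)))    # {P and B} S {P}
        vcs.append(('=>', ('and', inv, ('not', b)), q))            # P and not B => Q
        if var is not None:                       # variant V (5.2): V >= 0 and V strictly decreases
            v0 = V('_v0')                         # ghost variable: value of V before the body runs
            vcs.append(('=>', ('and', inv, b), ('>=', var, C(0))))
            vcs.append(('=>', ('and', ('and', inv, b), ('=', var, v0)), wp(body, ('<', var, v0), vcs)))
        return inv
    raise ValueError('unknown statement ' + k)

def holds(pred, lo, hi):
    """Bounded check over all assignments in [lo, hi]: can refute a VC, cannot prove it for all of Z."""
    names = sorted(free_vars(pred))
    return all(ev(pred, dict(zip(names, vals))) for vals in product(range(lo, hi + 1), repeat=len(names)))

def verify(pre, stmt, post, lo=-6, hi=6):
    """{pre} stmt {post} is accepted if pre => wp(stmt, post) (Rule 6) and every loop VC hold."""
    vcs = []
    main = ('=>', pre, wp(stmt, post, vcs))
    return all(holds(vc, lo, hi) for vc in [main] + vcs)

def slide_examples():
    """The six triples of the 'Examples' slide (True = partially correct)."""
    x, one, zero = V('X'), C(1), C(0)
    forever = ('while', ('true',), ('=', x, one), None, ('null',))   # loop null; end loop; with invariant X = 1
    return [verify(('=', x, one), ('null',), ('=', x, zero)),          # 1: incorrect
            verify(('true',), ('assign', 'X', one), ('=', x, zero)),   # 2: incorrect
            verify(('=', x, one), ('null',), ('=', x, one)),           # 3: correct
            verify(('=', x, one), forever, ('=', x, zero)),            # 4: partially correct, never terminates
            verify(('true',), ('assign', 'X', one), ('=', x, one)),    # 5: correct
            verify(('false',), ('assign', 'X', one), ('=', x, zero))]  # 6: vacuously correct

def max_with_ghosts(sneaky):
    """{Xold = X and Yold = Y} S {Y = max(Xold, Yold)}, S = the if-statement or the 'surprise' X := 0; Y := 0."""
    x, y, xo, yo = V('X'), V('Y'), V('Xold'), V('Yold')
    pre = ('and', ('=', xo, x), ('=', yo, y))
    post = ('and', ('and', ('>=', y, xo), ('>=', y, yo)), ('or', ('=', y, xo), ('=', y, yo)))
    s = (('seq', ('assign', 'X', C(0)), ('assign', 'Y', C(0))) if sneaky
         else ('if', ('>', x, y), ('assign', 'Y', x), ('null',)))
    return verify(pre, s, post, -4, 4)

def count_loop(total):
    """{Y = 0 and X = Xold and X >= 0} while X > 0 loop Y := Y + 1; X := X - 1; end loop; {Y = Xold}
    with invariant X + Y = Xold and X >= 0 and variant X (X >= 0 is an assumption added here)."""
    x, y, xo = V('X'), V('Y'), V('Xold')
    pre = ('and', ('and', ('=', y, C(0)), ('=', x, xo)), ('>=', x, C(0)))
    inv = ('and', ('=', ('+', x, y), xo), ('>=', x, C(0)))
    body = ('seq', ('assign', 'Y', ('+', y, C(1))), ('assign', 'X', ('-', x, C(1))))
    return verify(pre, ('while', ('>', x, C(0)), inv, x if total else None, body), ('=', y, xo))
```

`slide_examples()` returns `[False, False, True, True, True, True]`: example 4 is accepted because the WHILE rule alone only establishes partial correctness, and offering `X` as a variant for that loop makes the "V strictly decreases" condition fail. `max_with_ghosts(False)` is accepted while `max_with_ghosts(True)` is rejected, which is exactly what the ghost variables Xold and Yold buy over the naive specification {True} S {Y = max(X, Y)}; `count_loop(True)` passes all conditions with invariant X + Y = Xold ∧ X ≥ 0 and variant X.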