
Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems
http://www.iaik.tugraz.at

Slide 1: Program Verification with Dafny
Benedikt Maderbacher, IAIK – Graz University of Technology, [email protected]

Slide 3: Interactive Theorem Prover
▪ Checks if a program is correct
▪ with help from the user
▪ User provides:
  ▪ annotations
  ▪ manual proofs for some properties

Slide 4: Interactive Theorem Provers
▪ Dafny
  ▪ Hoare Logic
▪ Coq, Lean, Agda, F*
  ▪ Dependent Type Theory
▪ Isabelle/HOL, HOL Light
  ▪ Higher Order Logic

Slide 5: Applications
▪ CompCert
  ▪ A verified compiler (Coq)
▪ seL4
  ▪ A verified microkernel (Isabelle/HOL)
▪ Project Everest
  ▪ A verified network stack (multiple)

Slide 6: Demo: Dafny

Slide 7: Total Correctness
▪ Prove that a program is correct and terminates.
▪ Show that a loop can't run forever.

Slide 8: Total Correctness (no extracted text; figure or code listing)

Slide 10: Total Correctness
▪ Prove that a program is correct and terminates.
▪ Use a variant to show a loop can't run forever.
▪ In Dafny this is annotated with decreases.

Slide 11: Total Correctness (no extracted text; figure or code listing)

Slide 12: Total Correctness
▪ Only works if E terminates!
▪ All function calls must terminate.
▪ Can be done similarly to while loops.

Slide 13: Frame Rules
▪ Define what areas of the heap a method/function may access.
▪ reads
  ▪ What a function/predicate can read.
▪ modifies
  ▪ What a method can write.

Slide 14: Frame Rules
▪ Local reasoning over mutable state.
▪ Makes proving larger programs feasible.
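The annotations named on the slides (a loop invariant, a decreases variant for total correctness, and reads/modifies frame rules) combined in one small Dafny program, added here as an example that is not from the slides; the method and predicate names are the example's own.

```dafny
// Added example (not from the slides): reads/modifies frames, loop invariants and decreases variants.

predicate Sorted(a: array<int>)
  reads a              // frame rule: this predicate may only read a
{
  forall i, j :: 0 <= i < j < a.Length ==> a[i] <= a[j]
}

method BinarySearch(a: array<int>, key: int) returns (index: int)
  requires Sorted(a)
  ensures 0 <= index ==> index < a.Length && a[index] == key
  ensures index < 0 ==> forall k :: 0 <= k < a.Length ==> a[k] != key
{
  var lo, hi := 0, a.Length;
  while lo < hi
    invariant 0 <= lo <= hi <= a.Length
    invariant forall k :: 0 <= k < lo ==> a[k] < key
    invariant forall k :: hi <= k < a.Length ==> a[k] > key
    decreases hi - lo  // variant: strictly shrinks every iteration, so the loop terminates
  {
    var mid := lo + (hi - lo) / 2;
    if a[mid] < key {
      lo := mid + 1;
    } else if a[mid] > key {
      hi := mid;
    } else {
      return mid;
    }
  }
  return -1;
}

method Fill(a: array<int>, v: int)
  modifies a           // frame rule: only a may be written by this method
  ensures forall k :: 0 <= k < a.Length ==> a[k] == v
{
  var i := 0;
  while i < a.Length
    invariant 0 <= i <= a.Length
    invariant forall k :: 0 <= k < i ==> a[k] == v
    decreases a.Length - i
  {
    a[i] := v;
    i := i + 1;
  }
}
```

Without the reads clause Dafny rejects Sorted for touching the heap, and without modifies it rejects the assignment in Fill; without the decreases clauses it would still try to infer variants, but stating them makes the termination argument explicit.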