Retour à l'OSIS

Frama-C & SPARK Day - Formal Analysis and Proof for Programs in C and Ada

30 Mai 2017 — Frama-C & SPARK Day - Formal Analysis and Proof for Programs in C and Ada

09h-17h

Amphithéâtre Buffon, Paris "Qualité logicielle"

Résumé

This one-day workshop aims at gathering both academic and industrial users of the environments Frama-C and SPARK, for sharing experiences and discussing perspectives.

It is co-organized by CEA List (http://www-list.cea.fr/en/), AdaCore (http://www.adacore.com/), Inria joint lab `ProofInUse' (http://www.spark-2014.org/proofinuse), and Université Paris-Diderot.

This workshop will take place in the context of the event `Open Source Innovation Spring 2017' (http://www.open-source-innovation-spring.org/) initiated by thematic group `Logiciel libre' of the cluster Systematic-Paris-Region and IRILL (`Initiative de Recherche et Innovation sur le Logiciel Libre').

Direction de programme

Programme dirigé par Yannick Moy, AdaCore ; Claude Marché, Inria Saclay ; Florent Kirchner et Nikolai Kosmatov, LIST CEA Tech ; et Mihaela Sighireanu, Université Paris-Diderot.

Description détaillée

Featuring :

  • talks by the Frama-C and SPARK community
  • talks on current developments by the Frama-C and SPARK teams
  • the flair from a central Parisian location

Programme résumé

  • 09:00: Remove Before Flight: Defect-Free Software and Agile Development in SPARK 2014

    Martin Becker (TU München)

  • 09:00: Static vs runtime checking in Frama-C/SPARK

    Claude Marché (Inria)

  • 09:00: CubedOS: A Verified CubeSat Operating System

    Carl Brandon, Peter Chapin (Vermont Technical College)

  • 09:00: Structuring an Abstract Interpreter through State and Value Abstractions

    David Bühler (CEA List)

  • 09:00: Specifying and proving correctness of Linux kernel components with ACSL

    Alexey Khoroshilov, Mikhail Mandrykin (Linux Verification Center, ISPRAS)

  • 09:00: Development of security-critical software with SPARK/Ada at secunet

    Stefan Berghofer (secunet)

  • 09:00: From learning examples to high-integrity middleware, comparing ACSL and SPARK

    Christophe Garion, Jérôme Hughes (ISAE)

  • 09:00: Real Behavior of Floating Point Numbers

    François Bobot (CEA List)

Lieu

Amphithéâtre Buffon

Ville: Paris


Programme détaillé

  • 09:00 - Remove Before Flight: Defect-Free Software and Agile Development in SPARK 2014

    Martin Becker (TU München)

    Development and verification of safety-critical software requires trained experts and takes its time. We challenged this opinion by developing an entire flight stack for a high-altitude glider in Ada/SPARK 2014 within only a few months of time. We started implementation with an initial software design and continuously applied static analysis to eliminate defects, adapt the design to verification needs, and to ensure a goal-oriented progress during the implementation phase. This talk introduces the project, explains the workflow that has been established, and reflects on project progress, final results and remaining challenges of verifying SPARK programs.

  • 09:00 - Static vs runtime checking in Frama-C/SPARK

    Claude Marché (Inria)

    TBA

  • 09:00 - CubedOS: A Verified CubeSat Operating System

    Carl Brandon, Peter Chapin (Vermont Technical College)

    In this paper we present CubedOS, a lightweight application framework for CubeSat flight software. CubedOS is written in SPARK and verified free of certain classes of runtime errors. It consists of a collection of interacting, concurrent modules that communicate via message passing over a microkernel based on Ada's Ravenscar tasking model. It provides core services such as communication protocol processing and publish/subscribe message handling. In addition, application-specific modules can be added to provide both high level functions such as navigation and power management, as well as low level device drivers for mission-specific hardware. Here we present the architecture of CubedOS, and describe Lunar IceCube, the first mission to use CubedOS.

  • 09:00 - Structuring an Abstract Interpreter through State and Value Abstractions

    David Bühler (CEA List)

    The new abstract interpreter of Frama-C, EVA, enjoys a modular and extensible architecture, where new analysis domains may be plugged-in. These domains can interact through different means to achieve maximal precision. First, they work cooperatively to emit the alarms that exclude the undefined behaviors of the program. Second, they exchange information through abstractions of the possible values of expressions. Those value abstractions are themselves extensible, should two domains require a novel form of cooperation. In this talk, we present this communication system and illustrate how the different domains of EVA benefit from it.

  • 09:00 - Specifying and proving correctness of Linux kernel components with ACSL

    Alexey Khoroshilov, Mikhail Mandrykin (Linux Verification Center, ISPRAS)

    The talk presents our experience in deductive verification of Linux kernel components using Frama-C with AstraVer plugin (a fork of Jessie). It includes an overview of new features that were required to verify kernel code and a discussion of possible improvements in ACSL specification. Particularly, ACSL suggests unbounded semantics for operations on integral numbers in specifications and also does not provide special constructs for specifying relatively complex proofs, e.g. inductive proofs through lemma functions. Our experience has shown benefits of using different integer semantics and lemma functions, in particular for fragments involving complicated bit-twiddling tricks used for bit-counting, checksum computation, byte reorderings etc.

    Currently we are working on an experimental extension of ACSL with operations on bounded integers (interpreted as bit-vectors), full support for ghost (lemma) functions and possibly different semantics for logic functions and predicates with support of inlined axiomatic definitions. We are going to present our preliminary results in proving correctness of some bit-twiddling algorithms e.g. Gray decoding and Kernighan's bitcount using only an extension of ACSL, a deductive verification plugin, and Why3 IDE, without resorting to interactive theorem provers e.g. Coq or Isabelle.

  • 09:00 - Development of security-critical software with SPARK/Ada at secunet

    Stefan Berghofer (secunet)

    In this talk, we describe how the SPARK/Ada language and toolset is used for the development of component-based high-security systems at secunet Security Networks AG. To make the complexity of assessing the security of these systems manageable, the components are running on top of the Muen separation kernel, which ensures that they can only communicate with each other via designated channels. We give an overview of our methodology for verifying trusted components using a combination of the SPARK tools and the interactive proof assistant Isabelle, which is used for solving proof obligations that are beyond reach of automatic provers. We illustrate the methodology using selected correctness properties of a cryptographic library.

  • 09:00 - From learning examples to high-integrity middleware, comparing ACSL and SPARK

    Christophe Garion, Jérôme Hughes (ISAE)

    In this talk, we report on two experiments using ACSL and SPARK. In the first part, we introduce SPARK-by-Example, a SPARK translation of the well-known ACSL-by-Example booklet. This work has been started to learn more about the SPARK2014 language. In the second part, we report on an ongoing effort to port an AADL runtime, a middleware meant for safety-critical systems. ISAE has implemented two variants of this runtime: one targeting typical C/RTOS (FreeRTOS, RTEMS, RT-POSIX), and one targeting Ada 2005 (Ravenscar profile and high-integrity restrictions). As part of the TASTE and ESROCOS projects, we want to demonstrate absence of runtime errors. The two runtimes share common algorithms, but leverage different constructs (pointers, OS APIs vs native language constructs). We report on the current status of both activities, and required blocks to complete this task.

  • 09:00 - Real Behavior of Floating Point Numbers

    François Bobot (CEA List)

    Floating point numbers are pervasively used in programs, yet when one starts to look into them it becomes clear that they are nothing like reals. There are a lot of counter-examples of simple real number properties that are completely wrong for floating point numbers. Yet, actual C or SPARK developers are using floating point numbers and expect their code to behave like reals! and in many cases they are indeed right. However it is difficult for state-of-the-art program verification tools to prove that the floating point properties they are using are true. We will show the result of the fruitful collaboration done in the SOPRANO project that allowed the Frama-C and SPARK tools to tackle these problems orders of magnitude faster than before.

Organisateurs et/ou sponsors

  • AdaCore

    AdaCore supplies software development and verification tools for mission-critical, safety-critical and security-critical systems. One of its flagship products is the SPARK Pro verification environment, a toolset based on formal methods and oriented toward high-assurance system.

  • Frama-C

    Frama-C is an extensible and collaborative platform dedicated to source-code analysis of C software.

  • ProofInUse

    ProofInUse originates from the sharing of resources and knowledge between the Toccata research team from Inria and AdaCore, with the objective to provide verification tools, based on mathematical proof, to industry users. These tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.

Organisateurs (2016)

Co-organisateurs et sponsors (2016)

Ils parlent de l'OSIS (2016)

Soutiens du Pôle Systematic