formal veri cation using coq - ubidesousa/2011-2012/comfia/... · preliminary considerations...

Preliminary ConsiderationsFoundations

The BasicsGetting Serious

Concluding Remarks

Formal Verification using COQTwo lessons on Pro{gramm|v}ing with COQ

Simao Melo de SousaRELEASE

RELiablE And SEcure Computation GroupComputer Science DepartmentUniversidade da Beira Interior

S. Melo de Sousa Coq in two lessons



Concluding Remarks

Plano

1 Preliminary ConsiderationsFormal Methods, Formal Verification and COQProof Assistants in the Jungle of Formal Methods

2 FoundationsOnce upon a time...Formal reasoningInductive DefinitionsThe essence of computationProgramming is proving: The Curry-Howard Correspondence

3 The Basics

4 Getting Serious

5 Concluding RemarksSuccess StoriesThat’s all folks




Concluding Remarks

Formal Methods, Formal Verification and COQProof Assistants in the Jungle of Formal Methods

Outline

1 Preliminary ConsiderationsFormal Methods, Formal Verification and COQProof Assistants in the Jungle of Formal Methods

2 Foundations

3 The Basics

4 Getting Serious

5 Concluding Remarks




Concluding Remarks


An appetizer

Software and cathedrals are much the same. Firstwe build them, then we pray.Anonymous

Formal Methods approach:

Aide toi, et le ciel t’aidera!Jean de La Fontaine - Le Chartier embourbe. Livre VI - Fable 18.

...That what this course (and these two lessons) is about.




Concluding Remarks


COQ

COQ is a Interactive Proof Assistant, thus:

1 COQ is a Heavyweight Formal Method: Powerful, yes... but not for all.

2 Roughly and in a picture, COQ can be seen as a “MATLAB for proofs”

3 Can be used for

The formalization of constructive mathematics (e.g. most of“The Hundred Greatest Theorems” have been proved in COQ)The formal verification of programs (our focus in these twolessons)

4 Is not intended in its present form as a tool to be integrated in a “regular”software development process.

5 Nevertheless, COQ is successfully used in the industry. It belongs to thefamily of tools that are advocated by the Common Criteria forInformation Technology Security Evaluation (the international standardISO/IEC 15408 for computer security) for the highest evaluations.




Concluding Remarks


COQ

Research institution and universities that use COQ : (France)Ecole Normale Superieure (ULM, Lyon), Ecole Polytechnique,INRIA (Sophia Antipolis, LORIA, IRISA), Paris 7, LRI-ParisSud and much more. (USA) CMU, Berkeley, Cornell,Stanford, Harvard, Yale, University of Pennsylvania, etc...(NL) Nijmegen, (Sweden) Chalmers etc...

Here in Portugal: FCUP, UM, IST, UBI, MAPi.

Some Companies that use COQ: Dassault Aviation, FranceTelecom, CEA, Trusted Logic, Gemauto, etc...




Concluding Remarks


Resources

Some resources:

website : http://coq.inria.fr,

a very good, complete and exhaustive book about COQ, TheCOQ’Art:http://www.labri.u-bordeaux.fr/perso/casteran/CoqArt/index.html,

a wiki http://logical.futurs.inria.fr/cocorico.

<pub> the forthcoming Springer-Verlag book “RigorousSoftware Development” by Jorge Sousa Pinto, Jose CarlosBacelar and myself (scheduled for 2009) that will include achapter on Formal Verification with COQ (but also Design byContract, Model based Specification and Verification)</pub>




Concluding Remarks


Resources

Coq comes with a compiler coqc and a toplevel (coqtop)

Interface for Editing Proofs:

CoqIDE, the graphical user interface distributed with Coq.http://coq.inria.fr/coqide/

ProofGeneral. ProofGeneral is an EMACS generic interface forproof assistants. http://proofgeneral.inf.ed.ac.uk/

Presenting Proofs: coqdoc exports vernacular file to TeX or HTML. It ispart of the Coq distribution and documented in the Reference Manual.

Related Tools for Software Verification (tools belonging to the galaxy of

“Design By Contract-JML” and that target COQ):

Caduceus - FramaC: http://why.lri.fr/caduceus/index.en.html

Krakatoa: http://krakatoa.lri.fr/

Why: http://why.lri.fr/index.en.html




Concluding Remarks


The Main Quest of Formal Methods

The Quest:

Provide evidences that a computer/software artifact has a given (expected)behavior




Concluding Remarks



The Quest:


Central Notion of

{−model− specification

that brings the object under study to

mathematics.




Concluding Remarks



The Quest:


This quest can be split into two sub-problems to solve:

Guarantees of behavior: How to ensure/verify, at the model level, a givenbehavior?

Model versus Implementation:

1 How to obtain, from the model, an implementation thatfollows its behavior?

2 How to ensure that a given code shares the samebehavior with the model?

COQ provides support for these two sub-problems: Model, prove, and extractto programming languages




Concluding Remarks


Specifying and Proving properties

3 kinds of support for the Formalverification (J. Rushby)

1 Tools that just provide a formalenvironment

2 Tools that provide a formal systemfor the precise formulation of thereasoning

3 Tools that provide a formal systemand computational support for theprecise formulation of the reasoning

Proofs “by hand”, expressed in a naturallanguage. The proof is validated only ifthere is consensus by the researchcommunity.

Proof “by hands”, but the proof isexpressed in a rigorous language.

=⇒ Much more rigorous (e.g. Lamport,etc...) i.e. in the same framework:the model and its “conformance” proof aredone in the same framework,systematic/mechanical verification of theproof of the model properties proofs.

Where are we?

=⇒ COQ belong to the “level 3” family




Concluding Remarks


Proof systems

Concepts

Formal Systems = Deductive Systems

I.e. : provide in the same formalism means for the expression ofmodels, properties and proofs.

The large variety of formalisms that fall in this family can beexplained by the compromise between two conflicting factors thatmust be taken into account

Logic expressivenessversus

Automation of the reasoning




Concluding Remarks


Interactive Proof Systems

. . . or Proof Assistants

Preference: Logic expressiveness (usually a High-Order Logic)

Advantages: Can express a very big class of concepts, propertiesand proofs, that are required for the complete formalverification of complex systems.The reasoning ability is close to the standardmathematical reasoning.

Drawbacks: Undecidability of the underlying logic =⇒ Userintervention is often required

Systems: Coq, PVS, DECLARE, HOL, ISABELLE




Concluding Remarks

Once upon a time...Formal reasoningInductive DefinitionsThe essence of computationProgramming is proving: The Curry-Howard Correspondence

Outline

1 Preliminary Considerations

2 FoundationsOnce upon a time...Formal reasoningInductive DefinitionsThe essence of computationProgramming is proving: The Curry-Howard Correspondence

3 The Basics

4 Getting Serious

5 Concluding RemarksS. Melo de Sousa Coq in two lessons



Concluding Remarks


A short bio

Coq is the result of more than 20 years of research.

It started in 1984 from an implementation of the Calculus ofConstructions at INRIA-Rocquencourt (France) by Thierry Coquandand Gerard Huet.

In 1991, Christine Paulin (LRI-Orsay) extended it to the Calculus ofInductive Constructions.

COQ is an interactive proof assistant with a strongly typed(including inductive and dependent types), high order, polymorphicfunctional language (the programming language) equipped with ahigher order logic (the proof language and support). I.e. Calculus ofInductive Constructions in a few words...

Fortunately, we will see in the next slides the meaning of all theseweird concepts.




Concluding Remarks


Judgment

Consider a logic (propositional, first order or high order, etc...) andits set of formula F .

Definition (Judgment)

A judgment is a pair (Γ,F ) where Γ (⊂ F) is a finite set offormulas and F a formula.Notation: Γ ` F .

Meaning: Γ ` F is an affirmation. Admitting the validity of theformulas of Γ, F can be deduced. (` = deduction). Obviously suchan affirmation is valid iff on can provide a proof of its validity. Thisis the goal of a deductive system like Natural Deduction.




Concluding Remarks


Inference rule

P1 P2 · · · Pn

Goal

forward meaning: If the premises P1 P2 · · · Pn are verified(i.e. have a proof) then one can built a proof of Goal .

backward meaning: In order to prove Goal , one cansuccessfully prove P1 P2 · · · Pn.

Special case (the most basic, in fact)

Goal

A proof of Goal can be built without premises.




Concluding Remarks


Proof tree

A proof tree is a combination of inference rules of the form

...P1

...P2 · · ·

...Pn

Goal

such that the root is the statement to be proved, the leaves areinference rules without premises.

Proof tree = Proof




Concluding Remarks


Natural Deduction

Deduction system defined by G. Gentzen (1935) which rulestry to reflect the usual mathematical reasoning and proofs.

For each connective, there are two types of rules:

introduction ruleselimination rules.




Concluding Remarks


axiom A ∈ Γ

Γ ` Aelim⊥ Γ ` ⊥

Γ ` A

intro→Γ, A ` B

Γ ` A→ Belim→ Γ ` A Γ ` A→ B

Γ ` B

intro∧ Γ ` A Γ ` BΓ ` A ∧ B

elim∧1Γ ` A ∧ B

Γ ` A

elim∧2Γ ` A ∧ B

Γ ` Bintro∨1

Γ ` AΓ ` A ∨ B

intro∨2Γ ` B

Γ ` A ∨ Belim∨

Γ ` A ∨ B Γ, A ` C Γ, B ` C

Γ ` C

intro¬Γ, A ` ⊥Γ ` ¬A

elim¬ Γ ` A Γ ` ¬AΓ ` ⊥

classic Γ ` ¬¬AΓ ` A

intro↔Γ, A ` B Γ, B ` A

Γ ` A↔ B

elim↔1Γ ` A Γ ` A↔ B

Γ ` Belim↔2

Γ ` B Γ ` A↔ BΓ ` A

intro∃Γ ` F [x := t] t term

Γ ` ∃xFelim∃

Γ ` ∃xF t term Γ, F [x := t] ` G

Γ ` G

intro∀ Γ ` F x not free in ΓΓ ` ∀xF

elim∀ Γ ` ∀xF ∀t term

Γ ` F [x := t]

Figura: Natural Deduction for first order logicS. Melo de Sousa Coq in two lessons



Concluding Remarks


An example

axiom(A→ B) ` (A→ B) axiom

A ` A

(A→ B), A ` Baxiom

(B → C) ` (B → C)

(A→ B), (B → C), A ` C

(A→ B), (B → C) ` (A→ C)

(A→ B) ` (B → C)→ (A→ C)

` (A→ B)→ ((B → C)→ (A→ C))

A proof of ` (A→ B)→ ((B → C)→ (A→ C))




Concluding Remarks


Definition (Inductively Defined Set)

Consider a Set E , a non-empty sub-set B of E (called the base)and a set K of operations φ : E ](φ) −→ E (the set of constructors).A sub-set X of E is said inductively defined if it is the smallestset that verify:

(B): ∀x ∈ B =⇒ x ∈ X ,

(I): ∀φ ∈ K , x1, . . . , x](φ) ∈ X =⇒ φ(x1, . . . , x](φ)) ∈ X .

It can be convenient to see such term as trees (Leaf = elements ofthe base, Nodes = constructors). From this point of view it is easydo induce a notion of sub-term (= sub-tree).




Concluding Remarks


Induction Principle for free

Theorem (Structural Induction)

Consider an inductively defined set X and a predicate P(x) over X .If

(B’) For all x ∈ B, P(x).

(I’) For all φ ∈ K (P(x1), . . . ,P(x](φ))) =⇒ P(φ(x1, . . . , x](φ)))

then ∀x ∈ X ,P(x).




Concluding Remarks


Structurally recursive functions

Definition

Let be X ⊆ E an (non-ambiguous) inductively defined set. Let beF a set. A structurally recursive function is a recursive function inwhich each recursive call is done with a sub-term of the initialargument.

Theorem (Termination for free)

There is no infinite recursive calls in the evaluation of a structurallyrecursive function.




Concluding Remarks


Example: Binary Trees

The set AB of binary tree over A is inductively defined over(A ∪ {∅, ”(”, ”)”, ”, ”})∗ by

(B) ∅ ∈ AB (empty tree)(I) e, d ∈ AB,∀a ∈ A =⇒ (a, g , d) ∈ AB (the tree with the root

a, the left subtree e and the right subtree d).

The induction principle is:P(∅) ∧ (∀x ∈ A, e, d ∈ ABP(e) ∧ P(d) =⇒ P((x , e, d)))=⇒ ∀a ∈ AB,P(a)

A function:

inf (x) =

{ε se x = ∅inf (g).a.inf (d) se x = (a, g , d)




Concluding Remarks


λ-calculus

conceived (ca. 1930) as part of a general (later shown inconsistent)theory of functions and logic, intended as a foundation for mathematics;

all recursive functions can be represented in the (pure) λ-calculus (i.e.Turing Complete);

theory modeling functions and their applicative behavior;

concept of function seen as a rule, i.e. process of passing an argument toa value (contrary to the notion of seeing a function as a graph);

this is important for the study of computability and for theory ofcomputation in general, since it emphasizes the computational aspectassociated to the notion of function.

Give rise to important applications (functional programming languages,constructive mathematics, computational linguistics, reasoning bycomputer, programming languages semantics, and much more..)




Concluding Remarks


The smallest programming language... almost

Consider V = {x , y , z , t, . . .}, a possibly infinite, countable set ofvariables

Definition (Inductive definition of λ-terms)

each variable x is a λ-term;

if M and N are λ-terms, then (MN) is a λ-term, (application);

if M is a λ-term and x a variable, then (λx .M) is a λ-term,(abstraction).

Examples: (λx .x), (x(λy .(xy))),λxyzt.xyzt that stands for ((((λx .(λy .(λz .(λt.(((xy)z)t)))))




Concluding Remarks


α-conversion

all occurrences of a variable x that occur in an expression of theform λx .M are bound;

an occurrence of a variable that is not bound is called free;

FV (M) is the set of variables with free occurrences in M;

if FV (M) = ∅ we say that M is closed;

we will consider λ-terms equivalent up to bound variablerenaming, (α-conversion).

Examples: λxy .xyz ≡α λyu.yuz , but (λx .x)z 6≡α (λx .y)z




Concluding Remarks


Substitutions

The expression M[N/x ] denotes the result of substituting in Meach free occurrence of x by N and making any changes of boundvariables needed to prevent variables free in N from becomingbound in M[N/x ].Example:

(λxy .xyz)[(λu.y)/z] 6≡ λxy .xy(λu.y)

but(λxy .xyz)[(λu.y)/z] ≡ λxv .xv(λu.y)




Concluding Remarks


The execution model: β reduction

a term of the form (λx .M)N is called a β-redex;

its contractum is the term M[N/x ];

we write M →1β N, and say that M reduces in one step ofβ-reduction to N, iff N can be obtained from M by replacingone β-redex in M by its contractum;

→β is the reflexive and transitive closure of →1β;

≡β is the reflexive, simetric and transitive closure of →1β.




Concluding Remarks


The result of a computation: a normal form

A term M is said to be in β-normal form (or β-nf) if itcontains no β-redex;

we say that M has a β-nf if there is some β-nf N such thatM →β N.

Not all λ-terms have β-nf or not all β-reductions lead to β-nf:

The term (λx .xx)(λx .xx) has no β-nf since(λx .xx)(λx .xx) →1β (λx .xx)(λx .xx) →1β

(λx .xx)(λx .xx) →1β . . .

the term (λxy .x)(λx .x)((λx .xx)(λx .xx)) has normal formλx .x , but not every reduction sequence leads to this normalform.




Concluding Remarks


Programming in the pure λ-calculus

notation:F nX = F (F (. . . (F︸︷︷︸

n

X )) . . .)

Natural numbers, via Churchnumerals: cn = λfx.f nx , forn ≥ 0;

A+ = add =λmnfx.mf (nfx),(A+cncm ≡ cn+m) ;

A× = mult =λmnfx.m(nf )x ,(A×cncm ≡ cn×m);

Aexp = exp = λmnfx.nmfx ,(Aexp cncm ≡ cnm );

succ = λnfx.f (nfx);

Booleans, true = λxy.x ,false = λxy.y ;

if = λbxy.bxy ,(if true M N ≡ M andif false M N ≡ N);

iszero = λn.n(λx.false)true;

Ordered pairs,pair = (., .) = λxyf .fxy ;

fst = in1 = λp.ptrue,(fst (pair M N) ≡ M);

snd = in2 = λp.pfalse,(snd (pair M N) ≡ N);

prefn =λfp.pair(f (fstp))(fstp);

pre =λnfx.snd(n(prefn f )(pair x x));

sub = λmn.nprem;

Lists nil = λz.z;

cons = λxy.pair false (pair x y);

null = fst;

hd = λz.fst(snd z);

tl = λz.snd(snd z).

fixed point combinators Y: term suchthat ∀F , YF ≡ F (YF )

Curry Fixed Point combinator:λf .(λx.f (xx))(λx.f (xx))

Recursive Functions via fixed pointcombinator

fact =λn.((Y (λfx.((iszerox)1(multx(f (predx)))))n)




Concluding Remarks


Types and λ calculi

And what happens if one wants to type λ-calculus? Simply typedλ-calculus.

allow to conveniently refuse λ terms like (λx .x x)

This has a price: but we lose the ability to “loop” (i.e. not Turingcomplete).

Intuitively, we enrich the λ-calculus with a notion of type. Let{α, β, . . .} a countable set of type variables. The variables α, β, . . .are the atomic types. Thus, if x has type α and M the type β then(λx .M) has type α→ β

Notion of type judgment: “under the declarations x1 : α1 . . . xn : αn

the term t has type α”.




Concluding Remarks


Types and λ calculi

A variable has type α if it was declared of type α

x : α ` x : α

If M is a function of type α→ β and N of type α, then (M N) is of typeβ.. . . ` M : α→ β . . . ` N : α

. . . ` (MN) : β

If, assuming that x is of type α, one can infer that M is of type β thenthere is a function λx .M of type α→ β

. . . x : α ` M : β

. . . ` (λx .M) : α→ β




Concluding Remarks





Concluding Remarks


BHK - interpretation (wikipedia)

In mathematical logic, the Brouwer-Heyting-Kolmogorov interpretation, or BHKinterpretation, of intuitionistic logic was proposed by L. E. J. Brouwer, Arend Heytingand independently by Andrey Kolmogorov.The interpretation states exactly what is intended to be a proof of a given formula.This is specified by induction on the structure of that formula:

A proof of P ∧Q is a pair < a, b > where a is a proof of P and b is a proof of Q.

A proof of P ∨ Q is a pair < a, b > where a is 0 and b is a proof of P, or a is 1and b is a proof of Q.

A proof of P → Q is a function f which converts a proof of P into a proof of Q.

A proof of ∃x ∈ S : φ(x) is a pair < a, b > where a is an element of S, and b isa proof of φ(a).

A proof of ∀x ∈ S : φ(x) is a function f which converts an element a of S into aproof of φ(a).

The formula ¬P is defined as P → ⊥, so a proof of it is a function f whichconverts a proof of P into a proof of ⊥.

⊥ is absurdity. There ought not be a proof of it.The interpretation of a primitive proposition is supposed to be known fromcontext.




Concluding Remarks


Curry-Howard Isomorphism (excerpt from wikipedia)

The Curry-Howard correspondence extends the BHK-interpretation and is the directrelationship between computer programs and mathematical proofs. It refers to thegeneralization of a syntactic analogy between systems of formal logic andcomputational calculi that was first discovered by the American mathematician HaskellCurry and logician William Alvin Howard.

logic λ-calculus Programming

formula type specificationproof term programcut β-reduction execution

The relation with programming is particularly interesting when the logic/type language

is rich enough. This is the case for the Calculus of Inductive Construction




Concluding Remarks


Consequences? Benefits?

Consider

∀(x , y) ∈ N2.∃(q, r) ∈ N2.(y = (q × x + r) ∧ r < x)

The proof of such theorem can be seen as a function thatcomputes from (x , y) the pair (q, r) and the proof that(y = (q × x + r) ∧ r < x .COQ can even produce a complete program (Haskell, OCaml,Scheme) from such proof! Indeed, such a program is provedcorrect by construction.




Concluding Remarks


Even Nicer....

Theorem: Every Java program has an equivalent x86 machinelanguage program.

By choosing a suitable constructive logic, we guarantee thatany proof of this theorem can be converted into a genuineJava compiler!

By using a generic program extraction mechanism, we get thefree theorem that our compiler preserves the semantics ofprograms.. . . which saves us a huge amount of testing.




Concluding Remarks

Outline


2 Foundations

3 The Basics

4 Getting Serious





Concluding Remarks

Slides set 1.




Concluding Remarks

Outline


2 Foundations

3 The Basics

4 Getting Serious





Concluding Remarks

Slides set 2.




Concluding Remarks

Success StoriesThat’s all folks

Outline


2 Foundations

3 The Basics

4 Getting Serious

5 Concluding RemarksSuccess StoriesThat’s all folks




Concluding Remarks


Some successful Applications of COQ

A contribution

Formal verification of the Java-Card Platform in COQ (joint workwith G. Barthe, G. Dufay): Design of an innovative methodologyfor the automatic generation of

1 a specification and prototype of JavaCard Execution Platformand

2 the proof that (Milner citation)

Well-typed (JavaCard) Programs cannot go wrong

3 A (proved) correct implementation of the ByteCode Verifier(BCV), a crucial security module based on static programanalysis.




Concluding Remarks


4-color theorem (excerpt from the official announcement)

Completion of the formalization of the four colors theorem in Coq. Full formalizationof the 4 colors theorem in Coq has been completed in December 2004. Started in1999 at INRIA-Rocquencourt by Georges Gonthier et Benjamin Werner, the projecthas been completed by Georges Gonthier who found support at Cambridge MicrosoftResearch. The formalization, based on Robertson, Sanders, Seymour and Thomas(RSST) proof from 1995 has been done in Coq V7.3. Port to Coq 8.0 is ongoing. Theformalization has involved the following issues:

Use of computational reflexion to prove the part of the RSST proof that was leftto a C program.

Use of an original notion of hypermaps to concisely represent planar graphs.

Use of specific proof techniques: design of a very small language of expressivetactics with a concise syntax; computation on decidable propositions byembedding within the booleans.

Formalization of a topological ”hat”on top of the combinatoric proof on graphsand extension to the infinite case thanks to a construction of real numbers usingDedekind cuts.

The project has motivated new extensions of Coq. Especially, a new optimized

reduction machine dedicated to computation of reflexion tactics will be available in the

next released version of Coq.




Concluding Remarks


COQ and Common Criteria (excerpt from the officialannouncements)

September 2007: a big step in program certification in the real world:The Technology and Innovation group at Gemalto has successfullycompleted a Common Criteria (CC) evaluation on a Java Card basedcommercial product. This evaluation is the world’s first CC certificate ofa Java product involving EAL7 components

Trusted Logic announces (press release of November 18th, 2003) that theDCSSI has successfully evaluated its security methodology applied to theJava Card System at the Common Criteria EAL7 level, in a reportpublished earlier this year.Coq is the proof engine used by Trusted Logics, and was chosen for itsexpressiveness. As a part of the certification process, it is beingacknowledged as trustworthy by the DCSSI.




Concluding Remarks


Certified Compilation (excerpt from the compcert website)

Compcert is a compiler that generates PowerPC assembly code from Clight, alarge subset of the C programming language. The particularity of this compileris that it is written mostly within the specification language of the Coq proofassistant, and its correctness — the fact that the generated assembly code issemantically equivalent to its source program — was entirely proved within theCoq proof assistant.A high-level overview of the Compcert compiler and its proof of correctness canbe found in the following papers:

Xavier Leroy, Formal certification of a compiler back-end, or:programming a compiler with a proof assistant. Proceedings of the POPL2006 symposium.

Sandrine Blazy, Zaynah Dargaye and Xavier Leroy, Formal verification of aC compiler front-end. Proceedings of Formal Methods 2006, LNCS 4085.




Concluding Remarks


RESCUE - REliable and Safe Code execUtion forEmbedded systems

Main Goal

Ensuring Reliability and Safety of Code Execution in EmbeddedSystems

This FCT project aims at providing innovative, efficient andexpressive mechanisms for the secure implementation andexecution of code, with an emphasis on problems posed byembedded systems.

Proposed approach for safety mechanisms

emerging (source level) PCC as a back-end (and COQ as the proofsystem ) for the formal compliance to embedded system safety

policies




Concluding Remarks


Rescue in a picture

Producer Side Consumer Side

Security PoliciesSource Code

Compiled Code + Certificate

Compiler

Proof System

VCGENSource

Proof Checker

Execution Platform

VCGENmachine

Loading Stage

Proof Obligations

Certificate

Certificate

CodeLoading Stage

Proof Obligations

Code√

NO




Concluding Remarks


Certified Cryptography

Correctness of RSA Algorithm, by Jose C. Almeida (DIUM),Laurent Thery

Certifying Prime Number with the Coq prover. CoqPrime is alibrary built on top of the Coq proof system to certify primalityusing Pocklington certificate and Elliptic Curve Certificate.




Concluding Remarks


But also,

Garbage Collection,

Operating System modules,

Communication and Cryptographic Protocols,

Circuits and Hardware,

Programming languages methodologies ans semantics (see forinstance POPLMark)




Concluding Remarks


Final remarks and Perspectives

Current trends

Rise of an attractive market (i.e. $$!) that still has no clear leader(for how long?):

Intel, Microsoft, IBM, NASA, Esterel Technology, ProverTechnology, Clearsy, Trusted Logic, Escher Technologies, Siemens,Alstom, Keesda, Systerel, Lerios Technologies, Critical Software(pt), EdiSoft (pt), Efacec (pt), etc...




Concluding Remarks


Final remarks and Perspectives

Current trends

The relevance of the Common Criteria is growing. But oldercomputer system and software development standards areintegrating formal methods in their quality insurance layer.

Perspectives: 2 directions.

Conceptual and Technical Development of new solutions (i.e.formalisms, tools and techniques)Current trends: A growing use of FM (I don’t say ineverywhere.... but in much more industries than one usuallythink of)

FM =- A valuable and highly sought skills- The software/computer engineer, aside be able to

produce well designed software, should also knowhow to validate and provides evidences




Concluding Remarks


Un peu de programmation eloigne de la logique mathematique;beaucoup de programmation y ramene.

Xavier Leroy.


formal veri cation using coq - ubidesousa/2011-2012/comfia/... · preliminary considerations...

Documents