Lecture Notes in Computer Science
Commenced Publication in 1973 Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
6172
Editorial Board
David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum MaxPlanck Institute of Computer Science, Saarbruecken, Germany
Matt Kaufmann
Lawrence C. Paulson (Eds.)
Interactive Theorem Proving
First International Conference, ITP 2010 Edinburgh, UK, July 1114, 2010 Proceedings
13
Volume Editors
Matt Kaufmann University of Texas at Austin, Department of Computer Science Austin, TX 78712, USA Email: kaufmann@cs.utexas.edu
Lawrence C. Paulson University of Cambridge, Computer Laboratory Cambridge, CB3 0FD, UK Email: lp15@cam.ac.uk
Library of Congress Control Number: 2010929576
CR Subject Classiﬁcation (1998): F.3, F.4.1, D.2.4, D.2, I.2.3, D.3
LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues
_{I}_{S}_{S}_{N} 
03029743 
_{I}_{S}_{B}_{N}_{}_{1}_{0} 
3642140513 Springer Berlin Heidelberg New York 
_{I}_{S}_{B}_{N}_{}_{1}_{3} 
9783642140518 Springer Berlin Heidelberg New York 
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, speciﬁcally the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microﬁlms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
springer.com
© SpringerVerlag Berlin Heidelberg 2010 Printed in Germany
Typesetting: Cameraready by author, data conversion by Scientiﬁc Publishing Services, Chennai, India
Printed on acidfree paper
06/3180
Preface
This volume contains the papers presented at ITP 2010: the First International Conference on Interactive Theorem Proving. It was held during July 11–14, 2010 in Edinburgh, Scotland as part of the Federated Logic Conference (FLoC, July 9–21, 2010) alongside the other FLoC conferences and workshops. ITP combines the communities of two venerable meetings: the TPHOLs con ference and the ACL2 workshop. The former conference originated in 1988 as
a workshop for users of the HOL proof assistant. The ﬁrst two meetings were
at the University of Cambridge, but afterwards they were held in a variety of venues. By 1992, the workshop acquired the name HigherOrder Logic Theorem Proving and Its Applications . In 1996, it was christened anew as Theorem Prov ing in HigherOrder Logics , TPHOLs for short, and was henceforth organized as
a conference. Each of these transitions broadened the meeting’s scope from the
original HOL system to include other proof assistants based on forms of higher order logic, including Coq, Isabelle and PVS. TPHOLs has regularly published research done using ACL2 (the modern version of the wellknown BoyerMoore theorem prover), even though ACL2 implements a unique computational form of ﬁrstorder logic. The ACL2 community has run its own series of workshops since 1999. By merging TPHOLs with the ACL2 workshop, we include a broader community of researchers who work with interactive proof tools. With our enlarged community, it was not surprising that ITP attracted a recordbreaking 74 submissions, each of which was reviewed by at least three Programme Committee members. The Programme Committee accepted 33 pa pers and asked two leading researchers, Gerwin Klein and Benjamin Pierce, to present invited lectures about their work. We were able to assemble a strong programme covering topics such as counterexample generation, hybrid system veriﬁcation, translations from one formalism to another, and cooperation be tween tools. Several veriﬁcation case studies were presented, with applications to computational geometry, uniﬁcation, real analysis, etc. The tool used most in the presented papers was Coq, followed by Isabelle/HOL. Of the 33 accepted papers, ﬁve were “proof pearls” (concise and elegant worked examples) and three were “rough diamonds” (promising ideas in an early form). All 33 papers are included in these proceedings; unlike with TPHOLs, there are no separate proceedings consisting of “Track B” papers. We would like to thank Moshe Vardi (FLoC General Chair), Leonid Libkin and Gordon Plotkin (FLoC Cochairs), and the other members of the FLoC Or ganizing Committee. David Aspinall took care of ITP local arrangements, while Michael Norrish looked after ITP’s satellite workshops. We gratefully knowledge the generous support of FLoC’s sponsors: the EPSRC (the UK’s Engineering and Physical Sciences Research Council), NSF (the US National Science Founda tion), the Association for Symbolic Logic, CADE Inc. (Conference on Automated
VI
Preface
Deduction), HewlettPackard Corporation, Microsoft Research, Google Inc., and Intel Corporation. Every aspect of the editorial process, including the production of these pro ceedings, was facilitated by the EasyChair conference management system. We are grateful to the EasyChair team, Andrei Voronkov and Bartek Klin, for their advice and for ﬁxing problems quickly as they arose. We are grateful to Springer for publishing these proceedings, as they have done for TPHOLs and its prede cessors since 1993. Next year’s conference, ITP 2011, will be held at the Radboud University Nijmegen, The Netherlands. This site was chosen by a ballot of the interactive theorem proving research community. This volume is dedicated to Susan Paulson, the second editor’s wife, who went into hospital around the time that these proceedings were being assembled. She had been struggling with cancer for several years. As of this writing, she was not expected to live long enough to see this volume in print.
April 2010 
Matt Kaufmann 
Lawrence Paulson 
Conference Organization
Programme Chairs
Matt Kaufmann 
University of Texas at Austin, USA 
Lawrence Paulson 
University of Cambridge, UK 
Workshop Chair
Michael Norrish
NICTA, Australia
Programme Committee
Thorsten Altenkirch David Aspinall Jeremy Avigad Gilles Barthe Jens Brandt Thierry Coquand Ruben Gamboa Georges Gonthier David Greve Elsa L. Gunter John Harrison
Joe Hurd Gerwin Klein Xavier Leroy Assia Mahboubi Panagiotis Manolios John Matthews J Moore C´esar Mu˜noz Tobias Nipkow Michael Norrish
David Pichardie Brigitte Pientka Lee Pike Sandip Ray Jos´e Luis Ruiz Reina David Russinoﬀ Peter Sewell Konrad Slind Soﬁ`ene Tahar Christian Urban
Local Arrangements
David Aspinall
University of Edinburgh, UK
VIII
Conference Organization
External Reviewers
Andreas Abel Sanaz Afshad Mauricio AyalaRinc´on Peter Baumgartner Stefan Berghofer Yves Bertot Sandrine Blazy David Cachera Harsh Raju Chamarthi James Chapman Arthur Chargu´eraud Kaustuv Chaudhuri Cyril Cohen Juan Manuel Crespo Eugene Creswick Nils Anders Danielsson Iavor Diatchki Lucas Dixon Levent Erk¨ok Germain Faure Andrew Gacek
Amjad Gawanmeh Thomas Genet Eugene Goldberg Alwyn Goodloe David Greenaway Florian Haftmann Osman Hasan Daniel Hedin Joe Hendrix Brian Huﬀman Ian Johnson Andrew Kennedy Rafal Kolanski Alexander Krauss John Launchbury Hanbing Liu Liya Liu Luc Maranget Andrew McCreight James McKinna Stephan Merz
Tarek Mhamdi Aleksandar Nanevski Anthony Narkawicz Henrik Nilsson Steven Obua Nicolas Oury Scott Owens Ioana Pasca Randy Pollack Fran¸cois Pottier Vlad Rusu Susmit Sarkar Carsten Schuermann PeterMichael Seidel Matthieu Sozeau Sam Staton Rob Sumners Andrew Tolmach Tiphaine Turpin Makarius Wenzel Iain Whiteside
Table of Contents
Invited Talks
A 
Formally Veriﬁed OS Kernel. Now What? Gerwin Klein 
1 
Proof Assistants as Teaching Assistants: A View from the Trenches Benjamin C. Pierce 
8 

Proof Pearls 

A 
Certiﬁed Denotational Abstract Interpreter David Cachera and David Pichardie 
9 
Using a First Order Logic to Verify That Some Set of Reals Has No Lesbegue Measure John Cowles and Ruben Gamboa 
25 

A 
New Foundation for Nominal Isabelle Brian Huﬀman and Christian Urban 
35 
(Nominal) Uniﬁcation by Recursive Descent with Triangular Substitutions Ramana Kumar and Michael Norrish 
51 

A 
Formal Proof of a Necessary and Suﬃcient Condition for 

DeadlockFree Adaptive Networks Freek Verbeek and Julien Schmaltz 
67 

Regular Papers 

Extending Coq with Imperative Features and Its Application to SAT Veriﬁcation Micha¨el Armand, Benjamin Gr´egoire, Arnaud Spiwack, and Laurent Th´ery 
83 

A 
Tactic Language for Declarative Proofs Serge Autexier and Dominik Dietrich 
99 
Programming Language Techniques for Cryptographic Proofs Gilles Barthe, Benjamin Gr´egoire, and Santiago Zanella B´eguelin 
115 

Nitpick: A Counterexample Generator for HigherOrder Logic Based on a Relational Model Finder Jasmin Christian Blanchette and Tobias Nipkow 
131 
X
Table of Contents
Formal Proof of a Wave Equation Resolution Scheme: The Method Error Sylvie Boldo, Fran¸cois Cl´ement, JeanChristophe Filliˆatre, Micaela Mayero, Guillaume Melquiond, and Pierre Weis 
147 

An Eﬃcient Coq Tactic for Deciding Kleene Algebras Thomas Braibant and Damien Pous 
163 

Fast LCFStyle Proof Reconstruction for Z3 Sascha B¨ohme and Tjark Weber 
179 

The Optimal Fixed Point Combinator Arthur Chargu´eraud 
195 

Formal Study of Plane Delaunay Triangulation JeanFran¸cois Dufourd and Yves Bertot 
211 

Reasoning with HigherOrder Abstract Syntax and Contexts: 

A Comparison Amy Felty and Brigitte Pientka 
227 

A Trustworthy Monadic Formalization of the ARMv7 Instruction Set 

Architecture Anthony Fox and Magnus O. Myreen 
243 

Automated MachineChecked Hybrid System Safety Proofs Herman Geuvers, Adam Koprowski, Dan Synek, and Eelis van der Weegen 
259 

Coverset Induction with Partiality and Subsorts: A Powerlist Case Study Joe Hendrix, Deepak Kapur, and Jos´e Meseguer 
275 

CaseAnalysis for Rippling and Inductive Proof Moa Johansson, Lucas Dixon, and Alan Bundy 
291 

Importing HOL Light into Coq Chantal Keller and Benjamin Werner 
307 

A 
Mechanized Translation from HigherOrder Logic to Set Theory Alexander Krauss and Andreas Schropp 
323 
The Isabelle Collections Framework Peter Lammich and Andreas Lochbihler 
339 

Interactive Termination Proofs Using Termination Cores Panagiotis Manolios and Daron Vroon 
355 

A 
Framework for Formal Veriﬁcation of Compiler Optimizations William Mansky and Elsa Gunter 
371 
Table of Contents
XI
On the Formalization of the Lebesgue Integration Theory in HOL Tarek Mhamdi, Osman Hasan, and Soﬁ`ene Tahar 
387 

From Total Store Order to Sequential Consistency: A Practical Reduction Theorem Ernie Cohen and Bert Schirmer 
403 

Equations: A Dependent PatternMatching Compiler Matthieu Sozeau 
419 

A Mechanically Veriﬁed AIGtoBDD Conversion Algorithm Sol Swords and Warren A. Hunt Jr 
435 

Inductive Consequences in the Calculus of Constructions Daria WalukiewiczChrz aszcz and Jacek Chrz aszcz

450 

Validating QBF Invalidity in HOL4 Tjark Weber 
466 

Rough Diamonds 

HigherOrder Abstract Syntax in Isabelle/HOL Douglas J. Howe 
481 

Separation Logic Adapted for Proofs by Rewriting Magnus O. Myreen 
485 

Developing the Algebraic Hierarchy with Type Classes in Coq Bas Spitters and Eelis van der Weegen 
490 

Author Index 
495 
A Formally Veriﬁed OS Kernel. Now What?
Gerwin Klein
NICTA ^{} , Australia School of Computer Science and Engineering, UNSW, Sydney, Australia gerwin.klein@nicta.com.au
Abstract. Last year, the L4.veriﬁed project produced a formal, machine checked Isabelle/HOL proof that the C code of the seL4 OS microkernel correctly implements its abstract implementation. In my presentation
I will summarise the proof together with its main implications and as
sumptions, I will describe in which kinds of systems this formally veriﬁed kernel can be used for gaining assurance on overall system security, and
I will explore further future research directions that open up with a for mally veriﬁed OS kernel.
1 A Formally Veriﬁed OS Kernel
Last year, we reported on the full formal veriﬁcation of the seL4 microkernel fromahighlevel model down to very lowlevel C code [5]. To build a truly trustworthy system, one needs to start at the operating system
(OS) and the most critical part of the OS is its kernel. The kernel is deﬁned as the software that executes in the privileged mode of the hardware, meaning that there can be no protection from faults occurring in the kernel, and every single bug can potentially cause arbitrary damage. The kernel is a mandatory part of a system’s trusted computing base (TCB)—the part of the system that can bypass security [9]. Minimising this TCB is the core concept behind microkernels, an idea that goes back 40 years.
A microkernel, as opposed to the more traditional monolithic design of con
temporary mainstream OS kernels, is reduced to just the bare minimum of code wrapping hardware mechanisms and needing to run in privileged mode. All OS services are then implemented as normal programs, running entirely in (unpriv ileged) user mode, and therefore can potentially be excluded from the TCB. Previous implementations of microkernels resulted in communication overheads that made them unattractive compared to monolithic kernels. Modern design and implementation techniques have managed to reduced this overhead to very competitive limits.
A microkernel makes the trustworthiness problem more tractable.Awell
designed highperformance microkernel, such as the various representatives of the L4 microkernel family, consists of the order of 10,000 lines of code (10 kloc).
^{} NICTA is funded by the Australian Government as represented by The Department of Broadband, Communications and the Digital Economy and the Australian Re search Council through the ICT Centre of Excellence program.
M. Kaufmann and L. Paulson (Eds.): ITP 2010, LNCS 6172, pp. 1–7, 2010. c SpringerVerlag Berlin Heidelberg 2010
2
G. Klein
We have demonstrated that with modern techniques and careful design, an OS microkernel is entirely within the realm of full formal veriﬁcation. The approach we used was interactive, machineassisted and machinechecked proof. Speciﬁcally, we used the theorem prover Isabelle/HOL [8]. Formally, our correctness statement is classic reﬁnement: all possible behaviours of the C im plementation are already contained in the behaviours of the abstract speciﬁ cation. The C code of the seL4 kernel is directly and automatically translated into Isabelle/HOL. The correctness theorem connects our abstract Isabelle/HOL speciﬁcation of kernel behaviour with the C code. The main assumptions of the proof are correctness of the C compiler and linker, assembly code, hardware, and boot code. In my presentation I will give an overview of this proof and reﬂect on some of the lessons learned in this project. For instance, one question with any veriﬁca tion is: what do es the speciﬁcation say, what level of detail do es it contain, and why? The current abstract speciﬁcation of the seL4 kernel was written with the following goals:
– abstract from data structures and implementation, aim to specify what, not how;
– have enough detail for functional correctness proofs of applications on top of seL4;
– have enough detail for users to understand results, error conditions and error codes
Especially the latter two goals mean that the abstraction level of this speciﬁca tion is at p oints lower than one might wish for a speciﬁcation. For instance, to be able to show functional correctness of code on top of seL4, we do not want to use nondeterminism too liberally in the speciﬁcation. If the kernel is allowed to do either A or B nondeterministically for a certain system call, then user programs will always need to handle both cases, even though in the implementa tion it will usually be possible (and desired) to predict which case is taken. We have therefore usually tried to include enough data in the abstract speciﬁcation layer to precisely predict kernel behaviour. This draws a small number of rather arcane implementation details to a high speciﬁcation level. In hindsight it is pre cisely these cases that users of the kernel now ﬁnd hard to understand and that are candidates for future evolvement and simpliﬁcation of the seL4 API. Some of these were eliminated in early API iterations (precisely to achieve an nicer speciﬁcation), but others were deemed too hard or necessary at the time. An area where nondeterminism is more reasonable is the pure indication of failure due to implementation restrictions not visible at an abstract level. In seL4 this would mean the system call either fully succeeds or has no eﬀect and returns with an error code. This is signiﬁcantly simpler to handle for the user than two diﬀerent behaviours with state change. On the other hand, this means for user programs that such system calls will always need error handling code. Hence, there is still a tradeoﬀ to be made between predictive precision and elegant abstraction.
A Formally Veriﬁed OS Kernel. Now What?
3
Another way to achieve more abstraction is to focus on speciﬁc aspects of the system. We have previously published diﬀerent versions ofahighlevel access control model of seL4 [3,2]. These models abstract from message passing, memory content, and nearly all other behaviour of the system. They only record which objects have access to which capabilities. This in turn determines which system calls a thread may perform and which objects it may access. If system calls and capabilities are additionally tagged with information ﬂow attributes, it becomes possible to reason about the authorised information ﬂow behaviour ofasystem without knowing its full functional behaviour. Another potential abstraction of the kernel may be purely its message passing behaviour, p ossibly ignoring or disabling shared memory. This could be used to implement abstract communication formalisms such as the pi calculus.
2 What Now?
This section gives an overview of our current work on top of the seL4 kernel. The main, longterm aim of this work is to produce codelevel formal security proofs for large systems on the order of 1 million lines of code or more. The key idea of microkernelbased designs is to drastically reduce the trusted computing base ofasystem. If the system architecture explicitly takes security boundaries into account, as for example in MILS (Multiple Independent Levels of Security or Safety) systems [1], and these security boundaries are adequately enforced by the underlying OS kernel, it should be possible to reduce the amount of code that needs to be formally veriﬁed to a manageable size of a few thousand or maybe only a few hundred lines of code. For an initial case study, we have conﬁrmed that this is p ossible and feasible. The case study is a small network switching device that gives a frontend terminal access to either of two backend networks. The job of the switch is to make sure that no data travels between the backend networks through the switch. It is Ok for data to travel through the terminal. In this case study the user and the frontend terminal are trusted to do the right thing. A simple Linuxbased switch with web interface and user authentication will at least include the Linux kernel, a web server, and a full network stack. This already brings us into the area of millions of lines of code. With the seL4 kernel as the bottom layer and the right architecture, we man aged to isolate the security critical part into one small component with less than 2,000 lines of code. The component starts and stops Linux instances that do the actual authentication and network routing/switching work. Security is achieved by using seL4’s ﬁnegrained access control mechanism to restrict the Linux instances suﬃciently such that they do not need to be trusted for the information ﬂow property above to be true. 2,000 lines of code are small enough to be formally veriﬁed, and we have already formalised and veriﬁed the access control aspect of this trusted component as well as of the entire system. This proof shows that the modelled highlevel behaviour of the trusted component achieves the security property and it shows that this component is indeed the
4
G. Klein
only trusted component of the system — all other components are assumed to try anything in their power to subvert the system. We conducted the above proof in Isabelle/HOL. It took about 1 month of work for one person relatively new to Isabelle. We also tried the same proof in the SPIN model checker. The same person, reasonably experienced in SPIN, took about half a week to achieve the same result. This is encouraging, because it means that at least the highlevel problem could be solved automatically and even the interactive proof was not very time consuming. On the other hand, even for this small system, we found it necessary to simplify and change the model to avoid state explosion in the model checker. This does not necessarily mean that SPIN would not be able to solve larger systems (our security model may just not be very suitable for model checking), but it does indicate that the process of connecting this highlevel model to code will not be straightforward. The initial Isabelle model tried to be a faithful abstraction of the access con trol content of the actual system with a straightforward path to code reﬁnement for the trusted component. The SPIN model needed custom abstractions and simpliﬁcations that (we think) were justiﬁed, but that do not have a straightfor ward reﬁnement path to code any more. An interesting direction for future work will be to see if such simpliﬁcations can be automated and justiﬁed automatically by Isabelle/HOL proof. To connect this highlevel mo del and proof to co de, the following challenges are still open: we need to show that the seL4 kernel actually implements the access control model we used in the proof and we need to show that the C code of the trusted component implements the access control behaviour that we modelled.
3 What Else?
The previous section gave a broad outline of our current research agenda. Of course, there are further useful and interesting things to be done with a formally veriﬁed OS kernel. In this section, I explore two of them.
Veriﬁed Compiler
The arguably strongest assumption of our functional correctness proof is trusting the compiler to translate seL4 correctly. We are using standard gcc for the ARM platform with optimisations. While it is almost certain that there are bugs in this version of gcc, there is suﬃcient hope that this particular program (seL4) does not expose them, because the seL4 implementation is sticking to welltested parts of the C language. Nonetheless, it would be appealing to use a veriﬁed compiler on the source code of seL4, even if it is not as strongly optimising as gcc. The obvious candidate is the CompCert project by Leroy et al [6]: an optimisingCcompiler, formally veriﬁed in Coq, with ARM as one possible backend. We have not yet spent seri ous eﬀort trying to use this compiler on the seL4 source, but initial investigations
A Formally Veriﬁed OS Kernel. Now What?
5
show that there will be a number of challenges. The main ones are: diﬀerent theo rem provers, diﬀerent memory models, and diﬀerent C language subsets. Firstly, our proof is in Isabelle/HOL, the CompCert proof is in Coq. While it should in principle be possible to transform the proof in one system into the other, in practice both proofs are very large and an automatic transformation will quickly run into technical diﬃculties. Secondly, while the memory models for C used in either project are morally very close, they are technically diﬀerent and it is not immediately clear how the correctness statement in one translates into the other. And ﬁnally, the C language subset used in seL4 contains features that are not strictly supported by the C standard, but are nonetheless used for kernel programming. Not all of these are covered by the CompCert compiler which is targeted more at user programs. All of these can be overcome in principle, but they will require signiﬁcant eﬀort. Even if the formalisms were not adjusted to fully ﬁt together and the connection would therefore remain informal, one would arguably still achieveahigher level of trustworthiness by running the seL4 source through a veriﬁed compiler. A diﬀerent, similarly promising approach is the one of Slind et al [7], where the compilation pro cess happens directly in the theorem prover. For our case the approach would probably have to be fully reimplemented in Isabelle/HOL and targeted to the SIMPL intermediate language [10] that is also the target of our parser from C into Isabelle. Performing the compilation and its correctness proof fully inside the theorem prover would have the advantage that it neatly removes the translation step fromCto Isabelle from the trusted c
Гораздо больше, чем просто документы.
Откройте для себя все, что может предложить Scribd, включая книги и аудиокниги от крупных издательств.
Отменить можно в любой момент.