Introduction to CS 270 Math Foundations of CS

Transcription

1 Introduction to CS 270 Math Foundations of CS Verification of Computer Systems Jeremy Johnson Drexel University

2 Course Description Emphasizes analytic problem-solving and introduction of mathematical material necessary for later courses in algorithms, systems architecture, programming languages, software engineering, concurrent programming and artificial intelligence. Includes topics such as logic, theorem-proving, language operations, context-free grammars and languages, recurrence relations, and analysis of algorithms. 1

3 Course Description (revised) Introduces formal logic and its connections to Computer Science. Students learn to translate statements about the behavior of computer programs into logical claims and to prove such assertions both by hand and using automated tools. Considers approaches to proving termination, correctness, and safety for programs. Discusses notations used in logic, propositional and first order logic, logical inference, recursion and mathematical induction, and structural induction. 2

4 Course Goals For students to learn how to formally specify and reason about properties of computer systems. To appreciate what it means to prove something and the value of formalism. To become aware of tools for formal specification and automatic deduction. To use logical thinking to become better programmers and systems designers. 3

5 Course Topics Functional Programming Recursion, Recursive Definitions and Induction Divide and Conquer Algorithms and Recurrence Relations Termination Analysis Logic (Propositional and Predicate) and Deduction Applications of Logic to Computer Science Program Specification and Verification Automated Reasoning and Proof Checking Test Case and Counter Example Generation ACL2 (A Computational Logic for Applicative Common Lisp) Proof and Truth Tutor (CMU online logic course OLI) 4

6 Course Objectives To use recursion and divide and conquer to solve problems To provide recursive definitions of patterns and data structures To formally specify the input/output requirements of programs To use induction and other proof techniques to prove properties of algorithms, data structures, programs, and software systems To use logic to describe the state of systems and to use logical deduction (by hand and using tools) to prove properties of systems 5

7 Prerequisites and Grading Programming skills (CS 172) Course Requirements and Grading Class Participation (10%) Biweekly homework assignments (40%) Midterm (25%) and Final (25%) exams 6

8 Software Bugs In 1980, NORAD reported that the US was under missile attack. The problem was caused by a faulty circuit, a possibility the reporting software hadn t taken into account. The Therac-25 medical radiation therapy device was involved in several cases where massive overdoses of radiation were administered to patients in , a side effect of the buggy software powering the device. In 1996, a European Ariane 5 rocket was set to deliver a payload of satellites into Earth orbit, but problems with the software caused the launch rocket to veer off its path a mere 37 seconds after launch. 7

9 Software Bugs In 1994 in Scotland, a Chinook helicopter crashed and killed all 29 passengers. While initially the pilot was blamed for the crash, that decision was later overturned since there was evidence that a systems error had been the actual cause. One of the subcontractors NASA used when building its Mars climate orbiter had used English units instead of the intended metric system, which caused the orbiter s thrusters to work incorrectly. Due to this bug, the orbiter crashed almost immediately when it arrived at Mars in The cost of the project was $327 million, not to mention the lost time (it took almost a year for the orbiter to reach Mars). In 2002 NIST estimated that programming errors cost the US economy $60B annually 8

10 Hardware Bug Intel FDIV Bug Intel P5 Pentium floating point unit $500M Error as high as the fourth significant digit of a decimal number, but the possibilities of this happening are 1 in 360 billion. Approximately 8000 bugs introduced in during design of Pentium 4. 9

11 Verification and Validation Verification and Validation is the process of checking that a SW/HW system meets specifications and fulfills its intended purpose PowerGrid Tie-Line Flows Hardware Power System Model Engineering Analysis Station Decision Making Station Economic Analysis Station Ultra-Fast Bus 10

12 Empirical Testing Traditionally, errors in hardware and software have been detected empirically by testing Number of possibilities too large so only a small subset can be tested E.G. Testing arithmetic operations on all 2 64 double precision floating point numbers is infeasible 11

13 Formal Methods In the context of hardware and software systems, formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics 12

14 Success Stories Verified the cache coherence protocol in the IEEE Futurebus+ Standard Analysis of Microsoft Windows device drivers using SLAM Non-overflow proof for Airbus A380 flight control software Verification of Pentium 4 floating-point unit with a mixture of STE and theorem proving NICTA s embedded L4 microkernel Compcert compiler 13

15 Approaches Model Checking Temporal logic, BDD, Z notation, Static Analysis Type Checking Logical Inference Automated theorem proving Proof Checking Program Derivation 14

16 Model Checking model checking refers to the following problem: Given a model of a system, test automatically whether this model meets a given specification. Typically, the systems one has in mind are hardware or software systems, and the specification contains safety requirements such as the absence of deadlocks and similar critical states that can cause the system to crash. Model checking is a technique for automatically verifying correctness properties of finite-state systems. An important class of model checking methods have been developed for checking models of hardware and software designs where the specification is given by a temporal logic formula. Pioneering work in the model checking of temporal logic formulae was done by E. M. Clarke and E. A. Emerson[1][2][3] and by J. P. Queille and J. Sifakis. 15

17 Automated Theorem Proving Formal proof by hand is difficult Have proof checked or generated automatically by a computer Higher Order Logic, or HOL, is a widelyused tool for creating formal specifications of systems, and for proving properties about them. It has been used in both industry and academia to support formal reasoning in many areas, including hardware and software verification. It can be used to support any project which can be defined in higher order logic, an expressive logic originally developed as a foundation for mathematics. 16

18 Proof Carrying Code Proof-carrying code (PCC) is a software mechanism that allows a host system to verify properties about an application via a formal proof that accompanies the application's executable code. The host system can quickly verify the validity of the proof, and it can compare the conclusions of the proof to its own security policy to determine whether the application is safe to execute. This can be particularly useful in ensuring memory safety, i.e. preventing buffer overflows and other vulnerabilities common in some programming languages. Proof-carrying code was originally described in 1996 by George Necula and Peter Lee. 17

19 Static Analysis Static program analysis (also static code analysis or SCA) is the analysis of computer software that is performed without actually executing programs built from that software. The term is usually applied to the analysis performed by an automated tool. A growing commercial use of static analysis is in the verification of properties of software used in safety-critical computer systems and locating potentially vulnerable code [3]. For example the following industries have identified the use of static code analysis as a means of improving the quality of increasingly sophisticated and complex software: Medical software, Nuclear software. 18

20 Program Generation program derivation is the derivation of a program from its specification, by mathematical means. To derive a program means to write a formal specification, which is usually non-executable, and then apply mathematically correct rules in order to obtain an executable program satisfying that specification. The program thus obtained is then correct by construction. Program and correctness proof are constructed together. Hoare logic, stepwise refinement, Bird-Meertens Formalism, parallel program design, FLAME, SPIRAL 19

21 ACL2 ACL2 is a programming language, logic, and theorem prover/checker based on Common Lisp. ACL2 is a powerful system for integrated modeling, simulation, and inductive reasoning. Under expert control, it has been used to verify some of the most complex theorems to have undergone mechanical verification. 20

22 ACL2s (acl2s.ccs.neu.edu) Eclipse plugin (sedan version) Pure functional subset Ensure valid input Different operational modes Termination analysis Random testing and bug generation Install and test and read (ACL2s Programming Language) 21

23 References E. Allen Emerson, The Beginning of Model Checking: A Personal Perspective John Harrison, Formal verification of floating-point arithmetic at Intel, June John Harrison, Formal Verification in Industry (I),