KIV TOOL (Karlsruhe Interactive Verifier)
Anna Rossato – 1999s066@educ.disi.unige.it


Page 1: KIV TOOL (Karlsruhe Interactive Verifier)

Anna Rossato – 1999s066@educ.disi.unige.it

Page 2: Index

Introduction
– What is KIV
– Application areas
– History: former and current projects

KIV system
– KIV features
– Using KIV
– Proof Support

An example
– Java Smart Card

Page 3: The KIV System

tool for formal system development used to
– construct formal models
– design and verify high assurance systems

used in
– industrial pilot applications
– formal methods courses as an educational tool

Page 4: Why Formal Methods

software failures can
– cause significant economic loss
– endanger human life or cause environmental damage

formal methods use mathematics as a sound basis for
– describing the structure of the system in a formal specification
– finding the properties of the system
– simplifying the whole software

Page 5: KIV Application Areas

specification and verification of software systems

development of safety critical systems, from formal requirements specifications to executable code

semantical foundations of programming languages, from a specification of the semantics to a verified compiler

other areas, like mathematics

Page 6: KIV History

KIV started in 1986 at the University of Karlsruhe
– first project sponsored by the DFG (German Research Foundation)
– focus on tactical theorem proving
– PPL, the basic framework of the KIV system, was developed

Page 7: KIV History

work continued in 1992 with two projects:
– KORSO, sponsored by the BMFT (German ministry of research)
  a theory of modular, sequential software systems was developed and implemented
  a strategy for the reuse of proofs
– VSE (Verification Support Environment), sponsored by the BSI (German Security Agency)
  a case tool and an automatic theorem prover were integrated with the KIV system

Page 8: KIV History: Current Projects

functional Verification of JavaCard Applets
– the study investigates costs, benefits and requirements to formally verify Java Card programs

VSE-II
– extension of the application domain of the VSE to distributed, reactive systems
– improvements to the productivity and ergonomics of the VSE system for its use in industrial projects

Page 9: KIV History: Current Projects

FORMOSA (Integrating FORmal MOdels and Safety Analysis)
– method for the systematic development of formal models for high assurance systems

SMaCOS (Secure Multiapplicative SmartCard Operating System)
– generic formal security model for multiapplicative smartcards

Asbru Medical Protocols
– formally verifying the correctness of medical treatment protocols

Page 10: KIV Features

different specification and implementation techniques, using a Higher-Order variant of Dynamic Logic

powerful proof support
– automation, heuristics, simplification

a large library of standard data types

ergonomic graphical user interface

documentation facilities for all levels of development

Page 11: PPL

the meta-language of the KIV system is PPL
– typed functional language in the style of ML

the basic data structure of PPL are proof trees of sequents
– the root is the assertion to be proved
– the leaves are closed if they correspond to some axiom, or open if the proof is partial
– each step in a proof tree corresponds to a rule application

Page 12: Using KIV

KIV handles every single software system in a project, consisting of
– specification components
– implementation modules
– their dependencies

Page 13: Software development environment

[figure: the KIV development environment; from Start the user selects Project 1 … Project k, within a project Spec 1 … Module m, and within a specification or module Proof 1 … Proof n; the components shown are KIV, DaVinci, Specification/Module and Strategy]

Page 14: Specification

structured algebraic specifications
– signature
– axioms
– principles of induction

to create a new specification
– choose its type
– type its text
– install it (its syntactical correctness is automatically checked)
– work on it
– when all theorems are proved, it can be set in the Proved State

Page 15: Implementation modules

used to implement one abstract data type, i.e. a specification, on the basis of another

consist of
– an export interface: the specification to implement
– an import interface: the specification of the used data type
– a mapping that defines the correspondence between the export interface, the import one and the module implementation
– the implementation: procedure declarations that implement the export operations

Page 16: Implementation modules

each one has some files
– module: text for the module
– sequents: to enter or modify theorems
– module-specific: pattern of the heuristics
– formulas: to enter complex formulas for rules
– proofs: theorem base and all proofs
– doc: documentation automatically generated

Page 17: Dependencies

dependencies between specifications and modules form a directed acyclic graph

represented with DaVinci development graphs

Page 18: KIV walkthrough

example: implementing ordered sets by ordered lists
– sets are generated by the empty set and insert, which adds an element to a set
– specification: orderset
– module: orderset-module

what to do?
– write the import and export specification
– prove the specification until it is set in the proved state
– write the implementation module
– prove the module

Page 19: KIV walk through: Project selection

Page 20: KIV walk through: Work on specification

Page 21: KIV walk through: Work on implementation

Page 22: Proof Support

the heart of KIV is a tactical theorem prover

construction of proofs is done by
– applying tactics, selected by heuristics
– reducing goals to subgoals

if all heuristics fail, the user may
– select tactics or heuristics
– backtrack (if the choice proves incorrect, computation backtracks or restarts at the point of choice and tries another choice)
– prune the proof tree
– introduce lemmas

Page 23: Proof Support: Rules

two kinds of rules
– basic rules
– user-defined rules

rules may be schematic, in that their sequents may contain meta-variables for all syntactical categories

  S1  S2  …  Sn
  -------------
        SC

Page 24: Proof Support: Proof tactics

proofs are supported by an advanced interactive deduction component based on proof tactics
– simplification
– lemma application
– induction for first-order reasoning
  first order induction systems do not typically allow quantification over predicates. But, unlike first order systems, all objects are assumed to be finite.
– proof strategy based on symbolic execution
  a static analysis technique in which program execution is simulated using symbols, such as variable names, rather than actual values for input data, and program outputs are expressed as logical or mathematical expressions involving these symbols

Page 25: Proof Support: Heuristics

rules that reduce or limit the search for solutions in domains that are difficult. Unlike algorithms, heuristics do not guarantee optimal solutions

to automate proofs (for both specifications and modules) KIV offers a number of heuristics
– induction
– simplification
– ...

heuristics can be chosen freely and changed any time during the proof

heuristics manage to find 80 - 100 % of the required proof steps automatically

Page 26: Proof Support: Simplifier

a complete proof for φ means to simplify φ into the formula true

simplifier rules describe what simplification step should be done

KIV handles thousands of rules, using some extensions like forward reasoning
– given an implication of the form "If conditions then conclusion" and a collection of statements that match the conditions, forward reasoning derives the conclusion as a logical consequence of the conditions

the user explicitly chooses the simplification rules

Page 27: Proof Support: Proof engineering facilities

the problem in engineering high assurance systems is to interpret failed proofs
– errors in specifications, programs, lemmas etc

the user is assisted in the decision whether the goal to prove is not correct, proof decisions were incorrect, or there is a flaw in the specification

Page 28: Proof Support: Proof reuse

both successful and failed proof attempts are reused automatically to guide the verification after corrections or modifications

90% of a failed proof attempt can be recycled for the verification after correction

Page 29: Proof Support: Correctness management

changes to or deletions of specifications, modules, and theorems do not lead to inconsistencies

proofs can be done in any order

only the minimal number of proofs are invalidated after modifications

there are no cycles in the proof hierarchy

all used lemmas have been proved
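The correctness-management rules of this slide, together with the dependency graph of slides 17 and 43, as an added Python example that is not KIV's own code: the orderset/orderset-module names and the theorem names in the scenario are constructed for illustration.

```python
"""Correctness management over a development graph (added example, not
KIV's code). Nodes are axioms of specifications and theorems of theorem
bases; an edge records which nodes a theorem's proof used. The slide's
invariants are kept: a change invalidates exactly the dependent proofs,
proofs may be recorded in any order, cycles are rejected, and a theorem
counts as proved only when every lemma it used is proved."""
from collections import defaultdict

class DevelopmentGraph:
    def __init__(self):
        self.axioms = set()             # axioms are valid by definition
        self.uses = defaultdict(set)    # theorem -> nodes its recorded proof used
        self.done = set()               # theorems whose own proof is complete

    def add_axiom(self, name):
        self.axioms.add(name)

    def reaches(self, start, target):
        """True if target is among the transitive dependencies of start."""
        stack, seen = [start], set()
        while stack:
            n = stack.pop()
            if n == target:
                return True
            if n not in seen:
                seen.add(n)
                stack.extend(self.uses.get(n, ()))
        return False

    def record_proof(self, theorem, used=()):
        """Store a completed proof of theorem and the lemmas/axioms it used.
        The lemmas may still be unproved (proofs can be done in any order),
        but none of them may depend on theorem itself: that would be a cycle
        in the proof hierarchy, so such a proof is rejected."""
        for u in used:
            if u == theorem or self.reaches(u, theorem):
                raise ValueError(f"cycle: {theorem} would depend on itself via {u}")
        self.uses[theorem] = set(used)
        self.done.add(theorem)

    def is_proved(self, node):
        """Own proof done and every used node proved (the recursion ends
        because the graph is acyclic); axioms count as proved."""
        if node in self.axioms:
            return True
        return node in self.done and all(self.is_proved(u) for u in self.uses.get(node, ()))

    def status(self, node):
        """The colours of the development graph: planned, worked on, proved."""
        if self.is_proved(node):
            return "proved"
        return "worked on" if node in self.done else "planned"

    def dependents(self, node):
        """All theorems whose recorded proofs use node, directly or indirectly."""
        return {t for t in list(self.uses) if t != node and self.reaches(t, node)}

    def modify(self, node):
        """A specification, axiom or theorem changed: invalidate its own proof
        and exactly the proofs depending on it; all other proofs stay valid."""
        invalidated = self.dependents(node) | ({node} - self.axioms)
        self.done -= invalidated
        return sorted(invalidated)

def orderset_scenario():
    """Constructed walkthrough for the orderset specification and its module
    (theorem names are illustrative, not KIV's)."""
    g = DevelopmentGraph()
    g.add_axiom("orderset.insert-axiom")
    # the module theorem is proved first, using two lemmas that are not yet proved
    g.record_proof("orderset-module.impl-correct", ["insert-comm", "member-insert"])
    before = g.status("orderset-module.impl-correct")          # "worked on"
    g.record_proof("insert-comm", ["orderset.insert-axiom"])
    g.record_proof("member-insert", ["orderset.insert-axiom"])
    after = g.status("orderset-module.impl-correct")           # "proved"
    try:                                # a lemma may not use what depends on it
        g.record_proof("member-insert", ["orderset-module.impl-correct"])
        cycle_rejected = False
    except ValueError:
        cycle_rejected = True
    invalidated = g.modify("insert-comm")   # only insert-comm and its dependents
    return before, after, cycle_rejected, invalidated, g.status("member-insert")
```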

Page 30: Java Smart Card

Java Cards are
– open
– portable
– component of distributed systems
– GSM computer (in cellular phones)

but
– limited resources
– few innovative applications realised

Page 31: Java Smart Card: The project

objective: improving the security of multi application JSC for internet based usage

formal design methodology for
– abstract and modular specification for innovative applications
– formalization and proof of security objectives
– implementation and verification of JavaCard applets
– NOT physical tampering and cryptographic algorithms

development of a security policy for a multi application JC

Page 32: Java Smart Card: An Application

application
– purchase and transfer of a railroad ticket via mobile phone
– SmartCard contains
  ticket
  ticketing applet (Railroad Company)
  digital signature capability (Trust Center)

Page 33: Java Smart Card: An Application

Page 34: Java Smart Card: Security objectives

customer
– ticket genuine, anonymous, transferable
– loading a ticket modifies no other data on the card
– purchase and restitution are provable

railroad company
– no forgery and copying possible
– no multiple usage
– offline ticket inspection
– no repudiation of expense claim

Page 35: Java Smart Card: Security mechanisms

modular combination of protocol and cryptographic methods

authentication with PIN

public key cryptography for tamper-proof signature

nonrepudiation through time stamps and trust center

uniqueness with session keys

Page 36: Java Smart Card: Formal methods

is this a correct implementation of the protocol?

formal specification of use cases and protocols

formalization of security objectives

proof of security

Page 37: Java Smart Card: Formal methods

verification of JC programs
– correctness of command encoding
– correctness of data encoding
– bounded resources
– time conditions

advantage
– correctness
– no gaps

Page 38: Java Smart Card: Formal methods

the semantics chosen is the natural one, defined relative to an algebraic specification
– the full semantics of the language constructs is described in 123 rules
  every one describes exactly one case that may occur during evaluation

proof rules are specified and implemented in KIV and their correctness has been proved

currently KIV is the only prover usable for a Java Card calculus

Page 39: References

KIV at Karlsruhe
http://i11www.ira.uka.de/~kiv/KIV-KA.html

KIV at Augsburg
http://www.informatik.uni-augsburg.de/swt/fmg/

KIV at Saarbrücken
http://www.dfki.uni-sb.de/vse/projects/kiv.html

Page 40: Higher Order Logic

it has more expressive power than first-order logic

extends first-order logic with functions that have functions as arguments and results
– function variables
– lambda expressions λx.e that denote anonymous functions

Page 41: Dynamic Logic

extends predicate logic with two modal operators
– [.] box
  []φ
  the statement terminates and afterwards φ holds
– <.> diamond
  <>φ
  if the statement terminates then afterwards φ holds

allows the expression of properties of programs like partial and total correctness, program equivalence etc

example:
card.balance = 1 |--- <card.change(17);> card.balance = 18
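The sequent above, checked by the symbolic execution strategy described on slide 24: program execution is simulated on symbols and the output becomes an expression over them, which the antecedent then fixes. This is an added Python example, not code from KIV or the slides; the body of card.change(n) (balance := balance + n) and the guarded variant used to show an infeasible path and a failed proof are assumptions.

```python
"""Symbolic execution of a Dynamic Logic goal (added example, not code from
KIV or the slides). The slide gives only the sequent
    card.balance = 1 |--- <card.change(17);> card.balance = 18
so the body of card.change(n) is assumed here to be  balance := balance + n.
Expressions: int | variable name | (op, a, b) with op in + - >= = | ('not', a)
Statements:  ('assign', var, expr) | ('seq', s1, ...) | ('if', guard, then, else)
A symbolic state maps each program variable to an expression over its initial
value; the symbol 'balance0' stands for balance before execution."""

def fold(e, env):
    """Substitute env into e and evaluate every fully concrete subterm;
    a subterm that still mentions a symbol is kept as an expression."""
    if isinstance(e, int):          # bool is an int in Python, so True/False too
        return e
    if isinstance(e, str):
        return env.get(e, e)
    op, *args = e
    args = [fold(a, env) for a in args]
    if all(isinstance(a, int) for a in args):
        if op == "+":
            return args[0] + args[1]
        if op == "-":
            return args[0] - args[1]
        if op == ">=":
            return args[0] >= args[1]
        if op == "=":
            return args[0] == args[1]
        if op == "not":
            return not args[0]
    return (op, *args)

def sym_exec(stmt, state, pc):
    """Run stmt on a symbolic state. Returns the list of paths, each a pair
    (final state, path condition): a guard is recorded, not decided, and
    both branches are explored."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        return [({**state, var: fold(expr, state)}, pc)]
    if kind == "seq":
        paths = [(state, pc)]
        for s in stmt[1:]:
            paths = [p for st, cond in paths for p in sym_exec(s, st, cond)]
        return paths
    if kind == "if":
        _, guard, then_s, else_s = stmt
        g = fold(guard, state)
        return (sym_exec(then_s, state, pc + [g])
                + sym_exec(else_s, state, pc + [("not", g)]))
    raise ValueError(f"unknown statement {kind}")

def verify(pre, prog, post, init):
    """Check  pre |--- <prog> post  path by path. pre maps initial symbols to
    the values fixed by the antecedent (e.g. balance0 = 1). The programs here
    always terminate, so partial and total correctness coincide. Returns
    ('proved', []) or ('open' | 'failed', [(kind, path condition, vc), ...])."""
    problems = []
    for state, pc in sym_exec(prog, init, []):
        conds = [fold(c, pre) for c in pc]
        if any(c is False for c in conds):
            continue                                 # path contradicts pre
        env = {v: fold(e, pre) for v, e in state.items()}
        vc = fold(post, env)                         # verification condition
        if vc is True:
            continue
        feasible = all(c is True for c in conds)
        problems.append(("failed" if vc is False and feasible else "open", conds, vc))
    if not problems:
        return "proved", []
    return ("failed" if any(p[0] == "failed" for p in problems) else "open"), problems

INIT = {"balance": "balance0"}      # card.balance before execution is symbolic

def change(n):
    """Assumed body of card.change(n): balance := balance + n."""
    return ("assign", "balance", ("+", "balance", n))

def guarded_change(n):
    """Hypothetical variant: leaves the balance unchanged if it would go negative."""
    return ("if", (">=", ("+", "balance", n), 0), change(n), ("seq",))

def slide_example():
    """card.balance = 1 |--- <card.change(17);> card.balance = 18"""
    return verify({"balance0": 1}, change(17), ("=", "balance", 18), INIT)

if __name__ == "__main__":
    print(slide_example())                                      # ('proved', [])
    print(verify({}, change(17), ("=", "balance", 18), INIT))  # open: balance0 unknown
```

Without the antecedent the verification condition stays symbolic (balance0 + 17 = 18) and the goal is reported open, which is the situation of slide 27 where the user has to decide whether the goal or the specification is at fault.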

Page 42: DaVinci development graph

[figure: a DaVinci development graph; legend: specification, implementation module]

Page 43: DaVinci development graph

each node
– corresponds to a specification component or an implementation module
– has a theorem base attached, containing
  axioms
  automatically generated proof
  theorems added by the user
  and managing proofs and their dependencies
– the colors show the status: planned, worked on, proved

Page 44: Sequents

let φ1,…,φn, ψ1,…,ψm ∈ DL(Σ,X) (DL = Dynamic Logic) be two lists of formulas with n,m >= 0

φ1,…,φn |--- ψ1,…,ψm

is called a sequent. It is a simple way to present

φ1 Λ … Λ φn → ψ1 Λ … Λ ψm

Page 45: Simplification

simplifier rules are sequents whose syntactical form describes what simplification step should be done, i.e.
– Formula substitution step: a formula is substituted with a simpler one
  Γ |--- φ → (ψ ↔ χ)
  ψ is the formula to be simplified and χ the result of the simplification
– Term rewriting step: a term is rewritten to another, simpler one
  Γ |--- φ → ζ = σ
  ζ is the term to be simplified and σ the result of the simplification
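A simplifier in the sense of this slide and slide 26 (a proof is complete when the goal simplifies to true), working on sequents as defined on slides 11 and 44, with conditional rules discharged from the antecedent Γ. This is an added Python example, not KIV's code; the rule set is constructed for the orderset data type of slide 18 (sets generated by empty and insert).

```python
"""Simplifier over sequents (added example, not code from KIV or the slides).
Terms and formulas are nested tuples (op, arg, ...); leaves are strings.
Names starting with '?' are meta-variables of schematic rules and match any
subterm. A sequent  Γ |--- Δ  is given as two tuples of formulas."""
from dataclasses import dataclass

def match(pat, term, env):
    """One-way matching: bind the meta-variables of pat so that it equals term."""
    if isinstance(pat, str) and pat.startswith("?"):
        if pat in env:
            return env[pat] == term
        env[pat] = term
        return True
    if isinstance(pat, str) or isinstance(term, str):
        return pat == term
    return (len(pat) == len(term) and pat[0] == term[0]
            and all(match(p, t, env) for p, t in zip(pat[1:], term[1:])))

def subst(pat, env):
    """Instantiate the meta-variables of pat from env."""
    if isinstance(pat, str):
        return env.get(pat, pat)
    return (pat[0],) + tuple(subst(p, env) for p in pat[1:])

@dataclass(frozen=True)
class Rule:
    """Schematic rule  Γ |--- cond → (lhs = rhs)  (term rewriting) or
    Γ |--- cond → (lhs ↔ rhs)  (formula substitution): lhs is replaced by rhs
    wherever lhs matches and the instantiated condition is available."""
    name: str
    lhs: object
    rhs: object
    cond: object = "true"

def rewrite_once(term, rules, facts):
    """Try every rule at the root of term. A rule fires only if its
    instantiated condition is 'true' or is a formula of the antecedent Γ."""
    for r in rules:
        env = {}
        if match(r.lhs, term, env) and subst(r.cond, env) in facts | {"true"}:
            return subst(r.rhs, env), r.name
    return term, None

def simplify(term, rules, facts, trace):
    """Innermost rewriting: simplify the arguments first, then rewrite the
    root until no rule applies; every step is appended to trace."""
    if isinstance(term, tuple):
        term = (term[0],) + tuple(simplify(a, rules, facts, trace) for a in term[1:])
    new, name = rewrite_once(term, rules, facts)
    if name is None:
        return term
    trace.append((name, term, new))
    return simplify(new, rules, facts, trace)

def prove_by_simplification(antecedent, succedent, rules):
    """Simplify the succedent of  Γ |--- Δ  with Γ as available facts. The
    goal is closed (a leaf corresponding to an axiom) when a succedent
    formula becomes 'true' or already occurs in Γ; otherwise it stays open
    and the user continues interactively. Returns (closed, succedent, trace)."""
    trace, facts = [], frozenset(antecedent)
    succ = [simplify(f, rules, facts, trace) for f in succedent]
    closed = "true" in succ or any(f in facts for f in succ)
    return closed, succ, trace

# Constructed rules for sets generated by 'empty' and 'insert' (slide 18).
SET_RULES = [
    Rule("refl", ("=", "?x", "?x"), "true"),                 # term rewriting
    Rule("or-true-l", ("or", "true", "?p"), "true"),         # formula substitution
    Rule("or-true-r", ("or", "?p", "true"), "true"),
    Rule("or-false-l", ("or", "false", "?p"), "?p"),
    Rule("or-false-r", ("or", "?p", "false"), "?p"),
    Rule("mem-empty", ("member", "?a", "empty"), "false"),
    Rule("mem-insert", ("member", "?a", ("insert", "?b", "?s")),
         ("or", ("=", "?a", "?b"), ("member", "?a", "?s"))),
    # conditional rule  member(a, s) → insert(a, s) = s : needs a fact in Γ
    Rule("insert-absorb", ("insert", "?a", "?s"), "?s", cond=("member", "?a", "?s")),
]

if __name__ == "__main__":
    goal = ("member", "a", ("insert", "b", ("insert", "a", "empty")))
    print(prove_by_simplification((), (goal,), SET_RULES))   # closed, succedent true
    print(prove_by_simplification((("member", "c", "s"),),
                                  (("=", ("insert", "c", "s"), "s"),), SET_RULES))
```

A goal such as member(a, insert(b, empty)) simplifies only as far as a = b and is left open, the point at which the heuristics of slide 25 hand over to the user.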