Safe and Secure Software Systems An Automated Reasoning Perspective

Description: Safe and Secure Software Systems: An Automated Reasoning Perspective. Andrew Ireland, Dependable Systems Group, School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh. Setting the scene: inaugural lecture, achievements and research vision.

Safe and Secure Software Systems: An Automated Reasoning Perspective
Andrew Ireland, Dependable Systems Group, School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh

Setting the Scene
Inaugural lecture? Achievements and research vision. A blend of the technical and the big picture, coupled with a historical perspective. First things first: software and automated reasoning?

Making Stuff and How it Works

Making Software Stuff - Data
Making Software Stuff - Programs
Program Execution

How It Works (diagram): program + data

A Practical Example

Proving Stuff: Proof = Guarantee + Explanation

Automated Reasoning: building software systems that construct proofs.

Proving the conjecture:
Givens: All Sylvanians are tiny; Coral is a Sylvanian.
Goal: Coral is tiny? (conjecture)
Therefore: Coral is tiny.

Proof as Guarantee (Givens, Goal)
Proof as Explanation (Given:, Goal:)

Rippling = difference identification + difference reduction

Proof Plans
A proof plan represents a common pattern of reasoning, e.g. rippling.
Proof plan = tactic + strategy
Proof plans automate the search for proofs (via proof planning) and promote strategy reuse.

Proof Planning (diagram): Conjecture, Theory, Method, Strategies, Tactic [tailored for conjecture]; the output is a Guarantee and an Explanation.

Proof Planning with Critics (diagram): Conjecture, Theory, Method, Critic, Strategies.
Critics provide flexibility during the search for proofs: the productive use of failure.
Critics for the Ripple method: Missing Properties (Lemmas), Case Splits, Induction Rules, Conjecture Generalization.

Making Software Stuff - Faster!

Conjecture Generalization Critic (Given:, Goal: blocked; resolved by proof planning)
http://www.rippling.org/

Related PhD Projects
Proof planning for imperative program development (Jamie Stark): reuse of proof plans; loop invariant discovery; program synthesis, i.e.
"... develop a program and its proof hand-in-hand, with the proof ideas leading the way!" (Gries, 1981)

Bertha

Related PhD Projects
Using Proof in Transformation Synthesis for Automatic Parallelisation - EPSRC GR/L42889 (Andrew Cook): verification & synthesis of performance-enhancing eureka steps, e.g. transformations that facilitate the parallelization of software.

Reasoning About Correctness Properties of a Coordination Programming Language (Gudmund Grov): HUME, a novel programming language; verification and transformation of HUME programs to improve resource usage (space and time guarantees).

Alan Turing: 1912-1954

Birth of the Modern Computer

Manchester's Small Scale Experimental Machine, a.k.a. "The Baby" (1948)

Turing, A. M. 1949. Checking a Large Routine. In Report of a Conference on High Speed Automatic Calculating Machines, Univ. Math. Lab., Cambridge, pp. 67-69.

Software Verification: And 63 Years Later?
- A wealth of new logics and automated reasoning techniques
- Computers are faster and memory is cheap
- Verification tools are typically highly integrated and automatic
- Significant industrial-scale success stories within niche markets, e.g. Microsoft, Praxis, D-RisQ, ...
- Now it matters!

Now it Matters!
- Software is woven into almost all aspects of our daily lives, from communications, entertainment and consumer electronics to finance, defence and national infrastructure.
- A key differentiator in commercial products is embedded software: dependability is crucial to commercial success, and software correctness is a key ingredient.
- Cyber security carries significant risks for economic growth and society in general, and is a priority area for the UK Government.
- Software testing is not enough to guarantee safe and secure software systems: correctness-by-construction is called for, underpinned by a range of formal notations and automated reasoning technologies.
- International Verified Software Initiative: a coming together of academia and industry.

SPARK Programming Language
- SPARK is an Ada subset that eliminates potential ambiguities and insecurities (Altran Praxis).
- Expressive enough for industrial applications, but restrictive enough to support rigorous analysis, i.e. correctness-by-construction.
- Applications: e.g. air traffic control (iFACTS), avionics (Eurofighter Typhoon), security (Mondex), ...
- Focus on exception freedom proof, e.g. proving code is free from arithmetic overflows, buffer overflows, division by zero, ...

Consider converting 64-bits of data into 16-bits: Arithmetic Overflow, i.e. an Overflow Error.

The Cost of Failure: Ariane 5
Developed by the European Space Agency: an unmanned rocket with a cargo of scientific satellites ($500 million). In 1996, just 39 seconds into its maiden flight, an overflow error occurred, resulting in the Ariane 5 control software initiating a self-destruct operation!
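The 64-bit to 16-bit narrowing behind the Ariane 5 failure, as an added example that is not from the slides: an unchecked conversion that silently wraps, beside the range guard that an exception-freedom proof (the SPARK focus above) would require. The function names are this example's own, and the sample input is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing: keeps only the low 16 bits and reinterprets them as
 * two's-complement, so an out-of-range input silently becomes a wrong and
 * possibly negative value. The modular step is written via uint16_t so the
 * behaviour is fully defined rather than implementation-defined. */
int16_t narrow_unchecked(int64_t v) {
    uint16_t low16 = (uint16_t)(v & 0xFFFF);
    return (low16 & 0x8000) ? (int16_t)(low16 - 0x10000) : (int16_t)low16;
}

/* Checked narrowing of an integer: fails (returns false, *out untouched)
 * when v lies outside [INT16_MIN, INT16_MAX]. This guard is what a
 * SPARK-style verification condition for the conversion asks the
 * programmer to establish before the cast. */
bool narrow_checked(int64_t v, int16_t *out) {
    if (v < INT16_MIN || v > INT16_MAX) {
        return false;
    }
    *out = (int16_t)v;
    return true;
}

/* Checked narrowing of a 64-bit double (Ariane 5 converted a floating-point
 * value). The negated comparison also rejects NaN, which would slip through
 * a naive "v < MIN || v > MAX" test. Fractions are truncated toward zero. */
bool narrow_double_checked(double v, int16_t *out) {
    if (!(v >= (double)INT16_MIN && v <= (double)INT16_MAX)) {
        return false;
    }
    *out = (int16_t)v;
    return true;
}

int main(void) {
    int16_t r;
    int64_t sample = 40000;  /* constructed input, larger than INT16_MAX */
    printf("unchecked: %lld -> %d\n", (long long)sample,
           narrow_unchecked(sample));
    printf("checked:   %lld -> %s\n", (long long)sample,
           narrow_checked(sample, &r) ? "ok" : "rejected (overflow)");
    return 0;
}
```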

Verifying SPARK Code (tool chain diagram)
Components: SPARK code, Annotations, SPARK Examiner, VCs, SPADE Simplifier, SPADE Proof Checker, Cmds, Proofs, Unproven VCs.
VCs = Verification Conditions (conjectures)

Our focus was on the problems the SPARK tools failed on: verifying loops (iteration), loop invariant discovery, and the productive use of failure.

Bill J. Ellis (RA + PhD); EPSRC Critical Systems programme (GR/R24081); EPSRC RAIS Scheme (GR/T11289); http://www.macs.hw.ac.uk/nuspade

Proof Planning for SPARK: SPADEase (diagram)
Components: SPARK code, Annotations, SPARK Examiner, VCs, SPADE Simplifier, SPADE Proof Checker, Cmds, Proofs, Unproven VCs, Proof Planner, Program Analyzer.
Abstract Predicates: R >= ? and R = 0 and R = 0 and R =0 and A(I)=0 and A(I)