Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David
Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal
Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon
Winwood. “seL4: formal verification of an OS kernel”. In
Symposium on Operating Systems Principles (SOSP), pages
207–220, Big Sky, MT, USA, October 2009.
[ACM]
Octavian Udrea, Cristian Lumezanu, and Jeffrey
S. Foster. “Rule-based static analysis of network protocol
implementations”. In USENIX Security Symposium, pages
193–208, Vancouver, BC, Canada, August 2006.
[USENIX]
Question: As described in the last part of section 3.2 of the second reading, Pistachio attempts to infer a loop invariant by taking the intersection of the sets of facts it has determined over previous iterations. Like any sound, terminating algorithm for determining a loop invariant, this approach is not complete. To illustrate this, give an example (as plausible as you can imagine) of a loop occurring in a network protocol for which this algorithm would not be able to infer an appropriate invariant.
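To make the intersection-of-facts idea concrete, here is a small toy model of it. This is an added illustration, not Pistachio's code and not taken from the paper: the loop walks a constructed type-length-value stream, the "facts" recorded at each loop head are produced by a chosen fact generator, and the candidate invariant is the intersection of those fact sets across iterations. The packet bytes, the variable names `off` and `n`, and the two fact languages are all assumptions made for the example.

```python
"""Toy model of loop-invariant inference by intersecting per-iteration facts.

Added illustration (not Pistachio's implementation). A fact is a string such
as "off==4" or "off<=n"; the candidate invariant is whatever fact survives
intersection over every loop-head state seen in a concrete run.
"""
from typing import Callable, Dict, List, Set

State = Dict[str, int]
Fact = str

# Constructed TLV stream: (type, length, value...) records, 9 bytes total.
SAMPLE_PACKET = bytes([0x01, 0x02, 0xAA, 0xBB,   # type 1, len 2
                       0x02, 0x01, 0xCC,         # type 2, len 1
                       0x03, 0x00])              # type 3, len 0


def run_tlv_loop(packet: bytes) -> List[State]:
    """Walk the TLV stream and record the loop-head state on every visit."""
    trace: List[State] = []
    off, n = 0, len(packet)
    while off + 2 <= n:                 # guard only proves the header fits
        trace.append({"off": off, "n": n})
        length = packet[off + 1]
        off += 2 + length               # value bytes are skipped, unchecked
    trace.append({"off": off, "n": n})  # final loop-head visit (guard false)
    return trace


def equality_facts(state: State) -> Set[Fact]:
    """Fact language 1: only 'variable == constant'."""
    return {f"{k}=={v}" for k, v in state.items()}


def relational_facts(state: State) -> Set[Fact]:
    """Fact language 2: equalities plus 'a <= b' between pairs of variables."""
    facts = equality_facts(state)
    for a in state:
        for b in state:
            if a != b and state[a] <= state[b]:
                facts.add(f"{a}<={b}")
    return facts


def infer_invariant(trace: List[State],
                    gen: Callable[[State], Set[Fact]]) -> Set[Fact]:
    """Intersect the fact sets of every loop-head state in the trace."""
    inv: Set[Fact] = set()
    for i, state in enumerate(trace):
        facts = gen(state)
        inv = facts if i == 0 else inv & facts
    return inv


if __name__ == "__main__":
    trace = run_tlv_loop(SAMPLE_PACKET)
    print("states:", trace)
    # Equality facts about `off` differ every iteration and are intersected
    # away, so the bound needed to reason about `off` is never inferred.
    print("equality-only invariant:", infer_invariant(trace, equality_facts))
    # A richer fact language keeps `off<=n`, which does hold at every head.
    print("relational invariant:   ", infer_invariant(trace, relational_facts))
```

Running it shows the point of the question: with `off` taking a fresh value on each visit, the equality-only language leaves just `n==9` after intersection, although `off<=n` is true at every loop head and survives once the fact language can express it. Incompleteness here is a property of what facts the analysis is able to record, not of the intersection step itself.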
Werner Dietl, Stephanie Dietzel, Michael D. Ernst, Nathaniel Mote,
Brian Walker, Seth Cooper, Timothy Pavlik, and Zoran
Popović. “Verification games: making verification
fun”. In Formal Techniques for Java-like Programs
(FTfJP), pages 42–49, Beijing, China, June 2012.
[ACM]
The annotations addressed in this work are more like type annotations than a full specification, but I put this paper in this section because it accepts as inevitable the requirement to have human assistance in program checking. Given that constraint, they ask the question: can we make it into a game?