Formal Methods

Dharmendra Kumar Yadav

Professor, CSED,
MNNIT, Allahabad
Course Focus

 Techniques and tools for formal modelling

and analysis of computer systems with
particular focus on Software Verification
 Topics:
– Modelling techniques
– Model checking, temporal logic, automata
– Process algebra, CCS, CWB & Pi-calculus
 Hands-on approach towards formal verification.
 More on practical use of verification, Each of you will
apply formal methods to verify some part of software
as part of Lab.
Readings

 Textbook :
– Communication and Concurrency: Robin Milner
– Pi-calculus: Robin Milner, Available in Library
– Logic in computer science: Huth and Ryan
Available in Book Store
– Model Checking : Clarke, Grumberg, Peled
Available in Library
 Lecture Slides
Assessment + Workload
 Assessment Criteria
– Mid Semester – 20%
– Quizzes & Assignment – 15%
– Final Examination – 60%
– Attendance -5%

 Workload
– Weekly reading : 4 hrs.
– Assignments & Quizzes: 2 hrs.
– Lectures : 4 hrs.
– TOTAL : 06 hrs. (approx) per Week excluding lectures
Motivation

The better you understand the problem and your proposed

solution
The better the quality of the end product

Understanding ! Properties
! Modelling
! Formalisation
! PROOF!

Formalisation and proof = use of mathematics and logics

Embodied in usable tools

Challenges

Real systems are huge and complex

There is no silver bullet

Problems
– Undecidability: Applies to humans as well as machines
– Distribution: Complexity explodes

Engineering:
– How to get a satisfactory analysis with the resources (time,
space, people, machines) available
– Satisfactory: Correct, or good enough for trust
Why Software Systems?

 Software Systems everywhere

– wristwatches, washing machines, microwave
ovens,
– elevators, mobiles, telephones, printers,
– FAX machines, Telephone exchanges,
– Automobiles, Aircrafts, Railways …..
Safety-critical Systems

 Aircrafts, Trains,
 Nuclear & Industrial Plants, Avionics
 Life Support Systems
 Quality of Computational Systems
= Quality of life
Example: auto-pilot

Problem:
“Design a part in auto-pilot that avoids collision with other
planes.”
Solution:
“When distance is 1km, give warning to other plane and notify
pilot. When distance is 300m, and no changes in the course of
other plane were noticed, go up to avoid collision”
Problem with solution

Both planes have the same software. Both

go up...
Why it happens ?

 Hard to predict all behaviors!

– US aircraft went to southern hemisphere and … flipped
when crossing the equator

– Software written for US F-16

 Accidents took place when reused in Israeli aircraft that flown
over the Dead Sea
(altitude < sea level)
What are Formal Methods

Barry Boehm (Boehm, 1981):

Verification: To establish the truth of correspondence between a
software product and its specification (from the Latin veritas, “truth”).

Validation: To establish the fitness or worth of a software product for its

operational mission (from the Latin valere, “to be worth”).

Verification: Are we building the product right?

Validation: are we building the right product?”
What are Formal Methods

domain verify

speci-
fication
Developers
Application design
verify
Framework design
Architecture design
Validate
imple-
mentation
verify
config.
instance
Market needs needs validate
and needs
system
users
Why Use Formal Methods?

Formal methods are typically employed for

the following reasons:
– they are required by the contract or by law
– they are expected to save development costs
– the product cannot be made sufficiently reliable
otherwise
Formal Specification

– The language of logic provides an unambiguous method of

recording the specification.
– The process of writing a formal specification helps uncover
any ambiguity and incompleteness.
– We can reason about a formal specification to check that
the system specified will possess other desired properties.
Formal Specification Techniques

Formal specification techniques can be

partitioned into two broad classes:
– Algebraic Specification: The object to be
described is considered as a collection of actions.
Equations are then used to show the desired
inter-relations between those actions.
– Model Based Specification: The object to be
described is modeled in some expressive logic.
Formal Verification

 Formal verification is a process of constructing a

proof that a computer system will behave in
accordance with its specification.
 The ‘standard’ verification technique is testing, but . .
.
– Program testing can be a very effective way to show the
presence of bugs, but it is hopelessly inadequate for
showing their absence.
 Edsgar W. Dijkstra
The Formal Verification Process

 Describe the property you want to hold over

the system (the formal specification).
 Describe the implementation you hope has
it.
 Construct a proof to this effect.
Formal Verification Requires

 A language for describing both

specifications and implementations.

 A deductive calculus for proving propositions

in this language.
The Key Questions

What is the right level of abstraction?

– Physical? Circuit? Network?
– Binaries? Bytecode? Source program? Libraries?
– Architectural? Algorithmic? Process? Model?

What are the important properties?

– Type safety (e.g. Java bytecode verifier)?
– Partial/total correctness? Implementation correctness?
– Deadlocks? Starvation? Reactiveness?

There is no ”correct” answer

Answers determine choice of methods and tools

Main Schools

Theorem proving
– FOL, HOL, type theory, using formalised theories
– Problem of proof search
– Will not be covered
Model checking
– Automatic traversal of finite state machine graphs
– Efficient, but scalability issues
Floyd/Hoare logic
– Theorem proving for flow graphs/while programs
– Proof search, but more domain knowledge
– Will not be covered
Process algebra
– Reasoning about abstract processes
– Structured approach
The Field

Formal verification is an ambitious task, so:

– Use with discretion
– Avoid exaggerated expectations
– For engineers, not for programmers

Current industrial usage

– Programming language design
 Operational semantics, type systems
 Check out the SLAM project at Microsoft
– Processor design
 all major chip vendors + tool providers
– Safety-critical systems
 Railway, automotive, power industry, aerospace