Selected KIV Projects

For some of the projects done with the KIV system we provide XML representations of the specifications, theorems and proofs. The project pages can be viewed with most modern web browsers. All xml files in these projects are generated automatically, but not at the same time. Since projects may depend on other projects, the following situation can occur: A theorem in project A uses a theorem from project B, but the link to this theorem is dead. This does not mean that the project is inconsistent, but simply that the documentation is not up-to-date.

Verification Competitions

Verification competitions aim at testing tool-usability and the ability of human proof engineers to quickly solve correctness assertions and to find invariants for different small, but often tricky problems. Some of the competitions we have participated in are:

COST Verification Competition 2011
VSTTE Verification Competition 2011
VerifyThis Competition 2012 (best student team)
Verified Software Competition 2014
VerifyThis Competition 2015 (best student team)
VerifyThis Competition 2016
VerifyThis Competition 2017 (best student team)
VerifyThis Competition 2019
VerifyThis Competition 2021 (best student team)

The VeriCode Project

Project VeriCode deals with the correct translation of abstract specifications to efficient C code. Some KIV projects are:

Formalization of the VeriCode Code Generator. This project formalizes the semantics for a core source and target language, and specifies the main transformations performed during code generation. (Web Presentation for a paper submitted to iFM 2024)

The Verified Flash File System

Project Flashix deals with the development of a fully verified flash file system. Some KIV projects are:

Overview over the different formal models
Specification of B+trees that are verified with the help of shape analysis
Concurrent Refinements for WearLeveling. This project demonstrates with a simplified example, how concurrency can be added to refinement tower, which consisted of sequential refinements initially (Web Presentation for an invited paper at ABZ 2020)
Correctness Proofs for the Integration of VFS Caches (Web Presentation for a paper presented at iFM 2020)
Separating Separation Logic - Verification of a pointer implementation of red-black trees (Web Presentation for a paper presented at VSTTE 2022)
Refinement and Separation - Modular verification of a pointer implementation of wandering trees. (Web Presentation for a paper presented at iFM 2023)

Software Transactional Memory (STM)

Three proofs of Opacity of a Transactional Mutex Lock using two approaches: one based on linearizability with KIV, two proofs based on refining the IO automaton TMS2 with Isabelle and KIV (Web Presentation for a submitted journal paper that extends the results of the FM 2015 paper described here. [FM15])
Proofs with Isabelle for opacity of a complex, pessimistic implementation of STM (Web Presentation for a paper presented at OPODIS 2016).

Concurrency and Linearizability

Project VeriCAS deals with the development and application of formal methods for the verification of concurrent algorithms. We are tracking two main approaches. Our first approach is based on pure HOL and the Owicki-Gries Method. Some KIV projects are:

Linearizability proofs for a lock-free stack (Web Presentation for FMOODS 2008 paper)
Linearizability proofs for a lock-free stack and an implementation of sets using fine-grained locking (Web Presentation for journal version of FMOODs 08 paper)
Verification of Linearizability as Refinement using Possibilities (Web Presentation for FM 2011 paper)
Verification of Linearizability of Herlihy and Wing's queue example (Web Presentation for ACM Trans. Computational Logic, Volume 15 Issue 4, August 2014; based on the previous theory)
Verification of the Elimination queue (the largest case study done so far; also based on the previous theory)
Verification of Durable Linearizability of a Persistent Queue (Web Presentation for a paper presented at Formal Methods 2019)
Verification of a Lock-Free Hash Set Implementation using Thread-Local, Step-Local Proof Obligations for Refinement (Web Presentation for a paper presented at ABZ 2023)
A Fully Verified Persistence Library - Verification of the FliT persistency library under the PTSO weak memory model (Web Presentation for a paper accepted at VMCAI 2024)

Our second approach is based on the logic RGITL, which is based on Interval Temporal Logic (ITL) and Rely-Guarantee (RG) Reasoning:

Embedding of the Syntax and Semantics of RGITL in HOL (includes semantic proofs of the basic axioms and rules)
Derivation of RG rules and Verification of Concurrent Algorithms with RGITL
Proofs of Total Correctness for two classical parallel algorithms that demonstrate the benefit of rely-guarantee reasoning using RGITL. The first algorithm "Sieve" is a parallel version of the Sieve of Eratosthenes, the second "FindPos" finds the minimal position in an array that satisfies some predicate by iterating over even and odd indices in parallel.
Proofs of Starvation Freedom for Locking Algorithms with RGITL. The Ticket Lock algorithm is verified using Manna and Pnueli's rule WELL-JP using a ranking function. A novel thread-local approach using RGITL is presented, and its use is exemplified by a verification of Ticket Lock, MCS-Queue lock and Filter Lock (which includes mutual exclusion and linearizability).

Security

The KIV case studies for this topic were done in projects Go!Card and secureMMD:

The Mondex Challenge
Yet another version of the copy card
The Electronic Wallet (E-WALLET) Case Study
E-Wallet Extended (The electronic wallet with an arbitrary number of cardlets and terminals)

PROSECCO-lib (The basic library for modeling Smart Card applications in PROSECCO)
E-Wallet-V2 (The specification of the E-Wallet case study based on PROSECCO-lib)
CINDY case study (Cinema tickets on your mobile)
CINDY-ref (Refinement to a Java program)
An algebraic theory of messages (Used in the verification of cryptographic protocols)

Abstract State Machines

General Refinement Theory

A formalisation of relational concurrent refinement (This is a version of data refinement where data types have external and internal operations. Operations may be blocked and sets of blocked operations are used as final observations (refusals). The possibility of an infinite run of internal operations is interpreted as divergence. This allows to prove that data refinement for such data types coincides with failures-divergence refinement in CSP. More information is given in the paper on which this case study is based.)
Completeness proofs for ASM Refinement and for IO Automata refinement (Web Presentation for ENTCS Special Issue at FM 08)
Completeness proofs for Fair ASM Refinement (Web Presentation for FAC Special Issue at FM 08)

The KIV Library

The basic KIV library (Basic data type specifications)
Embedding of Separation Logic (Separation Logic formulas and Reasoning support)
A polymorphic version of the basic KIV library
A polymorphic version of the embedding of Separation Logic

Back to the main KIV page.

[Imprint] [Data Privacy Statement] [E-Mail]