Ghosts for Lists: A Critical Module of Contiki Verified in Frama-C

Abstract: Internet of Things (IoT) applications are becoming increasingly critical and require rigorous formal verification. In this paper we target Contiki, a widely used open-source OS for IoT, and present a verification case study of one of its most critical modules: that of linked lists. Its API and list representation differ from the classical linked list implementations, and are particularly challenging for deductive verification. The proposed verification technique relies on a parallel view of a list through a co… Show more

“…For specification and verification of the list module, it is convenient to have a more abstract view of the elements of a linked list. In a previous work [6], we used a companion ghost array for this purpose. Our new approach relies on a companion logic list and uses the logic list datatype available in Acsl.…”

“…At the beginning of its development in 2002, the security of Contiki was not the main concern. Security of communication was introduced later, while the source code has become a target of formal verification only very recently [6,19,21].…”

“…That makes it different from other classical implementations of linked lists and justifies the need for a dedicated verification effort. In a previous work [6], we performed formal specification and deductive verification of the list module using the Frama-C verification platform [15]. The approach is based on a companion ghost array, reflecting the contents of the actual linked list and used to specify the list manipulations more easily.…”

“…All functions of the module (including the function not proved correct previously) have been specified and formally verified. As in the previous work [6], the verification has been performed in the Frama-C/Wp tool [15] and relies on a formal specification in Acsl [4], the specification language offered by Frama-C. The proposed specifications have also been validated by proving a few client functions manipulating lists.…”

“…All those lemmas have been proved using the Coq proof assistant [25]. Thanks to them, the specifications of all functions are proved automatically (except for a couple of assertions in the most complex function, list_insert, which were proved in Coq) and relatively fast, which makes us believe that the new approach is more suitable for automatic deductive verification than the previous approach [6] using ghost arrays.…”

Logic against ghosts

“…For specification and verification of the list module, it is convenient to have a more abstract view of the elements of a linked list. In a previous work [6], we used a companion ghost array for this purpose. Our new approach relies on a companion logic list and uses the logic list datatype available in Acsl.…”

“…At the beginning of its development in 2002, the security of Contiki was not the main concern. Security of communication was introduced later, while the source code has become a target of formal verification only very recently [6,19,21].…”

“…That makes it different from other classical implementations of linked lists and justifies the need for a dedicated verification effort. In a previous work [6], we performed formal specification and deductive verification of the list module using the Frama-C verification platform [15]. The approach is based on a companion ghost array, reflecting the contents of the actual linked list and used to specify the list manipulations more easily.…”

“…All functions of the module (including the function not proved correct previously) have been specified and formally verified. As in the previous work [6], the verification has been performed in the Frama-C/Wp tool [15] and relies on a formal specification in Acsl [4], the specification language offered by Frama-C. The proposed specifications have also been validated by proving a few client functions manipulating lists.…”

“…All those lemmas have been proved using the Coq proof assistant [25]. Thanks to them, the specifications of all functions are proved automatically (except for a couple of assertions in the most complex function, list_insert, which were proved in Coq) and relatively fast, which makes us believe that the new approach is more suitable for automatic deductive verification than the previous approach [6] using ghost arrays.…”

Logic against ghosts

Towards Full Proof Automation in Frama-C Using Auto-active Verification

Teaching Formal Methods to Future Engineers