VeTSpec: Verified Trustworthy Software Specification
Lead Research Organisation:
Imperial College London
Department Name: Computing
Abstract
Modern society faces a fundamental problem: the reliability of complex, evolving software systems on which it critically depends cannot be guaranteed by the established, non-mathematical techniques, such as informal prose specification and ad-hoc testing. Modern companies are moving fast, leaving little time for code analysis and testing; concurrent and distributed programs cannot be adequately assessed via traditional testing methods; users of mobile applications neglect to apply software fixes; and malicious users increasingly exploit programming errors, causing major security disruptions. Trustworthy, reliable software is becoming harder to achieve, whilst new business and cyber-security challenges make it of escalating importance.
Developers cope with complexity using abstraction: the breaking up of systems into components and layers connected via software interfaces. These interfaces are described using specifications: for example, documentation in English; test suites with varying degrees of rigour; static typing embedded in programming languages; and formal specifications written in various logics. In computer science, despite widespread agreement on the importance of abstraction, specifications are often seen as an afterthought and a hindrance to software development, and are rarely justified.
Formal specification as part of the industrial software design process is in its infancy. My over-arching research vision is to bring scientific, mathematical method to the specification and verification of modern software systems. A fundamental unifying theme of my current work is my unique emphasis on what it means for a formal specification to be appropriate for the task in hand, properly evaluated and useful for real-world applications. Specifications should be validated, with proper evidence that they describe what they should. This validation can come in many forms, from formal verification through systematic testing to precise argumentation that a formal specification accurately captures an English standard. Specifications should be useful, identifying compositional building blocks that are intuitive and helpful to clients both now and in future. Specifications should be just right, providing a clear logical boundary between implementations and client programs.
VeTSpec has four related objectives, exploring different strengths of program specification, real-world program library specification and mechanised language specification, in each case determining what it means for the specification to be appropriate, properly evaluated and useful for real-world applications.
Objective A: Tractable reasoning about concurrency and distribution is a long-standing, difficult problem. I will develop the fundamental theory for the verified specification of concurrent programs and distributed systems, focussing on safety properties for programs based on primitive atomic commands, safety properties for programs based on more complex atomic transactions used in software transactional memory and distributed databases, and progress properties.
Objective B: JavaScript is the most widespread dynamic language, used by 94.8% of websites. Its dynamic nature and complex semantics make it a difficult target for verified specification. I will develop logic-based analysis tools for the specification, verification and testing of JavaScript programs, intertwining theoretical results with properly engineered tool development.
Objective C: The mechanised specification of real-world programming languages is well-established. Such specifications are difficult to maintain and their use is not fully explored. I will provide a maintainable mechanised specification of Javascript, together with systematic test generation from this specification.
Objective D: I will explore fundamental, conceptual questions associated with the ambitious VeTSpec goal to bring scientific, mathematical method to the specification of modern software systems.
Developers cope with complexity using abstraction: the breaking up of systems into components and layers connected via software interfaces. These interfaces are described using specifications: for example, documentation in English; test suites with varying degrees of rigour; static typing embedded in programming languages; and formal specifications written in various logics. In computer science, despite widespread agreement on the importance of abstraction, specifications are often seen as an afterthought and a hindrance to software development, and are rarely justified.
Formal specification as part of the industrial software design process is in its infancy. My over-arching research vision is to bring scientific, mathematical method to the specification and verification of modern software systems. A fundamental unifying theme of my current work is my unique emphasis on what it means for a formal specification to be appropriate for the task in hand, properly evaluated and useful for real-world applications. Specifications should be validated, with proper evidence that they describe what they should. This validation can come in many forms, from formal verification through systematic testing to precise argumentation that a formal specification accurately captures an English standard. Specifications should be useful, identifying compositional building blocks that are intuitive and helpful to clients both now and in future. Specifications should be just right, providing a clear logical boundary between implementations and client programs.
VeTSpec has four related objectives, exploring different strengths of program specification, real-world program library specification and mechanised language specification, in each case determining what it means for the specification to be appropriate, properly evaluated and useful for real-world applications.
Objective A: Tractable reasoning about concurrency and distribution is a long-standing, difficult problem. I will develop the fundamental theory for the verified specification of concurrent programs and distributed systems, focussing on safety properties for programs based on primitive atomic commands, safety properties for programs based on more complex atomic transactions used in software transactional memory and distributed databases, and progress properties.
Objective B: JavaScript is the most widespread dynamic language, used by 94.8% of websites. Its dynamic nature and complex semantics make it a difficult target for verified specification. I will develop logic-based analysis tools for the specification, verification and testing of JavaScript programs, intertwining theoretical results with properly engineered tool development.
Objective C: The mechanised specification of real-world programming languages is well-established. Such specifications are difficult to maintain and their use is not fully explored. I will provide a maintainable mechanised specification of Javascript, together with systematic test generation from this specification.
Objective D: I will explore fundamental, conceptual questions associated with the ambitious VeTSpec goal to bring scientific, mathematical method to the specification of modern software systems.
Planned Impact
I summarise the significant long-term academic, industrial, economic, governmental and societal impact that VeTSpec offers. I emphasise my strong focus on delivering widespread impact beyond academia: on industry, via technology transfer and targeted dissemination; and on society in general via interaction with GCHQ, government and outreach.
Academic Impact
As outlined in 'Academic Beneficiaries', VeTSpec will have substantial academic impact, influencing both theoretical and practical research in program analysis and verification, and contributing to the next generation of research leaders in academia.
Impact on Industry
VeTSpec research will help bring formal specification and verification into the industrial software design process, resulting in broad, sustainable, long-term industrial impact. Engagement with my industrial partners at ARM (Chong, Reid), Amazon (Cook), Facebook (O'Hearn), Google (Miller, also on the ECMAScript Committee), and IBM (Dolby), is vital to achieving this. These partners will provide challenging examples to drive the VeTSpec foundational research, and will contribute by evaluating prototypes of the tools arising from the project, and helping me identify and capitalise on industrial impact opportunities. Economic impact will arise from the reduction in effort required for software maintenance due to the high degree of reliability that program specification and verification offer.
VeTSpec research will have impact on programming language and library standards. VeTSpec will provide a maintainable formal specification of JavaScript (C1), a concurrent specification of POSIX (A1), and several formal specifications of libraries and benchmarks. By engaging with the organisations that manage these languages, libraries and benchmarks, such as ECMAScript for JavaScript, the Austin Group for POSIX, and Erlang Solutions for the Erlang language, I will achieve valuable technology transfer to industry.
VeTSpec research will have impact on the industrial program developer. My partners are at the cutting edge of industrial specification and tool building, and, in turn, have huge impact on expert and non-expert developers in their respective industries, analysing millions of lines of code, deployed in products used regularly by billions of people. In particular, my work on fundamental theory and prototype tools is of direct interest to O'Hearn in Facebook, and my work on logic-based analysis tools for analysing JavaScript programs is of direct interest to Amazon, Facebook and IBM.
Governmental and Societal Impact
VeTSpec will influence the wider community interested in analysis and verification: those responsible for high-grade industry software certification at GCHQ and NCSC (partner Burns); those developing high-grade industrial software; and those representing cybersecurity inside government. For example, I have recently been invited to the NCSC Research Advisory Group, with the remit to be a 'critical friend'. I have also been asked to write a short position paper on 'Verified Trustworthy Software Systems' for civil servants representing the 'Secure by Default' programme and the 'CyberInvest' programme, so that they can better represent analysis and verification in strategy meetings. My industrial and academic impact plans will, in turn, generate wider societal impact, by leading to higher-quality software for end-users that is hardened against malicious attackers. To maximise societal impact, I will do outreach and advocacy activities to make the government and the general public aware of our research.
Academic Impact
As outlined in 'Academic Beneficiaries', VeTSpec will have substantial academic impact, influencing both theoretical and practical research in program analysis and verification, and contributing to the next generation of research leaders in academia.
Impact on Industry
VeTSpec research will help bring formal specification and verification into the industrial software design process, resulting in broad, sustainable, long-term industrial impact. Engagement with my industrial partners at ARM (Chong, Reid), Amazon (Cook), Facebook (O'Hearn), Google (Miller, also on the ECMAScript Committee), and IBM (Dolby), is vital to achieving this. These partners will provide challenging examples to drive the VeTSpec foundational research, and will contribute by evaluating prototypes of the tools arising from the project, and helping me identify and capitalise on industrial impact opportunities. Economic impact will arise from the reduction in effort required for software maintenance due to the high degree of reliability that program specification and verification offer.
VeTSpec research will have impact on programming language and library standards. VeTSpec will provide a maintainable formal specification of JavaScript (C1), a concurrent specification of POSIX (A1), and several formal specifications of libraries and benchmarks. By engaging with the organisations that manage these languages, libraries and benchmarks, such as ECMAScript for JavaScript, the Austin Group for POSIX, and Erlang Solutions for the Erlang language, I will achieve valuable technology transfer to industry.
VeTSpec research will have impact on the industrial program developer. My partners are at the cutting edge of industrial specification and tool building, and, in turn, have huge impact on expert and non-expert developers in their respective industries, analysing millions of lines of code, deployed in products used regularly by billions of people. In particular, my work on fundamental theory and prototype tools is of direct interest to O'Hearn in Facebook, and my work on logic-based analysis tools for analysing JavaScript programs is of direct interest to Amazon, Facebook and IBM.
Governmental and Societal Impact
VeTSpec will influence the wider community interested in analysis and verification: those responsible for high-grade industry software certification at GCHQ and NCSC (partner Burns); those developing high-grade industrial software; and those representing cybersecurity inside government. For example, I have recently been invited to the NCSC Research Advisory Group, with the remit to be a 'critical friend'. I have also been asked to write a short position paper on 'Verified Trustworthy Software Systems' for civil servants representing the 'Secure by Default' programme and the 'CyberInvest' programme, so that they can better represent analysis and verification in strategy meetings. My industrial and academic impact plans will, in turn, generate wider societal impact, by leading to higher-quality software for end-users that is hardened against malicious attackers. To maximise societal impact, I will do outreach and advocacy activities to make the government and the general public aware of our research.
Organisations
- Imperial College London (Fellow, Lead Research Organisation)
- University of Lisbon (Collaboration)
- UNIVERSITY OF CAMBRIDGE (Collaboration)
- University of Toronto (Collaboration, Project Partner)
- Inria Rennes - Bretagne Atlantique Research Centre (Collaboration)
- Max Planck Institute for Software Systems (Collaboration)
- Aarhus University (Project Partner)
- Amazon Web Services (UK) (Project Partner)
- Google (United States) (Project Partner)
- French Institute for Research in Computer Science and Automation (Project Partner)
- ARM (United Kingdom) (Project Partner)
- IBM (United States) (Project Partner)
- University of Cambridge (Project Partner)
- Korea Advanced Institute of Science and Technology (Project Partner)
- Government Communications Headquarters (Project Partner)
- Max Planck Institutes (Project Partner)
- Facebook UK (Project Partner)
People |
ORCID iD |
| Philippa Gardner (Principal Investigator / Fellow) |
Publications
Bodin M
(2019)
Skeletal semantics and their interpretations
in Proceedings of the ACM on Programming Languages
D'Osualdo E
(2021)
TaDA Live: Compositional Reasoning for Termination of Fine-grained Concurrent Programs
in ACM Transactions on Programming Languages and Systems
Donald M
(2022)
A Research Protocol for Implementation and Evaluation of a Patient-Focused eHealth Intervention for Chronic Kidney Disease.
in Global implementation research and applications
Fragoso Santos J
(2019)
JaVerT 2.0: compositional symbolic execution for JavaScript
in Proceedings of the ACM on Programming Languages
Fragoso Santos J
(2020)
Gillian, part i: a multi-language platform for symbolic execution
Paulus J
(2023)
Termination in Concurrency, Revisited
Watt C.
(2019)
A Program Logic for First-Order Encapsulated WebAssembly
Xiong, S.
(2020)
Parametric Operational Semantics for Consistency Models
| Description | Reasoning about Concurrent Programs (Objective A). Scalable reasoning for concurrent programs with shared memory is a long-standing, difficult problem, due to complex interactions between processes competing for shared resource. O'Hearn introduced concurrent separation logic (CSL, Godel prize, 2016) to provide scalable verification of course-grained concurrent programs with built-in synchronisation primitives. By introducing abstraction to CSL, Gardner has substantially contributed to developing scalable verification for concurrent programs in general, by introducing logical abstraction (the CAP logic) and logical atomicity (the TaDA logic) and verifying some of the most advanced examples of concurrent behaviour (concurrent B-trees and skip lists in java.util.concurrent; POSIX file systems). With D'Osualdo (Imperial then MPI-SWS) and Farzan (Toronto), Gardner has developed TaDA Live, a concurrent separation logic for reasoning compositionally about the termination of concurrent programs. The crucial challenge is how to deal with abstract atomic blocking: that is, abstract atomic operations that have blocking behaviour arising from, for example, fine-grained spin locks. The fundamental innovation of TaDA Live lies with the design of abstract specifications that capture this blocking behaviour, introducing liveness assumptions on the environment. This allows TaDA Live to reason about the termination of clients which use such operations without breaking their abstraction boundaries, and the correctness of the implementations of the operations with respect to their abstract specifications. The subtlety of TaDA live is illustrated using some of the most advanced examples of concurrent blocking behaviour. Semantics of Distributed Atomic Transactions (Objective A). Transactions are the de facto synchronisation mechanism in modern distributed databases. To achieve scalability and performance, distributed databases often use weak transactional consistency guarantees known as consistency models. Many consistency models were originally invented by engineers using (some quite informal) definitions specific to particular real-world reference implementations. More recently, general definitions of consistency model have been defined independently of particular implementations, either declaratively using execution graphs (well-studied) or operationally using abstract states or execution graphs (less well studied). The challenge has been to define a general semantics for weak consistency models with which we can both verify reference implementations and analyse the behaviour of client programs with respect to a particular consistency model. With Raad (Imperial then MPI-SWS), Gardner has introduced an interleaving operational semantics for describing the client-observational behaviour of atomic transactions on distributed key-value stores, verifying that the COPS replicated database and the Clock-SI partitioned database satisfy their consistency models using trace refinement, and proving invariant properties of client programs. JavaScript Analysis Tools (Objective B). The complex, dynamic nature of JavaScript makes it a difficult target for logical analysis. Building on JaVerT (verification based on separation logic) and Cosette (symbolic testing with Dolby, IBM NY) which uses the trusted infrastructure of JaVerT, JaVerT 2.0 provides a state-of-the-art symbolic execution tool which unifies semi-automatic symbolic testing, full verification and automatic symbolic testing based on a technique called bi-abduction developed for Meta's Infer analysis tool. JaVerT 2.0 was used to find bugs (fixed) in the real-world Buckets.js data-structure library. An extension of JaVerT 2.0, JaVerT.Click, which handles event-driven APIs for DOM and JavaScript, was used to find bugs (fixed) and provided bounded correctness results in real-world libraries (e.g. cash, a widely-used alternative to jQuery), including an internal library inside Amazon Prime. A Multi-language Platform for Symbolic Analysis (related to Objective B). Inspired by the JavaScript analysis tool JaVert 2.0, Gardner with Fragoso Santos (Imperial then Instituto Superior Tecnico, Lisbon) designed and built a platform for the development of symbolic-analysis tools for many programming languages which, unusually, is parametric on the memory model of the target language. Gillian has been instantiated to JavaScript and C, finding non-trivial bugs (fixed) in the real-world data-structure libraries Buckets.js and Collections-C (the performance is twice as fast as JaVerT 2.0 and competitive with the C tools), and finding bugs in and verifying the JavaScript and C implementations of the AWS Encryption SDK message header deserialisation module. The AWS work was done with help from an Amazon code developer, who annotates his code with first-order assertions. The work used his specifications where possible, and led to him fixing bugs and adapting (and improving) the code structure to accommodate the verification. Skeletons (Adaptation of Objective C). The challenge is to develop formal specifications and analyses of large real-world languages. Previous work between Imperial and Inria (Schmitt, Chargueraud) developed a Coq-mechanised JavaScript specification (JSCert, 900 rules), but could not achieve even a simple analysis (e.g. heap well-formedness). This work with Inria (Schmitt, Jensen, Bodin) introduces a Coq-mechanised skeletal semantics (http://skeletons.inria.fr), in which both the concrete specification and the abstract semantics are generated together, linked by a general correctness result. Inria is now developing skeletal analysis tools (https://gitlab.inria.fr/skeletons/necro/tree/master) with the ultimate aim to prove properties of the current JavaScript standard (now 1800 rules). This has now turned into a large project at Inria Rennes. Mechanised Specification for WebAssembly (Adaptation of Objective C). WebAssembly (Wasm) is a new bytecode language supported by all major Web browsers, designed primarily to be an efficient compilation target for low-level languages such as C/C++ and Rust. It is unusual in that it is officially specified through a formal semantics. An initial draft specification was published in 2017. Using the methodology for mechanising languages introduced in the JSCert project, Watt developed an associated mechanised specification in Isabelle/HOL that found bugs in the original specification (fixed before Wasm publication) and proved type soundness. The first official W3C standard, WebAssembly 1.0, was published in 2019. With Watt and Pichon (Cambridge) and Bodin (Imperial then Inria Grenoble), Gardner introduced two comprehensive mechanised specifications of the WebAssembly 1.0 industry standard, WasmCert-Isabelle and WasmCert-Coq written in different theorem provers, and proved type soundness. This is the first time that it is tractable to develop a trusted mechanisation of an industrial language standard whose core (at least) can be maintained. |
| Exploitation Route | Concurrency. Gardner's previous work on logical abstraction and abstract atomicity for concurrent separation logics underpins the large Iris project, centred in MPI-SWS, Aarhus and Nijmegen. The expectation is that the work of the Fellowship on environment liveness conditions will eventually be incorporated into Iris. Gillian Platform. Gillian has been used for bug-finding and verification of JavaScript and C code, requiring real engagement with developers inside Amazon Prime and Amazon Web Service. It will take substantial engineering to develop Gillian instantiations to a stage that can be used by others. There is already much interest in the ideas underpinning this platform by the developer community, as evidenced by the industrial and NCSC gifts and the many invitations to talk at developer conferences. WasmCert-Coq and WasmCert-Isabelle. The hope is that these mechanised specifications will be referenced by the Web Assembly Standard. The expectation is that these mechanised specifications of Web Assembly 1.0 will form the bedrock for many mechanisation projects on WebAssembly developed in Coq and Isabelle. |
| Sectors | Digital/Communication/Information Technologies (including Software) |
| URL | https://www.doc.ic.ac.uk/~pg/#publications-and-phd-theses |
| Description | Amazon Prime, London. JaVerT 2.0 was used to find bugs and provide bounded correctness results for an internal Amazon Prime library whilst Gabriela Sampaio was a PhD intern in 2021. Amazon Web Services (AWS). Gillian (CAV'21) was used to verify both the JavaScript and C implementations of the deserialisation procedure of the AWS Message Header, part of the AWS Encryption SDK Message Format, formally verifying properties that were previously written by an Amazon code developer as English comments. This is the first time that industrial-grade JavaScript code has been fully verified. It also demonstrates how data-structure specification and verification can be used across substantially different programming languages. Meta. Meta have established the viability of using continuously-integrated scalable analysis techniques inside the industrial design process, both at Meta and in many other companies, developing the tools INFER and PULSE based on compositional bi-abduction arising from separation logic. The modular design of JaVerT 2.0 (POPL'19) provides a fundamental understanding of bi-abduction, the pioneering compositional analysis technique used by the Facebook static analysis tool Infer, in terms of fixes arising from resource errors. The memory models of Gillian-C and Gillian-JavaScript dovetail with ideas arising from PULSE and incorrectness separation logic. |
| First Year Of Impact | 2019 |
| Sector | Digital/Communication/Information Technologies (including Software) |
| Description | Amazon Web Services, Research Gift: A Formally Verified Serialisation Module for the AWS Encryption SDK Message Format |
| Amount | £100,000 (GBP) |
| Organisation | Amazon.com |
| Department | Amazon Web Services |
| Sector | Private |
| Country | United States |
| Start | 08/2019 |
| Description | Genifer: A General Verification and Testing Framework |
| Amount | £74,526 (GBP) |
| Funding ID | RFA20789/4214910 |
| Organisation | Government Communications Headquarters (GCHQ) |
| Sector | Public |
| Country | United Kingdom |
| Start | 10/2019 |
| End | 03/2020 |
| Description | Research Gift: Gillian |
| Amount | $500,000 (USD) |
| Organisation | |
| Sector | Private |
| Country | United States |
| Start | 09/2020 |
| End | 09/2021 |
| Description | Emanuele D'Osualdo, MPI-SWS |
| Organisation | Max Planck Institute for Software Systems |
| Country | Germany |
| Sector | Public |
| PI Contribution | TaDA Live arose from a stream of work at Imperial on concurrent separation logics which started in 2010. D'Osualdo arrived in 2017 at Imperial, became an independent Marie Curie Fellow in 2018, and moved to MPI-SWS in 2020. |
| Collaborator Contribution | TaDA Live, including assistant supervision of a PhD student at Imperial on TaDA Live. |
| Impact | Publication: TaDA Live: Compositional Reasoning for Termination of Fine-grained Concurrent Programs. |
| Start Year | 2020 |
| Description | JaVerT and Gillian, José Fragoso Santos, Instituto Superior Técnico, Lisbon, Portugal. |
| Organisation | University of Lisbon |
| Department | Instituto Superior Tecnico |
| Country | Portugal |
| Sector | Academic/University |
| PI Contribution | Fragoso Santos was a postdoc at Imperial before moving to Lisbon. He has continued to work with us on JaVerT and Gillian. |
| Collaborator Contribution | Contributions to JaVerT and Gillian, assistant supervisor to a PhD student on JaVerT. Click for analysing JavaScript with events. |
| Impact | Publications: 1. Maksimovic P, Ayoun S, Santos J, Gardner P. (2021). Gillian, Part II: Real-World Verification for JavaScript and C. Computer Aided Verification - 33rd International Conference, CAV 2021, Virtual Event, July 20-23, 2021, Proceedings, Part II. (pp. 827-850). 2. Sampaio G, Fragoso Santos J, Maksimovic P, Gardner P. (2020). A Trusted Infrastructure for Symbolic Analysis of Event-Driven Web Applications. 3. Fragoso Santos J, Maksimovic P, Ayoun S, Gardner P, (2020). Gillian, part I: A Multi-language Platform for Symbolic Execution. Software: JaVerT.click, Gillian. |
| Start Year | 2019 |
| Description | Semantics for distributed transactions, Azalea Raad, MPI-SWS, Germany |
| Organisation | Max Planck Institute for Software Systems |
| Country | Germany |
| Sector | Public |
| PI Contribution | Raad was a PhD student and postdoc at Imperial before moving to MPI-SWS, and now she is back at Imperial as an academic. She worked with us on the semantics of distributed transactions, initially Imperial then at MPI-SWS. |
| Collaborator Contribution | Semantics of distributed transactions. |
| Impact | Publication: Xiong S., Cerone A., Raad A., Gardner P.. (2020). Data Consistency in Transactional Storage Systems: A Centralised Semantics. |
| Start Year | 2018 |
| Description | Skeletal semantics, Alan Schmitt, Thomas Jensen, Projet Celtique, INRIA Rennes, |
| Organisation | Inria Rennes - Bretagne Atlantique Research Centre |
| Country | France |
| Sector | Public |
| PI Contribution | This work was not initiated by us but we did make significant contributions to the foundational work and the Coq development. |
| Collaborator Contribution | Schmitt initiated this work on skeletal semantics, and there is now a large project at Inria Rennes centred on skeletons. |
| Impact | Publication: Bodin M, Gardner P, Jensen T, Schmitt A, (2019). Skeletal semantics and their interpretations. Proceedings of the ACM on Programming Languages. Software: Software - Coq formalisation of Skeletal Semantics (2019). |
| Start Year | 2018 |
| Description | TaDA Live, Azadeh Farzan, University of Toronto |
| Organisation | University of Toronto |
| Country | Canada |
| Sector | Academic/University |
| PI Contribution | The work on environment liveness conditions, introduced in TaDA Live, arose from a stream of work at Imperial on concurrent separation logics which started in 2010. Farzan visited us for three months in 2019 in order to work on this research stream which complements her research into concurrency. |
| Collaborator Contribution | Worked with us on TaDA live. |
| Impact | Publication, TaDA Live: Compositional Reasoning for Termination of Fine-grained Concurrent Programs. |
| Start Year | 2019 |
| Description | WebAssembly, Conrad Watt, Jean Pichon, Neel Krishnaswami, University of Cambridge |
| Organisation | University of Cambridge |
| Country | United Kingdom |
| Sector | Academic/University |
| PI Contribution | WasmCert-Coq, in collaboration with Watt and Pichon. Wasm program logic with Watt and Krishnaswami. |
| Collaborator Contribution | WasmCert-Coq, Watt and Pichon. Full development of WasmCert-Isabelle, Watt. Wasm program logic, Watt and Krishnaswami. |
| Impact | Publication: Watt C., Maksimovic P., Krishnaswami N., Gardner P.. (2019). A Program Logic for First-Order Encapsulated WebAssembly. |
| Start Year | 2019 |
| Title | Coq formalisation of Skeletal Semantics |
| Description | This software represents the mechanisation of all of the definitions, lemmas, and theorems of the paper: Martin Bodin, Philippa Gardner, Thomas Jensen, Alan Schmitt. 2019. Skeletal Semantics and their Interpretations. In ACM Symposium on Principles of Programming Languages (POPL'19). https://doi.org/10.1145/3290357. |
| Type Of Technology | Software |
| Year Produced | 2019 |
| Impact | N/A |
| URL | https://dl.acm.org/do/10.1145/3291651/full/ |
| Title | Gillian |
| Description | Gillian is a language-independent platform for the development of compositional symbolic analysis tools. It supports three flavours of analysis: whole-program symbolic testing, full verification, and bi-abduction. It comes with fully parametric meta-theoretical results and a modular implementation, designed to minimise the instantiation effort required of the user. Gillian has been instantiated to JavaScript and C and evaluated on both real-world code and custom-made data-structure libraries, obtaining results that indicate that Gillian is robust enough to reason about real-world programming languages and programs. |
| Type Of Technology | Software |
| Year Produced | 2020 |
| Open Source License? | Yes |
| Impact | Gillian has garnered interest from both academia (e.g., Cambridge), industry (e.g., Facebook, Amazon, Arm), and government (National Cyber Security Centre). It was used to verify JavaScript and C implementations of the AWS Message Header deserialisation procedure; this is the first full verification of industry-grade JavaScript code. The initial success of Gillian led to a Facebook gift to Prof. Gardner's group in the amount of £500K, with the purpose of further development. |
| URL | https://gillianplatform.github.io/ |
| Title | JaVerT 2.0: Compositional Symbolic Execution for JavaScript |
| Description | JaVerT 2.0 introduces a novel, unified approach to the development of compositional symbolic execution tools, bridging the gap between classical symbolic execution and compositional program reasoning based on separation logic. It supports whole-program symbolic testing, verification, and, for the first time, automatic compositional testing based on bi-abduction. The meta-theory underpinning JaVerT 2.0 is developed modularly, streamlining the proofs and informing the implementation. Our explicit treatment of symbolic execution errors allows us to give meaningful feedback to the developer during whole-program symbolic testing and guides the inference of resource of the bi-abductive execution. JaVerT 2.0 has been evaluated on a number of JavaScript data-structure libraries, demonstrating: the scalability of our whole-program symbolic testing; an improvement over the state-of-the-art in JavaScript verification; and the feasibility of automatic compositional testing for JavaScript. |
| Type Of Technology | Software |
| Year Produced | 2019 |
| Open Source License? | Yes |
| Impact | JaVerT 2.0 has won a Facebook Research award ($50K) and was part of a project to verify parts of the Amazon AWS Message Format management system, which then migrated to Gillian. JaVerT 2.0 was the starting point for JaVerT.click, an extension which has the ability to reason about event-driven programs that use the DOM and JavaScript constructs for asynchronous programming. |
| URL | https://dl.acm.org/doi/abs/10.1145/3290379 |
| Title | JaVerT.click |
| Description | We introduce a trusted infrastructure for symbolic analysis of modern event-driven Web applications. This infrastructure consists of reference implementations of the DOM Core Level 1 and UI Events, JavaScript Promises, and the JavaScript async/await APIs, all underpinned by a simple Core Event Semantics that is sufficiently expressive to describe the event models underlying all these APIs. Our reference implementations are trustworthy in that they follow the API respective standards line-by-line and they are thoroughly tested against the appropriate official test-suites, passing all the applicable tests. Using the Core Events Semantics and the reference implementations, we develop JaVerT.Click, a symbolic execution tool for JavaScript that, for the first time, supports reasoning about JavaScript programs that use some (possibly all) these APIs. |
| Type Of Technology | Software |
| Year Produced | 2020 |
| Open Source License? | Yes |
| Impact | JaVerT.Click was used to perform comprehensive symbolic testing of the events module of Cash, a widely-used jQuery alternative, creating a symbolic test suite with 100% line coverage, establishing bounded correctness of several essential properties of the module, and discovering two subtle, previously unknown bugs. As part of a project protected under an NDA, it was also used to analyse parts of the Amazon Prime Video codebase. |
| URL | https://drops.dagstuhl.de/opus/volltexte/2020/13202/ |
| Title | WasmCert |
| Description | Mechanisation of WebAssembly (Wasm) 1.0 in Coq and Isabelle, based on the official formalisation, including a proof of type soundness. |
| Type Of Technology | Software |
| Year Produced | 2021 |
| Open Source License? | Yes |
| Impact | N/A |
| URL | https://github.com/WasmCert |
| Description | Talk at Iris Workshop, Aarhus University, Denmark |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | The two-day workshop, held at Aarhus University, Denmark focused on Iris, a Higher-Order Concurrent Separation Logic Framework implemented and verified in the proof assistant Coq that can be used for reasoning about safety of concurrent programs. I gave a talk on joint work with collaborators at MPI,"Compositional Reasoning for the Termination of Fine-grained Concurrent Programs". This resulted in discussions of future collaborations, increased awareness of the research work done in the project, and strengthening of links with other universities. |
| Year(s) Of Engagement Activity | 2019 |
| URL | https://iris-project.org/workshop-2019/#invited |
| Description | UNESCO World Logic Day event |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Presentation and workshop at event to Logic as a vital and core part of Computing as part of the UNESCO World Logic day 2021. The workshop brought together PhD students, post-docs and academics working in areas where there is a need for logical inference or benefits and advantages in using logic-based methods. The event included presentations by members of Department of Computing, at Imperial College London showcasing advancements made in "Logic and Programming Languages" and "Logic and Artificial Intelligence". |
| Year(s) Of Engagement Activity | 2021 |
| URL | https://sites.google.com/view/imperial-worldlogicday2021/home |
| Description | Verified Software: From Theory to Practice, Isaac Newton Institute for Mathematical Sciences (INI), Cambridge |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | The workshop was attended by over 30 internationally recognized researchers working on the specification and verification of software-intensive systems. The workshop allowed participants to exchange of ideas between researchers facing the challenges of cutting-edge applications and theoreticians armed with the conceptual tools to potentially address these challenges. The discussions will then inform the INI scientific programme on Verified Software in the summer of 2022. |
| Year(s) Of Engagement Activity | 2021 |
| URL | https://www.newton.ac.uk/event/vsow03/ |
| Description | Verified Software: Tools and Experiments, Isaac Newton Institute for Mathematical Sciences (INI), Cambridge |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | Researchers at the workshop discussed integrated tool resources for automated formal methods with standardized interfaces and interchange and data/evidence formats that allow services and arguments to be composed and test cases and counterexamples to be shared across different formal models. The goal workshop was to lay the foundation for powerful automated tools and integrated tool suites that can be deployed in a range of large-scale experiments and case studies. |
| Year(s) Of Engagement Activity | 2021 |
| URL | https://www.newton.ac.uk/event/vsow04/ |