A verified encrypted packet interface
Of the lemmas enumerated above, all but two were proved mechanically with the Gypsy and Affirm theorem provers. The other two fall into the category of Gypsy type-specific lemmas: simple facts about the data types which should have been reduced, but are not currently handled, by the algebraic simplifier.

Normal application of the Gypsy methods for verifying concurrent programs involves proving theorems that contain various relations over buffer histories. Since these histories are instances of the sequence data type, the heart of such a proof is often showing that certain properties of specific sequence types hold. Many of these properties are best proved by structural induction, a proof method not currently supported by the Gypsy prover. The Affirm system, on the other hand, directly supports this kind of proof. Several lemmas of this type were required to complete the proof of the Alternating Bit Protocol, so an attempt was made to apply the Affirm prover to this task.

The lemmas arose from the concurrent part of the proof, i.e. the verification condition for "ab-protocol". In the Gypsy proof, four lemmas were used and assumed, and these were subsequently carried over to the Affirm system for proof. One of them can be thought of as the key lemma that makes the Alternating Bit Protocol work; the others are lesser theorems. In the proof of this key lemma, additional supporting Affirm lemmas were put forth and proved.

The procedure for combining proofs on the two systems was as follows.

1. The first step was to arrive at a common concept of sequences. A subset of the Gypsy sequence operators was chosen and mapped into the corresponding operators in the Affirm standard type specification for sequence.

2. This basic sequence type was then instantiated to get sequences with appropriate element types. The domain-specific and type-specific functions expressed in Gypsy were then mapped onto these type specifications as additional operators. The function definitions were introduced as axioms so they could be applied as rewrite rules.

3. Finally, the required lemmas were expressed in terms of these new types and functions, and proofs were carried out with the Affirm prover. Intermediate lemmas were further introduced as needed.

The Alternating Bit Protocol has been modeled using the Gypsy methodology for concurrent programming. A comprehensive safety property was stated and the …
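The buffer-history reasoning described above, as an added example that is not code from the paper or from the Gypsy or Affirm systems: a small Python model of the Alternating Bit Protocol over a lossy, duplicating channel. The receiver's output is written as a structurally recursive function of its frame history, which is the shape of sequence-valued function the passage says is best handled by structural induction. The safety property checked here (the delivered sequence is a prefix of the sent sequence and agrees with the history function) is the standard ABP correctness condition and is an assumption, since the page does not state its lemmas; the messages and the channel scripts are constructed.

```python
"""Alternating Bit Protocol model over a lossy, duplicating FIFO channel.

Both channel directions are driven by a constructed, deterministic script
(one action per transmission) so the run is reproducible offline:
  "ok"   deliver the message once
  "drop" lose the message
  "dup"  deliver the message twice
The safety property checked below is the standard ABP condition, assumed
here because the paper's actual lemma text is not on the page.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    bit: int      # alternating bit, 0 or 1
    data: str


@dataclass(frozen=True)
class Ack:
    bit: int      # bit of the frame being acknowledged


def channel(msg, action: str) -> list:
    """Apply one script action; return the copies that leave the channel."""
    if action == "ok":
        return [msg]
    if action == "drop":
        return []
    if action == "dup":
        return [msg, msg]
    raise ValueError(f"unknown channel action {action!r}")


def delivered_from_history(frames: Sequence[Frame], expected: int = 0) -> List[str]:
    """Receiver output as a structurally recursive function of its frame history.

    A frame is delivered iff its bit matches the bit the receiver expects, and
    a delivery flips the expected bit.  Defined by recursion on the history so
    that properties of it can be proved by structural induction on sequences.
    """
    if not frames:
        return []
    head, tail = frames[0], frames[1:]
    if head.bit == expected:
        return [head.data] + delivered_from_history(tail, 1 - expected)
    return delivered_from_history(tail, expected)


def run_abp(msgs: Sequence[str], data_script: Sequence[str],
            ack_script: Sequence[str]) -> Tuple[List[str], List[Frame]]:
    """Run sender and receiver until every message is acked or the script ends.

    Returns (data delivered in order, history of frames the receiver saw).
    Each loop iteration is one (re)transmission, i.e. one sender timeout.
    """
    next_idx, send_bit = 0, 0        # sender state
    expected = 0                     # receiver state
    delivered: List[str] = []
    frame_history: List[Frame] = []
    data_actions = iter(data_script)
    ack_actions = iter(ack_script)

    while next_idx < len(msgs):
        try:
            d_act = next(data_actions)
        except StopIteration:
            break                    # script exhausted: protocol stops early
        acked = False
        for frame in channel(Frame(send_bit, msgs[next_idx]), d_act):
            frame_history.append(frame)
            if frame.bit == expected:
                delivered.append(frame.data)
                expected = 1 - expected
            # The receiver acks the bit it just saw, even for a duplicate.
            try:
                a_act = next(ack_actions)
            except StopIteration:
                a_act = "drop"
            for ack in channel(Ack(frame.bit), a_act):
                if ack.bit == send_bit:
                    acked = True
        if acked:
            next_idx += 1
            send_bit = 1 - send_bit
    return delivered, frame_history


def is_prefix(short: Sequence, long: Sequence) -> bool:
    return list(long[: len(short)]) == list(short)


def check_safety(msgs: Sequence[str], data_script: Sequence[str],
                 ack_script: Sequence[str]) -> dict:
    """Run the protocol and evaluate the (assumed) safety property on the result."""
    delivered, hist = run_abp(msgs, data_script, ack_script)
    return {
        "delivered": delivered,
        "prefix_of_sent": is_prefix(delivered, msgs),
        "matches_history_function": delivered == delivered_from_history(hist),
        "complete": delivered == list(msgs),
    }


if __name__ == "__main__":
    # Constructed trace: a lost frame, a duplicated frame, two lost acks.
    print(check_safety(["m0", "m1", "m2", "m3"],
                       ["drop", "dup", "ok", "ok", "drop", "ok", "ok"],
                       ["ok", "drop", "drop", "dup", "ok", "ok"]))
```

The point of `delivered_from_history` is that it depends only on the receiver's history, not on the stateful loop, which is what lets a property such as "the delivered sequence is a prefix of the sent one" be reduced to a lemma about sequences and discharged by induction on the history.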