formal methods and cryptography
play

Formal Methods and Cryptography Lecture 25 Formal Methods Formal - PowerPoint PPT Presentation

Sep 27, 2023 •433 likes •1.67k views

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

  1. Modeling e.g. Dolev-Yao Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt” For each user X, public operation E X and private operation D X D X (E X (m)) can be rewritten as m Separate(Pair(a,b)) gives a,b No other rewritings; each party can use terms it received and rewrite them (according to the protocol); adversary can obtain the closure of all terms sent out in the network

  2. Security Properties - 1

  3. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

  4. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary

  5. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property

  6. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)] ) and the adversary also outputting R (event [Eve:(output,R)] )

  7. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)] ) and the adversary also outputting R (event [Eve:(output,R)] ) e.g.: (in BAN logic) “(A believes B said X) at some point ⇒ (B said X) before that point”

  8. Security Properties - 2

  9. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security

  10. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs

  11. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs To define security of a protocol, define an ideal protocol (think as ideal functionality, combined with a simulator for the “dummy adversary”) and require that the two systems are observationally equivalent

  12. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs To define security of a protocol, define an ideal protocol (think as ideal functionality, combined with a simulator for the “dummy adversary”) and require that the two systems are observationally equivalent Limitation: original spi calculus incorporated an ideal shared-key encryption and no other cryptographic features; extensions typically limited to secure communication tasks

  13. An Example

  14. An Example Needham-Schroeder-Lowe (public-key) protocol

  15. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication”

  16. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement”

  17. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has)

  18. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has) The nonce should be useful as a secret shared-key

  19. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has) The nonce should be useful as a secret shared-key Most formal frameworks use this example, to show that they can find the bug in the original Needham-Schroeder protocol (1978)

  20. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has) The nonce should be useful as a secret shared-key Most formal frameworks use this example, to show that they can find the bug in the original Needham-Schroeder protocol (1978) Or new bugs in extended settings

  21. Initiator ( M init ): Responder ( M resp ): initialize ( self , other ); initialize ( self , other ); newrandom ( na ); receive ( a na enc ); pair ( self , na , a na ); decrypt ( self , a na enc , a na ); encrypt ( other , a na , a na enc ); separate ( a na , a , na ); send ( a na enc ); test ( a == other ); receive ( b na nb enc ); newrandom ( nb ); decrypt ( self , b na nb enc , b na nb ); pair ( other , na , b na ); separate ( b na nb , b , na nb ); pair ( b na , nb , b na nb ); test ( b == other ); encrypt ( other , b na nb , b na nb enc ); separate ( na nb , na2 , nb ); send ( b na nb enc ); test ( na == na2 ); receive ( nb enc ); encrypt ( other , nb , nb enc ); decrypt ( self , nb enc , nb2 ); send ( nb enc ); test ( nb == nb2 ); pair ( self , other , a b ); pair ( self , x , b a x ); pair ( a b , x , a b x ); pair ( Finished , b a x , out ); pair ( Finished , a b x , out ); output ( out ); output ( out ); done ; done ; Version 1: x = na (Initiator’s nonce output as secret key) Version 2: x = nb (Responder’s nonce output as secret key) [NSL protocol, from Canetti-Herzog 2006]

  22. Automated Analysis

  23. Automated Analysis Not necessarily very efficient

  24. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system

  25. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system Typically undecidable when allowing an unbounded number of concurrent sessions

  26. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system Typically undecidable when allowing an unbounded number of concurrent sessions Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (e.g., single session)

  27. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system Typically undecidable when allowing an unbounded number of concurrent sessions Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (e.g., single session) Sometimes state-exploration (using model-checking tools) can be used to discover (some) flaws, but does not prove security

  28. What does Security in a Formal Model mean?

  29. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic)

  30. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic) Possibly achievable in random-oracle model or generic-group model

  31. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic) Possibly achievable in random-oracle model or generic-group model Security guarantee similar in spirit to these heuristic models

  32. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic) Possibly achievable in random-oracle model or generic-group model Security guarantee similar in spirit to these heuristic models Security against adversaries who use only operations permitted by the formal model

  33. What does Security in a Formal Model mean?

  34. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

  35. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model

  36. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model A formal model is “sound” if we can do the following:

  37. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model A formal model is “sound” if we can do the following: Translate protocol in computational model to formal model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

  38. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model In a specific A formal model is “sound” if we can do the following: format, using only specific Translate protocol in computational model to formal primitives model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

  39. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model In a specific A formal model is “sound” if we can do the following: format, using only specific Translate protocol in computational model to formal primitives model. Get security guarantee for it in formal model. If primitives This should imply security of the original protocol in the satisfy computational model certain security definitions

  40. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model In a specific A formal model is “sound” if we can do the following: format, using only specific Translate protocol in computational model to formal primitives model. Get security guarantee for it in formal model. If primitives This should imply security of the original protocol in the satisfy computational model certain security Soundness of the formal model and formal security definitions property for the computational task and primitive used

  41. Soundness of Formal Models

  42. Soundness of Formal Models Initiated by Abadi-Rogaway (2001)

  43. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model

  44. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus)

  45. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus) Recent works incorporate signatures, NIZK proofs etc.

  46. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus) Recent works incorporate signatures, NIZK proofs etc. Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption)

  47. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus) Recent works incorporate signatures, NIZK proofs etc. Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption) Somewhat general frameworks: e.g., Backes et al. (CCS 2009)

  48. Soundness of Formal Models

  49. Soundness of Formal Models Several challenges

  50. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness

  51. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness If model is too general, becomes hard/intractable to automatically reason

  52. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness If model is too general, becomes hard/intractable to automatically reason Promising approach: Universal Composition -- require stronger per-session security that will allow decomposing the analysis to be per-session

  53. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness If model is too general, becomes hard/intractable to automatically reason Promising approach: Universal Composition -- require stronger per-session security that will allow decomposing the analysis to be per-session Only a few security properties have been considered (related to authentication and secure communication). Need to identify automatically verifiable (and sufficient) criteria for each new task

  54. Universal Composition

  55. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

  56. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

  57. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment

  58. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions

  59. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions Drawback: a strong security requirement that is more “expensive” to realize

  60. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions Drawback: a strong security requirement that is more “expensive” to realize Advantages: 1. Security for concurrent sessions. 2. Easy to use as a sub-module in higher level protocols and analyze security. Analysis of higher level protocols often “automatable”

  61. Composition Logic

  62. Composition Logic Ongoing research

  63. Composition Logic Ongoing research Protocol Composition Logic of Mitchell et al.

  64. Composition Logic Ongoing research Protocol Composition Logic of Mitchell et al. Formal model and soundness theorems by Canetti-Herzog

Recommend

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends? http://miTLS.org Karthik Bhargavan Markulf Kohlweiss with Antoine Delignat-Lavaud, Cdric Fournet, Alfredo Pironti, Pierre-Yves Strub, Santiago Zanella

639 views • 46 slides
Formal Methods for Cryptography Santiago Zanella-B eguelin santiago@microsoft.com Cambridge,

Formal Methods for Cryptography Santiago Zanella-B eguelin santiago@microsoft.com Cambridge,

Formal Methods for Cryptography Santiago Zanella-B eguelin santiago@microsoft.com Cambridge, UK 2013.03.0408 18th Estonian Winter School in Computer Science EWSCS 2013 EasyCrypt pipeline ProofGeneral Frontend Emacs Shell EasyCrypt

724 views • 47 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4) Contents INTRODUCTION INTRODUCTION DEFINITION AND OVERVIEW OF FORMAL METHODS SPECIFICATION METHODS LIFE CYCLES AND

317 views • 19 slides
Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process What are Formal Methods? Advantages and Disadvantages of Formal Methods Formal Methods in the Requirement Process Mathematical Formulas

561 views • 20 slides
THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING LOGIC Peter Olveczky University of Oslo FMfun19, December 3, 2019 OUTLINE How to introduce formal methods to undergraduates? Fun!

1.95k views • 171 slides
Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal Methods Symposium NASA HQ, Washington DC 14th April 2010 (09:0010:00) 0 Table of contents Intels diverse verification problems Verifying

834 views • 45 slides
A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004 Purpose of the Course - Giving some insights about Formal Methods - Showing that Formal Methods can be made practical - Illustrating Formal Methods

1.25k views • 112 slides
Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

F F F Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T M&&T June 27, 03 Formal Methods && Tools Group - ISTI CNR CAF - 1 F F F Outline Overview of the Formal Methods

276 views • 23 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

Preliminaries Hallmarks of a Formal Approach Formal Systems in Information Technology 1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January 15, 2014 Generated on Wednesday 15 th January, 2014, 09:54

517 views • 49 slides
Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in Mathematics January 8, 2020 1 / 35 marijn@cmu.edu Computer-Aided Mathematics Chromatic Number of the Plane Clausal Proof Optimization

634 views • 52 slides
Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby

Software Verification/Validation Methods and Tools . . . or Practical Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Practical Formal Methods: 1 Need: Growing Importance and Cost of

278 views • 12 slides
Lecture Outline 1. Course summary 2. Beyond the course DD2452 Formal Methods 3. Exam

Lecture Outline 1. Course summary 2. Beyond the course DD2452 Formal Methods 3. Exam

Lecture Outline 1. Course summary 2. Beyond the course DD2452 Formal Methods 3. Exam preparation 4. Course evaluation Concluding Lecture 1. Course Summary Formal Verification Formal methods : Two possibilities : correctness by

498 views • 3 slides
Procurement Plan Formal Procurement Formal Procurement Methods Invitation for Bid (IFB)

Procurement Plan Formal Procurement Formal Procurement Methods Invitation for Bid (IFB)

Procurement Plan Formal Procurement Formal Procurement Methods Invitation for Bid (IFB) Competitive Proposal (RFP) Advertising the Procurement The announcement of an IFB or RFP must be announced in ways that do not restrict free

995 views • 46 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Opportunities for Industrial Applications of Formal Methods John Rushby Computer Science

Opportunities for Industrial Applications of Formal Methods John Rushby Computer Science

Opportunities for Industrial Applications of Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I CAL Inauguration Seminar: 1 Formal Methods These are ways for exploring properties

740 views • 45 slides
1 FM does not replace testing! Why Use Formal Methods Reduces burden on testing phases to

1 FM does not replace testing! Why Use Formal Methods Reduces burden on testing phases to

Topics Introduction and terminology Overview of Formal Methods FM and Software Engineering Applications of FM Propositional and Predicate Logic Program derivation Intuitive program verification Algebraic Specifications

174 views • 5 slides
Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en

Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en

Program verification Formal arithmetic Decision procedures Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en Informatique INRIA SaclayIdF, Universit e Paris Sud, CNRS October 28, 2009

1.07k views • 77 slides

More recommend