From: Peter Amey <peter.amey@praxis-cs.co.uk>
Subject: Re: Buffer overflow Article - CACM
Date: Tue, 29 Nov 2005 10:48:37 +0000
Date: 2005-11-29T10:48:37+00:00 [thread overview]
Message-ID: <3v2q06F13pfa3U1@individual.net> (raw)
In-Reply-To: <1133252164.539307.165050@g49g2000cwa.googlegroups.com>
Harald Korneliussen wrote:
> Peter Amey wrote:
>
>>OF course, using SPARK, we can statically prove the absence of buffer
>>overflows (and many other potential exploits) and thus add precisely
>>nothing in the form of a run-time overhead!
>>
>>Peter
>
>
> I though that with SPARK, you have to write your program with no moving
> parts (or dynamic data structures) and then supply a suite of proofs,
> which may be quite hard, even with the assistant? How often is this
> practical?
>
Obviously how hard it is it depends what it is you are trying to prove.
Proving that a SPARK program is free from all run-time errors (of
which "buffer overflow" is but one) is remarkably straightforward. A
majority of SPARK users are using this technology in an industrial
setting on a regular basis.
For exception-freedom proof, you do not have to add extra annotations,
the Examiner generates the necessary proof obligations from the language
rules of Ada; it essentially generates proof obligations that mirror
what the LRM requires for run-time checks. It is necessary to provide
some extra information, such as the bounds of the predefined types such
as Integer using a configuration file mechanism.
The Simplifier tool, that comes with the SPARK Examiner, usually
discharges over 95% of the resulting verification conditions (assuming
the code is correct of course!). Sometimes the process prompts the
addition of a precondition here and there which is, of course, extremely
useful intelligence for future maintenance of the software.
This paper: http://www.praxis-his.com/pdfs/Industrial_strength.pdf gives
an overview of the process. The Simplifier hit rate has gone up sharply
since it was written but the principles are the same.
regards
Peter
next prev parent reply other threads:[~2005-11-29 10:48 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-13 5:14 Buffer overflow Article - CACM adaworks
2005-11-13 7:35 ` tmoran
2005-11-13 8:49 ` Martin Krischik
2005-11-13 11:55 ` Georg Bauhaus
2005-11-13 14:58 ` Florian Weimer
2005-11-14 13:44 ` Marc A. Criley
2005-11-14 19:13 ` Martin Krischik
2005-11-13 15:02 ` Florian Weimer
2005-11-13 15:44 ` Stephen Leake
2005-11-14 14:40 ` adaworks
2005-11-13 23:57 ` Jeffrey R. Carter
2005-11-14 6:51 ` Martin Dowie
2005-11-14 17:55 ` Jeffrey R. Carter
2005-11-15 9:14 ` Martin Dowie
2005-11-14 7:09 ` Pascal Obry
2005-11-14 8:35 ` Dmitry A. Kazakov
2005-11-14 20:57 ` Simon Wright
2005-11-15 8:49 ` Dmitry A. Kazakov
2005-11-15 14:03 ` Georg Bauhaus
2005-11-15 15:14 ` Dmitry A. Kazakov
2005-11-15 22:32 ` Georg Bauhaus
2005-11-16 1:21 ` Robert A Duff
2005-11-16 9:26 ` Dmitry A. Kazakov
2005-11-16 13:02 ` adaworks
2005-11-17 11:13 ` Martin Dowie
2005-11-14 17:58 ` Jeffrey R. Carter
2005-11-14 18:44 ` Larry Kilgallen
2005-11-25 5:56 ` Christopher Browne
2005-11-26 1:31 ` Jeffrey R. Carter
2005-11-27 21:36 ` adaworks
2005-11-28 12:12 ` Simon Clubley
2005-12-01 2:35 ` robin
2005-12-01 7:05 ` adaworks
2005-12-03 13:42 ` robin
2005-12-03 18:18 ` adaworks
2005-12-12 1:23 ` robin
2005-12-31 7:39 ` robin
2005-12-31 17:03 ` Georg Bauhaus
2006-01-01 12:12 ` Martin Krischik
2006-01-01 23:12 ` robin
2006-01-02 3:37 ` jimmaureenrogers
2006-01-12 22:10 ` robin
2006-01-03 9:52 ` Georg Bauhaus
2006-01-12 22:10 ` robin
2006-01-12 22:36 ` Georg Bauhaus
2006-01-13 19:53 ` Keith Thompson
2006-01-13 20:22 ` Dan Nagle
2006-01-14 17:50 ` Björn Persson
[not found] ` <12ces1lv5dvm6pifdapj11o1hrtlm6ec7q@4ax.com>
2006-01-13 23:28 ` robin
2005-11-30 15:27 ` robin
2005-11-14 10:17 ` Peter Amey
2005-11-29 8:16 ` Harald Korneliussen
2005-11-29 10:48 ` Peter Amey [this message]
2005-11-30 21:21 ` Brian May
2005-12-01 5:36 ` Jeffrey R. Carter
2005-12-01 9:01 ` Harald Korneliussen
2005-12-01 11:21 ` Martin Dowie
2005-12-01 17:58 ` Jeffrey R. Carter
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox