A synthesized and verified ordered broadcast service with diversity. What is an ordered broadcast service?
- A fault-tolerant service built using state machine replication.
- The service can still be used even when machines crash (up to a certain number of failures).
- The service receives requests from clients and ensures that the replicas deliver them in the same order.
- Ordered delivery is implemented by running consensus on the i-th command, for every i.
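The four points above describe the shape of the service rather than any particular protocol. The following added example (written for this page, not code from the synthesized service or from EventML/Nuprl) simulates that shape in Python: a replicated key/value state machine in which every log slot i is settled by one consensus instance, a replica applies decisions strictly in slot order even when it hears about them out of order, a crashed replica catches up from the decided log, and the service refuses to decide once fewer than a majority of replicas are alive. The per-slot consensus is an in-memory "first accepted proposal is final" oracle that preserves only the agreement and majority-availability properties; it is a stand-in for Paxos, Multi-Paxos or similar, and the commands, keys and the n=3, f=1 configuration are constructed for the demonstration.

```python
"""Replicated state machine on top of per-slot consensus (constructed simulation).

Each slot i is decided by its own consensus instance; real systems run a
protocol such as Paxos here. This oracle keeps two properties that matter for
the example: agreement (a slot never changes once decided) and availability
only while a majority of the n replicas is alive.
"""


class SlotConsensus:
    """One consensus instance per slot i. Stands in for a real protocol."""

    def __init__(self, n):
        self.n = n
        self.decided = {}  # slot -> command

    def propose(self, slot, cmd, live):
        # Availability: a decision needs a majority of the n replicas up.
        if len(live) < self.n // 2 + 1:
            raise RuntimeError("no majority: service unavailable")
        # Agreement: the first value accepted for a slot is final; later
        # proposals for the same slot learn the existing decision instead.
        return self.decided.setdefault(slot, cmd)


class Replica:
    def __init__(self, rid):
        self.rid = rid
        self.alive = True
        self.log = {}        # slot -> decided command
        self.next_apply = 0  # next slot to apply, in order
        self.state = {}      # key -> value (the replicated state)

    def learn(self, slot, cmd):
        """Record a decision; apply as far as the log is gap-free."""
        self.log[slot] = cmd
        while self.next_apply in self.log:
            self.apply(self.log[self.next_apply])
            self.next_apply += 1

    def apply(self, cmd):
        op, key, *rest = cmd
        if op == "set":
            self.state[key] = rest[0]
        elif op == "del":
            self.state.pop(key, None)
        elif op == "incr":
            self.state[key] = self.state.get(key, 0) + rest[0]


class OrderedBroadcastService:
    def __init__(self, n, f):
        assert n >= 2 * f + 1, "crash tolerance needs a majority of correct replicas"
        self.replicas = [Replica(i) for i in range(n)]
        self.consensus = SlotConsensus(n)
        self.next_slot = 0

    def live(self):
        return [r for r in self.replicas if r.alive]

    def submit(self, cmd):
        """Client request: take the next slot, run consensus on it, broadcast the decision."""
        slot = self.next_slot
        decided = self.consensus.propose(slot, cmd, self.live())
        self.next_slot += 1
        for r in self.live():
            r.learn(slot, decided)
        return slot, decided

    def crash(self, rid):
        self.replicas[rid].alive = False

    def recover(self, rid):
        """A recovering replica replays every decision it missed, in slot order."""
        r = self.replicas[rid]
        r.alive = True
        for slot, cmd in sorted(self.consensus.decided.items()):
            if slot not in r.log:
                r.learn(slot, cmd)


def identical_states(svc):
    states = [r.state for r in svc.replicas if r.alive]
    return all(s == states[0] for s in states)


def out_of_order_delivery():
    """A replica that hears slot 1 before slot 0 still applies 0 then 1."""
    r = Replica(9)
    r.learn(1, ("incr", "x", 5))  # buffered: slot 0 not yet known
    buffered = r.next_apply == 0 and r.state == {}
    r.learn(0, ("set", "x", 1))   # both apply now, in order: x = 1, then 6
    return buffered, r.state


def demo():
    svc = OrderedBroadcastService(n=3, f=1)
    svc.submit(("set", "x", 1))
    svc.crash(2)
    svc.submit(("incr", "x", 5))  # still available with 2 of 3 replicas up
    svc.submit(("set", "y", "a"))
    svc.recover(2)                # catches up from the decided log
    all_equal = identical_states(svc)
    svc.crash(0)
    svc.crash(1)
    try:                          # only 1 of 3 up: no majority, no progress
        svc.submit(("del", "y"))
        unavailable = False
    except RuntimeError:
        unavailable = True
    return svc.replicas[2].state, all_equal, unavailable


if __name__ == "__main__":
    print(out_of_order_delivery())
    print(demo())
```

Two things the abstract's bullets imply are visible in the run: the ordering guarantee lives entirely in `Replica.learn`, which never applies slot i+1 before slot i, and the crash bound is enforced by the majority check in `SlotConsensus.propose`, so with n=3 the service survives one crash but not two.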
We establish completeness for intuitionistic first-order logic, iFOL, showing that a formula is provable if and only if its embedding into minimal logic, mFOL, is uniformly valid under the Brouwer-Heyting-Kolmogorov (BHK) semantics, the intended semantics of iFOL and mFOL. Our proof is intuitionistic and provides an effective procedure Prf that converts uniform minimal evidence into a formal first-order proof. We have implemented Prf. Uniform validity is defined using the intersection operator as a universal quantifier over the domain of discourse and atomic predicates. Formulas of iFOL that are uniformly valid are also intuitionistically valid, but not conversely. Our strongest result requires the Fan Theorem; it can also be proved classically by showing that Prf terminates using König's Theorem. The fundamental idea behind our completeness theorem is that a single evidence term evd witnesses the uniform validity of a minimal logic formula F. Finding even one uniform realizer guarantees validity because Prf(F, evd) builds a first-order proof of F, establishing its uniform validity and providing a purely logical normalized realizer. We establish completeness for iFOL as follows. Friedman showed that iFOL can be embedded in minimal logic (mFOL) by his A-transformation, mapping formula F to F^A. If F is uniformly valid, then so is F^A, and by our completeness theorem we can find a proof of F^A in minimal logic. Then we intuitionistically prove F from F^False, i.e. by taking False for A and for ⊥ of mFOL. Our result resolves an open question posed by Beth in 1947.
We constructively prove in type theory the completeness of the minimal Propositional Calculus, showing that a formula is provable in mPC if and only if it is uniformly valid in constructive type theory extended with the intersection operator. Our completeness proof provides an effective procedure Prf that converts any uniform evidence into a formal mPC proof. Mark Bickford has implemented Prf in the Nuprl proof assistant. The fundamental idea behind this completeness proof is that even one polymorphic evidence term in extended intuitionistic type theory, evd, witnesses the uniform validity of an mPC formula F. Finding one such uniform type theoretic realizer evd guarantees validity because Prf(F, evd) builds a first-order proof of F, establishing its validity and providing a purely logical normalized realizer. We reason using symbolic computing on uniform realizers. This style of reasoning and our proof can be formalized in Nuprl's constructive type theory. These results are publi...
The work done at ORA for NASA-LRC in the design and formal verification of a hardware implementation of a scheme for attaining interactive consistency (Byzantine agreement) among four microprocessors is presented in view graph form. The microprocessors used in the design are an updated version of a formally verified 32-bit, instruction-pipelined, RISC processor, MiniCayuga. The 4-processor system, which is designed under the assumption that the clocks of all the processors are synchronized, provides software control over the interactive consistency operation. Interactive consistency computation is supported as an explicit instruction on each of the microprocessors. An identical user program executing on each of the processors decides when and on what data interactive consistency must be performed. This exercise also served as a case study to investigate the effectiveness of reusing the technology which was developed during the MiniCayuga effort for verifying synchronous hardware des...
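The abstract says what the instruction achieves (interactive consistency among four processors, one of which may be Byzantine) but not which algorithm the hardware computes. The added Python simulation below (written for this page; it is not the ORA/MiniCayuga design and does not model the hardware) assumes the classic oral-messages algorithm OM(1) of Lamport, Shostak and Pease, which is the standard way to get interactive consistency with n = 4 and m = 1 since n ≥ 3m + 1. The two synchronous rounds correspond to the synchronized-clock assumption the abstract states. The private values, the choice of which processor is faulty, and the `lying_sender` behaviour are all constructed inputs; the checks at the end are the two interactive consistency conditions (all correct processors compute the same vector, and the entry for each correct processor is that processor's own value).

```python
"""Interactive consistency among four processors, one Byzantine (constructed simulation).

Oral-messages algorithm OM(1): round 1, every processor broadcasts its private
value; round 2, every receiver relays what it heard to the others; then each
processor takes a majority over the direct value and the two relayed copies.
"""
from collections import Counter

N = 4        # processors; tolerates m = 1 traitor because N >= 3m + 1
DEFAULT = 0  # value adopted when there is no strict majority (missing/garbled)


def majority(values):
    """Strict majority of `values`, or DEFAULT if there is none."""
    val, cnt = Counter(values).most_common(1)[0]
    return val if cnt > len(values) // 2 else DEFAULT


def om1_vector(private, faulty, lie):
    """Run OM(1). Returns the interactive-consistency vector computed by each processor.

    private: each processor's own value.
    faulty:  index of the Byzantine processor, or None.
    lie(src, relay, dst): value the faulty processor sends to dst, either as
      the source (relay is None) or when relaying src's value.
    """
    # Round 1: r1[p][q] is what q received directly from source p.
    r1 = {p: {} for p in range(N)}
    for p in range(N):
        for q in range(N):
            if q != p:
                r1[p][q] = lie(p, None, q) if p == faulty else private[p]
    # Round 2: r2[p][q][r] is what r heard from relay q about source p.
    r2 = {p: {q: {} for q in range(N)} for p in range(N)}
    for p in range(N):
        for q in range(N):
            if q == p:
                continue
            for r in range(N):
                if r not in (p, q):
                    r2[p][q][r] = lie(p, q, r) if q == faulty else r1[p][q]
    # Decision: processor r's entry for p is the majority of the direct value
    # and the relayed copies; its own entry is its private value.
    vectors = []
    for r in range(N):
        vec = []
        for p in range(N):
            if p == r:
                vec.append(private[r])
            else:
                heard = [r1[p][r]] + [r2[p][q][r] for q in range(N) if q not in (p, r)]
                vec.append(majority(heard))
        vectors.append(vec)
    return vectors


def interactive_consistency(vectors, private, faulty):
    """IC1: correct processors agree on the vector. IC2: entries for correct sources are their values."""
    correct = [r for r in range(N) if r != faulty]
    agree = all(vectors[r] == vectors[correct[0]] for r in correct)
    validity = all(vectors[r][p] == private[p] for r in correct for p in correct)
    return agree and validity


def lying_sender(src, relay, dst):
    # Constructed Byzantine behaviour: a different value for every destination,
    # both when sending its own value and when relaying someone else's.
    return (dst * 7 + 3) % 5


if __name__ == "__main__":
    values = [5, 7, 9, 2]
    vecs = om1_vector(values, faulty=3, lie=lying_sender)
    print(vecs, interactive_consistency(vecs, values, 3))
```

With processor 3 lying, the three correct processors each hear three different claims about its value and all fall back to `DEFAULT`, so they still agree; for every correct source the one relayed lie is outvoted two to one. Dropping `N` to 3 with the same traitor would leave each correct processor with only one honest relay and no majority, which is the 3m + 1 bound the four-processor design sits on.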
This article is the first in a series of articles that explain the formalization of a constructive model of cubical type theory in Nuprl. In this document we discuss only the parts of the formalization that do not depend on the choice of base category. So, it spells out how we make the first steps of our formalization of cubical type theory.
We describe a link between the Nuprl and PVS proof systems that enables users to access PVS from the Nuprl theorem proving environment, to import PVS theories into the Nuprl library, and to browse both Nuprl and PVS theories in a unified formal framework. The combined system is a first step towards a digital library of formalized mathematics that can be shared and used in complex applications.
This report documents the Phase 1 results of an effort aimed at formally verifying a key hardware component, called Scoreboard, of the Fault Tolerant Parallel Processor (FTPP) being built at Charles Stark Draper Laboratory (CSDL). The Scoreboard is part of the FTPP virtual bus that guarantees reliable communication between processors in the presence of Byzantine faults in the system. The Scoreboard implements a piece of control logic that approves and validates a message before it can be transmitted. The goal of Phase 1 was to lay the foundation for the Scoreboard verification. We developed formal specifications of the functional requirements and a high-level design of the Scoreboard. We used a preliminary Scoreboard design developed at CSDL as a basis for developing our hardware design. We proved a main correctness theorem for the Scoreboard design from which the functional requirements can be established as corollaries. The goal of Phase 2 is to verify CSDL's final detailed de...
Building a verified proof assistant entails implementing and mechanizing the concept of a library, as well as adding support for standard manipulations on it. In this work we develop such a mechanism for the Nuprl proof assistant, and integrate it into the formalization of Nuprl's meta-theory in Coq. We formally verify that standard operations on the library preserve its validity. This is a key property for any interactive theorem prover, since it ensures consistency. Some unique features of Nuprl, such as the presence of undefined abstractions, make the proof of this property nontrivial. Thus, e.g., to achieve monotonicity the semantics of sequents had to be refined. On a broader view, this work provides a backend for a verified version of Nuprl. We use it, in turn, to develop a tool that converts proofs exported from the Nuprl proof assistant into proofs in the Coq formalization of Nuprl's meta-theory, so that they can be verified.
2003 IEEE Conference on Open Architectures and Network Programming.
In disaster and combat situations, mobile cameras and other sensors transmit real-time data, used by many operators and/or analysis tools. Unfortunately, in the face of limited, unreliable resources and varying demands, not all users may be able to get the fidelity they require. This paper describes MediaNet, a distributed multimedia processing system designed with the above scenarios in mind. Unlike past approaches, MediaNet's users can intuitively specify how the system should adapt based on their individual needs. MediaNet uses both local and online global resource scheduling to improve user performance and network utilization, and adapts without requiring underlying support for resource reservations. Performance experiments show that our scheduling algorithm is reasonably fast, and that user performance and network utilization are both significantly improved.
These past few years, we have been experimenting in Nuprl with versions of Brouwer's Bar Induction principle. Until recently we had no formal proof that these rules are valid Nuprl reasoning principles. Thanks to our formalization of Nuprl's metatheory in Coq, we can now rigorously check whether these principles are consistent with Nuprl. In this paper we present a proof, using our Coq framework, of the validity of Brouwer's Bar Induction principle on sequences of natural numbers. To prove this result we added all Coq functions from natural numbers to natural numbers to Nuprl's computation system. Introduction. Nuprl [9, 3] is a dependent type theory à la Martin-Löf based on an untyped functional programming language. Nuprl has a rich type theory including identity (or equality) types, a hierarchy of universes, W types, quotient types [10], set types, union and (dependent) intersection types [14], image types [15], PER types [4], simulation types [17], and partial types [11]. Type c...
Distributed programs are known to be extremely difficult to implement, test, verify, and maintain. This is due in part to the large number of possible unforeseen interactions among components, and to the difficulty of precisely specifying what the programs should accomplish in a formal language that is intuitively clear to the programmers. We discuss here a methodology that has proven itself in building a state of the art implementation of Multi-Paxos and other distributed protocols used in a deployed database system. This article focuses on the basic ideas of formal EventML programming, illustrated by implementing a fault-tolerant consensus protocol and showing how we prove its safety properties with the Nuprl proof assistant.
This report describes a computer-aided verification tool, called Spectool, for a class of synchronous hardware designs. The tool reduces the effort required for verifying a design in the targeted class by automating most of the routine, but cumbersome, parts of the verification process. The input to the tool is a circuit diagram of the design. This diagram is drawn using the graphical user interface provided by the tool. Spectool has been used on several examples including a large pipelined microprocessor design. Keywords: Hardware Verification, Computer Security, Formal Methods.
Attack-tolerant distributed systems change their protocols on-the-fly in response to apparent attacks from the environment; they substitute functionally equivalent versions that are possibly more resistant to the detected threats. Alternative protocols can be packaged together as a single adaptive protocol, or variants from a formal protocol library can be sent to threatened groups of processes. We are experimenting with libraries of attack-tolerant protocols that are correct-by-construction and testing them in environments that simulate specified threats, including constructive versions of the famous FLP imaginary adversary against fault-tolerant consensus. We expect that all variants of tolerant protocols are automatically generated and accompanied by machine-checked proofs that the generated code satisfies formal properties.
Our topic is broadening a practical "proofs-as-programs" method of program development to "proofs-as-processes". We extend our previous results that implement proofs-as-processes for the standard model of asynchronous message passing computation to a much wider class of process models including the π-calculus and other process algebras. Our first result is a general process model whose definition in type theory is interesting in itself both technically and foundationally. Process terms are type-free lambda terms. Typed processes are elements of a co-inductive type. They are higher-order in that they can take processes as inputs and produce them as outputs. A second new result is a procedure to generate event structures over the general process model and then define event logics and event classes over these structures. Processes are abstract realizers for assertions in the event logics over them, and they extend the class of primitively realizable propositions built on the propositions...
Papers by Mark Bickford