Getting Started with SPARK - Presentation Transcript
Getting Started with SPARK Rod Chapman, Praxis High Integrity Systems
Agenda
What is SPARK?
SPARK Pro, GPL and GAP
Teaching SPARK
Current research with SPARK
Demo – visualizing Hoare-Logic with SPARK and GraphViz
Questions
What is SPARK?
SPARK is…
A programming language,
A set of static verification tools,
A design approach for high-assurance software,
A means of enforcing discipline in software process.
… All of the above
SPARK
What’s special about SPARK?
SPARK takes the unusual step of designing a programming language from scratch with verification as the primary design goal.
SPARK has mathematical, formal, and unambiguous semantics, therefore…
SPARK
The SPARK tools provide verification which is
Sound (no “false negatives”)
Complete (very few “false alarms”)
Deep (tells you something useful)
Fast (tells you it now)
Modular (for incomplete programs)
No other language and toolset can offer this combination.
SPARK
No other language and toolset can offer this combination.
How?
The language design deliberately excludes features that are hard or impossible to analyse.
The SPARK language embodies a strict subset of Ada, with a system of contracts that enable modular and efficient verification.
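An added example, not from the slides, written in the SPARK 2005 `--#` annotation style of the SPARK GPL era: a bounded log buffer whose contracts give the Examiner everything it needs to verify each subprogram in isolation. The package, type and subprogram names and the buffer size are constructed for illustration; the comments mark where the Verification Condition Generator produces the Hoare-logic obligations that the demo later visualizes.

```ada
-- Constructed example: a fixed-capacity buffer with SPARK 2005 contracts.
package Log_Buffer is
   Max : constant := 16;                      -- capacity, chosen for illustration
   subtype Index       is Integer range 1 .. Max;
   subtype Length      is Integer range 0 .. Max;
   subtype Entry_Value is Integer range 0 .. 255;
   type Entry_Array is array (Index) of Entry_Value;
   type Buffer is record
      Entries : Entry_Array;
      Count   : Length;
   end record;

   Empty : constant Buffer :=
     Buffer'(Entries => Entry_Array'(Index => 0), Count => 0);

   -- Functions have no side effects in SPARK; the return annotation is its contract.
   function Is_Full (B : Buffer) return Boolean;
   --# return B.Count = Max;

   -- derives: information-flow contract (which inputs influence which outputs).
   -- pre/post: the Hoare triple {pre} Append {post} the Examiner must discharge.
   procedure Append (B : in out Buffer; Item : in Entry_Value);
   --# derives B from B, Item;
   --# pre  B.Count < Max;
   --# post B.Count = B~.Count + 1 and
   --#      B.Entries = B~.Entries[B.Count => Item];
end Log_Buffer;

package body Log_Buffer is

   function Is_Full (B : Buffer) return Boolean is
   begin
      return B.Count = Max;
   end Is_Full;

   procedure Append (B : in out Buffer; Item : in Entry_Value) is
   begin
      -- VC 1: from the precondition B.Count < Max, show B.Count + 1 is in Length.
      B.Count := B.Count + 1;
      -- VC 2: show the new B.Count lies in Index (1 .. Max), so no index check can fail.
      B.Entries (B.Count) := Item;
      -- VC 3: show the postcondition holds on every path reaching this point.
   end Append;

end Log_Buffer;
```

Callers that cannot prove `B.Count < Max` at the call site get an undischarged verification condition rather than a run-time exception, which is the modular, sound behaviour the previous slide describes.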
What’s the catch?
As ever, there’s no free lunch.
You must have the discipline to adopt, learn and use SPARK properly.
SPARK is most suited to high-assurance embedded, critical and real-time systems, not web servers or database applications (yet…)
SPARK Applications
SPARK is most widely used in high-assurance embedded systems, such as
Commercial Avionics (Rolls-Royce, LM C130J…)
Military Avionics (EuroFighter Typhoon, AerMacchi M346…)
Rail Signalling (ALSTOM, Invensys…)
High-Grade Secure Systems (Rockwell-Collins, NSA, CESG, NATO C3 Agency…)
While SPARK is most commonly associated with safety-critical systems, its roots actually come from the info-sec community (e.g. 1977 CACM paper on info flow by Denning & Denning).
SPARK Pro, GPL and GAP
There are two major releases of the technology, aimed at three communities:
SPARK Pro is the professional, supported product from the AdaCore/Praxis partnership.
SPARK GPL is aimed at the open-source community. No formal support.
The AdaCore GAP Programme offers support to academic faculty using GNAT and/or SPARK GPL in teaching and research.
All available with the GPL licence, so full availability of sources.
SPARK Pro, GPL and GAP
This webinar will concentrate on the use of SPARK in the academic and open-source communities.
Teaching SPARK…
So why teach SPARK?
Well…SPARK can be seen as a vehicle for teaching:
Safety-Critical Software Engineering
Security-Critical Software Engineering
Design-by-Contract™
Embedded and Real-Time Systems
“Formal Methods”
Semantics and “Proof” of Programs
Programming Language Design
Oh…and there’s a good book…
Teaching SPARK…
Examples:
Manchester University, UK – SPARK used in first year undergraduate course to teach design-by-contract style programming. (Dr Kung-Kiu Lau).
Kansas State University – Critical Systems course (Prof John Hatcliff).
University of York, UK – SPARK used in post-graduate MSc in Safety-Critical Systems Engineering (Prof John McDermid and others).
Research with SPARK…
SPARK provides a formal basis for many interesting research problems.
As a target language for formal refinement.
Theorem-Proving (e.g. SAT and SMTLib style provers).
Counter-example finding.
Automatic test-case generation.
“Hard” language issues (e.g. generics, interfaces) currently beyond the SPARK subset.
Proof of floating-point algorithms.
Program slicing and visualization.
And many, many more things that we haven’t even thought of yet…
Research with SPARK…
Prior to SPARK GPL, it was difficult to use SPARK in research:
Proprietary nature of tools
Very little publicly visible SPARK code
But…times have changed:
GPL release of technology.
“Open Source” Release of Tokeneer project as a model-example of SPARK code for research challenges.
Some current research projects
Specification refinement from PVS (Prof John Knight, Virginia).
Model-checking of Tokeneer security properties (Prof Jim Woodcock, Uni of York).
Program slicing and value-dependent information flow analysis (Prof John Hatcliff, KSU).
SMTLib prover interface (Dr Paul Jackson, Uni of Edinburgh).
Decision procedures for non-linear arithmetic in CVC3 prover (Dr Clark Barrett, NYU).
Demo – Visualizing Hoare-Logic with SPARK and GraphViz
Teaching program verification can be kinda dull…especially if done “pencil and paper” style.
Students like to have tools and pictures…
SPARK GPL provides a means to visualize the semantics of SPARK and the action of the Verification Condition Generator using the GraphViz package.
These slides were presented by Rod Chapman during a webinar on SPARK GPL - the high assurance toolset dedicated to the academic and Free Software communities. SPARK GPL combines the proven SPARK Ada language and supporting toolset with AdaCore’s GNAT Programming Studio (GPS) integrated development environment. SPARK is a language specifically designed to support the development of software used in applications where correct operation is vital either for reasons of safety or security. The SPARK Toolset offers static verification that is unrivalled in terms of its soundness, low false-alarm rate, depth and efficiency. The toolset also generates evidence for correctness that can be used to build a constructive assurance case in line with the requirements of industry regulators and certification schemes.
The slides present the concepts behind the Correctness-by-Construction methodology and look at current and potential research topics for the academic community.