https://github.com/awesomo4000/awesome-provable

A curated set of links to formal methods involving provable code.
https://github.com/awesomo4000/awesome-provable

List: awesome-provable

agda certified-programming coq formal-verification idris isabelle isabelle-hol sel4

Last synced: about 2 months ago
JSON representation

A curated set of links to formal methods involving provable code.

• Host: GitHub
• URL: https://github.com/awesomo4000/awesome-provable
• Owner: awesomo4000
• Created: 2017-11-10T11:34:31.000Z (almost 7 years ago)
• Default Branch: master
• Last Pushed: 2021-12-12T16:28:56.000Z (almost 3 years ago)
• Last Synced: 2024-05-19T21:03:16.904Z (4 months ago)
• Topics: agda, certified-programming, coq, formal-verification, idris, isabelle, isabelle-hol, sel4
• Size: 25.4 KB
• Stars: 187
• Watchers: 10
• Forks: 8
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• more-awesome - awesome-provable - A curated set of links to formal methods involving provable code. (Computer Science)
• awesome-awesome - awesome-provable - A curated set of links to formal methods involving provable code. (Computer Science)
• ultimate-awesome - awesome-provable - A curated set of links to formal methods involving provable code. (Other Lists / PowerShell Lists)

README

        
# Provably Awesome.    [![](img/badge.svg)](http://awesome.re)

This is a curated list of links and resources related to mathematical proofs

about the properties of computer programs.

#### Table of Contents

* [Languages](#languages) - Languages with good ability to use formal type

safety

* [Proof Assistants](#proof-assistants) - Interactive theorem provers used to

prove properties of programs.

* [Projects](#projects) - Projects involving provably correct code.

* [Books](#books) - Textbooks commonly referred to 

* [Courses](#courses) - Online courses (youtube, university courses)

* [More Links](#more) - Video presentations about formal proof of code topics

## Languages

* [Idris](https://www.idris-lang.org/) : Idris is a general purpose pure 

functional programming language with dependent types. Dependent types allow 

types to be predicated on values, meaning that some aspects of a program’s 

behaviour can be specified precisely in the type. It is compiled, with eager 

evaluation. Its features are influenced by Haskell and ML.

  * [Idris docs](http://docs.idris-lang.org/en/latest/)

  * [Idris tutorial](http://docs.idris-lang.org/en/latest/tutorial/index.html#tutorial-index)

  * [Theorem proving with Idris tutorial](http://docs.idris-lang.org/en/latest/proofs/index.html)

* [Agda](http://wiki.portal.chalmers.se/agda/pmwiki.php) : Dependently

 typed functional programming language. It has inductive families, i.e., data 

 types which depend on values, such as the type of vectors of a given length. 

 It also has parametrised modules, mixfix operators, Unicode characters, and an

  interactive Emacs interface which can assist the programmer in writing the 

  program.

  * [Agda Github](https://github.com/agda/agda)

  * [Agda User Manual](http://agda.readthedocs.io/en/v2.5.2/)

* [UR/Web](http://www.impredicative.com/ur/) : Ur/Web is Ur plus a special 

standard library and associated rules for parsing and optimization. Ur/Web 

supports construction of dynamic web applications backed by SQL databases. 

The signature of the standard library is such that well-typed Ur/Web programs 

"don't go wrong" in a very broad sense. Not only do they not crash during 

particular page generations, but they also may not:

  * Suffer from any kinds of code-injection attacks

  * Return invalid HTML

  * Contain dead intra-application links

  * Have mismatches between HTML forms and the fields expected by their handlers

  * Include client-side code that makes incorrect assumptions about the 

    "AJAX"-style services that the remote web server provides

  * Attempt invalid SQL queries

  * Use improper marshaling or unmarshaling in communication with SQL databases

    or between browsers and web servers

* [Haskell](https://www.haskell.org/) : An advanced, purely functional 

programming language. 

* [Liquid Haskell](https://ucsd-progsys.github.io/liquidhaskell-blog/) :

LiquidHaskell (LH) refines Haskell's types with logical predicates that let 

you enforce critical properties at compile time. (Guarantee functions are total,

keep pointers within bounds, avoid infinite loops, enforce correctness 

properties, prove laws by writing code)

* [Elm](http://elm-lang.org/) : A type-safe functional programming language for 

declaratively creating web browser-based graphical user interfaces. 

Implemented in Haskell. It generates JavaScript with great performance and 

*no runtime exceptions*.

## Proof Assistants

* [Coq](https://coq.inria.fr/) : Coq is a formal proof management system. It 

provides a formal language to write mathematical definitions, executable 

algorithms and theorems together with an environment for semi-interactive 

development of machine-checked proofs. 

[[current stable version](https://coq.inria.fr/download)]

[[reference manual](https://coq.inria.fr/distrib/current/refman)]

    * https://github.com/Ptival/PeaCoq

    * https://math-comp.github.io/mcb/

* [Isabelle](https://isabelle.in.tum.de/) : Isabelle is a generic proof assistant.

 It allows mathematical formulas to be expressed in a formal language and 

 provides tools for proving those formulas in a logical calculus.

 [[overview](https://isabelle.in.tum.de/overview.html)]

* [HOL](https://hol-theorem-prover.org/) : The HOL interactive theorem prover is

 a proof assistant for higher-order logic: a programming environment in which 

 theorems can be proved and proof tools implemented. Built-in decision 

 procedures and theorem provers can automatically establish many simple 

 theorems (users may have to prove the hard theorems themselves!) An oracle 

 mechanism gives access to external programs such as SMT and BDD engines. 

 HOL is particularly suitable as a platform for implementing combinations of 

 deduction, execution and property checking. 

 [[Other HOLS](https://hol-theorem-prover.org/other-hols.html)]

* [LEAN](https://leanprover.github.io/) : Lean is a new open source theorem 

 prover being developed at Microsoft Research, and its standard library at 

 Carnegie Mellon University. Lean aims to bridge the gap between interactive and 

 automated theorem proving, by situating automated tools and methods in a framework 

 that supports user interaction and the construction of fully specified axiomatic 

 proofs. The goal is to support both mathematical reasoning and reasoning about 

 complex systems, and to verify claims in both domains.

   [Online version](https://leanprover.github.io/live/latest/)

* [K Framework](http://www.kframework.org/index.php/Main_Page) : The K framework

 is a rewrite-based executable semantic framework in which programming languages, 

 type systems and formal analysis tools can be defined using configurations, 

 computations and rules. Configurations organize the state in units called cells, 

 which are labeled and can be nested. Computations carry computational meaning as 

 special nested list structures sequentializing computational tasks, such as fragments 

 of program. Computations extend the original language abstract syntax. K (rewrite) 

 rules make it explicit which parts of the term they read-only, write-only, read-write, 

 or do not care about. This makes K suitable for defining truly concurrent languages 

 even in the presence of sharing. Computations are like any other terms in a rewriting 

 environment: they can be matched, moved from one place to another, modified, or 

 deleted. This makes K suitable for defining control-intensive features such as 

 abrupt termination, exceptions or call/cc.

   * [K Tutorial](http://www.kframework.org/index.php/K_Tutorial) by [Grigore Rosu](https://github.com/grosu), [video playlist](https://www.youtube.com/watch?v=eSaIKHQOo4c&list=PLx_U8qR-tMtLQEDPvVk1y9gTIdUIWGaQd)

   * (https://runtimeverification.com/) : Company formed from K Framework people. 

     Runtime Verification Inc. is currently developing three core products: 

     * RV-Predict is a predictive runtime analysis tool focused on automatically 

       detecting concurrency errors in your programs. 

     * RV-Monitor is a development methodology and library generation tool allowing 

       for the monitoring and enforcement of user-selected properties at runtime. 

     * RV-Match is a tool allowing for exhaustive runtime verification to be performed 

       symbolically on all possible program paths, proving certain properties correct 

       for all possible executions of a given program.

* [Viper](https://www.pm.inf.ethz.ch/research/viper.html) : Viper (Verification Infrastructure for Permission-based Reasoning) is a language and suite of tools developed at ETH Zurich, providing an architecture on which new verification tools and prototypes can be developed simply and quickly. It comprises a novel intermediate verification language, also named Viper, and automatic verifiers for the language, as well as example front-end tools. The Viper toolset can be used to implement verification techniques for front-end programming languages via translations into the Viper language. ETH Zurich has built several verifiers on top of Viper, including the [Gobra](https://www.pm.inf.ethz.ch/research/gobra.html) verifier for Go, [Nagini](https://www.pm.inf.ethz.ch/research/nagini.html) for Python and [Prusti](https://www.pm.inf.ethz.ch/research/prusti.html) for Rust.

## Projects

* [seL4](https://sel4.systems/) : The world's first operating-system kernel with 

an end-to-end proof of implementation correctness and security enforcement 

is available as open source. 

[[brochure](https://sel4.systems/Info/Docs/seL4-brochure.pdf)]

[[white paper](https://sel4.systems/Info/Docs/GD-NICTA-whitepaper.pdf)]

* [Certikos](http://flint.cs.yale.edu/certikos/) : Certified Kit Operating 

System.

  * **Certified OS Kernels**: Clean-slate design with end-to-end guarantees on 

    extensibility, security, and resilience.

    Without Zero-Day Kernel Vulnerabilities.

  * **Layered Approach**: Divides a complex

     system into multiple certified abstraction layers, which are deep 

     specifications of their underlying implementations.

  * **Languages and Tools**: New formal methods, languages, compilers and other 

  tools for developing, checking, and automating specs and proofs.

* [Compcert](http://compcert.inria.fr/) : The CompCert project investigates the 

formal verification of realistic compilers usable for critical embedded 

software. Such verified compilers come with a mathematical, machine-checked 

proof that the generated executable code behaves exactly as prescribed by the 

semantics of the source program. 

[[C compiler](http://compcert.inria.fr/download.html)]

* [Bedrock](http://plv.csail.mit.edu/bedrock/) 

[[tutorial pdf](http://plv.csail.mit.edu/bedrock/tutorial.pdf)] :

Bedrock is a library that turns Coq into a tool much like classical 

verification systems (e.g., ESC, Boogie), but niftier. In particular, 

Bedrock is:

  * **Low-level**: You can verify programs that, for performance reasons or 

  otherwise, can't tolerate any abstraction beyond that associated with 

  assembly language.

  * **Foundational**: The output of a Bedrock verification is a theorem whose 

  statement depends only on the predicates you choose to use in the key 

  specifications and on the operational semantics of a simple cross-platform 

  machine language. That is, you don't need to trust that the verification 

  framework is bug-free; rather, you need to trust the usual Coq proof-checker

  and the formalization of the machine language semantics.

  * **Higher-order**: Bedrock facilitates quite pleasant reasoning about code 

  pointers as data.

  * **Computational**: Many useful functions are specified most effectively by 

  comparing with "reference implementations" in a pure functional language. 

  Bedrock supports that model, backed by the full expressive power of Coq's 

  usual programming language.

  * **Structured**: Bedrock is an extensible programming language: any client 

  program may add new control flow constructs by providing their proof rules. 

  For example, adding high-level syntax for your own calling convention or 

  exception handling construct is relatively straightforward and does not 

  require tweaking the core library code.

  * **Mostly automated**: Tactics automate verification condition generation 

  (in a form inspired by separation logic) and most of the process of 

  discharging those conditions. Many interesting programs can be verified with 

  zero manual proof effort, in stark contrast to most Coq developments.

* [HACMS](https://www.darpa.mil/program/high-assurance-cyber-military-systems)

: High-Assurance Cyber Military Systems (HACMS)

. Dr. Raymond Richards. Technology for cyber-physical systems,

functionally correct and satisfying appropriate safety and security properties. 

Clean-slate, formal methods, semi-automated code synthesis from executable, 

formal specifications. HACMS seeks a synthesizer capable of producing a 

machine-checkable proof that generated code satisfies functional 

specs as well as security and safety policies, and development to ensure 

proofs are composable, allowing  components.

  [[more Darpa "formal" tagged links](https://www.darpa.mil/tag-list?tt=78)]

  [[verigames-crowdsourced formal verification](https://www.darpa.mil/news-events/2013-12-04a)]

* [Genode](http://genode.org/) : Genode is a novel OS architecture that is 

able to master complexity by applying a strict organizational structure to all

 software components including device drivers, system services, and applications. 

## Books

* [The Little Prover](https://mitpress.mit.edu/books/little-prover)

The Little Prover introduces inductive proofs as a way to determine facts about

 computer programs.

* [Certified Programming with Dependent Types](http://adam.chlipala.net/cpdt/) by

Adam Chlipala. Textbook about practical engineering with the Coq proof assistant.

The focus is on building programs with proofs of correctness, using dependent 

types and scripted proof automation.

[[Latest draft](http://adam.chlipala.net/cpdt/cpdt.pdf)]

* [Software Foundations](https://softwarefoundations.cis.upenn.edu/) by

Benjamin Pierce and others. The Software Foundations series is a broad 

introduction to the mathematical underpinnings of reliable software.

  * [Vol. 1:](https://softwarefoundations.cis.upenn.edu/lf-current/index.html)

[[read](https://softwarefoundations.cis.upenn.edu/lf-current/toc.html)]

[[download](https://softwarefoundations.cis.upenn.edu/lf-current/lf.tgz)]

Logical Foundations, serves as the entry-point to the series. It covers 

functional programming, basic concepts of logic, computer-assisted theorem 

proving,and Coq.

  * [Vol. 2:](https://softwarefoundations.cis.upenn.edu/plf-current/index.html)

[[read](https://softwarefoundations.cis.upenn.edu/plf-current/toc.html)]

[[download](https://softwarefoundations.cis.upenn.edu/plf-current/plf.tgz)]

Programming Language Foundations, surveys the theory of programming languages, 

including operational semantics, Hoare logic, and static type systems.

  * [Vol. 3: Verified Functional Algorithms](https://softwarefoundations.cis.upenn.edu/vfa-current/index.html)

[[read](https://softwarefoundations.cis.upenn.edu/vfa-current/index.html)]

[[download](https://softwarefoundations.cis.upenn.edu/vfa-current/vfa.tgz)]

Learn how to specify and verify (prove the correctness of) sorting algorithms, 

binary search trees, balanced binary search trees, and priority queues.

* HoTT : [Homotopy Type Theory: Univalent Foundations of Mathematics](https://homotopytypetheory.org/book/)

[[pdf](http://saunders.phil.cmu.edu/book/hott-online.pdfUnivalent)] 

Foundations of Mathematics is Vladimir Voevodsky’s new program for a 

comprehensive, computational foundation for mathematics based on the homotopical

interpretation of type theory. The type theoretic univalence axiom relates 

propositional equality on the universe with homotopy equivalence of small types. 

The program is currently being implemented with the help of the automated proof 

assistant Coq.

* https://math-comp.github.io/mcb/

## Courses

* [DeepSpec Summer School](https://www.youtube.com/channel/UC5yB0ZRgc4A99ttkwer-dDw)

41 Videos about deep specification. Coq videos, examples, tutorials.

* Adam Chlipala Videos:

  * 2017-12-29 CCC Presentation: [Coming Soon Machine-Checked Mathematical Proofs in Everyday Software and Hardware Development](https://media.ccc.de/v/34c3-9105-coming_soon_machine-checked_mathematical_proofs_in_everyday_software_and_hardware_development)

  * [Adam Chlipala Lecture 1, OPLSS 2015](https://www.youtube.com/watch?v=ORKAy_CHDYM)

  * [Bedrock: A Software Development Ecosystem Inside a Proof Assistant](https://www.youtube.com/watch?v=BSyrp-iYBMo)

  * [CACM August 2016 - Ur/Web: A Simple Model for Programming the Web](https://www.youtube.com/watch?v=J3XI6-aZZXk)

  * [Proof engineering Adam Chlipala](https://www.youtube.com/watch?v=yXLeyANzAC4)

  * [2015 Coq Proof Assistant and Its Applications to Programming-Language Semantics](https://www.youtube.com/playlist?list=PLt7hcIEdZLAnO7AawDQkHwE7RtwPDOFEc)

* [Type-Drive Development in Idris - Edwin Brady](https://www.youtube.com/watch?v=X36ye-1x_HQ)

* [Benjamin Pierce - Software Foundations Course](https://www.youtube.com/playlist?list=PLGCr8P_YncjUT7gXUVJWSoefQ40gTOz89)

* [Learning Automated Theorem Proving](https://cs.stackexchange.com/questions/820/learning-automated-theorem-proving) : Stackexchange post about learning

## More

* [Curry-Howard](https://en.wikipedia.org/wiki/Curry%E2%80%93Howard_correspondence) :

Curry–Howard correspondence refers to the direct relationship between computer

programs and mathematical proofs. This is also the idea of "proofs as programs",

and "propositions (formulas)-as-types".

* [Hoare logic](https://en.wikipedia.org/wiki/Hoare_logic)

Hoare logic (also known as Floyd–Hoare logic or Hoare rules) is a formal system 

with a set of logical rules for reasoning rigorously about the correctness of 

computer programs. 

* [Designing A Theorem Prover (Paulson, Cambridge, 1990)](https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-192.pdf)

* [Rolf Rolles Program Synthesis in Reverse Engineering](https://www.youtube.com/watch?v=mFjSbxV_1vw)

...Assume you generate all possible programs...

* [The Open-Source seL4 Kernel. Military-Grade Security Through Mathematics - SFO17-417](https://www.youtube.com/watch?v=heSmrHzHcuM)

* [DARPA Hack Proof Drones](https://www.defensetech.org/2014/05/21/darpa-unveils-hack-proof-drone/)

  Uses SEL4, other RTOS

* [Pentagon Wants Unhackable Helicopters](https://www.engadget.com/2015/03/16/pentagon-wants-unhackable-helicopters/)

* [Hacker-Proof Code Confirmed](https://www.quantamagazine.org/formal-verification-creates-hacker-proof-code-20160920/) : 

Computer scientists can prove certain programs to be error-free with the same certainty that mathematicians prove theorems. The advances are being used to secure everything from unmanned drones to the internet.

* [CertiKOS enables creation of secure system kernels](http://www.zdnet.com/article/certikos-a-hacker-proof-os/) [[certikos project](http://flint.cs.yale.edu/certikos/)]

Computer system security stinks, because our 

software is buggy and untestable in full. Great for cyber criminals, but not 

for us. So why doesn't someone build a mathematically verified, secure, 

concurrent kernel that can run on x86 and ARM? A team at Yale has.

* [seL4 Is Free – What Does This Mean For You?](https://www.youtube.com/watch?v=lRndE7rSXiI)

* [From L3 to seL4 what have we learnt in 20 years of L4 microkernels?](https://www.youtube.com/watch?v=RdoaFc5-1Rk)

* [seL4 introduction: Capability--based Access Model](https://www.youtube.com/watch?v=x3P6Y6VO0UI) <- Chinese, translation?

* [seL4 playlist](https://www.youtube.com/playlist?list=PL8UO9ZG39Nx43YCAKGCtj9Rb6p2_3utdc)

* [Creating drones that can't be hacked](https://www.youtube.com/watch?v=4oONdV5RYp8)

* [HACMS: Protecting Military Systems from Hackers](https://www.youtube.com/watch?v=OyqNpn6JpBk)

* [Formal Methods for Avionics Software Verification pt1](https://www.youtube.com/watch?v=tRtK4xOK-8o

)

* TODO: find Heartbleed Example with Agda Showing Proofs