Static and Dynamic Verification of Relational Properties on Self-Composed C Code

TL;DR

This paper introduces a verification technique for relational properties in C programs, using self-composition, implemented as a FRAMA-C plugin called RPP, supporting side effects and recursion, and enabling static and dynamic analysis.

Contribution

It presents a novel approach for verifying relational properties in C, implemented as a FRAMA-C plugin supporting complex functions and combining static and dynamic methods.

Findings

Effective verification of relational properties in C programs.

Supports functions with side effects and recursion.

Combines static proof and runtime testing for verification.

Abstract

Function contracts are a well-established way of formally specifying the intended behavior of a function. However, they usually only describe what should happen during a single call. Relational properties, on the other hand, link several function calls. They include such properties as non-interference, continuity and monotonicity. Other examples relate sequences of function calls, for instance, to show that decrypting an encrypted message with the appropriate key gives back the original message. Such properties cannot be expressed directly in the traditional setting of modular deductive verification, but are amenable to verification through self-composition. This paper presents a verification technique dedicated to relational properties in C programs and its implementation in the form of a FRAMA-C plugin called RPP and based on self-composition. It supports functions with side effects and recursive functions. The proposed approach makes it possible to prove a relational property, to check it at runtime, to generate a counterexample using testing and to use it as a hypothesis in the subsequent verification. Our initial experiments on existing benchmarks confirm that the proposed technique is helpful for static and dynamic analysis of relational properties.