Program Verification – The KeY Project

Contents

Supported Java Features
Tutorials
Relevant blog posts
Literature

The core feature of KeY is a theorem prover for Java Dynamic Logic based on a sequent calculus. It allows for full functional verification of sequential Java (without floats, garbage collection and multithreading, see the section below) and Java Card 2.2.x programs. Properties can be specified in the Java Modelling Language (JML) or in Java Dynamic Logic directly. To try out KeY for program verification, go to the download page and follow the instructions. Upon start of KeY, you can select among several examples in menu “File > Load Examples”. Read the corresponding descriptions and try out what looks most interesting to you. Alternatively, have a look at our tutorials section.

Supported Java Features

Java is a very complex language which massively evolved over the time. KeY does not support all Java features. Some of those, like floating-point arithmetic, are in principle hard to handle from a theorem-proving point of view; others, like Generics and Lambdas, could be considered in future versions of the system. The following (incomplete) table gives an overview about the state of selected Java features in the current KeY version. Features shaded in green are supported, those in red are unsupported; features in yellow are in principle not supported, but can be treated with restrictions by a workaround supplied by KeY. A list of supported JML features is available here.

Feature	State
Basic Java 1.2 features	KeY supports Integer arithmetic (for both mathematical Integers and actual Integer types with overflows), Strings, inheritance, dynamic dispatch, loops, recursion, …
Enhanced “for” loops	Supported.
Floating point types	Supported, reasoning via axioms and by using SMT solvers with float support.
Library methods	KeY will throw an error when you use libraries the code of which is not in KeY’s classpath. However, we have a plugin in our eclipse extension which can create stubs with default contracts for library methods such that you can directly start proving properties about your code, or manually refine the stub specifications before.
Generics	Unsupported; However, a tool to statically remove Generics from the code can be downloaded here.
Multithreading	Unsupported.
try-with-resources and multi-catch (both Java 7)	Unsupported.
Java 8 features (lambdas etc.)	Unsupported.

Tutorials

Video Tutorial: Interactive Verification with the Symbolic Execution Debugger (SED)

Video Tutorial: Proof Attempt Inspection with the Symbolic Execution Debugger

Formal Verification with KeY: A Tutorial (2016)

By Bernhard Beckert, Reiner Hähnle, Martin Hentschel and Peter H. Schmitt Book chapter of the KeY book. This chapter gives a systematic tutorial introduction on how to perform formal program verification with the KeY system. It illustrates a number of complications and pitfalls, notably programs with loops, and shows how to deal with them. After working through this tutorial, you should be able to formally verify with KeY the correctness of simple Java programs, such as standard sorting algorithms, gcd, etc. Find this tutorial on SpringerLink

Note: The following tutorials may require older versions of KeY.

Verifying Object-Oriented Programs with KeY: A Tutorial (2007)

By Wolfgang Ahrendt, Bernhard Beckert, Reiner Hähnle, Philipp Rümmer, and Peter H. Schmitt. Abstract. This paper is a tutorial on performing formal specification and semi-automatic verification of Java programs with the formal software development tool KeY. This tutorial aims to fill the gap between elementary introductions using toy examples and state-of-art case studies by going through a self-contained, yet non-trivial, example. It is hoped that this contributes to explain the problems encountered in verification of imperative, object-oriented programs to a readership outside the limited community of active researchers. Download this tutorial.

KeY: The Sequent Calculus of the KeY Tool (2015)

Tutorial at CADE-25 by Reiner Hähnle and Peter H. Schmitt You can download part I and part II of the slides of this tutorial as well as the corresponding KeY proofs.

Relevant blog posts

Norwegian Governmental Election Software Formally Verified with KeY - In his recently finished Master's thesis, Henrik Torland Klev verified (parts of) EVA, the main support system for elections in municipalities and counties in Norway, using the KeY prover.

Proving the Correctness of Program Transformations with Abstract Execution and REFINITY - Summary. Abstract Execution (AE) is a new program analysis technique for automatically proving second-order properties about programs. It is based on the symbolic execution of abstract programs with second-order symbolic stores.

Proving JDK’s Dual Pivot Quicksort Correct - by Bernhard Beckert, Jonas Schiffl, Peter H. Schmitt and Mattias Ulbrich Sorting is a fundamental functionality in libraries, for which efficiency is crucial. Correctness of the highly optimized implementations is often taken for granted. De Gouw et al. have shown that this certainty is deceptive by revealing a bug in the Java Development Kit (JDK) […]

New Feature: State Merging in KeY - Current nightly builds of KeY contain a new feature called state merging, a technique to decrease the size of proof trees arising from the symbolic execution of large programs.

Literature

26 entries « ‹ 2 of 3 › »

2016

Mostowski, Wojciech; Ulbrich, Mattias

Dynamic Dispatch for Method Contracts Through Abstract Predicates Journal Article

In: Trans. Modularity and Composition, vol. 1, pp. 238–267, 2016.

Links | BibTeX

Wasser, Nathan

Automatic generation of specifications using verification tools = Automatische Spezifikationserzeugung mit Hilfe von Verifikationswerkzeugen PhD Thesis

Darmstadt University of Technology, Germany, 2016.

Links | BibTeX

2015

Mostowski, Wojciech; Ulbrich, Mattias

Dynamic Dispatch for Method Contracts through Abstract Predicates Proceedings Article

In: Proceedings of the 14th International Conference on Modularity, MODULARITY 2015, Fort Collins, CO, USA, March 16 - 19, 2015, pp. 109–116, ACM, 2015.

Links | BibTeX

Bruns, Daniel; Mostowski, Wojciech; Ulbrich, Mattias

Implementation-level Verification of Algorithms with KeY Journal Article

In: Software Tools for Technology Transfer, vol. 17, no. 6, pp. 729–744, 2015, ISSN: 1433-2779.

Abstract | Links | BibTeX

Küsters, Ralf; Truderung, Tomasz; Beckert, Bernhard; Bruns, Daniel; Kirsten, Michael; Mohr, Martin

A Hybrid Approach for Proving Noninterference of Java Programs Proceedings Article

In: Fournet, Cédric; Hicks, Michael (Ed.): 28th IEEE Computer Security Foundations Symposium (CSF 2015), pp. 305-319, 2015.

Abstract | Links | BibTeX

@inproceedings{KuestersTruderungBeckertEA2015,

title = {A Hybrid Approach for Proving Noninterference of Java Programs},

author = {Ralf K\"{u}sters and Tomasz Truderung and Bernhard Beckert and Daniel Bruns and Michael Kirsten and Martin Mohr},

editor = {C\'{e}dric Fournet and Michael Hicks},

doi = {10.1109/CSF.2015.28},

year  = {2015},

date = {2015-01-01},

booktitle = {28th IEEE Computer Security Foundations Symposium (CSF 2015)},

pages = {305-319},

abstract = {Several tools and approaches for proving noninterference properties for Java and other languages exist. 

 Some of them have a high degree of automation or are even fully automatic, but overapproximate 

 the actual information flow, and hence, may produce false positives. 

 Other tools, such as those based on theorem proving, are precise, but may need interaction, and hence, 

 analysis is time-consuming. 

 

 

 In this paper, we propose a hybrid approach that aims at obtaining the best of both approaches: 

 We want to use fully automatic analysis as much as possible and only at places in a program where, 

 due to overapproximation, the automatic approaches fail, we resort to more precise, but interactive 

 analysis, where the latter involves only the verification of specific functional properties in certain 

 parts of the program, rather than checking more intricate noninterference properties for the whole 

 program. 

 

 

 To illustrate the hybrid approach, in a case study we use the hybrid approach---along with the fully 

 automatic tool Joana for checking noninterference properties for Java programs and the theorem prover 

 KeY for the verification of Java programs---and the CVJ framework proposed by K"usters, Truderung, 

 and Graf to establish cryptographic privacy properties for a non-trivial Java program, namely an 

 e-voting system. 

 The CVJ framework allows one to establish cryptographic indistinguishability properties for Java 

 programs by checking (standard) noninterference properties for such programs.},

keywords = {},

pubstate = {published},

tppubtype = {inproceedings}

}

Küsters, Ralf; Truderung, Tomasz; Beckert, Bernhard; Bruns, Daniel; Kirsten, Michael; Mohr, Martin

A Hybrid Approach for Proving Noninterference of Java Programs Journal Article

In: IACR Cryptology ePrint Archive, vol. 2015, pp. 438, 2015.

Abstract | Links | BibTeX

@article{KuestersTruderungBeckertEA2015b,

title = {A Hybrid Approach for Proving Noninterference of Java Programs},

author = {Ralf K\"{u}sters and Tomasz Truderung and Bernhard Beckert and Daniel Bruns and Michael Kirsten and Martin Mohr},

url = {http://eprint.iacr.org/2015/438},

year  = {2015},

date = {2015-01-01},

journal = {IACR Cryptology ePrint Archive},

volume = {2015},

pages = {438},

abstract = {Several tools and approaches for proving noninterference properties for Java and other languages exist. 

 Some of them have a high degree of automation or are even fully automatic, but overapproximate 

 the actual information flow, and hence, may produce false positives. 

 Other tools, such as those based on theorem proving, are precise, but may need interaction, and hence, 

 analysis is time-consuming. 

 

 

 In this paper, we propose a hybrid approach that aims at obtaining the best of both approaches: 

 We want to use fully automatic analysis as much as possible and only at places in a program where, 

 due to overapproximation, the automatic approaches fail, we resort to more precise, but interactive 

 analysis, where the latter involves only the verification of specific functional properties in certain 

 parts of the program, rather than checking more intricate noninterference properties for the whole 

 program. 

 

 

 To illustrate the hybrid approach, in a case study we use the hybrid approach---along with the fully 

 automatic tool Joana for checking noninterference properties for Java programs and the theorem prover 

 KeY for the verification of Java programs---and the CVJ framework proposed by K"usters, Truderung, 

 and Graf to establish cryptographic privacy properties for a non-trivial Java program, namely an 

 e-voting system. 

 The CVJ framework allows one to establish cryptographic indistinguishability properties for Java 

 programs by checking (standard) noninterference properties for such programs.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

Wasser, Nathan

Generating Specifications for Recursive Methods by Abstracting Program States Proceedings Article

In: SETTA, pp. 243–257, Springer, 2015.

BibTeX

2014

Ghazi, Aboubakr Achraf El; Ulbrich, Mattias; Gladisch, Christoph; Tyszberowicz, Shmuel; Taghdiri, Mana

JKelloy: A Proof Assistant for Relational Specifications of Java Programs Proceedings Article

In: NASA Formal Methods - 6th International Symposium, NFM 2014, Houston, TX, USA, April 29 - May 1, 2014. Proceedings, pp. 173–187, 2014.

Links | BibTeX

Ahrendt, Wolfgang; Beckert, Bernhard; Bruns, Daniel; Bubel, Richard; Gladisch, Christoph; Grebing, Sarah; Hähnle, Reiner; Hentschel, Martin; Herda, Mihai; Klebanov, Vladimir; Mostowski, Wojciech; Scheben, Christoph; Schmitt, Peter H.; Ulbrich, Mattias

The KeY Platform for Verification and Analysis of Java Programs Proceedings Article

In: Giannakopoulou, Dimitra; Kroening, Daniel (Ed.): Verified Software: Theories, Tools, and Experiments (VSTTE 2014), pp. 1–17, Springer-Verlag, 2014, ISBN: 978-3-642-54107-0.

Abstract | Links | BibTeX

2013

Kirsten, Michael

Proving Well-Definedness of JML Specifications with KeY Masters Thesis

ITI Schmitt, Karlsruhe Institute of Technology, 2013.

Abstract | BibTeX

@mastersthesis{KirstenStA2013,

title = {Proving Well-Definedness of JML Specifications with KeY},

author = {Michael Kirsten},

year = {2013},

date = {2013-01-01},

school = {ITI Schmitt, Karlsruhe Institute of Technology},

abstract = {Specification methods in formal program verification enable the enhancement of source

code with formal annotations as to formally specify the behaviour of a program. This is

a popular way in order to subsequently prove software to be reliable and meet certain

requirements, which is crucial for many applications and gains even more importance in

modern society. The annotations can be taken as a contract, which then can be verified

guaranteeing the specified program element \textendash as a receiver \textendash to fulfil this contract with

its caller. However, these functional contracts can be problematic for partial functions,

e.g. a division, as certain cases may be undefined, as in this example a division by zero.

Modern programming languages such as Java handle undefined behaviour by casting an exception.

There are several approaches to handle a potential undefinedness of specifications. In

this thesis, we chose one which automatically generates formal proof obligations ensuring

that undefined specification expressions will not be evaluated.

Within this work, we elaborate on so-called Well-Definedness Checks dealing with undefinedness

occurring in specifications of the modelling language JML/JML* in the

KeY System, which is a formal software development tool providing mechanisms to

deductively prove the before mentioned contracts. Advantages and delimitations are

discussed and, furthermore, precise definitions as well as a fully functional implementation

within KeY are given. Our work covers the major part of the specification elements

currently supported by KeY, on the higher level including class invariants, model fields,

method contracts, loop statements and block contracts. The process of checking the

well-definedness of a specification forms a preliminary step before the actual proof and

rejects undefined specifications. We further contribute by giving a choice between two

different semantics, both bearing different advantages and disadvantages. The thesis also

includes an extensive case study analysing many examples and measuring the performance

of the implemented Well-Definedness Checks.},

type = {Studienarbeit},

keywords = {},

pubstate = {published},

tppubtype = {mastersthesis}

}

Specification methods in formal program verification enable the enhancement of source
code with formal annotations as to formally specify the behaviour of a program. This is
a popular way in order to subsequently prove software to be reliable and meet certain
requirements, which is crucial for many applications and gains even more importance in
modern society. The annotations can be taken as a contract, which then can be verified
guaranteeing the specified program element – as a receiver – to fulfil this contract with
its caller. However, these functional contracts can be problematic for partial functions,
e.g. a division, as certain cases may be undefined, as in this example a division by zero.
Modern programming languages such as Java handle undefined behaviour by casting an exception.

There are several approaches to handle a potential undefinedness of specifications. In
this thesis, we chose one which automatically generates formal proof obligations ensuring
that undefined specification expressions will not be evaluated.

Within this work, we elaborate on so-called Well-Definedness Checks dealing with undefinedness
occurring in specifications of the modelling language JML/JML* in the
KeY System, which is a formal software development tool providing mechanisms to
deductively prove the before mentioned contracts. Advantages and delimitations are
discussed and, furthermore, precise definitions as well as a fully functional implementation
within KeY are given. Our work covers the major part of the specification elements
currently supported by KeY, on the higher level including class invariants, model fields,
method contracts, loop statements and block contracts. The process of checking the
well-definedness of a specification forms a preliminary step before the actual proof and
rejects undefined specifications. We further contribute by giving a choice between two
different semantics, both bearing different advantages and disadvantages. The thesis also
includes an extensive case study analysing many examples and measuring the performance
of the implemented Well-Definedness Checks.

26 entries « ‹ 2 of 3 › »