Formalising Executable Specifications of Low-Level Systems

Abstract: Formal models of low-level applications often rely on the distinction between an executable layer and an underlying hardware abstraction. This is also the case for the model of Pip, a separation kernel formalised and verified in Coq using a shallow embedding. DEC is a deeply embedded imperative typed language with primitive recursion, specified in terms of a small-step semantics, which we developed in Coq as a reified counterpart of the shallow embedding used for Pip. In this paper, we introduce DEC and its semantics; we present its interpreter, derived from the type soundness proof and extracted to Haskell; we introduce a Hoare logic to reason about DEC code; and we use this logic to verify properties of Pip as a case study, comparing the new proofs with those based on the shallow embedding. Notably, DEC can import shallow specifications as external functions, thus allowing the abstract hardware model to be reused.
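The abstract describes the architecture in three pieces: a deep embedding (reified syntax plus small-step semantics) that can call shallow Coq functions as external primitives, an executable interpreter justified against that semantics, and a Hoare logic stated over it. The following Coq development is an added illustration of that shape, not code from the DEC or Pip developments: a toy imperative language over a one-register machine, whose `Ext` node imports a shallow specification, with a certified one-step interpreter and one Hoare triple proved directly over the relational semantics. All names (`hwRead`, `hwWrite`, `cmd`, `step_fn`, `hoare`, ...) are assumptions made for this example and do not reflect DEC's actual syntax or API.

```coq
(* Added illustration, not code from the DEC or Pip developments. All names
   here (hwRead, hwWrite, cmd, step_fn, hoare, ...) are assumptions. *)

(* Shallow layer: the hardware abstraction as ordinary Coq functions.
   The machine state is a single register, modelled as a nat. *)
Definition state := nat.
Definition hwRead (s : state) : nat := s.
Definition hwWrite (n : nat) (s : state) : state := n.

(* Deep layer: reified syntax. Ext imports a shallow specification
   as an external function, the way the abstract describes for DEC. *)
Inductive exp : Type :=
  | Const : nat -> exp
  | Plus  : exp -> exp -> exp
  | Ext   : (state -> nat) -> exp.

Inductive cmd : Type :=
  | Skip  : cmd
  | Write : exp -> cmd
  | Seq   : cmd -> cmd -> cmd.

(* Expressions are evaluated atomically against the current state. *)
Fixpoint eval (s : state) (e : exp) : nat :=
  match e with
  | Const n  => n
  | Plus a b => eval s a + eval s b
  | Ext f    => f s
  end.

(* Small-step semantics on configurations (command, state). *)
Inductive step : cmd * state -> cmd * state -> Prop :=
  | SWrite : forall e s, step (Write e, s) (Skip, hwWrite (eval s e) s)
  | SSeq1  : forall c1 c1' c2 s s',
      step (c1, s) (c1', s') -> step (Seq c1 c2, s) (Seq c1' c2, s')
  | SSeq2  : forall c2 s, step (Seq Skip c2, s) (c2, s).

Inductive multi : cmd * state -> cmd * state -> Prop :=
  | MRefl : forall cfg, multi cfg cfg
  | MStep : forall cfg cfg' cfg'',
      step cfg cfg' -> multi cfg' cfg'' -> multi cfg cfg''.

(* Executable one-step interpreter: the extractable counterpart of step.
   None means the configuration is finished (Skip) or stuck. *)
Definition is_skip (c : cmd) : bool :=
  match c with Skip => true | _ => false end.

Fixpoint step_fn (c : cmd) (s : state) : option (cmd * state) :=
  match c with
  | Skip    => None
  | Write e => Some (Skip, hwWrite (eval s e) s)
  | Seq c1 c2 =>
      if is_skip c1 then Some (c2, s)
      else match step_fn c1 s with
           | Some (c1', s1) => Some (Seq c1' c2, s1)
           | None           => None
           end
  end.

(* Fuelled driver, so that the interpreter is a total Coq function. *)
Fixpoint run (fuel : nat) (c : cmd) (s : state) : cmd * state :=
  match fuel with
  | 0   => (c, s)
  | S k => match step_fn c s with
           | Some (c', s') => run k c' s'
           | None          => (c, s)
           end
  end.

(* Every step the interpreter takes is a step of the relational semantics. *)
Lemma step_fn_sound : forall c s c' s',
  step_fn c s = Some (c', s') -> step (c, s) (c', s').
Proof.
  induction c as [| e | c1 IH1 c2 IH2]; intros s c' s' H; simpl in H.
  - discriminate.
  - inversion H; subst. apply SWrite.
  - destruct (step_fn c1 s) as [[c1' s1]|] eqn:E; rewrite E in H; destruct c1.
    + simpl in E. discriminate.
    + simpl in H. inversion H; subst. apply SSeq1. apply IH1. exact E.
    + simpl in H. inversion H; subst. apply SSeq1. apply IH1. exact E.
    + simpl in H. inversion H; subst. apply SSeq2.
    + simpl in E. discriminate.
    + simpl in H. discriminate.
Qed.

(* Hoare triples stated directly over the small-step semantics:
   from any state satisfying P, running c to Skip yields a state satisfying Q. *)
Definition hoare (P : state -> Prop) (c : cmd) (Q : state -> Prop) : Prop :=
  forall s s', P s -> multi (c, s) (Skip, s') -> Q s'.

(* Increment the register, reading it through the imported shallow hwRead. *)
Definition incr : cmd := Write (Plus (Ext hwRead) (Const 1)).

Lemma incr_hoare : hoare (fun s => s = 5) incr (fun s => s = 6).
Proof.
  unfold hoare, incr. intros s s' Hp Hm. simpl in Hp. subst s.
  inversion Hm as [| cfg cfg' cfg'' Hst Hrest]; subst.
  inversion Hst; subst.
  inversion Hrest as [| c1 c2 c3 Hbad Hrest']; subst.
  - simpl. reflexivity.
  - inversion Hbad.
Qed.

(* The extracted-style interpreter agrees with the triple: 5 -> 6 -> 7. *)
Example run_incr_twice : run 10 (Seq incr incr) 5 = (Skip, 7).
Proof. reflexivity. Qed.
```

The point to notice is the division of labour the abstract describes: `hwRead` and `hwWrite` stay shallow (plain Coq functions, which is what makes a hardware model convenient to write and to reuse), while `cmd` and `step` are deep, so programs are data that an interpreter can run after extraction and that a Hoare-style rule can be proved about by inversion on the derivation. `step_fn_sound` is the toy analogue of deriving the interpreter from the soundness result; in a real development the proof obligation would also cover progress and typing.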
Contributor: David Nowak
Submitted on: Friday, November 16, 2018 - 5:43:41 PM
Last modification on: Saturday, March 23, 2019 - 1:26:12 AM
Document(s) archived on: Sunday, February 17, 2019 - 3:05:50 PM




  • HAL Id: hal-01829374, version 2



Paolo Torrini, David Nowak, Narjes Jomaa, Mohamed Sami Cherif. Formalising Executable Specifications of Low-Level Systems. 10th Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE 2018), Jul 2018, Oxford, United Kingdom. ⟨hal-01829374v2⟩


