Proving refinement transformations for deriving high-assurance software

The construction of a high-assurance system requires some evidence, ideally a proof, that the system as implemented will behave as required. Direct proofs of implementations do not scale up well as systems become more complex and therefore are of limited value. In recent years, refinement-based approaches have been investigated as a means to manage the complexity inherent in the verification process. In a refinement-based approach, a high-level specification is converted into an implementation through a number of refinement steps. The hope is that the proofs of the individual refinement steps will be easier than a direct proof of the implementation. However, if stepwise refinement is performed manually, the number of steps is severly limited, implying that the size of each step is large. If refinement steps are large, then proofs of their correctness will not be much easier than a direct proof of the implementation. We describe an approach to refinement-based software development that is based on automatic application of refinements, expressed as program transformations. This automation has the desirable effect that the refinement steps can be extremely small and, thus, easy to prove correct. We give an overview of the TAMPR transformation system that we use for automated refinement. We then focus on some aspects of the semantic framework that we have been developing to enable proofs that TAMPR transformations are c o m c t ness preserving. With this framework, proofs of correctness for transformations can be obtained with the assistance of an automated reasoning system. *This work was supported in part by the United States Department of Energy under Contract DE-ACO494AL85000, and in part by the BM/C3 directorate, Ballistic Missile Defense Organization, U.S. Department of Defense. iThis work was supported by the BM/C3 directorate, Ballistic Missile Defense Organization, U.S. Department of Defense.