Bernhard Beckert
  • Prof. Dr.
  • Karlsruhe Institute of Technology

About

251 Publications
26,416 Reads
3,657 Citations
Current institution
Additional affiliations
October 2009 - present
Karlsruhe Institute of Technology
October 2002 - September 2009
University of Koblenz and Landau
October 1993 - September 2001
Karlsruhe Institute of Technology
Position
  • Universität Karlsruhe

Publications

Publications (251)
Preprint
Recent work has shown that Large Language Models (LLMs) are not only a suitable tool for code generation but also capable of generating annotation-based code specifications. Scaling these methodologies may allow us to deduce provable correctness guarantees for large-scale software systems. In comparison to other LLM tasks, the application field of...
Preprint
When validated neural networks (NNs) are pruned (and retrained) before deployment, it is desirable to prove that the new NN behaves equivalently to the (original) reference NN. To this end, our paper revisits the idea of differential verification which performs reasoning on differences between NNs: On the one hand, our paper proposes a novel abstra...
Chapter
Full-text available
The KeY tool is a state-of-the-art deductive program verifier for the Java language. Its verification engine is based on a sequent calculus for dynamic logic, realizing forward symbolic execution of the target program, whereby all symbolic paths through a program are explored. Method contracts make verification scalable. KeY combines auto-active an...
Chapter
Full-text available
In this experience report, we present the complete formal verification of a Java implementation of in-place superscalar sample sort using the KeY program verification system. As it is one of the fastest general-purpose sorting algorithms, this is an important step towards a collection of basic toolbox components that...
Chapter
The realm of quantum computing is inherently tied to real numbers. However, quantum simulators nearly always rely on floating-point arithmetic and thus may introduce rounding errors in their calculations. In this work, we show how we can nevertheless trust the computations of simulators under certain conditions where we can rule out that floating-p...
Chapter
Online elections and polls are increasingly gaining ground. Since the beginning of the pandemic, many associations, companies and agencies opted for online elections at some point. Yet, most of these elections use online voting systems that are a black box for voters, even though the current state of research offers cryptographic means that would a...
Chapter
Deductive verification tools are logic-based, formal software verification tools that permit to verify complex, functional and non-functional properties with a very high degree of automation. They exhibit impressive performance at the hands of an expert, but are not ready for productive use by someone with limited or no training in formal verificat...
Chapter
We give an overview of Generalized Test Tables (GTTs), a specification language derived from existing table-based test case description methods commonly used in the domain of automated production systems. We cover syntax and semantics of GTTs as well as their use for formal verification, and introduce an extension, Relational Test Tables (RTTs), wh...
Conference Paper
Ethereum smart contracts expose their functions to an untrusted network. Therefore, access control is of utmost importance. Nevertheless, many smart contracts have suffered exploits due to improper design or implementation of access control policies. In this work, we propose an approach for modeling role-based access control policies for Ethereum s...
Conference Paper
The aim of the paper is to summarize and critically discuss the situation in Germany concerning electronic voting.
Book
This Festschrift, dedicated to Reiner Hähnle on the occasion of his 60th birthday, contains papers written by many of his closest collaborators. After positions at Karlsruhe Institute of Technology and Chalmers University of Technology, since 2011 Reiner has been the chaired professor of Software Engineering at Technische Universität Darmstadt, wh...
Presentation
Full-text available
The concept of enforcing secure information flow is well studied in computer science in the context of information security: If secret information may “flow” through an algorithm or program in such a way that it can influence the program’s public output, this is considered insecure information flow, as attackers could potentially observe (parts of)...
Article
Full-text available
Since the beginning of the pandemic, many institutions (including associations, companies and public agencies) have faced the question of how to organize their elections and secret ballots without endangering the health of voters and election workers. Some election officials have opted to conduct online elections or digital ballots...
Article
Full-text available
The dependability characteristic of the control software of manufacturing systems is highlighted more than before, going through repeated changes to cope with various and varying requirements. Formal methods are researched to be applied to automation system engineering to obtain a more effective and efficient quality assurance. One of the...
Preprint
Full-text available
Smart contracts are programs on decentralized platforms. They provide services in the form of function calls, which are in principle visible to and callable by everyone on the network. However, smart contracts often contain some functionality intended only for a restricted subset of callers. Such smart contracts require access control. In this work...
Chapter
Full-text available
The original version of the cover and book was revised. The seventh editor name has been updated.
Chapter
Smart contracts are programs running on decentralized, distributed ledger platforms. Rigorous formal analysis of these programs is highly desirable because they manage valuable assets and therefore are a prime target for security attacks. In this paper, we show that the computation model of smart contracts allows the application of formal methods d...
Chapter
In this article, we present an overview of recent combinations of deductive program verification and automatic test generation on the one hand and static analysis on the other hand, with the goal of checking noninterference. Noninterference is the non-functional property that certain confidential information cannot leak to certain public output, i....
Chapter
There are two paradigms for dealing with complex verification targets: Modularization using contract-based specifications and whole-program analysis. In this paper, we present an approach bridging the gap between the two paradigms, introducing concepts from the world of contract-based deductive verification into the domain of software bounded model...
Chapter
Smart contracts are programs which run in conjunction with distributed ledgers. They often manage valuable assets, but, like all programs, they contain errors which can be exploited by an attacker. This makes them a prime target for formal methods. Many formal analysis methods require the contracts’ program code to be annotated with formal spec...
Book
This volume contains papers presented at the 5th International Joint Conference on Electronic Voting (E-Vote-ID 2020), held during October 6–9, 2020. Due to the extraordinary situation provoked by the COVID-19 pandemic, the conference was held online during this edition, instead of at the traditional venue in Bregenz, Austria. The E-Vote-ID confere...
Book
Full-text available
This volume contains papers presented at the 5th InternationalJoint Conference on Electronic Voting (E-Vote-ID 2020), held during October 6-9, 2020. Due to the extraordinary situation provoked by the Covid-19 pandemic, the conference was held online during this edition, instead of at the traditional venue in Bregenz, Austria. The E-Vote-ID conferen...
Chapter
Smart contracts are programs that run on a distributed ledger platform. They usually manage resources representing valuable assets. Moreover, their source code is visible to potential attackers, they are distributed, and bugs are hard to fix. Thus, they are susceptible to attacks exploiting programming errors. Their vulnerability makes a rigorous f...
Book
Since the inception of the KeY project two decades ago, the area of deductive verification has evolved considerably. Support for real world programming languages by deductive program verification tools has become prevalent. This required to overcome significant theoretical and technical challenges to support advanced software engineering and progra...
Poster
Poster presented at the Fachtagung Lehrerbildung Baden-Württemberg in Heidelberg on 7 November 2019.
Preprint
A wide range of interesting program properties are intrinsically relational, i.e., they relate two or more program traces. Two prominent relational properties are secure information flow and conditional program equivalence. By showing the absence of illegal information flow, confidentiality and integrity properties can be proved. Equivalence proofs...
Book
Full-text available
This volume contains papers presented at E-Vote-ID 2019, the Fourth International Joint Conference on Electronic Voting, held during October 1-4, 2019, in Bregenz, Austria. It resulted from the merging of EVOTE and Vote-ID and counting up to 15 years since the first E-Vote conference in Austria. Since the first conference in 2004, over 1000 experts h...
Conference Paper
Program slicing is the process of removing statements from a program such that defined aspects of its behavior are retained. For producing precise slices, i.e., slices that are minimal in size, the program’s semantics must be considered. Existing approaches that go beyond a syntactical analysis and do take the semantics into account are not fully a...
Preprint
Full-text available
Software verification is a tedious process that involves the analysis of multiple failed verification attempts, and adjustments of the program or specification. This is especially the case for complex requirements, e.g., regarding security or fairness, when one needs to compare multiple related runs of the same software. Verification tools often pr...
Article
Full-text available
Software verification is a tedious process that involves the analysis of multiple failed verification attempts, and adjustments of the program or specification. This is especially the case for complex requirements, e.g., regarding security or fairness, when one needs to compare multiple related runs of the same software. Verification tools often pr...
Chapter
Full-text available
In this chapter, we elaborate how formal verification techniques can be used to ensure safety properties of automated production systems during their evolution. First, we discuss the opportunities that formal methods offer, particularly when dealing with the evolution of automated production systems, but also which special needs this particular dom...
Conference Paper
Digital systems accumulate ever more personal data, and the potential of privacy breaches leading to gross privacy violations continuously increases. Information flow security deals with the problem of how certain program outputs are influenced by certain inputs. This paper handles the problem of testing information flow properties of object orient...
Book
Full-text available
This book constitutes the proceedings of the 4th International Conference on Electronic Voting, E-Vote-ID 2019, held in Bregenz, Austria, in October 2019. The 13 revised full papers presented were carefully reviewed and selected from 45 submissions. The conference was organized in tracks on security, usability and technical issues, administrative,...
Conference Paper
Information flow control (IFC) is a category of techniques for enforcing information flow properties. In this paper we present the Combined Approach, a novel IFC technique that combines a scalable system-dependence-graph-based (SDG-based) approach with a precise logic-based approach based on a theorem prover. The Combined Approach has an increased...
Conference Paper
Deductive program verification can give high assurances for program correctness. But incomplete partial proofs do not provide any information as to what degree or with what probability the program is correct. In this paper, we introduce the concept of state space coverage for partial proofs, which estimates to what degree the proof covers the state...
Article
With recent trends in manufacturing automation, control software in automated production systems becomes more complex and has more variability to keep pace with customer and market requirements. Quality assurance also becomes more and more important to ensure that the systems live up to expectations. However, correctness of automation software is r...
Chapter
Distributed programming frameworks like MapReduce, Spark and Thrill, are widely used for the implementation of algorithms operating on large datasets. However, implementing in these frameworks is more demanding than coming up with sequential implementations. One way to achieve correctness of an optimized implementation is by deriving it from an exi...
Conference Paper
Information-flow control (IFC) techniques assist in avoiding information leakage of sensitive data to an observable output. Unfortunately, the various IFC approaches are either imprecise, thus producing many false positive alerts, or they do not scale. Using system dependence graphs (SDGs) to model the syntactic dependencies between different progr...
Article
Interactive program verification is characterized by iterations of unfinished proof attempts. To support the process of constructing a complete proof, many interactive program verification systems offer a proof scripting language as a text-based way to describe the non-automatic steps in a proof. Such scripting languages are beneficial, but users s...
Article
Distributed programs are often formulated in popular functional frameworks like MapReduce, Spark and Thrill, but writing efficient algorithms for such frameworks is usually a non-trivial task. As the costs of running faulty algorithms at scale can be severe, it is highly desirable to verify their correctness. We propose to employ existing imperativ...
Preprint
Full-text available
Distributed programs are often formulated in popular functional frameworks like MapReduce, Spark and Thrill, but writing efficient algorithms for such frameworks is usually a non-trivial task. As the costs of running faulty algorithms at scale can be severe, it is highly desirable to verify their correctness. We propose to employ existing imperativ...
Article
Full-text available
Increased demands in the field of scientific computation require that algorithms be more efficiently implemented. Maintaining correctness in addition to efficiency is a challenge that software engineers in the field have to face. In this report we share our first impressions and experiences on the applicability of formal methods to such design chal...
Article
MapReduce frameworks are widely used for the implementation of distributed algorithms. However, translating imperative algorithms into these frameworks requires significant structural changes to the algorithm. As the costs of running faulty algorithms at scale can be severe, it is highly desirable to verify the correctness of the translation, i.e.,...
Chapter
Relational program verification refers to the verification of relational properties, which relate different programs, different versions of the same program, or the same program for different inputs. Recently, there is a growing interest in relational properties. One of the main reasons for this trend is that relational properties avoid the bottlen...
Chapter
Sorting is a fundamental functionality in libraries, for which efficiency is crucial. Correctness of the highly optimised implementations is often taken for granted. De Gouw et al. have shown that this certainty is deceptive by revealing a bug in the Java Development Kit (JDK) implementation of TimSort.
Conference Paper
Deductive program verification is a difficult task: in general, user guidance is required to control the proof search and construction. Providing the right guiding information is challenging for users and usually requires several reiterations. Supporting the user in this process can considerably reduce the effort of program verification. In this pa...
Conference Paper
Bounded program verification techniques verify functional properties of programs by analyzing the program for user-provided bounds on the number of objects and loop iterations. Whereas those two kinds of bounds are related, existing bounded program verification tools treat them as independent parameters and require the user to provide them. We pres...
Conference Paper
In industrial practice today, correctness of software is rarely verified using formal techniques. One reason is the lack of specification languages for this application area that are both comprehensible and sufficiently expressive. We present the concepts and logical foundations of generalised test tables – a specification language for reactive sys...
Conference Paper
We present SemSlice, a tool which automatically produces very precise slices for C routines. Slicing is the process of removing statements from a program such that defined aspects of its behavior are retained. For producing precise slices, i.e., slices that are close to the minimal number of statements, the program’s semantics must be considered. S...
Conference Paper
We propose a novel method for the verification of information flow security in component-based systems. The method is (a) modular w.r.t. services and components, i.e., overall security is proved to follow from the security of the individual services provided by the components, and (b) modular w.r.t. attackers, i.e., verified security properties can...
Conference Paper
A risk-limiting audit is a statistical method to create confidence in the correctness of an election result by checking samples of paper ballots. In order to perform an audit, one usually needs to know what the election margin is, i.e., the number of votes that would need to be changed in order to change the election outcome. In this paper, we pres...
Chapter
This chapter gives a systematic tutorial introduction on how to perform formal program verification with the KeY system. It illustrates a number of complications and pitfalls, notably programs with loops, and shows how to deal with them. After working through this tutorial, you should be able to formally verify with KeY the correctness of simple Ja...
Chapter
In the previous chapter, we have introduced JFOL, a variant of classical first-order logic tailored for reasoning about (single) states of Java programs (Section 2.4). Now, we extend this logic such that we can reason about the behavior of programs, which requires considering not just one but several program states. As a trivial example, consider th...
Conference Paper
To enable scalability and address the needs of real-world software, deductive verification relies on modularization of the target program and decomposition of its requirement specification. In this paper, we present an approach that, given a Java program and a partial requirement specification written using the Java Modeling Language, constructs a...
Conference Paper
Deductive verification is about proving that a piece of code conforms to a given requirement specification. For legacy code, this task is notoriously hard for three reasons: (1) writing specifications post-hoc is much more difficult than producing code and its specification simultaneously, (2) verification does not scale as legacy code is often bad...
Conference Paper
Automated production systems (aPS) are complex systems with high reliability standards which can — besides through traditional testing — be ensured by verification using formal methods. In this paper we present a development process for aPS software supported by efficient formal techniques with easy-to-use specification formalisms to increase appli...
Book
Static analysis of software with deductive methods is a highly dynamic field of research on the verge of becoming a mainstream technology in software engineering. It consists of a large portfolio of - mostly fully automated - analyses: formal verification, test generation, security analysis, visualization, and debugging. All of them are realized in...
Conference Paper
Automated production systems are usually driven by Programmable Logic Controllers (PLCs). These systems are long-living – yet have to adapt to changing requirements over time. This paper presents a novel method for regression verification of PLC code, which allows one to prove that a new revision of the plant’s software does not break existing inte...
Conference Paper
Regression verification and checking for illicit information flow in programs are probably the two most prominent instances of so-called relational program reasoning. Regression verification is concerned with proving that two programs behave either equally or differently in a formally specified manner; information-flow checking aims to establish th...
Conference Paper
This paper contributes to the investigation of object-sensitive information flow properties for sequential Java, i.e., properties that take into account information leakage through objects, as opposed to primitive values. We present two improvements to a popular object-sensitive non-interference property. Both reduce the burden on analysis and moni...
Article
Full-text available
In recent years the effectiveness of interactive theorem provers has increased to an extent that the bottleneck in the interactive process shifted to efficiency: while in principle large and complex theorems are provable (effectiveness), it takes a lot of effort for the user interacting with the system (lack of efficiency). We conducted focus group...
Conference Paper
The effectiveness of interactive theorem provers (ITPs) increased such that the bottleneck in the proof process shifted from effectiveness to efficiency. While in principle large theorems are provable, it takes much effort for the user to interact with the system. A major obstacle for the user is to understand the proof state in order to guide the...
Conference Paper
The KeY system offers a platform of software analysis tools for sequential Java. Foremost, this includes full functional verification against contracts written in the Java Modeling Language. But the approach is general enough to provide a basis for other methods and purposes: (i) complementary validation techniques to formal verification such as te...
Article
The possibility to use computers for counting ballots allows us to design new voting schemes that are arguably fairer than existing schemes designed for hand-counting. We argue that formal methods can and should be used to ensure that such schemes behave as intended and conform to the desired democratic properties. Specifically, we define two seman...
Article
Full-text available
In this article, the authors give an overview of tool-based verification of hardware and software systems and discuss the relation between verification and logical reasoning. Here, "verification"' refers to reasoning-based methods to establish dependability. This isn't restricted to proofs of functional correctness; it also includes other scenarios...
Conference Paper
The ability to count ballots by computers allows us to design new voting schemes that are arguably fairer than existing schemes designed for hand-counting. We argue that formal methods can and should be used to ensure that such schemes behave as intended and conform to the desired democratic properties. Specifically, we define two semantic crit...
Conference Paper
Full-text available
The correctness of program verification systems is of great importance, and it needs to be checked and demonstrated to users and certification agencies. One of the contributing factors to the correctness of the whole verification system is the correctness of the background axiomatization, respectively the correctness of calculus rules. In this pape...
Conference Paper
We present a method for using first-order logic to specify the semantics of preferences as used in common vote counting algorithms. We also present a corresponding system that uses Celf linear-logic programs to describe voting algorithms and which generates explicit examples when the algorithm departs from its specification. When we applied our met...
Conference Paper
Dynamic logic is an established instrument for program verification and for reasoning about the semantics of programs and programming languages. In this paper, we define an extension of dynamic logic, called Dynamic Trace Logic (DTL), which combines the expressiveness of program logics such as dynamic logic with that of temporal logic. And we prese...
Book
Formal methods have been applied successfully to the verification of medium-sized programs in protocol and hardware design for some time. However, their application to the development of large systems requires more emphasis on specification, modeling, and validation techniques supporting the concepts of reusability and modifiability, and their impl...
Article
Full-text available
Software verification tools have become a lot more powerful in recent years. Even verification of large, complex systems is feasible, as demonstrated in the L4.verified and Verisoft XT projects. Still, functional verification of large software systems is rare - for reasons beyond the large scale of verification effort needed due to the size alone....
Conference Paper
It is widely recognized that abstraction and modularization are indispensable for specification of real-world programs. In source-code level program specification and verification, model fields are a common means for those goals. However, it remains a challenge to provide a well-founded formal semantics for the general case in which the abstraction...
Article
We present MODL, a Dynamic Logic and a deductive verification calculus for a core Java-like language that includes multi-threading. The calculus is based on symbolic execution. Even though we currently do not handle non-atomic loops, employing the technique of symmetry reduction allows us to verify systems without limits on state space or thread nu...
Article
Usability is an important criterion for measuring and comparing the quality of software systems. It is particularly important for interactive verification systems, which heavily rely on user support to find proofs and that require various complex user interactions. In this paper, we present a questionnaire for evaluating interactive verification sy...
Book
This book presents the thoroughly refereed post-conference proceedings of the International Conference on Formal Verification of Object-Oriented Software, FoVeOOS 2011, held in Turin, Italy, in October 2011 – organised by COST Action IC0701. The 10 revised full papers presented together with 5 invited talks were carefully reviewed and selected from...
Conference Paper
Modular deductive verification of software systems is a complex task: the user has to put a lot of effort in writing module specifications that fit together when verifying the system as a whole. In this paper, we propose a combination of deductive verification and software bounded model checking (SBMC), where SBMC is used to support the user in the...