## CS250: Software Foundations## Fall 2014: Pierce Hall 100-F, Tue and Thu, 10:00am-11:30am## Greg Morrisett |

### Texts

You may want to purchase these books, but they are also freely available online.- Pierce et al's Software Foundations
- Chlipala's Certified Programming with Dependent Types

### Links

- The Coq Proof Assistant
- Proof General -- an Emacs-based front-end for Coq.

### Homework

**For class on Sep 4:**Install the latest version of Coq (version 8.4pl4) and either the Coq IDE or else Emacs and Proof General.

### Background

Have you ever had an algorithm that you think is correct, but are not
quite sure is correct? Have you ever worried that you may have a bug
in your program that could lead to a security flaw or a safety
problem? This course is focused on the emerging discipline of how to
produce *ultra-high-assurance* software, where instead of simply
testing the code for the absence of errors, we instead construct a
formal proof that the code respects the desired safety or security
properties.

Normally, when we think of a "proof", we think of an informal English description of an argument. In this context, a "proof" will be a formal object that we will construct with the assistance of a proof assistant, and the proof assistant will ensure that the proof is valid. By valid, we simply mean that each step in the proof follows from the basic rules of a given (higher-order) logic, and that taken together, the steps allow us to conclude that the given property holds.

In this course, you will learn how to construct formal proofs of correctness for software using the Coq proof assistant. Modern proof assistants, such as Coq, provide a uniform environment for writing code, models of systems and mathematical objects, logical specifications, and proofs. Programs in Coq are written in a typed, functional language similar to OCaml, except that the type system is much more powerful. That extra power is used to reflect specifications and logical (math) properties as types, while proofs are represented as functional expressions that build evidence of the validity of a given specification. In this fashion, Coq is able to reduce proof-checking to a form of type-checking. In other words, the type-checker of Coq prevents you from assembling a purported proof unless the proof is actually valid.

Coq and other proof assistants have been used to foramlly prove a wide variety of interesting and useful results. For example, Coq was used to validate the Four-Color Theorem in graph theory, and more recently, the Feit-Thompson Theorem from group theory. In the context of software systems, Coq has been used to construct a provably correct C compiler, a tool for sandboxing native code, a kernel for a web browser, a simple, in-core relational database system, and many other interesting research prototypes.

### Some Outcomes

In this course you will:

- Greatly solidify your understanding of functional programming.
- Learn to read and write specifications in a (higher-order) logic, including different approaches to modeling languages and systems.
- Learn how to formally prove mathematical constructions and properties of programs.
- Experience the short-comings of today's proof assistants and proof automation, and why some of these limitations will be hard to overcome.
- Learn techniques for scaling models, specifications, and proofs to large developments (i.e., "proof engineering").
- Be exposed to the deep and beautiful relationships between types and programming languages, mathematics, and logic.

### Prerequisites

The only real prerequisite for this course is an exposure to functional programming (i.e., CS 51) and some sophistication when it comes to discrete mathematics. For example, you should be comfortable with the idea of constructing paper-and-pencil proofs, as in CS 20, CS 121, or Math 125. I particularly encourage undergraduates to take this course, in spite of the 200-level number!

### Format and Assessment

This is a coding intensive class, similar to something like CS 161 or CS 153. Lectures will be spent demonstrating new concepts and techniques in Coq, and working through exercises together.

In the first half of the course, assignments will be given weekly and will be due at the end of each week. I expect and encourage collaboration through the course Piazza web site, but you are responsible for doing the exercises yourself. It is crucial that you do these exercises in a timely fashion, or you will quickly fall behind.

In the second half of the course, students will (optionally) form teams, and begin work on a specification and verification project of their own design. You may choose to work on verified data structures or algorithms, protocols, etc. Alternatively, you may wish to formalize some basic results from mathematics (e.g., group theory or category theory). Your project will be due before the last class in the semester. More details about the project will be posted at a later date.

Your grade will be determined based on the assignments, class participation, and final project.