source: Papers/jar-cerco-2017/cerco.tex @ 3656

\begin{filecontents*}{example.eps}
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 19 19 221 221
%%CreationDate: Mon Sep 29 1997
%%Creator: programmed by hand (JK)
%%EndComments
gsave
newpath
  20 20 moveto
  20 220 lineto
  220 220 lineto
  220 20 lineto
closepath
2 setlinewidth
gsave
  .4 setgray fill
grestore
stroke
grestore
\end{filecontents*}

\RequirePackage{fix-cm}

\documentclass[smallextended]{svjour3}

\usepackage{amsfonts}
\usepackage{amsmath}
\usepackage{amssymb} 
\usepackage[british]{babel}
\usepackage{color}
\usepackage{fancybox}
\usepackage{fancyvrb}
\usepackage{graphicx}
\usepackage[colorlinks,
            bookmarks,bookmarksopen,bookmarksdepth=2]{hyperref}
\usepackage{hyphenat}
\usepackage[utf8x]{inputenc}
\usepackage{listings}
\usepackage{mdwlist}
\usepackage{microtype}
\usepackage{stmaryrd}
\usepackage{url}

\usepackage{tikz}
\usetikzlibrary{positioning,calc,patterns,chains,shapes.geometric,scopes}

\lstset{language=C,basicstyle=\tt,basewidth=.5em,lineskip=-1.5pt}
\def\lstlanguagefiles{lst-grafite.tex}

\newlength{\mylength}
\newenvironment{frametxt}%
        {\setlength{\fboxsep}{5pt}
                \setlength{\mylength}{\linewidth}%
                \addtolength{\mylength}{-2\fboxsep}%
                \addtolength{\mylength}{-2\fboxrule}%
                \Sbox
                \minipage{\mylength}%
                        \setlength{\abovedisplayskip}{0pt}%
                        \setlength{\belowdisplayskip}{0pt}%
                }%
                {\endminipage\endSbox
                        \[\fbox{\TheSbox}\]}

\smartqed

\lstset{extendedchars=false}
\lstset{inputencoding=utf8x}
\DeclareUnicodeCharacter{8797}{:=}
\DeclareUnicodeCharacter{10746}{++}
\DeclareUnicodeCharacter{9001}{\ensuremath{\langle}}
\DeclareUnicodeCharacter{9002}{\ensuremath{\rangle}}

\title{CerCo: Certified Complexity\thanks{The project CerCo acknowledges the 
financial support of the Future and Emerging Technologies (FET) programme within 
the Seventh Framework Programme for Research of the European Commission, under 
FET-Open grant number: 243881}}
\subtitle{Source-level complexity analysis for a large fragment of C}
\journalname{Journal of Automated Reasoning}
\titlerunning{Certified Complexity}
\date{Received: date / Accepted: date}
\author{Jaap Boender \and Brian Campbell \and Dominic P. Mulligan \and Claudio Sacerdoti~Coen
        \and %Roberto
Roberto~M. Amadio \and
Nicolas Ayache \and
Fran\c{c}ois Bobot \and
Ilias Garnier \and
Antoine Madet \and
James McKinna \and
Mauro Piccolo \and
Randy Pollack \and
Yann R\'{e}gis-Gianas \and
Ian Stark \and
Paolo Tranquilli} % who else?
\authorrunning{Boender, Campbell, Mulligan, and Sacerdoti~Coen}
\institute{Roberto M. Amadio, Antoine Madet, and Yann R\'{e}gis-Gianas \at
            Universit\'e Paris Diderot (Paris 7), Paris, France.
           \and
           Nicolas Ayache \at
            IKOS Consulting, France.
           \and
           Fran\c{c}ois Bobot \at
           Software Reliability Laboratory, CEA, France.
           \and
           Jaap Boender \at
              Middlesex University London, United Kingdom.
           \and
           Brian Campbell, James McKinna, Randy Pollack, and Ian Stark \at
              University of Edinburgh, United Kingdom.
           \and
           Ilias Garnier, \at
             \'Ecole Normale Sup\'erieure, Paris, France.
           \and
           Dominic P. Mulligan \at
             University of Cambridge, United Kingdom.
           \and
           Claudio Sacerdoti~Coen \at
              University of Bologna, Italy.}

\begin{document}

\maketitle

\begin{abstract}
Concrete non-functional properties of programs---for example, time and space usage as measured in basal units of measure such as milliseconds and bytes allocated---are important components of the specification of a program, and therefore overall program correctness.
Indeed, for many application domains, concrete complexity analysis is arguably more important than any asymptotic complexity analysis.
Libraries exporting cryptographic primitives that must be impervious to timing side-channel attacks, or real-time applications with hard timing limits on responsiveness, are examples.

Worst Case Execution Time tools, based on abstract interpretation, currently represent the state-of-the-art in determining concrete time bounds for a program execution.
These tools suffer from a number of disadvantages, not least the fact that all analysis is performed on machine code, rather than high-level source code, making results hard to interpret by programmers.
Further, these tools are often complex pieces of software, whose analysis is hard to trust.
More ideal would be a mechanism to `lift' a cost model from the machine code generated by a compiler, back to the source code level, where analyses could be performed in terms understood by the programmer.
How one could incorporate the precision of traditional static analyses into such a high-level approach---and how this could be done reliably---is not \emph{a priori} clear.

In this paper, we describe the scientific contributions of the European Union's FET-Open Project CerCo (`Certified Complexity').
CerCo's main achievement is the development of a technique for analysing non-functional properties of programs at the source level, with little or no loss of accuracy, and a small trusted code base.
The core component of the project is a compiler for a large fragment of the C programming language, verified in the Matita theorem prover, that produces an instrumented copy of the source code in addition to generating object code.
This instrumentation exposes, and tracks precisely, the concrete (non-asymptotic) computational cost of the input program at the source level.
Untrusted invariant generators and trusted theorem provers may then be used to compute and certify the parametric execution time of the code.

We describe the architecture of our C compiler, its proof of correctness, and the associated toolchain developed around the compiler.
Using our toolchain, we describe a case study in applying our technique to the verification of concrete timing bounds for cryptographic code.

\keywords{Verified compilation \and Complexity analysis \and Worst Case Execution Time analysis \and CerCo (`Certified Complexity') \and Matita}
\end{abstract}

\include{introduction}
\include{architecture}
\include{proof}
\include{development}
\include{framac}
\include{conclusions}

\begin{acknowledgements}
\end{acknowledgements}

\bibliographystyle{spmpsci}
\bibliography{cerco}

\end{document}