Extensible Specifications for Automatic Re-Use of Specifications and Proofs

Daniel Matichuk 1 and Toby Murray 1,2

1 NICTA, Sydney, Australia ⋆
2 School of Computer Science and Engineering, UNSW, Sydney, Australia
{firstname.lastname}@nicta.com.au

⋆ NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.

Abstract. One way to reduce the cost of formally verifying a large program is to perform proofs over a specification of its behaviour, which its implementation refines. However, interesting programs must often satisfy multiple properties. Ideally, each property should be proved against the most abstract specification for which it holds. This simplifies reasoning and increases the property's robustness against later tweaks to the program's implementation. We introduce extensible specifications, a lightweight technique for constructing a specification that can be instantiated and reasoned about at multiple levels of abstraction. This avoids having to write and maintain a different specification for each property being proved, whilst still allowing properties to be proved at the highest levels of abstraction. Importantly, properties proved of an extensible specification hold automatically for all instantiations of it, avoiding unnecessary proof duplication. We explain how we applied this idea in the context of verifying confidentiality enforcement for the seL4 microkernel, saving us significant proof and code duplication.

1 Introduction

Formally verifying real software is expensive: proving a single property of a program's implementation can require an order of magnitude more effort than writing the implementation [4, 5]. To avoid expending this much effort on every property to be proved of an implementation, it is common to construct an abstract specification for the software and prove that the software's implementation formally refines this specification. While the refinement proof is itself expensive, all subsequent reasoning can then be performed over the abstract specification, and every property proved of the specification holds for the implementation by virtue of the refinement. In practice, such proofs can require only a similar amount of effort as that needed to write the implementation [5]. The verification of the seL4 microkernel [4] provides a useful data point, being to our knowledge the most extensive code-level verification ever performed of a general-purpose software artifact. A microkernel is a minimal operating system kernel; seL4 implements services such as threads, virtual address spaces, IPC, and capability-based access control. An initial proof of refinement between the kernel's
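The refinement-based workflow described in the introduction, and the idea from the abstract that a specification can be parameterised so that properties proved once hold for every instantiation, can be seen on a deliberately tiny finite-state model. The following is an added illustration and is not code from the paper or from the seL4 proofs: the state space, the operations, the `make_spec` parameterisation by a `log_ext` hook, and the capability-check property are all constructed here. Refinement is checked by exhaustive enumeration with an identity refinement relation, which stands in for the simulation proof one would do in an interactive prover.

```python
"""Toy model of refinement and of an extensible (parameterised) specification.

State = (has_write_cap, data, log). Operations: write a value, or audit.
A specification maps (state, op) to the SET of allowed next states, so a
more abstract specification simply allows more next states.
"""
from itertools import product

VALUES = range(3)   # small data domain so everything can be enumerated
LOGS = range(3)     # small log-counter domain
STATES = [(cap, d, l) for cap in (False, True) for d in VALUES for l in LOGS]
OPS = [("write", v) for v in VALUES] + [("audit",)]


def make_spec(log_ext):
    """Build a specification parameterised by an extension hook.

    `log_ext(log)` returns the set of log values the log may move to; the
    core of the specification (the capability check on writes) never depends
    on it. This is the extensible-specification idea in miniature: one
    specification, instantiated at several levels of abstraction.
    """
    def step(state, op):
        cap, data, log = state
        if op[0] == "write":
            new_data = op[1] if cap else data   # no capability: data untouched
            return frozenset((cap, new_data, l) for l in log_ext(log))
        if op[0] == "audit":
            return frozenset((cap, data, l) for l in log_ext(log))
        raise ValueError(op)
    return step


# Three instantiations of the hook, from most abstract to fully concrete.
def any_log(log):    # log unconstrained: the most abstract instantiation
    return set(LOGS)

def same_log(log):   # log never changes
    return {log}

def inc_log(log):    # saturating increment by one: the concrete behaviour
    return {min(log + 1, max(LOGS))}

abstract_spec = make_spec(any_log)
concrete_spec = make_spec(inc_log)


def refines(impl, spec):
    """True iff every behaviour of `impl` is allowed by `spec`.

    Identity refinement relation, checked exhaustively over the finite model.
    """
    return all(impl(s, op) <= spec(s, op) for s, op in product(STATES, OPS))


def property_holds(spec):
    """Access-control property: a write without the write capability never
    changes `data`. Checked exhaustively over the finite model."""
    for (cap, data, log), op in product(STATES, OPS):
        if op[0] == "write" and not cap:
            nxt = spec((cap, data, log), op)
            if any(d != data for (_, d, _) in nxt):
                return False
    return True


def holds_for_all_instantiations(hooks):
    """The property was proved of the parameterised spec, so it must hold for
    every instantiation; this re-checks that claim for the given hooks."""
    return all(property_holds(make_spec(h)) for h in hooks)


def broken_impl(state, op):
    """A faulty implementation that skips the capability check on writes.
    It does not refine the abstract specification, so nothing proved of the
    specification can be claimed for it."""
    cap, data, log = state
    if op[0] == "write":
        return frozenset({(cap, op[1], min(log + 1, max(LOGS)))})
    return concrete_spec(state, op)


if __name__ == "__main__":
    print("concrete refines abstract:", refines(concrete_spec, abstract_spec))
    print("property on abstract spec: ", property_holds(abstract_spec))
    print("property on all instances: ",
          holds_for_all_instantiations([any_log, same_log, inc_log]))
    print("broken impl refines:       ", refines(broken_impl, abstract_spec))
```

The point to take from the run is the direction of the logic: the property is checked once against the most abstract instantiation, the refinement check establishes that the concrete instantiation's behaviours are a subset of the abstract ones, and only then is the property claimed for the concrete version. The faulty implementation fails the refinement check, so the abstract-level proof says nothing about it, which is exactly the guard rail the technique provides.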