2026-04-06·11 min read·sota.io team

Deploy SeaHorn to Europe — Jorge A. Navas 🇪🇸 (SRI International), the LLVM-Based Horn Clause Verification Framework Used by NASA JPL and AWS, on EU Infrastructure in 2026

The verification gap between proving a Hoare-logic specification on paper and checking that real C code compiled with Clang actually satisfies a safety property is vast. Tools like Frama-C operate on source-level abstract syntax trees, inserting C annotations that must match the actual compiler's interpretation. Tools like CBMC bound the loop count and search exhaustively — but miss bugs that only appear at iteration 10,001. What if the verification engine could work directly on the compiler's internal representation, with no annotation language, no bound on loop iterations, and no gap between the model and the binary?

SeaHorn answers this question. It is a fully automated verification framework for C and C++ that operates on LLVM IR — the same intermediate representation Clang produces before emitting machine code — and discharges safety queries via Constrained Horn Clauses (CHC) and the Z3 Spacer engine. The gap between model and binary is closed by construction: SeaHorn verifies the same IR that the compiler backend consumes.

Jorge A. Navas 🇪🇸 (born in Spain, PhD background from the University of Minnesota, formerly at NASA JPL, now SRI International) is the lead architect and principal maintainer of SeaHorn. Arie Gurfinkel (formerly Carnegie Mellon SEI, now University of Waterloo 🇨🇦) co-designed the Horn clause encoding and the Spacer integration. Temesghen Kahsai (formerly NASA Ames, now AWS) extended SeaHorn for cloud-scale workloads. The foundational paper — "The SeaHorn Verification Framework" — appeared at CAV 2015 (Computer-Aided Verification, the premier venue for automated verification research). SeaHorn is BSD-3-Clause licensed, open source at github.com/seahorn/seahorn.

The Pipeline: LLVM IR → Horn Clauses → Z3 Spacer

SeaHorn's key architectural insight is to use LLVM IR as the universal intermediate language for verification, then encode the verification problem as Constrained Horn Clauses (CHCs) — a class of first-order logic formulas that unifies program logic, loop invariants, and interprocedural specifications into a single constraint system that modern SMT solvers can reason about directly.

Step 1: C/C++ → LLVM IR (Clang)

# Compile C source to LLVM bitcode
clang -c -emit-llvm -O0 -g program.c -o program.bc

This step uses the standard LLVM/Clang toolchain. SeaHorn imposes no special annotation language on the C source — the developer writes plain C.

Step 2: LLVM IR → Instrumented IR (SeaHorn Front-End)

SeaHorn's LLVM pass pipeline transforms the IR:

sea-pp (Preprocessing): resolves indirect calls, rewrites C++ exceptions, lowers intrinsics
sea-horn (Horn encoding): translates LLVM basic blocks into Horn clause heads and bodies
sea-opt (Optimization): applies abstract interpretation for pre-analysis (intervals, zones, octagons via Crab — SeaHorn's abstract interpretation library)

The safety property is injected via __VERIFIER_error() — any path reaching this function call is an error. This convention is shared with SV-COMP, CBMC, CPAchecker, and the broader automated verification ecosystem.

Step 3: Horn Clauses → Z3 Spacer (PDR/IC3 for CHC)

The output of SeaHorn's encoding is a set of Constrained Horn Clauses of the form:

∀x. (body(x) ∧ constraints(x)) → head(x)

Where head is a predicate representing a program location (basic block) and body contains predicates for predecessor locations plus the transition constraints (assignments, guards). The query clause:

∀x. (error_location(x)) → false

This CHC system is SATISFIABLE iff the program is SAFE (no path to __VERIFIER_error()). The CHC system is UNSATISFIABLE iff there exists a reachable error path, and Spacer produces a counterexample trace — an assignment of concrete values that drives execution to the error state.

Z3 Spacer (also called PDR-CHC or IC3+interpolation for CHC) is an engine developed by Nikolaj Bjørner (Microsoft Research) and Arie Gurfinkel for Horn clause satisfiability. It extends the IC3/PDR algorithm (originally for hardware model checking) to Horn clause systems over linear arithmetic, bit-vector arithmetic, and arrays. Spacer interleaves:

Inductive strengthening: finds an inductive invariant that excludes the error state
Counterexample-guided refinement: uses interpolation to generalize from failed proof attempts
Property-directed reachability: maintains a sequence of over-approximations, similar to IC3 frames

The combination of LLVM's precise IR semantics and Spacer's Horn clause reasoning gives SeaHorn unbounded verification — no loop unrolling bound required — for programs where loop invariants can be expressed in the theory of linear arithmetic or bit-vectors.

Running SeaHorn

# Install SeaHorn (Docker recommended)
docker pull seahorn/seahorn-llvm14:nightly

# Verify a C program
docker run --rm -v $(pwd):/host seahorn/seahorn-llvm14:nightly \
  sea verify --cex /host/program.c

# Output: SAFE or UNSAFE + counterexample trace

A minimal safety property example:

#include "seahorn/seahorn.h"

int divide(int x, int y) {
  sassert(y != 0);  // SeaHorn assertion: no division by zero
  return x / y;
}

int main(void) {
  int a = nd_int();  // non-deterministic input
  int b = nd_int();
  assume(b > 0);     // constrain: b is positive
  divide(a, b);
  return 0;
}

sea verify divide.c encodes the full interprocedural verification problem as CHCs and queries Spacer. With assume(b > 0), Spacer proves SAFE. Without the assumption, it produces a counterexample with b = 0.

Crab: Abstract Interpretation as Pre-Analysis

SeaHorn integrates Crab — a standalone C++ abstract interpretation library — as a pre-analysis layer before Horn clause generation. Crab implements a family of numerical abstract domains:

Intervals (ikos-int): variable ranges [lo, hi], cheapest, no relational information
Zones (ikos-zones): difference bounds xᵢ - xⱼ ≤ c, captures simple relationships
Octagons (ikos-oct): ±xᵢ ± xⱼ ≤ c, richer relational domain, based on Antoine Miné's work
Polyhedra (ikos-lin): full convex hull, most precise, exponential worst-case

Crab's analysis produces invariants per program location that seed the Horn clause encoding. These invariants dramatically reduce the search space for Spacer: instead of starting from the most general approximation, Spacer starts from a pre-computed over-approximation that already captures loop bounds, pointer ranges, and linear relationships between variables.

The Crab domains include the octagon domain originally developed by Antoine Miné 🇫🇷 (ENS Paris, Cousot group — the same lineage as Astrée) and the array smashing/segmentation domains for heap-allocated arrays. This demonstrates the convergence of EU and US formal verification research: French abstract interpretation theory (Cousot 🇫🇷 + Miné 🇫🇷) feeding directly into a US aerospace verification tool.

NASA JPL: Verifying Flight Software

Jorge Navas worked at NASA Jet Propulsion Laboratory (Pasadena, California) before joining SRI International. During this period, SeaHorn was applied to flight software verification for NASA missions — the most demanding correctness standard in engineering practice.

NASA's Core Flight System (cFS) architecture, used on missions including the Mars Science Laboratory (Curiosity rover), is written in C following strict JPL Institutional Coding Standards (a subset of MISRA C) and DO-178C principles. Flight software verification at JPL typically combines:

Static analysis (Polyspace, CodeSonar) for MISRA compliance
Model-based testing (Simulink/Stateflow) for functional behavior
Automated verification for safety-critical properties

SeaHorn provided a third pillar: automated unbounded safety verification for properties that static analysis cannot certify (absence of specific error states in the presence of unbounded iteration) and that model-based testing cannot guarantee (full path coverage is undecidable).

The key advantage of SeaHorn's LLVM-based approach for NASA: the same LLVM toolchain (clang + LLVM backend) that produces the flight binary is used for verification. There is no model extraction step, no annotation-to-code gap, no question of whether the verified model matches the deployed binary. The verification input is the compilation unit.

AWS: Cloud-Scale Verification

Temesghen Kahsai, after NASA Ames Research Center, joined AWS and applied SeaHorn's techniques to cloud service verification. AWS has invested heavily in formal verification: Amazon's s2n-tls (the successor to OpenSSL used across AWS services) was verified using CBMC; AWS Lambda functions have been analyzed using a range of automated techniques.

SeaHorn's Horn clause encoding is particularly well-suited to cloud function verification: Lambda functions are bounded in execution time (15 minutes), have clearly defined input/output interfaces, and are typically short (hundreds to thousands of lines of C/Rust/Go after LLVM compilation). The CHC encoding scales to this size class and can prove properties like:

Memory safety (no buffer overflows in the handler hot path)
Null pointer safety (no null dereferences on validated API responses)
Resource bounds (no unbounded allocation loops in request handlers)

AWS's use of SeaHorn-adjacent techniques demonstrates that formal verification is no longer confined to safety-critical aerospace: cloud infrastructure at hyperscaler scale now routinely deploys these methods in CI/CD pipelines.

SeaHorn in SV-COMP

SeaHorn participates in SV-COMP (the International Competition on Software Verification), the standardized benchmark competition that evaluates automated C verification tools on thousands of real-world and crafted programs. The competition categories include:

ReachSafety: prove or disprove that __VERIFIER_error() is reachable
MemSafety: prove absence of null dereferences, array bounds violations, and use-after-free
Overflow: prove absence of signed integer overflow

SeaHorn's CHC encoding and Crab pre-analysis give it competitive performance in the ReachSafety category — particularly on programs with complex loop invariants where bounded tools (CBMC, 2LS) require large unrolling bounds while SeaHorn finds an inductive invariant directly.

The SV-COMP benchmark suite includes programs extracted from real-world software: Linux kernel drivers, network protocol implementations, and cryptographic library functions — making competition performance a meaningful proxy for industrial applicability.

Regulatory Context: DO-178C, ISO 26262, EU AI Act, NIS2

DO-178C — Software Considerations in Airborne Systems

At the highest assurance level (DAL A — catastrophic failure condition), DO-178C requires structural coverage at the MC/DC (Modified Condition/Decision Coverage) level and prohibits reliance on dynamic testing alone for safety-critical properties. Automated verification tools can be qualified as Verification Tools (TOR category) under DO-178C with appropriate tool qualification data, reducing the manual analysis burden.

SeaHorn's LLVM-based approach is directly applicable to the object-code verification gap in DO-178C: after the compiler produces LLVM IR (and then machine code), SeaHorn verifies properties on the same IR the compiler used — providing evidence that no compiler-introduced transformation violated the safety properties verified at source level. Combined with Alive2 (which verifies that LLVM optimization passes preserve semantics), SeaHorn provides a complete chain of compiler-level assurance.

ISO 26262 (Automotive) — ASIL D

Automotive software at ASIL D requires demonstrating freedom from interference and absence of random hardware faults combined with software correctness. SeaHorn's memory safety verification (null pointer, array bounds, use-after-free) directly addresses the absence of common software vulnerabilities required under ISO 26262 Part 6 (Software Product Development). The LLVM-based approach also supports Rust LLVM IR, enabling formal verification of AUTOSAR-adjacent Rust components emerging in automotive embedded software.

EU AI Act — Article 9 (Risk Management System)

Article 9 of the EU AI Act requires high-risk AI systems to implement a risk management system demonstrating that safety risks are "eliminated or reduced as far as possible." For AI systems written in C/C++ (embedded inference engines, AUTOSAR ADAS components, robotics perception pipelines), SeaHorn's unbounded safety verification constitutes a machine-checkable demonstration of absence of runtime errors — exactly the kind of technical evidence required by Article 9's proportionality principle.

NIS2 — Article 21 (Cybersecurity Risk Management)

NIS2 Article 21 requires operators of essential services to implement "technical measures… to manage the risks posed to the security of network and information systems." Memory safety properties — buffer overflows, null dereferences, use-after-free — are the root cause of the majority of critical CVEs (CWE-119, CWE-125, CWE-787). SeaHorn's automated verification of these properties for C services constitutes a documented, reproducible, and auditable cybersecurity risk management measure that satisfies Article 21's intent.

CRA 2027 — Cyber Resilience Act

From 2027, the Cyber Resilience Act requires manufacturers of products with digital elements to demonstrate that software contains "no known exploitable vulnerabilities." SeaHorn's CHC-based verification can serve as evidence that specific vulnerability classes (integer overflow, memory corruption, null dereference) are provably absent in the verified components — a stronger claim than "no known CVEs" because it is derived from mathematical proof rather than lookup in a vulnerability database.

Deploying SeaHorn on EU Infrastructure

Docker deployment

FROM seahorn/seahorn-llvm14:nightly AS verifier
WORKDIR /verify
COPY src/ ./src/
RUN sea verify --cex src/main.c

CI/CD integration

# .gitlab-ci.yml (or GitHub Actions equivalent)
seahorn-verify:
  image: seahorn/seahorn-llvm14:nightly
  stage: verify
  script:
    - sea verify --cex --horn-answer src/critical_module.c
    - echo "SeaHorn verification passed"
  artifacts:
    paths:
      - seahorn-report/
    when: always

Running with Crab pre-analysis

# Enable octagon domain pre-analysis for richer invariants
sea verify --crab --crab-dom=zones program.c

# Enable array bounds checking
sea verify --horn-singleton-aliases --crab program.c

Batch verification across a C codebase

#!/bin/bash
# verify_all.sh — run SeaHorn on all .c files in src/
find src/ -name "*.c" | while read f; do
  echo "Verifying $f..."
  sea verify --cex "$f" 2>&1 | tee "results/$(basename $f).txt"
done
grep -l "UNSAFE" results/*.txt && echo "Verification failures found"

The LLVM Verification Ecosystem: SeaHorn's Position

SeaHorn sits in a growing LLVM-based verification ecosystem that uses LLVM IR as a shared language for verification tools:

CBMC (Daniel Kroening 🇩🇪, Oxford 🇬🇧): SAT-based bounded model checking via LLVM/JBMC
2LS (Kroening group 🇩🇪, Oxford 🇬🇧): template-based two-level invariant synthesis via LLVM
ESBMC (Lucas Cordeiro 🇵🇹, Manchester 🇬🇧): SMT-based BMC + k-Induction via LLVM
Alive2 (Nuno Lopes 🇵🇹, Universidade de Lisboa 🇵🇹): translation validation, verifies LLVM optimization passes
SeaHorn (Jorge Navas 🇪🇸, SRI International): CHC + Spacer unbounded verification via LLVM

Each tool occupies a different niche: CBMC and ESBMC excel at finding concrete bugs quickly (bounded); 2LS synthesizes polynomial invariants automatically; Alive2 verifies the compiler itself; SeaHorn targets unbounded proofs of absence via Horn clause invariant synthesis. Together they form a layered defense in depth: bounded tools find most bugs quickly, SeaHorn certifies safety properties that hold for all inputs and all iterations.

The EU provenance running through this ecosystem is strong: Kroening (German) + Oxford (EU-associated), Cordeiro (Portuguese), Lopes (Portuguese) — and SeaHorn's Crab library incorporating Miné's octagon domain (French/ENS). Jorge Navas brings Spanish academic background to US aerospace research, with SeaHorn now deployed from Houston to Pasadena to Amazon's data centers — and available on EU-sovereign infrastructure via sota.io.

Deploy SeaHorn to EU Servers with sota.io

sota.io is the EU-native PaaS designed for exactly this class of security-critical tooling deployment. Run SeaHorn in a verification pipeline, a continuous compliance scanner, or an automated code review workflow — all on European infrastructure, GDPR-compliant by default.

# sota.io deployment
sota deploy --image seahorn/seahorn-llvm14:nightly \
  --run "sea verify --cex /code/main.c" \
  --region eu-west-1

Free tier includes enough compute to verify medium-sized C modules. No Cloud Act. No PRISM. No EU verification data leaving the EU. When DO-178C tool qualification evidence must be stored on EU-sovereign infrastructure — which is increasingly an ITAR/export-control requirement for European aerospace programs — sota.io provides the hosting stack that satisfies both the technical requirements of automated verification and the regulatory requirements of EU data sovereignty.

SRI International 🇺🇸 — Jorge A. Navas 🇪🇸 (Spanish-born). BSD-3-Clause. github.com/seahorn/seahorn.