automatic verification of safety critical softwares
play

Automatic verification of safety critical softwares Xavier Rival - PowerPoint PPT Presentation

Apr 14, 2023 •273 likes •490 views

Automatic verification of safety critical softwares Xavier Rival INRIA Paris Rocquencourt Nov, 8th. 2012 Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 1 / 20 Why to verify embedded softwares ?

  1. Automatic verification of safety critical softwares Xavier Rival INRIA Paris Rocquencourt Nov, 8th. 2012 Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 1 / 20

  2. Why to verify embedded softwares ? Outline Potential impact of bugs in safety critical softwares : ◮ disastrous , not theoretical State of the art in industry : ◮ mostly testing , need for better techniques Abstract interpretation based static analysis : ◮ sound , automatic ◮ successful verification of synchronous softwares towards the verification of wider families of softwares verification of programs manipulating complex data-structures Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 2 / 20

  3. Why to verify embedded softwares ? The Ariane 501 flight failure (1996) The failure : ◮ at T 0 + 30 s , an arithmetic overflow ( float -> short int ) both Inertial Reference Systems to return negative error codes ◮ the on-board computer misinterprets those as physical data ◮ loss of control of the trajectory A long list of design issues : failure to assess the range of inputs : reuse of legacy code 1 wrong settings of hardware interruptions : crash the system ! 2 the faulty computation was useless after takeoff... 3 main and back-up systems running the same faulty software 4 A very expensive failure: more than $ 300 000 000 cost Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 3 / 20

  4. Why to verify embedded softwares ? Issues in critical embedded softwares Ariane 501 flight is not the only occurrence : Patriot missile Dahran failure : ◮ imprecisions in fixed-point computation (0.1 not representable) ◮ 28 fatalities Loss of a Mars explorer vehicle : ◮ wrong use of units : no conversion between meters and yards ◮ crash on the surface of Mars Saab Grippen fighter jet : ◮ unstability issues in control sofwares ◮ two crashes, due to “Pilot Induced Oscillations” Many others... Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 4 / 20

  5. Verification in avionics State of the art in industry Defined per area, “good industrial practices” : DO 178 standards in avionics : assess level of criticality 1 flight-by-wire level A highly critical flight warning system level C medium passenger IFE level E irrelevant address qualification requirements depending on criticality level 2 Examples of certification tasks ◮ documentation , traceability of software ◮ testing , from unit testing to iron bird Expensive processes; e.g., test: about 90 % of the cost No guarantee of safety , test does not cover all executions Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 5 / 20

  6. Verification in avionics The undecidability barrier Automatic verification is a very desirable goal Cheaper, better guarantee on software... Absence of runtime errors e.g., no crashes on arithmetic or memory errors Functional properties e.g., the program transmits accurate orders to actuators But interesting semantic properties are all undecidable when onsidering Turing complete languages Proof by reduction to the halting problem Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 6 / 20

  7. Verification in avionics Static analysis and verification Verification using abstraction Retain only relevant properties of the concrete semantics Derive a computable, abstract semantics Sound : forgets no concrete behavior Generally incomplete : may fail to capture desired properties Example : attempt to verify that semantics � S � satisfies property P using over-approximate semantics � S � upper Unsuccessful analysis : Successful verification : � S � upper � S � upper � S � � S � P P Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 7 / 20

  8. bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC bC Static analysis fundamental principles Abstraction of properties Abstract domains Families of abstract predicates adapted to static analysis Compact and efficient representations Operations for the static analysis of concrete operations Example : abstraction of sets of pairs of integers y y y y x x x x concrete set interval domain octagon domain polyedra domain In static analyses: various cost / precision ratios Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 8 / 20

  9. bC bC bC bC bC bC bC bC bC bC bC bC Static analysis fundamental principles Abstraction of execution steps Computing sound abstract transformer Conservative analysis of concrete execution steps in the abstract e.g., assignments , condition tests ... May lose precision , will never forget any behavior Balance between cost and precision Example : analysis of a translation with octagons y y x x concrete transformation abstract transformation Soundness: all concrete behaviors are accounted for ! Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 9 / 20

  10. Static analysis fundamental principles Abstraction of infinite computations Computing invariants about infinite executions with widening ▽ Loops may induce executions of unbounded length Analyses should compute inductive invariants Widening ▽ over-approximates ∪ : soundness guarantee Widening ▽ guarantees the termination of the analyses Example : iteration of the translation ( 2 , 1 ) , with octagons y y y X 1 = X 0 ▽ F ( X 0 ) F ( X 0 ) F ( X 1 ) X 0 X 0 X 1 x x x initial iteration 1 iteration 2: stable ! Soundness: all concrete behaviors are accounted for ! Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 10 / 20

  11. Application to control software The Astrée analyzer Goal: verify the absence of runtime errors in synchronous embedded softwares Answer : domain specific static analyzer Group : Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, Xavier Rival Characteristics : declare and initialize state variables; huge softwares : around 1 MLOC loop forever huge states : ≈ 50 000 variables read volatile input variables, compute output and state variables, complex algorithms : write to volatile output variables; boolean control, digital filtering, wait for next clock tick interpolations... end loop very hard to verify Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 11 / 20

  12. Application to control software A numerical abstraction: octagons An invariant to prove in the analysis of a real system : Relational numerical invariants Convex polyedra : assume ( x ∈ [ − 10 , 10 ]) if ( x < 0 ) �� � � j α ij x j ≤ β i y = − x ; i else high computational cost y = x ; ① if ( y ≤ 5 ) Octagons (A. Miné): ② assert ( − 5 ≤ x ≤ 5 ); ◮ two variables per inequality ◮ α ij ∈ {− 1 , 0 , 1 } ◮ reasonable cost Relation between x, y needed  0 ≤ y − x ≤ 10 � 0 ≤ y − x ≤ 10  At ① : At ② : ∧ 0 ≤ x + y ≤ 20 ∧ 0 ≤ x + y ≤ 20 thus − 5 ≤ x ≤ 5  Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 12 / 20

  13. Application to control software A symbolic abstraction: trace partitioning imprecise An interpolation routine interval invariant to analyze precisely : assume ( x ≥ 0 ); int i = 0 ; while ( i < n && t 0 [ i ] ≤ x ) concrete output i = i + 1 ; y = (( x − t 0 [ i ]) ⋆ t 1 [ i ] + t 2 [ i ]); Disjunctions needed input Disjunctions in static analysis With no partitioning: y ≥ − 1 Can be very costly , With partitioning: y ∈ [ − 0 . 5 , 2 ] if too many disjuncts  1 iter ⇒ y ∈ [ − 0 . 5 , 0 ] Trace partitioning :  2 iters ⇒ y ∈ [ 0 , 2 ] link states to control history 3 iters ⇒ y ∈ [ 2 , 2 ]  (L. Mauborgne, X. Rival) Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 13 / 20

  14. Application to control software Results Practical results Proof of safety of industrial codes Airbus A 340 FBW 70 kLOC 1h30 400 Mb 0 alarm Airbus A 380 FBW 700 kLOC 12h 2 Gb 0 alarm Industrialized by AbsInt since 2009 Customers in avionics , automotive , embedded systems Continued research effort , driven by industrial examples: ◮ new abstract domains ◮ new analysis techniques ◮ . . . Theoretical results : better understanding of static analysis techniques, combination of many abstract domains Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 14 / 20

  15. Beyond control software Towards the verification of wider families of softwares numeric computations complex data-structures synchronous structure asynchronous structure e.g., Astrée analyzer no satisfactory analysis level of criticality very high fly-by-wire control internal command bus flight warning system communication/navigation software high low in-flight entertainment system static analysis difficulty easier to analyze harder to analyze Many families of softwares not addressed by Astrée Significant issues to analyze them: asynchrony , memory properties Xavier Rival (INRIA Paris Rocquencourt) Verify safety critical softwares Nov, 8th. 2012 15 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EE Analyzer Xavier R IVAL rival@di.ens.fr Certification of embedded softwares Safety critical

EE Analyzer Xavier R IVAL rival@di.ens.fr Certification of embedded softwares Safety critical

The A STR EE Analyzer Xavier R IVAL rival@di.ens.fr Certification of embedded softwares Safety critical applications avionic softwares but also automotive, space... synchronous Properties to prove to guarantee safety:

491 views • 36 slides
Clearsy Provides safety critical systems and softwares Fersil is the railway activity of

Clearsy Provides safety critical systems and softwares Fersil is the railway activity of

Clearsy Provides safety critical systems and softwares Fersil is the railway activity of Clearsy Clearsy Provides safety critical sytems SIL2 to SIL4 Provides safety critical softwares SIL2 to SIL4 Uses the B formal method to

490 views • 13 slides
WITH A Feature of - M M I Softwares (P) Ltd About MMI Softwares Pvt. Ltd. MMI Softwares Pvt.

WITH A Feature of - M M I Softwares (P) Ltd About MMI Softwares Pvt. Ltd. MMI Softwares Pvt.

CONNECTED BANKING WITH A Feature of - M M I Softwares (P) Ltd About MMI Softwares Pvt. Ltd. MMI Softwares Pvt. Ltd. was established in Jan-1997 by a team of core software professionals endeavoring to provide best IT solutions to the

561 views • 15 slides
F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software

Submitted to IEEE Software 2009 - Special issue on Software Development for Embedded Systems F Formal Modeling and Verification of l M d li d V ifi ti f Safety-Critical Software implemented in PLC JUNBEOM YOO JUNBEOM YOO KONKUK

882 views • 32 slides
SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification now hot Used here in Sweden since 1989 mostly in safety critical applications (railway control program verification) Bounded Model Checking a

468 views • 25 slides
Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic Verification of Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Marta

500 views • 29 slides
Important From Last Time A system is safety critical when its failure may result in injuries

Important From Last Time A system is safety critical when its failure may result in injuries

Important From Last Time A system is safety critical when its failure may result in injuries or deaths Verification and validation can dominate overall development effort Today Embedded system security General principles

599 views • 27 slides
+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an Vanzetto LPAR-18, M erida, Venezuela March 12th, 2012 1 + language The TLA Specification and verification language for (concurrent and

735 views • 27 slides
Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification

Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification

Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification Trustworthy Systems Laboratory Verification and Validation for Safety in Robots, Bristol Robotics Laboratory Verification and Validation for Safety

1.29k views • 72 slides
Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research

Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research

Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research Center Overview Background Verification and Certification Aircraft self-separation Runtime verification Formal-Methods for numerical

812 views • 50 slides
Leveraging Automatic Deduction for Verification Antoine Defourn 11-14 th of June, 2019 Antoine

Leveraging Automatic Deduction for Verification Antoine Defourn 11-14 th of June, 2019 Antoine

Context Projects Leveraging Automatic Deduction for Verification Antoine Defourn 11-14 th of June, 2019 Antoine Defourn Leveraging Automatic Deduction for Verification Context Projects Summary Supervisors: Stephan Merz, Pascal Fontaine

379 views • 16 slides
Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei

Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei

Automatic Verification of RMA Programs via Abstraction Extrapolation Cedric Baumann 1 , Andrei Marian Dan 1 , Yuri Meshman 2 , Torsten Hoefler 1 , Martin Vechev 1 1 Department of Computer Science, ETH Zurich, Switzerland 2 IMDEA Software Institute,

761 views • 61 slides
CheckThat! 2020 3 rd edition Enabling the Automatic Identification and Verification of Claims in

CheckThat! 2020 3 rd edition Enabling the Automatic Identification and Verification of Claims in

CheckThat! 2020 3 rd edition Enabling the Automatic Identification and Verification of Claims in Social Media Organization Alberto Tamer Preslav Giovanni Maram Reem Barrn-Cedeo Elsayed Nakov da San Martino Hassanain Suwaileh

611 views • 24 slides
Overview Objectives RSRUK Wellstock Verification process Historical data review

Overview Objectives RSRUK Wellstock Verification process Historical data review

Overview Objectives RSRUK Wellstock Verification process Historical data review Verification data - results Changes and budget planning Re-cap Study Objectives To investigate failure rates for safety critical

480 views • 24 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

VLSI Design Verification and Test Simulation CMPE 646 Design Verification Simulation used for 1) design verification : verify the correctness of the design and 2) test verification. Design verification: Specification Critical or

426 views • 15 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
--

--

-- /,.)&quot;(-&amp;&amp;0

294 views • 4 slides
UC UC SF SF Introduction: Retrograde Access Wide spread application of endovascular

UC UC SF SF Introduction: Retrograde Access Wide spread application of endovascular

UC UC SF SF Introduction: Retrograde Access Wide spread application of endovascular techniques to infrageniculate arterial occlusive disease Pedal Access: Technical failure rate of crossing complex tibio-peroneal lesions of ~10%

498 views • 7 slides
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs CompCert, a

597 views • 21 slides
Computer Security TA: Adrian Sham adrsham@cs Original slides provided by Franzi and using

Computer Security TA: Adrian Sham adrsham@cs Original slides provided by Franzi and using

CSE 484 / CSE M 584 Computer Security TA: Adrian Sham adrsham@cs Original slides provided by Franzi and using elements from previous quarters Security Reviews Assets (what should be protected) Adversaries (possible attackers)

348 views • 11 slides
Structured light and active ranging techniques 3D photography course schedule Topic Feb 21

Structured light and active ranging techniques 3D photography course schedule Topic Feb 21

Structured light and active ranging techniques 3D photography course schedule Topic Feb 21 Introduction Feb 28 Lecture: Geometry, Camera Model, Calibration Mar 7 Lecture: Features &amp; Correspondences Mar 14 Project Proposals Mar 21

588 views • 40 slides
Five Mindsets to Succeed as a Data Scientist IRL Pallav Agrawal, Director, Data Science Levi

Five Mindsets to Succeed as a Data Scientist IRL Pallav Agrawal, Director, Data Science Levi

Five Mindsets to Succeed as a Data Scientist IRL Pallav Agrawal, Director, Data Science Levi Strauss &amp; Co. I WANT TO KNOW YOU What do Data Scientists Create? Create Concise Generalizations 90 percent of the data in the world today

1.09k views • 72 slides
Feature Model Synthesis Steven She Generative Software Development Lab What is Variability in

Feature Model Synthesis Steven She Generative Software Development Lab What is Variability in

Feature Model Synthesis Steven She Generative Software Development Lab What is Variability in Software? Variability in a software system is its ability for a system to adapt and customize for a particular context. van Gurp et al., 2001

931 views • 67 slides
Spectra from thermal relativistic nuclear field theory Elena Litvinova Western Michigan

Spectra from thermal relativistic nuclear field theory Elena Litvinova Western Michigan

Spectra from thermal relativistic nuclear field theory Elena Litvinova Western Michigan University In collaboration with H. Wibowo, C. Robin, and P. Schuck Workshop: FRIB and the GW170817 kilonova, NSCL@MSU, July 16-27, 2018 Outline

991 views • 29 slides

More recommend