Model-based Development for High Assurance Embedded Systems - PowerPoint PPT Presentation


SLIDE 1

Model-based Development for High Assurance Embedded Systems

Slang Embedded Toolchain Overview

John Hatcliff, University Distinguished Professor, Lucas-Rathbone Professor of Engineering, Kansas State University

Robby, Professor, Kansas State University

Jason Belt, Research Associate, Kansas State University

This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA), Cyber Security Division (DHS S&T/HSARPA/CSD) BAA HSHQDC-14-R-B0005, the Government of Israel and the National Cyber Bureau in the Government of Israel via contract number D16PC00057, as well as the US National Science Foundation FDA Scholar-in-Residence Program.

SLIDE 2

Slang Embedded Framework

What is it? What can you do with it?

  • The Slang Embedded Framework is an integrated modeling, development, analysis, and verification framework for component-oriented embedded systems
  • “Slang” stands for Sireum Language. Sireum is a programming language analysis, verification, and transformation framework developed at Kansas State University
  • Slang Embedded has a special emphasis on development of systems built on top of separation kernels and platforms (infrastructure that can be reused across multiple implementations)

With it you can:

  • Model the architecture (i.e., the design) of both the hardware and the software of an embedded system
  • Specify important properties about your system in the architecture models
  • Generate templates/interfaces for your Slang code and “autoprogram” the communication between components
  • Analyze and verify your models and code against many different types of properties
  • Simulate/debug your code
  • Interface with sensors, actuators, and other hardware elements
  • Automatically translate Slang to C and to a “deployable build” for a particular platform

Slang Embedded --- Overview

SLIDE 3

Primary Stages in Tool Chain

System Modeling and Analysis (AADL)
  • AADL OSATE analyses: schedulability, information flow

Source Code, Simulation, Analysis, Verification
  • Slang – a subset of Scala for critical systems

Code Generation
  • Slang + run-time system abstraction
  • Medical/IoT reference architecture code generation, e.g., C + platform run-time
  • C compatible with the CompCert verified compiler
  • Conforms to the AADL Run-Time Services (which informally specify a computational model for real-time threading and communication)

Deployment on Embedded/Distributed Platforms
  • Hypervisors / micro-kernels: Minix 3 (enhanced), seL4, Xen, LynxSecure

Analysis and verification results are moved up and down the abstraction layers.

SLIDE 4

Example Domains

Example application areas currently being addressed with the Slang Embedded framework:

  • UxAS – Unmanned Systems Autonomy Services (AFRL, DARPA): code deployed on the machine-verified seL4 micro-kernel
  • Medical Devices (US Dept of Homeland Security): code deployed using the Genode OS framework on the Xen hypervisor and the seL4 microkernel
  • Building Controls (US Dept of Homeland Security): code deployed using an enhanced Minix micro-kernel; containment labs for critical agriculture experiments
  • STM32 / FreeRTOS (education)

SLIDE 5

Toolchain Architecture

  • AADL Model, created in OSATE
  • AADL IM to JSON (SAnToS): transforms the AADL instance model (AADL IM), with additional properties and AADL annex clauses, to a JSON representation (the AIR JSON files)
  • JSON AADL IM to Slang AADL IM (SAnToS): transforms the JSON AADL IM to an in-memory Slang representation (the Slang AADL IM)
  • Code Generation: Slang AADL IM to Slang Embedded (Sireum): transforms the Slang AADL IM to a Slang Embedded project including the Slang architecture definition (with AADL properties), Slang component source files / code skeletons (with contracts), and system properties and configuration info
  • Slang tools in the IntelliJ IDE operate on that project: AADL Runtime Simulator, Slang Verification, Slang Testing and Fault Injection
  • Slang Embedded Deployment (Slang AST to Slang Embedded Translator): transforms Slang component code to C source files with integration to platform-specific implementations of the AADL run-time services (C-based AADL Run-time Services)

SLIDE 6

Toolchain Architecture (diagram repeated from slide 5)

SLIDE 7

Open PCA Pump Architecture

AADL graphical view of the primary subsystems of the PCA device: Fluid Subsystem, Operational Subsystem, Safety Subsystem, Power Subsystem.

The Open PCA Pump pedagogical material provides a 40-min video lecture overview of the pump architecture -- http://highassurance.santoslab.org/?q=lectures

SLIDE 8

Architecture provides “Foundation for Truth”

AADL models form scaffolding and an abstraction of the system that is used to link many different types of artifacts:

  • Information Flow Analysis
  • Requirements
  • Hazard Analysis
  • Behavioral Interface Specification (contracts/verification)
  • Real-Time Schedulability Analysis
  • Code Generation + Hardware Platform Configuration
  • Assurance Cases

SLIDE 9

Simple Example System

A simple “Temperature Control” system illustrates many core concepts of cyber-physical systems.

SLIDE 10

OSATE – AADL Model (Graphical View)

Simple Temperature Control model in AADL (OSATE): create/edit the system architecture in OSATE/AADL (this particular diagram emphasizes software aspects). Components shown: Temp Sensor, Heater/Fan Actuator, Temperature Controller (thermostat), Operator Interface.

Model how you want the system to be decomposed into hardware elements, drivers, and threads, and specify the communication between these. The Slang framework will then autocode the communication and generate templates for you to program the components.

SLIDE 11

OSATE – AADL Model (Graphical View)

Simple Temperature Control model in AADL (OSATE), continued: specify the interfaces/boundaries of components in terms of input/output event/data ports. Slang will auto-generate the interface code and method signatures.

SLIDE 12

OSATE – AADL Model (Graphical View)

Simple Temperature Control model in AADL (OSATE), continued: wire the ports together to specify the communication topology (who talks to whom). Slang generates all the code for the communication from the “wires”/connections that you specify.

SLIDE 13

OSATE – AADL Model (Textual View)

AADL has both a textual view and a graphical view, and OSATE keeps them synchronized.

SLIDE 14

OSATE – AADL Model (Textual View)

(textual view of the Temperature Controller component and of the Temperature Controller to Fan connection)

SLIDE 15

AADL Properties

In AADL you can attach various “properties” to the system that are used to configure the underlying platform, direct code generation, and support model-level analysis. Shown here: simple properties that configure the RTOS scheduler and the auto-generated thread skeleton, and that support real-time schedulability analysis.
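The scheduler-related properties referred to above are exactly what a schedulability analysis consumes. As an added illustration, not code from the slides or from the Slang toolchain, the C program below runs a standard fixed-priority response-time analysis over a constructed thread set for the temperature-control example. The thread names, the Period / Deadline / Compute_Execution_Time / Priority values and the microsecond units are assumptions made for this example, chosen to mirror the kind of AADL properties the slide shows; the OSATE plug-in's own implementation may differ in detail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One periodic AADL thread with the properties a schedulability analysis
 * needs. All times in microseconds. (Constructed example.) */
typedef struct {
    const char *name;
    unsigned period;   /* AADL Period */
    unsigned deadline; /* AADL Deadline (defaults to Period) */
    unsigned wcet;     /* AADL Compute_Execution_Time, upper bound */
    unsigned priority; /* AADL Priority, larger = more urgent */
} thread_t;

/* The temperature-control threads with assumed property values. */
static const thread_t THREADS[] = {
    { "TempSensor",  1000, 1000, 200, 3 },
    { "TempControl", 2000, 2000, 500, 2 },
    { "Fan",         5000, 5000, 900, 1 },
};
/* Same set, but the Fan thread's execution time has grown. */
static const thread_t THREADS_OVERLOADED[] = {
    { "TempSensor",  1000, 1000,  200, 3 },
    { "TempControl", 2000, 2000,  500, 2 },
    { "Fan",         5000, 5000, 3000, 1 },
};
#define NTHREADS (sizeof THREADS / sizeof THREADS[0])

/* Worst-case response time of thread i under fixed-priority preemptive
 * scheduling: the least fixed point of
 *     R = C_i + sum over higher-priority j of ceil(R / T_j) * C_j.
 * Returns 0 when R would exceed the deadline, i.e. the thread is not
 * schedulable (the iteration is monotone, so this also bounds it).
 * Threads of equal priority are not counted as interference here. */
unsigned response_time(const thread_t *set, size_t n, size_t i) {
    unsigned r = set[i].wcet;
    for (;;) {
        unsigned next = set[i].wcet;
        for (size_t j = 0; j < n; j++) {
            if (set[j].priority <= set[i].priority) continue;  /* skips j == i too */
            unsigned releases = (r + set[j].period - 1) / set[j].period; /* ceil */
            next += releases * set[j].wcet;
        }
        if (next > set[i].deadline) return 0;
        if (next == r) return r;
        r = next;
    }
}

/* True iff every thread in the set meets its deadline. */
bool schedulable(const thread_t *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (response_time(set, n, i) == 0) return false;
    return true;
}

static void report(const char *label, const thread_t *set, size_t n) {
    printf("%s\n", label);
    for (size_t i = 0; i < n; i++)
        printf("  %-12s C=%u T=%u  R=%u\n", set[i].name, set[i].wcet,
               set[i].period, response_time(set, n, i));
    printf("  schedulable: %s\n", schedulable(set, n) ? "yes" : "no");
}

int main(void) {
    report("nominal", THREADS, NTHREADS);
    report("overloaded", THREADS_OVERLOADED, NTHREADS);
    return 0;
}
```

With the nominal values the response times come out as 200, 700 and 1800 us and the set is schedulable; in the overloaded set the Fan thread's response time iterates past its 5000 us deadline, which is the kind of result a platform engineer wants before the properties are used to configure the RTOS scheduler.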

SLIDE 16

AADL Properties

Shown here: properties capturing communication latencies.

SLIDE 17

Analysis

Multiple forms of analysis can be carried out with AADL/OSATE plug-ins. Shown here: KSU’s AWAS information flow and dependency analysis.
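To make concrete the kind of question an information-flow / dependency analysis answers over an architecture model, here is an added C example that is not from the slides and not AWAS itself: it encodes the port connections of the temperature-control model as a directed graph and computes forward reachability (which components a given component can influence) and backward reachability (which components can influence it). The component and port names follow the slides; the setPoint connection from the Operator Interface back to the controller is a constructed assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Components of the temperature-control model (names follow the slides). */
enum { TEMP_SENSOR, TEMP_CONTROL, FAN, OPERATOR_IF, NCOMP };
static const char *const NAMES[NCOMP] =
    { "TempSensor", "TempControl", "Fan", "OperatorInterface" };

/* A directed AADL port connection: src.src_port -> dst.dst_port. */
typedef struct { int src; const char *src_port; int dst; const char *dst_port; } conn_t;

/* Constructed topology. The setPoint connection is an assumption of this
 * example; the slides only show sensor -> controller -> actuator plus the
 * operator interface. */
static const conn_t CONNS[] = {
    { TEMP_SENSOR,  "currentTemp", TEMP_CONTROL, "currentTemp" },
    { TEMP_CONTROL, "fanCmd",      FAN,          "fanCmd"      },
    { TEMP_CONTROL, "tempChanged", OPERATOR_IF,  "tempChanged" },
    { OPERATOR_IF,  "setPoint",    TEMP_CONTROL, "setPoint"    },
};
#define NCONNS (sizeof CONNS / sizeof CONNS[0])

/* Transitive closure over connections by depth-first search.
 * forward=true : mark every component that `start` can influence.
 * forward=false: mark every component that can influence `start`.
 * out[] is filled (start itself only if a cycle leads back to it);
 * returns the number of marked components. */
int reachable(int start, bool forward, bool out[NCOMP]) {
    bool visited[NCOMP] = { false };
    int stack[NCOMP], sp = 0, count = 0;
    memset(out, 0, NCOMP * sizeof out[0]);
    stack[sp++] = start;
    visited[start] = true;
    while (sp > 0) {
        int c = stack[--sp];
        for (size_t k = 0; k < NCONNS; k++) {
            int from = forward ? CONNS[k].src : CONNS[k].dst;
            int to   = forward ? CONNS[k].dst : CONNS[k].src;
            if (from != c) continue;
            if (!out[to]) { out[to] = true; count++; }
            if (!visited[to]) { visited[to] = true; stack[sp++] = to; }  /* each node pushed once */
        }
    }
    return count;
}
int reach_count(int start, bool forward) { bool r[NCOMP]; return reachable(start, forward, r); }

/* Is there any path over which information from `from` reaches `to`? */
bool can_flow(int from, int to) { bool r[NCOMP]; reachable(from, true, r); return r[to]; }

static void print_reach(int c, bool forward) {
    bool r[NCOMP];
    reachable(c, forward, r);
    printf("%s %s:", NAMES[c], forward ? "can influence" : "is influenced by");
    for (int d = 0; d < NCOMP; d++) if (r[d]) printf(" %s", NAMES[d]);
    printf("\n");
}

int main(void) {
    for (int c = 0; c < NCOMP; c++) print_reach(c, true);
    for (int c = 0; c < NCOMP; c++) print_reach(c, false);
    /* The question a reviewer asks of the architecture: can operator input
     * reach the actuator at all? */
    printf("OperatorInterface -> Fan: %s\n", can_flow(OPERATOR_IF, FAN) ? "yes" : "no");
    return 0;
}
```

Backward reachability from the Fan lists everything that can affect the actuator (here the controller, the sensor and, through the assumed setPoint connection, the operator interface); an empty backward set for the sensor confirms it is a pure source. The same traversal is what lets a model-level analysis check that a connection you did not intend, such as a direct operator-to-actuator path, is absent.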

SLIDE 18

Primary Stages in Tool Chain (diagram repeated from slide 3)

Now moving from AADL models to Slang code.

SLIDE 19

Toolchain Architecture (diagram repeated from slide 5)

SLIDE 20

AADL Intermediate Representation (AIR)

AIR is a JSON-based representation of the AADL model; it is auto-generated from an AADL model. (excerpt of an AIR file)

SLIDE 21

Toolchain Architecture (diagram repeated from slide 5)

SLIDE 22

Component Interfaces Generated from AIR of AADL Model

Interfaces/APIs/skeletons are auto-generated from the AADL model. Component implementations are developed in Slang, a “safety critical” subset of Scala.

The default “business logic” of the component is to be replaced by the developer. The implementation of the “handle” methods is placed in an accompanying file.

SLIDE 23

Component Implementations in Slang

Slang is used to implement component business logic (corresponding to the “handle” event handlers for incoming interface events).

SLIDE 24

Component Implementations in Slang

Slang implementations include calls to publish events on output ports and to get/set values of data ports. Shown: sending an event (with a ‘cmd’ payload) out the fanCmd port (Send), and reading a value from the currentTemp data port (Get).

SLIDE 25

Toolchain Architecture (diagram repeated from slide 5; labels on this version: STRESS, CINCO)

SLIDE 26

Slang Runtime (AADL Runtime Services)

Code in the ART folder provides the implementation of the Slang Embedded run-time environment (an application-independent framework for thread structure and communication infrastructure).

SLIDE 27

Slang Runtime (AADL Runtime Services)

Code in the BRIDGE folder “bridges” the user business-logic code to the Slang Embedded Runtime code. It provides a component/port-specific API for each component that calls the application-independent threading and communication services.

SLIDE 28

Slang Runtime (AADL Runtime Services)

(excerpt of the TempControl bridge)

The code fragment illustrates bridge code for the fanCmd port. The application API method sendfanCmd is expressed in terms of the port name (application dependent). Its implementation calls the application-independent Slang realization of the AADL run-time service putValue, where the specific port is referenced by a numeric identifier.

SLIDE 29

Toolchain Architecture (diagram repeated from slide 5; labels on this version: STRESS, CINCO)

SLIDE 30

Slang Runtime Debugging Framework

The Slang debugging infrastructure provides hooks for “watching” communication and component state and for “injecting” events/values into communication and component state. This can be used to obtain a variety of interesting projections and visualizations of system execution.

(Debugging functionality is split into application-independent and application-specific parts.)

SLIDE 31

Slang Runtime Debugging Framework

The Slang debugging infrastructure provides hooks for registering call-back methods that get invoked when there is an action on an output port or input port, or when the value of a component local variable changes.

Debugging code registers the call-back methods; the call-backs feed event stream visualizations and run-time monitoring.

SLIDE 32

Slang Runtime Debugging Framework

The Slang debugging infrastructure allows values to be injected at an output port or input port. It also allows a component local variable to be directly set/perturbed. This supports state seeding / fault injection and the testing framework.

SLIDE 33

Slang Runtime Debugging Framework

By building a “watcher” for all send / receive actions on ports, and formatting the information in a standardized Message Sequence Chart format, we can rapidly develop an MSC visualization of the system as it is running. (Example Message Sequence Chart visualization; debugging functionality is split into application-independent and application-specific parts.)
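As an added worked example (not code from the slides, from the ART/BRIDGE folders, or from the Slang toolchain), the C program below puts slides 24, 26 to 28 and 30 to 33 together in one file: an application-independent runtime that addresses ports by numeric id and implements putValue/getValue, a per-component bridge (sendFanCmd / getCurrentTemp) for the TempControl component, the developer-written handleCurrentTemp logic, a watcher call-back that prints send/receive actions as MSC arrows, and an injection call that seeds a port value without any sender. The port ids, the connection table, the setpoint and the hysteresis value are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ---- Application-independent runtime (the role of the ART folder) ------ */
/* Every AADL port gets a numeric id at code-generation time.
 * These ids and the connection table are constructed for this example. */
enum { P_SENSOR_TEMP_OUT, P_CTRL_TEMP_IN, P_CTRL_FANCMD_OUT, P_FAN_CMD_IN, NPORTS };
static const char *const PORT_NAMES[NPORTS] = {
    "TempSensor.currentTemp", "TempControl.currentTemp",
    "TempControl.fanCmd", "Fan.fanCmd" };
/* Out port -> connected in port; -1 for in ports (no outgoing connection). */
static const int CONN_DST[NPORTS] = { P_CTRL_TEMP_IN, -1, P_FAN_CMD_IN, -1 };

typedef struct { bool fresh; int value; } port_t;  /* one slot per port id */
static port_t ports[NPORTS];

/* Debugging hook: invoked on every send / receive / inject. NULL = off. */
typedef void (*port_watcher_t)(const char *action, int port, int value);
static port_watcher_t watcher = NULL;
void art_setWatcher(port_watcher_t w) { watcher = w; }

/* AADL run-time service Put_Value: write an out port and propagate the
 * value over the architecture connection to the connected in port. */
void art_putValue(int port, int value) {
    ports[port].value = value; ports[port].fresh = true;
    if (watcher) watcher("send", port, value);
    int dst = CONN_DST[port];
    if (dst >= 0) { ports[dst].value = value; ports[dst].fresh = true; }
}
/* AADL run-time service Get_Value: read the current value of a port. */
int art_getValue(int port) {
    if (watcher) watcher("recv", port, ports[port].value);
    return ports[port].value;
}
/* State seeding / fault injection: overwrite a port directly, bypassing the
 * component that would normally send on it. */
void art_inject(int port, int value) {
    ports[port].value = value; ports[port].fresh = true;
    if (watcher) watcher("inject", port, value);
}

/* ---- Bridge for TempControl (generated per component, BRIDGE folder) --- */
void TempControl_sendFanCmd(int cmd)  { art_putValue(P_CTRL_FANCMD_OUT, cmd); }
int  TempControl_getCurrentTemp(void) { return art_getValue(P_CTRL_TEMP_IN); }

/* ---- TempControl business logic (developer-written handler) ------------ */
enum { FAN_OFF = 0, FAN_ON = 1 };
#define SETPOINT   22   /* assumed, degrees C */
#define HYSTERESIS  1
static int fan_state = FAN_OFF;          /* component-local variable */

/* Called when a new value arrives on currentTemp: fan on above the setpoint,
 * off again once below setpoint - hysteresis, unchanged in between. */
void TempControl_handleCurrentTemp(void) {
    int t = TempControl_getCurrentTemp();
    if (t > SETPOINT && fan_state == FAN_OFF) {
        fan_state = FAN_ON;  TempControl_sendFanCmd(FAN_ON);
    } else if (t < SETPOINT - HYSTERESIS && fan_state == FAN_ON) {
        fan_state = FAN_OFF; TempControl_sendFanCmd(FAN_OFF);
    }
}

/* ---- Watcher producing message-sequence-chart lines -------------------- */
static int msc_events = 0;
static void msc_watcher(const char *action, int port, int value) {
    msc_events++;
    if (strcmp(action, "send") == 0 && CONN_DST[port] >= 0)
        printf("  \"%s\" -> \"%s\" : %d;\n", PORT_NAMES[port], PORT_NAMES[CONN_DST[port]], value);
    else
        printf("  %s on %s : %d;\n", action, PORT_NAMES[port], value);
}
int msc_eventCount(void) { return msc_events; }

/* ---- Simulation helpers ------------------------------------------------ */
/* One dispatch round: TempSensor publishes, TempControl handles the input.
 * Returns the command the Fan would read on its in port. */
int step(int sensed_temp) {
    art_putValue(P_SENSOR_TEMP_OUT, sensed_temp);
    TempControl_handleCurrentTemp();
    return ports[P_FAN_CMD_IN].value;
}
/* Seed the controller's in port without a sensor send, then dispatch it. */
int injectTempAndHandle(int temp) {
    art_inject(P_CTRL_TEMP_IN, temp);
    TempControl_handleCurrentTemp();
    return fan_state;
}

int main(void) {
    art_setWatcher(msc_watcher);
    printf("msc {\n");
    step(20); step(24); step(22); step(20);
    injectTempAndHandle(30);
    printf("}\n");
    return 0;
}
```

Running it prints an MSC-style trace of every send and receive, which is the projection slide 33 describes, and the injected 30-degree reading shows the controller switching the fan on with no sensor involved, which is the state-seeding use of slide 32. The watcher and art_inject are debug hooks of the kind the slides describe and belong in simulator and test builds; a deployed build should not expose the inject path.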

SLIDE 34

Example MSC Visualization

SLIDE 35

Back-end Code Generation (e.g., C)

  • Platform implementation of the AADL Runtime Services (Slang ART), e.g., a C / middleware realization on a partitioned architecture: hand-coded by the platform engineer once for each platform, then reused for each application.
  • Platform implementation of the bridge code for each component: a translation scheme designed once by the platform engineer, and then called for each application to generate bridge code for each component.
  • Platform implementation of the component code for each component: a translation scheme designed once by the platform engineer, and then called for each application to generate “business logic” code for each component.

Note: Many elements of a generic C compilation can be reused across platforms.

SLIDE 36

Toolchain Architecture (diagram repeated from slide 5; labels on this version: STRESS, CINCO)

SLIDE 37

C Code Example

Excerpt of auto-generated C code for handleCurrentTemp. The generated C is compatible with the CompCert (machine-verified) compiler, the GCC and Clang C compilers, and the CLion IDE.

SLIDE 38

Conclusions

  • The Slang Embedded Framework is an integrated modeling, analysis/verification, and development environment for (safety/security-critical) embedded systems
  • Slang is a safety-critical subset of Scala designed to align with embedded systems structure and to be easy to verify
  • Slang can target a variety of embedded platforms, but focuses on partitioning architectures like micro-kernels