Dagstuhl Intro Mike Whalen

Upload: calvin-little

Posted on 16-Dec-2015


TRANSCRIPT

Page 1

Dagstuhl Intro

Mike Whalen

Page 2

http://www.umsec.umn.edu

Mike Whalen

• My main goal is to reduce software verification and validation (V&V) cost and increase rigor
  • Applied automated V&V techniques on industrial systems
  • Proofs, bounded analyses, static analysis, automated testing
  • Combining several kinds of assurance artifacts

• PhD in proofs of translation for synchronous languages [UMN 2005]

• Worked at Rockwell Collins for 6½ years on formal analysis of avionics systems

• Came back to UMN in December 2009 as Program Director for UM Software Engineering Center

• Work very closely with Mats Heimdahl, Rockwell Collins folks, and several other collaborators

August 2011 | RE 2011: Mike Whalen

Page 3

Uses of Formal Requirements

[Figure: uses of formal requirements laid out by lifecycle phase (Requirements, Design / Code, Test, Field) and by level of scale (Subsystem, System, System of Systems)]

• Automated completeness and consistency checking of requirements
• Compositional analysis
• Static analysis
• Automated proof that design/code satisfies requirements
• Requirements-based test oracles for unit and integration test
• Runtime monitors to recover from failures at runtime
• Automated test generation from requirements

Page 4

Rockwell Collins Inc. Gryphon Tool Family

[Figure: Gryphon tool-chain diagram. Modeling front ends: SCADE, Lustre and Safe StateMachines (Esterel Technologies); Simulink and StateFlow (MathWorks); Simulink Gateway; Reactis (Reactive Systems); Design Verifier. Translation framework: Rockwell Collins / U of Minnesota.]

Model Checkers: NuSMV, Prover, BAT, Kind, SAL

Theorem Provers: ACL2, PVS

Programming Languages: SPARK (Ada), C

UMN: simulator, fault seeder, coverage measurement tool, TCG

RCI: Information Flow Modeling

S. Miller, M. Whalen, D. Cofer. Software Model Checking Takes Off. Communications of the ACM, February 2010.

M. Whalen, D. Greve, L. Wagner. Model Checking Information Flow. In: Design and Verification of Microprocessor Systems for High-Assurance Applications, D. Hardin (Ed.), Springer, March 2010.

D. Hardin, D. R. Johnson, L. Wagner, M. Whalen. Development of Security Software: A High-Assurance Methodology. ICFEM 2009, Rio de Janeiro, Brazil, December 2009.

Page 5

ADGS-2100 Adaptive Display & Guidance System

Example Requirement: Drive the Maximum Number of Display Units Given the Available Graphics Processors

Counterexample Found in 5 Seconds

Checked 573 Properties; Found and Corrected 98 Errors in Early Design Models

• Modeled in Simulink
• Translated to NuSMV
• 4,295 Subsystems
• 16,117 Simulink Blocks
• Over 10^37 Reachable States

Page 6

Use of formally verified Active/Standby design pattern cut development time by 1/3 and saved hundreds of hours of on-aircraft test time

[Figure: Flight Control System (FCS) with redundant flight guidance systems FGS_L and FGS_R]

Architectural design patterns attack system complexity through automated model transformations with guaranteed behaviors

[Chart: State Space Size (log scale, 1.E+00 to 1.E+07) versus Fault-tolerance Configuration, comparing Async and PALS for Active-standby (2 nodes), Active-standby (3 nodes), Pair-pair (quad) redundant, Pair-pair / Active-standby, and Pair-pair / TMR]

[Figure: Synchronous network (Node 1, Node 2, Node 3; steps i and i+1) versus asynchronous bounded-delay network with PALS (Node 1, Node 2, Node 3; period T, clock jitter; steps i and i+1)]

PALS: Physically Asynchronous Logically Synchronous

Rework cost is up to 60% of total development cost for large, complex systems.

Verification reuse through design patterns supports correct-by-construction system development

[Figure: Avionics System (AADL model) containing the FCS and the Flight Guidance System (FGS) with Mode Logic, Control Logic and Leader Select]

PALS pattern for virtual synchrony achieves >3 orders of magnitude reduction in state space and verification complexity

Compositional verification exploits natural system hierarchy through formal assume-guarantee reasoning

[Figure: assume-guarantee contract hierarchy. Components: AvionicsSystem, LeaderSelect, PALS Rep, Platform. Assumptions and guarantees: synchronous communication, one node operational, timing constraints, not co-located, leader transition bounded]

Active-Standby pattern for fault-tolerant control allows system developers to work at a higher level of abstraction

Steven P. Miller, Michael W. Whalen, and Darren D. Cofer. Software Model Checking Takes Off. Communications of the ACM, February 2010.

Page 7

Contracts between patterns and components

• Avionics system requirement
• Relies upon Guarantees provided by patterns and components

Structural properties of model

Resource allocation feasibility

Probabilistic system-level failure characteristics

[Figure: contract hierarchy as on the previous slide, with LS (LeaderSelect), PALS Rep, Platform and AvionicsSystem; assumptions and guarantees: synchronous communication, one node operational, timing constraints, not co-located, leader transition bounded. Analysis views: Behavior, Structure, Resource, Probabilistic; RT sched & latency; Error model]

Under single-fault assumption, GC output transient response is bounded in time and magnitude

© Copyright 2011 Rockwell Collins, Inc. All rights reserved.
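The assume-guarantee composition argument sketched on the two slides above, as an added worked example (this is not Rockwell Collins' or UMSEC's tooling): each component is a contract with assumptions and guarantees, every assumption must be discharged by a system-level assumption or by another component's guarantee, the discharge graph must be acyclic so that no two contracts justify each other, and the system guarantee must be one a component actually provides. The wiring between the slide's labels (which component assumes "synchronous communication", which one guarantees it, and so on) is my reading of the diagram, not something the slide states; the property names are plain strings standing in for the formal properties a model checker would verify.

```python
"""Assume-guarantee composition check (added example, not the slide deck's own tooling)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Contract:
    name: str
    assumptions: FrozenSet[str]   # properties this component relies on
    guarantees: FrozenSet[str]    # properties it provides if its assumptions hold


def providers(components: List[Contract], system_assumptions: FrozenSet[str]) -> Dict[str, Set[str]]:
    """Map each property to who provides it: 'ENV' for system-level assumptions, else component names."""
    table: Dict[str, Set[str]] = {p: {"ENV"} for p in system_assumptions}
    for c in components:
        for g in c.guarantees:
            table.setdefault(g, set()).add(c.name)
    return table


def find_cycle(deps: Dict[str, Set[str]]) -> List[str]:
    """DFS cycle detection over the 'relies on' graph; returns the cycle as a path, or [] if acyclic."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {n: WHITE for n in deps}
    stack: List[str] = []

    def visit(n: str) -> List[str]:
        color[n] = GRAY
        stack.append(n)
        for m in sorted(deps[n]):
            if color[m] == GRAY:                      # back edge: circular justification
                return stack[stack.index(m):] + [m]
            if color[m] == WHITE:
                found = visit(m)
                if found:
                    return found
        stack.pop()
        color[n] = BLACK
        return []

    for n in sorted(deps):
        if color[n] == WHITE:
            found = visit(n)
            if found:
                return found
    return []


def check_composition(components: List[Contract], system_assumptions: FrozenSet[str],
                      system_guarantee: str) -> Tuple[bool, List[str]]:
    """Return (ok, report). ok is True only if the compositional argument is sound."""
    report: List[str] = []
    table = providers(components, system_assumptions)
    # 1. every component assumption must be discharged by the environment or a sibling guarantee
    for c in components:
        for a in sorted(c.assumptions):
            if a not in table:
                report.append(f"{c.name}: assumption '{a}' is not discharged by anything")
    # 2. the discharge relation between components must be acyclic
    deps: Dict[str, Set[str]] = {c.name: set() for c in components}
    for c in components:
        for a in c.assumptions:
            deps[c.name].update(p for p in table.get(a, ()) if p != "ENV")
    cycle = find_cycle(deps)
    if cycle:
        report.append("circular assume-guarantee dependency: " + " -> ".join(cycle))
    # 3. the system guarantee must come from a component, not merely be assumed of the environment
    if table.get(system_guarantee, set()) - {"ENV"} == set():
        report.append(f"system guarantee '{system_guarantee}' is not provided by any component")
    return (not report), report


# Constructed wiring of the slide's labels (assumed interpretation of the diagram).
AVIONICS = [
    Contract("LeaderSelect", frozenset({"synchronous communication", "one node operational"}),
             frozenset({"leader transition bounded"})),
    Contract("PALS Rep", frozenset({"timing constraints"}), frozenset({"synchronous communication"})),
    Contract("Platform", frozenset({"not co-located"}), frozenset({"timing constraints"})),
]
SYSTEM_ASSUMPTIONS = frozenset({"one node operational", "not co-located"})
SYSTEM_GUARANTEE = "leader transition bounded"

# Constructed unsound variant: two contracts that each discharge the other's assumption.
CIRCULAR = [
    Contract("A", frozenset({"q"}), frozenset({"p"})),
    Contract("B", frozenset({"p"}), frozenset({"q"})),
]

if __name__ == "__main__":
    for comps, env, goal in [(AVIONICS, SYSTEM_ASSUMPTIONS, SYSTEM_GUARANTEE), (CIRCULAR, frozenset(), "p")]:
        ok, report = check_composition(comps, env, goal)
        print("sound" if ok else "unsound", report)
```

Running the block reports the avionics wiring as sound and the two-component variant as unsound with the cycle spelled out. The cycle check is the part worth keeping: a contract that is justified, directly or indirectly, by its own guarantee proves nothing, and that is the usual way a compositional argument goes wrong once the hierarchy has more than a couple of levels.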

Page 8

And other stuff…

• Test metrics and oracles [ICSE 2008, ICSE 2011, FASE 2012]

• Semantics and analysis of Statecharts [ISSTA 11, NFM 2012]

• DSL and Analysis for Guard Languages [TACAS 2012]

• Invariant generation techniques for K-Induction model checkers [NFM 2012]

• Requirements-based testing [ICFEM 2008, ISSTA 2006]