The Effect of Program and Model Structure on MC/DC Test
Dagstuhl Intro
Mike Whalen
http://www.umsec.umn.edu
My main goal is to reduce software verification and validation (V&V) cost while increasing rigor:
• Applied automated V&V techniques on industrial systems
• Proofs, bounded analyses, static analysis, automated testing
• Combining several kinds of assurance artifacts

PhD in proofs of translation for synchronous languages [UMN 2005]
Worked at Rockwell Collins for 6 ½ years on formal analysis of avionics systems
Came back to UMN in December 2009 as Program Director for the UM Software Engineering Center
Work very closely with Mats Heimdahl, Rockwell Collins folks, and several other collaborators

August 2, 2011
RE 2011: Mike Whalen
Uses of Formal Requirements
Across lifecycle phases (Requirements, Design / Code, Test, Field) and levels of scale (Subsystem, System, System of Systems):
• Requirements: automated completeness and consistency checking of requirements
• Design / Code: automated proof that design/code satisfies requirements
• Test: automated test generation from requirements; requirements-based test oracles for unit and integration test
• Field: runtime monitors to recover from failures at runtime
• At larger scale: compositional analysis; static analysis
Rockwell Collins Inc. Gryphon Tool Family (Rockwell Collins / U of Minnesota)
Model front ends:
• Simulink and StateFlow (MathWorks); Reactis (Reactive Systems)
• SCADE and Safe State Machines with Design Verifier (Esterel Technologies), connected to Simulink through the Simulink Gateway
• Common intermediate language: Lustre
Analysis back ends:
• Model checkers: NuSMV, Prover, BAT, Kind, SAL
• Theorem provers: ACL2, PVS
• Programming languages: SPARK (Ada), C
UMN: simulator, fault seeder, coverage measurement tool, TCG
RCI: Information Flow Modeling

References:
M. Whalen, D. Greve, L. Wagner. Model Checking Information Flow. In: Design and Verification of Microprocessor Systems for High-Assurance Applications, D. Hardin (ed.), Springer, March 2010.
S. Miller, M. Whalen, D. Cofer. Software Model Checking Takes Off. Communications of the ACM, February 2010.
D. Hardin, D.R. Johnson, L. Wagner, M. Whalen. Development of Security Software: A High-Assurance Methodology. ICFEM 2009, Rio de Janeiro, Brazil, December 2009.
ADGS-2100 Adaptive Display & Guidance System
• Modeled in Simulink, translated to NuSMV
• 4,295 subsystems, 16,117 Simulink blocks, over 10^37 reachable states
• Example requirement: drive the maximum number of display units given the available graphics processors
• Counterexample found in 5 seconds
• Checked 573 properties; found and corrected 98 errors in early design models
Architectural design patterns attack system complexity through automated model transformations with guaranteed behaviors
• Use of a formally verified Active/Standby design pattern cut development time by 1/3 and saved hundreds of hours of on-aircraft test time
• The Active-Standby pattern for fault-tolerant control allows system developers to work at a higher level of abstraction
• The PALS (Physically Asynchronous, Logically Synchronous) pattern for virtual synchrony achieves more than 3 orders of magnitude reduction in state space and verification complexity: the design is verified against a synchronous network and deployed on an asynchronous bounded-delay network with clock jitter
• Verification reuse through design patterns supports correct-by-construction system development
• Rework cost is up to 60% of total development cost for large, complex systems
• Compositional verification exploits natural system hierarchy through formal assume-guarantee reasoning

[Figure: bar chart, log scale from 1.E+00 to 1.E+07, of verification complexity for the Avionics System under Async, Active-standby (2 nodes), Active-standby (3 nodes), PALS, Pair-pair (quad) redundant, Pair-pair / Active-standby, and Pair-pair / TMR configurations]
[Figure: Flight Control System (FCS) containing Flight Guidance Systems FGS_L and FGS_R with Leader Select, mode logic and control logic; nodes 1 to 3 exchanging messages at steps i and i+1 over a synchronous network versus an asynchronous bounded-delay network with clock jitter under PALS]

Steven P. Miller, Michael W. Whalen, and Darren D. Cofer. Software Model Checking Takes Off. Communications of the ACM, February 2010.

Contracts between patterns and components
Avionics System (AADL model): assumptions and guarantees
• Avionics system requirement (behavior): under the single-fault assumption, GC output transient response is bounded in time and magnitude
• Relies upon:
  - Guarantees provided by patterns and components (leader transition bounded from Leader Select (LS); synchronous communication from PALS; Rep; one node operational)
  - Structural properties of the model (timing constraints; not co-located)
  - Resource allocation feasibility (platform; RT scheduling & latency)
  - Probabilistic system-level failure characteristics (error model)
© Copyright 2011 Rockwell Collins, Inc. All rights reserved.
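What discharging such a contract actually means, as an added example that is not code from the Rockwell Collins or UMN tools: a propositional, single-step assume-guarantee checker over a constructed model with a PALS component (assumes timing constraints are met, guarantees synchronous communication) and a Leader Select component (assumes synchronous communication and one operational node, guarantees an operational leader). All signal names, domains and predicates are hypothetical; real AGREE-style analysis would work over temporal contracts with a model checker rather than by enumeration.

```python
from itertools import product

# Constructed signal domains (hypothetical; not from any real avionics model).
DOMAINS = {
    "timing_ok": (False, True),   # platform meets the PALS timing constraints
    "sync": (False, True),        # PALS delivers logically synchronous communication
    "node1_ok": (False, True),    # node 1 operational
    "node2_ok": (False, True),    # node 2 operational
    "leader": (0, 1, 2),          # Leader Select output; 0 means no leader
}

def states():
    """Enumerate every assignment of the signals (2*2*2*2*3 = 48 states)."""
    names = list(DOMAINS)
    for values in product(*(DOMAINS[n] for n in names)):
        yield dict(zip(names, values))

def leader_is_operational(s):
    return s["leader"] != 0 and s["node%d_ok" % s["leader"]]

# Component contracts as (assumption, guarantee) predicates over one state.
COMPONENTS = {
    "PALS": (lambda s: s["timing_ok"],
             lambda s: s["sync"]),
    "LeaderSelect": (lambda s: s["sync"] and (s["node1_ok"] or s["node2_ok"]),
                     leader_is_operational),
}

def contract_holds(components, name, s):
    """A component only promises its guarantee when its assumption holds."""
    assume, guarantee = components[name]
    return (not assume(s)) or guarantee(s)

def check_composition(sys_assume, sys_guarantee, components=COMPONENTS):
    """Discharge both kinds of assume-guarantee obligation by exhaustive search.

    1. Each component's assumption must follow from the system assumption plus
       the other components' contracts.
    2. The system guarantee must follow from the system assumption plus all
       component contracts.
    Returns {} when every obligation holds, else obligation -> counterexample state.
    """
    failures = {}
    for name, (assume, _) in components.items():
        for s in states():
            env = sys_assume(s) and all(
                contract_holds(components, other, s) for other in components if other != name)
            if env and not assume(s):
                failures["assumption of " + name] = s
                break
    for s in states():
        if (sys_assume(s)
                and all(contract_holds(components, c, s) for c in components)
                and not sys_guarantee(s)):
            failures["system guarantee"] = s
            break
    return failures

# System-level contract: assumes timing constraints are met and at least one
# node is operational; guarantees that an operational node is leader.
def system_assume(s):
    return s["timing_ok"] and (s["node1_ok"] or s["node2_ok"])

def system_assume_weak(s):
    # Drops "one node operational": Leader Select's assumption can no longer be
    # discharged, and the system guarantee fails with it.
    return s["timing_ok"]

if __name__ == "__main__":
    print("full assumption:", check_composition(system_assume, leader_is_operational))
    print("weak assumption:", check_composition(system_assume_weak, leader_is_operational))
```

The counterexample returned for the weakened system assumption is the state with both nodes down: the pattern guarantees are intact, but the system requirement relied on an assumption nobody discharged, which is exactly the kind of gap the contract structure on the slide is meant to expose.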
And other stuff…
• Test metrics and oracles [ICSE 2008, ICSE 2011, FASE 2012]
• Semantics and analysis of Statecharts [ISSTA 2011, NFM 2012]
• DSL and analysis for guard languages [TACAS 2012]
• Invariant generation techniques for k-induction model checkers [NFM 2012]
• Requirements-based testing [ICFEM 2008, ISSTA 2006]
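The effect named in the talk title, as an added example not taken from the ICSE 2008 paper or any UMN tool: a unique-cause MC/DC checker applied to one piece of logic written two ways, inlined as a single decision `(a and b) or c` and non-inlined as two decisions joined by an intermediate variable `t`. The two test suites and the exhaustive minimum-size search are constructed here to show that the non-inlined structure is satisfied by smaller suites, and by suites in which the effect of `t` is masked at the output.

```python
from itertools import combinations, product

# Inlined form: one decision with three conditions a, b, c.
def decision_inlined(a, b, c):
    return (a and b) or c

# Non-inlined form of the same logic: two decisions joined by intermediate t.
def and_stage(a, b):
    return a and b

def or_stage(t, c):
    return t or c

def mcdc_coverage(decision, tests):
    """Unique-cause MC/DC on a single decision.

    tests: test vectors (tuples of bools) over the decision's own inputs.
    A condition is covered when two tests differ only in that condition and
    the decision outcome differs. Returns {condition index: covered}.
    """
    tests = list(dict.fromkeys(tests))          # drop duplicates, keep order
    n = len(tests[0])
    return {
        i: any(t1[i] != t2[i]
               and all(t1[j] == t2[j] for j in range(n) if j != i)
               and decision(*t1) != decision(*t2)
               for t1 in tests for t2 in tests)
        for i in range(n)
    }

def inlined_adequate(suite):
    """Is `suite` (tuples (a, b, c)) MC/DC-adequate for the inlined decision?"""
    return all(mcdc_coverage(decision_inlined, suite).values())

def noninlined_adequate(suite):
    """Is `suite` MC/DC-adequate when the logic is split into two decisions?

    Each decision is measured against its own inputs; t is computed from
    (a, b), so nothing forces its effect to propagate to the final output.
    """
    and_tests = [(a, b) for a, b, _ in suite]
    or_tests = [(and_stage(a, b), c) for a, b, c in suite]
    return (all(mcdc_coverage(and_stage, and_tests).values())
            and all(mcdc_coverage(or_stage, or_tests).values()))

def min_adequate_size(adequate, n_inputs=3):
    """Smallest suite that `adequate` accepts, by exhaustive search over
    subsets of the 2**n_inputs possible vectors."""
    vectors = list(product((False, True), repeat=n_inputs))
    for size in range(1, len(vectors) + 1):
        if any(adequate(list(c)) for c in combinations(vectors, size)):
            return size
    return None

# Constructed suite: the (a, b) pairs that cover the and-stage are all run
# with c = True, so t never changes the output; two more vectors cover the
# or-stage. Adequate for the non-inlined form, inadequate for the inlined one.
MASKING_SUITE = [(True, True, True), (False, True, True), (True, False, True),
                 (True, True, False), (False, False, False)]

# Constructed suite adequate for the inlined decision (N+1 = 4 tests); it is
# adequate for the non-inlined form as well.
INLINED_SUITE = [(True, True, False), (False, True, False),
                 (True, False, False), (False, True, True)]

if __name__ == "__main__":
    for name, suite in (("masking", MASKING_SUITE), ("inlined", INLINED_SUITE)):
        print("%-8s suite: inlined=%s non-inlined=%s" % (
            name, inlined_adequate(suite), noninlined_adequate(suite)))
    print("minimum adequate suite: inlined=%d non-inlined=%d" % (
        min_adequate_size(inlined_adequate), min_adequate_size(noninlined_adequate)))
```

Unique-cause MC/DC over N conditions needs at least N+1 tests for one decision, so the inlined form cannot be satisfied with fewer than 4 vectors; split into two 2-condition decisions the same logic passes with 3, and with suites that never show `b` or `c` changing the output. Coverage tools that measure each expression against its own inputs therefore report adequacy that depends on how the model or code is factored, not on what it computes.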