Symbolic Model Checking of Software

Model checking is a popular formal verification technique for both software and hardware. The verification of concurrent software predominantly employs explicit-state model checkers, such as SPIN, that use partial-order reduction as a main technique to deal with large state spaces efficiently. In the hardware domain, the introduction of symbolic model checking has been considered a breakthrough, allowing the verification of systems clearly out-of-reach of any explicit-state model checker.This paper introduces ImProviso, a new algorithm for model checking of software that efficiently combines the advantages of partial-order reduction with symbolic exploration. IMPROVISO uses implicit BDD representations for both the state space and the transition relation together with a new implicit in-stack proviso for efficient partial-order reduction. The new approach is inspired by the Twophase partial-order reduction algorithm for explicit-state model checking.Initial experimental results show that the proposed algorithm improves the existing symbolic model checking approach and can be used to tackle problems that are not tractable using explicit-state methods.     

ESpin*：基于SPIN的Eclipse模型检测环境

信息化社会中人们对软件可信性的要求越来越高,传统的测试技术已经不能充分保证系统的安全性,基于模型的形式化验证技术成为解决此类问题的重要途径。SPIN作为典型的模型检测工具,在学术界和工业界都得到了广泛应用。在Eclipse平台上设计并实现了一个基于SPIN的易扩展的模型检测环境ESpin,通过一个优化了的代码分区算法和可迅速支持SPIN升级的文法分析器,构造了一个高效、易扩充的Promela编辑器。编辑器除了支持Promela的全部语法规则外,还提供了包括实时语法反馈、关键字高亮、大纲视图、代码折叠、代码提示、代码补全在内的多种功能,提高了复杂模型的建模效率。ESpin还为用户提供了多种运行模式和特有的向导、配置界面,简化了SPIN的操作过程。     

Embedded Software Verification Using Symbolic Execution and Uninterpreted Functions

Symbolic simulation and uninterpreted functions have long been staple techniques for formal hardware verification. In recent years, we have adapted these techniques for the automatic, formal verification of low-level embedded software—specifically, checking the equivalence of different versions of assembly language programs. Our approach, though limited in scalability, has proven particularly promising for the intricate code optimizations and complex architectures typical of high-performance embedded software, such as for DSPs and VLIW processors. Indeed, one of our key findings was how easy it was to create or retarget our verification tools to different, even very complex, machines. The resulting tools automatically verified or found previously unknown bugs in several small sequences of industrial and published example code. This paper provides an introduction to these techniques and a review of our results.     

基于SPIN的SSL3.0握手协议模型检测

文章介绍了密钥交换协议SSL3.0协议,并利用模型检测工具SPIN对其进行了形式化分析、建模和验证。实验结果表明此验证方法的正确性,证明了协议本身的安全性与可行性,并且提高了协议的验证效率。     

实时嵌入式系统协调设计的行为验证模型

嵌入式系统协调设计中，通常采用协同验证方法检验系统设计的正确性，目前比较常用的验证手段有行为验证和基于处理器结构的指令集模拟．指令集模拟从底层时序关系模拟CPU功能，通过建立与硬件模拟器连结关系来验证软硬件接口．指令集模拟的主要特点是模拟精度高，但模拟速度慢，对于不同的CPU结构需要构造不同的指令集模拟器．文中研究一种基于RTOS实时嵌入式系统行为验证模型，通过扩展RTOS功能，建立RTOS软件模拟器，实现RTOS模拟器和VHDL／VerilogHDL协同模拟交互．RTOS模拟器把嵌入式软件功能代码、CPU接口代码以及定制硬件驱动代码分开，实现嵌入式软件设计与硬件平台的弱相关，从更高层次验证系统功能。     

一种基于故障扩展SysML活动图的安全性验证框架研究

随着嵌入式系统在能源、交通等安全关键领域的广泛应用,针对嵌入式软件的安全性分析与验证方法一直是学术界和工业界的研究热点之一。使用扩展了故障树语义信息的SysML活动图来统一系统的功能模型与安全需求分析模型,并在保留故障树和SysML活动图两种模型语义描述的基础上,提出了一种基于故障扩展SysML活动图的安全性验证框架,包括:首先利用故障树最小割集提取故障信息并给出故障树逻辑门的转换规则;然后给出故障扩展SysML活动图的构建步骤;最后使用Promela对故障扩展SysML活动图进行建模,并使用模型检测工具SPIN对其进行分析验证。通过一个燃气灶控制系统验证了此方法的有效性。     

An overview of model checking practices on verification of PLC software

Programmable logic controllers (PLCs) are heavily used in industrial control systems, because of their high capacity of simultaneous input/output processing capabilities. Characteristically, PLC systems are used in mission critical systems, and PLC software needs to conform real-time constraints in order to work properly. Since PLC programming requires mastering low-level instructions or assembly like languages, an important step in PLC software production is modelling using a formal approach like Petri nets or automata. Afterward, PLC software is produced semiautomatically from the model and refined iteratively. Model checking, on the other hand, is a well-known software verification approach, where typically a set of timed properties are verified by exploring the transition system produced from the software model at hand. Naturally, model checking is applied in a variety of ways to verify the correctness of PLC-based software. In this paper, we provide a broad view about the difficulties that are encountered during the model checking process applied at the verification phase of PLC software production. We classify the approaches from two different perspectives: first, the model checking approach/tool used in the verification process, and second, the software model/source code and its transformation to model checker’s specification language. In a nutshell, we have mainly examined SPIN, SMV, and UPPAAL-based model checking activities and model construction using Instruction Lists (and alike), Function Block Diagrams, and Petri nets/automata-based model construction activities. As a result of our studies, we provide a comparison among the studies in the literature regarding various aspects like their application areas, performance considerations, and model checking processes. Our survey can be used to provide guidance for the scholars and practitioners planning to integrate model checking to PLC-based software verification activities.     

Language-specific model checking of UML-RT models

Model-driven development (MDD) deals with complexities of modern software development by using models. Their verification is one of the opportunities of MDD, since it can be performed in the early stages of the development. The prevailing trend in verification of MDD models has been to translate them to an input language of one of the existing tools, most notably model checkers. Such an approach has advantages; for instance, we can use tools that achieved a higher level of maturity, including SPIN, NuSMV and Java PathFinder. However, the input languages of model checkers are typically not compatible with MDD models, which can make the translations very complex and difficult to maintain. Moreover, it is more difficult to take advantage of specific features of the structure and semantics of models to, e.g., speed up analysis. In this paper, we depart from the translational trend and present more direct and dedicated approach. We use an MDD language, namely UML-RT (used in IBM Rational Software Architect RealTime Edition), and we introduce a verification method built around its main features such as hierarchical structures, action code and asynchronous communication. In our method we use a formalization tailored to UML-RT models. This enables very easy transformation of models, but also reduces the necessary translations of verification results and directly supports the most important features of UML-RT. The proposed method includes an on-the-fly model checking algorithm based on the original CTL labeling. This algorithm is further optimized to include lazy composition. In the paper, we present all necessary components of the checking algorithms. Additionally, we also show the results of experiments with our implementation using several UML-RT models and CTL formulas. The experiments provide some evidence of the viability of a language-specific analysis of MDD models and of the effectiveness of our optimizations in certain cases.     

The effect of uncontrolled concurrency on model checking

Correctness of concurrent software is usually checked by techniques such as peer code reviews or code walkthroughs and testing. These techniques, however, are subject to human error, and thus do not achieve an in‐depth verification of correctness. Model‐checking techniques, which can systematically identify and verify every state that a system can enter, are a powerful alternative method for verifying concurrent systems. However, the usefulness of model checking is limited because the number of states for concurrent models grows exponentially with the number of processes in the system. This is often referred to as the ‘state explosion problem.’ Some processes are a central part of the software operation and must be included in the model. However, we have found that some exponential complexity results due to uncontrolled concurrency introduced by the programmer rather than due to the intrinsic characteristics of the software being modeled. We have performed tests on multimedia synchronization to show the effect of abstraction as well as uncontrolled concurrency using the Promela/SPIN model checker. We begin with a sequential model not expected to have exponential complexity but that results in exponential complexity. In this paper, we provide alternative designs and explain how uncontrolled concurrency can be removed from the code. Copyright © 2007 John Wiley & Sons, Ltd.     

Formal Methods in Designing Embedded Systems—the SACRES Experience

From automotive electronics to avionics, embedded systems are part of our everyday life, and developed societies are increasingly dependent on their reliability in operation. At the same time, current design practice is inadequate in coping with the challenge of constructing dependable embedded systems.SACRES is an experimental design environment aimed at the seamless development of embedded systems. It incorporates state-of-the-art industrial design tools and provides formal specification, model checking technology and validated code generation. These concepts have been integrated on the basis of the synchronous approach to reactive systems.As a result, synchronous compilation techniques have been enhanced, in particular as regards techniques for distributed code generation. Formal verification technology was advanced to increase efficiency, handle composed systems and cover some real-time aspects. The new approach of translation validation was developed and proven to work.Real bugs have been found even in well-tested models. It was demonstrated that a formal design including verification is often more efficient than testing. As a consequence, all user partners are committed to further introducing formal design and verification technology.This paper summarises the essential achievements of the project. It explains the results in terms of the basic ideas, the available tools and methodology, as well as the experience gained.     

WTP协议的SPIN模型检测

基于模型检测技术,使用SPIN对WTP协议进行了建模和分析．应用自动机和Promela对协议进行建模。利用LTL规范了协议需要满足的安全性,时序性。通过分析发现了协议的一个错误。     

Comparison of SPIN and VIS for protocol verification

In this paper, we compare and contrast SPIN and VIS, two widely used formal verification tools. In particular, we devote special attention to the efficiency of these tools for the verification of communications protocols that can be implemented either in software or hardware. As a basis of our comparison, we formally describe and verify the Asynchronous Transfer Mode Ring (ATMR) medium access protocol using SPIN and its hardware model using VIS. We believe that this study is of particular interest as more and more protocols, like ATM protocols, are implemented in hardware to match high-speed requirements. Published online: 1 March 2002     

Petri网模型的扩展与检测

扩展了基本Petri网，提出了更加适合模型检测的MCPN方法，并将MCPN模型转换成模型检测工具SPIN的输入语言——PROMELA。使用SPIN完成对系统模型的检测，以提高软件设计的可靠性。在转换过程中，考虑了对当前情态下处于激活状态的多个变迁的同时激发；并提出了一种处理Petri网公平性问题的解决方案。     

WTP协议的SPIN模型检测

基于模型检测技术,使用SPIN对WTP协议进行了建模和分析.应用自动机和Promela对协议进行建模,利用LTL规范了协议需要满足的安全性,时序性。通过分析发现了协议的一个错误。     

Verification support for ARINC‐653‐based avionics software

Software model checking consists in applying the most powerful results in formal verification research to programming languages such as C. One general technique to implement this approach is producing a reduced model of the software in order to employ existing and efficient tools, such as SPIN . This paper focusses on the application of this approach to the avionics software constructed on top of the Application Executive Software (APEX ) Interface, which is widely employed by manufacturers in the avionics industry. It presents a method to automatically extract PROMELA models from the C source code. In order to close the extracted model during verification, we built a reusable APEX ‐specific environment. This APEX environment models the execution engine (i.e. an APEX compliant real‐time operating system) that implements APEX services. In particular, it explains how to deal with aspects such as real‐time and APEX scheduling. Time is modelled in such a way that the we save time and memory by avoiding the analysis of irrelevant steps. This model of time and the construction of a deterministic scheduler guarantees the scalability of our approach. The paper also presents a tool that can verify realistic applications, and that has been used as a novel testing method to ensure the correctness of our APEX environment. This testing method uses SPIN to execute official APEX test cases. Copyright © 2010 John Wiley & Sons, Ltd.     

嵌入式Linux系统的设计与实现

近几年计算机硬件技术及网络水平的不断发展和提高,嵌入式系统在军事、政治、经济、生活等各个方面都得到了普遍的应用。 Linux操作系统具有代码公开、内核优化、占用资源少等多方面无与伦比的优点。因此,文中提出了一种嵌入式Linux系统设计及具体实现方法,其中包括硬件结构,软件设计主要分析了嵌入式操作系统的选择和驱动程序的实现。该系统采用微处理芯片来控制实现系统功能,并最终提出了一种使用软硬件技术开发的嵌入式Linux系统的方法。     

Towards automatic software model checking of thousands of Linux modules—a case study with Avinux

Modular software model checking of large real‐world systems is known to require extensive manual effort in environment modelling and preparing source code for model checking. Avinux is a tool chain that facilitates the automatic analysis of Linux and especially of Linux device drivers. The tool chain is implemented as a plugin for the Eclipse IDE, using the source code bounded model checker CBMC as its backend. Avinux supports a verification process for Linux that is built upon specification annotations with SLICx (an extension of the SLIC language), automatic data environment creation, source code transformation and simplification, and the invocation of the verification backend. In this paper technical details of the verification process are presented: Using Avinux on thousands of drivers from various Linux versions led to the discovery of six new errors. In these experiments, Avinux also reduced the immense overhead of manual code preprocessing that other projects incurred. Copyright © 2008 John Wiley & Sons, Ltd.