Similar literature (20 similar documents found)
1.
Formal Verification of a Railway Interlocking System using Model Checking   (total citations: 1, self-citations: 0, citations by others: 1)
In this paper we describe an industrial application of formal methods. We have used model checking techniques to model and formally verify a rather complex piece of software, i.e. part of the “safety logic” of a railway interlocking system. The formal model is structured to retain the reusability and scalability properties of the system being modelled. Part of it is defined once and for all at a low cost, and re-used. The rest of the model can be mechanically generated from the designers' current specification language. The model checker is “hidden” from the user: it runs as a powerful debugger. Its performance is impressive: exhaustive analyses of quite complex configurations with respect to rather complex properties run in the order of minutes. The main reason for this achievement is a carefully designed model, which exploits all the behaviour evolution constraints. The re-usability/scalability of the model and the fact that formal verification is automatic and efficient are the key factors which open up the possibility of real usage by designers at design time. We have thus assessed the possibility of introducing the novel technique in the development cycle with an advantageous costs/benefits relation. Received March 1997 / Accepted in revised form July 1998

2.
In this paper we present a verification strategy for signalling principles for the control of a railway interlocking system written in ladder logic. All translation steps have been implemented and tested on a real-world example of a railway interlocking system. The steps in this translation are as follows: 1. The development of a mathematical model of a railway interlocking system and the translation from ladder logic into this model. 2. The development of verification conditions guaranteeing the correctness of safety conditions. 3. The verification of safety conditions using a satisfiability solver. 4. The generation of safety conditions from signalling principles using a topological model of a railway yard.

4.
The use of the UML specification language is very widespread due to some of its features. However, the ever more complex systems of today require modeling methods that allow errors to be detected in the initial phases of development. The use of formal methods makes such error detection possible, but the learning cost is high. This paper presents a tool which avoids this learning cost, enabling the active behavior of a system expressed in UML to be verified in a completely automatic way by means of formal method techniques. It incorporates an assistant for the verification that acts as a user guide for writing properties, so that the user needs no knowledge of either temporal logic or the form of the specification obtained.

5.
The correctness and security of an operating system are difficult to describe quantitatively. Formal methods are the recognized standard approach in the field of operating system design and verification. Based on the Operating System Object Semantic Model (OSOSM), formal methods are used to design and verify the interrupt mechanism of a microkernel architecture, which is implemented on VTOS, a self-developed secure and trusted operating system. The design process is formally described in Isabelle/HOL and the integrity of the VTOS interrupt mechanism is verified, which provides a reference for the formal design and verification of operating systems.

6.
李艳春, 李晓娟, 关永, 王瑞, 张杰, 魏洪兴. Computer Science (计算机科学), 2016, 43(2): 113-117, 134
The SpaceWire protocol is a high-speed communication bus protocol used in the aerospace field, and guaranteeing its reliability is essential. However, because communication systems feature queuing, distributed control and concurrency, traditional simulation-based verification methods are incomplete, and model checking of high-level properties usually runs into the state explosion problem. This paper formally models and verifies the credit logic of the SpaceWire communication system based on the xMAS model, which both retains the low-level structural information and allows high-level properties to be verified. The credit logic of the communication system is abstracted into an xMAS model, three key properties (sendability, receivability and data consistency) are extracted, and their correctness is verified automatically with the theorem prover ACL2. The method provides an effective reference for verification-guided system design.

7.
陈丽蓉, 李允, 罗蕾. Computer Science (计算机科学), 2015, 42(8): 203-214
This paper describes a layered formal model of an automotive embedded real-time operating system. At the low level, the sequential kernel of the OS plays the role of infrastructure, performing switches between concurrent execution entities such as tasks, ISRs and system services; at the high level, the OS provides users with system services that can execute concurrently. The models of the two levels have different views of the configuration state and different operation granularity. As the most important safety-related feature, the memory isolation protection mechanism between applications and the OS is captured in the model of the sequential kernel. An implementation correctness theorem for the OS is established, including the corresponding simulation relation and implementation invariants. Given the characteristics of the two partial models and the implementation languages of the corresponding code, the theorem prover Isabelle/HOL and the program verifier VCC are applied in combination, effectively completing the formal verification of the OS.

8.
张博颖. Computer Simulation (计算机仿真), 2007, 24(6): 276-279
The priority ceiling protocol is a priority-driven preemptive scheduling protocol with the properties of deadlock freedom and single blocking. Dang Van Hung and Philip Chan formally specified and verified these two properties in [6], but they did not give an explicit definition of the state function HiPripcp, which makes the details of the verification hard to follow. To address this, a new method for verifying the single-blocking property of the priority ceiling protocol is proposed. The protocol is specified using Duration Calculus, and an explicit definition of the state function HiPripcp is given. Based on this specification, the single-blocking property of the protocol is formally verified. The verification method relies less on HiPripcp, which makes the details of the verification easier to understand. In addition, the proposed method can be applied to the formal verification of similar protocols in real-time database systems.

9.
The DH coordinate system plays an important role in robot kinematic analysis. In robot control systems built on DH coordinates, the complexity of the robot structure makes building a safe control system difficult; relying on manual methods alone may lead to system flaws and safety risks that endanger the robot. Formal methods support the design, development and verification of hardware and software systems through deductive reasoning and code extraction. On this basis, this paper designs a formal verification framework for DH-calibrated robot forward kinematics. A formal proof of robot motion theory is constructed in Coq, and the correctness of the control algorithm is verified to ensure the robot's motion safety. First, the DH coordinate system is formally modelled, a formal definition of the transformation matrix between adjacent coordinate frames is constructed, and the equivalence between this transformation matrix and a composite screw motion is verified. Second, a formal definition of the forward kinematics of a manipulator is constructed, and the decomposability of manipulator motion is formally verified. Third, common link structures and robots in industrial robotics are formally modelled, and their forward kinematics is formally verified. Finally, code extraction from Coq to OCaml is implemented, and the extracted code is analysed and verified.

10.
This paper addresses the problem of formally verifying the correctness of a complex pipelined microprocessor at the micro-architectural level of abstraction. The design verified is an example out-of-order execution processor with a reorder buffer, a store buffer, branch prediction, speculative execution and exceptions. We propose a systematic approach called the Completion Functions Approach to decompose and incrementally build its proof of correctness. The central idea is to construct the abstraction function using completion functions, one per unfinished instruction, each of which specifies the effect on the programmer-visible state components of completing the instruction. This construction of the abstraction function leads to a very natural decomposition of the proof into proving a series of verification conditions. The approach prescribes a systematic way to generate these verification conditions, which can then be discharged with a high degree of automation using techniques based on decision procedures and rewriting. The verification was completed in 34 person days, which, we believe, is a modest investment in return for the significant benefits of formal verification.

11.
A Formal Verification Environment for Railway Signaling System Design   (total citations: 2, self-citations: 0, citations by others: 2)
A fundamental problem in the design and development of embedded control systems is the verification of safety requirements. Formal methods, offering a mathematical way to specify and analyze the behavior of a system, together with the related support tools can successfully be applied in the formal proof that a system is safe. However, the complexity of real systems is such that automated tools often fail to formally validate such systems. This paper outlines an experience on formal specification and verification carried out in a pilot project aiming at the validation of a railway computer-based interlocking system. Both the specification and the verification phases were carried out in the JACK (Just Another Concurrency Kit) integrated environment. The formal specification of the system was done by means of process algebra terms. The formal verification of the safety requirements was done first by giving a logical specification of such safety requirements, and then by means of model checking algorithms. Abstraction techniques were defined to make the problem of safety requirements validation tractable by the JACK environment.

12.
Security gateways traditionally designed from experience focus on functional implementation and lack a rigorous security model. To address this, for a typical security gateway, a security policy is first derived from its security requirements; the policy is then formally modelled with the BLP model, and the internal consistency of the security model is proved; finally, the consistency between the gateway's functional specification and the security model is verified. To guarantee the correctness of the reasoning, the whole process is described and reasoned about in the theorem prover Isabelle/HOL, ensuring the security of the gateway's top-level design. The results provide a reference for the formal design of security gateways.

13.
钱磊, 郁文生. Computer Science (计算机科学), 2013, 40(10): 231-234
Differential dynamic logic is used to formally analyse and model railway crossing control. During the train's movement from sending the approach signal to entering the crossing, and according to the timing requirement for the train's arrival at the crossing, the train speed control problem is abstracted into a safety property of a hybrid system, described in differential dynamic logic, and the safety of the system is verified with the hybrid system prover KeYmaera, so that the train's speed before entering the crossing is correctly controlled.

14.
OAuth is a protocol suite for authenticating identities across different services and enabling mutual access to resources. Because it involves user privacy, the security of the OAuth protocol is very important. The main contribution of this paper is to study the OAuth 2.0 specification text, abstract the protocol, model and verify the abstracted protocol with the verification tool AVISPA, and find an attack pattern in the protocol that leads to privacy leakage. During modelling, we propose the novel idea of treating the message to be verified as a symmetric key shared by the two parties. This approach to protocol abstraction and verification can be generalized to other security protocols, such as online payment protocols.

15.
The State Transition Matrix (STM) is a table-based program modelling language. Its single event variable type, the ease with which growing numbers of events and states cause state space explosion, and its inability to express software systems with timing semantics greatly limit the wider application of this modelling method. To address these problems, this paper first proposes the Hierarchical Time State Transition Matrix (HTSTM) model for designing, modelling and verifying software systems with timing constraints, and gives a formal representation for it. Based on this representation, a symbolic encoding method is proposed that, following the idea of bounded model checking, feeds the LTL properties to be verified into an SMT (Satisfiability Modulo Theories) solver, thereby proving the correctness of the software design to a certain extent.

17.
In this paper we briefly introduce a notation dedicated to modelling the navigation of Web applications, and we discuss some strategies to assess usability over navigation models built with such a notation. Our aim with this kind of evaluation is to ensure (prior to implementation) that important user tasks can (or cannot) be performed using the system.

18.
Decision-diagram-based model checking of integer multipliers suffers from memory explosion; one effective way to solve this problem is backward substitution. The function substitution algorithm is the core of backward substitution, and it can be simplified if the variable being substituted is guaranteed to be at the top level of the decision diagram of the function being substituted. By setting a variable order and restricting the order of variable substitution, a backward substitution method is proposed that guarantees the substituted variable is always at the top level of the decision diagram of the substituted function, greatly reducing the running time and memory usage of integer multiplier verification. Experimental results show that, with the improved backward substitution method and 1 GB of memory, the verifiable size of Add-Step multipliers is raised from 84×84 bits to 256×256 bits, and that of Diagonal multipliers from 84×84 bits to 206×206 bits.

19.
To verify the correctness of Pyswitch, a typical application in the NOX network controller for OpenFlow networks, the network elements, links and topology of a simplified OpenFlow network are modelled in Promela, and the resulting model is formally verified with the SPIN tool. The results show that Pyswitch behaves correctly when hosts do not move, but when hosts move, errors arise from a design flaw in Pyswitch's MAC address learning algorithm.

20.
An automata-theoretic model checking algorithm is used to check whether the coloured Petri net model of station interlocking logic satisfies the expected properties. By constructing linear temporal logic using labelled generalized Büchi automata (LGBA), the state space explosion problem in model checking is effectively addressed. This method strengthens the analysis and verification capabilities of coloured Petri nets, and it is applied to verify the properties of a real station interlocking logic problem.
