IoT Modelling Framework and Papyrus
Shuai Li, CEA
CHARIOT-VESSEDIA Workshop "THE ROAD AHEAD FOR A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS"
CHARIOT – VESSEDIA Workshop, 9 May 2019, Dublin, Ireland
Presentation outline
From specifications to proof goals
Context
Problems: safety and security requirements are often expressed at system level, yet they need to be validated at code level.
Challenge: how to translate high-level requirements into low-level proof goals?
Approach: a model-based framework for static code analysis.
From system models to code validation
(Figure: a sequence diagram with messages c?x1, c!r1, c!t1 and calls r=foo(x), t=bar(r) is modelled in Papyrus; Diversity symbolically executes it into a tree of contexts η0 … η8 from which low-level requirements (relational properties) are derived; the C code is then proven against them with Frama-C. Tooling between the stages is automatic.)
- High-level model: Papyrus
- Low-level requirements (relational properties): Diversity
- Code validation (proof): Frama-C
System models to symbolically executable models
System modelling framework
(Figure: UML class and composite structure diagrams with AClass (operation b(pB: Integer)), BClass (operation a(pA: String)), interfaces ItfA (a(pA: Integer)) and ItfB, and a System containing parts A: AClass and B: BClass connected through ports a and b.)
Focus on transformation of interactions to symbolically executable state-machines.
Message occurrence transformation
(Figure: sequence diagram (sd) with a message occurrence on lifeline A.)
xLIA:
    state q2 {
        transition tr_2 {
            input A( b );
        } --> q3;
    }
Behavior execution transformation
sd: y = f(x)
@routine:
    macro routine f(integer a, return integer r) {
        newfresh(r);
        CALLstack <=< { "f", a, r };
    }
xLIA:
    state q2 {
        transition tr_2 {
            f(x, y);
        } --> q3;
    }
Optional fragment transformation
(Figure: sequence diagram (sd) with an opt fragment and the transformation of Lifeline A into xLIA states.)
Alternative fragment transformation
(Figure: sequence diagram (sd) with an alt fragment and the transformation of Lifeline A into xLIA states.)
Loop fragment transformation
(Figure: sequence diagram (sd) with a loop fragment and the transformation of Lifeline A into xLIA states.)
Symbolic execution and relational property inference
Symbolic execution
Symbolic execution to cover expected behavior
State machine (figure):
- s0 --in?x; r=foo(x)--> s1
- s1 --[r>3] out!x-1--> s0
- s1 --[x>10 ∧ r≤3] out!r; t=bar(r+1)--> s2
- s2 --[t>5] out!t--> s0
Execution contexts (state, symbolic store, path condition, call stack):
- η0: (s0, x:=x0, r:=r0, t:=t0, True, ∅)
- η1 (after in?x1): (s1, x:=x1, r:=r1, t:=t0, True, [(foo, x1, r1)])
- η2 (after out!x1-1): (s0, x:=x1, r:=r1, x1 ≤ 10 ∧ r1 > 3, [(foo, x1, r1)])
- η3 (after out!r1): (s0, x:=x1, r:=r1, t:=t1, x1 > 10 ∧ r1 ≤ 3, [(foo, x1, r1), (bar, r1+1, t1)])
- η4 (after out!t1): (s0, x:=x1, r:=r1, t:=t1, x1 > 10 ∧ r1 ≤ 3 ∧ t1 > 5, [(foo, x1, r1), (bar, r1+1, t1)])
Relational property inference
Path covering the expected behavior: η0 --in?x1--> η1 --out!r1--> η3 --out!t1--> η4, where η4 carries the path condition x1 > 10 ∧ r1 ≤ 3 ∧ t1 > 5 and the call stack [(foo, x1, r1), (bar, r1+1, t1)].
Inferred relational property:
    @relational \forall int x1;
        \callset( \call(foo, x1, id1), \call(bar, \callresult(id1) + 1, id2) )
        => ( x1 > 10 => ( \callresult(id1) ≤ 3 => \callresult(id2) > 5 ) );
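The two slides above show one execution path of the three-state machine and the relational property inferred from it. The following Python is an added example, not code from the slides or from the Diversity or Frama-C tools: a depth-bounded symbolic executor over a constructed encoding of that machine, which gives inputs and routine results fresh symbols, collects the path condition and call stack per path, and renders a leaf context as an ACSL-style @relational annotation. The model encoding, the step bound and the ACSL spellings (&&, <=, ==>, \true) are assumptions.

```python
import re
from itertools import count

# Constructed model (an assumption mirroring the slide's s0/s1/s2 machine):
# (source, guard, input variable, routine call (name, argument, result), target).
# Guards and arguments are ACSL-style templates over the current symbolic store.
MODEL = [
    ("s0", None, "x", ("foo", "{x}", "r"), "s1"),                         # in?x ; r = foo(x)
    ("s1", "{r} > 3", None, None, "s0"),                                  # [r>3] out!x-1
    ("s1", "{x} > 10 && {r} <= 3", None, ("bar", "{r} + 1", "t"), "s2"),  # out!r ; t = bar(r+1)
    ("s2", "{t} > 5", None, None, "s0"),                                  # [t>5] out!t
]

def symbolic_execute(model, start, variables, max_steps):
    """Depth-first symbolic execution; returns leaf contexts (state, store, pc, calls, inputs)."""
    counters = {v: count(1) for v in variables}
    fresh = lambda v: f"{v}{next(counters[v])}"          # like xLIA's newfresh()
    contexts = []
    def step(state, store, pc, calls, inputs, depth):
        out = [t for t in model if t[0] == state]
        if depth == max_steps or not out:
            contexts.append((state, store, pc, calls, inputs)); return
        for _, guard, inp, call, dst in out:
            st, new_in = dict(store), list(inputs)
            if inp:                                       # in?x binds a fresh input symbol
                st[inp] = fresh(inp); new_in.append(st[inp])
            new_pc = pc + ([guard.format(**st)] if guard else [])
            new_calls = list(calls)
            if call:                                      # push (routine, argument, fresh result)
                name, arg, res = call
                arg = arg.format(**st); st[res] = fresh(res)
                new_calls.append((name, arg, st[res]))
            step(dst, st, new_pc, new_calls, new_in, depth + 1)
    step(start, {v: f"{v}0" for v in variables}, [], [], [], 0)
    return contexts

def relational_property(context):
    """Render a context as an ACSL-style @relational annotation (results become \\callresult(idN))."""
    _, _, pc, calls, inputs = context
    subst = {res: rf"\callresult(id{i})" for i, (_, _, res) in enumerate(calls, 1)}
    def rename(text):
        for sym, rep in subst.items():
            text = re.sub(rf"\b{sym}\b", lambda m, r=rep: r, text)
        return text
    callset = ", ".join(rf"\call({n}, {rename(a)}, id{i})" for i, (n, a, _) in enumerate(calls, 1))
    conds = [rename(c) for c in pc] or [r"\true"]
    chain = " ==> ".join([f"({c})" for c in conds[:-1]] + [conds[-1]])
    quant = rf"\forall int {', '.join(inputs)}; " if inputs else ""
    return rf"{quant}\callset({callset}) ==> ({chain})"
```

With a bound of three steps, the path s0 → s1 → s2 → s0 yields the same call stack and path condition as η4 on the slide, and the rendered annotation nests the guards as an implication chain in the same way.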
6LoWPAN case-study
Verify "firmware update" behavior of 6LoWPAN network software code
Which properties must be validated in the code for the "firmware update" behavior to be correct?
Modeling the "firmware update" behavior (high-level modeling)
- The first package contains metadata about Nbpackage and package size.
- Load the address into the flash memory (two partitions).
- Release of the flash memory area that will receive the firmware.
- Write each received package to flash memory.
- Integrity check.
- Send confirmation.
Interactions to state-machines in the textual xLIA language
UML sequence diagram model → model translation into xLIA
Configure tool for symbolic execution
- Configure our property inference module from the model.
- Input: the model.
- Select the behavior: all firmware update packages are received and successfully installed on the node.
- Specify the output file.
Performing symbolic execution
Launch inference from Diversity (Diversity execution console).
Visualizing the execution tree
Scenario: all firmware update packages are received and successfully installed on the node.
Relational properties inference
This is the low-level property corresponding to the selected firmware update scenario.
Property: does the functions' code allow the firmware update mechanism or not?
The property annotates the functions called within the firmware update scenario.
Code analysis with Frama-C using generated low-level requirements
Static code analysis with Frama-C: property proven.
Conclusion
Summary and future work
A model-based framework for static code analysis: bridge the gap between system model and code-level proof goal.
- UML architecture models and their interaction models
- Transformation of interaction models to symbolically executable xLIA textual state-machines
- Symbolic execution of state-machines to find paths covering correct behaviors
- Inference of relational properties in the code
Integrated Development Environment:
- Papyrus UML modeler
- Diversity symbolic execution engine
- Frama-C code analyzer
Future work: streamline integration with other elements of the VESSEDIA modeling framework and tools:
- State-machine models, embedded operation contracts in ACSL, embedded constraints in ACSL
- Existing C code and ACSL state property generators
Contact Details
CEA, Shuai Li, shuai.li@cea.fr
The projects CHARIOT & VESSEDIA have received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 780075 & No 731453.