Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie.

Slides:



Advertisements
Similar presentations
Certifying Auto-generated Flight Code Ewen Denney Robust Software Engineering NASA Ames Research Center California, USA.
Advertisements

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Model Checking C++ Daniel Kroening Daniel Kroening 2 Warning! No new research in this talk Talk is about doing existing stuff for.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Software Testing and Quality Assurance
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Design of a Certifiably Dependable Next- Generation Air Transportation System Stephen A. JacklinMichelle M. Eshow Michael R. LowryDave McNally Ewen Denny.
8/9/2005Kestrel Technology LLC Page 1 C Global Surveyor Arnaud Venet Kestrel Technology, LLC 3260 Hillview Avenue Palo Alto, CA 94304
Effective Methods for Software and Systems Integration
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Rahul Sharma (Stanford) Michael Bauer (NVIDIA Research) Alex Aiken (Stanford) Verification of Producer-Consumer Synchronization in GPU Programs June 15,
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
An Introduction to MBT  what, why and when 张 坚
Assurance techniques for code generators Ewen Denney USRA/RIACS, NASA Ames Bernd Fischer ECS, U Southampton.
Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,
Chapter 8 – Software Testing Lecture 1 1Chapter 8 Software testing The bearing of a child takes nine months, no matter how many women are assigned. Many.
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
2.2 Software Myths 2.2 Software Myths Myth 1. The cost of computers is lower than that of analog or electromechanical devices. –Hardware is cheap compared.
A Survey of Dynamic Techniques for Detecting Device Driver Errors Olatunji Ruwase LBA Reading Group 18 th May 2010.
Lifecycle Verification of the NASA Ames K9 Rover Executive Dimitra Giannakopoulou Mike Lowry Corina Păsăreanu Rich Washington.
1 New Development Techniques: New Challenges for Verification and Validation Mats Heimdahl Critical Systems Research Group Department of Computer Science.
1 Software Reliability Assurance for Real-time Systems Joel Henry, Ph.D. University of Montana NASA Software Assurance Symposium September 4, 2002.
Johnson Space Center SAS05_CodeSurfer_Infusion_JSC_Markovich S&MA Directorate Can CodeSurfer Increase Code Inspection Efficiency? A Research Infusion Project.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
Unit Testing 101 Black Box v. White Box. Definition of V&V Verification - is the product correct Validation - is it the correct product.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.
1 Optimizing compiler tools and building blocks project Alexander Drozdov, PhD Sergey Novikov, PhD.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
Software Testing and Quality Assurance Software Quality Assurance 1.
Page 1 5/2/2007  Kestrel Technology LLC A Tutorial on Abstract Interpretation as the Theoretical Foundation of CodeHawk  Arnaud Venet Kestrel Technology.
March 2004 At A Glance NASA’s GSFC GMSEC architecture provides a scalable, extensible ground and flight system approach for future missions. Benefits Simplifies.
The course. Description Computer systems programming using the C language – And possibly a little C++ Translation of C into assembly language Introduction.
Introduction to Program Analysis CS 8803 FPL Aug 20, 2013.
Towards a Compositional SPIN Corina Păsăreanu QSS, NASA Ames Research Center Dimitra Giannakopoulou RIACS/USRA, NASA Ames Research Center.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Chapter 8 Lecture 1 Software Testing. Program testing Testing is intended to show that a program does what it is intended to do and to discover program.
MK++ A High Assurance Operating System Kernel Shai Guday David Black.
High Confidence Software and Systems HCMDSS Workshop Brad Martin June 2, 2005.
Static WCET Analysis vs. Measurement: What is the Right Way to Assess Real-Time Task Timing? Worst Case Execution Time Prediction by Static Program Analysis.
Virtual Application Profiler (VAPP) Problem – Increasing hardware complexity – Programmers need to understand interactions between architecture and their.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
USING MODEL CHECKING TO DISCOVER AUTOMATION SURPRISES Java class User: - getExpectation() - checkExpectation() FAULTY EXECUTION start incrMCPAlt pullAltKnob.
Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
R-Verify: Deep Checking of Embedded Code James Ezick † Donald Nguyen † Richard Lethin † Rick Pancoast* (†) Reservoir Labs (*) Lockheed Martin The Eleventh.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
1 Program Analysis Too Loopy? Set the Loops Aside Eric Larson September 25, 2011 Seattle University.
Sabrina Wilkes-Morris CSCE 548 Student Presentation
Using Ada-C/C++ Changer as a Converter Automatically convert to C/C++ to reuse or redeploy your Ada code Eliminate the need for a costly and.
Lecture 1: Introduction to JAVA
Chapter 8 – Software Testing
Ik-Soon Kim December 18, 2010 Embedded Software Platform Team
runtime verification Brief Overview Grigore Rosu
Structural testing, Path Testing
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
QGen and TQL-1 Qualification
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
QGen and TQL Qualification
Foundations and Definitions
Chapter 7 Software Testing.
Presentation transcript:

Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie Mellon University NASA Ames Research Center

Roadmap Static analysis for flight-critical systems Challenges of sound static analysis IKOS: an open architecture for sound static analyzers Applications of IKOS

Roadmap Static analysis for flight-critical systems Challenges of sound static analysis IKOS: an open architecture for sound static analyzers Applications of IKOS

Static Analysis Code Static Analyzer Defects Certificates of Correctnes s Properties, Invariants Properties, Invariants

Flight-Critical Code Testing is insufficient – Impossible to explore all execution paths (A330 cockpit display shutdown after 96 hours of operation due to an arithmetic overflow) – Some errors may be hard to detect (memory corruption due to a buffer overflow) Static analysis brings a new level of assurance – Soundness is important

Soundness Unsound tools (Coverity, KlocWork, GrammaTech) – False negatives, false positives – Little parameterization required Sound tools (MathWorks PolySpace, ASTREE) – No false negatives: formal verification – False positives – Parameterization is key to low false positive rate: Bounds on inputs of the system Specialization of the analysis algorithms

Roadmap Static analysis for flight-critical systems Challenges of sound static analysis IKOS: an open architecture for sound static analyzers Applications of IKOS

The Specialization Conundrum MathWorks PolySpace Verifier: – General purpose tool for embedded C/C++ code – Applicable to codes under 100 KLOC in practice – Manual review of warnings may be effort-intensive ASTREE: – Scalable, yields zero or few warnings – Specialized for a restricted subset of C (single- threaded, no dynamic memory allocation, no complex pointer structure)

Building a Custom Static Analyzer C Global Surveyor (developed in the RSE group at NASA Ames Research Center) – Specialized for complex C code developed in the Mars Exploration Program (Mars Pathfinder, MER) – Analyzes the whole MER flight system (550+ KLOC) One-time exercise – Complete rewrite may be necessary when changing the target code and/or properties analyzed – Significant expertise required

What do we need? A static analysis tool with an open architecture – Access to the algorithms – Possibility of refining/specializing the way the tool operates A flexible API – We don’t want to rewrite the core analysis algorithms – But we want to be able to combine them in new ways for a particular application

Roadmap Static analysis for flight-critical systems Challenges of sound static analysis IKOS: an open architecture for sound static analyzers Applications of IKOS

IKOS: Flexible Static Analysis Design Inference Kernel for Open Static Analyzers – A development platform for building static analyzers – Library of C++ classes encapsulating high performance static analysis algorithms – A static analyzer is assembled from the building blocks provided by IKOS An effective buffer overflow analyzer for C programs can be written in a few hundred lines of C++ using IKOS

Flexible C/C++ Front-End The untold story of using static analysis tools – Getting the code to just parse is a daunting task – The front-end of most static analysis tools expects standard C/C++ code as an input, which is rarely the case for embedded software – Significant changes to the build/code may be required IKOS is based on the LLVM platform – The GCC compiler can compile just about any existing code with little or no change – GCC can generate LLVM assembly code

Static Analysis Design with IKOS GCC C/C++ Code C/C++ Code LLVM Analyzer Verifier Properties Verification Report Interval Domain Pointer Analysis Decision Procedure Fixpoint Iterator Octagon Domain …… IKOS

Example The analysis discovers program properties: – 0 ≤ i ≤ 7 –p points to fourth element of structure S void f(double *p, int n) { int i; for (i = 0; i < n; i++) { p[i] =...; }... f(&S[3], 8);...

Example The verification uses the properties discovered: – Array-bound compliance – Check that structure S has at least 11 elements void f(double *p, int n) { int i; for (i = 0; i < n; i++) { p[i] =...; }... f(&S[3], 8);... Access within bounds?

Specialization of the Analyzer Specialization consists of finding the right blend of algorithms – To compute strong enough properties for the verifier – And guarantee reasonable analysis times This is an intrinsically empirical process – IKOS allows the analysis designer to easily swap abstractions and decision procedures – IKOS helps streamline the design of specialized static analyzers

Roadmap Static analysis for flight-critical systems Challenges of sound static analysis IKOS: an open architecture for sound static analyzers Applications of IKOS

Verification of UAS Autopilots Certifying the flight software of unmanned aircrafts is critical for NextGen – Complex code bases – Variety of platforms and architectures – No standard development process like DO178 Static analysis can help – Formal verification provides high assurance – Cost-effective, works on the code “as is”

Experiments with IKOS Verification of array-bound compliance (NASA APG milestone) Benchmark of realistic UAS autopilots Juliet is a cyber-security benchmark from NIST and is listed here just to demonstrate the scalability of the analyzer

MATLAB/Simulink Autocode Auto-generated code from MATLAB/Simulink models is increasingly used in critical flight software Static analysis can provide formal guarantees that the autocode satisfies critical safety properties We are currently developing a specialized analyzer for this class of code using IKOS

Technical Infusion Ongoing activities to transfer the technology into NASA missions

Conclusion Static analysis is an important tool for the assurance of flight-critical software There is no silver bullet: static analyzers need to be specialized to be effective IKOS is a step toward streamlining the design of specialized high-performance static analyzers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.