© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren.

Presentation transcript:

© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren Cofer, Konrad Slind – Rockwell Collins Mike Whalen – University of Minnesota High Integrity Language Technology 20 October 2014

HACMS – Security of Cyber Physical Systems
Security vulnerabilities that can lead to safety hazards

Evidence in the model
How can we make high-level claims about correctness?
Combine heterogeneous evidence from multiple sources
– Galois: IVORY DSL
– NICTA: seL4 Microkernel
– Boeing: Internal Processes and Best Practices

Assurance Cases
A reasoned and compelling argument, supported by a body of evidence, that a system, service or organization will operate as intended for a defined application in a defined environment
– GSN community standard V1
A graphical representation of an argument supported by evidence
May address different system aspects
– Safety
– Security
– Correctness

Assurance Cases
Goal Structuring Notation (GSN) is used in several tools
– Goals: claims about the system
– Strategy: argues why a goal is true
– Assumptions
– Solution: leaf level evidence

Assurance Cases
Positives
– Informal
– Can include many different sources of evidence
– Understandable by domain experts
– Captures structure of argument
Negatives
– Informal
– Not strongly tied to the system design
– Semantics are loose (English is ambiguous)

Assurance Cases
Negatives
– Informal
– Not strongly tied to the system design
– Semantics are loose (English is ambiguous)
Resolute: An Assurance Case Language for Architecture Models
– Use a logic to generate an assurance case
– Make the structure of the system architecture dictate the structure of the assurance case
– Use an architectural design language with defined semantics (AADL)

Resolute Language
Claims and rules for satisfying those claims
Rules and claims parameterized by AADL types
Assurance cases instantiated with elements from AADL model

    memory_protected(p : process) <=
      ** "The memory of process " p " is protected from alterations by other processes" **
      property(p, SMACCM::OS) = "SeL4" or
      (property(p, SMACCM::OS) = "eChronos" and
       forall (mem : memory). bound(p, mem) =>
         forall (q : process). bound(q, mem) => memory_safe_process(q))

Resolute Logic
Rules are sufficient but not complete
– No closed world assumption (similar to other logic programming languages)
This means a claim can never be used in a negative context
– “The absence of evidence is not evidence of absence”
Resolute supports computations which can be used in a negative context

Tool Environment
Implemented as an annex in AADL
Uses Xtext to work fluidly in OSATE

    process implementation Main_Loop.Impl
      subcomponents
        SS: thread Sensors;
        CCT: thread Command_Control_Telemetry;
        RC: thread Radio_Control;
        SN: thread Stability_Navigation;
        MC: thread Motor_Control;
        DC: thread Decrypt;
      annex resolute {**
        prove only_receive_gs(this.MC)
        prove schedulable(this)
      **};
    end Main_Loop.Impl;

    memory_protected(p : process) <=
      ** "The memory of process " p " is protected from alterations by other processes" **
      property(p, SMACCM::OS) = "SeL4" or
      (property(p, SMACCM::OS) = "eChronos" and
       forall (mem : memory). bound(p, mem) =>
         forall (q : process). bound(q, mem) => memory_safe_process(q))

    memory_safe_process(p : process) <=
      ** "The process " p " only writes to its own memory space" **
      forall (t : thread). contained(t, p) => memory_safe_thread(t)

    memory_safe_thread(t : thread) <=
      ** "The thread " t " only writes to its own memory space" **
      ivory_thread(t)

    ivory_thread(t : thread) <=
      ** "The thread " t " is generated from Ivory" **
      property(t, SMACCM::Language) = "Ivory"

Process “System.Proc1” protected from other processes
    Process “System.Proc1” Writes to own memory
        “System.Proc1.Thread1” Writes to own memory
            “System.Proc1.Thread1” Written in Ivory
        “System.Proc1.Thread2” Writes to own memory
            “System.Proc1.Thread2” Written in Ivory
    Process “System.Proc2” Writes to own memory
        “System.Proc2.Thread3” Writes to own memory
            “System.Proc2.Thread3” Written in Ivory

Failed Assurance Cases
Unlike traditional assurance cases, Resolute can produce a failed assurance case
– Claims that are false are shown in red so the assurance case can be debugged
Failures may occur if the architecture changes, or if external analysis fails
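The four memory-safety rules from the slides, evaluated over a small model to produce both a successful and a failed assurance case. This is an added Python illustration, not Resolute or code from the presentation; the dictionary model, the shared memory name "RAM" and the helper names `make_model`, `render` and `failed_leaves` are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Claim:
    text: str
    proved: bool  # False means "no evidence found", not "proved false"
    children: list = field(default_factory=list)

def make_model(thread3_language="Ivory", proc1_os="eChronos"):
    """Constructed stand-in for an AADL instance model (sample data)."""
    return {
        "os": {"System.Proc1": proc1_os, "System.Proc2": "eChronos"},
        "bound": {"System.Proc1": {"RAM"}, "System.Proc2": {"RAM"}},
        "threads": {
            "System.Proc1": ["System.Proc1.Thread1", "System.Proc1.Thread2"],
            "System.Proc2": ["System.Proc2.Thread3"],
        },
        "language": {
            "System.Proc1.Thread1": "Ivory",
            "System.Proc1.Thread2": "Ivory",
            "System.Proc2.Thread3": thread3_language,
        },
    }

def ivory_thread(m, t):
    # Leaf evidence: the Language property of the thread.
    return Claim(f"The thread {t} is generated from Ivory",
                 m["language"].get(t) == "Ivory")

def memory_safe_thread(m, t):
    sub = ivory_thread(m, t)
    return Claim(f"The thread {t} only writes to its own memory space",
                 sub.proved, [sub])

def memory_safe_process(m, p):
    # forall (t : thread). contained(t, p) => memory_safe_thread(t)
    subs = [memory_safe_thread(m, t) for t in m["threads"][p]]
    return Claim(f"The process {p} only writes to its own memory space",
                 all(s.proved for s in subs), subs)

def memory_protected(m, p):
    text = (f"The memory of process {p} is protected from "
            "alterations by other processes")
    if m["os"].get(p) == "SeL4":
        return Claim(text, True)   # first disjunct: no sub-claims needed
    if m["os"].get(p) != "eChronos":
        return Claim(text, False)  # neither disjunct applies
    # Every process bound to a memory that p is bound to must be memory safe.
    sharing = [q for q in m["os"] if m["bound"][q] & m["bound"][p]]
    subs = [memory_safe_process(m, q) for q in sharing]
    return Claim(text, all(s.proved for s in subs), subs)

def render(claim, depth=0):
    """Indented assurance case, one line per claim, marked ok or FAILED."""
    mark = "ok" if claim.proved else "FAILED"
    lines = [f"{'  ' * depth}[{mark}] {claim.text}"]
    for child in claim.children:
        lines += render(child, depth + 1)
    return lines

def failed_leaves(claim):
    """Leaf claims without evidence: where to start debugging a failed case."""
    if claim.proved:
        return []
    if not claim.children:
        return [claim.text]
    return [t for c in claim.children for t in failed_leaves(c)]

if __name__ == "__main__":
    for model in (make_model(), make_model(thread3_language="C")):
        print("\n".join(render(memory_protected(model, "System.Proc1"))), "\n")
```

Changing one thread's Language property makes the root claim for System.Proc1 fail even though Proc1's own threads are unchanged, because Proc2 is bound to the same memory.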

Analysis Results
Failed assurance case
Successful assurance case

Research Vehicle Architecture

AADL model

Properties from SMACCM Project
[Diagram labels: Wireless network, User, Ground Station, Attacker, Unknown credentials, command, Key, Encrypt, Decrypt, Comm, Validate, Control Laws, Actuator, Vehicle, Mission computer, Flight computer, Internal bus]
The motor controller only receives messages from the trusted ground station.
All messages received by the radio reach the motor controller.
All connections are accurate/non-bypassable.
Requires memory-safety

Secure Delivery
UAV motors only execute commands from the ground station
– Proper use of encryption
– Threads before authentication
– Classification of inputs

Memory Safety
– Thread only writes to its own memory space
– Thread local state protected by RTOS
Requires guarantees from eChronos RTOS and Ivory-Tower component generation

Future Work
Integration with other assurance case tools
– We currently support CertWare
Support for other GSN types
Integration with other AADL analyses
– Internal: Schedulability, Fault Analysis
– External: HOL, SMT Solvers
Support for other AADL semantics

Common tools: Formal Methods Workbench
[Diagram labels: Trusted Build, Architecture Translation, seL4, eChronos, Architecture Analysis, Architecture Models, OSATE, Resolute (Assurance Case), AGREE (Behavioral Analysis), Lute (Structural Analysis), Kind/JKind, components A, B, C]
Contracts shown in the diagram:
– Assumption: Input < 20; Guarantee: Output < 2*Input
– Assumption: Input < 20; Guarantee: Output < Input + 15
– Assumption: none; Guarantee: Output = Input1 + Input2
– Assumption: Input < 10; Guarantee: Output < 50

Comments/Questions?