the q compiler - for verifying high-consequence controlsย ยท thearrows:simulaonrelaons definion...
TRANSCRIPT
![Page 1: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/1.jpg)
The Q Compiler
for Verifying High-Consequence Controls
Jon Aytac
6/27/18
Sandia Na onal Laboratories is a mul mission laboratory managed and operated by Na onal Technology & Engineering Solu ons of Sandia, LLC, a wholly owned subsidiary ofHoneywell Interna onal Inc., for the U.S. Department of Energy's Na onal Nuclear Security Administra on under contract DE-NA0003525. SAND NO. TBD
![Page 2: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/2.jpg)
Mo va on
Suppose you believe that
Designs of High Consequence Systems should come with formal
proofs of safety and reliability
Or, at least, Designers of High Consequence Systems should be
able to check whether their designs sa sfy some safety and
reliability proper es
So you give a presenta on to decision makers advoca ng the
adop on of formal methodologies
They donโt have me to read everything, but they like to stay
abreast of whatโs going on in the literature...
6/27/18 2
![Page 3: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/3.jpg)
Mo va on
Suppose you believe that
Designs of High Consequence Systems should come with formal
proofs of safety and reliability
Or, at least, Designers of High Consequence Systems should be
able to check whether their designs sa sfy some safety and
reliability proper es
So you give a presenta on to decision makers advoca ng the
adop on of formal methodologies
They donโt have me to read everything, but they like to stay
abreast of whatโs going on in the literature...
6/27/18 2
![Page 4: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/4.jpg)
Mo va on
Suppose you believe that
Designs of High Consequence Systems should come with formal
proofs of safety and reliability
Or, at least, Designers of High Consequence Systems should be
able to check whether their designs sa sfy some safety and
reliability proper es
So you give a presenta on to decision makers advoca ng the
adop on of formal methodologies
They donโt have me to read everything, but they like to stay
abreast of whatโs going on in the literature...
6/27/18 2
![Page 5: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/5.jpg)
Mo va on
Suppose you believe that
Designs of High Consequence Systems should come with formal
proofs of safety and reliability
Or, at least, Designers of High Consequence Systems should be
able to check whether their designs sa sfy some safety and
reliability proper es
So you give a presenta on to decision makers advoca ng the
adop on of formal methodologies
They donโt have me to read everything, but they like to stay
abreast of whatโs going on in the literature...
6/27/18 2
![Page 6: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/6.jpg)
Disaster!
and they show you this paper of Vanhoef and Piessens in 2017
which describes security vulnerabili es in a protocol proven secure in
this paper of He et al in 2005
A Modular Correctness Proof of IEEE 802.11i and TLS
Changhua He, Mukund Sundararajan, Anupam Datta, Ante Derek, John C. MitchellElectrical Engineering and Computer Science Departments,
Stanford University, Stanford, CA 94305-9045
ABSTRACTThe IEEE 802.11i wireless networking protocol provides mu-tual authentication between a network access point and userdevices prior to user connectivity. The protocol consists ofseveral parts, including an 802.1X authentication phase us-ing TLS over EAP, the 4-Way Handshake to establish afresh session key, and an optional Group Key Handshakefor group communications. Motivated by previous vulnera-bilities in related wireless protocols and changes in 802.11ito provide better security, we carry out a formal proof ofcorrectness using a Protocol Composition Logic previouslyused for other protocols. The proof is modular, comprisinga separate proof for each protocol section and providing in-sight into the networking environment in which each sectioncan be reliably used. Further, the proof holds for a varietyof failure recovery strategies and other implementation andconfiguration options. Since SSL/TLS is widely used apartfrom 802.11i, the security proof for SSL/TLS has indepen-dent interest.
Categories and Subject Descriptors: C.2.2 [Computer-Communication Networks]: Network Protocols
General Terms: Security
Keywords: IEEE802.11i, TLS, Protocol Composition Logic
1. INTRODUCTIONSecurity is an obvious concern in many wireless networks,
because intruders can potentially access a network withoutphysically entering the buildings in which it is used. Whileintended to provide security, the Wired Equivalent Privacy(WEP) [1] protocol lacks good key management and suffersfrom significant cryptographic problems [7], to the extentthat FBI agents have publicly demonstrated that they canbreak a 128-bit WEP key in about three minutes [9]. Forthese reasons, the IEEE Task Group i has developed the802.11i Standard [2], ratified in June 2004, to provide con-fidentiality, integrity, and mutual authentication. 802.11iprovides authentication protocols, key management proto-
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.CCSโ05, November 7โ11, 2005, Alexandria, Virginia, USA.Copyright 2005 ACM 1-59593-226-7/05/0011 ...$5.00.
cols, and data confidentiality protocols that may executeconcurrently over a network in which other protocols arealso used.
In this paper, we present a formal correctness proof of the802.11i protocols using Protocol Composition Logic (PCL) [17,18, 11, 14, 12, 13, 25]. In previous work, PCL has beenproved sound for protocol runs that use any number of prin-cipals and sessions, over both symbolic models and (for asubset of the logic at present) over more traditional cryp-tographic assumptions [10], which implies security for anunbounded number of participants and sessions. Therefore,while there are previous studies [20, 21] using finite-stateanalysis to find errors in 802.11i with bounded configura-tions, we believe that this is the first complete proof of802.11i for an unbounded number of participants and ses-sions. Furthermore, the formal proof for the TLS protocolhas independent interest since TLS is widely used indepen-dent of 802.11i (e.g. [3]).
Our proof consists of separate proofs of specific securityproperties for 802.11i components - the TLS authenticationphase, the 4-Way Handshake protocol and the Group KeyHandshake protocol. Using a new form of PCL compositionprinciple, formulated as staged composition in this paper,we combine the component proofs to show that any stageduse of the protocol components achieves the stated securitygoals. It follows that the components compose securely fora range of failure recovery control flows, including the im-provements proposed in [21]. The general result also provessecurity for other configurations presented in the 802.11iStandards document, including the use of a Pre-Shared Key(PSK) or cached Pair-wise Master Key (PMK). In additionto devising a new composition principle for PCL, we alsoextend the logic to handle local memory associated withreusing generated nonces. The memory feature is needed toprove correctness of an unusual feature of the improved 4-Way Handshake protocol [21] that involves reusing a nonceto avoid a Denial of Service (DoS) attack.
An advantage of PCL is that each proof component identi-fies not only the local reasoning that guarantees the securitygoal of that component, but also the environmental condi-tions that are needed to avoid destructive interference fromother protocols that may use the same certificates or keymaterials. These environment assumptions are then provedfor the steps that require them, giving us an invariant thatis respected by the protocol. In formulating the proof, weidentify the precise conditions that will allow other protocolsto be executed in the same environment without interferingwith 802.11i. Moreover, our proof provides certain insights
6/27/18 3
![Page 7: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/7.jpg)
Disaster!
He et al Proved Security Proper es for a Composi on of Protocols ...
A Modular Correctness Proof of IEEE 802.11i and TLS
Changhua He, Mukund Sundararajan, Anupam Datta, Ante Derek, John C. MitchellElectrical Engineering and Computer Science Departments,
Stanford University, Stanford, CA 94305-9045
ABSTRACTThe IEEE 802.11i wireless networking protocol provides mu-tual authentication between a network access point and userdevices prior to user connectivity. The protocol consists ofseveral parts, including an 802.1X authentication phase us-ing TLS over EAP, the 4-Way Handshake to establish afresh session key, and an optional Group Key Handshakefor group communications. Motivated by previous vulnera-bilities in related wireless protocols and changes in 802.11ito provide better security, we carry out a formal proof ofcorrectness using a Protocol Composition Logic previouslyused for other protocols. The proof is modular, comprisinga separate proof for each protocol section and providing in-sight into the networking environment in which each sectioncan be reliably used. Further, the proof holds for a varietyof failure recovery strategies and other implementation andconfiguration options. Since SSL/TLS is widely used apartfrom 802.11i, the security proof for SSL/TLS has indepen-dent interest.
Categories and Subject Descriptors: C.2.2 [Computer-Communication Networks]: Network Protocols
General Terms: Security
Keywords: IEEE802.11i, TLS, Protocol Composition Logic
1. INTRODUCTIONSecurity is an obvious concern in many wireless networks,
because intruders can potentially access a network withoutphysically entering the buildings in which it is used. Whileintended to provide security, the Wired Equivalent Privacy(WEP) [1] protocol lacks good key management and suffersfrom significant cryptographic problems [7], to the extentthat FBI agents have publicly demonstrated that they canbreak a 128-bit WEP key in about three minutes [9]. Forthese reasons, the IEEE Task Group i has developed the802.11i Standard [2], ratified in June 2004, to provide con-fidentiality, integrity, and mutual authentication. 802.11iprovides authentication protocols, key management proto-
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.CCSโ05, November 7โ11, 2005, Alexandria, Virginia, USA.Copyright 2005 ACM 1-59593-226-7/05/0011 ...$5.00.
cols, and data confidentiality protocols that may executeconcurrently over a network in which other protocols arealso used.
In this paper, we present a formal correctness proof of the802.11i protocols using Protocol Composition Logic (PCL) [17,18, 11, 14, 12, 13, 25]. In previous work, PCL has beenproved sound for protocol runs that use any number of prin-cipals and sessions, over both symbolic models and (for asubset of the logic at present) over more traditional cryp-tographic assumptions [10], which implies security for anunbounded number of participants and sessions. Therefore,while there are previous studies [20, 21] using finite-stateanalysis to find errors in 802.11i with bounded configura-tions, we believe that this is the first complete proof of802.11i for an unbounded number of participants and ses-sions. Furthermore, the formal proof for the TLS protocolhas independent interest since TLS is widely used indepen-dent of 802.11i (e.g. [3]).
Our proof consists of separate proofs of specific securityproperties for 802.11i components - the TLS authenticationphase, the 4-Way Handshake protocol and the Group KeyHandshake protocol. Using a new form of PCL compositionprinciple, formulated as staged composition in this paper,we combine the component proofs to show that any stageduse of the protocol components achieves the stated securitygoals. It follows that the components compose securely fora range of failure recovery control flows, including the im-provements proposed in [21]. The general result also provessecurity for other configurations presented in the 802.11iStandards document, including the use of a Pre-Shared Key(PSK) or cached Pair-wise Master Key (PMK). In additionto devising a new composition principle for PCL, we alsoextend the logic to handle local memory associated withreusing generated nonces. The memory feature is needed toprove correctness of an unusual feature of the improved 4-Way Handshake protocol [21] that involves reusing a nonceto avoid a Denial of Service (DoS) attack.
An advantage of PCL is that each proof component identi-fies not only the local reasoning that guarantees the securitygoal of that component, but also the environmental condi-tions that are needed to avoid destructive interference fromother protocols that may use the same certificates or keymaterials. These environment assumptions are then provedfor the steps that require them, giving us an invariant thatis respected by the protocol. In formulating the proof, weidentify the precise conditions that will allow other protocolsto be executed in the same environment without interferingwith 802.11i. Moreover, our proof provides certain insights
He et al
6/27/18 4
![Page 8: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/8.jpg)
Disaster!
... The A ack didnโt Violate Those Proper es ...
Vanhoef and Piessens
6/27/18 5
![Page 9: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/9.jpg)
Disaster!
... The Crucial Proper es Were Temporal...
Vanhoef and Piessens
6/27/18 6
![Page 10: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/10.jpg)
Disaster
... and the 802.11i amendment didnโt specify the protocols in such a
way that ques ons about temporal proper es could even be posed ...
Vanhoef and Piessens
6/27/18 7
![Page 11: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/11.jpg)
... Worse yet, the Map isnโt the Territory
Vanhoef and Piessens
6/27/18 8
![Page 12: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/12.jpg)
... Vanhoef and Piessens Proved CounterMeasure
Correctness in NuSMV...
Vanhoef and Piessens
6/27/18 9
![Page 13: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/13.jpg)
Jedi Mind Trick
So then the decision makers say
We need a language for the specifica on of temporal behavior,
preferably one designers would actually use
We need to compile these descrip ons into languages suitable
for proving (e.g. Why3) and checking (e.g. NuSMV) temporal
proper es about composi ons of specifica ons
For scalabilityโs sake, the compiler should allow composi onal
reasoning about systems
We need to prove those proper es descend to implementa ons
6/27/18 10
![Page 14: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/14.jpg)
Jedi Mind Trick
So then the decision makers say
We need a language for the specifica on of temporal behavior,
preferably one designers would actually use
We need to compile these descrip ons into languages suitable
for proving (e.g. Why3) and checking (e.g. NuSMV) temporal
proper es about composi ons of specifica ons
For scalabilityโs sake, the compiler should allow composi onal
reasoning about systems
We need to prove those proper es descend to implementa ons
6/27/18 10
![Page 15: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/15.jpg)
Jedi Mind Trick
So then the decision makers say
We need a language for the specifica on of temporal behavior,
preferably one designers would actually use
We need to compile these descrip ons into languages suitable
for proving (e.g. Why3) and checking (e.g. NuSMV) temporal
proper es about composi ons of specifica ons
For scalabilityโs sake, the compiler should allow composi onal
reasoning about systems
We need to prove those proper es descend to implementa ons
6/27/18 10
![Page 16: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/16.jpg)
Jedi Mind Trick
So then the decision makers say
We need a language for the specifica on of temporal behavior,
preferably one designers would actually use
We need to compile these descrip ons into languages suitable
for proving (e.g. Why3) and checking (e.g. NuSMV) temporal
proper es about composi ons of specifica ons
For scalabilityโs sake, the compiler should allow composi onal
reasoning about systems
We need to prove those proper es descend to implementa ons
6/27/18 10
![Page 17: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/17.jpg)
Jedi Mind Trick
So then the decision makers say
We need a language for the specifica on of temporal behavior,
preferably one designers would actually use
We need to compile these descrip ons into languages suitable
for proving (e.g. Why3) and checking (e.g. NuSMV) temporal
proper es about composi ons of specifica ons
For scalabilityโs sake, the compiler should allow composi onal
reasoning about systems
We need to prove those proper es descend to implementa ons
6/27/18 10
![Page 18: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/18.jpg)
What a Coincidence
At this point, you say, we just so happen to have already wri en a
tool, the ๐ compiler, to do just that!
6/27/18 11
![Page 19: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/19.jpg)
Q Compiler
Designers draw statechart-like diagrams in their specifica ons, so ๐captures these in a statechart-like formal language
and compiles them into a mul tude of languages. We focus here on
how ๐ compiles into ACSL and SMV to enable a workflow with
FramaC and NuSMV.
6/27/18 12
![Page 20: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/20.jpg)
WorkFlow: Boxes and Arrows
Controller Specification
Controller Volatile Environment
Input
Output
C ImplementationController || Volatile
Environment
qqParallel CompositionRefinement by Construction
qqFrama-CProves Refinement
Component
System Implementation
Controller
Input
OutputCParallel Composition
Refinement by Construction
Parallel Composition
Controller Specification
Component Specification
The designer writes abstract spec-
ifica ons for the controller and
the component in a Statechart-like
language, along with system level
proper es about their composi on
6/27/18 13
![Page 21: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/21.jpg)
WorkFlow: Boxes and Arrows
Component
System Implementation
Controller
Input
Output
Parallel Composition
Controller Specification
Component Specification Prop( Controller
SpecificationComponent Specification )
๐ then generates an LTL model of the composi on of abstract
specifica ons along with the system level proper es. These
proper es may now be checked with model checking tools like
NuSMV
6/27/18 14
![Page 22: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/22.jpg)
WorkFlow: Boxes and Arrows
Controller Specification
Controller Volatile Environment
Input
Output
C ImplementationController || Volatile
Environment
qqParallel CompositionRefinement by Construction
qqFrama-CProves Refinement
Component
System Implementation
Controller
Input
OutputCParallel Composition
Refinement by Construction
Parallel Composition
Controller Specification
Component Specification
The Engineers then implement the
controller in C
6/27/18 15
![Page 23: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/23.jpg)
WorkFlow: Boxes and Arrows
Controller Specification
Controller Volatile Environment
Input
Output
C ImplementationController || Volatile
Environment
qqParallel CompositionRefinement by Construction
qqFrama-CProves Refinement
Component
System Implementation
Controller
Input
OutputCParallel Composition
Refinement by Construction
Parallel Composition
Controller Specification
Component Specification
The Engineers need to present
some kind of evidence that the
specified system abstracts the sys-
tem implementa on
6/27/18 16
![Page 24: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/24.jpg)
WorkFlow: Boxes and Arrows
Component
System Implementation
Controller
Input
Output
Parallel Composition
Controller Specification
Component Specification Prop( Controller
SpecificationComponent Specification )
Prop( Component
System Implementation
Controller
Input
Output
)
Wea
k si
mul
atio
n
In par cular, the evidence of ab-
strac on must be sufficient for
proofs of proper es about the ab-
stract system to imply proofs of
those proper es about the system
implementa on
6/27/18 17
![Page 25: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/25.jpg)
WorkFlow: Boxes and Arrows
Component
System Implementation
Controller
Input
Output
Parallel Composition
Controller Specification
Component Specification Propsafety( Controller
SpecificationComponent Specification )
Propsafety( Component
System Implementation
Controller
Input
Output
)
Wea
k si
mul
atio
n
In our context, we are allowed to
focus on stu ering invariant safety
proper es
6/27/18 18
![Page 26: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/26.jpg)
WorkFlow: Boxes and Arrows
Component
System Implementation
Controller
Input
Output
Parallel Composition
Controller Specification
Component Specification Propsafety( Controller
SpecificationComponent Specification )
Propsafety( Component
System Implementation
Controller
Input
Output
)
Wea
k si
mu
lati
on
The engineer must therefore
present evidence that the com-
posi on of specifica ons weakly
simulates the composi on of
implementa ons
6/27/18 19
![Page 27: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/27.jpg)
WorkFlow: Boxes and Arrows
Component
System Implementation
Controller
Input
Output
Parallel Composition
Controller Specification
Component Specification Propsafety( Controller
SpecificationComponent Specification )
Propsafety( Component
System Implementation
Controller
Input
Output
)
Wea
k sim
ulat
ion
Only Frama-C meets our require-
ments for reasoning about C pro-
grams, but Frama-C analyzes se-
quen al programs. Fortunately,
our C program interacts with com-
ponents through memory mapped
I/O
6/27/18 20
![Page 28: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/28.jpg)
WorkFlow: Boxes and Arrows
AbstractionBy
precongruence
Controller Specification
Controller Volatile Environment
Input
Output
C ImplementationController || Volatile
Environment
qqParallel CompositionAbstraction by precongruence
qqFrama-CProves Abstraction
Component
System Implementation
Controller
Input
OutputCParallel Composition
Abstraction by precongruence
Parallel Composition
Controller Specification
Component Specification
Volatilecomponent So we ask the engineer to present
evidence from which ๐ can con-
struct , in ACSL, a proof obliga-
on that the composi on of the ab-
stract controller specifica on with
a vola le environment weakly sim-
ulates the composi on of the im-
plementa on with a vola le envi-
ronment
6/27/18 21
![Page 29: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/29.jpg)
Workflow: Boxes and Arrows
The proof of this yellow, weak simula on arrow is discharged by
Frama-Cโs Weakest Precondi on plugin. The trick is to obtain the
blue arrows by construc on. Then proof of the yellow arrow gives us
our goal, the right column, for free
Controller Specification
Controller Volatile Environment
Input
Output
C ImplementationController || Volatile
Environment
Component
System Implementation
Controller
Input
Output
Parallel Composition
Controller Specification
Component Specification
Volatilecomponent
6/27/18 22
![Page 30: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/30.jpg)
The Boxes are StateChart-like
The designer writes in a Statechart-like language, by which we mean
a specifica on language for reac ve programs,induc vely defined
through hierarchic and parallel composi on of transi on systems.
6/27/18 23
![Page 31: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/31.jpg)
The Boxes: LTS
A labelled transi on system ๐ โถ LTS is a tuple (๐๐, ๐๐,โ
โ๐, ๐0), with๐๐ the set of states, ๐๐ an alphabet, the transi on rela on
โ โ๐โถ ๐๐ โ ๐ซ(๐๐ ร ๐๐) a map from alphabet to rela ons on states,
and ๐0 a set of ini al states
6/27/18 24
![Page 32: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/32.jpg)
The Boxes: C Programs as LTS
Example
a program point and an execu on environment (which maps
variables to values) together cons tute the program state of a C
program.
The program is given by the data of a map from program points
to commands
Given a program state, the evalua on of the command found at
that program stateโs program point defines a transi on to new
program state.
The label of that transi on is some predicate on the execu on
environment.
In this way, we can think about C programs as labelled transi on
systems.
6/27/18 25
![Page 33: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/33.jpg)
The Boxes: C Programs as LTS
Example
a program point and an execu on environment (which maps
variables to values) together cons tute the program state of a C
program.
The program is given by the data of a map from program points
to commands
Given a program state, the evalua on of the command found at
that program stateโs program point defines a transi on to new
program state.
The label of that transi on is some predicate on the execu on
environment.
In this way, we can think about C programs as labelled transi on
systems.
6/27/18 25
![Page 34: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/34.jpg)
The Boxes: C Programs as LTS
Example
a program point and an execu on environment (which maps
variables to values) together cons tute the program state of a C
program.
The program is given by the data of a map from program points
to commands
Given a program state, the evalua on of the command found at
that program stateโs program point defines a transi on to new
program state.
The label of that transi on is some predicate on the execu on
environment.
In this way, we can think about C programs as labelled transi on
systems.
6/27/18 25
![Page 35: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/35.jpg)
The Boxes: C Programs as LTS
Example
a program point and an execu on environment (which maps
variables to values) together cons tute the program state of a C
program.
The program is given by the data of a map from program points
to commands
Given a program state, the evalua on of the command found at
that program stateโs program point defines a transi on to new
program state.
The label of that transi on is some predicate on the execu on
environment.
In this way, we can think about C programs as labelled transi on
systems.
6/27/18 25
![Page 36: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/36.jpg)
The Boxes: C Programs as LTS
Example
a program point and an execu on environment (which maps
variables to values) together cons tute the program state of a C
program.
The program is given by the data of a map from program points
to commands
Given a program state, the evalua on of the command found at
that program stateโs program point defines a transi on to new
program state.
The label of that transi on is some predicate on the execu on
environment.
In this way, we can think about C programs as labelled transi on
systems.6/27/18 25
![Page 37: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/37.jpg)
The Arrows: Simula on Rela ons
Defini on
For any ๐ , ๐ โถ LTS with ๐๐ = ๐๐, a rela on ๐ โ ๐๐ ร ๐๐ is a
simula on rela on if and only if โ(๐, ๐) โ ๐ , ๐ผ โ ๐๐, ๐โฒ โ ๐๐
๐๐ผ
โ๐ ๐โฒ โ โ๐โฒ โ ๐๐ โถ (๐๐ผ
โ๐ ๐โฒ โง (๐โฒ, ๐โฒ) โ ๐ )
๐ simulates ๐, wri en ๐ โชฏ ๐ or ๐ โ ๐, if ๐0 โ ๐ โ1(๐0).
The rela on ๐ is said to be a witness for ๐ โชฏ ๐, and ๐ is said
to be an abstrac on of ๐. When the witness is a func on, the
simula on rela on is said to be a refinement.
6/27/18 26
![Page 38: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/38.jpg)
The Arrows: Simula on Rela ons
Defini on
For any ๐ , ๐ โถ LTS with ๐๐ = ๐๐, a rela on ๐ โ ๐๐ ร ๐๐ is a
simula on rela on if and only if โ(๐, ๐) โ ๐ , ๐ผ โ ๐๐, ๐โฒ โ ๐๐
๐๐ผ
โ๐ ๐โฒ โ โ๐โฒ โ ๐๐ โถ (๐๐ผ
โ๐ ๐โฒ โง (๐โฒ, ๐โฒ) โ ๐ )
๐ simulates ๐, wri en ๐ โชฏ ๐ or ๐ โ ๐, if ๐0 โ ๐ โ1(๐0).The rela on ๐ is said to be a witness for ๐ โชฏ ๐, and ๐ is said
to be an abstrac on of ๐. When the witness is a func on, the
simula on rela on is said to be a refinement.
6/27/18 26
![Page 39: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/39.jpg)
The Arrows: Simula on Rela ons
Proposi on
This preorder is sound in that ๐ โชฏ ๐ โ trace(๐ ) โ trace(๐). So, if๐ โชฏ ๐, then for any โ๐ โถ Prop(๐) temporal property on ๐ and
โ๐ โถ Prop(๐ ) the corresponding temporal property on ๐, โ๐ โ โ๐.
6/27/18 27
![Page 40: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/40.jpg)
An Example
Example
Here, ๐1 โชฏ ๐1
๐1
_
p10
p11
a
๐1
_
q10
q11
b
q12
a
6/27/18 28
![Page 41: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/41.jpg)
Memory Mapped I/O, Vola le Variables and the Terminal
Abstrac on
Defini on
The terminal abstrac on over the alphabet ๐ is the labeled transi on
system 1๐0= (โ, ๐, โ1๐
, โ) with โ๐ผ โ ๐. โ๐โถ ๐ผ โ โ ร โ.
Proposi on
The terminal abstrac on over a given alphabet abstracts any
machine of the same alphabet โ๐ = (๐๐, ๐๐,โ
โ๐, ๐0) , ๐ โชฏ 1๐๐
6/27/18 29
![Page 42: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/42.jpg)
Memory Mapped I/O, Vola le Variables and the Terminal
Abstrac on
Defini on
The terminal abstrac on over the alphabet ๐ is the labeled transi on
system 1๐0= (โ, ๐, โ1๐
, โ) with โ๐ผ โ ๐. โ๐โถ ๐ผ โ โ ร โ.
Proposi on
The terminal abstrac on over a given alphabet abstracts any
machine of the same alphabet โ๐ = (๐๐, ๐๐,โ
โ๐, ๐0) , ๐ โชฏ 1๐๐
6/27/18 29
![Page 43: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/43.jpg)
Memory Mapped I/O and the Terminal Abstrac on
Example
Let โvola le uint8_t โI;โ a declara on of a reference to a vola le
variable of type uint8_t. Then,
๐๐ผ = {(โ๐ผ == 0), โฏ , (โ๐ผ == 255)}, and the presence of a vola le
variable in a ๐ถ program is an asynchronous parallel composi on with
1๐๐ผ, which weโll write as, ๐ถโ๐1๐๐ผ
6/27/18 30
![Page 44: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/44.jpg)
Proving Spec Simulates Implementa on
So we will use the Q compiler and FramaC to prove
Input==a
Input==c
Input==b
Input==bSA
SB
SCAbstract Controller
ControllerVolatile Environment
Input
Output
C ImplementationController || Volatile
Environment
Input==b
Input==b
Input==c
compS1compS2
compS3Input==a
Parallel Composition
qqParallel CompositionqqFrama-C
ProvesWeak Simulation
Component
System Implementation
Controller
Input
OutputCParallel Composition
Input==a
Input==c
Input==b
Input==bSA
SB
SC
Abstract Controller Abstract Component
*
Inpu
t ==c Input == b
Input == a
a a
6/27/18 31
![Page 45: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/45.jpg)
Proving Spec Simulates Implementa on
So the designer gives a formal specifica on of their design in our
statechart-like language, e.g. the ABC example
๐ด๐
๏ฟฝ๏ฟฝ
๐
๏ฟฝ๏ฟฝ
๐ถ๐
GG
๐ต๐
WW
The implementer of the C program should give a witness that their
program is simulated by this abstract transi on system.
6/27/18 32
![Page 46: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/46.jpg)
Proving Spec Simulates Implementa on
A witness that ๐ simulates ๐ (๐ โชฏ ๐ or ๐ โ ๐) decomposes into a
rela on on labels ๐ ๐ and a rela on on the states ๐ ๐ฎ
๐๐
๐[๐ ๐]
๏ฟฝ๏ฟฝ
โ โ๐ // ๐ซ(๐๐ ร ๐๐)
๐[๐ ๐ฎ]
๏ฟฝ๏ฟฝ
๐๐
โ โ๐
// ๐ซ(๐๐ ร ๐๐)
such that ๐[๐ ๐]โโ
โ๐โโ
โ๐ โ๐[๐ ๐].
6/27/18 33
![Page 47: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/47.jpg)
Proving Spec Simulates Implementa on
For C programs thought of as LTS, the labels are expressions
over the execu on environment.
so ๐ ๐ may be given by a rela on on internal variables, a
rela on on values, and a rela on on inputs,
So the implementer proposes ๐ ๐ and ๐ ๐ฎ via a JSON file
described by the OCaml simMap type below
6/27/18 34
![Page 48: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/48.jpg)
Proving Spec Simulates Implementa on
For C programs thought of as LTS, the labels are expressions
over the execu on environment.
so ๐ ๐ may be given by a rela on on internal variables, a
rela on on values, and a rela on on inputs,
So the implementer proposes ๐ ๐ and ๐ ๐ฎ via a JSON file
described by the OCaml simMap type below
6/27/18 34
![Page 49: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/49.jpg)
Proving Spec Simulates Implementa on
For C programs thought of as LTS, the labels are expressions
over the execu on environment.
so ๐ ๐ may be given by a rela on on internal variables, a
rela on on values, and a rela on on inputs,
So the implementer proposes ๐ ๐ and ๐ ๐ฎ via a JSON file
described by the OCaml simMap type below
6/27/18 34
![Page 50: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/50.jpg)
Proving Spec Simulates Implementa on
๐ ๐ should be pairs of program states in the abstract and concrete
program. For our simple ABC example, the relevant execu on
context is held by a type
6/27/18 35
![Page 51: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/51.jpg)
Proving Spec Simulates Implementa on
In the ABC example, the par cular instance of the type carrying the
execu on environment part of the program state is declared in the C
as
so the implementer specifies this in the JSON as
6/27/18 36
![Page 52: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/52.jpg)
Proving Spec Simulates Implementa on
In the ABC example, the ini al and final program states in the
abstrac on correspond in the C program to the entry and exit
program points given the execu on environment
6/27/18 37
![Page 53: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/53.jpg)
Proving Spec Simulates Implementa on
So the implementer gives the rela on on states as
6/27/18 38
![Page 54: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/54.jpg)
Proving Spec Simulates Implementa on
there being, in this example, no internal variables, the map on
alphabets factors through a map on input variables
6/27/18 39
![Page 55: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/55.jpg)
Proving Spec Simulates Implementa on
and values
6/27/18 40
![Page 56: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/56.jpg)
Proving Spec Simulates Implementa on
Q then generates the ACSL annota ons posi ng the pre and post
condi ons from the specifica on and the simula on rela on. A short
clang program searches through the C implementa onโs code base
for the program points specified by the stateRel and annotates:
6/27/18 41
![Page 57: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/57.jpg)
Proving Spec Simulates Implementa on
The C program interacts with its environment through memory
mapped IO
6/27/18 42
![Page 58: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/58.jpg)
Proving Spec Simulates Implementa on
so the implementer must relate the interface to the environment in
the abstrac on to a memory mapped I/O interface in the
implementa on of a given type
6/27/18 43
![Page 59: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/59.jpg)
Proving Spec Simulates Implementa on
Q generates the ACSL describing the corresponding terminal
abstrac on 1๐๐๐๐๐ก๐, and a short clang program searches through the
codebase for the declara on of a vola le variable of that name and
that type
6/27/18 44
![Page 60: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/60.jpg)
Proving Spec Simulates Implementa on
and defines a collec on of ACSL predicates
6/27/18 45
![Page 61: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/61.jpg)
Using the Q Compiler to Prove Spec Simulates
Implementa on
which form clauses in the transi on rela on
6/27/18 46
![Page 62: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/62.jpg)
Using the Q Compiler to Prove Spec Simulates
Implementa on
in the ABC example, the transi on rela on in this design is
implemented as an actual func on on the execu n environment
and the implementer has related the abstract transi on func on to
this program point
6/27/18 47
![Page 63: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/63.jpg)
Using the Q Compiler to Prove Spec Simulates
Implementa on
For any envoca on of that func on found within a while loop, the
clang program annotates with the corresponding loop invariant
We then pose this invariant as a proof obliga on to FramaCโs WP
plugin.
6/27/18 48
![Page 64: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/64.jpg)
Proving LTL proper es about the Spec
The Q tool produces from the same abstrac on a descrip on of the
same transi on system as a collec on of LTL constraints, e.g. in
NuSMV
6/27/18 49
![Page 65: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/65.jpg)
Proving LTL proper es about the Spec
Any proof obliga ons the designer may have posited
can be checked in NuSMV
What does that say about the implementa on?6/27/18 50
![Page 66: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/66.jpg)
What have we proved?
When FramaCโs WP plugin discharges these proof obliga ons, the
implementerโs simMap witnesses weak simula on
Proving WcuContracts WcuRefact-C
ACSL C
Official Use Only
6/27/18 51
![Page 67: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/67.jpg)
Proving LTL Proper es of Composi ons with
Implementa ons
So Q with FramaC proves weak simula on (in yellow) of the
implementa on asynchronously composed with a vola le
environment by the asynchronous composi on of the spec with
a vola le environment
Input==a
Input==c
Input==b
Input==bSA
SB
SCAbstract Controller
ControllerVolatile Environment
Input
Output
C ImplementationController || Volatile
Environment
Input==b
Input==b
Input==c
compS1compS2
compS3Input==a
Asynchronous composition
Q-Frama-CWeak Simulation
Component
System Implementation
Controller
Input
Output
Input==a
Input==c
Input==b
Input==bSA
SB
SC
Abstract Controller Abstract Component
*
Input ==c
Input==b
Input==a
Asynchronous composition
a a
6/27/18 52
![Page 68: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/68.jpg)
Proving LTL Proper es of Composi ons with
Implementa ons
Q with FramaC proves weak simula on (in yellow) of the
implementa on composed with a vola le environment by the
asynchronous composi on of the spec with the environment
Q can generate models and LTL proof obiga ons for a
composi on of abstrac ons (upper right hand corner)
Input==a
Input==c
Input==b
Input==bSA
SB
SCAbstract Controller
ControllerVolatile Environment
Input
Output
C ImplementationController || Volatile
Environment
Input==b
Input==b
Input==c
compS1compS2
compS3Input==a
Asynchronous composition
Q-Frama-CWeak Simulation
Component
System Implementation
Controller
Input
Output
Input==a
Input==c
Input==b
Input==bSA
SB
SC
Abstract Controller Abstract Component
*
Input ==c
Input==b
Input==a
Asynchronous composition
a a
6/27/18 53
![Page 69: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/69.jpg)
Proving LTL Proper es of Composi ons with
Implementa ons
Q with FramaC proves weak simula on (in yellow) of the
implementa on composed with a vola le environment by the
asynchronous composi on of the spec with the environment
Q can generate models and LTL proof obliga ons for a
composi on of abstrac ons (upper right hand corner)
What does that say about the implementa on (lower right
corner)?
Input==a
Input==c
Input==b
Input==bSA
SB
SCAbstract Controller
ControllerVolatile Environment
Input
Output
C ImplementationController || Volatile
Environment
Input==b
Input==b
Input==c
compS1compS2
compS3Input==a
Asynchronous composition
Q-Frama-CWeak Simulation
Component
System Implementation
Controller
Input
Output
Input==a
Input==c
Input==b
Input==bSA
SB
SC
Abstract Controller Abstract Component
*
Input ==c
Input==b
Input==a
Asynchronous composition
a a
6/27/18 54
![Page 70: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/70.jpg)
The โ between Boxes: Parallel Composi on of LTS
To reduce state space, and to model the composi on of hardware
within clock domains, we actually have in Q a synchronous
composi on
Defini on
The Synchronous composi on of ๐ , ๐ โถ LTS, wri en ๐โ๐ is given by
the rule
๐๐ผ
โ๐ ๐โฒ ๐๐ผ
โ๐ ๐โฒ
(๐, ๐)๐ผ
โ๐โ๐ (๐โฒ, ๐โฒ)
6/27/18 55
![Page 71: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/71.jpg)
An example
Example
โ๐ โ ๐๐, the synchronous composi on of these two LTSโs will never
visit (๐ฃ10๐ฃ21, ๐) or (๐ฃ11๐ฃ20, ๐)
_
0 get/\(v==0)
1
set==1
get/\(v==1)v10
v10v20
get/\(v==0)
v10v21
get/\(v==1)
v11
v11v20
get/\(v==0)
v11v21
get/\(v==1)
_
C0
Set
set==1
get/\(v==0) get/\(v==1)
6/27/18 56
![Page 72: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/72.jpg)
Moving Arrows past โ: Precongruence
Our synchronous โ was a convenient choice for reducing statespaceand for modeling hardware. More importantly, now, is that it is
composi onal, in that
Lemma
Strong simula on โชฏ is a pre-congruence over โ, that is,โ๐, ๐ , ๐ โถ LTS.๐ โชฏ ๐ โ ๐ โ๐ โชฏ ๐โ๐
6/27/18 57
![Page 73: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/73.jpg)
An Example
Example
Here, ๐1 โชฏ ๐1, and ๐1โ๐2 โชฏ ๐1โ๐2
๐1
_
p10
p11
a
๐1
_
q10
q11
b
q12
a
๐2
_
p20
p21
b
b
6/27/18 58
![Page 74: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/74.jpg)
Synchronous, Asynchronous, Strong, Weak
We can recover asynchronous composi on and weak simula on
through a comple on with the right alphabet
Defini on
Let ๐ an alphabet, and let ๐๐ โถ LTS โ LTS โถโถ ๐ โฆ ๐ the comple on
over ๐ be the transi on system (๐๐, ๐๐ โจ ๐,โ
โ, ๐0) with the new
transi on rela on given by rules
๐๐ผ
โ๐ ๐โฒ
๐๐ผโM๐(๐)
๐โฒ
๐ผ โ ๐๐
๐ผโM๐(๐)
๐(2.1)
6/27/18 59
![Page 75: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/75.jpg)
Synchronous, Asynchronous, Strong, Weak
Let ๐ , ๐ โถ LTS with alphabets ๐๐ and ๐๐. We can recover the
asynchronous composi on from the synchronous composi on via the
comple on once given a decomposi on of their meet ๐๐ โ ๐๐ into
disjoint ๐๐๐(labels output by ๐) and ๐๐๐
(labels output by ๐). Let
๐๐/๐ โถ= ๐๐๐โ (๐๐ \ ๐๐) the asynchronous alphabet of ๐ over ๐
Proposi on
Let ๐, ๐ โถ LTS share alphabet ๐๐ = ๐๐ and let ๐๐ธ the alphabet of
their environment. ๐ weakly simulates ๐ (i.e. ๐ โชฏ๐ ๐) if and only if
๐ โชฏ M๐๐ธ/๐(๐), or ๐ โ M๐๐ธ/๐
(๐)
6/27/18 60
![Page 76: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/76.jpg)
Synchronous, Asynchronous, Strong, Weak
Let ๐ , ๐ โถ LTS with alphabets ๐๐ and ๐๐. We can recover the
asynchronous composi on from the synchronous composi on via the
comple on once given a decomposi on of their meet ๐๐ โ ๐๐ into
disjoint ๐๐๐(labels output by ๐) and ๐๐๐
(labels output by ๐). Let
๐๐/๐ โถ= ๐๐๐โ (๐๐ \ ๐๐) the asynchronous alphabet of ๐ over ๐
Proposi on
Let ๐, ๐ โถ LTS share alphabet ๐๐ = ๐๐ and let ๐๐ธ the alphabet of
their environment. ๐ weakly simulates ๐ (i.e. ๐ โชฏ๐ ๐) if and only if
๐ โชฏ M๐๐ธ/๐(๐), or ๐ โ M๐๐ธ/๐
(๐)
6/27/18 60
![Page 77: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/77.jpg)
Synchronous, Asynchronous, Strong, Weak
Lemma
The asynchronous composi on is in strong simula onโs kernel with
the synchronous composi on of comple ons
โ๐ , ๐ โถ ๐ฟ๐ ๐.๐โ๐๐ โ M๐๐/๐(๐ )โM๐๐/๐
(๐)
Lemma
๐ โM๐๐/๐(1๐๐
) โ ๐
Lemma
Q asks FramaC-WP to prove
M๐๐/๐(๐ โM๐๐/๐
(1๐๐))
qFramaC
โ M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
6/27/18 61
![Page 78: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/78.jpg)
Synchronous, Asynchronous, Strong, Weak
Lemma
The asynchronous composi on is in strong simula onโs kernel with
the synchronous composi on of comple ons
โ๐ , ๐ โถ ๐ฟ๐ ๐.๐โ๐๐ โ M๐๐/๐(๐ )โM๐๐/๐
(๐)
Lemma
๐โM๐๐/๐(1๐๐
) โ ๐
Lemma
Q asks FramaC-WP to prove
M๐๐/๐(๐ โM๐๐/๐
(1๐๐))
qFramaC
โ M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
6/27/18 61
![Page 79: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/79.jpg)
Synchronous, Asynchronous, Strong, Weak
Lemma
The asynchronous composi on is in strong simula onโs kernel with
the synchronous composi on of comple ons
โ๐ , ๐ โถ ๐ฟ๐ ๐.๐โ๐๐ โ M๐๐/๐(๐ )โM๐๐/๐
(๐)
Lemma
๐โM๐๐/๐(1๐๐
) โ ๐
Lemma
Q asks FramaC-WP to prove
M๐๐/๐(๐ โM๐๐/๐
(1๐๐))
qFramaC
โ M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
6/27/18 61
![Page 80: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/80.jpg)
Soundness and Composi onality of Q
By terminality of the terminal abstrac on, 1๐๐
!โ ๐.
By functoriality of the comple on,
M๐๐/๐(1๐๐
)M๐๐/๐
โ M๐๐/๐(๐)
Therefore, by precongruence of simula on (โชฐ or โ) over โ,
Theorem (Main Theorem)
The following is a commu ng diagram of LTS with, as maps of LTS,
simula ons
M๐๐/๐(๐ โM๐๐/๐
(1๐๐)) M๐๐/๐
(๐ )โM๐๐/๐(๐)
M๐๐/๐(!)
oo
M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
qFramaC
OO
M๐๐/๐(๐ถ)โM๐๐/๐
(๐)
OO
!oo
6/27/18 62
![Page 81: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/81.jpg)
Soundness and Composi onality of Q
By terminality of the terminal abstrac on, 1๐๐
!โ ๐.
By functoriality of the comple on,
M๐๐/๐(1๐๐
)M๐๐/๐
โ M๐๐/๐(๐)
Therefore, by precongruence of simula on (โชฐ or โ) over โ,
Theorem (Main Theorem)
The following is a commu ng diagram of LTS with, as maps of LTS,
simula ons
M๐๐/๐(๐ โM๐๐/๐
(1๐๐)) M๐๐/๐
(๐ )โM๐๐/๐(๐)
M๐๐/๐(!)
oo
M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
qFramaC
OO
M๐๐/๐(๐ถ)โM๐๐/๐
(๐)
OO
!oo
6/27/18 62
![Page 82: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/82.jpg)
Soundness and Composi onality of Q
By terminality of the terminal abstrac on, 1๐๐
!โ ๐.
By functoriality of the comple on,
M๐๐/๐(1๐๐
)M๐๐/๐
โ M๐๐/๐(๐)
Therefore, by precongruence of simula on (โชฐ or โ) over โ,
Theorem (Main Theorem)
The following is a commu ng diagram of LTS with, as maps of LTS,
simula ons
M๐๐/๐(๐ โM๐๐/๐
(1๐๐)) M๐๐/๐
(๐ )โM๐๐/๐(๐)
M๐๐/๐(!)
oo
M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
qFramaC
OO
M๐๐/๐(๐ถ)โM๐๐/๐
(๐)
OO
!oo
6/27/18 62
![Page 83: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/83.jpg)
Soundness and Composi onality of Q
By terminality of the terminal abstrac on, 1๐๐
!โ ๐.
By functoriality of the comple on,
M๐๐/๐(1๐๐
)M๐๐/๐
โ M๐๐/๐(๐)
Therefore, by precongruence of simula on (โชฐ or โ) over โ,
Theorem (Main Theorem)
The following is a commu ng diagram of LTS with, as maps of LTS,
simula ons
M๐๐/๐(๐ โM๐๐/๐
(1๐๐)) M๐๐/๐
(๐ )โM๐๐/๐(๐)
M๐๐/๐(!)
oo
M๐๐/๐(๐ถ)โM๐๐/๐
(1๐๐)
qFramaC
OO
M๐๐/๐(๐ถ)โM๐๐/๐
(๐)
OO
!oo
6/27/18 62
![Page 84: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/84.jpg)
What Was Accomplished
Weak simulation by precongruence
Controller Specification
Controller Volatile Environment
async
C ImplementationController || Volatile
Environment
Weak simulation byprecongruence
Weak Simulation by QFrama-C
Component
System Implementation
Controller
Input
Output
Weak simulationby precongruence
Synchronous QParallel Composition
Controller Specification
Component SpecificationMA( )
asyncOutput
Input
Synchronous QParallel Composition Safety Properties
)MA(
6/27/18 63
![Page 85: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/85.jpg)
What Was Accomplished
Thus we have accomplished our goal -
Given a proposed witness of simula on of a controller
implementa on by its spec, the Q compiler generates and
emplaces the ACSL annota ons from which FramaC generates
the proof of simula on.
Weak simulation by precongruence
Controller Specification
Controller Volatile Environment
async
C ImplementationController || Volatile
Environment
Weak simulation byprecongruence
Weak Simulation by QFrama-C
Component
System Implementation
Controller
Input
Output
Weak simulationby precongruence
Synchronous QParallel Composition
Controller Specification
Component SpecificationMA( )
asyncOutput
Input
Synchronous QParallel Composition Safety Properties
)MA(
6/27/18 64
![Page 86: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/86.jpg)
What Was AccomplishedThus we have accomplished our goal -
Given a proposed witness of simula on of a controller
implementa on by its spec, the Q compiler generates and
emplaces the ACSL annota ons from which FramaC generates
the proof of simula on.
The Q compiler computes the asynchronous composi on of that
specifica on with specifica ons for other components and
constructs LTL models of the composi ons along with high level
proper es in e.g. Why3 if they are to be proved or e.g. NuSMV if
they are to be checked.
Weak simulation by precongruence
Controller Specification
Controller Volatile Environment
async
C ImplementationController || Volatile
Environment
Weak simulation byprecongruence
Weak Simulation by QFrama-C
Component
System Implementation
Controller
Input
Output
Weak simulationby precongruence
Synchronous QParallel Composition
Controller Specification
Component SpecificationMA( )
asyncOutput
Input
Synchronous QParallel Composition Safety Properties
)MA(
6/27/18 65
![Page 87: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/87.jpg)
What Was Accomplished
Thus we have accomplished our goal -
Given a proposed witness of simula on of a controller
implementa on by its spec, the Q compiler generates and
emplaces the ACSL annota ons from which FramaC generates
the proof of simula on.
The Q compiler computes the composi on of that specifica on
with (the comple on of the) specifica ons for other
components, constructs LTL models of the composi ons along
with high level proper es in e.g. Why3 if they are to be proved
or e.g. NuSMV if they are to be checked.
By the Main Theorem, any Safety Proper es proved about that
composi on of specifica ons implies the same property about
the actual System implementa on
Weak simulation by precongruence
Controller Specification
Controller Volatile Environment
async
C ImplementationController || Volatile
Environment
Weak simulation byprecongruence
Weak Simulation by QFrama-C
Component
System Implementation
Controller
Input
Output
Weak simulationby precongruence
Synchronous QParallel Composition
Controller Specification
Component SpecificationMA( )
asyncOutput
Input
Synchronous QParallel Composition Safety Properties
)MA(
6/27/18 66
![Page 88: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/88.jpg)
What Was Accomplished
Weak simulation by precongruence
Controller Specification
Controller Volatile Environment
async
C ImplementationController || Volatile
Environment
Weak simulation byprecongruence
Weak Simulation by QFrama-C
Component
System Implementation
Controller
Input
Output
Weak simulationby precongruence
Synchronous QParallel Composition
Controller Specification
Component SpecificationMA( )
asyncOutput
Input
Synchronous QParallel Composition Safety Properties
)MA(
6/27/18 67
![Page 89: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/89.jpg)
What is Next for Q?
Q is currently proprietary. However, there is internal discussion
about poten ally open sourcing it
We would like to mechanize the metatheory: ideally Q would
provide cer ficates in, e.g. Coq, that it is doing the right thing.
For that it would be nice to have a formal seman cs of ACSL.
6/27/18 68
![Page 90: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/90.jpg)
Thanks!!""#$#%&'()*'!+&,
!"#$%&'()*(+($,-.%/.0("1$2"3'.4%$,5267,%5-.
Jon M. Aytac (8756)Assured Digital Syst & Comp
Robert Armstrong (8756)Assured Digital Syst & Comp
Benjamin Curt Nilsen (8756)Assured Digital Syst & Comp
Geoffrey Compton Hulette (8756)Assured Digital Syst & Comp
!""#$#%&'()*'!+&,
Andrew Michael Smith (8756)Assured Digital Syst & Comp
Philip Alden Johnson-Freyd (8756)Assured Digital Syst & Comp
Jackson Mayo (8753)Scalable Modeling Analysis
Jason Michnovicz (8756)Assured Digital Syst & Comp
Ratish J. Punnoose (8212)Weapons Subsystems 2
Karla Morris (8756)Assured Digital Syst & Comp
6/27/18 69
![Page 91: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/91.jpg)
Bonus Slide: What about Aeorai
There is already a plugin for producing LTL proper es about C
programs: Aeorai
We could use this for our purposes only a er solving the
following problem
Let โ๐โ๐๐ โถ Prop(๐ โ๐๐) a temporal property on the
asynchronous composi on of ๐ and ๐. Given the specifica on
of ๐, what temporal property โ๐ โถ Prop(๐ ) suffices to obtain
โ๐โ๐๐. This is some mes called the problem of producing
quo ent specifica ons
6/27/18 70
![Page 92: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/92.jpg)
Bonus Slide: What about Aeorai
There is already a plugin for producing LTL proper es about C
programs: Aeorai
We could use this for our purposes only a er solving the
following problem
Let โ๐โ๐๐ โถ Prop(๐ โ๐๐) a temporal property on the
asynchronous composi on of ๐ and ๐. Given the specifica on
of ๐, what temporal property โ๐ โถ Prop(๐ ) suffices to obtain
โ๐โ๐๐. This is some mes called the problem of producing
quo ent specifica ons
6/27/18 70
![Page 93: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/93.jpg)
Bonus Slide: What about Aeorai
There is already a plugin for producing LTL proper es about C
programs: Aeorai
We could use this for our purposes only a er solving the
following problem
Let โ๐โ๐๐ โถ Prop(๐ โ๐๐) a temporal property on the
asynchronous composi on of ๐ and ๐. Given the specifica on
of ๐, what temporal property โ๐ โถ Prop(๐ ) suffices to obtain
โ๐โ๐๐. This is some mes called the problem of producing
quo ent specifica ons
6/27/18 70
![Page 94: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/94.jpg)
Bonus Slide: What about WPA?
_
ptkInit
ptkStart
msg1
msg2msg1
ptkNegotiating
msg3/\MICVer/\~ReplayedMsg
msg4
ptkDone
unconditional msg3/\MICRec/\~ReplayedMsg
6/27/18 71
![Page 95: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/95.jpg)
Bonus Slide: La ce Structure on Labels
The labels in a C program will have some la ce structure, i.e. a
Boolean algebra of expressions over its variables, and this puts some
constraints onโ
โโถ ๐ โ ๐ซ(๐ ร ๐),
๐ฝ โ ๐ผ ๐๐ผโ๐ถ ๐โฒ
๐๐ฝโ๐ถ ๐โฒ
๐๐ผโ ๐โฒ ๐
๐ฝโ๐ถ ๐โฒ
๐๐ผโจ๐ฝโ ๐ถ ๐โฒ ๐
โโ๐ถ ๐โฒ
(2.2)
Soโ
โ is a Galois Connec on. ๐[๐ ๐] must therefore be monotonic for
our witness to be viable.
6/27/18 72
![Page 96: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/96.jpg)
Bonus Slide: La ce Structure on Labels
The labels in a C program will have some la ce structure, i.e. a
Boolean algebra of expressions over its variables, and this puts some
constraints onโ
โโถ ๐ โ ๐ซ(๐ ร ๐),
๐ฝ โ ๐ผ ๐๐ผโ๐ถ ๐โฒ
๐๐ฝโ๐ถ ๐โฒ
๐๐ผโ ๐โฒ ๐
๐ฝโ๐ถ ๐โฒ
๐๐ผโจ๐ฝโ ๐ถ ๐โฒ ๐
โโ๐ถ ๐โฒ
(2.2)
Soโ
โ is a Galois Connec on. ๐[๐ ๐] must therefore be monotonic for
our witness to be viable.
6/27/18 72
![Page 97: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/97.jpg)
Bonus Slide: La ce Structure on Labels
The labels in the abstrac on are the expressions over abstract
variables Var๐ taking values in abstract value domain ๐๐.
if ๐[๐ ๐] factors through a map of variables
๐Var โถ Var๐ โ ๐ซ(Var๐) and a map of their value domains
๐๐ โถ ๐๐ โ ๐ซ(๐๐), then we can know ๐[๐ ๐] is monotonic, no
further proof obliga ons required.
Otherwise, checking monotonicity of ๐[๐ ๐] requires reasoning
about the la ce structure of the algebra of boolean expressions
over the execu on environment of the C program
6/27/18 73
![Page 98: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/98.jpg)
Bonus Slide: La ce Structure on Labels
The labels in the abstrac on are the expressions over abstract
variables Var๐ taking values in abstract value domain ๐๐.
if ๐[๐ ๐] factors through a map of variables
๐Var โถ Var๐ โ ๐ซ(Var๐) and a map of their value domains
๐๐ โถ ๐๐ โ ๐ซ(๐๐), then we can know ๐[๐ ๐] is monotonic, no
further proof obliga ons required.
Otherwise, checking monotonicity of ๐[๐ ๐] requires reasoning
about the la ce structure of the algebra of boolean expressions
over the execu on environment of the C program
6/27/18 73
![Page 99: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/99.jpg)
Bonus Slide: La ce Structure on Labels
The labels in the abstrac on are the expressions over abstract
variables Var๐ taking values in abstract value domain ๐๐.
if ๐[๐ ๐] factors through a map of variables
๐Var โถ Var๐ โ ๐ซ(Var๐) and a map of their value domains
๐๐ โถ ๐๐ โ ๐ซ(๐๐), then we can know ๐[๐ ๐] is monotonic, no
further proof obliga ons required.
Otherwise, checking monotonicity of ๐[๐ ๐] requires reasoning
about the la ce structure of the algebra of boolean expressions
over the execu on environment of the C program
6/27/18 73
![Page 100: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/100.jpg)
So we present the data type provide required to construct the
simula on witness ๐ as well as the informa on to generate 1๐๐ผin a
format encouraging the designer to give the witness without
incurring addi onal proof obliga ons
6/27/18 74
![Page 101: The Q Compiler - for Verifying High-Consequence Controlsย ยท TheArrows:SimulaonRelaons Definion Forany๐,๐โถLTSwith๐๐=๐๐,arelaon ๐
โ๐๐ร๐๐isa simulaonrelaon](https://reader034.vdocuments.net/reader034/viewer/2022042216/5ebf9ba8bcd87b2ee62c797f/html5/thumbnails/101.jpg)
Comple on is not Strong
The comple on is not, however, a strong endofunctor on LTS
M๐๐/๐(๐ โM๐๐/๐
(๐)) โ M๐๐/๐(๐ )โM๐๐/๐
(๐)
6/27/18 75