Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Similar documents
Semiformal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

SMT-Based Bounded Model Checking for Embedded ANSI-C Software. Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva

Verifying C & C++ with ESBMC

Model Checking Embedded C Software using k-induction and Invariants

More on Verification and Model Checking

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Bounded Model Checking Of C Programs: CBMC Tool Overview

Software Model Checking. Xiangyu Zhang

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

: A Bounded Model Checking Tool to Verify Qt Applications

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

ECBS SMT-Bounded Model Checking of C++ Programs. Mikhail Ramalho, Mauro Freitas, Felipe Sousa, Hendrio Marques, Lucas Cordeiro, Bernd Fischer

Formal Verification: Practical Exercise Model Checking with NuSMV

Lecture 2: Symbolic Model Checking With SAT

Finite State Verification. CSCE Lecture 14-02/25/2016

Handling Loops in Bounded Model Checking of C Programs via k-induction

ESBMC 1.22 (Competition Contribution) Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer

Finite State Verification. CSCE Lecture 21-03/28/2017

NuSMV Hands-on introduction

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Predicate Abstraction Daniel Kroening 1

The Spin Model Checker : Part I/II

F-Soft: Software Verification Platform

BITCOIN MINING IN A SAT FRAMEWORK

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

CS 510/13. Predicate Abstraction

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Software Model Checking. From Programs to Kripke Structures

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

SMT-Based Bounded Model Checking for Embedded ANSI-C Software

Model Checkers for Test Case Generation: An Experimental Study

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

C Bounded Model Checker

Software verification for ubiquitous computing

A Simple Tutorial on NuSMV

Introduction to CBMC: Part 1

Automated Reasoning Lecture 3: The NuSMV Model Checker

Decision Procedures in the Theory of Bit-Vectors

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

CS/ECE 5780/6780: Embedded System Design

Decision Procedures. An Algorithmic Point of View. Bit-Vectors. D. Kroening O. Strichman. Version 1.0, ETH/Technion

Introduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion

The Low-Level Bounded Model Checker LLBMC

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

Quantifying Information Leaks in Software

A Case Study on Model Checking and Deductive Verification Techniques of Safety-Critical Software

Program Verification. Aarti Gupta

Proving Properties of non-array Programs

List of Code Samples. xiii

Sciduction: Combining Induction, Deduction and Structure for Verification and Synthesis

HECTOR: Formal System-Level to RTL Equivalence Checking

EE382V: System-on-a-Chip (SoC) Design

A Deterministic Concurrent Language for Embedded Systems

COMP26120: Linked List in C (2018/19) Lucas Cordeiro

Deductive Methods, Bounded Model Checking

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Static Program Analysis

Short Notes of CS201

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Cyber Physical System Verification with SAL

High-Level Information Interface

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

A Case Study for CTL Model Update

CS201 - Introduction to Programming Glossary By

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

Motivation was to facilitate development of systems software, especially OS development.

Introduction to NuSMV

BDD-based software verification

Hardware Design Verification: Simulation and Formal Method-Based Approaches William K Lam Prentice Hall Modern Semiconductor Design Series

Static Analysis versus Software Model Checking for bug finding

Efficient test case generation for validation of UML activity diagrams

Sendmail crackaddr - Static Analysis strikes back

Verification Tests for MCAPI

Reasoning about Timed Systems Using Boolean Methods

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.1

Applications of Formal Verification

SAT-based Model Checking for C programs

Pierce Ch. 3, 8, 11, 15. Type Systems

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Having a BLAST with SLAM

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Low level security. Andrew Ruef

Dept. of CSE, York Univ. 1

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Model-Based Diagnosis versus Error Explanation

Sliced Path Prefixes: An Effective Method to Enable Refinement Selection

Cover Page. The handle holds various files of this Leiden University dissertation

Symbolic Synthesis of Observability Requirements for Diagnosability

CSC2108: Automated Verification Assignment 3. Due: November 14, classtime.

Parametric Real Time System Feasibility Analysis Using Parametric Timed Automata

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Advanced use of the C language

Model Checking with Abstract State Matching

Transcription:

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints L. Cordeiro, B. Fischer, H. Chen, J. P. Marques-Silva Lucas Cordeiro lcc08r@ecs.soton.ac.uk

Agenda Introduction Formal Verification Methodology Case Study and Experimental Results Conclusions and Future Work

Introduction Design HW/SW that implements functionalitiesand satisfies constraints. Allocation, Partition, and Refinement System-Design and Verification Tasks Specification Software Interface Hardware Evolving system s specification Identify market needs Time-to-market Product The complexity of ESW increased in embedded products

Platform-Based Design Design methodologies looks for solutions to reduce timeto-market, manufacturinganddesign costs. Reuse and programmability Multicore Reference Applications Platfo orm Platform API Operating System Device Drivers Hardware The size of ESWis increasing to millions of LOC. ASICs Software builds are produced on a weekly or daily basis.

Verification Methodologies and Challenges State-of-the-art ESW verification methodologies aim to: i. Generate test vectors (with constraints) ii. Use assertion-based verification iii. Use the high-level processor model during simulation Verification of embedded systems raises some additional challenges: i.meet the timing constraints ii.handle software concurrency iii.platform-dependent software iv.legacy designs (written in low-level languages)

Objective of this work Improve coverage and reduce verification time by combining static and dynamic verification. Verification Techniques Specification Embedded Software Microprocessor model Simulation Formal Verification Combine Coverage Improve

Bounded Model Checking The basic idea of BMC is to check the negationof a given property φat a given depth. Given a transition system M, a property φand a bound k: Initial state φ φ φ φ φ φ φ φφ... s 0 s 1 s 2 s k-1 s k Counter-example trace Property Bound BMC unrolls the design ktimes and translates it into a verification condition ψsuch that ψis satisfiable iff φhas a counter-example of depth less than or equal to k.

Predicate Abstraction It abstracts data by only keeping track of certain predicates to represent the data. Initial Abstraction Verification C/C++ Program with threads Concurrent Boolean Program Model Checker Property holds CEGAR Framework Refinement Spurious? Bug found Conservative approach reduces the state space, but generates spurious counter-examples.

Agenda Introduction Formal Verification Methodology Case Study and Experimental Results Conclusions and Future Work

Verification Methodology Consider not only higher levels of abstraction, but also the HW/SW interface. Reflect about the design, coverage and reduce the cyclomatic complexity. Counter-example e Unit and Functional Tests Embedded Software Microprocessor Model Product Backlog Property Description Evolving and prioritizing queue of requirements. CTL, RTCTL, LTL and PSL. BMC, predicate abstraction, BDDs. Encode model and property Decision Procedure Model checker

Proposed Approach In complex embedded systems, there will be modules thatdependonthehardwareandothersthatdonot. CPU model, simulator and interruptions generation Hardware 2nd phase: Platform dependent code Software Array bounds, arithmetic overflow, pointer safety, division by zero 3rd phase: Domain-level System Boundary 1st phase: Platform independent code To reason about temporal properties to assure the correctness and timeliness of the design.

Platform-Independent Software Verification ImplementsmallchangesintheESWtobeableto: i. Use model checkers; ii. Perform automated unit tests; iii.runtheeswonthetargetplatform. Include the platform-dependent software in lower level driver files: sensor.c sensor.h ep_sensor.c ep_sensor.h pc_sensor.c pc_sensor.h Embedded Platform PC platform Platform-independent software Platform-dependent software

Platform-Independent Software Verification We separate into two software classes: pure and driven by the environment. EmbUni t The TCs aim to improve the code coverage SATABS sensortest Sensor data Sensor Serial Communication Achieve full path and state coverage Replace the explicit input values with nondeterministic inputs a=nondet_int( ); /*assign arbitrary values*/ assume(a>10 && a<200); /* constrain the values*/

Platform-Dependent Software Verification Specify properties based on C s assert macro using the microprocessor model. Examine the call stack and interpret the counterexample Fml ::= Fml con Fml ~Fml Atm con ::= AND OR XOR Atm ::= Trm rel Trm true false rel ::= < <= > >= =!= Trm := var const CBMC Hold the value of tl0 register Load timer register struct module_tc { unsigned int tl0; } extern struct module_tc oc8051_tc; oc8051_tc.tl0=tlow; for(cycle=0; cycle<n; cycle++) next_timeframe(); assert(oc8051_tc.tl0==y); Change the state of the registers in the verilog model Check user-specified assertions

Domain-Level Verification We use RTCTL to specify properties that involve time bounds. Sensor Compute HR and SpO2 m T = { t ℵm t n} n compute_expr :: MIN [ rtctl_expr, rtctl_expr ] (shortest path) MAX [ rtctl_expr, rtctl_expr ](longest path) rtctl_expr :: EBFm..n p ABFm..n p EBGm..n p ABGm..n p E[p U m..n q] A [p U m..n q] NuSMV2 Simulation Log system Timer Component Function:Filename(line) 12320 c_lcd -> LCD_Driver_InitModule: lcd_class_driver.c(85) 12789 c_lcd -> LCD_WriteData: lcd_class_driver.c(90) 13452 c_lcd -> LCD_InterfaceDescriptor: lcd_class_interface.c(102) 14216 c_lcd -> LCD_InterfaceContext_Create: lcd_class_interface.c(18) 14834 c_lcd -> LCD_initialize: lcd_class_interface.c(80)

Infrastructure SCM Subversion Check Modifications Scheduled Builds CruiseControl Send feedback If build process returns OK, generate and flash the file Invoke Build System Build Environment CruiseControl Build Console make Verification Embedded Unit Local Builds Local Developer Environment Reports with all metrics generated after the build process Libraries embunit Libraries

Agenda Introduction Formal Verification Methodology Case Study and Experimental Results Conclusions and Future Work

Medical Device Case Study The pulse oximeter measures the oxygen saturation and cardiac frequency. i. Show SpO2 and HR on each second. ii. Change the alarm configuration. iii.user interface (keyboard and a graphical display). iv. The design is highly optimized for life-cycle cost and effectiveness. Typical of many embedded real-time systems.

Formal Verification using Model Checking How many bugscan you find in this ANSI-C code fragment? (the compiler compiles it without errors) #define BUFFER_MAX 6400 typedef int Data8; typedef unsigned int udata8; static char buffer[buffer_max]; static Data8 next=0; static udata8 buffer_size=buffer_max; void insertlogelement(data8 b) { if (next < buffer_size) { buffer[next] = b; next = (next+1)%buffer_size; } (pre-production code) First bug: the array buffer is a char data type and the element b is a signed Second integer bug: there data is a type (i.e., division typecast by zeroin overflow (next+1)%buffer_size might occur)

Model Checking with NuSMV2 NuSMV2 accepts models in NuSMV language and system properties in CTL, Real-Time CTL, LTL and PSL. Property (a): ensure that the buffer does not overflow. MODULE log VAR buffer_size : 0..255; nextptr : 0..255; DEFINE nextptr_condition := nextptr < buffersize; ASSIGN init(nextptr) := 0; next(nextptr) := case nextptr = nextptr_condition & buffer_size > 0 :((nextptr+1) mod buffer_size); 1 : nextptr; esac; PSLSPEC AG (nextptr <= buffer_size) NuSMV2 found a division by zero and a typecast overflow. Ensure that on all paths, at all stateson each path the formula holds

Specifying Complex Properties in CBMC and SATABS We specified property (b) in LTL and translated it into Buechi Automata. Property (b): check the data flow to compute the HR value provided by the pulse oximeter sensor hardware. Property (b) can be expressed as: AG ( p Fr) Let p denote the state that the buffer contains HR. Let r denote the state that defines the respective HR value. Any state containing the HR raw data is eventually followed by a state representing the respective HR value.

Specifying Complex Properties in CBMC and SATABS Example: AG ( p Fr) Property in LTL Buechi Automata switch (state) { case T0_init: } break; case accept_s1: break; C code

Experimental Results The pulse oximeter ESW contains approximately 3500 First phase: one bug related lines of ANSI-C code and 80 functions. to array bounds. First Some phase: inconsistencies one bug in related relation to to pointer the requirements safety Third phase: specification one bug related to timing constraints First phase: one bug related to division by zero and another bug related to typecast overflow The most relevant related work verified dynamically ESW from automotive domain with approximately 3000 lines of C code in 34388 seconds(~9 h) using SystemCmodels [Lettnin 08].

Conclusions and Future Work We have combined static and dynamic verification for pure and hardware-related embedded software. Test driven development helps reduce the cyclomatic complexity and alleviates the state explosion problem. The proposed methodology allowed us to find undiscovered bugs. We intend to verify formally ANSI-C and SystemVerilog using SAT Modulo Theories solvers. We aim at defining a subset of Real-Time CTL and PSL to verify more complex properties in embedded software.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback