CVPP: A Tool Set for Compositional Verification of Control–Flow Safety Properties

Author(s):  
Marieke Huisman ◽  
Dilian Gurov
2014 ◽  
Vol 2014 ◽  
pp. 1-12
Author(s):  
Lianyi Zhang ◽  
Qingdi Meng ◽  
Kueiming Lo

The efficiency of the compositional verification of invariants depends on the abstraction, which may lead to verification incompleteness. The invariant strengthening and state partitioning techniques are proposed in this paper. The former could refine the overapproximation by removing the unreachable states, and the latter is a variant of counterexample-guided abstraction refinement. Integrated with these two refinement techniques, a unified compositional verification framework is presented to strengthen the abstraction and find counterexamples. Some examples are included to show that the verification of the safety properties in component-based systems has been achieved by our framework.


2019 ◽  
Vol 48 (2) ◽  
pp. 299-315
Author(s):  
Marcus Mikulcak ◽  
Paula Herber ◽  
Thomas Göthel ◽  
Sabine Glesner

Simulink and its state machine design toolbox Stateflow are widely-used industrial tools for the development of complex embedded systems. Due to the strongly differing execution semantics of Simulink and Stateflow, the analysis of combined models poses a difficult challenge. In this paper, we present a novel approach to relate the semantics of both the dynamic and the controller components and use it to perform an information flow analysis on a combined model consisting of discrete Simulink components and Stateflow controllers. The key idea of our approach is that we analyze the information flow in a given model by computing an over-approximation of the control flow, and deduce whether all control flow conditions combined permit information to flow on a given path or not. Our control flow analysis approach is threefold: (1) we identify timed path conditions which capture the conditions for time-dependent information flow on paths of interest for (discrete) Simulink components, and translate them into a UPPAAL timed automata representation, (2) we translate the Stateflow components to UPPAAL timed automata, and (3) we perform model checking on the resulting set of automata to analyze the existence of paths in the combined model. With our approach, we safely rule out the existence of information flow on specific paths through a model, which enables us to reason about non-interference between model parts and the compliance with security policies. Furthermore, our approach presents a starting point to generate feasible, efficient test cases and to perform compositional verification. We demonstrate the applicability of our approach using two versions of a complex case study from the automotive domain consisting of multiple safety-critical components communicating over a shared bus system.


2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Seyed Mohammad Javad Hosseini ◽  
Bahman Arasteh ◽  
Ayaz Isazadeh ◽  
Mehran Mohsenzadeh ◽  
Mitra Mirzarezaee

PurposeThe purpose of this study is to reduce the number of mutations and, consequently, reduce the cost of mutation test. The results of related studies indicate that about 40% of injected faults (mutants) in the source code are effect-less (equivalent). Equivalent mutants are one of the major costs of mutation testing and the identification of equivalent and effect-less mutants has been known as an undecidable problem.Design/methodology/approachIn a program with n branch instructions (if instruction) there are 2n execution paths (test paths) that the data and codes into each of these paths can be considered as a target of mutation. Given the role and impact of data in a program, some of data and codes propagates the injected mutants more likely to the output of the program. In this study, firstly the error-propagation rate of the program data is quantified using static analysis of the program control-flow graph. Then, the most error-propagating test paths are identified by the proposed heuristic algorithm (Genetic Algorithm [GA]). Data and codes with higher error-propagation rate are only considered as the strategic locations for the mutation testing.FindingsIn order to evaluate the proposed method, an extensive series of mutation testing experiments have been conducted on a set of traditional benchmark programs using MuJava tool set. The results depict that the proposed method reduces the number of mutants about 24%. Also, in the corresponding experiments, the mutation score is increased about 5.6%. The success rate of the GA in finding the most error-propagating paths of the input programs is 99%. On average, only 7.46% of generated mutants by the proposed method are equivalent. Indeed, 92.54% of generated mutants are non-equivalent.Originality/valueThe main contribution of this study is as follows: Proposing a set of equations to measure the error-propagation rate of each data, basic-block and execution path of a program. Proposing a genetic algorithm to identify a most error-propagating path of program as locations of mutations. Developing an efficient mutation-testing framework that mutates only the strategic locations of a program identified by the proposed genetic algorithms. Reducing the time and cost of mutation testing by reducing the equivalent mutants.


2021 ◽  
Vol 43 (1) ◽  
pp. 1-41
Author(s):  
Marco Patrignani ◽  
Deepak Garg

Security-preserving compilers generate compiled code that withstands target-level attacks such as alteration of control flow, data leaks, or memory corruption. Many existing security-preserving compilers are proven to be fully abstract, meaning that they reflect and preserve observational equivalence. Fully abstract compilation is strong and useful but, in certain cases, comes at the cost of requiring expensive runtime constructs in compiled code. These constructs may have no relevance for security, but are needed to accommodate differences between the source and target languages that fully abstract compilation necessarily needs. As an alternative to fully abstract compilation, this article explores a different criterion for secure compilation called robustly safe compilation or RSC . Briefly, this criterion means that the compiled code preserves relevant safety properties of the source program against all adversarial contexts interacting with the compiled program. We show that RSC can be proved more easily than fully abstract compilation and also often results in more efficient code. We also present two different proof techniques for establishing that a compiler attains RSC and, to illustrate them, develop three illustrative robustly safe compilers that rely on different target-level protection mechanisms. We then proceed to turn one of our compilers into a fully abstract one and through this example argue that proving RSC can be simpler than proving full abstraction. To better explain and clarify notions, this article uses syntax highlighting in a way that colourblind and black-8-white readers can benefit from Reference [58]. For a better experience, please print or view this article in colour . 1


Author(s):  
Hoda Mehrpouyan ◽  
Dimitra Giannakopoulou ◽  
Irem Y. Tumer ◽  
Chris Hoyle ◽  
Guillaume Brat

This paper presents a novel safety specification and verification approach based on the compositional reasoning and model checking algorithms. The behavioral specification of each component and subsystem is modeled to describe the overall structure of the design. Then, these specifications are analyzed to determine the least number of component redundancies that are required to tolerate and prevent catastrophic system failure. The framework utilizes Labelled Transition Systems (LTS) formalism to model the behavior of components and subsystems. Furthermore, compositional analysis is used to reason about the components’ constraints (or assumptions) on their environments and the properties (or guarantees) of their output. This identification of local safety properties of components and subsystems leads to satisfaction of the desired safety requirements for the global system. A model of quad-redundant Electro-Mechanical Actuator (EMA) is constructed and, in an iterative approach, its safety properties are analyzed. Experimental results confirm the feasibility of the proposed approach for verifying the safety issues associated with complex systems in the early stages of the design process.


2020 ◽  
Vol 16 (2) ◽  
pp. 214
Author(s):  
Wang Yong ◽  
Liu SanMing ◽  
Li Jun ◽  
Cheng Xiangyu ◽  
Zhou Wan

Sign in / Sign up

Export Citation Format

Share Document