A Formally Verified, Optimized Monitor for Metric First-Order - PowerPoint PPT Presentation

A Formally Verified, Optimized Monitor for Metric First-Order Dynamic Logic David Basin, Thibault Dardinier, Lukas Heimes, Srđan Krstić , Martin Raszyk , Joshua Schneider and Dmitriy Traytel Department of Computer Science 1

Dmitriy Joshua Srđan Martin Rocket engineer Monitoring researcher Working formalizer Quality assurer All characters and events mentioned in this presentation are entirely fictitious. The paper is real. 2

Act I: Going to Space Dmitriy Joshua Rocket engineer Monitoring researcher Where: WASA Cafeteria When: One week before the IJCAR deadline 3

Monitoring Background image: NASA/JPL-Caltech/MSSS 4

Monitoring Correct behavior? Background image: NASA/JPL-Caltech/MSSS 4

Monitoring Observations Correct behavior? at runtime Background image: NASA/JPL-Caltech/MSSS 4

Monitoring Observations Correct behavior? at runtime Monitor Background image: NASA/JPL-Caltech/MSSS 4

Specifications Metric First-Order Temporal Logic (MFOTL) with aggregations 5

Specifications Metric First-Order Temporal Logic (MFOTL) with aggregations t ::= x | c | t + t | t × t | ... ϕ ::= p ( t 1 ,..., t n ) | t = t | t < t | t ≤ t | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | x ← Ω x ; � x . ϕ | ... Ω ::= MAX | MIN | CNT | SUM | AVG I ::= [ N , N ∪ {∞} ] 5

Specifications Examples: Metric First-Order Temporal Logic (MFOTL) with aggregations Published reports must have been approved in the past seven days. t ::= x | c | t + t | t × t | ... publish ( r ) → � [ 0 , 7 d ] approve ( r ) ϕ ::= p ( t 1 ,..., t n ) (where � I ϕ = true S I ϕ ) | t = t | t < t | t ≤ t | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | x ← Ω x ; � x . ϕ | ... Ω ::= MAX | MIN | CNT | SUM | AVG I ::= [ N , N ∪ {∞} ] 5

Specifications Examples: Metric First-Order Temporal Logic (MFOTL) with aggregations Published reports must have been approved in the past seven days. t ::= x | c | t + t | t × t | ... publish ( r ) → � [ 0 , 7 d ] approve ( r ) ϕ ::= p ( t 1 ,..., t n ) (where � I ϕ = true S I ϕ ) | t = t | t < t | t ≤ t | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ Maximum radiation must not exceed | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ 3 Roentgen. ( m ← MAX x . rad ( x )) → m ≤ 3 | x ← Ω x ; � x . ϕ | ... Ω ::= MAX | MIN | CNT | SUM | AVG I ::= [ N , N ∪ {∞} ] 5

Monitors Formal specification publish ( r ) → � [ 0 , 7 d ] approve ( r ) Log/trace/event stream Verdict . . . . . . ✓ 29/05/2020 15:03 approve(report41) [ JACM 2015] ✓ 29/05/2020 15:24 publish(report41) ✓ 09/06/2020 13:45 approve(report67) ✗ (report41) 10/06/2020 07:51 publish(report41) ✓ 10/06/2020 07:52 publish(report67) . . . . . . 6

Monitors Formal specification publish ( r ) → � [ 0 , 7 d ] approve ( r ) Log/trace/event stream Verdict . . . . . . ✓ 29/05/2020 15:03 approve(report41) [ JACM 2015] ✓ 29/05/2020 15:24 publish(report41) ✓ 09/06/2020 13:45 approve(report67) ✗ (report41) 10/06/2020 07:51 publish(report41) ✓ 10/06/2020 07:52 publish(report67) . . . . [RV 2019] . . 6

Let’s try ... Spec 1: The robot must not start to move if three or more transmissions of the same data failed within the last ten minutes without a successful transmission in between. 7

Let’s try ... Spec 1: The robot must not start to move if three or more transmissions of the same data failed within the last ten minutes without a successful transmission in between. Spec 2: The module with the highest energy consumption within the second to last minute must be reported to ground control. 7

MFOTL subset of MFOTL with aggregations no aggregations t ::= x | c | t + t | t × t | ... t ::= x | c ϕ ::= p ( t 1 ,..., t n ) ϕ ::= p ( t 1 ,..., t n ) | t = t | t < t | t ≤ t | t = t | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | x ← Ω t ; � x . ϕ Ω ::= MAX | MIN | CNT | SUM | AVG I ::= [ N , N ∪ {∞} ] I ::= [ N , N ∪ {∞} ] 8

MFOTL subset of MFOTL with aggregations no aggregations t ::= x | c | t + t | t × t | ... t ::= x | c ϕ ::= p ( t 1 ,..., t n ) ϕ ::= p ( t 1 ,..., t n ) | t = t | t < t | t ≤ t | t = t | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | x ← Ω t ; � x . ϕ cannot express Spec 2! Ω ::= MAX | MIN | CNT | SUM | AVG I ::= [ N , N ∪ {∞} ] I ::= [ N , N ∪ {∞} ] 8

Spec 1 in MFOTL: MFOTL subset of MFOTL with aggregations no aggregations t ::= x | c | t + t | t × t | ... t ::= x | c � � � [ 0 , x 1 ] ( ¬ com_ok ( d ) S [ 0 , x 2 ] ( com_fail ( d ) ∧ ϕ ::= p ( t 1 ,..., t n ) ϕ ::= p ( t 1 ,..., t n ) x ∈ N 6 , � [ 0 , x 3 ] ( ¬ com_ok ( d ) S [ 0 , x 4 ] ( com_fail ( d ) ∧ | t = t | t < t | t ≤ t | t = t � i x i = 600 � � [ 0 , x 5 ] ( ¬ com_ok ( d ) S [ 0 , x 6 ] com_fail ( d )))))) → ¬ move | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ | x ← Ω t ; � x . ϕ Ω ::= MAX | MIN | CNT | SUM | AVG I ::= [ N , N ∪ {∞} ] I ::= [ N , N ∪ {∞} ] 8

Spec 1 in MFOTL: MFOTL subset of MFOTL � � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 600 ] � � com_fail ( d )))))) ∨ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] with aggregations no aggregations � � ( com_fail ( d ) ∧ � [ 0 , 1 ] ( ¬ com_ok ( d ) S [ 0 , 599 ] com_fail ( d )))))) ∨ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] � ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 2 ] ( ¬ com_ok ( d ) S [ 0 , 598 ] com_fail ( d )))))) ∨ t ::= x | c | t + t | t × t | ... t ::= x | c � � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 3 ] ( ¬ com_ok ( d ) S [ 0 , 597 ] � � com_fail ( d )))))) ∨ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ϕ ::= p ( t 1 ,..., t n ) ϕ ::= p ( t 1 ,..., t n ) � � ( com_fail ( d ) ∧ � [ 0 , 4 ] ( ¬ com_ok ( d ) S [ 0 , 596 ] com_fail ( d )))))) ∨ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] � ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 5 ] ( ¬ com_ok ( d ) S [ 0 , 595 ] com_fail ( d )))))) ∨ | t = t | t < t | t ≤ t | t = t � � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 6 ] ( ¬ com_ok ( d ) S [ 0 , 594 ] � � com_fail ( d )))))) ∨ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ | ¬ ϕ | ϕ ∧ ϕ | ∃ x . ϕ � � ( com_fail ( d ) ∧ � [ 0 , 7 ] ( ¬ com_ok ( d ) S [ 0 , 593 ] com_fail ( d )))))) ∨ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] � ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 8 ] ( ¬ com_ok ( d ) S [ 0 , 592 ] com_fail ( d )))))) | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ ∨ | � I ϕ | � I ϕ | ϕ S I ϕ | ϕ U I ϕ � � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 0 ] ( ¬ com_ok ( d ) S [ 0 , 0 ] ( com_fail ( d ) ∧ � [ 0 , 9 ] ( ¬ com_ok ( d ) S [ 0 , 591 ] | x ← Ω t ; � � ∨ ... x . ϕ com_fail ( d )))))) Ω ::= MAX | MIN | CNT | SUM | AVG 664 353 676 371 disjuncts, assuming discrete time in seconds I ::= [ N , N ∪ {∞} ] I ::= [ N , N ∪ {∞} ] 8

A Formally Verified, Optimized Monitor for Metric First-Order - PowerPoint PPT Presentation

A Formally Verified, Optimized Monitor for Metric First-Order Dynamic Logic David Basin, Thibault Dardinier, Lukas Heimes, Sran Krsti , Martin Raszyk , Joshua Schneider and Dmitriy Traytel Department of Computer Science 1 Dmitriy Joshua

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Securing Existing Software using Formally Verified Libraries Tobias Reiher FOSDEM, Brussels,

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

A Formally Verified Interpreter for a Shell-like Programming Language Claude March e Nicolas

A Simple Supercompiler Formally Verified in Coq Dimitur Krustev IGE+XAO Balkan 4 July 2010 /

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

Showing a CakeML program is safe CakeML A verified implementation of ML Formally