Computer Aided Extrinsic Robustness Verification, Christèle Faure - PowerPoint PPT Presentation

SLIDE 1

Computer Aided Extrinsic Robustness Verification

Christèle Faure, Principal scientist, Christele.faure@safe-river.com

SLIDE 2

Industrial Problem

Given the specification of input values, is it possible to verify that the source code of a program is robust with respect to erroneous inputs and memory alterations?

SLIDE 3

Software Robustness

  • “Art of making software behave reasonably in exceptional situations”
  • Robustness failures lead to software false executions
  • Come from
    • Software bugs: intrinsic
    • Environment of execution problems: extrinsic
      • Sensor problems
      • Memory alterations

SLIDE 4

Enforcement of Intrinsic Robustness

  • Implementation: protects against false executions of dangerous operations
  • Example: protect against division by zero
  • Intrinsic robustness enforcement
    • A test protects against false executions of the dangerous operation
    • and branches to
      • The dangerous operation
      • The error handler

    assert(d != 0);
    e = n / d;

    if (d != 0) /* error test */
    { e = n / d; }
    else { /* error handler */ };

SLIDE 5

Automatic Verification of Intrinsic Robustness

  • Dangerous events: runtime errors (RTE)
  • Dangerous operations lead to (not completely specified in the language norm)
    • Undefined behavior
    • Unspecified behavior
    • Implementation-defined behavior
  • Verify the absence of RTE
    • Static analyzers based on abstract interpretation: sound, complete
    • Numerical lattices:
      • Non-relational: interval, congruency, …
      • Relational: convex polyhedra, …
    • Existing tools
      • Astrée: ENS + INRIA + AbsInt
      • PolySpace: The MathWorks (PolySpace Technologies)
      • Frama-C: CEA LIST
      • CodeHawk: Kestrel Technology (C Global Surveyor, NASA)
SLIDE 6

Extrinsic Robustness

  • Dangerous events
    • Unintentional erroneous input values (≠ security)
    • Memory alterations
  • Extrinsic robustness enforcement
    • Do not trust input values
    • Check the value w.r.t. its domain before consumption
SLIDE 7

Extrinsic robustness enforcement

  • Global input: Phase_id ∈ [0..MAX_PHASE]

    {
        ...
        scanf("%d", &Phase_id);
        if ((Phase_id < 0) || (Phase_id >= MAX_PHASE)) {
            /* handle the phase identification error */
        }; /* else nothing to do */
        switch (Phase_id) {
            case 3: …;
            case 2: ;
        }
        ...
    }
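The same acquisition check carried through to the consumption site, as an added example written for this page (not the presentation's code): the value of MAX_PHASE, the text buffer standing in for scanf, and the helper names are assumptions.

```c
#include <assert.h>
#include <stdio.h>

#define MAX_PHASE 4   /* constructed value: the slide leaves MAX_PHASE undefined */

enum { PHASE_OK = 0, PHASE_ERROR = -1 };

/* Acquisition site (hypothetical helper). The raw text stands in for the
   slide's scanf so the example runs offline; the robustness check sits right
   after acquisition, as the enforcement rule requires. */
int acquire_phase_id(const char *text, int *phase_id)
{
    int value;
    if (sscanf(text, "%d", &value) != 1) {
        return PHASE_ERROR;   /* not an integer at all: acquisition failed */
    }
    if ((value < 0) || (value >= MAX_PHASE)) {
        return PHASE_ERROR;   /* handle the phase identification error */
    }
    *phase_id = value;        /* else nothing to do: value is in the domain */
    return PHASE_OK;
}

/* Consumption site (hypothetical helper). The assert states the expected
   domain at the point of use; with the check above in place it can never
   fail, which is the coherency a static analyzer can confirm (slide 11). */
int dispatch_phase(int phase_id)
{
    assert((phase_id >= 0) && (phase_id < MAX_PHASE));
    switch (phase_id) {
    case 3:  return 30;       /* stands in for the slide's "case 3: ..." */
    case 2:  return 20;
    default: return 0;
    }
}

/* Whole path for one raw input: -1 when the check rejects it, otherwise the
   dispatch result. Only in-domain values ever reach dispatch_phase. */
int run_pipeline(const char *text)
{
    int phase_id;
    if (acquire_phase_id(text, &phase_id) != PHASE_OK) {
        return -1;
    }
    return dispatch_phase(phase_id);
}
```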

SLIDE 8

Robustness enforcement rule

  • Do not trust input values
    • Impossible to implement in practice
    • Too much extra calculation
  • Practical enforcement rule
    • Put a robustness check (target input, correctness domain, location)
    • For each non-pointer input
    • Before value consumption

    Target input      Correctness domain       Location
    Global input      From the specification   After acquisition
    Input parameter   To be computed           After function start

SLIDE 9

Robustness verification

  • No automatic tool
  • Verification of the coherency between
    • Actual enforcement check
    • Expected enforcement check
  • Verification (for each target input)

    Check      Correctness property                     Complexity
    Input      Check all inputs
    Location   Protection of all consumptions
    Domain     Coherency w.r.t. global input domains

SLIDE 10

Robustness verification

  • Verification (for each target input)

    Check      Required computation                                  Mode
    Input      Identification of global inputs                       Automated
               Identification of input parameters                    Manual
    Location   Identification of production sites: lower bound       Manual
               Identification of consumption sites: upper bound      Manual
    Domain     Computation of propagated input domain (⇔ expected)   Automated
               Coherency between actual and expected domains         Automated

SLIDE 11

Automatic Computations

  • PolySpace (TMW)
  • Propagation of value domains
    • From global inputs (instrumentation by assert)
    • Function parameters
      • Extracted using Inspection Point (instrumentation by IPT)
  • Domain coherency
    • Actual domain
    • Propagated domain
  • Coherency verification
    • Protective assert never fails (green)
    • Error handler never executed (grey)
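An added example of the domain computation this slide describes (written for this page, not PolySpace or SafeRiver code): a toy interval domain propagates the specified input range to a consumption site, and the coherency test reproduces the green/grey verdict; MAX_PHASE, the affine transfer and all names are assumptions.

```c
#include <stdbool.h>

/* Interval abstract domain, the non-relational lattice of slide 5.
   Constructed for this example; not SafeRiver's or PolySpace's code. */
typedef struct { long lo, hi; } interval_t;

/* Propagate a domain through y = a*x + b: the sign of a decides which bound
   maps to which, giving the tightest interval containing the image. */
interval_t propagate_affine(interval_t x, long a, long b)
{
    interval_t y;
    if (a >= 0) { y.lo = a * x.lo + b; y.hi = a * x.hi + b; }
    else        { y.lo = a * x.hi + b; y.hi = a * x.lo + b; }
    return y;
}

/* Domain coherency (slide 11): the protective check at a consumption site
   never fails, and its error handler is never reached, exactly when the
   domain the check accepts contains the expected (propagated) domain. */
bool domain_coherent(interval_t actual_check, interval_t expected)
{
    return (actual_check.lo <= expected.lo) && (expected.hi <= actual_check.hi);
}

/* Worked case (all values constructed): Phase_id is specified in
   [0, MAX_PHASE-1]; the caller computes index = 2*Phase_id + 1 and passes it
   to a function whose own check accepts [accepted_lo, accepted_hi]. */
#define MAX_PHASE 4

bool phase_index_check_is_coherent(long accepted_lo, long accepted_hi)
{
    interval_t phase    = { 0, MAX_PHASE - 1 };           /* from the specification */
    interval_t expected = propagate_affine(phase, 2, 1);  /* propagated: [1, 7] */
    interval_t actual   = { accepted_lo, accepted_hi };   /* the check as coded */
    return domain_coherent(actual, expected);
}
```

A false result means some legal Phase_id reaches the callee's error handler, so the protective check is too tight for the specified domain.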
SLIDE 12

Conclusion

  • Intrinsic robustness ≠ extrinsic robustness
  • General method
    • Enforcement by coding rule
    • Verification
      • No automatic tool
      • Mostly manual
      • Conclusive if domain coherency is automatically verified
  • Could be automated
    • Automatic generation of checks (program instrumentation)
    • Automatic verification of checks (program verification)
SLIDE 13

SafeRiver industrial projects

  • Conception of critical systems
    • THALES/RSS: train tracking
    • CSWT Ltd: tram-bus of DOUAI
  • Verification of embedded equipment
    • DELPHI: low-cost platform for car cabin equipment
    • AREVA T&D: control box for indoor switches (medium voltage)
  • Information system security
    • THALES Communications: application of formal methods to cryptographic equipment
    • AIRBUS: Aircraft Information System Security