
    Automated verification of the FreeRTOS scheduler in HIP/SLEEK

    Automated verification of operating system kernels is a challenging problem, partly due to the use of shared mutable data structures. In this paper, we show how we can automatically verify memory safety and functional correctness of the task scheduler component of the FreeRTOS kernel using the verification system HIP/SLEEK. We show how HIP/SLEEK features such as user-defined predicates and lemmas make the specifications highly expressive and the verification process viable. To the best of our knowledge, this is the first code-level verification of memory safety and functional correctness properties of the FreeRTOS scheduler. The outcome of our experiment confirms that HIP/SLEEK can indeed be used to verify code that is used in production. Moreover, since the properties that we verify are quite general, we envisage that the same approach can be adopted to verify the scheduler of other operating systems.

    Automated verification of the FreeRTOS scheduler in Hip/Sleek

    DOI: 10.1007/s10009-014-0307-4, International Journal on Software Tools for Technology Transfer

    Refinement-Based Verification of the FreeRTOS Scheduler in VCC

    We describe our experience with verifying the scheduler-related functionality of FreeRTOS, a popular open-source embedded real-time operating system. We propose a methodology for carrying out refinement-based proofs of functional correctness of abstract data types in the popular code-level verifier VCC. We then apply this methodology to carry out a full machine-checked proof of the functional correctness of the FreeRTOS scheduler. We describe the bugs found during this exercise, the fixes made, and the effort involved.

    Program Analysis in A Combined Abstract Domain

    Automated verification of heap-manipulating programs is a challenging task due to the complexity of aliasing and the mutability of the data structures used in these programs. The properties of a number of important data structures do not relate to one domain only, but to a combination of several domains, as in sorted lists, priority queues, height-balanced trees and so on. The safety, and sometimes the efficiency, of programs rely on the properties of those data structures. This thesis focuses on developing a verification system for both functional correctness and memory safety of such programs, which involve heap-based data structures. Two automated inference mechanisms for heap-manipulating programs are presented in this thesis. Firstly, an abstract-interpretation-based approach is proposed to synthesise program invariants in a combined pure and shape domain; newly designed abstraction, join and widening operators have been defined for the combined domain. Secondly, a compositional analysis approach is described to discover both pre- and post-conditions of programs with a bi-abduction technique in the combined domain. Both inference approaches have been implemented, and the obtained results validate the feasibility and precision of the proposed approaches. The outcomes of the thesis confirm that it is possible and practical to analyse heap-manipulating programs automatically and precisely by using abstract interpretation in a sophisticated combined domain.

    Model Checking Boot Code from AWS Data Centers

    This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification, owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, byte-level memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis.

    Formally modelling and verifying the FreeRTOS real-time operating system

    Formal methods are an alternative way to develop software, applying mathematical techniques to software design and verification. They ensure logical consistency between the requirements and the behaviour of the software, because each step in the development process, i.e., abstracting the requirements, design, refinement and implementation, is verified by mathematical techniques. In ordinary software development, by contrast, the correctness of the software is tested at the end of the development process, which means the assurance obtained is limited and incomplete. Thus formal methods provide higher-quality software than ordinary software development. At the same time, real-time operating systems are playing increasingly important roles in embedded applications. Formal verification of this kind of software is therefore of strong interest. FreeRTOS has a wide community of users: it is regarded by many as the de facto standard for micro-controllers in embedded applications. This project formally specifies the behaviour of FreeRTOS in Z, and its consistency is verified using the Z/Eves theorem prover. This includes a precise statement of the preconditions for all API commands. Based on this model, (a) code-level annotations for verifying the task-related API are produced with Microsoft's Verifying C Compiler (VCC); and (b) an abstract model for the extension of FreeRTOS to multi-core architectures is specified in the Z notation. This work forms the basis of future work: refinement of the models to code, to produce a verified implementation for both single- and multi-core platforms.

    Embedded Machine-Learning For Variable-Rate Fertiliser Systems: A Model-Driven Approach To Precision Agriculture

    Efficient use of fertilisers, in particular of Nitrogen (N), is one of the rate-limiting factors in meeting global food production requirements. While N is a key driver in increasing crop yields, overuse can also lead to negative environmental and health impacts. It has been suggested that Variable-Rate Fertiliser (VRF) techniques may help to reduce excessive N applications. VRF seeks to spatially vary fertiliser input based on estimated crop requirements; however, a major challenge in the operational deployment of VRF systems is the automated processing of large amounts of sensor data in real time. Machine Learning (ML) algorithms have shown promise in their ability to process these large, high-velocity data streams and to produce accurate predictions. The newly developed Fuzzy Boxes (FB) algorithm has been designed with VRF applications in mind; however, no publicly available software implementation currently exists. Therefore, development of a prototype implementation of FB forms a component of this work. This thesis also employs a Hardware-in-the-Loop (HWIL) testing methodology using a potential target device in order to simulate a real-world VRF deployment environment. Using this environment simulation, two existing ML algorithms (Artificial Neural Network (ANN) and Support Vector Machine (SVM)) are compared against the prototype implementation of FB for applicability to VRF applications. It is shown that all tested algorithms could potentially be suitable for high-speed VRF when measured on prediction time and various accuracy metrics. All algorithms achieved higher than 84.5% accuracy, with FB20 reaching 87.21%. Prediction times were highly varied: the fastest average predictor was an ANN (16.64 μs), while the slowest was FB20 (502.77 μs). All average prediction times were fast enough to achieve a spatial resolution of 31 mm when operating at 60 m/s, making all tested algorithms fast enough predictors for VRF applications.

    Comparative modelling and verification of Pthreads and Dthreads

    The POSIX threads (Pthreads) library is a thread API for C/C++ for controlling parallel threads and spawning concurrent process flows. Programming in Pthreads usually suffers from undesirable deadlock, data race, and race condition problems due to the potentially nondeterministic execution behaviours of parallel threads. Dthreads, another multithreading model that re-implements Pthreads, was proposed by Liu et al. for efficient deterministic multithreading. They found that, under specific test cases, Dthreads can effectively prevent data races. However, no comparison test had been made with Pthreads. To perform a formal comparison between Pthreads and Dthreads with respect to deadlocks, data races, and race conditions, in this paper we adopt CSP (communicating sequential processes) as a formal model for specifying part of the API functions in Pthreads and Dthreads, and illustrate the model construction using 4 classical example programs. By feeding the models into the model checker PAT (process analysis toolkit), we have verified that deadlocks and data races exist in Pthreads but do not exist in Dthreads for the considered programs. We have also found that neither of them can prevent race conditions. Our comparative modelling and verification of Pthreads and Dthreads show that, although Dthreads cannot prevent all deadlock situations, as shown by the verification results of another 2 example programs, Dthreads is better than Pthreads at eliminating data races and preventing deadlocks. Considering the limited scalability of Dthreads, we have introduced a new programming model to support coarse granularity in bank transfer. Our modelling is also extended to cover the synchronization operations in Liu et al.'s work.

    Design and Development of Biofeedback Stick Technology (BfT) to Improve the Quality of Life of Walking Stick Users

    Biomedical engineering has seen rapid growth in recent times, and the aim of facilitating and equipping humans with the latest technology has become widespread globally. From high-tech equipment ranging from CT scanners, MRI equipment, and laser treatments to the design, creation, and implementation of artificial body parts, the field of biomedical engineering has contributed significantly to mankind. Biomedical engineering has facilitated many of the latest developments surrounding human mobility, with advances in mobility aids improving movement for people whose mobility is compromised by an injury or health condition. A review of the literature indicated that mobility aids, especially walking sticks, and appropriate training for their use, are generally prescribed by allied health professionals (AHP) to walking stick users for rehabilitation and activities of daily living (ADL). However, feedback from AHPs is limited to the clinical environment, leaving walking stick users vulnerable to falls and injuries due to incorrect usage. Hence, to mitigate the risk of falls and injuries, and to facilitate a routine appraisal of each patient's usage, a simple, portable, robust, and reliable tool was developed which provides walking stick users with real-time feedback upon incorrect usage during their activities of daily living (ADL). This thesis aimed to design and develop a smart walking stick technology: Biofeedback stick technology (BfT). The design incorporates the approach of patient and public involvement (PPI) in the development of BfT to ensure that BfT was developed according to the requirements of walking stick users and AHP recommendations. The newly developed system was tested quantitatively for validity, reliability, and reproducibility against gold-standard equipment such as a 3D motion capture system, force plates, and an optical measurement system for orientation, weight bearing, and step count. The system was also tested qualitatively for its usability by conducting semi-informal interviews with AHPs and walking stick users. The results of these studies showed that the newly developed system has good accuracy, reported above 95% with a maximum inaccuracy of 1°. The data reported indicate good reproducibility. The angles, weight, and steps recorded by the system during experiments are within the values published in the literature. From these studies, it was concluded that BfT has the potential to improve the lives of walking stick users and that, with a few additional improvements, appropriate approval from the relevant regulatory bodies, and robust clinical testing, the technology has huge potential to carve its way to a commercial market.