30 research outputs found
Proceedings of the Second NASA Formal Methods Symposium
This publication contains the proceedings of the Second NASA Formal Methods Symposium sponsored by the National Aeronautics and Space Administration and held in Washington D.C. April 13-15, 2010. Topics covered include: Decision Engines for Software Analysis using Satisfiability Modulo Theories Solvers; Verification and Validation of Flight-Critical Systems; Formal Methods at Intel -- An Overview; Automatic Review of Abstract State Machines by Meta Property Verification; Hardware-independent Proofs of Numerical Programs; Slice-based Formal Specification Measures -- Mapping Coupling and Cohesion Measures to Formal Z; How Formal Methods Impels Discovery: A Short History of an Air Traffic Management Project; A Machine-Checked Proof of A State-Space Construction Algorithm; Automated Assume-Guarantee Reasoning for Omega-Regular Systems and Specifications; Modeling Regular Replacement for String Constraint Solving; Using Integer Clocks to Verify the Timing-Sync Sensor Network Protocol; Can Regulatory Bodies Expect Efficient Help from Formal Methods?; Synthesis of Greedy Algorithms Using Dominance Relations; A New Method for Incremental Testing of Finite State Machines; Verification of Faulty Message Passing Systems with Continuous State Space in PVS; Phase Two Feasibility Study for Software Safety Requirements Analysis Using Model Checking; A Prototype Embedding of Bluespec System Verilog in the PVS Theorem Prover; SimCheck: An Expressive Type System for Simulink; Coverage Metrics for Requirements-Based Testing: Evaluation of Effectiveness; Software Model Checking of ARINC-653 Flight Code with MCP; Evaluation of a Guideline by Formal Modelling of Cruise Control System in Event-B; Formal Verification of Large Software Systems; Symbolic Computation of Strongly Connected Components Using Saturation; Towards the Formal Verification of a Distributed Real-Time Automotive System; Slicing AADL Specifications for Model Checking; Model Checking with Edge-valued Decision Diagrams; and Data-flow based Model Analysis
Learning Linear Temporal Properties
We present two novel algorithms for learning formulas in Linear Temporal
Logic (LTL) from examples. The first learning algorithm reduces the learning
task to a series of satisfiability problems in propositional Boolean logic and
produces a smallest LTL formula (in terms of the number of subformulas) that is
consistent with the given data. Our second learning algorithm, on the other
hand, combines the SAT-based learning algorithm with classical algorithms for
learning decision trees. The result is a learning algorithm that scales to
real-world scenarios with hundreds of examples, but can no longer guarantee to
produce minimal consistent LTL formulas. We compare both learning algorithms
and demonstrate their performance on a wide range of synthetic benchmarks.
Additionally, we illustrate their usefulness on the task of understanding
executions of a leader election protocol
SOTER: A Runtime Assurance Framework for Programming Safe Robotics Systems
The recent drive towards achieving greater autonomy and intelligence in
robotics has led to high levels of complexity. Autonomous robots increasingly
depend on third party off-the-shelf components and complex machine-learning
techniques. This trend makes it challenging to provide strong design-time
certification of correct operation.
To address these challenges, we present SOTER, a robotics programming
framework with two key components: (1) a programming language for implementing
and testing high-level reactive robotics software and (2) an integrated runtime
assurance (RTA) system that helps enable the use of uncertified components,
while still providing safety guarantees. SOTER provides language primitives to
declaratively construct a RTA module consisting of an advanced,
high-performance controller (uncertified), a safe, lower-performance controller
(certified), and the desired safety specification. The framework provides a
formal guarantee that a well-formed RTA module always satisfies the safety
specification, without completely sacrificing performance by using higher
performance uncertified components whenever safe. SOTER allows the complex
robotics software stack to be constructed as a composition of RTA modules,
where each uncertified component is protected using a RTA module.
To demonstrate the efficacy of our framework, we consider a real-world
case-study of building a safe drone surveillance system. Our experiments both
in simulation and on actual drones show that the SOTER-enabled RTA ensures the
safety of the system, including when untrusted third-party components have bugs
or deviate from the desired behavior
Proceedings of the First NASA Formal Methods Symposium
Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis Of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000
Local Reasoning for Global Graph Properties
Separation logics are widely used for verifying programs that manipulate
complex heap-based data structures. These logics build on so-called separation
algebras, which allow expressing properties of heap regions such that
modifications to a region do not invalidate properties stated about the
remainder of the heap. This concept is key to enabling modular reasoning and
also extends to concurrency. While heaps are naturally related to mathematical
graphs, many ubiquitous graph properties are non-local in character, such as
reachability between nodes, path lengths, acyclicity and other structural
invariants, as well as data invariants which combine with these notions.
Reasoning modularly about such graph properties remains notoriously difficult,
since a local modification can have side-effects on a global property that
cannot be easily confined to a small region.
In this paper, we address the question: What separation algebra can be used
to avoid proof arguments reverting back to tedious global reasoning in such
cases? To this end, we consider a general class of global graph properties
expressed as fixpoints of algebraic equations over graphs. We present
mathematical foundations for reasoning about this class of properties, imposing
minimal requirements on the underlying theory that allow us to define a
suitable separation algebra. Building on this theory we develop a general proof
technique for modular reasoning about global graph properties over program
heaps, in a way which can be integrated with existing separation logics. To
demonstrate our approach, we present local proofs for two challenging examples:
a priority inheritance protocol and the non-blocking concurrent Harris list
Learning Invariants using Decision Trees and Implication Counterexamples
Inductive invariants can be robustly synthesized using a learning model where the teacher is a program verifier who instructs the learner through concrete program configurations, classified as positive, negative, and implications. We propose the first learning algorithms in this model with implication counter-examples that are based on scalable machine learning techniques. In particular, we extend decision tree learning algorithms, building new scalable and heuristic ways to construct small decision trees using statistical measures that account for implication counterexamples. We implement the learners and an appropriate teacher, and show that they are scalable, efficient and convergent in synthesizing adequate inductive invariants in a suite of more than 50 programs.Ope
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
Contemporary fuzz testing techniques focus on identifying memory corruption
vulnerabilities that allow adversaries to achieve either remote code execution
or information disclosure. Meanwhile, Algorithmic Complexity
(AC)vulnerabilities, which are a common attack vector for denial-of-service
attacks, remain an understudied threat. In this paper, we present HotFuzz, a
framework for automatically discovering AC vulnerabilities in Java libraries.
HotFuzz uses micro-fuzzing, a genetic algorithm that evolves arbitrary Java
objects in order to trigger the worst-case performance for a method under test.
We define Small Recursive Instantiation (SRI) as a technique to derive seed
inputs represented as Java objects to micro-fuzzing. After micro-fuzzing,
HotFuzz synthesizes test cases that triggered AC vulnerabilities into Java
programs and monitors their execution in order to reproduce vulnerabilities
outside the fuzzing framework. HotFuzz outputs those programs that exhibit high
CPU utilization as witnesses for AC vulnerabilities in a Java library. We
evaluate HotFuzz over the Java Runtime Environment (JRE), the 100 most popular
Java libraries on Maven, and challenges contained in the DARPA Space and Time
Analysis for Cybersecurity (STAC) program. We evaluate SRI's effectiveness by
comparing the performance of micro-fuzzing with SRI, measured by the number of
AC vulnerabilities detected, to simply using empty values as seed inputs. In
this evaluation, we verified known AC vulnerabilities, discovered previously
unknown AC vulnerabilities that we responsibly reported to vendors, and
received confirmation from both IBM and Oracle. Our results demonstrate that
micro-fuzzing finds AC vulnerabilities in real-world software, and that
micro-fuzzing with SRI-derived seed inputs outperforms using empty values.Comment: Network and Distributed Systems Security (NDSS) Symposium, San Diego,
CA, USA, February 202
Routing in the Space Internet: A contact graph routing tutorial
A Space Internet is possible, as long as the delay and disruption challenges imposed by the space environment are properly tackled. Because these conditions are not well addressed by terrestrial Internet, more capable Delay-Tolerant Networking (DTN) protocols and algorithms are being developed. In particular, the principles and techniques for routing among ground elements and spacecraft in near-Earth orbit and deep-space are enacted in the Contact Graph Routing (CGR) framework. CGR blends a set of non-trivial algorithm adaptations, space operations concepts, time-dynamic scheduling, and specific graph models. The complexity of that framework suggests a need for a focused discussion to facilitate its direct and correct apprehension. To this end, we present an in-depth tutorial that collects and organizes first-hand experience on researching, developing, implementing, and standardizing CGR. Content is laid out in a structure that considers the planning, route search and management, and forwarding phases bridging ground and space domains. We rely on intuitive graphical examples, supporting code material, and references to flight-grade CGR implementations details where pertinent. We hope this tutorial will serve as a valuable resource for engineers and that researchers can also apply the insights presented here to topics in DTN research.Fil: Fraire, Juan Andres. Universidad Nacional de Córdoba. Facultad de Ciencias Exactas, Físicas y Naturales; Argentina. Universitat Saarland; AlemaniaFil: De Jonckère, Olivier. Technische Universität Dresden; AlemaniaFil: Burleigh, Scott C.. California Institute of Technology; Estados Unido
Protection Models for Web Applications
Early web applications were a set of static web pages connected to one another. In contrast, modern applications are full-featured programs that are nearly equivalent to desktop applications in functionality. However, web servers and web browsers, which were initially designed for static web pages, have not updated their protection models to deal with the security consequences of these full-featured programs. This mismatch has been the source of several security problems in web applications.
This dissertation proposes new protection models for web applications. The design and implementation of prototypes of these protection models in a web server and a web browser are also described. Experiments are used to demonstrate the improvements in security and performance from using these protection models. Finally, this dissertation also describes systematic design methods to support the security of web applications