Verification of Shared-Reading Synchronisers
Synchronisation classes are an important building block for shared memory
concurrent programs. Thus to reason about such programs, it is important to be
able to verify the implementation of these synchronisation classes, considering
atomic operations as the synchronisation primitives on which the
implementations are built. For synchronisation classes controlling exclusive
access to a shared resource, such as locks, a technique has been proposed to
reason about their behaviour. This paper proposes a technique to verify
implementations of both exclusive access and shared-reading synchronisers. We
use permission-based Separation Logic to describe the behaviour of the main
atomic operations, and the basis for our technique is formed by a specification
for class AtomicInteger, which is commonly used to implement synchronisation
classes in java.util.concurrent. To demonstrate the applicability of our
approach, we mechanically verify the implementation of various synchronisation
classes like Semaphore, CountDownLatch and Lock.
Comment: In Proceedings MeTRiD 2018, arXiv:1806.0933
Specification and verification of synchronisation classes in Java: A practical approach
Digital services are becoming an essential part of our daily lives. To provide these services, efficient software plays an important role. Concurrent programming is a technique that developers can exploit to gain more performance. In a concurrent program, several threads of execution run simultaneously. Sometimes they have to compete for access to shared resources, such as memory. This race to access shared memory can cause unexpected errors. Programmers use synchronisation constructs to tame the concurrency and control the accesses. In order to develop reliable concurrent software, the correctness of these synchronisation constructs is crucial. In this thesis we use a program logic, called permission-based Separation Logic, to statically reason about the correctness of synchronisation constructs. The logic has the power to reason about correct ownership of threads regarding shared memory. A correctly functioning synchroniser is responsible for exchanging a correct permission when a thread requests access to the shared memory. We use our VERCORS verification tool-set to verify the correctness of various synchronisation constructs. In Chapter 1 we discuss the scope of the thesis. All the required technical background about permission-based Separation Logic and synchronisation classes is explained in Chapter 2. In Chapter 3 we discuss how threads' start and join, as the minimum synchronisation points, can be verified. To verify the correctness of the synchronisation classes we first have to specify the expected behaviour of the classes. This is covered in Chapter 4, where we present a unified approach to abstractly describe the common behaviour of synchronisers. Using our specifications, one is able to reason about the correctness of client programs that access the shared state through the synchronisers. The atomic classes of java.util.concurrent are the core element of every synchronisation construct implementation.
In Chapter 5 and Chapter 6 we propose a specification for atomic classes. Using this contract, we verified the implementation of synchronisation constructs w.r.t. their specifications from Chapter 4. In our proposed contract, the specification of the atomic classes is parameterized with protocols and resource invariants, which can be defined according to the context. In Chapter 7 we propose a verification stack where each layer of the stack verifies one particular aspect of a specified concurrent program in which atomic operations are the main synchronisation constructs. We demonstrate how to verify that a non-blocking data structure is data-race free and well connected. Based on the results of the verification from the lower layers, upper layers can reason about the functional properties of the concurrent data structure. In Chapter 8 we present a sound specification and verification technique to reason about data-race freedom and functional correctness of GPU kernels that use atomic operations as their synchronisation mechanism. Finally, Chapter 9 concludes the thesis with future directions.
Mechanising and evolving the formal semantics of WebAssembly: the Web's new low-level language
WebAssembly is the first new programming language to be supported natively by all major Web browsers since JavaScript. It is designed to be a natural low-level compilation target for languages such as C, C++, and Rust, enabling programs written in these languages to be compiled and executed efficiently on the Web. WebAssembly’s specification is managed by the W3C WebAssembly Working Group (made up of representatives from a number of major tech companies). Uniquely, the language is specified by way of a full pen-and-paper formal semantics.
This thesis describes a number of ways in which I have both helped to shape the specification of WebAssembly, and built upon it. By mechanising the WebAssembly formal semantics in Isabelle/HOL while it was being drafted, I discovered a number of errors in the specification, drove the adoption of official corrections, and provided the first type soundness proof for the corrected language. This thesis also details a verified type checker and interpreter, and a security type system extension for cryptography primitives, all of which have been mechanised as extensions of my initial WebAssembly mechanisation.
A major component of the thesis is my work on the specification of shared memory concurrency in Web languages: correcting and verifying properties of JavaScript’s existing relaxed memory model, and defining the WebAssembly-specific extensions to the corrected model which have been adopted as the basis of WebAssembly’s official threads specification. A number of deficiencies in the original JavaScript model are detailed. Some errors have been corrected, with the verified fixes officially adopted into subsequent editions of the language specification. However one discovered deficiency is fundamental to the model, an instance of the well-known "thin-air problem".
My work demonstrates the value of formalisation and mechanisation in industrial programming language design, not only in discovering and correcting specification errors, but also in building confidence both in the correctness of the language’s design and in the design of proposed extensions.
2019 Google PhD Fellowship in Programming Technology and Software Engineering
Peterhouse Research Fellowship
Mission Scenario Generation and Characterization to Support Acquisition Decisions for Long Range Precision Fires-Maritime (LRPF-M)
NPS NRP Project Presentation
Naval Surface Warfare Center (NSWC), Division Dahlgren
This research is supported by funding from the Naval Postgraduate School, Naval Research Program (PE 0605853N/2098). https://nps.edu/nrp
Chief of Naval Operations (CNO)
Approved for public release. Distribution is unlimited.
Secure ADS-B: Towards Airborne Communications Security in the Federal Aviation Administration's Next Generation Air Transportation System
The U.S. Congress has mandated that all aircraft operating within the National Airspace System, military or civilian, be equipped with ADS-B transponders by the year 2020. The ADS-B aircraft tracking system, part of the Federal Aviation Administration's NextGen overhaul of the Air Transportation System, replaces radar-based surveillance with a more accurate satellite-based surveillance system. However, the unencrypted nature of ADS-B communication poses an operational security risk to military and law enforcement aircraft conducting sensitive missions. The non-standard format of its messages and the legacy communication channels used by its transponders make the ADS-B system unsuitable for traditional encryption mechanisms. FPE, a recent development in cryptography, provides the ability to encrypt arbitrarily formatted data without padding or truncation. Indeed, three new algorithms recommended by NIST may be suitable for encryption of ADS-B messages. This research assesses the security and hardware performance characteristics of the FF1, FF2, and FF3 algorithms, in terms of entropy of ciphertext, operational latency and resource utilization when implemented on a Field-Programmable Gate Array. While all of the algorithms inherit the security characteristics of the underlying AES block cipher, they exhibit differences in their performance profiles. Findings demonstrate that a Bump-in-the-Wire FPE cryptographic engine is a suitable solution for retrofitting encryption to ADS-B communication.
Rivals in Arms: Sino-U.S. Cooperation, Problems, and Solutions and Their Impact on the International UAV Industry
Research and development into drone technology has exploded in the United States in recent decades. From the operation of killer drones in the military to agricultural survey drones on farms, the proliferation of drone technology is well on its way to radically altering the American future. However, there remain numerous laws, policies, and regulations that place stifling restrictions on drone development and operations in America. Halfway across the world, China has also begun to experience the drone revolution, but with its relatively laxer laws regarding both commercial and public drone operations and manufacturing, it seems poised to surpass the United States not only in drone R&D, but in drone export as well. In recent years, China has expanded to become a prolific developer and no-questions-asked exporter of UAVs, selling to a plethora of nations ranging from Saudi Arabia to Pakistan and Nigeria. Domestically, China has relied firmly on indigenous production and R&D since the 1980s to expand its UAV technologies, expanding its UAV industry to include a variety of defense firms as well as academic research groups. However, China's drone program is not without its own issues and setbacks, forcing the Civil Aviation Administration of China (CAAC) to issue new drone regulations to be implemented on a trial basis. This paper will analyze and compare the two comprehensive UAV regulations, the stricter FAA regulations and the newer UAV regulations promulgated by the CAAC, explore the differences between the two regulatory policies (both commercial and military) and their benefits and drawbacks, and attempt to present solutions as to how the CAAC and the FAA can help build an initial framework for other nations to follow.
Unmanned Aerial Systems Research, Development, Education and Training at Embry-Riddle Aeronautical University
With technological breakthroughs in miniaturized aircraft-related components, including but not limited to communications, computer systems and sensors, state-of-the-art unmanned aerial systems (UAS) have become a reality. This fast-growing industry is anticipating and responding to a myriad of societal applications that will provide either new or more cost-effective solutions that previous technologies could not, or will replace activities that involved humans in flight with the associated risks.
Embry-Riddle Aeronautical University has a long history of aviation related research and education, and is heavily engaged in UAS activities. This document provides a summary of these activities. The document is divided into two parts. The first part provides a brief summary of each of the various activities while the second part lists the faculty associated with those activities. Within the first part of this document we have separated the UAS activities into two broad areas: Engineering and Applications. Each of these broad areas is then further broken down into six sub-areas, which are listed in the Table of Contents. The second part lists the faculty, sorted by campus (Daytona Beach---D, Prescott---P and Worldwide--W) associated with the UAS activities. The UAS activities and the corresponding faculty are cross-referenced.
We have chosen to provide very short summaries of the UAS activities rather than lengthy descriptions. Should more information be desired, please contact me directly or alternatively visit our research web pages (http://research.erau.edu) and contact the appropriate faculty member directly.
Space benefits: The secondary application of aerospace technology in other sectors of the economy
Benefit cases of aerospace technology utilization are presented for manufacturing, transportation, utilities, and health. General, organization, geographic, and field center indexes are included.
Inline and Sideline Approaches for Low-cost Memory Safety in C
System languages such as C or C++ are widely used for their high performance; however, allowing arbitrary pointer arithmetic and type casts introduces a risk of memory corruption. These memory errors cause unexpected termination of programs or, even worse, attackers can exploit them to alter the behavior of programs or leak crucial data.
Despite advances in memory safety solutions, high and unpredictable overhead remains a major challenge. Accepting that it is extremely difficult to achieve complete memory safety with the performance level suitable for production deployment, researchers attempt to strike a balance between performance, detection coverage, interoperability, precision, and detection timing. Some properties are much more desirable, e.g. the interoperability with pre-compiled libraries. Comparatively less critical properties are sacrificed for performance, for example, tolerating longer detection delay or narrowing down detection coverage by performing approximate or probabilistic checking or detecting only certain errors. Modern solutions compete for performance.
The performance metrics of memory safety solutions have two major assessment criteria: run-time and memory overhead. Researchers trade off and balance these performance metrics depending on the solution's purpose or placement. Many of them tolerate an increase in memory use for better speed, since memory safety enforcement is more desirable for troubleshooting or testing during development, where memory resources are not the main issue. Run-time overhead, considered more critical, is impacted by cache misses, dynamic instructions, DRAM row activations, branch predictions and other factors.
This research proposes, implements, and evaluates MIU: Memory Integrity Utilities, containing three solutions: MemPatrol, FRAMER and spaceMiu. MIU suggests new techniques for practical deployment of memory safety by exploiting free resources with the following focuses: (1) achieving memory safety with overhead < 1% by using concurrency and trading off prompt detection and coverage, yet still providing eventual detection through a monitor isolation design of an in-register monitor process and the use of AES instructions; (2) complete memory safety with near-zero false negatives, focusing on eliminating overhead that hardware support cannot resolve, by using a new tagged-pointer representation utilising the top unused bits of a pointer.
Research Foundation of Korea
Operational Overview for UAS Integration in the NAS Project Flight Test Series 3
The National Aeronautics and Space Administration Unmanned Aircraft Systems Integration in the National Airspace System Project has conducted a series of flight tests intended to support the reduction of barriers that prevent unmanned aircraft from flying without the required waivers from the Federal Aviation Administration. The 2015 Flight Test Series 3 supported two separate test configurations. The first configuration investigated the timing of Detect and Avoid alerting thresholds using a radar-equipped unmanned vehicle and multiple live intruders flown at varying encounter geometries. The second configuration included a surrogate unmanned vehicle (flown from a ground control station, with a safety pilot on board) flying a mission in a virtual air traffic control airspace sector using research pilot displays and Detect and Avoid advisories to maintain separation from live and virtual aircraft. The test was conducted over an eight-week span within the R-2508 Special Use Airspace. Over 200 encounters were flown for the first configuration, and although the second configuration was cancelled after three data collection flights, Flight Test 3 proved to be invaluable for the purposes of planning, managing, and executing this type of integrated flight test.