8 research outputs found

    Formal Verification of Cyberphysical Systems

    Computer hosts a virtual roundtable with seven experts to discuss the formal specification and verification of cyberphysical systems. (Record marked 17 USC 105, US Government work; interim-entered, under review.)
    http://hdl.handle.net/10945/6944

    SecFloat: Accurate Floating-Point meets Secure 2-Party Computation

    We build a library, SecFloat, for secure 2-party computation (2PC) of 32-bit single-precision floating-point operations and math functions. The existing functionalities used in cryptographic works are imprecise, and the precise functionalities used in standard libraries are not crypto-friendly, i.e., they use operations that are cheap on CPUs but have exorbitant cost in 2PC. SecFloat bridges this gap with novel crypto-friendly precise functionalities. Compared to prior cryptographic libraries, SecFloat is up to six orders of magnitude more precise and up to two orders of magnitude more efficient. Furthermore, against a precise 2PC baseline, SecFloat is three orders of magnitude more efficient. The high precision of SecFloat leads to the first accurate implementation of secure inference. All prior works on secure inference of deep neural networks rely on ad hoc float-to-fixed converters. We evaluate a model where the fixed-point approximations used in privacy-preserving machine learning completely fail and floating-point is necessary, emphasizing the need for libraries like SecFloat.

    Structural model checking

    The introduction of symbolic approaches, based on Binary Decision Diagrams (BDDs), to model checking has led to significant improvements in formal verification by allowing the analysis of very large systems, such as complex circuit designs, that were previously beyond the reach of traditional explicit methods due to the state-space explosion phenomenon. After the initial success, however, BDD technology has peaked due to a similar problem: BDD explosion.

    We present a new approach to symbolic model checking that is based on exploiting the system structure. This technique is characterized by several unique features, including an encoding of states with Multiway Decision Diagrams (MDDs) and of transitions with boolean Kronecker matrices. This approach naturally captures the property of event locality, inherently present in the class of globally asynchronous/locally synchronous systems.

    The most important contribution of our work is the saturation algorithm for state-space construction. Using saturation, the peak size of the MDD during the exploration is drastically reduced, often to sizes equal or comparable to the final MDD size, which makes it optimal in these terms. Consequently, saturation achieves similar reductions in runtime. Compared to the leading state-of-the-art tools based on traditional symbolic approaches, saturation is up to 100,000 times faster and uses up to 1,000 times less memory. This enables our approach to study much larger systems than ever considered. Following the success in state-space exploration, we extend the applicability of the saturation algorithm to CTL model checking, and also to the efficient generation of shortest-length counterexamples for safety properties, with similar results.

    This approach to automatic verification is implemented in the tool SMART. We test the new model checker on a real-life, industrial-size application: the NASA Runway Safety Monitor (RSM). The analysis exposes a number of potential problems with the decision procedure designed to signal all hazardous situations during takeoff and landing procedures on runways. Attempts to verify RSM with other model checkers (NuSMV, SPIN) fail due to excessive memory consumption, showing that our structural method is superior to existing symbolic approaches.

    Directing greybox fuzzing to discover bugs in hardware and software

    Computer systems are deeply integrated into our daily routines, such as online shopping, checking email, and posting photos on social media platforms. Unfortunately, with the wide range of functionality and sensitive information stored in computer systems, they have become fruitful targets for attackers. Cybersecurity Ventures estimates that the cost of cyber attacks will reach $10.5 trillion USD annually by 2025. Moreover, data breaches have resulted in the leakage of millions of people's social security numbers, social media account passwords, and healthcare information. With the increasing complexity and connectivity of computer systems, the intensity and volume of cyber attacks will continue to increase. Attackers will continuously look for bugs in systems and ways to exploit them to gain unauthorized access or leak sensitive information. Minimizing bugs in systems is essential to remediate security weaknesses. To this end, researchers have proposed a myriad of methods to discover bugs. In the software domain, one prominent method is fuzzing, the process of repeatedly running a program under test with "random" inputs to trigger bugs. Among the different variants of fuzzing, greybox fuzzing (GF) has seen especially widespread adoption thanks to its practicality and bug-finding capability. In GF, the fuzzer collects feedback from the program (e.g., code coverage) during its execution and guides input generation based on that feedback. Due to its success in finding bugs in the software domain, GF has gained traction in the hardware domain as well. Several works adapted GF to the hardware domain by addressing the differences between hardware and software, and demonstrated that GF can be leveraged to discover bugs in hardware designs such as processors.

    In this thesis, we propose three different fuzzing mechanisms, one for software and two for hardware, to expose bugs in the multiple layers of systems. Each mechanism focuses on a different aspect of GF to help the fuzzing procedure trigger bugs in hardware and software. The first mechanism, TargetFuzz, focuses on producing an effective seed corpus when fuzzing software. The seed corpus consists of a set of inputs serving as starting points for the fuzzer. We demonstrate that carefully selecting seeds to steer GF towards potentially buggy code regions increases the bug-finding capability of GF. Compared to prior work, TargetFuzz discovered 10 additional bugs and achieved a 4.03× speedup, on average, in the total elapsed time to find bugs.

    The second mechanism, DirectFuzz, adapts a specific variant of GF for software, namely directed greybox fuzzing (DGF), to the hardware domain. The main use case of DGF in software is patch testing, where the goal is to steer fuzzing towards recently modified code regions. Similar to software, hardware design is an incremental and continuous process, so it is important to prioritize testing of a new component in a hardware design over previously well-tested components. DirectFuzz takes several differences between hardware and software (such as clock sensitivity, concurrent execution of multiple code fragments, and hardware-specific coverage) into account to successfully adapt DGF to the hardware domain. DirectFuzz relies on coverage feedback applicable to a wide range of hardware designs and requires limited design knowledge. While this increases its ease of adoption for many different hardware designs, its effectiveness (i.e., bug-finding success) becomes limited in certain hardware designs such as processors. Overall, compared to a state-of-the-art hardware fuzzer, DirectFuzz covers specified target sites (e.g., modified hardware regions) 2.23× faster.

    Our third mechanism, ProcessorFuzz, relies on novel coverage feedback tailored to processors to increase the effectiveness of fuzzing processors. Specifically, ProcessorFuzz monitors value changes in the control and status registers that form the backbone of a processor. ProcessorFuzz addresses several drawbacks of existing work in processor fuzzing: existing works can introduce significant instrumentation overhead, result in misleading guidance, and lack support for widely used hardware languages. ProcessorFuzz revealed 8 new bugs in widely used open-source processors and identified bugs 1.23× faster than prior work.
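    The greybox loop the abstract describes (run, collect coverage, keep inputs that reach new code) and the directed variant (prefer seeds closest to a target site, as in patch testing) fit in a few dozen lines. The following is an added illustration, not code from the thesis or from TargetFuzz, DirectFuzz or ProcessorFuzz: the target program, its block identifiers, the static distance map and the mutators are all constructed here, standing in for compiler or RTL instrumentation and a CFG distance analysis.

```python
import random

# Constructed target program: a tiny header check whose deepest branch hides
# a bug. Each branch records the basic block it reaches in `trace`, which is
# what coverage instrumentation (binary or RTL) would report to the fuzzer.
def target(data: bytes, trace: set) -> None:
    trace.add("entry")
    if len(data) < 4:
        trace.add("short")
        return
    if data[0] == ord("F"):
        trace.add("magic0")
        if data[1] == ord("Z"):
            trace.add("magic1")
            if data[2] == ord("Z"):
                trace.add("magic2")
                if data[3] > 0x7F:
                    trace.add("bug")  # target site, e.g. a freshly patched region
                    raise RuntimeError("crash")
    trace.add("exit")

# Static distance-to-target map a directed fuzzer derives from the CFG:
# number of branches still to pass between a block and the target "bug".
DISTANCE = {"bug": 0, "magic2": 1, "magic1": 2, "magic0": 3,
            "entry": 4, "short": 4, "exit": 4}

def seed_distance(coverage: set) -> int:
    """A seed's distance is that of the closest block it reaches."""
    return min(DISTANCE[b] for b in coverage)

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Three classic byte-level mutators: overwrite, append, bit flip."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.append(rng.randrange(256))
    elif op == 2 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def run(data: bytes):
    """Execute the target once; return (coverage, crashed)."""
    cov = set()
    try:
        target(data, cov)
        return cov, False
    except RuntimeError:
        return cov, True

def fuzz(seeds, budget: int, directed: bool, rng_seed: int = 1) -> dict:
    """Greybox loop: pick a seed, mutate, run, keep inputs that add coverage.
    With directed=True, seeds closer to the target site are picked more often
    (the directed greybox fuzzing scheduling idea)."""
    rng = random.Random(rng_seed)
    corpus, global_cov = [], set()
    for s in seeds:
        cov, crashed = run(s)
        if crashed:
            return {"crash": s, "execs": 0, "coverage": cov}
        corpus.append((s, cov))
        global_cov |= cov
    for execs in range(1, budget + 1):
        if directed:
            weights = [1.0 / (1 + seed_distance(c)) for _, c in corpus]
            parent = rng.choices(corpus, weights=weights)[0][0]
        else:
            parent = rng.choice(corpus)[0]
        child = mutate(parent, rng)
        cov, crashed = run(child)
        if crashed:
            return {"crash": child, "execs": execs, "coverage": global_cov | cov}
        if not cov <= global_cov:  # reached a new block: promote to seed
            corpus.append((child, cov))
            global_cov |= cov
    return {"crash": None, "execs": budget, "coverage": global_cov}
```

    A seed such as `b"FZZ\x00"` already sits one branch away from the target, so a few hundred executions typically suffice; starting from an unrelated seed the same loop has to discover each magic byte through coverage feedback first, which is the gap TargetFuzz's seed selection and DirectFuzz's distance-based scheduling are meant to close.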

    Toatie : functional hardware description with dependent types

    Describing correct circuits remains a tall order, despite four decades of evolution in Hardware Description Languages (HDLs). Many enticing circuit architectures require recursive structures or complex compile-time computation — two patterns that prove difficult to capture in traditional HDLs. In a signal processing context, the Fast FIR Algorithm (FFA) structure for efficient parallel filtering proves to be naturally recursive, and most Multiple Constant Multiplication (MCM) blocks decompose multiplications into graphs of simple shifts and adds using demanding compile time computation. Generalised versions of both remain mostly in academic folklore. The implementations which do exist are often ad hoc circuit generators, written in software languages. These pose challenges for verification and are resistant to composition. Embedded functional HDLs, that represent circuits as data, allow for these descriptions at the cost of forcing the designer to work at the gate-level. A promising alternative is to use a stand-alone compiler, representing circuits as plain functions, exemplified by the CλaSH HDL. This, however, raises new challenges in capturing a circuit’s staging — which expressions in the single language should be reduced during compile-time elaboration, and which should remain in the circuit’s run-time? To better reflect the physical separation between circuit phases, this work proposes a new functional HDL (representing circuits as functions) with first-class staging constructs. Orthogonal to this, there are also long-standing challenges in the verification of parameterised circuit families. Industry surveys have consistently reported that only a slim minority of FPGA projects reach production without non-trivial bugs. While a healthy growth in the adoption of automatic formal methods is also reported, the majority of testing remains dynamic — presenting difficulties for testing entire circuit families at once. 
    This research offers an alternative verification methodology via the combination of dependent types and automatic synthesis of user-defined data types. Given precise enough types for synthesisable data, this environment can be used to develop circuit families with full functional verification in a correct-by-construction fashion. This approach allows for verification of entire circuit families (not just one concrete member) and side-steps the state-space explosion of model checking methods. Beyond the existing work, this research offers synthesis of combinatorial circuits, not just a software model of their behaviour. This additional step requires careful consideration of staging, erasure and irrelevance, deriving bit representations of user-defined data types, and a new synthesis scheme. This thesis contributes steps towards HDLs with sufficient expressivity for awkward, combinatorial signal processing structures, allowing for a correct-by-construction approach, and a prototype compiler for netlist synthesis.

    Requirements Specification, Behavioral Specification and Checking of object-oriented Interlocking Systems using Multi-Object Logics, UML State Machines and Multi-Object Checking

    Due to their programmability and their high capability, computers have entered almost all areas of everyday life. In order to use computer-based systems in a safety-critical environment, the proper function of hardware and software has to be certified. For economic reasons, the development of safety-critical systems requires automatable methods that support providing such evidence. Whereas the relevant standards recommend the application of formal and therefore automatable methods, criteria for how to apply which formalism adequately, let alone efficiently, do not yet exist. Because of the large number of available development tools, modeling languages such as the Unified Modeling Language (UML) have become more and more popular; however, UML does not meet the requirements for formality or for verification support.

    In this thesis, a methodology to support the development process of safety-critical systems is developed, using an example from railway control and safety technology. The methodology reuses UML concepts in such a way that existing development tools remain applicable. The methodology includes the formalization of functional requirements as formulas of the multi-object logic D1, which are interpreted over multiply extended Kripke structures. Multiply extended Kripke structures are also the basis for communicating state machines, which can be generated by decomposing UML state machines, so UML state machines become applicable in the behavior specification phase. Due to the common basis of the requirements and the behavioral specification, the efficient, automatable Multi-Object Checking procedure can be used for verification. In this thesis, the Multi-Object Checking procedure is extended by a scenario-generation feature for the case that a Multi-Object Checking property does not hold. This feature serves both verification, for fault localization in the model, and validation, for test-case generation, so that not only verification but also validation is supported. The applicability of the methodology is demonstrated on a case study, the development of an interlocking logic.
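    Two of the abstracts above, the structural model checking one (shortest counterexamples for safety properties) and this interlocking one (scenario generation when a property does not hold), rest on the same idea: explore the reachable state space and, when a bad state is found, hand back the shortest event sequence leading to it. The following is an added example, not code from either thesis and not the saturation or Multi-Object Checking algorithm; it uses plain explicit-state breadth-first search, which is exactly the approach those works improve on, over a constructed two-route interlocking model. The route names, events and the conflict rule are assumptions made for the illustration.

```python
from collections import deque

def bfs_safety_check(initial, transitions, is_bad):
    """Explicit-state breadth-first reachability.

    Returns (trace, n_states): trace is None when no reachable state violates
    the safety property, otherwise the shortest event sequence from `initial`
    to a violating state (the counterexample / error scenario). n_states is the
    number of states discovered before the search stopped. BFS order is what
    makes the counterexample minimal."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if is_bad(s):
            trace = []
            while parent[s] is not None:
                prev, event = parent[s]
                trace.append(event)
                s = prev
            return list(reversed(trace)), len(parent)
        for event, t in transitions(s):
            if t not in parent:
                parent[t] = (s, event)
                queue.append(t)
    return None, len(parent)

# Constructed interlocking model: routes R1 and R2 both use track section T.
# State = (r1_set, r2_set, t_occupied). With check_conflict=False the
# route-setting rule only looks at occupancy, not at the conflicting route.
def interlocking_transitions(check_conflict: bool):
    def transitions(state):
        r1, r2, occ = state
        out = []
        if not r1 and not occ and (not check_conflict or not r2):
            out.append(("set_R1", (True, r2, occ)))
        if not r2 and not occ and (not check_conflict or not r1):
            out.append(("set_R2", (r1, True, occ)))
        if (r1 or r2) and not occ:
            out.append(("train_enters_T", (r1, r2, True)))
        if occ:  # train clears the section and the routes are released
            out.append(("train_leaves_T", (False, False, False)))
        return out
    return transitions

def both_routes_set(state):
    """Safety violation: two conflicting routes locked at the same time."""
    r1, r2, _ = state
    return r1 and r2

def check_interlocking(check_conflict: bool):
    return bfs_safety_check((False, False, False),
                            interlocking_transitions(check_conflict),
                            both_routes_set)
```

    For the faulty rule the check returns the two-step scenario `set_R1, set_R2`, which is the kind of trace that localises the fault in the model and doubles as a test case; with the conflict check in place no bad state is reachable. The same property on a real interlocking with dozens of routes is where explicit enumeration runs out of memory and symbolic methods such as saturation take over.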

    Generalized simulation relations with applications in automata theory

    Finite-state automata are a central computational model in computer science, with numerous and diverse applications. In one such application, viz. model checking, automata over infinite words play a central role. In this thesis, we concentrate on Büchi automata (BA), which are arguably the simplest finite-state model recognizing languages of infinite words. Two algorithmic problems are paramount in the theory of automata: language inclusion and automata minimization. Both are PSPACE-complete, so under standard complexity-theoretic assumptions no deterministic algorithm with worst-case polynomial time can be expected. In this thesis, we develop techniques to tackle these problems.

    In automata minimization, one seeks the smallest automaton recognizing a given language ("small" meaning with few states). Despite the PSPACE-hardness of minimization, the size of an automaton can often be reduced substantially by means of quotienting. In quotienting, states deemed equivalent according to a given equivalence are merged; if this merging preserves the language, the equivalence is said to be Good for Quotienting (GFQ). In general, quotienting cannot achieve exact minimization, but in practice it can still offer a very good reduction in size. The central topic of this thesis is the design of GFQ equivalences for Büchi automata. A particularly successful approach to the design of GFQ equivalences is based on simulation relations. Simulation relations are a powerful tool to compare the local behavior of automata. The main contribution of this thesis is to generalize simulations by relaxing locality in three orthogonal ways: by fixing the input word in advance (fixed-word simulations, Ch. 3), by allowing jumps (jumping simulations, Ch. 4), and by using multiple pebbles (multipebble simulations for alternating BA, Ch. 5). In each case, we show that our generalized simulations induce GFQ equivalences. For fixed-word simulation, we argue that it is the coarsest GFQ simulation implying language inclusion, by showing that it subsumes a natural hierarchy of GFQ multipebble simulations.

    From a theoretical perspective, our study significantly extends the theory of simulations for BA; relaxing locality is a general principle, and it may find useful applications outside automata theory. From a practical perspective, we obtain GFQ equivalences coarser than previously possible. This yields smaller quotient automata, which is beneficial in applications. Finally, we show how simulation relations have recently been applied to significantly optimize exact (exponential) language inclusion algorithms (Ch. 6), thus extending their practical applicability.
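    The baseline the thesis generalises is ordinary (local) direct simulation and the quotient it induces. The following is an added example, not code from the thesis: it computes direct simulation on a Büchi automaton as a greatest fixpoint and merges mutually simulating states. The four-state automaton is constructed for the illustration.

```python
def direct_simulation(states, alphabet, delta, accepting):
    """Greatest-fixpoint computation of direct simulation on a Büchi automaton.
    A pair (q, p) survives iff (q accepting implies p accepting) and every
    a-successor of q is simulated by some a-successor of p. Refinement is
    simultaneous, so the loop converges to the greatest such relation."""
    def succ(q, a):
        return delta.get((q, a), frozenset())
    sim = {(q, p) for q in states for p in states
           if q not in accepting or p in accepting}
    while True:
        removed = {(q, p) for (q, p) in sim
                   if not all(any((q2, p2) in sim for p2 in succ(p, a))
                              for a in alphabet for q2 in succ(q, a))}
        if not removed:
            return sim
        sim -= removed

def quotient(states, alphabet, delta, accepting, sim):
    """Merge mutually simulating states. Direct-simulation equivalence is GFQ,
    so the quotient accepts the same omega-language as the original."""
    cls = {q: frozenset(p for p in states if (q, p) in sim and (p, q) in sim)
           for q in states}
    q_states = set(cls.values())
    q_delta = {}
    for (q, a), targets in delta.items():
        q_delta.setdefault((cls[q], a), set()).update(cls[t] for t in targets)
    q_accepting = {c for c in q_states if any(q in accepting for q in c)}
    return q_states, q_delta, q_accepting

# Constructed example over {a, b}: states 1 and 2 both carry an accepting
# a-loop, so they simulate each other; state 3 is a non-accepting copy of 1,
# simulated by 1 but not vice versa.
STATES = {0, 1, 2, 3}
ALPHABET = {"a", "b"}
DELTA = {(0, "a"): {1, 3}, (0, "b"): {2},
         (1, "a"): {1}, (2, "a"): {2}, (3, "a"): {3}}
ACCEPTING = {1, 2}

def example():
    sim = direct_simulation(STATES, ALPHABET, DELTA, ACCEPTING)
    return sim, quotient(STATES, ALPHABET, DELTA, ACCEPTING, sim)
```

    Quotienting collapses 1 and 2 into one class and leaves three states. State 3 is not merged, because simulation is only one-way there; the relation 3 ⊑ 1 is nonetheless useful, since 3 is a "little brother" of 1 on the a-transition out of 0 and that transition can be pruned without changing the language. The multipebble, fixed-word and jumping relations of the thesis are coarser than this local relation and therefore merge more.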

    Verified transformations for convex programming

    This thesis is concerned with developing and enhancing several components of CvxLean, a convex optimization modeling framework based on the mechanical proof assistant Lean 4. Convex programming studies the class of optimization problems that are either convex (convex objective function and feasible set) or equivalent to a convex problem. In practice, solvers expect the input to be in conic form, a low-level representation of the problem. Transforming a problem to an equivalent problem in conic form is not straightforward: it often requires several steps and uses properties of the functions involved in the problem in nontrivial ways. This is exactly the process that we formally verify in this work. The main transformation we verified is the "DCP transformation" step. This required formalizing and extending disciplined convex programming (DCP), a popular technique to transform problems into conic form. It works by iteratively replacing applications of well-understood functions with new variables and conic constraints. In our development, each replacement is augmented with proof obligations that are then combined to produce an overall proof of equivalence between the starting problem and its conic-form counterpart. DCP requires problems to follow a strict set of rules, and users often need to adjust how they write problems to follow these rules. Instead, we propose an automated and verified "pre-DCP transformation" step using an e-graph-based rewriting system. This procedure explores the space of equivalent problems and finds a sequence of rewrites to transform initial user problems into DCP-compliant forms. The applicability of the methods that we describe throughout the thesis to real-world problems is backed by a number of examples and case studies.
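    The "strict set of rules" that DCP imposes is a curvature calculus over expression trees, and the pre-DCP step is a rewrite that turns a rule-violating constraint into an equivalent one the calculus accepts. The following added example (not CvxLean code, and in Python rather than Lean) implements the standard DCP composition rules over a small atom library and one hand-written pre-DCP rewrite; the atom table, the expression classes and the single rewrite rule are assumptions made for the illustration, where CvxLean uses a formalized rule set and e-graph search.

```python
import math

AFFINE, CONVEX, CONCAVE, UNKNOWN = "affine", "convex", "concave", "unknown"
POS, NEG, ANY = "positive", "negative", "unknown"

class Var:
    def __init__(self, name, sign=ANY): self.name, self.sign = name, sign
class Const:
    def __init__(self, value): self.value = value
class Add:
    def __init__(self, *args): self.args = args
class Mul:   # product of two sub-expressions
    def __init__(self, a, b): self.a, self.b = a, b
class Atom:  # application of a library function with known curvature
    def __init__(self, fn, arg): self.fn, self.arg = fn, arg

# Constructed atom library: (curvature, monotonicity as a function of the
# argument sign, result sign). square is increasing for x>=0, decreasing for x<=0.
ATOMS = {
    "exp":    (CONVEX,  lambda s: "inc", POS),
    "log":    (CONCAVE, lambda s: "inc", ANY),
    "sqrt":   (CONCAVE, lambda s: "inc", POS),
    "square": (CONVEX,  lambda s: {POS: "inc", NEG: "dec"}.get(s, "none"), POS),
}

def flip(c):
    return {CONVEX: CONCAVE, CONCAVE: CONVEX}.get(c, c)

def sign(e):
    if isinstance(e, Var): return e.sign
    if isinstance(e, Const): return POS if e.value >= 0 else NEG
    if isinstance(e, Atom): return ATOMS[e.fn][2]
    if isinstance(e, Add):
        ss = {sign(a) for a in e.args}
        return ss.pop() if len(ss) == 1 else ANY
    sa, sb = sign(e.a), sign(e.b)
    return ANY if ANY in (sa, sb) else (POS if sa == sb else NEG)

def curvature(e):
    """DCP curvature propagation: affine atoms, sums of like curvature,
    scaling by constants, and the composition rule for library functions."""
    if isinstance(e, (Var, Const)): return AFFINE
    if isinstance(e, Add):
        cs = {curvature(a) for a in e.args} - {AFFINE}
        return AFFINE if not cs else (cs.pop() if len(cs) == 1 else UNKNOWN)
    if isinstance(e, Mul):  # DCP only allows multiplication by a constant
        if isinstance(e.a, Const): return flip(curvature(e.b)) if e.a.value < 0 else curvature(e.b)
        if isinstance(e.b, Const): return flip(curvature(e.a)) if e.b.value < 0 else curvature(e.a)
        return UNKNOWN
    fc, mono, _ = ATOMS[e.fn]
    ac, m = curvature(e.arg), mono(sign(e.arg))
    if ac == AFFINE: return fc
    if ac == UNKNOWN: return UNKNOWN
    # convex o (increasing, convex) and convex o (decreasing, concave) are convex; dually for concave
    if (m == "inc" and ac == fc) or (m == "dec" and ac == flip(fc)): return fc
    return UNKNOWN

def is_dcp(lhs, op, rhs):
    """DCP constraint rules: convex <= concave, concave >= convex, affine == affine."""
    lc, rc = curvature(lhs), curvature(rhs)
    if op == "<=": return lc in (AFFINE, CONVEX) and rc in (AFFINE, CONCAVE)
    if op == ">=": return lc in (AFFINE, CONCAVE) and rc in (AFFINE, CONVEX)
    return lc == AFFINE and rc == AFFINE

def pre_dcp(lhs, op, rhs):
    """One pre-DCP rewrite: x*y >= c with x, y > 0 and c > 0 is bilinear and
    rejected, but log x + log y >= log c is concave >= affine and equivalent
    on the positive orthant. CvxLean finds such sequences with an e-graph."""
    if (op == ">=" and isinstance(lhs, Mul) and isinstance(rhs, Const)
            and rhs.value > 0 and sign(lhs.a) == POS and sign(lhs.b) == POS):
        return Add(Atom("log", lhs.a), Atom("log", lhs.b)), ">=", Const(math.log(rhs.value))
    return lhs, op, rhs
```

    Note that the calculus is sound but incomplete: `square(sqrt(x))` equals `x` for `x > 0`, yet it is rejected because a convex atom applied to a concave argument does not match any composition rule. That gap is exactly what a pre-DCP rewrite step is for, and why a verified one matters: every rewrite must be proven equivalence-preserving, not just DCP-compliant.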