124 research outputs found
COAST: from Petri nets to assisted planning
COAST is a tool for assisting military planning. Its distributed architecture comprises a server built around a Petri net analysis engine, while the graphical interface provided by the client hides the use of formal methods from the user. Synchronizations between the tasks to be planned are an essential aspect of COAST. In this article, after a general presentation of the problem and of the tool, we describe these synchronizations and show how they are modelled and implemented
From PNML to counter systems for accelerating Petri Nets with FAST
We use the tool FAST to check parameterized safety properties on Petri nets with a large or infinite state space. Although this tool is not dedicated to Petri nets, it can be used for them, since place/transition nets (and some of their extensions) are subcases of FAST's input model. The originality of the tool lies in the use of acceleration techniques in order to compute the exact reachability set for infinite systems. In this paper, we present the automatic transformation of Petri nets written in PNML (Petri Net Markup Language) into counter systems. FAST then provides a simple but very powerful language to express complex properties and check these
A Quantitative Flavour of Robust Reachability
Many software analysis techniques attempt to determine whether bugs are reachable, but for security purposes this is only part of the story, as it does not indicate whether the bugs found could be easily triggered by an attacker. The recently introduced notion of robust reachability aims at filling this gap by distinguishing the inputs controlled by the attacker from those that are not. Yet this qualitative notion may be too strong in practice, leaving aside bugs which are mostly but not fully replicable. We aim here at proposing a quantitative version of robust reachability, more flexible and still amenable to automation. We propose quantitative robustness, a metric expressing how easily an attacker can trigger a bug while taking into account that he can only influence part of the program input, together with a dedicated quantitative robust symbolic execution technique (QRSE). Interestingly, QRSE relies on a variant of model counting (namely, functional E-MAJSAT) unseen so far in formal verification, but which has been studied in AI domains such as Bayesian networks, knowledge representation and probabilistic planning. Yet the existing solving methods from these fields turn out to be unsatisfactory for formal verification purposes, leading us to propose a novel parametric method. These results have been implemented and evaluated over two security-relevant case studies, demonstrating the feasibility and relevance of our ideas
Get rid of inline assembly through verification-oriented lifting
Formal methods for software development have made great strides in the last two decades, to the point that their application in safety-critical embedded software is an undeniable success. Their extension to non-critical software is one of the notable forthcoming challenges. For example, C programmers regularly use inline assembly for low-level optimizations and system primitives, which usually renders state-of-the-art formal analyzers developed for C ineffective. We thus propose TInA, an automated, generic, trustable and verification-oriented lifting technique turning inline assembly into semantically equivalent C code, in order to take advantage of existing C analyzers. Extensive experiments on real-world C code with inline assembly (including GMP and ffmpeg) show the feasibility and benefits of TInA
Interface Compliance of Inline Assembly: Automatically Check, Patch and Refine
Inline assembly is still a common practice in low-level C programming, typically for efficiency reasons or for accessing specific hardware resources. Such embedded assembly chunks in the GNU syntax (supported by major compilers such as GCC, Clang and ICC) have an interface specifying how the assembly code interacts with the C environment. For simplicity, the compiler treats GNU inline assembly chunks as black boxes and relies only on their interface to correctly glue them into the compiled C code. Therefore, the adequacy between the assembly chunk and its interface (named compliance) is of primary importance, as compliance issues can lead to subtle and hard-to-find bugs. We propose RUSTInA, the first automated technique for formally checking inline assembly compliance, with the extra ability to propose (proven) patches and (optimization) refinements in certain cases. RUSTInA is based on an original formalization of the inline assembly compliance problem together with novel dedicated algorithms. Our prototype has been evaluated on 202 Debian packages with inline assembly (2656 chunks), finding 2183 issues in 85 packages -- 986 significant issues in 54 packages (including major projects such as ffmpeg or ALSA), and proposing patches for 92% of them. Currently, 38 patches have already been accepted (solving 156 significant issues), with positive feedback from development teams
- …