Model-Based Framework for On-Board-Software

Satellites carry different payloads, but the basic design in hard- and software is generally similar for small satellites. For example, they all receive telecommands, distribute them and generate telemetry packets. Reusing existing components is desirable, especially with limited time and financial budgets. This is where the Corfu comes in, which we present in this work. Corfu is a software framework for safety-critical on-board software. It follows a model-based approach. Developers formally define the structure of the software. The software design is app-centric, i.e. on-board software in Corfu is a composition of apps. Apps define a clear communication interface using a publish/-subscribe principle. This allows on-board software to connect apps among each other. Developers can use and connect apps in different on-board software and even on different missions. This encourages reusability. Based on the information of software definition, Corfu applies two tasks: formal verification of the software structure and generation of source code. In the verification step, Corfu examines the timing properties across all apps that are included into the software. Having a formal definition that is used for both static analysis and code generation, makes in possible to identify structural problems early. The generation process creates code that it can derive from the software specification. This includes communication handling, such as subscribing to topics, distributing telecommands and collecting telemetry. In addition, the generated code also covers thread handling. The result of the generation process is a collection of classes. Most of those classes are abstract, which include abstract methods that the developer fills with mission-specific code. Developers do this by inheriting from those abstract classes and overriding all the abstract methods by carrying out the desired behavior. Developers can focus on implementing the mission relevant code. The software specification defines the communication interface between space and ground as well; therefore, it is sensible to use the same definition for the ground software. Corfu comes with a library for ground software, which parses the configuration file and makes it available to the developer. It also comes with a link interface towards the space segment. Based on the library, Corfu provides a ready-to-use generic ground software with a graphical user interface printing telemetry data and for sending telemetry — according to the software definition. Beyond formal verification of the software definition, Corfu comes with an elaborated testing framework, which provides unit and integration tests to the developers. By generating test-specific classes, Corfu gives developers access to internal software parts to allow more accurate unit testing. By automatically sending telecommands and evaluating telemetry data, developers accomplish integration tests of the full on-board software stack. Corfu already comes with applications and concepts that are common to general on-board software, such as publish/subscribe communication between applications, anomaly and event handling, telecommand distribution among applications, telemetry collection, housekeeper, etc

Source Code Verification for Embedded Systems using Prolog

System relevant embedded software needs to be reliable and, therefore, well tested, especially for aerospace systems. A common technique to verify programs is the analysis of their abstract syntax tree (AST). Tree structures can be elegantly analyzed with the logic programming language Prolog. Moreover, Prolog offers further advantages for a thorough analysis: On the one hand, it natively provides versatile options to efficiently process tree or graph data structures. On the other hand, Prolog's non-determinism and backtracking eases tests of different variations of the program flow without big effort. A rule-based approach with Prolog allows to characterize the verification goals in a concise and declarative way. In this paper, we describe our approach to verify the source code of a flash file system with the help of Prolog. The flash file system is written in C++ and has been developed particularly for the use in satellites. We transform a given abstract syntax tree of C++ source code into Prolog facts and derive the call graph and the execution sequence (tree), which then are further tested against verification goals. The different program flow branching due to control structures is derived by backtracking as subtrees of the full execution sequence. Finally, these subtrees are verified in Prolog. We illustrate our approach with a case study, where we search for incorrect applications of semaphores in embedded software using the real-time operating system RODOS. We rely on computation tree logic (CTL) and have designed an embedded domain specific language (DSL) in Prolog to express the verification goals.Comment: In Proceedings WLP'15/'16/WFLP'16, arXiv:1701.0014

CORFU - Ein erweitertes modellgetriebenes Framework für Satellitensoftware mit Code-Rückinformation

Corfu is a framework for satellite software, not only for the onboard part but also for the ground. Developing software with Corfu follows an iterative model-driven approach. The basis of the process is an engineering model. Engineers formally describe the basic structure of the onboard software in configuration files, which build the engineering model. In the first step, Corfu verifies the model at different levels. Not only syntactically and semantically but also on a higher level such as the scheduling. Based on the model, Corfu generates a software scaffold, which follows an application-centric approach. Software images onboard consist of a list of applications connected through communication channels called topics. Corfu’s generic and generated code covers this fundamental communication, telecommand, and telemetry handling. All users have to do is inheriting from a generated class and implement the behavior in overridden methods. For each application, the generator creates an abstract class with pure virtual methods. Those methods are callback functions, e.g., for handling telecommands or executing code in threads. However, from the model, one can not foresee the software implementation by users. Therefore, as an innovation compared to other frameworks, Corfu introduces feedback from the user code back to the model. In this way, we extend the engineering model with information about functions/methods, their invocations, their stack usage, and information about events and telemetry emission. Indeed, it would be possible to add further information extraction for additional use cases. We extract the information in two ways: assembly and source code analysis. The assembly analysis collects information about the stack usage of functions and methods. On the one side, Corfu uses the gathered information to accomplished additional verification steps, e.g., checking if stack usages exceed stack sizes of threads. On the other side, we use the gathered information to improve the performance of onboard software. In a use case, we show how the compiled binary and bandwidth towards the ground is reducible by exploiting source code information at run-time.Corfu ist ein Framework für Satelliten-Software für beide Seiten: Space und Boden. Mit Corfu folgt die Softwareentwicklung einem iterativen modellgetriebenen Ansatz. Grundlage der Software-Entwicklung ist ein technisches Modell, das formell die grundlegende Struktur der Onboard-Software beschreibt. EntwicklerInnen beschreiben dieses Modell in Konfigurationsdateien, die von Corfu in verschiedenen Aspekten automatisch verifiziert werden, z.B. im Bereich des Scheduling. Anhand des definierten Modells erstellt Corfu ein Quellcode-Gerüst. Die Onboard-Software ist in einzelne Applikationen aufgeteilt, die durch Kommunikationskanäle miteinander kommunizieren (Topics genannt). Generischer Code und der generierte Code implementieren bereits die Behandlung und Verwaltung der Topic-Kommunikation, Telekommandos, Telemetrie und Threads. Der generierte Code definiert pur-virtuelle Callback-Methoden, die BenutzerInnen in erbenden Klassen implementieren. Das vordefinierte Modell kann allerdings nicht alle Implementierungsdetails der BenutzerInnen enthalten. Daher führt Corfu als Neuerung ein Code-Feedback ein. Hierbei werden anhand von statischer Analyse Informationen aus dem BenutzerInnen-Quellcode extrahiert und in einem zusätzlichen Modell gespeichert. Dieses extrahierte Modell enthält u.a. Informationen zu Funktionsaufrufen, Anomalien, Events und Stackspeicherverbrauch von Funktionen. Corfu extrahiert diese Informationen durch Quellcode- und Assembler-Analyse. Das extrahierte Modell erweitert das vordefinierte Modell, da es Elemente aus dem vordefinierten Modell referenziert. Auf der einen Seite nutzt Corfu die gesammelten Informationen, um weitere Verifikationsschritte durchführen zu können, z.B. Überprüfen der Stack-Größen von Threads. Auf der anderen Seite kann die Nutzung von Quellcode-Informationen auch die Leistung verbessern. In einem Anwendungsfall zeigen wir, wie die Größe des kompilierten Programms sowie die genutzte Bandbreite für die Übertragung von Log-Event-Nachrichten durch das erweiterte Modell verringert werden kann

InnoCube — a wireless satellite platform to demonstrate innovative technologies

A new innovative satellite mission, the Innovative CubeSat for Education (InnoCube), is addressed. The goal of the mission is to demonstrate “the wireless satellite”, which replaces the data harness by robust, high-speed, real-time, very short-range radio communications using the SKITH (SKIpTheHarness) technology. This will make InnoCube the first wireless satellite in history. Another technology demonstration is an experimental energy-storing satellite structure that was developed in the previous Wall#E project and might replace conventional battery technology in the future. As a further payload, the hardware for the concept of a software-based solution for receiving signals from Global Navigation Satellite Systems (GNSS) will be developed to enable precise position determination of the CubeSat. Aside from technical goals this work aims to be of use in the teaching of engineering skills and practical sustainable education of students, important technical and scientific publications, and the increase of university skills. This article gives an overview of the overall design of the InnoCube