17 research outputs found

    Satisfiability Checking for Mission-Time LTL

    Mission-time LTL (MLTL) is a bounded variant of MTL over naturals designed to generically specify requirements for mission-based system operation common to aircraft, spacecraft, vehicles, and robots. Despite the utility of MLTL as a specification logic, major gaps remain in analyzing MLTL, e.g., for specification debugging or model checking, centering on the absence of any complete MLTL satisfiability checker. We prove that the MLTL satisfiability checking problem is NEXPTIME-complete and that satisfiability checking MLTL0, the variant of MLTL where all intervals start at 0, is PSPACE-complete. We introduce translations for MLTL-to-LTL, MLTL-to-LTLf, MLTL-to-SMV, and MLTL-to-SMT, creating four options for MLTL satisfiability checking. Our extensive experimental evaluation shows that the MLTL-to-SMT transition with the Z3 SMT solver offers the most scalable performance.

    On Teaching Applied Formal Methods in Aerospace Engineering

    As formal methods come into broad industrial use for verification of safety-critical hardware, software, and cyber-physical systems, there is an increasing need to teach practical skills in applying formal methods at both the undergraduate and graduate levels. In the aerospace industry, flight certification requirements like the FAA's DO-178B, DO-178C, DO-333, and DO-254, along with a series of high-profile accidents, have helped turn knowledge of formal methods into a desirable job skill for a wide range of engineering positions. We approach the question of verification from a safety-case perspective: the primary teaching goal is to impart students with the ability to look at a verification question and identify what formal methods are applicable, which tools are available, what the outputs from those tools will say about the system, and what they will not, e.g., what parts of the safety case need to be provided by other means. We overview the lectures, exercises, exams, and student projects in a mixed-level (undergraduate/graduate) Applied Formal Methods course (additional materials are available on the course website: http://temporallogic.org/courses/AppliedFormalMethods/) taught in an Aerospace Engineering department. We highlight the approach, tools, and techniques aimed at imparting a good sense of both the state of the art and the state of the practice of formal methods in an effort to effectively prepare students headed for jobs in an increasingly formal world.

    Specification: The Biggest Bottleneck in Formal Methods and Autonomy

    Advancement of AI-enhanced control in autonomous systems stands on the shoulders of formal methods, which make possible the rigorous safety analysis autonomous systems require. An aircraft cannot operate autonomously unless it has design-time reasoning to ensure correct operation of the autopilot and runtime reasoning to ensure system health management, or the ability to detect and respond to off-nominal situations. Formal methods are highly dependent on the specifications over which they reason; there is no escaping the "garbage in, garbage out" reality. Specification is difficult, unglamorous, and arguably the biggest bottleneck facing verification and validation of aerospace, and other, autonomous systems. This VSTTE invited talk and paper examines the outlook for the practice of formal specification, and highlights the on-going challenges of specification, from design-time to runtime system health management. We exemplify these challenges for specifications in Linear Temporal Logic (LTL) though the focus is not limited to that specification language. We pose challenge questions for specification that will shape both the future of formal methods, and our ability to more automatically verify and validate autonomous systems of greater variety and scale. We call for further research into LTL Genesis.

    SAT-based Explicit LTL Reasoning

    We present here a new explicit reasoning framework for linear temporal logic (LTL), which is built on top of propositional satisfiability (SAT) solving. As a proof-of-concept of this framework, we describe a new LTL satisfiability tool, Aalta_v2.0, which is built on top of the MiniSAT SAT solver. We test the effectiveness of this approach by demonstrating that Aalta_v2.0 significantly outperforms all existing LTL satisfiability solvers. Furthermore, we show that the framework can be extended from propositional LTL to assertional LTL (where we allow theory atoms), by replacing MiniSAT with the Z3 SMT solver, and demonstrating that this can yield an exponential improvement in performance.

    MightyL: A Compositional Translation from MITL to Timed Automata

    Metric Interval Temporal Logic (MITL) was first proposed in the early 1990s as a specification formalism for real-time systems. Apart from its appealing intuitive syntax, there is also theoretical evidence that makes MITL a prime real-time counterpart of Linear Temporal Logic (LTL). Unfortunately, the tool support for MITL verification is still lacking to this day. In this paper, we propose a new construction from MITL to timed automata via very-weak one-clock alternating timed automata. Our construction subsumes the well-known construction from LTL to Büchi automata by Gastin and Oddoux and yet has the additional benefits of being compositional and integrating easily with existing tools. We implement the construction in our new tool MightyL and report on experiments using Uppaal and LTSmin as back-ends.

    More Scalable LTL Model Checking via Discovering Design-Space Dependencies (D3)

    Modern system design often requires comparing several models over a large design space. Different models arise out of a need to weigh different design choices, to check core capabilities of versions with varying features, or to analyze a future version against previous ones. Model checking can compare different models; however, applying model checking off-the-shelf may not scale due to the large size of the design space for today's complex systems. We exploit relationships between different models of the same (or related) systems to optimize the model-checking search. Our algorithm, D3, preprocesses the design space and checks fewer model-checking instances, e.g., using nuXmv. It automatically prunes the search space by reducing both the number of models to check, and the number of LTL properties that need to be checked for each model in order to provide the complete model-checking verdict for every individual model-property pair. We formalize heuristics that improve the performance of D3. We demonstrate the scalability of D3 by extensive experimental evaluation, e.g., by checking 1,620 real-life models for NASA's NextGen air traffic control system. Compared to checking each model-property pair individually, D3 is up to 9.4× faster.

    Formal Reasoning about the Security of Amazon Web Services

    We report on the development and use of formal verification tools within Amazon Web Services (AWS) to increase the security assurance of its cloud infrastructure and to help customers secure themselves. We also discuss some remaining challenges that could inspire future research in the community.

    Integrating Runtime Verification into an Automated UAS Traffic Management System

    Unmanned Aerial Systems (UAS) are quickly integrating into the National Air Space (NAS). With the number of registered small (under 55 pounds) UAS in the USA alone at over 1.5 million, and projected to expand rapidly, according to the Federal Aviation Administration (FAA), safety is a pressing consideration. Safe UAS integration into the NAS requires an intelligent, automated system for UAS Traffic Management (UTM). Even more than for manned aircraft, UTM must integrate runtime checks to ensure system safety, at the very least to make up for the lack of humans on board to employ the common-sense safety checks ingrained into the culture of human aviation. We overview a candidate automated, intelligent UTM system and propose multiple integration points for runtime verification (RV) to ensure that each part of the UTM adheres to safety requirements during operation. We write, validate, and present patterns for formal requirements across multiple subsystems of this UTM framework. After encoding our requirements as flight-certifiable runtime observers in the R2U2 RV engine, we execute them in simulation across multiple real-life test flights supplemented with simulated data to cover additional cases that did not occur in flight. Lessons learned accompany an analysis of the efficacy and performance of RV integration into the UTM framework.

    Synthesizing Approximate Implementations for Unrealizable Specifications

    The unrealizability of a specification is often due to the assumption that the behavior of the environment is unrestricted. In this paper, we present algorithms for synthesis in bounded environments, where the environment can only generate input sequences that are ultimately periodic words (lassos) with finite representations of bounded size. We provide automata-theoretic and symbolic approaches for solving this synthesis problem, and also study the synthesis of approximative implementations from unrealizable specifications. Such implementations may violate the specification in general, but are guaranteed to satisfy the specification on at least a specified portion of the bounded-size lassos. We evaluate the algorithms on different arbiter specifications.

    Reliable Control Architecture with PLEXIL and ROS for Autonomous Wheeled Robots (original title: Arquitectura de control confiable con PLEXIL y ROS para robots con ruedas autónomos)

    Today's autonomous robots are being used for complex tasks, including space exploration, military applications, and precision agriculture. As the complexity of control architectures increases, reliability of autonomous robots becomes more challenging to guarantee. This paper presents a hybrid control architecture, based on the Plan Execution Interchange Language (PLEXIL), for autonomy of wheeled robots running the Robot Operating System (ROS). PLEXIL is a synchronous reactive language developed by NASA for mission-critical robotic systems, while ROS is one of the most popular frameworks for robotic middleware development. Given the safety-critical nature of spacecraft operations, PLEXIL operational semantics has been mathematically defined, and formal techniques and tools have been developed to automatically analyze plans written in this language. The hybrid control architecture proposed in this paper is showcased in a path tracking scenario using the Husky robot platform via a Gazebo simulation. Thanks to the architecture presented in this paper, all formal analysis techniques and tools currently available to PLEXIL are now available to build reliable plans for ROS-enabled wheeled robots.
    Affiliations: 1. Escuela Colombiana de Ingeniería Julio Garavito, Bogotá, Colombia. 2. Pontificia Universidad Javeriana, Santiago de Cali, Colombia.