Top

Software and Systems Modeling

Published in:

21-03-2023 | Special Section Paper

Synthesizing verified components for cyber assured systems engineering

Authors: Eric Mercer, Konrad Slind, Isaac Amundson, Darren Cofer, Junaid Babar, David Hardin

Published in: Software and Systems Modeling | Issue 5/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Safety-critical systems such as avionics need to be engineered to be cyber resilient meaning that systems are able to detect and recover from attacks or safely shutdown. As there are few development tools for cyber resiliency, designers rely on guidelines and checklists, sometimes missing vulnerabilities until late in the process where remediation is expensive. Our solution is a model-based approach with cyber resilience-improving transforms that insert high-assurance components such as filters to block malicious data or monitors to detect and alarm anomalous behavior. Novel is our use of model checking and a verified compiler to specify, verify, and synthesize these components. We define code contracts as formal specifications that designers write for high-assurance components, and test contracts as tests to validate their behavior. A model checker proves whether or not code contracts satisfy test contracts in an iterative development cycle. The same model checker also proves whether or not a system with the inserted components, assuming they adhere to their code contracts, provides the desired cyber resiliency for the system. We define an algorithm to synthesize implementations for code contracts in a semantics-preserving way that is backed by a verified compiler. The entire workflow is implemented as part of the open source BriefCASE toolkit. We report on our experience using BriefCASE with a case study on a UAV system that is transformed to be cyber resilient to communication and supply chain cyber attacks. Our case study demonstrates that writing code contracts and then synthesizing correct implementations from them are feasible in real-world systems engineering for cyber resilience.

previous article MORGAN: a modeling recommender system based on graph kernel

next article The ForeMoSt approach to building valid model-based safety arguments

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

This work was funded in part by the Defense Advanced Research Projects Agency (DARPA) CASE program. The views expressed are those of the authors and do not reflect the official policy or position of DARPA or the US Government.

AADL is the acronym for Architecture Analysis and Design Language [53].

AGREE is the acronym for Assume-Guarantee Reasoning Environment.

Abrahamsson, O., Ho, S., Kanabar, H., Kumar, R., Myreen, M.O., Norrish, M., Tan, Y.K.: Proof-producing Synthesis of CakeML from Monadic HOL Functions. Springer, Berlin (2020)CrossRefMATH

AGREE specification example. https://github.com/ericmercer/agree-specification-example

Amundson, I., Cofer, D.: Resolute assurance arguments for cyber assured systems engineering. In: Design Automation for Cyber-Physical Systems and Internet of Things (DESTION 2021) (2021)

An SMT-based infinite-state model checker for safety properties in Lustre. https://github.com/loonwerks/jkind

Backes, J., Cofer, D., Miller, S., Whalen, M.: Requirements analysis of a quad-redundant flight control system. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NASA Formal Methods, pp. 82–96. Springer, Berlin (2015)CrossRef

Biernacki, D., Colaço, J.-L., Hamon, G., Pouzet, M.: Clock-directed modular code generation for synchronous data-flow languages. SIGPLAN Not. 43(7), 121–130 (2008)CrossRef

Bourke, T., Brun, L., Dagand, P.-É., Leroy, X., Pouzet, M., Rieg, L.: A formally verified compiler for Lustre. SIGPLAN Not. 52(6), 586–601 (2017)CrossRef

Collins Aerospace Common Avionics Architecture System. https://www.collinsaerospace.com/what-we-do/Helicopters/Rotary-Wing/Common-Avionics-Architecture-System

CakeML. https://cakeml.org/

10.

Cyber Assured Systems Engineering (CASE) TA6 platform assessment CAmkES applications. https://github.com/loonwerks/case-ta6-platform-assessment-camkes-apps

11.

CASE: Cyber Assured Systems Engineering. http://loonwerks.com/projects/case

12.

Caspi, P., Pilaud, D., Halbwachs, N., Plaice, J.A.: LUSTRE: a declarative language for real-time programming. In: Proceedings of the 14th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL ’87, pp. 178–188. Association for Computing Machinery, New York, NY, USA (1987)

13.

Cofer, D., Amundson, I., Babar, J., Hardin, D., Slind, K., Alexander, P., Hatcliff, J., Klein, G.R., Lewis, C., Mercer, E., Shackleton, J.: Cyberassured systems engineering at scale. IEEE Secur. Priv. 15, 2–14 (2022)

14.

Cofer, D., Gacek, A., Miller, S., Whalen, M., LaValley, B., Sha, L.: Compositional verification of architectural models. In: Goodloe, A.E., Person, S. (eds.) NASA Formal Methods, pp. 126–140. Springer, Berlin, Heidelberg (2012)CrossRef

15.

Cofer, D., Gacek, A., Miller, S., Whalen, M.W., LaValley, B., Sha, L.: Compositional verification of architectural models. In: Goodloe, A.E., Person, S. (eds.) NASA Formal Methods, pp. 126–140. Springer, Berlin, Heidelberg (2012)CrossRef

16.

Colaço, J.-L., Pagano, B., Pouzet, M.: A conservative extension of synchronous data-flow with state machines. In: Proceedings of the 5th ACM International Conference on Embedded Software, EMSOFT ’05, pp. 173–18. Association for Computing Machinery, New York (2005)

17.

Colaço, J.-L., Pouzet, M.: Clocks as first class abstract types. In: Alur, R., Lee, I. (eds.) Embedded Software, pp. 134–155. Springer, Berlin, Heidelberg (2003)CrossRef

18.

Compcert. https://compcert.org

19.

Cyber Assured Systems Engineering (CASE) experimental platform models. https://github.com/loonwerks/case-ta6-experimental-platform-models

20.

Dafny. https://dafny.org

21.

Dimoulas, C., Tobin-Hochstadt, S., Felleisen, M.: Complete monitors for behavioral contracts. In: Seidl, H. (ed.) Programming Languages and Systems, pp. 214–233. Springer, Berlin, Heidelberg (2012)CrossRef

22.

Findler, R.B., Felleisen, M.: Contracts for higher-order functions. SIGPLAN Not. 37(9), 48–59 (2002)CrossRefMATH

23.

Formal methods workbench. https://github.com/loonwerks/formal-methods-workbench

24.

Gacek, A., Katis, A., Whalen, M., Backes, J., Cofer, D.: Towards realizability checking of contracts using theories. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NASA Formal Methods, pp. 173–187. Springer, Berlin (2015)CrossRef

25.

Gérard, L., Guatto, A., Pasteur, C., Pouzet, M.: A modular memory optimization for synchronous data-flow languages: application to arrays in a Lustre compiler. SIGPLAN Not. 47(5), 51–60 (2012)CrossRef

26.

Gómez-Londoño, A., Pohjola, J.Å., Syeda, H.T., Myreen, M.O., Tan, Y.K.: Do you have space for dessert? A verified space cost semantics for CakeML programs. In: Proceedings of the 2020 ACM Object-Oriented Programming, Systems, Languages, and Applications Conference (OOPSLA), pp. 4:204:1–204:29 (2020)

27.

Halbwachs, N., Caspi, P., Raymond, P., Pilaud, D.: The synchronous data flow programming language LUSTRE. Proc. IEEE 79(9), 1305–1320 (1991)CrossRef

28.

Hardin, D.S., Slind, K.L.: Formal synthesis of filter components for use in security-enhancing architectural transformations. In: Proceedings of the Seventh Workshop on Language-Theoretic Security, 42nd IEEE Symposium and Workshops on Security and Privacy (LangSec 2021) (2021)

29.

Hardin, D.S., Slind, K.L., Pohjola, J.Å., Sproul, M.: Synthesis of verified architectural components for autonomy hosted on a verified microkernel. In: Proceedings of the 53rd Hawaii International Conference on System Sciences, pp. 6365–6374 (2020)

30.

Hatcliff, J., Belt, J., Robby, C.T.: HAMR: an AADL multi-platform code generation toolset. In: Margaria, T., Steffen, B. (eds.) Leveraging Applications of Formal Methods, Verification and Validation, pp. 274–295. Springer, Berlin (2021)CrossRef

31.

Havelund, K., Roşu, G.: Efficient monitoring of safety properties. Int. J. Softw. Tools Technol. Transf. 6(2), 158–173 (2004)CrossRef

32.

Kansas State University. Sireum HAMR: High Assurance Modeling and Rapid Engineering for Embedded Systems (2021)

33.

Katis, A., Fedyukovich, G., Gacek, A., Backes, J., Gurfinkel, A., Whalen, M.: Synthesis from assume-guarantee contracts using skolemized proofs of realizability (2017)

34.

Katis, A., Fedyukovich, G., Guo, H., Gacek, A., Backes, J., Gurfinkel, A., Whalen, M.: Validity-guided synthesis of reactive systems from assume-guarantee contracts. In: Beyer, D., Huisman, M. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 176–193. Springer, Berlin (2018)CrossRef

35.

Katis, A., Gacek, A., Whalen, M.: Machine-checked proofs for realizability checking algorithms. In: Gurfinkel, A., Seshia, S.A. (eds.) Verified Software: Theories, Tools, and Experiments, pp. 110–123. Springer, Berlin (2016)CrossRef

36.

Kingston, D.B., Rasmussen, S., Humphrey, L.R.: Automated UAV tasks for search and surveillance. In: 2016 IEEE Conference on Control Applications, CCA 2016, Buenos Aires, Argentina, September 19–22, 2016, pp. 1–8. IEEE (2016)

37.

Klein, G., Andronick, J., Elphinstone, K., Murray, T.C., Sewell, T., Kolanski, R., Heiser, G.: Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. 32(1), 2:1-2:70 (2014)CrossRef

38.

Klein, G., Andronick, J., Fernandez, M., Kuz, I., Murray, T.C., Heiser, G.: Formally verified software in the real world. Commun. ACM 61(10), 68–77 (2018)CrossRef

39.

Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Matthews, J.N., Anderson, T.E. (eds.) Proceedings of the 22nd ACM Symposium on Operating Systems Principles 2009, SOSP 2009, Big Sky, Montana, USA, October 11–14, 2009, pp. 207–220. ACM (2009)

40.

41.

Laddaga, R., Robertson, P., Shrobe, H.E., Cerys, D., Manghwani, P., Meijer, P.: Deriving cyber-security requirements for cyber physical systems. CoRR (2019). arXiv:1901.01867

42.

Lichtenstein, O., Pneuli, A.: Propositional temporal logics: decidability and completeness. Logic J. IGPL 8(1), 55–85 (2000)MathSciNetCrossRefMATH

43.

Liskov, B.: Keynote address—data abstraction and hierarchy. SIGPLAN Not. 23(5), 17–34 (1987)CrossRef

44.

Liu, C., Babar, J., Amundson, I., Hoech, K., Cofer, D., Mercer, E.: Assume-guarantee reasoning with scheduled components. In: Deshmukh, J.V., Havelund, K., Perez, I. (eds.) NASA Formal Methods, pp. 355–372. Springer, Cham (2022)CrossRef

45.

Murugesan, A., Whalen, M., Rayadurgam, S., Heimdahl, M.: Compositional verification of a medical device system. Ada Lett. 33(3), 51–64 (2013)CrossRef

46.

Myreen, M.O., Owens, S.: Proof-producing synthesis of ML from higher-order logic. In: International Conference on Functional Programming (ICFP), pp. 115–126. ACM Press (2012)

47.

Nguyundefinedn, P.C., Gilray, T., Tobin-Hochstadt, S., Van Horn, D.: Soft contract verification for higher-order stateful programs. Proc. ACM Program. Lang. POPL(2), 511–5130 (2017)

48.

Patten, T., Mitchell, D., Call, C.: Cyber attack grammars for risk-cost analysis. In: Proceedings of the 15th International Conference on Cyber Warfare and Security. Norfolk, VA (2020)

49.

Petz, A., Alexander, P.: An infrastructure for faithful execution of remote attestation protocols. In: Proceedings of the 13th NASA Formal Methods Symposium (NFM 2021) (2021)

50.

Pike, L., Wegmann, N., Niller, S., Goodloe, A.: Copilot: Monitoring embedded systems. Innov. Syst. Softw. Eng. 9(4), 235–255 (2013)CrossRef

51.

Robby, H., Hatcliff, J.: Slang: the Sireum programming language. In: Margaria, T., Steffen, B. (eds.) Leveraging Applications of Formal Methods, Verification and Validation, pp. 253–273. Springer, Berlin (2021)CrossRef

52.

Saadatmand, M., Leveque, T.: Modeling security aspects in distributed real-time component-based embedded systems. In: 2012 Ninth International Conference on Information Technology—New Generations, pp. 437–444 (2012)

53.

SAE: Architecture Analysis and Design Language (AADL). Technical Report AS-5506, SAE International (2009)

54.

Slind, K.L.: Specifying message formats with contiguity types. In: Proceedings of the Twelfth International Conference on Interactive Theorem Proving (ITP 2021) (2021)

55.

Thiagarajan, H., Hatcliff, J., Robby, H.: Awas: AADL information flow and error propagation analysis framework. In: Innovations in Systems and Software Engineering (ISSE) (2021)

56.

Whalen, M., Gacek, A., Cofer, D., Murugesan, A., Heimdahl, M., Rayadurgam, S.: Your “what’’ is my “how’’: iteration and hierarchy in system design. IEEE Softw. 30(2), 54–60 (2013)CrossRef

Title: Synthesizing verified components for cyber assured systems engineering
Authors: Eric Mercer
Konrad Slind
Isaac Amundson
Darren Cofer
Junaid Babar
David Hardin
Publication date: 21-03-2023
Publisher: Springer Berlin Heidelberg
Published in: Software and Systems Modeling / Issue 5/2023
Print ISSN: 1619-1366
Electronic ISSN: 1619-1374
DOI: https://doi.org/10.1007/s10270-023-01096-3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Other articles of this Issue 5/2023

Execution trace analysis for a precise understanding of latency violations

Efficient regression testing of distributed real-time reactive systems in the context of model-driven development

MoDALAS: addressing assurance for learning-enabled autonomous systems in the face of uncertainty

Repository mining for changes in Simulink and Stateflow models

Assessing the usefulness of a visual programming IDE for large-scale automation software

Model-driven design space exploration for multi-robot systems in simulation

Premium Partner