Symbolic execution of programmable logic controller code

Programmable logic controllers (PLCs) are specialized computers for automating a wide range of cyber-physical systems. Since these systems are often safety-critical, software running on PLCs needs to be free of programming errors. However, automated tools for testing PLC software are lacking despite the pervasive use of PLCs in industry. We propose a symbolic-execution-based method, named SymPLC, for automatically testing PLC software written in the programming languages specified in the IEC 61131-3 standard. SymPLC takes the PLC source code as input and translates it into C before applying symbolic execution, to systematically generate test inputs that cover both the paths in each periodic task and the interleavings of these tasks. Toward this end, we propose a number of PLC-specific reduction techniques for identifying and eliminating redundant interleavings. We have evaluated SymPLC on a large set of benchmark programs with both single and multiple tasks. Our experiments show that SymPLC can handle these programs efficiently, and for multi-task PLC programs, our new reduction techniques outperform the state-of-the-art partial order reduction technique by more than two orders of magnitude.
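The two ideas in the abstract, path-directed test generation for one scan-cycle task and pruning of redundant task interleavings, are illustrated below in a small Python model. This is an added example written for this page, not SymPLC's code or the paper's reduction technique: the mini AST, the two-input tank controller, the brute-force "solver" over a 0..3 integer domain (a stand-in for the SMT solver a real symbolic executor calls), and the two sample tasks are all constructed here. The reduction shown is the classic Mazurkiewicz-trace normal form (interleavings that differ only in the order of independent statements are collapsed), which is a generic partial-order argument, not the PLC-specific reductions the abstract refers to; statement-level interleaving of two tasks is likewise an assumption, since real PLC schedulers interleave at task and priority granularity.

```python
"""Toy symbolic execution of a scan-cycle program plus interleaving reduction (constructed example)."""
from itertools import product

# Part 1: path enumeration for one periodic task.
# Statements: ('assign', name, expr) | ('if', cond, then_stmts, else_stmts)
# Expressions: ('var', n) | ('const', k) | ('add'|'sub'|'lt'|'eq', e, e) | ('not', e)

def subst(expr, env):
    """Rewrite expr in terms of the task's symbolic inputs using the current symbolic env."""
    if expr[0] == 'const':
        return expr
    if expr[0] == 'var':
        return env.get(expr[1], ('const', 0))  # locals not yet written read as 0
    return (expr[0],) + tuple(subst(e, env) for e in expr[1:])

def sym_exec(stmts, env, path):
    """Yield (path_constraints, final_env) for every syntactic path through stmts."""
    if not stmts:
        yield path, env
        return
    st, rest = stmts[0], stmts[1:]
    if st[0] == 'assign':
        yield from sym_exec(rest, {**env, st[1]: subst(st[2], env)}, path)
    else:  # fork on the branch condition; each side carries its own constraint
        c = subst(st[1], env)
        yield from sym_exec(st[2] + rest, env, path + [c])
        yield from sym_exec(st[3] + rest, env, path + [('not', c)])

def concrete(expr, inputs):
    """Evaluate a symbolic expression under a concrete input assignment."""
    if expr[0] == 'const':
        return expr[1]
    if expr[0] == 'var':
        return inputs[expr[1]]
    if expr[0] == 'not':
        return not concrete(expr[1], inputs)
    a, b = concrete(expr[1], inputs), concrete(expr[2], inputs)
    return {'add': a + b, 'sub': a - b, 'lt': a < b, 'eq': a == b}[expr[0]]

def solve(constraints, inputs, domain=range(4)):
    """Stand-in for an SMT solver: first assignment over a small domain that satisfies all constraints."""
    for vals in product(domain, repeat=len(inputs)):
        cand = dict(zip(inputs, vals))
        if all(concrete(c, cand) for c in constraints):
            return cand
    return None  # infeasible path

def count_paths(stmts, inputs):
    return sum(1 for _ in sym_exec(stmts, {x: ('var', x) for x in inputs}, []))

def generate_tests(stmts, inputs):
    """One concrete test input per feasible path; infeasible paths are dropped."""
    env = {x: ('var', x) for x in inputs}
    models = (solve(path, inputs) for path, _ in sym_exec(stmts, env, []))
    return [m for m in models if m is not None]

# Constructed sample task, ST-like: pump on when level < setpoint; alarm when level < 1;
# the nested fault branch (2 < level inside level < 1) is infeasible and yields no test.
INPUTS = ['level', 'setpoint']
PROG = [
    ('if', ('lt', ('var', 'level'), ('var', 'setpoint')),
     [('assign', 'pump', ('const', 1))], [('assign', 'pump', ('const', 0))]),
    ('if', ('lt', ('var', 'level'), ('const', 1)),
     [('assign', 'alarm', ('const', 1)),
      ('if', ('lt', ('const', 2), ('var', 'level')), [('assign', 'fault', ('const', 1))], [])],
     [('assign', 'alarm', ('const', 0))]),
]

# Part 2: interleavings of straight-line scan bodies of several tasks; an event is (task, index).
def accesses(st):
    """Variables an assignment reads or writes."""
    names, todo = {st[1]}, [st[2]]
    while todo:
        e = todo.pop()
        if e[0] == 'var':
            names.add(e[1])
        elif e[0] != 'const':
            todo.extend(e[1:])
    return names

def conflicts(a, b):
    """Two assignments conflict when one writes a variable the other touches."""
    return a[1] in accesses(b) or b[1] in accesses(a)

def interleavings(tasks):
    def rec(pcs, trace):
        if all(pc == len(t) for pc, t in zip(pcs, tasks)):
            yield trace
            return
        for i, t in enumerate(tasks):
            if pcs[i] < len(t):
                yield from rec(pcs[:i] + [pcs[i] + 1] + pcs[i + 1:], trace + [(i, pcs[i])])
    return list(rec([0] * len(tasks), []))

def canonical(trace, tasks):
    """Lexicographically least linearisation of the trace's happens-before order
    (Mazurkiewicz normal form); equivalent interleavings map to the same tuple."""
    n, preds = len(trace), [set() for _ in trace]
    for j in range(n):
        for i in range(j):
            (ti, si), (tj, sj) = trace[i], trace[j]
            if ti == tj or conflicts(tasks[ti][si], tasks[tj][sj]):
                preds[j].add(i)
    done, out = set(), []
    while len(out) < n:
        ready = [k for k in range(n) if k not in done and preds[k] <= done]
        k = min(ready, key=lambda k: trace[k])
        done.add(k)
        out.append(trace[k])
    return tuple(out)

def reduced_interleavings(tasks):
    return {canonical(tr, tasks) for tr in interleavings(tasks)}

# Constructed sample tasks: only the two writes to y conflict, so 6 interleavings collapse to 2.
TASKS = [
    [('assign', 'x', ('add', ('var', 'x'), ('const', 1))), ('assign', 'y', ('var', 'x'))],
    [('assign', 'z', ('add', ('var', 'z'), ('const', 1))), ('assign', 'y', ('const', 0))],
]

if __name__ == '__main__':
    print(count_paths(PROG, INPUTS), 'paths;', generate_tests(PROG, INPUTS))
    print(len(interleavings(TASKS)), 'interleavings ->', len(reduced_interleavings(TASKS)), 'classes')
```

Running the module enumerates the six syntactic paths of the sample task, discards the two whose constraints cannot be satisfied, and emits one concrete `(level, setpoint)` pair per feasible path; for the two tasks it then shows that only the relative order of the conflicting writes to `y` matters, which is the kind of redundancy an interleaving reduction removes before symbolic execution explores each class.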
