VeriPhy: verified controller executables from verified cyber-physical system models

We present VeriPhy, a verified pipeline which automatically transforms verified high-level models of safety-critical cyber-physical systems (CPSs) in differential dynamic logic (dL) to verified controller executables. VeriPhy proves that all safety results are preserved end-to-end as it bridges abstraction gaps, including: i) the gap between mathematical reals in physical models and machine arithmetic in the implementation, ii) the gap between real physics and its differential-equation models, and iii) the gap between nondeterministic controller models and machine code. VeriPhy reduces CPS safety to the faithfulness of the physical environment, which is checked at runtime by synthesized, verified monitors. We use three provers in this effort: KeYmaera X, HOL4, and Isabelle/HOL. To minimize the trusted base, we cross-verify KeYmaera X in Isabelle/HOL. We evaluate the resulting controller and monitors on commodity robotics hardware.
