Formal Verification of a Mixed-Trust Synchronization Protocol

Cyber-Physical Systems (CPS) are becoming widespread in many safety-critical real-time applications, such as autonomous driving, robotics systems, and unmanned aircraft. However, verifying these complex real-time systems remains an open challenge because traditional verification techniques are unable to verify all components. One approach to address this challenge is the mixed-trust computing framework for real-time systems, in which unverified (untrusted) components are constrained by verified (trusted) components so that they cannot exhibit unsafe behavior. This framework increases assurance in the CPS by verifying the timing and functional properties of the trusted components. However, even though the trusted components are verified, formal verification of the synchronization protocol between the trusted and untrusted components has remained an open problem. If the synchronization protocol between the untrusted and trusted components is incorrect, then the behavior of the entire system can be compromised. In this paper, we present a formal model of a synchronization protocol between trusted and untrusted components using timed automata. We use temporal logic to prove that the protocol satisfies properties that guarantee its correctness. The verification was used to identify and correct a critical flaw in the previous protocol implementation, and it increases confidence in the mixed-trust framework.
