An Application of Formal Analysis to Software in a Fault-Tolerant Environment

This paper describes work that represents the culmination of a comprehensive hardware/software modeling and analysis project concerning the Charles Stark Draper Laboratory Fault-Tolerant Processor (FTP). The FTP performs a safety-related function at the Integral Fast Reactor (IFR, previously known as the Experimental Breeder Reactor-II) operated by Argonne National Laboratory for the Department of Energy. Previously, we demonstrated that the FTP's data exchange instructions tolerate hardware failures (G.H. Chisholm et al., 1987; A.J. Kljaich et al., 1989; A.S. Wojcik et al., 1984; A.S. Wojcik, 1983). Here we describe a methodology for assuring that the software executing on the FTP is also tolerant to hardware failures. The methodology abstracts the program's data and control flows into the specification of an abstract application program that operates on the FTP, and we then prove that this abstract program tolerates hardware and sensor failures. Finally, from a more detailed specification and analysis of the code used in the application software, we demonstrate that the code satisfies the sufficient conditions developed for the abstract application program, and hence that system fault tolerance can be claimed.
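To make the two-level argument concrete, here is an added example (not code from the paper, nor from Draper's FTP): a small abstract model of a triplex channel that reads a sensor, exchanges the reading with its peers and majority-votes, together with an exhaustive check that every channel with sound hardware outputs the true value under at most one sensor or exchange-hardware fault. The channel count, the value domain, the fault model (a faulty sensor returns any domain value; faulty exchange hardware may deliver a different arbitrary value to each peer) and the "at most one fault" condition are assumptions chosen for illustration, not the paper's specification. The check also reports the counterexample that appears as soon as two faults are allowed, which is the kind of sufficient condition an abstract-level proof has to pin down before the concrete code can be shown to satisfy it.

```python
from itertools import combinations, product

# Constructed illustrative model (an assumption, not the paper's FTP model):
# three redundant channels and a small value domain so that every fault
# scenario can be enumerated exhaustively.
CHANNELS = 3
DOMAIN = (0, 1, 2)


def majority(values):
    """Return the strict majority of `values`, or None when there is none."""
    for v in set(values):
        if values.count(v) * 2 > len(values):
            return v
    return None


def local_readings(true_value, sensor_faults, scenario):
    """Each channel reads its own sensor; a faulty sensor returns the value
    the scenario assigns to it instead of the true value."""
    return [scenario[("sensor", c)] if c in sensor_faults else true_value
            for c in range(CHANNELS)]


def exchange(readings, hw_faults, scenario):
    """Data exchange: every channel broadcasts its reading to the others.
    Faulty exchange hardware on channel `src` may deliver an arbitrary
    (per-link) value to each peer; a channel always keeps its own reading."""
    received = []
    for dst in range(CHANNELS):
        row = []
        for src in range(CHANNELS):
            if src in hw_faults and src != dst:
                row.append(scenario[("link", src, dst)])
            else:
                row.append(readings[src])
        received.append(row)
    return received


def vote(received):
    """Each channel majority-votes the values it holds after the exchange."""
    return tuple(majority(row) for row in received)


def scenarios(sensor_faults, hw_faults):
    """Enumerate every assignment of domain values to the corrupted
    sensor readings and exchange links for a given fault pattern."""
    keys = [("sensor", c) for c in sorted(sensor_faults)]
    keys += [("link", s, d) for s in sorted(hw_faults)
             for d in range(CHANNELS) if d != s]
    for vals in product(DOMAIN, repeat=len(keys)):
        yield dict(zip(keys, vals))


def check_fault_tolerance(max_faults):
    """Exhaustively check the abstract program: for every true value, every
    pattern of at most `max_faults` faulty channels (each either a sensor
    fault or an exchange-hardware fault) and every corruption of the
    affected readings/links, every channel whose hardware is not faulty
    must output the true value.  Returns None if the property holds,
    otherwise the first counterexample found."""
    for n in range(max_faults + 1):
        for faulty in combinations(range(CHANNELS), n):
            for kinds in product(("sensor", "hw"), repeat=n):
                sensor_faults = {c for c, k in zip(faulty, kinds) if k == "sensor"}
                hw_faults = {c for c, k in zip(faulty, kinds) if k == "hw"}
                for true_value in DOMAIN:
                    for sc in scenarios(sensor_faults, hw_faults):
                        readings = local_readings(true_value, sensor_faults, sc)
                        outputs = vote(exchange(readings, hw_faults, sc))
                        for c in range(CHANNELS):
                            if c not in hw_faults and outputs[c] != true_value:
                                return {
                                    "true_value": true_value,
                                    "sensor_faults": sensor_faults,
                                    "hw_faults": hw_faults,
                                    "corruptions": sc,
                                    "outputs": outputs,
                                }
    return None


if __name__ == "__main__":
    # A single fault of either kind is masked by the triplex vote ...
    print("single fault tolerated:", check_fault_tolerance(1) is None)
    # ... but the same abstract program does not tolerate two faults.
    print("two-fault counterexample:", check_fault_tolerance(2))
```

The exhaustive check plays the role of the abstract-level proof: it establishes that "at most one faulty channel" is a sufficient condition for the voted output to be correct, and it exhibits the two-fault scenario (two sensors agreeing on a wrong value, or one wrong sensor plus corrupted links) that the condition excludes. The second step of the paper's methodology, showing that the real exchange and voting code refines this abstract program, is a separate refinement argument and is not attempted here.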

[1] George W. Dinolt et al., "Combining components and policies," Proceedings of the Computer Security Foundations Workshop VII, 1994.

[2] Victor L. Winter et al., "A formal model for verification of abstract properties," 1992.

[3] James M. Boyle et al., "Program Reusability through Program Transformation," IEEE Transactions on Software Engineering, 1984.

[4] Thomas Anderson, "Safe and Secure Computing Systems," 1989.

[5] J. Goldberg et al., "SIFT: Design and analysis of a fault-tolerant computer for aircraft control," Proceedings of the IEEE, 1978.

[6] Grzegorz Rozenberg et al., "High-level Petri Nets: Theory and Application," 1991.

[7] David Lorge Parnas et al., "Evaluation of safety-critical software," Communications of the ACM, 1990.

[8] John McLean et al., "A general theory of composition for trace sets closed under selective interleaving functions," Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, 1994.

[9] Roger M. Needham et al., "Authentication revisited," ACM SIGOPS Operating Systems Review, 1987.

[10] William McCune et al., "OTTER 3.0 Reference Manual and Guide," 1994.

[11] J. H. Lala et al., "A design approach for ultrareliable real-time systems," IEEE Computer, 1991.

[12] Dan Craigen et al., "An International Survey of Industrial Applications of Formal Methods," Z User Workshop, 1992.

[13] Friedrich W. von Henke et al., "Formal Verification of Algorithms for Critical Systems," IEEE Transactions on Software Engineering, 1993.

[14] John McLean et al., "The specification and modeling of computer security," IEEE Computer, 1990.

[15] Larry Wos et al., "Automated Reasoning: Introduction and Applications," 1984.

[16] Bengt Jonsson et al., "Compositional specification and verification of distributed systems," ACM Transactions on Programming Languages and Systems, 1994.

[17] Peter G. Neumann et al., "On hierarchical design of computer systems for critical applications," IEEE Transactions on Software Engineering, 1986.

[18] Gitanjali Swamy et al., "Formal verification of digital systems," Proceedings of the Tenth International Conference on VLSI Design, 1997.

[19] Jane Sinclair et al., "Introduction to formal specification and Z," Prentice Hall International Series in Computer Science, 1991.

[20] Ewing L. Lusk et al., "LMA-based theorem prover," 1982.

[21] G. H. Chisholm et al., "An approach to the verification of a fault-tolerant, computer-based reactor safety system: A case study using automated reasoning. Volume 2, Appendixes: Interim report," 1987.

[22] J. S. Moore et al., "Proof Checking the RSA Public Key Encryption Algorithm," 1984.

[23] Dorothy E. Denning et al., "A lattice model of secure information flow," Communications of the ACM, 1976.

[24] A. Cohn, "The notion of proof in hardware verification," 1989.

[25] T. Fine, "A framework for composition," Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS '96), 1996.

[26] Jonathan K. Millen et al., "Security kernel validation in practice," Communications of the ACM, 1976.

[27] Robert S. Boyer et al., "Proof Checking the RSA Public Key Encryption Algorithm," 1986.

[28] Yiannis E. Papelis et al., "Specification and Analysis of Parallel/Distributed Software and Systems by Petri Nets With Transition Enabling Functions," IEEE Transactions on Software Engineering, 1992.

[29] Anthony S. Wojcik et al., "A Formal Design Verification System Based on an Automated Reasoning System," Proceedings of the 21st Design Automation Conference, 1984.

[30] Martín Abadi et al., "Conjoining specifications," ACM Transactions on Programming Languages and Systems, 1995.

[31] Cliff B. Jones et al., "Systematic software development using VDM," Prentice Hall International Series in Computer Science, 1986.

[32] Zohar Manna et al., "Introduction to mathematical theory of computation," 1972.

[33] Joseph Kljaich, Jr., "Formal verification of digital systems (hierarchical modeling, Petri nets, verification, rule-based)," 1985.

[34] Toshinori Suzuki et al., "A Protocol Modeling and Verification Approach Based on a Specification Language and Petri Nets," IEEE Transactions on Software Engineering, 1990.

[35] John McCarthy et al., "Mathematical Theory of Computation," 1991.

[36] John M. Rushby et al., "Design and verification of secure systems," Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), 1981.

[37] John M. Rushby et al., "Formal Specification and Verification of a Fault-Masking and Transient-Recovery Model for Digital Flight-Control Systems," Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT), 1992.

[38] Anthony S. Wojcik et al., "Formal Verification of Fault Tolerance Using Theorem-Proving Techniques," IEEE Transactions on Computers, 1989.

[39] Tomas Olovsson et al., "On the Integration of Security and Dependability in Computer Systems," 1992.

[40] Anthony S. Wojcik et al., "Formal Design Verification of Digital Systems," Proceedings of the 20th Design Automation Conference, 1983.

[41] Bowen Alpern et al., "Defining Liveness," Information Processing Letters, 1984.

[42] John Rushby, "Formal verification of algorithms for critical systems," 1991.

[43] David A. Watt et al., "Programming language concepts and paradigms," Prentice Hall International Series in Computer Science, 1990.

[44] Laura K. Dillon et al., "Verifying General Safety Properties of Ada Tasking Programs," IEEE Transactions on Software Engineering, 1990.