| John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993. |
.... In our opinion, this is actually an advantage because use of this approach is close to a genuine proof i.e. a chain of argument which will convince a human reviewer; the pitfalls of relying on the mere grunt of assent from an oracle (in this case, the model checking program) are well known [RvH91]. This approach of combining theorem proving and model checking techniques, capitalises on the strengths of each to minimize the weaknesses of the other. For on the one hand, model checking algorithms inherently suffer from a major limitation, namely, state explosion . We employ theorem ....
J. Rushby, F. von Henke. Formal verification of algorithms for critical systems. Computer Science Laboratory, SRI International 1991.
....these accidents with the Therac 25 the reader is referred to [LT93]. Formal methods, the term with which the variety of mathematical modelling techniques that are applicable to computer system design is meant, are often advocated as a way of increasing confidence in computer based systems. Many [BS92, BH95b, BS93b, BBL93, BH95a, BS93a, Bow93, But93, CGR93, CG92, GCR94, Hal90, Kem90, Nic91, RvH93, Rus94, WW93] believe that the use of formal methods currently offers the only intellectually defensible method for handling the software crisis which increasingly affects the world of embedded systems. In this report we shall mainly concentrate on safety critical software design. Formal methods can be applied ....
J. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
....was concerned. More recently, NASA commissioned work involving the application of formal methods to support fault tolerance in digital flight control systems (DFCS). [127] contains the formal specification and verification of a model for fault masking and transient recovery in DFCS applications. [129] describes the formal verification of the interactive convergence algorithm for Byzantine fault tolerant clock synchronization. [140] discusses the formal verification of the FtCayuga fault tolerant microprocessor system. It appears that NASA has found this line of investigation fruitful and ....
RUSHBY, J., and VON HENKE, F.: `Formal verification of algorithms for critical systems'. Proc. ACM SIGSOFT 91 Conference on Software for Critical Systems, Software Engineering Notes, ACM Press, December 1991, 16, (5), pp. 1--15
....was concerned. More recently, NASA commissioned work involving the application of formal methods to support fault tolerance in digital flight control systems (DFCS). [108] contains the formal specification and verification of a model for fault masking and transient recovery in DFCS applications. [110] describes the formal verification of the interactive convergence algorithm for Byzantine fault tolerant clock synchronization. [120] discusses the formal verification of the FtCayuga fault tolerant microprocessor system. It appears that NASA has found this line of investigation fruitful and or ....
RUSHBY, J., and VON HENKE, F.: `Formal verification of algorithms for critical systems'. Proc. ACM SIGSOFT 91 Conference on Software for Critical Systems, Software Engineering Notes, ACM Press, December 1991, 16, (5), pp. 1--15
....practical finite state techniques. In contrast, non finite state methods usually employ theorem proving techniques which are comparatively human labor intensive, are often research vehicles, and currently find favor in verification of small, complex, critical parts of safety critical systems [RvH93]. It may be preferable to mix the two sorts of techniques to obtain the advantages of both [Lam92]. There is another reason of principle to require a finite state semantics. This principle is based on inquiring what system information is explicit in concurrently running processes, and which ....
J. M. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, Jan 1993.
....and associated formal verification. We emphasize that the coverage of Byzantine faults necessitates algorithms and proofs of considerable complexity, both obvious and subtle. Formal methods present a level of rigor and establish confidence in such proofs which is often lacking in hand proofs [27]. The intent being to present a composite and comprehensive solution to on line diagnosis of arbitrary faults. It is interesting to note that as we undertake the formal specification and verification of the algorithms, these processes sometimes generate insights which simplify the actual ....
Rushby, J. and Henke, F., "Formal verification of algorithms for critical systems", IEEE Transactions on Software Engineering, vol. 19, pp. 13--23, Jan. 1993.
....From a practical point of view, however, the new scheme incurs a tremendous overhead from priority management. As formal methods have been shown to be able to discover flaws in analysis and to present a level of rigor and establish confidence in proofs which is often lacking in hand analysis [11], we have undertaken the formal specification and verification of FT RMA to establish the correctness of the proposed solutions. One of our interests is to be able to identify flaws in arguments presented in hand analysis of the original version of FT RMA and to demonstrate the capability of ....
J. Rushby, F. von Henke, "Formal Verification of Algorithms for Critical Systems." IEEE Transactions on Software Engineering, SE 19(1), pp. 13--23, 1993.
....technique will apply instead of choosing selective case studies. S3: Each node determines a reference value (based on a chosen voting scheme) from the values collected in S2, and computes a correction to align its local clock value to the reference time (convergence). Additional conditions [23] define the chosen voting strategy, currently initially in synchronization conditions, relative clock skews, specified fault tolerance, time stamping window size, etc. This protocol was used as a case study for formal tools using PVS [23]; a formal verification revealed that the algorithm makes ....
....the reference time (convergence). Additional conditions [23] define the chosen voting strategy, currently initially in synchronization conditions, relative clock skews, specified fault tolerance, time stamping window size, etc. This protocol was used as a case study for formal tools using PVS [23]; a formal verification revealed that the algorithm makes a number of assumptions that are not essential to correct operation. Moreover, it was pointed out in the investigation that a majority of lemmas in the algorithm proof were incorrect although the final proof was correct. The key observation ....
J. Rushby, F. von Henke, "Formal Verification of Algorithms for Critical Systems." IEEE Trans. on Software Engineering, SE 19(1), pp. 13--23, 1993.
....a family of mathematical and logical techniques used to reason about computer systems, are also seeing increasing usage in this verification process. Their main thrust, so far, has been for the verification of algorithms or protocols, and specifically, on finding design stage flaws in algorithms [11, 15, 18]. Validation techniques typically entail approaches such as modeling, simulations, stress testing, life testing, and also experimental techniques such as fault injection (FI). Given the enormous state space involved in protocols and especially software, analytical, modeling and simulation ....
....that round (within a defined time stamp interval) (data assimilation). S3: Each node determines a reference value (based on a chosen voting scheme) from the values collected in S2, and computes a correction to align its local clock value to the reference time (convergence). Additional conditions [15] define the chosen voting strategy, currently initially in synchronization conditions, relative clock skews, specified fault tolerance, time stamping window size, etc. This algorithm was used as a case study for formal tools using PVS [15]; a formal verification revealed that the algorithm ....
Rushby, J. and von Henke, F., "Formal Verification of Algorithms for Critical Systems." IEEE Trans. Software Engineering, vol. 19, pp. 13--23, Jan. 1993.
....in which programs and assertional specifications are combined, has been defined in the PVS specification language. Related to the work described here is the use of PVS [ORS92] and its predecessor EHDM for a number of applications, such as an interactive convergence clock synchronization algorithm [RvH93], a Byzantine fault tolerant clock synchronization [Sha93] and an algorithm for interactive consistency [LR93]. We also mention the specification language TLA (Temporal Logic of Actions) which has been applied to a large number of examples. See, e.g. the specification and the hierarchically ....
J. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, 1993.
....From the viewpoint of establishing correctness and efficient delivery of services, we focus on time critical aspects of dependable real time protocols in this paper. The effective use of formal techniques for analysing discrete dependable or real time services has been demonstrated in [4, 5, 11, 12, 14]. In this paper, we investigate formal methods capabilities for rigorous analysis of composite dependable real time protocols when the environment is not fully predictable (e.g. systems operating in non deterministic environments, i.e. in presence of faults). Specifically, our primary ....
J. Rushby, F. von Henke, "Formal Verification of Algorithms for Critical Systems." IEEE Trans. on Software Engineering, SE 19(1), pp. 13--23, Jan. 1993.
....because use of this approach is close to a genuine proof i.e. a chain of argument which will convince a human reviewer; the pitfalls of relying on the mere grunt of assent from an oracle (in this case, the model checking program) are well known [RvH91]. 4.2 Notation. In the following discussion, we associate a set V of variables with every program P. Each variable may take on values over a (finite) domain D. A state is an interpretation of V, assigning to each variable a value from domain D. 4.2.1 Notation for Programs. Without loss of ....
J. Rushby and F. von Henke. "Formal verification of algorithms for critical systems." Proc. of the ACM SIGSOFT'91 Conference on Software for Critical Systems, pp. 1--15.
....requirements elucidation, validation, verification, and documentation [16]. Indeed, most, if not all, of the formal techniques used for specification can be used for verification as well. A convincing demonstration of the strength of formal methods in verification is given by Rushby and Henke [111]. The formal verification rectified and made precise a series of assumptions, constraints and results (synchronization bounds). An automated theorem prover was employed which is probably a very good idea in all but very small projects because otherwise human error in the verification process will ....
J. M. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Trans. on Software Engineering, 19(1):13--23, January 1993.
.... synchronising clocks between computers [LMS85] whose descendants are called interactive convergence algorithms [Sch87, Sha92]. The rationale for synchronising clocks in on board flight control systems, as well as an account of how the relevant algorithms are shown to be correct, may be found in [Rv93]. Various interactive convergence algorithms were formally proved correct using the EHDM verification system developed at SRI International in [Sha92]. Testing of Flight Control Systems. The failure rate to be aimed for in safety critical systems such as flight control systems is 10^-9 ....
J.M. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
....fails the clocks of remaining, properly functioning processes maintain the required synchrony. Clock synchronization is thus a basic service that warrants careful analysis. The case for applying formal methods, including mechanized theorem proving, to this task has been made in the past (cf. [6]). Reasoning about fault tolerant clock synchronization algorithms is inherently difficult because of the possibility of subtle interactions involving failed components. A proof with the assistance of a mechanized proof system thus offers a higher degree of assurance that the verification of a ....
J. M. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Trans. on Software Engineering, 19(1):13--23, Jan. 1993.
....for example, the chosen clocks can change from one round to the next. However, verification of the basic algorithm provides a foundation for the TTA case. Formal verification of clock synchronization algorithms has quite a long history, beginning with Rushby and von Henke's verification [60] of the interactive convergence algorithm of Lamport and Melliar Smith [32]; this is similar to the Welch Lynch algorithm, except that the egocentric mean is used as the fault tolerant average. Shankar [70] formally verified Schneider's abstract algorithm and its instantiation for interactive ....
John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
....and to adapt to design changes. For example, the journal presentation of the interactive convergence clock synchronization algorithm [4] has an assumption that all initial clock adjustments are zero. Friedrich von Henke and I retained this assumption when we formally verified the algorithm [13]. Subsequently, when contemplating design of a circuit to implement part of the algorithm, it became clear that this assumption is exceedingly inconvenient. I explored the conjecture that it is unnecessary by simply striking it out of our formal specification and rerunning the proofs of all the ....
....in less than a day by modifying an existing treatment for a symmetric architecture [7]. The ability to make these enhancements to complex algorithms, rapidly and reliably, is an opportunity created by mechanized formal methods. Informal methods of proof are unreliable in these domains (see [6, 9, 13] for examples) and it requires superhuman discipline to bring the same level of care and skepticism to the scrutiny of a modified algorithm as to the original. A formal specification and verification, on the other hand, is a reusable intellectual resource: its properties can be calculated, and ....
John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
....service that warrants careful analysis. The case for applying formal methods, including mechanized theorem proving, to this task has been made in the past (cf. [10]; see also [6] for a summary of previous work). (This work has been supported in part by ESPRIT LTR Project 20072 Design for Validation (DeVa) and ESPRIT Project 20716 GUARDS.) Reasoning about fault tolerant clock synchronization algorithms is inherently difficult because of the possibility of subtle interactions involving failed components. A proof with the assistance of a mechanized proof system thus offers a higher ....
J. M. Rushby and F. von Henke. Formal verification of algorithms for critical systems. IEEE Trans. on Software Engineering, 19(1):13--23, Jan. 1993.
....methods, but must also provide very effective automation for theories that are commonly encountered. For illustration, I will use a verification of the Interactive Convergence Algorithm for Byzantine fault tolerant clock synchronization [9] that Friedrich von Henke and I performed some years ago [15]. The goal is to keep the clocks of distributed processors approximately synchronized, given that good clocks have some bounded drift rate, good processors can read the clocks of other good processors with some small error, and faulty processors and clocks are unconstrained (in particular, they ....
John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
....that is required by that framework. The link is facilitated by our structuring of specifications in such a manner that they fit the framework seamlessly. This is similar to the demonstration by Di Vito and Butler [3] that the treatment of the interactive convergence algorithm presented in [15] satisfies the synchronization requirements of the Reliable Computing Platform. The remainder of this paper is structured as follows. The next sections give an overview of the Time Triggered Protocol to the extent needed for this paper and describe the extraction of the clock synchronization ....
.... if i = 0; ttss(p) schedule(syncround(i) 1) if i 0. It is easy to see that the following equation holds for LC^i_p(t): LC^i_p(t) = PC_p(t) + adj^i_p. In previous work on clock synchronization clocks are also sometimes expressed in terms of functions mapping clock time to real time [11,12,15]. Some of our definitions and proofs are more naturally described this way and we therefore introduce the inverse mapping pc_p of p's physical clock; pc_p(T) denotes the earliest real time that p's physical clock reads T. Thus, we can define an inverse mapping of LC^i_p as lc^i_p(T) = pc_p ....
J. Rushby and F. von Henke. Formal Verification of Algorithms for Critical Systems. IEEE Trans. on Software Engineering, 19(1):13--23, January 1993.
....the argument. We were able to derive a journal style presentation from our mechanized verification that is not only more precise than the original, but is simpler, more uniform, and easier to follow [26] [27]. Our mechanized verification in Ehdm took us a couple of months to complete and required about 200 lemmas (many of which are concerned with background knowledge, such as summation and properties of the arithmetic mean, that are assumed in informal presentations). We have modified our original ....
....equality on abstract stacks corresponds to equality of the implementing arrays up to the pointer; this is not the standard equality on pairs. consistency of the axiomatization used to specify assumptions about clocks [27], we have a module algorithm that uses (imports) the module clocks. An interpretation for algorithm will normally generate interpretations for the types and constants in clocks as well. But if we have already established an interpretation for clocks, we will want the interpretation for algorithm ....
John Rushby and Friedrich von Henke, "Formal verification of algorithms for critical systems", IEEE Transactions on Software Engineering, vol. 19, no. 1, pp. 13--23, Jan. 1993.
....boundary conditions and case analyses. These are precisely the kinds of arguments where informal reasoning may be expected to go astray, and go astray it does: for example, the published proof for one synchronization algorithm [LMS85] has flaws in its main theorem and in four of its five lemmas [RvH93]. The flaws in this example were discovered while undertaking formal analysis at Level 3 and suggest the benefits that may be derived from this level of rigor. The value of undertaking mechanically checked proofs is that the dialog with a theorem prover forces examination of all cases to the ....
John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
....and implementation strategies employed in fault tolerant systems argue for the use of formal methods as a means of design assurance. A research program led by NASA Langley Research Center [4] has precisely this goal. So far the classical Byzantine fault tolerant clock synchronization algorithms [26,28], the Oral Messages Algorithm for Interactive Consistency [2,23], fault masking and transient recovery by majority voting [6, 24], extensions of clock synchronization to hybrid fault models [25] and transient recovery [20], extensions of the Oral Messages algorithm to the hybrid fault model ....
John Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.
John M. Rushby and Friedrich von Henke. Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering, 19(1):13--23, January 1993.