Results 1  10
of
113
Verification of Embedded Systems using a Petri Net based Representation
 in Proc. ISSS, 2000
, 2000
"... The ever increasing complexity of embedded systems consisting of hardware and software components poses a challenge in verifying their correctness. New verification methods that overcome the limitations of traditional techniques and, at the same time, are suitable for hardware/ software systems are ..."
Abstract

Cited by 40 (14 self)
 Add to MetaCart
The ever increasing complexity of embedded systems consisting of hardware and software components poses a challenge in verifying their correctness. New verification methods that overcome the limitations of traditional techniques and, at the same time, are suitable for hardware/ software systems are needed. In this work we formally define the semantics of PRES+, a Petri net based computational model aimed to represent embedded systems. We introduce an approach to formal verification of such systems: we make use of model checking to prove the correctness of embedded systems by determining the truth of CTL and TCTL formulas that specify required properties with respect to a PRES+ model. An ATM server illustrates the feasibility of our approach on practical applications. 1. Introduction Modern electronic systems are typically constituted of applicationspecific hardware components and software running on programmable platforms. The inherent heterogeneity of this kind of systems makes the...
SATbased unbounded symbolic model checking
 in Proc. 40th Design Automat. Conf. Anaheim, CA: IEEE Computer Society
"... Abstract—This paper describes a Boolean satisfiability checking (SAT)based unbounded symbolic modelchecking algorithm. The conjunctive normal form is used to represent sets of states and transition relation. A logical operation on state sets is implemented as an operation on conjunctive normal fo ..."
Abstract

Cited by 35 (0 self)
 Add to MetaCart
(Show Context)
Abstract—This paper describes a Boolean satisfiability checking (SAT)based unbounded symbolic modelchecking algorithm. The conjunctive normal form is used to represent sets of states and transition relation. A logical operation on state sets is implemented as an operation on conjunctive normal form formulas. A satisfyall procedure is proposed to compute the existential quantification required in obtaining the preimage and fix point. The proposed satisfyall procedure is implemented by modifying a SAT procedure to generate all the satisfying assignments of the input formula, which is based on new efficient techniques such as line justification to make an assignment covering more search space, excluding clause management, and twolevel logic minimization to compress the set of found assignments. In addition, a cache table is introduced into the satisfyall procedure. It is a difficult problem for a satisfyall procedure to detect the case that a previous result can be reused. This paper shows that the case can be detected by comparing sets of undetermined variables and clauses. Experimental results show that the proposed algorithm can check more circuits than binary decision diagrambased and previous SATbased modelchecking algorithms. Index Terms—Boolean satisfiability checking (SAT), formal verification, symbol manipulation, symbolic model checking. I.
Models of computation and languages for embedded system design
 IEE Proceedings on Computers and Digital Techniques
"... ..."
A Foundation for FlowBased Program Matching Using Temporal Logic and Model Checking
"... Reasoning about program controlflow paths is an important functionality of a number of recent program matching languages and associated searching and transformation tools. Temporal logic provides a welldefined means of expressing properties of controlflow paths in programs, and indeed an extensio ..."
Abstract

Cited by 16 (9 self)
 Add to MetaCart
(Show Context)
Reasoning about program controlflow paths is an important functionality of a number of recent program matching languages and associated searching and transformation tools. Temporal logic provides a welldefined means of expressing properties of controlflow paths in programs, and indeed an extension of the temporal logic CTL has been applied to the problem of specifying and verifying the transformations commonly performed by optimizing compilers. Nevertheless, in developing the Coccinelle program transformation tool for performing Linux collateral evolutions in systems code, we have found that existing variants of CTL do not adequately support rules that transform subterms other than the ones matching an entire formula. Being able to transform any of the subterms of a matched term seems essential in the domain targeted by Coccinelle. In this paper, we propose an extension to CTL named CTLVW (CTL with variables and witnesses) that is a suitable basis for the semantics and implementation of the Coccinelle’s program matching language. Our extension to CTL includes existential quantification over program fragments, which allows metavariables in the program matching language to range over different values within different controlflow paths, and a notion of witnesses that record such existential bindings for use in the subsequent program transformation process. We formalize CTLVW and describe its use in the context of Coccinelle. We then assess the performance of the approach in practice, using a transformation rule that fixes several reference count bugs in Linux code.
Defeating UCI: Building Stealthy and Malicious Hardware
"... Abstract—In previous work Hicks et al. proposed a method called Unused Circuit Identification (UCI) for detecting malicious backdoors hidden in circuits at design time. The UCI algorithm essentially looks for portions of the circuit that go unused during designtime testing and flags them as potenti ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
(Show Context)
Abstract—In previous work Hicks et al. proposed a method called Unused Circuit Identification (UCI) for detecting malicious backdoors hidden in circuits at design time. The UCI algorithm essentially looks for portions of the circuit that go unused during designtime testing and flags them as potentially malicious. In this paper we construct circuits that have malicious behavior, but that would evade detection by the UCI algorithm and still pass designtime test cases. To enable our search for such circuits, we define one class of malicious circuits and perform a bounded exhaustive enumeration of all circuits in that class. Our approach is simple and straight forward, yet it proves to be effective at finding circuits that can thwart UCI. We use the results of our search to construct a practical attack on an opensource processor. Our malicious backdoor allows any userlevel program running on the processor to enter supervisor mode through the use of a secret “knock. ” We close with a discussion on what we see as a major challenge facing any future designtime malicious hardware detection scheme: identifying a sufficient class of malicious circuits to defend against. Keywordshardware; security; attack I.
Verification of embedded systems using a petri net based representation
 In Proceedings of the 13th international symposium on System synthesis
, 2000
"... The ever increasing complexity of embedded systems consisting of hardware and software components poses a challenge in verifying their correctness. New verification methods that overcome the limitations of traditional techniques and, at the same time, are suitable for hardware/ software systems are ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
(Show Context)
The ever increasing complexity of embedded systems consisting of hardware and software components poses a challenge in verifying their correctness. New verification methods that overcome the limitations of traditional techniques and, at the same time, are suitable for hardware/ software systems are needed. In this work we formally define the semantics of PRES+, a Petri net based computational model aimed to represent embedded systems. We introduce an approach to formal verification of such systems: we make use of model checking to prove the correctness of embedded systems by determining the truth of CTL and TCTL formulas that specify required properties with respect to a PRES+ model. An ATM server illustrates the feasibility of our approach on practical applications. 1.
Modeling and formal verification of embedded systems based on a Petri net representation
, 2003
"... In this paper we concentrate on aspects related to modeling and formal verification of embedded systems. First, we define a formal model of computation for embedded systems based on Petri nets that can capture important features of such systems and allows their representation at different levels of ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
In this paper we concentrate on aspects related to modeling and formal verification of embedded systems. First, we define a formal model of computation for embedded systems based on Petri nets that can capture important features of such systems and allows their representation at different levels of granularity. Our modeling formalism has a welldefined semantics so that it supports a precise representation of the system, the use of formal methods to verify its correctness, and the automation of different tasks along the design process. Second, we propose an approach to the problem of formal verification of embedded systems represented in our modeling formalism. We make use of model checking to prove whether certain properties, expressed as temporal logic formulas, hold with respect to the system model. We introduce a systematic procedure to translate our model into timed automata so that it is possible to use available model checking tools. We propose two strategies for improving the verification efficiency, the first by applying correctnesspreserving transformations and the second by exploring the degree of parallelism characteristic to the system. Some examples, including a realistic industrial case, demonstrate the efficiency of our approach on practical applications.
Detecting Malicious Logic Through Structural Checking
"... Abstract—Hardware is just as susceptible as software to “hacker attacks”, through inclusion of malicious logic; and the consequences of such an attack could be disastrous! The impact of software viruses has been felt, at one time or another, by the entire computerized world, through loss of producti ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
Abstract—Hardware is just as susceptible as software to “hacker attacks”, through inclusion of malicious logic; and the consequences of such an attack could be disastrous! The impact of software viruses has been felt, at one time or another, by the entire computerized world, through loss of productivity, loss of system resources or data, or mere inconvenience. However, the nature of malicious logic and defending against it is fundamentally different from its software counterpart. Malicious logic has the added dimension of not being removable once encapsulated in the system. This paper will identify hardware vulnerabilities and will outline an automated method, called Structural Checking, to detect and prevent malicious logic from becoming incorporated into an ASIC, which could cause catastrophic system failure, security breaches, or other dire consequences. I.
Using theorem provers to guarantee closedloop system properties
 In ACC
, 2012
"... Abstract — This paper presents a new approach for leveraging the power of theorem provers for formal verification to provide sufficient conditions that can be checked on embedded control designs. Theorem provers are often most efficient when using generic models that abstract away many of the contro ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
(Show Context)
Abstract — This paper presents a new approach for leveraging the power of theorem provers for formal verification to provide sufficient conditions that can be checked on embedded control designs. Theorem provers are often most efficient when using generic models that abstract away many of the controller details, but with these abstract models very general conditions can be verified under which desirable properties such as safety can be guaranteed for the closedloop system. We propose an approach in which these sufficient conditions are static conditions that can be checked for the specific controller design, without having to include the dynamics of the plant. We demonstrate this approach using the KeYmaera theorem prover for differential dynamic logic for two examples: an intelligent cruise controller and a cooperative intersection collision avoidance system (CICAS) for leftturn assist. In each case, safety of the closedloop system proved using KeYmaera provides static sufficient conditions that are checked for the controller design. I.
Symbolic Model Checking of Dual Transition Petri Nets
 In Proceedings of the 10 th International Workshop on Hardware/Software Codesign (CODES/CASHE
, 2002
"... This paper describes the formal verification of the recently introduced Dual Transition Petri Net (DTPN) models [12], using model checking techniques. The methodology presented addresses the symbolic model checking of embedded systems behavioural properties, expressed in either computation tree logi ..."
Abstract

Cited by 7 (6 self)
 Add to MetaCart
This paper describes the formal verification of the recently introduced Dual Transition Petri Net (DTPN) models [12], using model checking techniques. The methodology presented addresses the symbolic model checking of embedded systems behavioural properties, expressed in either computation tree logics (CTL) or linear temporal logics (LTL). The embedded system specification is given in terms of DTPN models, where elements of the model are captured in a fourmodule library which implements the behaviour of the model. Key issues in the development of the methodology are the heterogeneity and the nondeterministic nature of the model. This is handled by introducing some modifications in both structure and behaviour of the model, thus reducing the points of nondeterminism. Several features of the methodology are discussed and two examples are given in order to show the validity of the model. 1.