Alwyn Goodloe

Copilot: a hard real-time runtime monitor

We address the problem of runtime monitoring for hard realtime programs--a domain in which correctness is critical yet has largely been overlooked in the runtime monitoring community. We describe the challenges to runtime monitoring for this domain as well as an approach to satisfy the challenges. The core of our approach is a language and compiler called Copilot. Copilot is a stream-based dataflow language that generates small constant-time and constant-space C programs, implementing embedded monitors. Copilot also generates its own scheduler, obviating the need for an underlying real-time operating system.

Formal prototyping in early stages of protocol design

Network protocol design is usually an informal process where debugging is based on successive iterations of a prototype implementation. The feedback provided by a prototype can be indispensable since the requirements are often incomplete at the start. A draw-back of this technique is that errors in protocols can be notoriously difficult to detect by testing alone. Applying formal methods such as theorem proving can greatly increase ones confidence that the protocol is correct. However, formal methods can be tedious to use, rarely support successive design iterations and prototyping, are difficult to scale to entire designs, and typically require a clear understanding of requirements in advance. We investigate how formal simulation based on Maude executable specifications overcomes many of these hurdles. We apply this technique in the early stages of the design of a new security protocol, known as Layer 3 Accounting (L3A), aimed at protecting known vulnerabilities in the wireless accounting infrastructure. The protocol sets up a collection of IPsec security associations that provide the necessary protection. We demonstrate how formal simulation uncovered problems in several successive iterations of the L3A protocol design.

Copilot: monitoring embedded systems

Runtime verification (RV) is a natural fit for ultra-critical systems that require correct software behavior. Due to the low reliability of commodity hardware and the adversity of operational environments, it is common in ultra-critical systems to replicate processing units (and their hosted software) and incorporate fault-tolerant algorithms to compare the outputs, even if the software is considered to be fault-free. In this paper, we investigate the use of software monitoring in distributed fault-tolerant systems and the implementation of fault-tolerance mechanisms using RV techniques. We describe the Copilot language and compiler that generates monitors for distributed real-time systems, and we discuss two case-studies in which Copilot-generated monitors were used to detect onboard software and hardware faults and monitor air-ground data link messaging protocols.

Predictable programs in barcodes

We explore the challenges for making the programming interfaces for embedded devices open and safe, and present a prototype architecture for delivering verified programs using barcodes. In particular, we consider programs for microwave ovens, which provide a basic open API for controlling cooking times. In our architecture, recipes are written in Java, and their safety properties are formally verified using the model checker Spin. We use off-the-shelf utilities for compressing the byte code, and use two-dimensional barcodes for program delivery. We report on experiments that demonstrate the feasibility of the proposed architecture for predictability and delivery.

Compositional verification of a communication protocol for a remotely operated aircraft

This paper presents the formal specification and verification of a communication protocol between a ground station and a remotely operated aircraft. The protocol can be seen as the vertical composition of protocol layers, where each layer performs input and output message processing, and the horizontal composition of different processes concurrently inhabiting the same layer, where each process should satisfy a distinct delivery requirement. A compositional technique is used to formally prove that the protocol satisfies these requirements. Although the protocol itself is not novel, the methodology employed in its verification extends existing techniques by automating the tedious and usually cumbersome part of the proof, thereby making the iterative design process of protocols feasible.

Reasoning about Concurrency for Security Tunnels

There has been excellent progress on languages for rigorously describing key exchange protocols and techniques for proving that the network security tunnels they establish preserve confidentiality and integrity. New problems arise in describing and analyzing establishment protocols and tunnels when they are used as building blocks to achieve high-level security goals for network administrative domains. We introduce a language called the tunnel calculus and associated analysis techniques that can address functional problems arising in the concurrent establishment of tunnels. In particular, we use the tunnel calculus to explain and resolve cases where interleavings of establishment messages can lead to deadlock. Deadlock can be avoided by making unwelcome security compromises, but we prove that it can be eliminated systematically without such compromises using a concept of session to relate tunnels. Our main results are noninterference and progress theorems familiar to the concurrency community, but not previously applied to tunnel establishment protocols.

Compositional Verification of a Communication Protocol for a Remotely Operated Vehicle

We present the specification and verification, in PVS, of a protocol intended to facilitate communication in an experimental remotely operated vehicle used by NASA researchers. The protocol is defined as a stack-layered composition of simpler protocols. It can be seen as the vertical composition of protocol layers, where each layer performs input and output message processing, and the horizontal composition of different processes concurrently inhabiting the same layer, where each process satisfies a distinct requirement. We formally prove that the protocol components satisfy certain delivery guarantees. Then, we demonstrate compositional techniques that allow us to prove that these guarantees also hold in the composed system. Although the protocol itself is not novel, the methodology employed in its verification extends existing techniques by automating the tedious and usually cumbersome part of the proof, thereby making the iterative design process of protocols feasible.

Completeness of discovery protocols

Tunnel-complex protocols construct topologies of security tunnels by directing tunnel-establishment protocols to set up pair-wise tunnels, where the resulting collection of tunnels achieves an overall security objective. Such protocols ease the burden on network managers, but their design exhibits subtleties relating to functional correctness that can benefit from formal analysis. A class of tunnel-complex protocols that are of special interest are discovery protocols that discover security gateways and set up tunnels to negotiate their traversal by delivering the requisite credentials to satisfy the policies at security gateways on the dataflow path. We present a case study of a discovery protocol that sets up a concatenated sequence of tunnels. We then propose the concept of a theorem for discovery protocols that expresses the completeness of the protocols credential distribution mechanism. The theorem is parameterized for different protocols. We show how it is instantiated for the protocol in our case study and discuss how specific instances of the theorem characterize different classes of discovery protocols.