Publications
Featured research published by Ashlie B. Hocking.
International Symposium on Software Reliability Engineering | 2014
M. Anthony Aiello; Ashlie B. Hocking; John C. Knight; Jonathan C. Rowanhill
SCT is a safety case toolkit designed to support the development and maintenance of safety cases for large, safety-critical systems. SCT supports safety case development by providing facilities to manage the file structure associated with the safety case, editors for various notations including GSN (Goal Structuring Notation), and a build system that creates a custom web site to store the safety case. The web-based representation of the safety case includes a variety of features for safety case examination, including comprehensive hyperlinking of elements, a GSN viewer, an argument index, and various custom reports.
International Symposium on Software Reliability Engineering | 2014
Ashlie B. Hocking; John C. Knight; M. Anthony Aiello; Shinichi Shiraishi
ISO 26262 is a safety standard for electrical and/or electronic systems in automobiles and includes specific requirements for software. Compliance with the standard requires a safety case. In this paper we present an approach to structuring a software assurance case that complies with ISO 26262 and argues explicitly that the subject software meets appropriate dependability goals. The resulting assurance case integrates conveniently into a safety case for the subject system.
International Symposium on Software Reliability Engineering | 2014
Ashlie B. Hocking; John C. Knight; M. Anthony Aiello; Shinichi Shiraishi
We introduce the concept of constrained equivalence of models in model-based development and present a proof technology for establishing constrained equivalence for models documented in MathWorks Simulink. We illustrate the approach using a simple model of an automobile anti-lock braking system.
High-Assurance Systems Engineering | 2016
Ashlie B. Hocking; M. Anthony Aiello; John C. Knight; Nikos Arechiga
Modern cyber-physical systems place ever-increasing reliance on high-assurance software. Recent high-profile safety and security incidents directly attributable to software point to a failure to develop sufficient assurance of software correctness through verification and validation. While formal methods provide techniques for proving that critical safety and security properties hold for all inputs and all execution paths, engineers typically rely on simulation and testing, which can establish the presence of defects but not their absence. A key reason for the lack of application of formal methods is the perception that they are difficult to learn and to use. In previous work, we introduced Simulink2PVS, a tool that converts Simulink models to the PVS specification language. In this paper, we extend Simulink2PVS to translate the checks associated with Simulink assertion blocks to putative theorems. This approach allows engineers to state critical safety and security properties using Simulink assertion blocks, which are immediately familiar to engineers with Simulink experience. Engineers can then prove that the properties hold for all inputs and all execution paths. As a result, the expressive and analytic power of the engineers' existing toolkit is greatly increased, and engineers can substantially raise their confidence in the assurance provided by the software.
NASA Formal Methods Symposium | 2017
Ashlie B. Hocking; M. Anthony Aiello; John C. Knight; Nikos Arechiga
Real-world applications often include large, empirically defined discrete-valued functions. When proving properties about these applications, the proof naturally breaks into one case per entry in the first function reached, then again into one case per entry in the next function, and continues splitting. This splitting yields a combinatorial explosion of proof cases that challenges traditional proof approaches. While each proof case represents a mathematical path from inputs to outputs through these functions, the full set of cases is not available up front, preventing a straightforward application of parallelism. Here we describe an approach that slices the input space, creating a partition based on pre-computed mathematical paths such that each slice has only a small number of proof cases. These slices are amenable to massively parallel proof. We evaluate this approach using an example model of an adaptive cruise control, where proofs are conducted in a highly parallel PVS environment.
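The slicing idea from the abstract above, as an added illustration that is not the paper's tool or code and does no PVS proof: a chain of lookup tables stands in for the "empirically defined discrete-valued functions", the naive case count is the product of the table sizes at each stage, and pre-computing which entries are reachable from each first-stage box yields far fewer slices, each discharged independently in a worker pool. It also shows the point of the preceding Simulink2PVS abstract in miniature, since the property is established for every input rather than sampled. The adaptive-cruise-control tables, the property and the input domain are constructed for this example; the per-slice check is valid only because every downstream value is constant inside a slice, and `check_partition` brute-forces that invariant on the finite domain.

```python
"""Slicing an input space by pre-computed lookup-table paths.

Constructed illustration of the slicing idea in the abstract above. It is
not the paper's tool and does no PVS proof: the tables, the property and
the domain are invented here so the mechanics can be run end to end.
"""
from concurrent.futures import ThreadPoolExecutor
from itertools import product
from typing import Dict, List, Tuple

Row = Tuple[int, int, int]        # (lo, hi, value) over an inclusive integer interval
Box = Dict[str, Tuple[int, int]]  # input variable -> (lo, hi)

# Hypothetical adaptive-cruise-control tables (constructed, not from the paper).
SPEED_CLASS: List[Row] = [(-40, -21, 0), (-20, -6, 1), (-5, 5, 2), (6, 40, 3)]  # relative speed, km/h
GAP_CLASS: List[Row] = [(0, 19, 0), (20, 59, 1), (60, 120, 2)]                # gap, m
# commanded acceleration (tenths of m/s^2) indexed by (speed class, gap class)
ACCEL: Dict[Tuple[int, int], int] = {
    (0, 0): -40, (0, 1): -30, (0, 2): -15,
    (1, 0): -30, (1, 1): -10, (1, 2): 0,
    (2, 0): -20, (2, 1): 0, (2, 2): 5,
    (3, 0): -20, (3, 1): 5, (3, 2): 10,
}
BRAKE_LEVEL: List[Row] = [(-40, -26, 3), (-25, -11, 2), (-10, -1, 1), (0, 10, 0)]

def lookup(table: List[Row], x: int) -> Tuple[int, int]:
    """Return (row index, value) for the row whose interval contains x."""
    for i, (lo, hi, v) in enumerate(table):
        if lo <= x <= hi:
            return i, v
    raise ValueError(f"{x} is outside the table domain")

def controller(rel_speed: int, gap: int) -> Tuple[tuple, int]:
    """Evaluate the chain; return the path (entry hit at each stage) and the output."""
    i, c = lookup(SPEED_CLASS, rel_speed)
    j, g = lookup(GAP_CLASS, gap)
    a = ACCEL[(c, g)]
    k, level = lookup(BRAKE_LEVEL, a)
    return (i, j, (c, g), k), level

def naive_case_count() -> int:
    """The case split the abstract warns about: one case per entry at every stage."""
    return len(SPEED_CLASS) * len(GAP_CLASS) * len(ACCEL) * len(BRAKE_LEVEL)

def slices() -> List[Tuple[Box, tuple, int]]:
    """Partition the inputs along the first-stage row boundaries.

    Later tables are reached only through the first-stage values, so every
    input in one box follows the same pre-computed path and yields the same
    output: each box is a single proof case.
    """
    cases = []
    for (slo, shi, _), (glo, ghi, _) in product(SPEED_CLASS, GAP_CLASS):
        path, level = controller(slo, glo)  # any point of the box is representative
        cases.append(({"rel_speed": (slo, shi), "gap": (glo, ghi)}, path, level))
    return cases

# Property to prove for all inputs (constructed): when closing at a short gap,
# the brake level is at least 2.
ANTECEDENT: Box = {"rel_speed": (-40, -6), "gap": (0, 19)}

def intersects(a: Box, b: Box) -> bool:
    """True if the two boxes share at least one point."""
    return all(max(a[v][0], b[v][0]) <= min(a[v][1], b[v][1]) for v in a)

def prove_slice(case: Tuple[Box, tuple, int]) -> bool:
    """Discharge one slice. The output is constant on the box, so the
    universally quantified property collapses to one comparison."""
    box, _path, level = case
    return level >= 2 if intersects(box, ANTECEDENT) else True

def prove_all(workers: int = 4) -> Tuple[int, int, bool]:
    """Return (naive case count, number of slices, whether every slice proves).
    Slices are independent, so they are dispatched to a worker pool."""
    cases = slices()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(prove_slice, cases))
    return naive_case_count(), len(cases), all(verdicts)

def check_partition() -> bool:
    """Brute-force the slicing invariant on the finite domain: every input lies
    in exactly one slice and follows that slice's pre-computed path."""
    cases = slices()
    for v in range(-40, 41):
        for g in range(0, 121):
            point = {"rel_speed": (v, v), "gap": (g, g)}
            hits = [c for c in cases if intersects(c[0], point)]
            if len(hits) != 1 or controller(v, g)[0] != hits[0][1]:
                return False
    return True

if __name__ == "__main__":
    naive, n_slices, proved = prove_all()
    print(f"naive cases: {naive}, slices: {n_slices}, property proved: {proved}")
    print("partition sound:", check_partition())
```

With these tables the naive split is 576 cases while only 12 slices are reachable, and the worker pool never has to wait on the full case enumeration because the slices are known before any proof starts.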
NASA Formal Methods | 2016
Ashlie B. Hocking; Benjamin D. Rodes; John C. Knight; Jack W. Davidson; Clark L. Coleman
Establishing properties of binary programs by proof is a desirable goal when the properties of interest are crucial, such as those that arise in safety- and security-critical applications. Practical development of proofs for binary programs requires a substantial infrastructure to disassemble the program, define the machine semantics, and actually undertake the required proofs. At the center of these infrastructure requirements is the need to document semantics in a formal language. In this paper we present a work-in-progress proof infrastructure for binary programs based on AdaCore and Altran's integrated development and verification environment, SPARK Pro. We illustrate the infrastructure with the proof of a security property.
Dependable Systems and Networks | 2016
Jack W. Davidson; Jason D. Hiser; Anh Nguyen-Tuong; Clark L. Coleman; William H. Hawkins; John C. Knight; Benjamin D. Rodes; Ashlie B. Hocking
Software for which development artifacts are missing is increasingly common and difficult to avoid, including in embedded systems. The lack of development artifacts leaves doubt about whether the software possesses critical security properties and makes enhancement of the software extremely difficult. Embedded systems often have strict resource constraints, making the application of security enhancements especially difficult. In this paper, we present details of a system that is being developed to provide significant protection against security exploits of embedded systems. The system operates on binary programs. No source code or other development artifacts are required, and the typical size and time constraints of embedded systems are accounted for in the analysis and processing of subject binary programs. Formal verification of security properties is used to eliminate unnecessary security transformations, and the remaining transformations are applied by a highly efficient static binary rewriter.
52nd Aerospace Sciences Meeting | 2014
Alec J. Bateman; Jared Cooper; Kimberly S. Wasson; John C. Knight; Michael D. DeVore; Ashlie B. Hocking
The type certification process for aircraft intended to fly in the National Airspace System (NAS) incorporates a process for assuring that the airborne software to be run on such aircraft complies with Federal Aviation Regulations (FARs). At the time of the work described in this paper, FAA AC 20-115B recognized RTCA/DO-178B as a means for demonstrating this assurance, and in practice DO-178B has been the means used almost exclusively for many years. For some organizations and some software systems, alternatives to DO-178B might be more effective in terms of cost, applicability, flexibility, and even strength of the ultimate assurance claim. Assurance cases have generated significant interest as a possible tool for addressing software assurance challenges, including those associated with the Next Generation Air Transportation System (NextGen). This paper describes work to compare a compliance approach based on DO-178B to one based around assurance case methods, and to do so in the context of collision avoidance software that is representative of the challenges of NextGen software systems. The comparison revealed substantial differences between the methods, both in the associated engineering goals and in the level of maturity. The work produced two argument structures for demonstrating software compliance, including one based on the guidance of AC 20-171. The authors conclude that the assurance case methods have the potential to provide value in the software assurance process in large part by presenting an explicit rationale for software assurance that is missing from standards like DO-178B.
SAE 2015 World Congress & Exhibition | 2015
Ashlie B. Hocking; John C. Knight; M. Anthony Aiello; Shinichi Shiraishi
SAE 2016 World Congress and Exhibition | 2016
Ashlie B. Hocking; M. Anthony Aiello; John C. Knight; Shinichi Shiraishi; Masahiro Yamaura; Nikos Arechiga