
Publication


Featured research published by Bruno Dutertre.


Computer Aided Verification | 2014

Yices 2.2

Bruno Dutertre

Yices is an SMT solver developed by SRI International. The first version of Yices was released in 2006 and has been continuously updated since then. In 2007, we started a complete re-implementation of the solver to improve performance and increase modularity and flexibility. We describe the latest release of Yices, namely, Yices 2.2. We present the tool's architecture and discuss the algorithms it implements, and we describe recent developments such as support for the SMT-LIB 2.0 notation and various performance improvements.


Formal Modeling and Analysis of Timed Systems | 2004

Modeling and Verification of a Fault-Tolerant Real-Time Startup Protocol Using Calendar Automata

Bruno Dutertre; Maria Sorea

We discuss the modeling and verification of real-time systems using the SAL model checker. A new modeling framework based on event calendars enables dense timed systems to be described without relying on continuously varying clocks. We present verification techniques that rely on induction and abstraction, and show how these techniques are efficiently supported by the SAL symbolic model-checking tools. The modeling and verification method is applied to the fault-tolerant real-time startup protocol used in the Time-Triggered Architecture.


Computer Aided Verification | 2007

A tutorial on satisfiability modulo theories

Leonardo Mendonça de Moura; Bruno Dutertre; Natarajan Shankar

Solvers for satisfiability modulo theories (SMT) check the satisfiability of first-order formulas containing operations from various theories such as the Booleans, bit-vectors, arithmetic, arrays, and recursive datatypes. SMT solvers are extensions of Boolean satisfiability solvers (SAT solvers) that check the satisfiability of formulas built from Boolean variables and operations. SMT solvers have a wide range of applications in hardware and software verification, extended static checking, constraint solving, planning, scheduling, test case generation, and computer security. We briefly survey the theory of SAT and SMT solving, and present some of the key algorithms in the form of pseudocode. This tutorial presentation is primarily directed at those who wish to build satisfiability solvers or to use existing solvers more effectively.


International Workshop on Security | 2002

An Architecture for an Adaptive Intrusion-Tolerant Server

Alfonso Valdes; Magnus Almgren; Steven Cheung; Yves Deswarte; Bruno Dutertre; Joshua Levy; Hassen Saïdi; Victoria Stavridou; Tomás E. Uribe

We describe a general architecture for intrusion-tolerant enterprise systems and the implementation of an intrusion-tolerant Web server as a specific instance. The architecture comprises functionally redundant COTS servers running on diverse operating systems and platforms, hardened intrusion-tolerance proxies that mediate client requests and verify the behavior of servers and other proxies, and monitoring and alert management components based on the EMERALD intrusion-detection framework. Integrity and availability are maintained by dynamically adapting the system configuration in response to intrusions or other faults. The dynamic configuration specifies the servers assigned to each client request, the agreement protocol used to validate server replies, and the resources spent on monitoring and detection. Alerts trigger increasingly strict regimes to ensure continued service, with graceful degradation of performance, even if some servers or proxies are compromised or faulty. The system returns to less stringent regimes as threats diminish. Servers and proxies can be isolated, repaired, and reinserted without interrupting service.


DARPA Information Survivability Conference and Exposition | 2001

Intrusion tolerant software architectures

Victoria Stavridou; Bruno Dutertre; Robert A. Riemenschneider; Hassen Saïdi

The complexity of the software systems built today virtually guarantees the existence of security vulnerabilities. When the existence of specific vulnerabilities becomes known, typically as a result of detecting a successful attack, intrusion prevention techniques such as firewalls and anti-virus software seek to prevent future attackers from exploiting these vulnerabilities. However, vulnerabilities cannot be totally eliminated, their existence is not always known, and prevention mechanisms cannot always be built. Intrusion tolerance is a new concept, a new design paradigm, and potentially a new capability for dealing with residual security vulnerabilities. In this article, we describe our initial exploration of the hypothesis that intrusion tolerance is best designed and enforced at the software architecture level.


IEEE Symposium on Security and Privacy | 2002

Intrusion-tolerant Enclaves

Bruno Dutertre; Valentin Crettaz; Victoria Stavridou

Despite our best efforts, any sufficiently complex computer system has vulnerabilities. It is safe to assume that such vulnerabilities can be exploited by attackers who will be able to penetrate the system. Intrusion tolerance attempts to maintain acceptable service despite such intrusions. This paper presents an application of intrusion-tolerance concepts to Enclaves, a software infrastructure for supporting secure group applications. Intrusion tolerance is achieved via a combination of Byzantine fault-tolerant protocols and secret sharing techniques.


Computational Statistics & Data Analysis | 1998

From security to safety and back

Victoria Stavridou; Bruno Dutertre

Dependability encompasses different classes of system properties, related to security, reliability, or safety. This paper examines the relevance of the security concept of noninterference to safety-related properties, and conversely, the applicability of fault-tolerance mechanisms usually applied to provide safety and reliability in the security domain. We suggest promising lines of research in the intersection of safety and security, in the application of security concepts and models to different classes of safety or fault-tolerance properties, and in the theory and practice of fault-tolerant systems applied to intrusion tolerance.


NASA Formal Methods | 2011

Automated formal verification of the TTEthernet synchronization quality

Wilfried Steiner; Bruno Dutertre

Clock synchronization is the foundation of distributed real-time architectures such as the Time-Triggered Architecture. Keeping the local clocks synchronized is particularly important for fault tolerance, as it allows one to use the simple and effective fault-tolerance algorithms that have been developed in the synchronous system model. Clock synchronization algorithms have been extensively studied since the 1980s, and many fundamental results have been established. Traditionally, the correctness of a new clock synchronization algorithm is shown by reduction to these results. Until now, formal proofs of correctness all relied on interactive theorem provers such as PVS or Isabelle/HOL. In this paper, we present an automated proof of the TTEthernet clock-synchronization algorithm that is based on the SAL model checker.


Formal Methods for Industrial Critical Systems | 2010

SMT-based formal verification of a TTEthernet synchronization function

Wilfried Steiner; Bruno Dutertre

TTEthernet is a communication infrastructure for mixed-criticality systems that integrates dataflow from applications with different criticality levels on a single network. For applications of the highest criticality, TTEthernet provides a synchronization strategy that tolerates multiple failures. The resulting fault-tolerant timebase can then be used for time-triggered communication to ensure temporal partitioning on the shared network. In this paper, we present the formal verification of the compression function, which is a core element of the clock synchronization service of TTEthernet. The compression function is located in the TTEthernet switches: it collects clock readings from the end systems, performs a fault-tolerant median calculation, and feeds the result back to the end systems. While traditionally the formal proof of these types of algorithms is done by theorem proving, we successfully use the model checker sal-inf-bmc incorporating the YICES SMT solver. This approach improves the automated verification process and thus reduces the manual verification overhead.


Journal of Systems and Software | 1995

The practice of formal methods in safety-critical systems

Shaoying Liu; Victoria Stavridou; Bruno Dutertre

By describing several industrial-scale applications of formal methods, we demonstrate that formal methods for software development and safety analysis are being increasingly adopted in the safety-critical systems sector. The benefits and limitations of formal methods are described, and the problems in developing software for safety-critical systems are analyzed.
