Nannan He
Minnesota State University, Mankato
Publication
Featured research published by Nannan He.
formal methods | 2009
Angelo Brillout; Nannan He; Michele Mazzucchi; Daniel Kroening; Mitra Purandare; Philipp Rümmer; Georg Weissenbacher
The Matlab/Simulink language has become the standard formalism for modeling and implementing control software in areas like avionics, automotive, railway, and process automation. Such software is often safety critical, and bugs have potentially disastrous consequences for people and material involved. We define a verification methodology to assess the correctness of Simulink programs by means of automated test-case generation. In the style of fault- and mutation-based testing, the coverage of a Simulink program by a test suite is defined in terms of the detection of injected faults. Using bounded model checking techniques, we are able to effectively and automatically compute test suites for given fault models. Several optimisations are discussed to make the approach practical for realistic Simulink programs and fault models, and to obtain accurate coverage measures.
design automation conference | 2011
Nannan He; Philipp Rümmer; Daniel Kroening
Mutation testing suffers from the high computational cost of automated test-vector generation, due to the large number of mutants that can be derived from programs and the cost of generating test-cases in a white-box manner. We propose a novel algorithm for mutation-based test-case generation for Simulink models that combines white-box testing with formal concept analysis. By exploiting similarity measures on mutants, we are able to effectively generate small sets of short test-cases that achieve high coverage on a collection of Simulink models from the automotive domain. Experiments show that our algorithm performs significantly better than random testing or simpler mutation-testing approaches.
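The two abstracts above describe mutation-based test generation: inject one fault per mutant, then ask a bounded model checker for an input on which the mutant and the original disagree, reusing earlier test cases to keep the suite short. The following C program is an added illustration, not code from the papers: the controller block, the mutants, the limits LO and HI and the input bound are all constructed for the example, and plain enumeration of the bounded input range stands in for the symbolic search the bounded model checker performs. It also shows two effects the abstracts mention: an equivalent mutant that no test can kill, and a coverage figure that depends on the bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed controller step (not from the papers): saturate an error
   signal into the actuator range, the behaviour of a Simulink Saturation
   block. LO and HI are assumed values. */
#define LO (-10)
#define HI 10

static int saturate(int e) {
    if (e > HI) return HI;
    if (e < LO) return LO;
    return e;
}

/* Mutants: each injects exactly one fault into saturate(). */
static int mutant_rop(int e) {      /* '>' -> '>=': an equivalent mutant, no input kills it */
    if (e >= HI) return HI;
    if (e < LO) return LO;
    return e;
}
static int mutant_const(int e) {    /* upper limit 10 -> 9 */
    if (e > 9) return 9;
    if (e < LO) return LO;
    return e;
}
static int mutant_branch(int e) {   /* lower clamp returns the wrong limit */
    if (e > HI) return HI;
    if (e < LO) return HI;
    return e;
}

typedef int (*step_fn)(int);
static const struct { const char *name; step_fn fn; } mutants[] = {
    { "rop: '>' -> '>='",  mutant_rop },
    { "const: HI 10 -> 9", mutant_const },
    { "branch: LO -> HI",  mutant_branch },
};
#define NMUTANTS (sizeof mutants / sizeof mutants[0])

static bool kills(step_fn m, int input) { return m(input) != saturate(input); }

/* Test generation. Every input in [-bound, bound] is enumerated, a stand-in
   for the bounded model checker, which finds a distinguishing input within a
   bound symbolically. A mutant already killed by an earlier test gets no new
   test (greedy reuse), which keeps the suite small. Returns the number of
   mutants killed; the suite and its length come back via the out-parameters. */
int generate_tests(int bound, int suite[], int max_suite, int *suite_len) {
    int killed = 0;
    *suite_len = 0;
    for (size_t m = 0; m < NMUTANTS; m++) {
        bool done = false;
        for (int i = 0; i < *suite_len && !done; i++)
            done = kills(mutants[m].fn, suite[i]);
        for (int e = -bound; e <= bound && !done; e++) {
            if (kills(mutants[m].fn, e) && *suite_len < max_suite) {
                suite[(*suite_len)++] = e;
                done = true;
            }
        }
        if (done) killed++;
        else printf("not killed within bound %d: %s\n", bound, mutants[m].name);
    }
    return killed;
}

/* Convenience wrappers: mutation coverage and suite size for a given bound. */
int killed_within(int bound)     { int s[16], n; return generate_tests(bound, s, 16, &n); }
int suite_size_within(int bound) { int s[16], n; generate_tests(bound, s, 16, &n); return n; }

int main(void) {
    int suite[16], n;
    int killed = generate_tests(12, suite, 16, &n);
    printf("bound 12: killed %d of %zu mutants with %d test(s):", killed, NMUTANTS, n);
    for (int i = 0; i < n; i++) printf(" e=%d", suite[i]);
    printf("\n");
    return 0;
}
```

With bound 12 two tests (e = 10 and e = -12) kill the two killable mutants; with bound 10 the lower-clamp mutant cannot be reached and coverage drops to one of three, which is why the abstracts treat the bound as part of the coverage measure.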
international conference on computer design | 2007
Nannan He; Michael S. Hsiao
We present a new verification approach that applies aggressive program slicing and a proof-based abstraction-refinement strategy to enhance the scalability of bounded model checking of embedded software. While many software model-checking tools use program slicing as a separate or optional step, our program slicing is integrated into the model construction and reduction process and combined with compiler optimization techniques so as to compute a more accurate slice. We also explore a proof-based abstraction-refinement strategy using under- and over-approximation on our proposed software model, and propose a heuristic method for deciding the new encoding size used to refine the under-approximation. Experiments on C programs from wireless cognitive radio systems show that this approach can greatly reduce the model size and shorten the SAT solver's solving time.
international workshop on satisfiability modulo theories | 2008
Nannan He; Michael S. Hsiao
We present a new abstraction approach based on the concept of under- and over-approximation to efficiently solve bit-vector formulae generated from software verification instances, which include intensive control structures. Our proposed approach applies two common testability metrics, the controllability metric (CM) and the observability metric (OM), to guide the abstraction refinement procedure. We implement the under-approximation by enforcing constant constraints on a small set of single-bit variables that control the branch selection of some ITE nodes. Subsequently, each constructed under-approximate model includes only a subset of the paths in the formula. We use CM and OM to build such models so that a counterexample can be obtained with little effort. If the under-approximate model is unsatisfiable, an over-approximate abstraction is obtained by refining along the paths included in the model. This is conducted by learning the relevant formula constraints using the UNSAT proof, so the verification can be conducted incrementally thanks to the path-based partitioning of our approach. We also use OM as a guide to heuristically and efficiently restore additional verification-relevant constraints during the iteration. The experimental results show a significant reduction of the solving time compared to state-of-the-art solvers for bit-vector arithmetic.
ieee international conference on technologies for homeland security | 2008
Xueqi Cheng; Nannan He; Michael S. Hsiao
As software security becomes increasingly crucial in modern software systems, security-oriented software development will become a vital component of building a secure system. Therefore, how to effectively analyze and measure software security vulnerability during the software development process emerges as an essential problem. In this paper, we propose a new security sensitivity metric for software variables. Unlike conventional black-box approaches, our metric targets a fine granularity: the variable level. Model checking is applied to check whether any security property is violated when a program variable is influenced by an attack. The security vulnerability of the variable is then calculated as its overall capability of maintaining security properties under malicious external attacks. A case study on a stack-based buffer overflow property shows the effectiveness of our measurement in identifying and evaluating the security criticality of different variables in the software.
electro information technology | 2016
Nannan He; Ying Qian; Han-Way Huang
This paper primarily presents our work of employing the BeagleBone Black (BBB) board, a small but powerful single-board embedded computer, to enrich the teaching materials of embedded systems design for technology students. It introduces the hardware and software features of the BeagleBone Black. It then presents the learning outcomes, contents and lab organization. A comparison of the BBB with another commonly used single-board computer, the Raspberry Pi, is also discussed. Two Internet of Things (IoT) capstone projects developed on the board are reported. Our experiences demonstrate that the BBB is an easy-to-use development board that college-level students can employ for developing complex embedded computing systems, especially for network applications.
frontiers in education conference | 2016
Nannan He; Han-Way Huang; Ying Qian
Compared with conventional keyboard and mouse systems, touch sensing input devices provide more accurate and direct interaction with the user. More and more touch devices appear in various domains. To keep up with this technology change, we have introduced touch sensing technologies to electrical and computer engineering technology students using the project-based learning (PBL) approach. Our experiences indicate that the PBL approach is efficient and practical for teaching touch sensing techniques. Two different sets of courseware, including hardware kits and software packages, have been utilized in design projects to teach touch sensing in two existing courses. Students have shown great interest and capability in adopting touch devices into their senior embedded systems design projects to improve user interaction with the computing systems.
electro information technology | 2016
Nannan He; Victor Oke; Gale Allen
Programmable Logic Controllers (PLCs) have been widely applied in safety-critical industrial processes. Automated verification of PLC programs is a challenging task for control system engineers. A method of mutation-based verification of Simulink design models for verifying PLC programs is proposed. In this work, PLC programs coded in the Structured Text (ST) language are assumed to be automatically generated from Simulink models using the Simulink PLC Coder tool from MathWorks. We utilize Simulink diagrams as system design models. Simulink is a powerful design tool for developing complex event-driven applications. To formally verify the functional properties of the design models, a verifying model compiler called Gene-Auto is applied to automatically translate Simulink models to C code. The properties to be checked are also translated into C assertions, which are inserted into the translated C code. Then, the generated C code instrumented with assertions is formally verified with CBMC, a bounded model checking tool for C programs. The approach is experimentally assessed on a water control system case study. Compared with the previous approach of translating a PLC program to timed automata and verifying it with a model-checking tool, our approach is significantly more scalable for verifying non-timing-related functional properties.
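The abstract above leaves the shape of the verification implicit: controller logic emitted as C, a functional property inserted as a C assertion, and the model checker unwinding the time loop to a bound while treating plant inputs as nondeterministic. The program below is an added illustration, not the paper's case study or code: the tank, its constants (CAPACITY, LOW_MARK, HIGH_MARK, INFLOW, MAX_DEMAND) and the hysteresis controller are all constructed here. Plain depth-first enumeration of every demand sequence stands in for CBMC's symbolic unwinding (with CBMC one would instead read the demand from an undefined `nondet_int()` function and run `cbmc tank.c --unwind N` with the assertion left in the code). The high threshold is a parameter so that a wrong value can be checked against the same property, which is also where the counterexample trace comes from.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed water-tank model, not the paper's case study. Units are
   arbitrary: the pump adds INFLOW per step while on, and a nondeterministic
   demand drains 0..MAX_DEMAND per step. All constants are assumed values. */
#define CAPACITY    100
#define LOW_MARK     20
#define HIGH_MARK    80
#define INFLOW        5
#define MAX_DEMAND    3
#define MAX_DEPTH    32

typedef struct { int level; bool pump_on; } tank_t;

/* The design-model logic, the part a model compiler would emit as C:
   hysteresis control of the pump. high_mark is a parameter so that a wrong
   threshold can be tried against the same property. */
static void controller_step(tank_t *t, int high_mark) {
    if (t->level <= LOW_MARK)       t->pump_on = true;
    else if (t->level >= high_mark) t->pump_on = false;
}

/* Plant model: one time step with the given demand. */
static void plant_step(tank_t *t, int demand) {
    if (t->pump_on) t->level += INFLOW;
    t->level -= demand;
}

/* The functional property, phrased as the C assertion that would be inserted
   into the generated code: the tank never overflows and never runs dry. */
static bool property_holds(const tank_t *t) {
    return t->level > 0 && t->level < CAPACITY;
}

typedef struct { int init_level; bool init_pump; int steps; int demand[MAX_DEPTH]; } cex_t;

/* Depth-first exploration of every demand sequence up to `depth` steps, the
   explicit-state stand-in for what CBMC does symbolically when the time loop
   is unwound `depth` times over a nondeterministic demand. Returns -1 if the
   property holds on every path, otherwise the index of the failing step, with
   demand[0..index] holding the path that reaches it. */
static int explore(tank_t t, int high_mark, int step, int depth, int *demand) {
    if (step == depth) return -1;
    for (int d = 0; d <= MAX_DEMAND; d++) {
        tank_t next = t;
        controller_step(&next, high_mark);
        plant_step(&next, d);
        demand[step] = d;
        if (!property_holds(&next)) return step;
        int r = explore(next, high_mark, step + 1, depth, demand);
        if (r >= 0) return r;
    }
    return -1;
}

/* Bounded check from every initial state with the level between the marks and
   either pump state. Returns true if no violation is reachable within `depth`
   steps; otherwise fills *cex with the counterexample trace. */
bool bounded_check(int depth, int high_mark, cex_t *cex) {
    if (depth > MAX_DEPTH) depth = MAX_DEPTH;
    for (int level = LOW_MARK; level <= HIGH_MARK; level++) {
        for (int pump = 0; pump <= 1; pump++) {
            tank_t t = { level, pump != 0 };
            int fail = explore(t, high_mark, 0, depth, cex->demand);
            if (fail >= 0) {
                cex->init_level = level;
                cex->init_pump  = (pump != 0);
                cex->steps      = fail + 1;
                return false;
            }
        }
    }
    return true;
}

/* Length of the counterexample found, or -1 if the design is safe within depth. */
int counterexample_length(int depth, int high_mark) {
    cex_t cex;
    return bounded_check(depth, high_mark, &cex) ? -1 : cex.steps;
}

int main(void) {
    cex_t cex;
    printf("as designed (HIGH_MARK=%d): %s\n", HIGH_MARK,
           bounded_check(8, HIGH_MARK, &cex) ? "property holds within 8 steps" : "VIOLATION");
    if (!bounded_check(8, 98, &cex)) {
        printf("threshold 98: violation after %d steps from level %d, pump %s; demands:",
               cex.steps, cex.init_level, cex.init_pump ? "on" : "off");
        for (int i = 0; i < cex.steps; i++) printf(" %d", cex.demand[i]);
        printf("\n");
    }
    return 0;
}
```

The property is only established up to the unwinding depth, exactly as with CBMC; a threshold of 98 is caught because a six-step path from level 70 with the pump on and zero demand reaches CAPACITY, and the demand sequence returned in `cex` is the error trace an engineer would replay in the design model.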
electro information technology | 2017
Nannan He; Han-Way Huang
As embedded systems become increasingly complex, there is a great need to equip engineering students with knowledge of advanced embedded software development techniques so as to improve their efficiency in software development and programming. This paper presents our experiences of introducing the model-based design (MBD) methodology to two computer engineering related undergraduate courses: Programming Tools and Real-time Embedded Systems. MBD is an emerging design methodology whose effectiveness and efficiency have been demonstrated in the development of embedded software systems in industry. Matlab/Simulink from MathWorks supports MBD and has become the predominant software modeling language in many safety-critical embedded applications. The novelty of this teaching effort is incorporating two ongoing research projects on MBD with Matlab/Simulink into education. The synergistic benefits of integrating research with teaching have been explored in two different manners. Our experiences demonstrate that integrating research results with educational practice is effective in improving the teaching of programming and software development to engineering students, and encourages undergraduates to participate in research projects as well.
ieee international conference on technologies for homeland security | 2008
Nannan He; Xueqi Cheng; Michael S. Hsiao
Secure memory access protection plays a critical role in making software systems resilient to malicious security attacks. Run-time checking is one of the major strategies that provides safe memory accesses. However, in many security-critical applications, the performance overhead due to the extra computation at runtime is often unacceptable. In order to reduce this cost, we propose a new strategy that minimizes the number of runtime checks by efficiently integrating the results from static software verification. Our strategy applies a verification approach called SAT-based software bounded model checking (BMC) to detect memory access violations as well as to prove the absence of such violations within a given bound statically, followed by a runtime checking to synergistically and completely secure the memory accesses. Our method makes use of static verification in a fine-grained manner, in which redundant runtime checks can be avoided for those safe accesses. Furthermore, with BMC, our strategy can provide the error traces useful for debugging if the instance is proved unsafe.
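The abstract above describes a division of labour: a bounded model checker proves, within a bound, which memory accesses can never leave their buffer, and only the accesses it cannot prove safe keep a run-time check. The C program below is an added illustration of that idea, not the paper's implementation: the 16-byte buffer, the copy routines, the constructed payload and the check counter are all assumptions made for the example, and plain enumeration of the attacker-influenced length up to a bound stands in for the SAT-based BMC. It contrasts the fully instrumented copy (one check per access) with the copy whose per-access checks were removed after the proof, and shows the bounded proof rejecting an off-by-one guard by returning the offending length as the error trace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DST_LEN 16   /* size of the stack buffer; assumed value */

/* Counter of run-time checks executed, so the two variants can be compared.
   Constructed for this example. */
static unsigned long checks_executed;

/* Strategy 1, pure run-time checking: one bounds check per memory access.
   n is the attacker-influenced length; the copy stops at the first access
   that would leave the buffer. */
int copy_check_every_access(unsigned char *dst, size_t dst_len,
                            const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        checks_executed++;
        if (i >= dst_len) return -1;
        dst[i] = src[i];
    }
    return 0;
}

/* A guard is the single check that stays in place after static verification. */
typedef bool (*guard_fn)(size_t n, size_t dst_len);
static bool guard_correct(size_t n, size_t dst_len)    { return n <= dst_len; }
static bool guard_off_by_one(size_t n, size_t dst_len) { return n <= dst_len + 1; } /* wrong */

/* Stand-in for the BMC step: for every n up to `bound`, unwind the loop and
   confirm that no access index reaches dst_len once the guard has passed.
   Returns -1 when the absence of violations is established within the bound,
   otherwise the smallest n that passes the guard yet reaches an out-of-bounds
   index (the error trace). */
long prove_guard(guard_fn guard, size_t dst_len, size_t bound) {
    for (size_t n = 0; n <= bound; n++) {
        if (!guard(n, dst_len)) continue;
        for (size_t i = 0; i < n; i++)
            if (i >= dst_len) return (long)n;
    }
    return -1;
}

/* Strategy 2, checks minimised by verification: prove_guard(guard_correct, ...)
   establishes that every dst[i] with i < n is in bounds once n <= dst_len, so
   the per-access checks are redundant and only the guard on n remains. Unlike
   strategy 1 it rejects before writing anything. */
int copy_hoisted_check(unsigned char *dst, size_t dst_len,
                       const unsigned char *src, size_t n) {
    checks_executed++;
    if (!guard_correct(n, dst_len)) return -1;
    for (size_t i = 0; i < n; i++) dst[i] = src[i];   /* proven in bounds */
    return 0;
}

typedef int (*copy_fn)(unsigned char *, size_t, const unsigned char *, size_t);

/* Run one variant on a constructed 256-byte payload against the 16-byte
   buffer; returns the variant's result and the number of checks it executed. */
int run_variant(copy_fn copy, size_t n, unsigned long *checks) {
    unsigned char dst[DST_LEN] = {0};
    unsigned char src[256];
    memset(src, 'A', sizeof src);
    if (n > sizeof src) n = sizeof src;
    checks_executed = 0;
    int rc = copy(dst, DST_LEN, src, n);
    *checks = checks_executed;
    return rc;
}

unsigned long checks_for(copy_fn copy, size_t n) { unsigned long c; run_variant(copy, n, &c); return c; }
int result_for(copy_fn copy, size_t n)           { unsigned long c; return run_variant(copy, n, &c); }

int main(void) {
    printf("guard n <= dst_len   : proof result %ld (-1 = safe within bound)\n",
           prove_guard(guard_correct, DST_LEN, 255));
    printf("guard n <= dst_len+1 : proof result %ld (first violating n)\n",
           prove_guard(guard_off_by_one, DST_LEN, 255));
    printf("n=8 : %lu checks per-access, %lu check hoisted\n",
           checks_for(copy_check_every_access, 8), checks_for(copy_hoisted_check, 8));
    printf("n=64: per-access rc=%d after %lu checks, hoisted rc=%d after %lu checks\n",
           result_for(copy_check_every_access, 64), checks_for(copy_check_every_access, 64),
           result_for(copy_hoisted_check, 64), checks_for(copy_hoisted_check, 64));
    return 0;
}
```

The proof is only valid up to the bound passed to `prove_guard`, which mirrors the abstract's "within a given bound"; the off-by-one guard is rejected with n = 17, the first length that passes the guard and then writes past the buffer, and that length is the kind of trace the abstract says BMC hands back for debugging.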