Ralf Huuck

Verification of PLC Programs Given as Sequential Function Charts

Programmable Logic Controllers (PLC) are widespread in the manufacturing and processing industries to realize sequential procedures and to avoid safety-critical states. For the specification and the implementation of PLC programs, the graphical and hierarchical language Sequential Function Charts (SFC) is increasingly used in industry. To investigate the correctness of SFC programs with respect to a given set of requirements, this contribution advocates the use of formal verification. We present two different approaches to convert SFC programs algorithmically into automata models that are amenable to model checking. While the first approach translates untimed SFC into the input language of the tool Cadence SMV, the second converts timed SFC into timed automata which can be analyzed by the tool Uppaal. For different processing system examples, we illustrate the complete verification procedure consisting of controller specification, model transformation, integration of dynamic plant models, and identifying errors in the control program by model checking.

A Unifying Semantics for Sequential Function Charts

Programmable Logic Controllers (PLC) are widely used as device controllers for assembly lines, chemical processes, or power plants. Sequential Function Charts (SFC) form one of the main programming languages for PLCs and, therefore, the correctness of the PLC software implemented as SFCs is crucial for a safe operation of the controlled process. A prerequisite for reasoning about program correctness is a clear understanding of the program semantics. As we show in this work, this is currently not the case for SFCs. Although syntactically specified in the IEC 61131-3 standard, SFCs lack an unambiguous, complete semantic description. We point out a number of problems and explain how these lead to different interpretations in commercial programming environments. To remedy this situation we introduce a parameterized formal semantics for SFCs including many high-level programming features such as parallelism, hierarchy, actions and activity manipulation. Moreover, we show how to extend the semantics to include time, clocks, and timed actions. The presented semantics is general enough to comprise different existing interpretations while at the same time being adjustable to precisely represent each of them.

Model Checking Software at Compile Time

Software has been under scrutiny by the verification community from various angles in the recent past. There are two major algorithmic approaches to ensure the correctness of and to eliminate bugs from such systems: software model checking and static analysis. Those approaches are typically complementary. In this paper we use a model checking approach to solve static analysis problems. This not only avoids the scalability and abstraction issues typically associated with model checking, it allows for specifying new properties in a concise and elegant way, scales well to large code bases, and the built-in optimizations of modern model checkers enable scalability also in terms of numbers of properties to be checked. In particular, we present Goanna, the first C/C++ static source code analyzer using the off-the-shelfmodel checker NuSMV, and we demonstrate Goannas suitability for developer machines by evaluating its run-time performance, memory consumption and scalability using the source code of OpenSSL as a test bed.

Goanna: a static model checker

In this work we present Goanna, the first tool that uses an off-the-shelf model checker for the static analysis of C/C++ source code. We outline its architecture and show how syntactic properties can be expressed in CTL. Once the properties have been defined the tool analyses source code automatically and efficiently. We demonstrate its applicability by presenting experimental results on analysing OpenSSL and the GNU coreutils.

Semantics and Analysis of Instruction List Programs

Instruction List (IL) is a simple typed assembly language commonly used in embedded control. There is little tool support for IL and, although defined in the IEC 61131-3 standard, there is no formal semantics. In this work we develop a formal operational semantics. Moreover, we present an abstract semantics, which allows approximative program simulation for a (possibly infinte) set of inputs in one simulation run. We also extended this framework to an abstract interpretation based analysis, which is implemented in our tool Homer. All these analyses can be carried out without knowledge of formal methods, which is typically not present in the IL community.

SMT-based false positive elimination in static program analysis

Static program analysis for bug detection in large C/C++ projects typically uses a high-level abstraction of the original program under investigation. As a result, so-called false positives are often inevitable, i.e., warnings that are not true bugs. In this work we present a novel abstraction refinement approach to automatically investigate and eliminate such false positives. Central to our approach is to view static analysis as a model checking problem, to iteratively compute infeasible sub-paths of infeasible paths using SMT solvers, and to refine our models by adding observer automata to exclude such paths. Based on this new framework we present an implementation of the approach into the static analyzer Goanna and discuss a number of real-life experiments on larger C code projects, demonstrating that we were able to remove most false positives automatically.

Goanna: Syntactic Software Model Checking

Goanna is an industrial-strength static analysis tool used in academia and industry alike to find bugs in C/C++ programs. Unlike existing approaches Goanna uses the off-the-shelf NuSMV model checker as its core analysis engine on a syntactic flow-sensitive program abstraction. The CTL-based model checking approach enables a high degree of flexibility in writing checks, scales to large number of checks, and can scale to large code bases. Moreover, the tool incorporates techniques from constraint solving, classical data flow analysis and a CEGAR inspired counterexample based path reduction. In this paper we describe Goannas core technology, its features and the relevant techniques, as well as our experiences of using Goanna on large code bases such as the Firefox web browser.

An Abstract Model for Sequential Function Charts

Sequential function charts (SFCs for short) is a modeling language defined in the IEC 1131-3 standard that can be used to drive programmable logic controllers (PLCs). It includes interesting concepts like hierarchy and history variables. As the typical application area of this language is the control of industrial processes, it is obvious that a clear understanding of the semantics of these languages is of interest. It is also of interest for the programmers as well as for the builders of development environments based on this standard to know which semantic ambiguities the standard leaves open. This paper addresses these points providing a clear and formal semantic framework for SFCs that can be used, for instance, as a sound basis for building validation tools.

Operating System Verification

When one is interested in assuring the safety, security, or functional correctness of a computing system, the formal verification of its operating system (OS) is one of the obvious places to start. The operating system has privileged access to hardware and is therefore able to undermine any assurance that might have been derived independently for other parts of the system. This was recognised early, and a number of projects set out to formally verify the functional correctness of operating systems in the late 1970s and early 1980s. These pioneering efforts included UCLA Secure Unix, the PSOS project, and later Bevier’s small KIT. It turned out that operating system verification is a hard nut to crack and none of the initial efforts ended up with a formally verified, realistic operating system or operating system kernel. OS verification is hard because the flaws one is interested in uncovering often occur in the implementation layer. This is because operating systems are commonly implemented in low-level languages like C that are hard to reason about, and because convenient abstractions such as virtual memory, message passing, and memory allocation are services that are implemented by the OS and cannot be assumed. In recent years, there is a renewed interest in the formal analysis and verification of operating systems, both in the OS research community and in the formal verification area. Formal verification techniques and proof assistants have advanced dramatically in the past 30 years, as has our understanding of language semantics.

Automatic Bug Detection in Microcontroller Software by Static Program Analysis

Microcontroller software typically consists of a few hundred lines of code only, but it is rather different from standard application code. The software is highly hardware and platform specific, and bugs are often a consequence of neglecting subtle specifications of the microcontroller architecture. Currently, there are hardly any tools for analyzing such software automatically. In this paper, we outline specifics of microcontroller software that explain why those programs are different to standard C/C++ code. We develop a static program analysis for a specific microcontroller, in our case the ATmega16, to spot code deficiencies, and integrate it into our generic static analyzer Goanna. Finally, we illustrate the results by a case study of an automotive application. The case study highlights that --- even without formal proof --- the proposed static techniques can be valuable in pinpointing software bugs that are otherwise hard to find.