Publications


Featured research published by Sergey Tverdyshev.


International Andrei Ershov Memorial Conference on Perspectives of System Informatics | 2009

Invariants, modularity, and rights

Ernie Cohen; Eyad Alkassar; Vladimir Boyarinov; Markus Dahlweid; Ulan Degenbaev; Mark A. Hillebrand; Bruno Langenstein; Dirk Leinenbach; Michal Moskal; Steven Obua; Wolfgang J. Paul; Hristo Pentchev; Elena Petrova; Thomas Santen; Norbert Schirmer; Sabine Schmaltz; Wolfram Schulte; Andrey Shadrin; Stephan Tobies; Alexandra Tsyban; Sergey Tverdyshev

The quest for modular concurrency reasoning has led to recent proposals that extend program assertions to include not just knowledge about the state, but rights to access the state. We argue that these rights are really just sugar for knowledge that certain updates preserve certain invariants.


International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing | 2011

Proving Memory Separation in a Microkernel by Code Level Verification

Christoph Baumann; Thorsten Bormer; Holger Blasum; Sergey Tverdyshev

Often, an integrated mixed-criticality system is built in an environment which provides separation functionality for available on-board resources. In this paper we treat such an environment: the PikeOS separation kernel -- a commercial real-time embedded operating system. PikeOS allows applications with different safety and security levels to run on the same hardware. Obviously, a mixed-criticality system built on PikeOS relies on the correct implementation of the separation mechanisms. In the context of the Verisoft XT and TECOM projects we apply deductive formal software verification to the PikeOS separation mechanisms in order to validate this security requirement. In this work we consider formal verification of a kernel memory manager which is one of the crucial components of the separation functionality. The verification of the memory manager is carried out on the level of the source code using the VCC tool developed by Microsoft Research. Furthermore, we present the overall correctness arguments needed to prove the intended separation property, describe the necessary functional correctness properties of PikeOS, and explain how to formulate these properties in a modular way to be used by VCC. In doing so we demonstrate how a proof of a non-functional system requirement can be conducted based on results from formal verification on the lowest possible level of human-written artefacts, that is the source code level.


Computer Science Symposium in Russia | 2009

Formal Verification of Gate-Level Computer Systems

Mark A. Hillebrand; Sergey Tverdyshev

We present the formal verification of a gate-level computer system, in which a complex processor and external devices run in parallel. The system specification is an instruction set architecture with concurrently running visible devices. To the best of our knowledge this is the first formal treatment of integrating devices into a gate-level computer system.


Frontiers of Combining Systems | 2005

System description : Combination of Isabelle/HOL with automatic tools

Sergey Tverdyshev

We describe results and status of a sub project of the Verisoft [1] project. While the Verisoft project aims at verification of a complete computer system starting with hardware and up to user applications, the goal of our sub project is efficient hardware verification. We use the Isabelle theorem prover [2] as the major tool for hardware design and verification. Since many hardware verification problems can be efficiently solved by automatic tools, we combine Isabelle with model checkers and SAT solvers. This combination of tools speeds up verification of hardware and simplifies sharing of the results with verification of the whole computer system. To increase the range of problems which can be solved by external tools we implemented in Isabelle several algorithms for handling uninterpreted functions and data abstraction. The resulting combination was applied to verify many different hardware circuits, automata, and processors. In our project we use open source tools that are free for academic and commercial purposes.


Dependable Systems and Networks | 2012

MILS-related information flow control in the avionic domain: A view on security-enhancing software architectures

Kevin Müller; Michael Paulitsch; Sergey Tverdyshev; Holger Blasum

Electronic architectures in the aerospace domain get more and more integrated and interconnected due to functional and architectural reasons. Such a tight integration raises the need to control information flows between different security domains on-board and off-board aircraft. This paper presents and discusses the specification and implementation of a software architecture of a security gateway integrated into avionics architectures. The paper shows that such a software architecture can be based on the current architectural principles and implementations in the avionics domain. We show that the embedded operating system PikeOS is a possible foundation for such a gateway architecture.


International Symposium on Temporal Representation and Reasoning | 2008

Efficient Bit-Level Model Reductions for Automated Hardware Verification

Sergey Tverdyshev; Eyad Alkassar

Transition systems which do not perform domain-specific operations on their state variables can be efficiently reduced. We present two different algorithms which automatically eliminate domain-specific operations and reduce the domains of occurring variables from infinite to small domains. Our work extends earlier techniques which are applicable solely to combinatorial properties to temporal properties of transition systems. We have implemented our algorithm as a proof method in the Isabelle/HOL theorem prover and applied it to bit-level hardware designs. To demonstrate the efficiency of our technique, we fully automatically verify a liveness property of a pipelined processor and correctness of a memory management unit.


NASA Formal Methods | 2011

Extending the GWV security policy and its modular application to a separation kernel

Sergey Tverdyshev

Nowadays formal methods are required for high assurance security and safety systems. Formal methods allow a precise specification and a deep analysis of system designs. However, usage of formal methods in a certification process can be very expensive. In this context, we analyse the security policy proposed by Greve et al. in the theorem prover Isabelle/HOL. We show how this policy with some extensions can be applied in a modular way, and hence, reduce the number of formal models and artifacts to certify. Thus, we show how the security policy for a separation kernel is derived from the security policy of the micro-kernel that forms the basis of the separation kernel. We apply our approach to an example derived from an industrial real-time operating system.


NASA Formal Methods | 2015

Formal API Specification of the PikeOS Separation Kernel

Freek Verbeek; Oto Havle; Julien Schmaltz; Sergey Tverdyshev; Holger Blasum; Bruno Langenstein; Werner Stephan; Burkhart Wolff; Yakoub Nemouchi

PikeOS is an industrial operating system for safety and security critical applications in, for example, avionics and automotive contexts. A consortium of several European partners from industry and academia works on the certification of PikeOS up to at least Common Criteria EAL5+, with “+” being applying formal methods compliant up to EAL7. We have formalized the hardware independent security-relevant part of PikeOS that is to be used in a certification context. Over this model, intransitive noninterference has been proven. We present the model and the methodology used to create the model. All results have been formalized in the Isabelle/HOL theorem prover.


Formal Methods in Computer-Aided Design | 2009

A verified platform for a gate-level electronic control unit

Sergey Tverdyshev

We present the formal integration of an automotive bus controller into a formally verified gate-level computer system. This system consists of a complex processor and generic devices which run in parallel. The system specification is an instruction set architecture with concurrently running visible devices. The built system is an electronic control unit which is the base element for a distributed automotive system and its size on an FPGA is ca. 5M gate equivalents.


Critical Information Infrastructures Security | 2015

Security Architecture and Specification Framework for Safe and Secure Industrial Automation

Sergey Tverdyshev; Holger Blasum; Ekaterina Rudina; Dmitry A. Kulagin; Pavel V. Dyakin; Stanislav V. Moiseev

Today, policy specification and enforcement mechanisms are often interwoven with the industrial control processes on which the security policy is enforced. This leads to interferences and non-secure behaviour, and increases the system's attack surface. This paper presents a security system architecture and a framework where the processes, policies, and enforcement are strictly separated. The security architecture follows separation and least-privilege principles. The policy framework is based on a formal language and tools to specify and generate components for the security architecture. We illustrate our approach on a technological process and present how this solution is implemented in practice where security is mixed with safety requirements such as real-time, worst case execution time and certification.

Collaboration


Co-authors of Sergey Tverdyshev.

Top Co-Authors

Freek Verbeek

Radboud University Nijmegen


Abderrahmane Feliachi

Centre national de la recherche scientifique
