Thomas Reinbacher

Temporal-Logic Based Runtime Observer Pairs for System Health Management of Real-Time Systems

We propose a real-time, Realizable, Responsive, Unobtrusive Unit (rt-R2U2) to meet the emerging needs for System Health Management (SHM) of new safety-critical embedded systems like automated vehicles, Unmanned Aerial Systems (UAS), or small satellites. SHM for these systems must be able to handle unexpected situations and adapt specifications quickly during flight testing between closely-timed consecutive missions, not mid-mission, necessitating fast reconfiguration. They must enable more advanced probabilistic reasoning for diagnostics and prognostics while running aboard limited hardware without affecting the certified on-board software. We define and prove correct translations of two real-time projections of Linear Temporal Logic to two types of efficient observer algorithms to continuously assess the status of the system. A synchronous observer yields an instant abstraction of the satisfaction check, whereas an asynchronous observer concretizes this abstraction at a later, a priori known, time. By feeding the system’s real-time status into a statistical reasoning unit, e.g., based on Bayesian networks, we enable advanced health estimation and diagnosis. We experimentally demonstrate our novel framework on real flight data from NASA’s Swift UAS. By on-boarding rt-R2U2 aboard an existing FPGA already built into the standard UAS design and seamlessly intercepting sensor values through read-only observations of the system bus, we avoid system integration problems of software instrumentation or added hardware. The flexibility of our approach with regard to changes in the monitored specification is not due to the reconfigurability offered by FPGAs; it is a benefit of the modularity of our observers and would also be available on non-reconfigurable hardware platforms such as ASICs.

Runtime verification of embedded real-time systems

We present a runtime verification framework that allows on-line monitoring of past-time Metric Temporal Logic (ptMTL) specifications in a discrete time setting. We design observer algorithms for the time-bounded modalities of ptMTL, which take advantage of the highly parallel nature of hardware designs. The algorithms can be translated into efficient hardware blocks, which are designed for reconfigurability, thus, facilitate applications of the framework in both a prototyping and a post-deployment phase of embedded real-time systems. We provide formal correctness proofs for all presented observer algorithms and analyze their time and space complexity. For example, for the most general operator considered, the time-bounded Since operator, we obtain a time complexity that is doubly logarithmic both in the point in time the operator is executed and the operator’s time bounds. This result is promising with respect to a self-contained, non-interfering monitoring approach that evaluates real-time specifications in parallel to the system-under-test. We implement our framework on a Field Programmable Gate Array platform and use extensive simulation and logic synthesis runs to assess the benefits of the approach in terms of resource usage and operating frequency.

Real-Time Runtime Verification on Chip

We present an algorithmic framework that allows on-line monitoring of past-time MTL specifications in a discrete time setting. The algorithms allow to be synthesized into efficient observer hardware blocks, which take advantage of the highly-parallel nature of hardware designs. For the time-bounded Since operator of past-time MTL we obtain a time complexity that is double logarithmic in the time it is executed at and the given time bounds of the Since operator. This result is promising with respect to a non-interfering monitoring approach that evaluates real-time specifications during the execution of the system-under-test. The resulting hardware blocks are reconfigurable and have applications in prototyping and runtime verification of embedded real-time systems.

Precise control flow reconstruction using boolean logic

This paper presents a SAT-based method for control flow graph reconstruction from executable code. The key idea of the technique is to express the semantics of each basic block in a program using Boolean logic, followed by inferring pre- and postconditions for each block through interleaved forward and backward analysis. In particular, the technique relies on register-wise value-set abstractions, which are subsequently refined using alternating forward and backward analyses. Experimental evidence shows that this approach, despite being sound, recovers the control flow graph precisely for different real-world benchmarks.

Past time LTL runtime verification for microcontroller binary code

This paper presents a method for runtime verification of microcontroller binary code based on past time linear temporal logic (ptLTL). We show how to implement a framework that, owing to a dedicated hardware unit, does not require code instrumentation, thus, allowing the program under scrutiny to remain unchanged. Furthermore, we demonstrate techniques for synthesizing the hardware and software units required to monitor the validity of ptLTL specifications.

Automated test-trace inspection for microcontroller binary code

This paper presents a non-intrusive framework for runtime verification of executable microcontroller code. A dedicated hardware unit is attached to a microcontroller, which executes the program under scrutiny, to track atomic propositions stated as assertions over program variables. The truth verdicts over the assertions are the inputs to a custom-designed μ CPU unit that evaluates past-time LTL specifications in parallel to program execution. To achieve this, the instruction set of the μ CPU is tailored to determining satisfaction of specifications.

Model checking embedded software of an industrial knitting machine

Model checking is a promising approach for the verification of embedded systems software. The [mc]square approach for verification of binary code provides several improvements compared to other existing methods: the system model is automatically derived from the binary code using dedicated microcontroller simulators and state spaces are reduced by applying automatic abstraction techniques. In this paper, we survey the involved mechanisms and assess the overall approach by conducting an industrial case study – the verification of the embedded software of a monitoring device of a knitting machine.

Refining assembly code static analysis for the Intel MCS-51 microcontroller

Embedded systems are ubiquitous and their software is in most cases the elaborate part of the system. The use of formal verification methods such as model checking was proposed to verify these software systems. One disadvantage of model checking is that it suffers from the state-explosion problem. [mc]square combines model checking and static source code analysis at assembly code level to alleviate this downside. This approach allows considering particular features of the targeted microcontroller. In this paper, a novel data-flow analysis termed register bank analysis is presented. This analysis is an extension of a reaching definitions analysis to cope with register bank switching as performed by the Intel MCS-51 target. An informal and a formal description of the register bank analysis is given and an example to highlight the effectiveness of our approach is presented. Moreover, four remaining challenges in assembly code static analysis are pointed out.

Challenges in embedded model checking — a simulator for the [mc]square model checker

Model checking is considered a promising approach for the verification of software for embedded systems. Generating system models that are close to real-life behavior, however, is challenging. As a result, in some approaches a model can be automatically constructed out of the assembly code along with an appropriate target simulator/debugger. The implementation of the latter is crucial for the entire verification process. To that end, this paper presents requirements and challenges that arise when implementing and verifying such a simulator for the [mc]square model checker from the RWTH Aachen University.

Runtime verification of microcontroller binary code

Runtime verification bridges the gap between formal verification and testing by providing techniques and tools that connect executions of a software to its specification without trying to prove the absence of errors. This article presents a framework for runtime verification of microcontroller binary code, which provides the above mentioned link in a non-intrusive fashion: the framework neither requires code instrumentation nor does it affect the execution of the analyzed program. This is achieved using a dedicated hardware unit that runs on a field programmable gate array in parallel to the analyzed microcontroller program. Different instances of this framework are discussed, with varying degrees of expressiveness of the supported specification languages and complexity in the hardware design. These instances range from invariant checkers for a restricted class of linear template constraints to a programmable processor that supports past-time linear temporal logic with timing constraints.