Scalable and Flexible Static Analysis of Flight-Critical Software

Uploaded On 2023-06-25






Presentation Transcript

1. Scalable and Flexible Static Analysis of Flight-Critical Software
Guillaume P. Brat (guillaume.p.brat@nasa.gov), Arnaud J. Venet (arnaud.j.venet@nasa.gov)
Carnegie Mellon University, NASA Ames Research Center

2. Roadmap
- Static analysis for flight-critical systems
- Challenges of sound static analysis
- IKOS: an open architecture for sound static analyzers
- Applications of IKOS

3. Roadmap: Static analysis for flight-critical systems

4. Static Analysis
Code -> Static Analyzer -> Defects; Certificates of Correctness; Properties, Invariants

5. Flight-Critical Code
- Testing is insufficient
  - Impossible to explore all execution paths (A330 cockpit display shutdown after 96 hours of operation due to an arithmetic overflow)
  - Some errors may be hard to detect (memory corruption due to a buffer overflow)
- Static analysis brings a new level of assurance
- Soundness is important

6. Soundness
- Unsound tools (Coverity, Klocwork, GrammaTech)
  - Both false negatives and false positives
  - Little parameterization required
- Sound tools (MathWorks PolySpace, ASTREE)
  - No false negatives: formal verification
  - False positives
  - Parameterization is key to a low false positive rate:
    - Bounds on inputs of the system
    - Specialization of the analysis algorithms

7. Roadmap: Challenges of sound static analysis

8. The Specialization Conundrum
- MathWorks PolySpace Verifier:
  - General-purpose tool for embedded C/C++ code
  - Applicable to code bases under 100 KLOC in practice
  - Manual review of warnings may be effort-intensive
- ASTREE:
  - Scalable, yields zero or few warnings
  - Specialized for a restricted subset of C (single-threaded, no dynamic memory allocation, no complex pointer structures)

9. Building a Custom Static Analyzer
- C Global Surveyor (developed in the RSE group at NASA Ames Research Center)
  - Specialized for complex C code developed in the Mars Exploration Program (Mars Pathfinder, MER)
  - Analyzes the whole MER flight system (550+ KLOC)
- One-time exercise
  - A complete rewrite may be necessary when changing the target code and/or the properties analyzed
  - Significant expertise required

10. What do we need?
- A static analysis tool with an open architecture
  - Access to the algorithms
  - Possibility of refining/specializing the way the tool operates
- A flexible API
  - We don't want to rewrite the core analysis algorithms
  - But we want to be able to combine them in new ways for a particular application

11. Roadmap: IKOS, an open architecture for sound static analyzers

12. IKOS: Flexible Static Analysis Design
- Inference Kernel for Open Static analyzers
- A development platform for building static analyzers
- Library of C++ classes encapsulating high-performance static analysis algorithms
- A static analyzer is assembled from the building blocks provided by IKOS
- An effective buffer overflow analyzer for C programs can be written in a few hundred lines of C++ using IKOS

13. Flexible C/C++ Front-End
- The untold story of using static analysis tools: getting the code to just parse is a daunting task
  - The front-end of most static analysis tools expects standard C/C++ code as input, which is rarely the case for embedded software
  - Significant changes to the build and/or the code may be required
- IKOS is based on the LLVM platform
  - The GCC compiler can compile just about any existing code with little or no change
  - GCC can generate LLVM assembly code (through the llvm-gcc front-end or the DragonEgg plug-in; stock GCC does not emit LLVM IR)

14. Static Analysis Design with IKOS
Pipeline: C/C++ Code -> GCC -> LLVM -> Analyzer -> Properties -> Verifier -> Verification Report
IKOS building blocks the analyzer is assembled from: Interval Domain, Pointer Analysis, Decision Procedure, Fixpoint Iterator, Octagon Domain, ...

15. Example
The analysis discovers program properties:
- 0 ≤ i ≤ 7
- p points to the fourth element of structure S (i.e. S[3])

    void f(double *p, int n) {
        int i;
        for (i = 0; i < n; i++) {
            p[i] = ...;
        }
    }
    ...
    f(&S[3], 8);
    ...

16. Example
The verification uses the properties discovered:
- Array-bound compliance: is the access p[i] within bounds?
- Check that structure S has at least 11 elements (with p = &S[3] and 0 ≤ i ≤ 7, the loop writes S[3] through S[10])

    void f(double *p, int n) {
        int i;
        for (i = 0; i < n; i++) {
            p[i] = ...;      /* Access within bounds? */
        }
    }
    ...
    f(&S[3], 8);
    ...
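As an added illustration of slides 6, 14, 15 and 16 (this is not code from the presentation or from IKOS, which is a C++ library), the following Python sketch builds the two building blocks the slides name, an interval domain and a fixpoint iterator with widening and narrowing, runs them on the loop in f, and then performs the array-bound check for p = &S[3]. The array size of 11 elements, the intervals chosen for the parameter n, and the names Interval, loop_index_interval, required_length and check_access are assumptions made for this demo.

```python
import math
from dataclasses import dataclass

INF = math.inf


@dataclass(frozen=True)
class Interval:
    """Abstract value: all integers in [lo, hi]; lo > hi encodes the empty set."""
    lo: float
    hi: float

    @property
    def empty(self) -> bool:
        return self.lo > self.hi

    def join(self, other: "Interval") -> "Interval":
        """Least upper bound: smallest interval covering both (over-approximates union)."""
        if self.empty:
            return other
        if other.empty:
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def widen(self, other: "Interval") -> "Interval":
        """Widening: a bound that is still moving jumps to infinity so iteration terminates."""
        if self.empty:
            return other
        return Interval(self.lo if other.lo >= self.lo else -INF,
                        self.hi if other.hi <= self.hi else INF)

    def narrow(self, other: "Interval") -> "Interval":
        """Narrowing: replace the infinite bounds introduced by widening with refined ones."""
        return Interval(other.lo if self.lo == -INF else self.lo,
                        other.hi if self.hi == INF else self.hi)

    def assume_lt(self, other: "Interval") -> "Interval":
        """Refine self under the loop guard `self < other` (integers: hi <= other.hi - 1)."""
        return Interval(self.lo, min(self.hi, other.hi - 1))

    def add(self, k: int) -> "Interval":
        return Interval(self.lo + k, self.hi + k)


def loop_index_interval(n: Interval) -> Interval:
    """Interval of i at the access p[i] in `for (i = 0; i < n; i++) { p[i] = ...; }`.

    Ascending phase with widening until the loop-head invariant is stable, then a
    descending phase with narrowing to recover finite bounds, then the guard i < n,
    which is what holds at the point where the array is accessed.
    """
    init = Interval(0, 0)                       # i = 0 on loop entry

    def step(head: Interval) -> Interval:
        # one abstract trip round the loop: pass the guard, run the body, i++
        return init.join(head.assume_lt(n).add(1))

    head = init
    while True:                                 # ascending phase (widening)
        nxt = head.widen(step(head))
        if nxt == head:
            break
        head = nxt
    while True:                                 # descending phase (narrowing)
        nxt = head.narrow(step(head))
        if nxt == head:
            break
        head = nxt
    return head.assume_lt(n)


def required_length(base: int, n: Interval):
    """Smallest size of S making every p[i] in bounds for p = &S[base]; None if unbounded."""
    i = loop_index_interval(n)
    if i.empty:
        return 0                                # body never runs, nothing is accessed
    top = base + i.hi
    return None if top == INF else int(top) + 1


def check_access(base: int, n: Interval, array_len: int) -> str:
    """Sound array-bound check of p[i] with p = &S[base] and S of array_len elements.

    "safe" only when every possible index provably lies in [0, array_len - 1];
    "unreachable" when the loop body cannot execute; "warning" otherwise. Because the
    interval over-approximates, a warning is never a missed bug but may be a false positive.
    """
    i = loop_index_interval(n)
    if i.empty:
        return "unreachable"
    idx = i.add(base)                           # p[i] is S[base + i]
    if idx.lo >= 0 and idx.hi <= array_len - 1:
        return "safe"
    return "warning"


if __name__ == "__main__":
    S_LEN = 11                                  # assumed size of S for the slide's f(&S[3], 8)
    print(loop_index_interval(Interval(8, 8)), required_length(3, Interval(8, 8)))
    print(check_access(3, Interval(8, 8), S_LEN), check_access(3, Interval(9, 9), S_LEN))
    print(check_access(3, Interval(-INF, INF), S_LEN), check_access(3, Interval(0, 8), S_LEN))
```

With n fixed to 8 the iterator reports 0 ≤ i ≤ 7 and a required size of 11, the two facts on the slides. Calling f(&S[3], 9) is flagged, and that warning is a true positive (index 11). If n is left unconstrained the only invariant is 0 ≤ i, so the same access is flagged again; that warning is the false positive slide 6 talks about whenever every real caller keeps n ≤ 8, and it disappears once the analysis is parameterized with the input bound 0 ≤ n ≤ 8, which is exactly the "bounds on inputs of the system" lever. The interval domain cannot relate i to n, which is why IKOS also offers relational domains such as octagons.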

17. Specialization of the Analyzer
- Specialization consists of finding the right blend of algorithms
  - To compute strong enough properties for the verifier
  - And to guarantee reasonable analysis times
- This is an intrinsically empirical process
- IKOS allows the analysis designer to easily swap abstractions and decision procedures
- IKOS helps streamline the design of specialized static analyzers

18. Roadmap: Applications of IKOS

19. Verification of UAS Autopilots
- Certifying the flight software of unmanned aircraft is critical for NextGen
  - Complex code bases
  - Variety of platforms and architectures
  - No standard development process like DO-178
- Static analysis can help
  - Formal verification provides high assurance
  - Cost-effective, works on the code "as is"

20. Experiments with IKOS
- Verification of array-bound compliance (NASA APG milestone)
- Benchmark of realistic UAS autopilots
- Juliet is a cyber-security benchmark from NIST and is listed here just to demonstrate the scalability of the analyzer

21. MATLAB/Simulink Autocode
- Auto-generated code from MATLAB/Simulink models is increasingly used in critical flight software
- Static analysis can provide formal guarantees that the autocode satisfies critical safety properties
- We are currently developing a specialized analyzer for this class of code using IKOS

22. Technical Infusion
- Ongoing activities to transfer the technology into NASA missions

23. Conclusion
- Static analysis is an important tool for the assurance of flight-critical software
- There is no silver bullet: static analyzers need to be specialized to be effective
- IKOS is a step toward streamlining the design of specialized high-performance static analyzers