Using context descriptions and property definition patterns for software formal verification (PowerPoint presentation transcript)

Transcript and Presenter's Notes
1
Using context descriptions and property definition patterns for software formal verification
Philippe Dhaussy, Julien Auvray, Stéphane de Belloy, Frédéric Boniol, Eric Landel
Laboratoire DTN, ENSIETA, BREST, F-29806 cedex 9, dhaussy@ensieta.fr
THALES AIR SYSTEMS, BP 20351 - F-94628 RUNGIS Cedex, stephane.debelloy@thalesgroup.com
IRIT-ENSEEIHT, 2 rue C. Camichel BP 7122 - F-31071 Toulouse cedex 7, frederic.boniol@enseeiht.fr
09/04/2008
2
Outline
  • Context and Motivations
  • Experimentations Thales Air Systems, Airbus
    CSSI
  • Context Description Language (CDL)
  • Conclusion and perspectives

3
Thales
World leader for mission-critical information systems
  • R&D at Thales totals €2.2bn (18% of revenues)
  • 25,000 researchers on cutting-edge technologies
  • 300 inventions per year
  • Over 15,000 patents
  • Over 30 cooperation agreements with universities and public research laboratories in Europe, the United States and Asia

4
Context
  • Exhaustive simulation based on
    • Timed automata (Rajeev Alur and David L. Dill)
    • Observers (Nicolas Halbwachs, Fabienne Lagnier and Pascal Raymond)
    • Context (Jon Whittle, Jean-Charles Roger)
  • Implementation: OBP (Observer-Based Prover)
  • Industrial experimentations
    • Thales Air Systems (WS/WO)
    • CS-SI / Airbus
  • Inspiration sources: EIA 632, SPEM, Leblanc et al. 05, Combemale et al. 06, TopCased 06, Omega project

5
Motivations
  • Reduce the gap between industrial developments
    and formal analysis techniques
  • Bypass combinatorial explosion

6
Proof of a subset of properties for a context
(Figure: the system model to be validated, composed with Context_k and a set of properties)
  • The proof is the verification of properties on the model, relative to a given context.
  • To do this we need
    • to transform properties into observer automata
    • to merge model, context and observers
    • to analyse the reachability of "rejection" states
7
Our approach for model formal analysis
(Figure: the model to be validated (UML, AADL, SDL, ...) is translated into a transition system, i.e. a formal model in timed automata; composition and simulation are done with IFx (Verimag); the context and the formal properties (observers) describe the environment behaviour and restrict the model's behaviours to it; reachability analysis yields safety and bounded-liveness verdicts, and the analysis data are returned to the engineer.)
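The three steps of the approach (properties turned into observers, observers merged with the model and a finite context, reachability of a rejection state checked) as an added worked example in Python. This is not OBP or IFx code: the toy SM model, the two concrete context paths and the observer for the refusal clause of REQ_SM_SUPSTATE_0320 are constructed here, and the `buggy` switch is a constructed defect used only to show what a reachable rejection state and its counterexample look like.

```python
from collections import deque

# Constructed concrete context: two acyclic environment paths, of the kind that
# unfolding a CDL context produces (hypothetical; the Thales contexts are not on this page).
CONTEXT_PATHS = [
    ["NAVS_availability(TRUE)", "change_req(Immediate_Notice)"],
    ["NAVS_availability(FALSE)", "change_req(Immediate_Notice)"],
]

def sm_step(state, event, buggy=False):
    """Toy SM model (constructed). state = (control, nav_available).
    Returns a list of (next_state, outputs) pairs, one per possible transition."""
    ctrl, nav = state
    if event.startswith("NAVS_availability"):
        return [((ctrl, event.endswith("(TRUE)")), ())]
    if event.startswith("change_req") and ctrl == "idle":
        if not nav and not buggy:  # nominal: refuse while the navigation system is unavailable
            return [(("idle", nav), ("Req_error",))]
        # the 'buggy' variant skips the availability check (constructed defect)
        return [(("transition", nav), ("Req_accepted", "SM_ANY_PAAMS_status"))]
    return [(state, ())]  # event ignored in this control state

def obs_step(obs, io):
    """Observer automaton for the refusal clause of REQ_SM_SUPSTATE_0320.
    obs = (mode, last_nav); io = ('in', environment event) or ('out', SM message).
    Mode 'reject' is the state whose reachability the analysis looks for."""
    mode, nav = obs
    kind, name = io
    if kind == "in" and name.startswith("NAVS_availability"):
        return (mode, name.endswith("(TRUE)"))
    if kind == "in" and name.startswith("change_req") and mode == "wait" and not nav:
        return ("expect_refusal", nav)
    if mode == "expect_refusal" and kind == "out":
        return ("wait", nav) if name == "Req_error" else ("reject", nav)
    return obs

def reject_reachable(buggy=False):
    """Breadth-first exploration of the model x context x observer product.
    Returns the first trace that reaches 'reject' (a counterexample), or None."""
    for path in CONTEXT_PATHS:
        init = (("idle", True), 0, ("wait", True))  # assumed initial states
        queue, seen = deque([(init, [])]), {init}
        while queue:
            (m, i, o), trace = queue.popleft()
            if o[0] == "reject":
                return trace
            if i == len(path):
                if o[0] == "expect_refusal":  # finite context ended without the response
                    return trace + ["<end of context>"]
                continue
            ev = path[i]
            o_in = obs_step(o, ("in", ev))
            for m2, outs in sm_step(m, ev, buggy):
                o2 = o_in
                for msg in outs:
                    o2 = obs_step(o2, ("out", msg))
                nxt = (m2, i + 1, o2)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [ev] + ["!" + x for x in outs]))
    return None

if __name__ == "__main__":
    print("nominal model:", reject_reachable(buggy=False))
    print("buggy model  :", reject_reachable(buggy=True))
```

For the nominal model the exploration returns None (no rejection state reachable in either context path); for the buggy variant it returns the trace ending in `!Req_accepted`, `!SM_ANY_PAAMS_status` after `NAVS_availability(FALSE)`. Because the context is finite and acyclic, an observer still waiting for its response when the path ends is itself a rejection: that is how bounded liveness, not only safety, is obtained from observers.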
8
Outline
  • Context and Motivations
  • Experimentations Thales Air Systems, Airbus
    CSSI
  • Context Description Language (CDL)
  • Conclusion and perspectives

9
2 experimentations
  • Experimentation 1: AFN (SDL) component validation (AIRBUS, CS-SI)
    • 20 requirements proved (as example)
    • Found 1 error in the IF2 model! (buffer too small, but not in an operational case)
  • Experimentation 2: SM (UML) component validation (Thales Air Systems)
    • 30 significant requirements proved (out of 170)
    • Found 1 error in the IF2 model! (2 messages sent instead of 1)

10
Validation of ADMS component (Thales Air Systems)
(Figure: the SM component (CSCI SM) inside the Air Defence Missile System (ADMS); the surrounding elements are the Fight System, Missile, Radar, C2, ULT, MFR, Launchers and Fight control (FCS).)
11
CSCI SM properties
  • 133 system requirements, 188 software requirements
  • Ada code generation
  • 50 asynchronous external messages, translated by the interface layer into functional triggered operation calls
  • 38,000 lines of code generated
  • 3 automata, 365 states, 560 transitions
12
Some difficulties using OBP V1 (industrial view)
  • System to be validated in UML (→ Ada)
    → Manual translation into IF2
  • Requirements were not precise, not formal and ambiguous
    → Manual translation into IF2
  • Validation contexts were not formalized
    → Manual description in XML
  • Proposal
    → Context Description Language (CDL)
    → Property patterns

13
Experimentation returns and benefits (industrial view)
  • At the start
    • Contexts were not formalized
    • Requirements were not precise, not formal and ambiguous
    → CDL definition
    → Property patterns definition
  • Present
    • The complete methodology has to be defined
    • CDL (contexts + properties) has to be integrated in OBP for more experimentations
    → Definition of MDA components (Adaptation and Proof units) in progress
    → Development of OBP V2 in progress
    → CDL experimentation in progress

14
Outline
  • Context and Motivations
  • Experimentations Thales Air Systems, Airbus
    CSSI
  • Context Description Language (CDL)
  • Conclusion and perspectives

15
Environment description: what do engineers have?
  • Most of the time engineers have specification and analysis documents with
    • non-formalized and incomplete textual descriptions
    • some actors with sequence diagrams
    • use cases


Environment model formalization
16
Context Description Language
  • DSL: Context Description Language
  • Formal properties (patterns)
  • Description of the whole system environment

17
The verification context (Jon Whittle, Jean-Charles Roger)
(Figure: activity diagrams and sequence diagrams)
18
Eclipse CDL editor
  • Eclipse CDL editor (developed with GMF)

19
Context unfolding and partitioning
(Figure: CDL model → unfolding → partitioned concrete contexts)
  • The unfolding action provides the partitioning:
    • executions without cycles
    • bounded action count
    • finite and acyclic concrete contexts
    • finite number of paths

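An added example of unfolding and partitioning, written in Python for this page and not taken from OBP. The mini-language (`seq`, `alt`, `par`, bounded `loop`) stands in for a CDL activity diagram; loops are bounded to a maximum iteration count so that every concrete path is finite and acyclic, and the resulting path set is sliced into smaller proof contexts. The context below reuses message names from the level-2 CDL model in the appendix, but its structure is an assumption.

```python
# Context node kinds (constructed mini-language standing in for a CDL activity diagram):
#   ("act", name)          one environment action
#   ("seq", [nodes])       sequential composition
#   ("alt", [nodes])       alternative branches
#   ("par", [nodes])       parallel branches (all interleavings)
#   ("loop", node, n)      repetition, bounded to 0..n iterations so paths stay acyclic

def interleave(a, b):
    """All interleavings of two action sequences, each keeping its own order."""
    if not a:
        return [list(b)]
    if not b:
        return [list(a)]
    return ([[a[0]] + rest for rest in interleave(a[1:], b)]
            + [[b[0]] + rest for rest in interleave(a, b[1:])])

def unfold(node):
    """Unfold a context into its finite set of acyclic concrete paths."""
    kind = node[0]
    if kind == "act":
        return [[node[1]]]
    if kind == "seq":
        paths = [[]]
        for child in node[1]:
            paths = [p + q for p in paths for q in unfold(child)]
        return paths
    if kind == "alt":
        return [p for child in node[1] for p in unfold(child)]
    if kind == "par":
        paths = [[]]
        for child in node[1]:
            paths = [r for p in paths for q in unfold(child) for r in interleave(p, q)]
        return paths
    if kind == "loop":
        body, bound = unfold(node[1]), node[2]
        paths, reps = [], [[]]
        for _ in range(bound + 1):
            paths.extend(reps)          # 0, 1, ..., bound iterations of the body
            reps = [p + q for p in reps for q in body]
        return paths
    raise ValueError(f"unknown node kind {kind!r}")

def dedupe(paths):
    """Drop duplicate paths (interleavings of identical actions coincide)."""
    seen, out = set(), []
    for p in paths:
        key = tuple(p)
        if key not in seen:
            seen.add(key)
            out.append(p)
    return out

def partition(paths, k):
    """Split the path set into k slices; each slice is a smaller proof context."""
    return [paths[i::k] for i in range(k)]

# Constructed context using message names from the deck's level-2 CDL model
# (the structure itself is hypothetical).
CONTEXT = ("seq", [
    ("act", "Initialization"),
    ("par", [
        ("seq", [("act", "AIC_CP_change_req_CP_readiness_state"),
                 ("alt", [("act", "ok"), ("act", "cancel")])]),
        ("act", "CP_status(Immediate_Notice)"),
    ]),
    ("loop", ("act", "Ra_To_I_Pmpi"), 2),
])

def unfold_and_partition(context, k):
    """Return (paths, action counts per path, k proof-context slices)."""
    paths = dedupe(unfold(context))
    return paths, [len(p) for p in paths], partition(paths, k)

if __name__ == "__main__":
    paths, counts, slices = unfold_and_partition(CONTEXT, 4)
    print(len(paths), "acyclic paths; action counts", sorted(set(counts)))
    for n, s in enumerate(slices):
        print(f"proof context {n}: {len(s)} paths")
```

The constructed context unfolds into 18 paths (2 alternatives × 3 interleavings × 3 loop counts), each 4 to 6 actions long. The point of partitioning is that a property need only be proved against one slice at a time: the model is composed with 4 or 5 paths instead of all 18, which is the deck's way of bypassing combinatorial explosion.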
20
Properties definition
  • In most cases, the requirement description
    • is ambiguous
    • refers
      • to the state of the system
      • to a history of system or environment behaviour (described somewhere else)
      • to implicit knowledge of the behaviour of the system and its environment

21
Proof context description
  • CDL (Context Description Language): inspired by Whittle 05, adapted in Roger 06, extended in de Belloy & Dhaussy 07
  • Proof context = context model + properties model
  • Property patterns: inspired by Smith et al. 02, Dwyer M.B. et al. 99, Konrad S. and Cheng B. 05; (1) extended in Dhaussy et al. 07, (2) linked to the context
22
Property patterns extension (Response)
Inspired by Smith et al. 02, Dwyer M.B. et al. 99, Konrad S. and Cheng B. 05; extended in Dhaussy et al., 07

Scope: [ Global | Before | After | Between | After-Until ]
An, All [ ORDER | COMBINED ]
  if ( condition_m0 ) [ Pre-arity ] occurrences of x0
  ...
  if ( condition_mk ) [ Post-arity ] occurrences of xk
END
[ Immediacy ] leads to [ < t ]
An, All [ ORDER | COMBINED ]
  if ( condition_n0 ) [ Post-arity ] occurrences of y0
  ...
  if ( condition_nk ) [ Post-arity ] occurrences of yk
END
[ x0 Nullity occurs, ..., xk Nullity occurs ]
[ one of y0, ..., yk Precedency occurs before the first one of x0, ..., xk ]
[ Repeatability ]

Option values:
  Immediacy: Immediately, Eventually
  Pre-arity / Post-arity: Exactly one, One or more
  Nullity: May Never, Must
  Precedency: Cannot, May
  Repeatability: True, False
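An added example (Python, not from the deck or from OBP) showing how one Response pattern instance with these options becomes an observer that can be run over a trace. It covers Immediacy, Post-arity, the "< t" bound and Repeatability for a single trigger/response pair; scope, guard conditions and the multi-event sets x0..xk / y0..yk are left out. The traces and the REQ_0320 binding are constructed from the message names of the requirement in the appendix.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Response:
    """One instance of the Response pattern with the slide's options
    (constructed simplification: one trigger x leads to one response y)."""
    trigger: str
    response: str
    immediacy: str = "Eventually"      # "Immediately": y must be the very next event
    post_arity: str = "Exactly one"    # "One or more": several y are allowed per x
    bound: Optional[float] = None      # "< t": y must occur less than t after x
    repeatability: bool = True         # False: only the first occurrence of x is checked

def observe(p, trace):
    """Run the observer over a timed trace [(time, event), ...] produced by a finite
    (unfolded) context. Returns ("accept", None) or ("reject", reason). A trigger still
    pending when the trace ends is a rejection: bounded liveness on a finite context."""
    mode, t_x, checked = "idle", None, False
    for t, ev in trace:
        if mode == "armed":
            if p.bound is not None and t - t_x >= p.bound:
                return "reject", f"{p.response} did not occur within {p.bound} of {p.trigger}"
            if ev == p.response:
                mode = "satisfied"
                continue
            if p.immediacy == "Immediately":
                return "reject", f"{ev} occurred before {p.response}"
            if ev == p.trigger:
                return "reject", f"new {p.trigger} before the previous one was answered"
            continue
        if ev == p.trigger and (p.repeatability or not checked):
            mode, t_x, checked = "armed", t, True
            continue
        if mode == "satisfied" and ev == p.response and p.post_arity == "Exactly one":
            return "reject", f"second {p.response} for a single {p.trigger}"
    if mode == "armed":
        return "reject", f"{p.trigger} still unanswered at the end of the context"
    return "accept", None

# Constructed binding and traces (times are arbitrary units)
REQ_0320 = Response("change_req(Immediate_Notice)", "SM_ANY_PAAMS_status")
TRACE_OK = [(0.0, "change_req(Immediate_Notice)"),
            (1.0, "Req_accepted"),
            (2.0, "SM_ANY_PAAMS_status")]
TRACE_TWICE = TRACE_OK + [(3.0, "SM_ANY_PAAMS_status")]   # "2 messages sent instead of 1"
TRACE_NONE = TRACE_OK[:2]                                 # request never answered

if __name__ == "__main__":
    for name, tr in [("ok", TRACE_OK), ("twice", TRACE_TWICE), ("none", TRACE_NONE)]:
        print(name, observe(REQ_0320, tr))
    print("immediately", observe(Response(REQ_0320.trigger, REQ_0320.response,
                                          immediacy="Immediately"), TRACE_OK))
    print("bound 1.5", observe(Response(REQ_0320.trigger, REQ_0320.response, bound=1.5), TRACE_OK))
```

With the default options (Eventually, Exactly one) TRACE_OK is accepted, TRACE_TWICE is rejected on the second status message, and TRACE_NONE is rejected at the end of the context. Switching Post-arity to "One or more" accepts TRACE_TWICE; "Immediately" rejects TRACE_OK because Req_accepted is interposed; a bound of 1.5 rejects it because the response arrives after 2.0. In OBP the same information is what the generated observer automaton encodes, with "reject" as the state whose reachability the exploration checks.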
23
Methodology for property definition
  • choice of the pattern (with events)
  • choice of options and guards
  • choice of the scope
  • link to a node of the context

(Figure: the proof context groups a context model and a properties model (P1, P2, P3, ..., Pn); observer automata, which carry the formal semantics, are generated automatically from the properties.)
24
Observer automata generation
25
Outline
  • Context and Motivations
  • Experimentations Thales Air Systems, Airbus
    CSSI
  • Context Description Language (CDL)
  • Conclusion and perspectives

26
Conclusion and Perspectives
  • Integration of CDL graphic editors (context and properties)
  • FIACRE code generation (TopCased project), connection to proving tools
  • Managing contexts (CIFRE thesis with CS-SI): completeness and consistency
  • Study of different abstraction levels, traceability for properties
  • Properties (time, frequency, ...)
  • Case studies underway
    • Specifications: SoS (DGA / MRIS), embedded components (Thales Air Systems)
    • Avionic protocols Airbus-ATC (CS-SI), development process (CNES)
  • Methodology: MDA components (units of proof)
  • DOMINO project (RNTL), MOPCOM-ING (submitted to DGE)

27
OBP version 2.0 (under development)
(Figure: tool architecture. A CDL model (contexts, properties, restrictions) is imported by Java transformations into an intermediate format (a-contexts, a-actions); unfolding and partitioning (Java) produce the concrete contexts, i.e. sets of paths, together with observer automata (properties) and restriction automata; these are composed with the model to be validated (IF2 programs) and explored by simulation in IFx; the analysis data are returned.)
Prototype tool (Observer-Based Prover)
Version 1.0 available (open source), TopCased project: http://gforge.enseeiht.fr/projects/obp/
28
Thank you for your attention
29
APPENDIX
30
CDL (Context Description Language) Whi05, Rog06, Dha07
(Figure: three-level CDL example. Level 1 (activity diagram): Entity 3 with action0, action1 and action2, the properties << property >> P1 and << property >> P2, and the restriction << restriction >> R1. Level 2 (activity diagram): action3, action4 and action5 with << property >> P3. Level 3 (sequence diagrams): action3 detailed.)
31
CDL Meta model (context)
32
CDL Meta model(properties)
33
CDL model Level 1
(Figure: level-1 activity diagram with Initialization, Configuration initialization, Cond_managment, State_managment and Config_managment; the property << Property >> REQ_S_CP_SUPSTATE_0320 is attached to it.)
34
CDL model Levels 2 and 3
(Figure: Level 2 refines Config_managment, CP_state_manage and Condition_manage; Level 3 gives the sequence diagrams between Env and S_CP, with the messages AIC_CP_change_req_CP_readiness_state, CP_status(Immediate_Notice), Ra_To_I_Pmpi, CP_requested_conf(Ready_to_fire), Req_accepted, Req_not_ok, ok, cancel, Req_error, CP_INIT_ULT_status(Ready) and stop.)
35
CDL example
36
CDL level 1 example 1/2
37
CDL level 1 example 2/2
38
CDL level 2 and 3 example
39
Requirement specification: an example (Thales Air Systems)
  • REQ_SM_SUPSTATE_0320
  • Following a legal state-change request from 'Minimal Notice Normal' to 'Immediate Notice Normal' coming from the CSCI AIC (invoked by PAAMS(E) only) or from the CSCI PMPI, 'ANY_SM_request_of_change_of_PAAMS_readiness_state', the CSCI SM shall refuse the request if the navigation system is unavailable (the last 'PMPI_ANY_NAVS_availability' message contained the value 'FALSE' in the 'NAVS_availability' field).
  • Otherwise, the CSCI SM accepts the state-change request and shall send
    • to the CSCIs AIC (applicable to PAAMS(E) only) and PMPI the message 'SM_ANY_PAAMS_status' containing the value 'Immediate Notice Normal' in the 'PAAMS_requested_readiness_state' field;
    • to the CSCI VOI the message 'SM_VOI_VLS_requested_state' containing the value 'Ready_to_fire' in the 'VLS_requested_state' field;
    • (applicable to PAAMS(E)) to the CSCI INT the message 'SM_INT_ULT_requested_state' containing the value 'Ready' in the 'ULT_requested_state' field.
  • The CSCI SM is then in its transition phase.
  • END_REQ_SM_SUPSTATE_0320

40
Observers automata generation
41
Observers automata generation
42
Observers Activation
43
Observers Activation
(Figure: << property >> P attached to a CDL node; observer Active)
44
Observers Activation
(Figure: << property >> P attached to a CDL node; observer Inactive)
45
Some patterns
Response, Precedence, Existence, Absence
46
Pattern Response
Dhaussy et al., 07
[ Scope ]
An, All [ ORDER | COMBINED ]
  if ( condition_m0 ) [ Pre-arity ] occurrences of x0
  ...
  if ( condition_mk ) [ Post-arity ] occurrences of xk
END
[ Immediacy ] leads to [ < t ]
An, All [ ORDER | COMBINED ]
  if ( condition_n0 ) [ Post-arity ] occurrences of y0
  ...
  if ( condition_nk ) [ Post-arity ] occurrences of yk
END
[ x0 Nullity occurs, ..., xk Nullity occurs ]
[ one of y0, ..., yk Precedency occurs before the first one of x0, ..., xk ]
[ Repeatability ]
47
Pattern Precedence
Dhaussy et al., 07
[ Scope ]
An, All [ ORDER | COMBINED ]
  if ( condition_m0 ) [ Pre-arity ] occurrences of x0
  [ Pre-arity ] occurrences of x1
  ...
  if ( condition_mk ) [ Pre-arity ] occurrences of xk
END
[ Immediacy ] precedes [ < t ]
An, All [ ORDER | COMBINED ]
  if ( condition_n0 ) [ Post-arity ] occurrences of y0
  ...
  if ( condition_nk ) [ Post-arity ] occurrences of yk
END
[ x0 Nullity occurs, ..., xk Nullity occurs ]
[ one of y0, ..., yk Precedency occurs before the first one of x0, ..., xk ]
[ Repeatability ]
48
Pattern Absence
Dhaussy et al., 07
[ Scope ]
An, All [ ORDER | COMBINED ]
  if ( condition_m0 ) [ Pre-arity ] occurrences of x0
  [ Pre-arity ] occurrences of x1
  ...
  if ( condition_mk ) [ Pre-arity ] occurrences of xk
END
occurs never
49
Pattern Existence
Dhaussy et al., 07
[ Scope ]
An, All [ ORDER | COMBINED ]
  if ( condition_m0 ) [ Pre-arity ] occurrences of x0
  [ Pre-arity ] occurrences of x1
  ...
  if ( condition_mk ) [ Pre-arity ] occurrences of xk
END
occurs [ < t ]