Software Certification and Software Certificate Management Systems - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1

Software Certification and Software Certificate Management Systems
Ewen Denney, Bernd Fischer
Robust Software Engineering Group, NASA Ames Research Center
{edenney,fisch}@email.arc.nasa.gov
2
Automated Code Generation
High-Level Model  ->  Code Generator  ->  Code

High-level model:
  model mog as 'Mixture of Gaussians'.
  ...
  % Class probabilities
  double rho(1..c).
  where 1 = sum(I := 1..c, rho(I)).
  % Class parameters
  double mu(1..c).
  double sigma(1..c).
  where 0 < sigma(_).
  % Hidden variable
  nat z(1..n) ~ discrete(rho).
  % Data
  data double x(1..n).
  x(I) ~ gauss(mu(z(I)), sigma(z(I))).
  % Goal
  max pr(x | rho,mu,sigma) for rho,mu,sigma.

Generated code:
  ...
  // Initialization
  for (v44 = 0; v44 <= n-1; v44++)
    for (v45 = 0; v45 <= c-1; v45++)
      q(v44,v45) = 0;
  for (v46 = 0; v46 <= n-1; v46++)
    q(v46,z(v46)) = 1;
  ...
  for (v12 = 0; v12 <= c-1; v41++)
    v68 = exp((x(v12)-mu(v41))^2 / (double)(-2) ...
  ...
3
Documenting Code Generation
High-Level Model  ->  Code Generator  ->  Code
                      Code Generator  ->  Documentation
(same Mixture of Gaussians model and generated code as on slide 2)
5
Certifiable Code Generation
High-Level Model  ->  Code Generator  ->  Code
                      Code Generator  ->  Documentation
                      Code Generator  ->  Proofs
(same Mixture of Gaussians model and generated code as on slide 2)
6
Certifiable Code Generation
High-Level Model  ->  Code Generator  ->  Code
                      Code Generator  ->  Documentation
(same Mixture of Gaussians model and generated code as on slide 2)
7
Certification Browser
Highlight code
Show / explain obligations
8
Certificate System Aspects
  #include "claraty/estimation/kalman_filter.h"
  class Nominal_filter_System_Model : public KF_System_Model {
    Nominal_filter_System_Model(double l, Vector<double> sigma, int n, int m) {
      double _l = l;
      Vector<double> _sigma = sigma;
      int _n = n;
      int _m = m;
    }
    Vector<double> compute_transition(const Vector<double> state,
                                      const kf_measurement_t control) {
      Vector<double> state2 = get_transition_matrix() * state;
      return state2;
    }
    Matrix<double> get_transition_matrix() {
      double tmp[] = { 1, 0, 0, 0, 1, 0, -1/_l, 1/_l, 0 };
      Matrix<double> m(1, _n - 1, tmp);
      return m;
    }
  private:
    double _l;
    Vector<double> _sigma;
    int _n;
    int _m;
  };
9
Certificate System Aspects
Consts unmodified
10
Certificate System Aspects
Matrix sizes match
Consts unmodified
11
Certificate System Aspects
Class parameters assigned to local variables
Matrix sizes match
Consts unmodified
12
Certificate System Aspects
Class parameters assigned to local variables
Matrix sizes match
Consts unmodified
Signed off by ttp@nasa.gov
13
Certificate Organizational Aspects
Pipeline: Model -> Code Generator -> Annotated Code -> VCG (Safety Policy) -> Proof Obligations -> Prover (Axioms: axioms.ax)

Model (ID 1.7): the Mixture of Gaussians specification from slide 2.

Annotated Code:
  ...
  // Initialization
  for (v44 = 0; v44 <= n-1; v44++)
    for (v45 = 0; v45 <= c-1; v45++)
      q(v44,v45) = 0;
  for (v46 = 0; v46 <= n-1; v46++)
    q(v46,z(v46)) = 1;
  /* post 0 <= q(i,j) <= 1 */
  ...
  for (v12 = 0; v12 <= c-1; v41++)
    v68 = exp((x(v12)-mu(v41))^2 / (double)(-2) ...
  ...

Safety Policy (VCG):
  vcg(skip, P, P) :- !.
  vcg(assign(x,e), P, Q) :- !, subst([x=e], P, Q).
  vcg(for(I,L,H,B,Inv), P, Q) :- ...

Proof Obligations (for the prover, with axioms.ax):
  input_formula(quat_0001, (
      ( equal(pv56,pv57) & leq(0,pv5) & leq(0,pv56) )
      => ! [S,T] : ( leq(0,S) & leq(0,T) ... ) ) ).
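The vcg clauses above compute a precondition backwards from a postcondition and, with a safety policy such as "array" loaded, emit one proof obligation per loop and per indexed access. The Python below is an added example, not AutoBayes/AutoFilter code and not the slides' Prolog: a small weakest-precondition VC generator over a toy loop language with the array-bounds policy built in, run on a constructed program modelled on the initialization loops shown on this slide, plus a finite-model checker that stands in for the theorem prover (it searches a small integer domain for counterexamples, so it can refute an obligation but never proves one in general). The tuple encoding of statements, the loop convention `i := lo .. hi-1`, the invariants, the precondition `n >= 1 and c >= 1` and the domain assumption that every `z(I)` lies in `0 .. c-1` are my assumptions.

```python
import itertools
import re

# Statements are nested tuples; expressions and assertions are Python expression
# strings over integers (a constructed encoding, not AutoBayes/AutoFilter syntax):
#   ('skip',)  ('assign', x, e)  ('astore', a, (i1, ..., ik), e)  ('seq', s1, ...)
#   ('for', i, lo, hi, body, inv)   runs i := lo .. hi-1 with loop invariant inv

def subst(phi, var, expr):
    """phi[var := expr], replacing whole identifiers only."""
    return re.sub(rf"\b{var}\b", f"({expr})", phi)

def conj(*parts):
    parts = [p for p in parts if p != "True"]
    return " and ".join(f"({p})" for p in parts) if parts else "True"

def implies(hyp, concl):
    return f"(not ({hyp})) or ({concl})"

class VCG:
    """Weakest-precondition VC generator with the 'array' safety policy: every index
    used by a statement must lie within the array's declared symbolic bounds."""

    def __init__(self, arrays):
        self.arrays = arrays      # name -> tuple of symbolic sizes, e.g. {'q': ('n', 'c')}
        self.obligations = []     # (label, formula) pairs handed to the prover

    def index_bounds(self, a, idxs):
        dims = self.arrays[a]
        assert len(dims) == len(idxs), f"{a}: expected {len(dims)} indices"
        return conj(*[f"0 <= {i} and {i} < {s}" for i, s in zip(idxs, dims)])

    def read_bounds(self, exprs):
        """Bounds for one-dimensional reads such as z[v46] inside expressions."""
        return conj(*[self.index_bounds(a, [i]) for e in exprs
                      for a, i in re.findall(r"\b(\w+)\[([^\[\]]+)\]", e) if a in self.arrays])

    def wp(self, stmt, Q):
        kind = stmt[0]
        if kind == "skip":
            return Q
        if kind == "assign":                        # x := e  gives  Q[x := e]
            _, x, e = stmt
            return conj(self.read_bounds([e]), subst(Q, x, e))
        if kind == "astore":                        # a[i..] := e; Q speaks about scalars only,
            _, a, idxs, e = stmt                    # so the write leaves Q unchanged (a full
            assert not re.search(rf"\b{a}\b", Q)    # VCG would substitute a store(a,i,e) term)
            return conj(self.index_bounds(a, idxs), self.read_bounds(list(idxs) + [e]), Q)
        if kind == "seq":
            for s in reversed(stmt[1:]):
                Q = self.wp(s, Q)
            return Q
        if kind == "for":
            _, i, lo, hi, body, inv = stmt
            step = self.wp(body, subst(inv, i, f"{i} + 1"))
            # preservation: inv and lo <= i < hi ==> wp(body, inv[i := i+1]);  exit: inv[i := hi] ==> Q
            self.obligations.append((f"preserve_{i}", implies(conj(inv, f"{lo} <= {i} and {i} < {hi}"), step)))
            self.obligations.append((f"exit_{i}", implies(subst(inv, i, hi), Q)))
            return subst(inv, i, lo)                # the loop's own precondition is inv[i := lo]
        raise ValueError(kind)

class Arr(tuple):                                   # array model that rejects negative indices
    def __getitem__(self, k):
        if not 0 <= k < len(self):
            raise IndexError(k)
        return tuple.__getitem__(self, k)

def models(names, arrays, elem_bound, env):
    """All contents of the 1-D arrays a formula reads; elements of a lie in 0 .. env[elem_bound[a]]-1."""
    choices = []
    for a in names:
        (size,) = arrays[a]
        choices.append([Arr(t) for t in itertools.product(range(env[elem_bound[a]]), repeat=env[size])])
    for combo in itertools.product(*choices):
        yield dict(zip(names, combo))

def check(formula, arrays, elem_bound, size_domain=range(1, 4), var_domain=range(-1, 5)):
    """Finite-model stand-in for the prover: a counterexample env, or None if no model in the small domain refutes the formula."""
    names = set(re.findall(r"\b[A-Za-z_]\w*\b", formula)) - {"and", "or", "not", "True", "False"}
    size_names = sorted({s for dims in arrays.values() for s in dims})
    scalars = sorted(names - set(arrays) - set(size_names))
    for sizes in itertools.product(size_domain, repeat=len(size_names)):
        env = dict(zip(size_names, sizes))
        for vals in itertools.product(var_domain, repeat=len(scalars)):
            env.update(zip(scalars, vals))
            for arrs in models(sorted(names & set(arrays)), arrays, elem_bound, env):
                env.update(arrs)
                try:
                    holds = eval(formula, {"__builtins__": {}}, dict(env))
                except IndexError:                  # a read outside the model is itself a violation
                    holds = False
                if not holds:
                    return dict(env)
    return None

ARRAYS = {"q": ("n", "c"), "z": ("n",)}
ELEM_BOUND = {"z": "c"}   # domain-theory assumption: class labels z(I) lie in 0 .. c-1

def init_program(inner_hi="c"):
    """Constructed sample modelled on the slide's initialization loops; inner_hi='c + 1' injects an off-by-one."""
    inner = ("for", "v45", "0", inner_hi, ("astore", "q", ("v44", "v45"), "0"),
             "0 <= v44 and v44 < n")      # inner invariant carries the outer loop's range
    outer = ("for", "v44", "0", "n", inner, "True")
    second = ("for", "v46", "0", "n", ("astore", "q", ("v46", "z[v46]"), "1"), "True")
    return ("seq", outer, second)

def verify(pre, prog, post, arrays=ARRAYS, elem_bound=ELEM_BOUND):
    """Generate every obligation and check it: [(label, formula, counterexample or None)]."""
    vcg = VCG(arrays)
    entry = ("entry", implies(pre, vcg.wp(prog, post)))
    return [(lbl, f, check(f, arrays, elem_bound)) for lbl, f in [entry] + vcg.obligations]
```

Calling `verify("n >= 1 and c >= 1", init_program(), "True")` yields seven obligations (entry, plus preservation and exit for each of the three loops), all of which the checker fails to refute; `init_program("c + 1")` makes the inner loop write one column past `q`, and only `preserve_v45` fails, with a counterexample in which `v45 == c`. Note that the inner loop's invariant has to carry the outer loop's range, otherwise the bounds condition on `v44` is unprovable inside the inner body, which is the same reason generated annotations propagate enclosing loop ranges inward.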
14
Certificate Organizational Aspects
Safety policy: array, V1.6 by B. Fischer
Model: V1.7, 11/05/05 by E. Denney
15
Certificate Organizational Aspects
Algorithm: EKF algorithm from Kalman Filtering, 2nd Edition, p. 99
16
Certificate Organizational Aspects
Target platform: CLARAty platform V3.1 (code generator invoked with -target claraty)
17
Certificate Organizational Aspects
Prover: hosted at U Miami, www.cs.miami.edu/tptp/
18
Certificate Organizational Aspects
Proofs checked by GDV
19
Structured Software Certificate
File rover_claraty.cc
  generated from specification rover.ab V1.7, by edenney@email.arc.nasa.gov
  generated by AutoFilter V1.87 (compiled 10:20am Nov 04 2005) on 10:25am Friday Nov 04 2005
  for target platform CLARAty (no additional flags)
  based on EKF algorithm from Kalman filtering, 2nd edition, p. 99.
Certified for safety policies
  array - all indexes are within given array bounds
    file array.pl V1.6, by fisch@email.arc.nasa.gov
  init
using VCG file vcg.pl V1.62, by edenney@email.arc.nasa.gov
domain theory
  file axioms.ax V1.8, by fisch@email.arc.nasa.gov
  file axgen.sh V1.5, by schumann@email.arc.nasa.gov
prover eprover V0.82, installed at U Miami
given signoff for method get_transition_matrix() by ttp@nasa.gov on Nov 05 2005
Documentation rover_claraty.html
Simulation rover_claraty_sim.m validated within tolerance 0.02 by schumann@email.arc.nasa.gov.
20
Re-Certification
Certificate can be turned into a makefile for re-certification
21
Re-Certification
Certificate can be turned into a makefile for re-certification

  all: autofilter rover_claraty rover_claraty.cert rover_claraty_sim.m

  rover_claraty.o: rover_claraty.cc
  	gcc -Iclaraty.h rover_claraty.cc

  rover_claraty.cc: rover.ab
  	autofilter -target claraty rover.ab

  rover_claraty.cert: rover_claraty.cc rover_claraty.array.proof ...
  	mail -s "certify_request_msg(get_transition_matrix)" -a rover_claraty.cc \
  	     ttp@nasa.gov

  rover_claraty.array.proof: rover_claraty.cc rover_claraty.array.*.vc ...
  	autofilter certify array rover_claraty.cc
  	prove_all -prover EP---0.82@cs.umiami.edu rover_claraty.array

  autofilter:
  	cvs co -t "10:20am Nov 04 2005" /usr/src/af/*.pl /usr/scr/af/*/*.pl ...
  	make -f /usr/src/af/Makefile autofilter
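Slides 19 to 22 make the point that a structured certificate records every input with its version and can be turned into a makefile, either to re-certify after a change or to audit the certification. The Python below is an added example, not the slides' makefile and not AutoFilter code: it keeps a certificate as a dependency graph (entries constructed from the component names and versions on the slides; the `signoff_get_transition_matrix` target and the `assemble_certificate` command are placeholders), emits make rules from it, reports which recorded component versions differ from what is installed, and computes which artifacts must be regenerated, re-proved or re-signed and in what order. The `INSTALLED` table is a constructed scenario in which only the domain theory has moved on.

```python
from collections import defaultdict

# Certificate as a dependency graph, constructed from the component names and versions
# on the slides. Recipes of the first three targets are the commands shown there; the
# sign-off target and the 'assemble_certificate' command are placeholders.
CERT = {
    "rover_claraty.cc": {
        "deps": {"rover.ab": "V1.7", "autofilter": "V1.87"},
        "recipe": "autofilter -target claraty rover.ab",
    },
    "rover_claraty.array.vc": {
        "deps": {"rover_claraty.cc": None, "array.pl": "V1.6", "vcg.pl": "V1.62"},
        "recipe": "autofilter certify array rover_claraty.cc",
    },
    "rover_claraty.array.proof": {
        "deps": {"rover_claraty.array.vc": None, "axioms.ax": "V1.8", "eprover": "V0.82"},
        "recipe": "prove_all -prover EP---0.82@cs.umiami.edu rover_claraty.array",
    },
    "signoff_get_transition_matrix": {          # placeholder for the manual sign-off
        "deps": {"rover_claraty.cc": None},
        "recipe": "mail -s certify_request_msg -a rover_claraty.cc ttp@nasa.gov",
    },
    "rover_claraty.cert": {
        "deps": {"rover_claraty.array.proof": None, "signoff_get_transition_matrix": None},
        "recipe": "assemble_certificate rover_claraty",   # placeholder command
    },
}

# Constructed view of what is installed now: the domain theory moved from V1.8 to V1.9.
INSTALLED = {"rover.ab": "V1.7", "autofilter": "V1.87", "array.pl": "V1.6",
             "vcg.pl": "V1.62", "axioms.ax": "V1.9", "eprover": "V0.82"}

def makefile(cert):
    """Emit make rules: each certified artifact depends on exactly what the certificate records."""
    lines = ["all: " + " ".join(cert)]
    for target, spec in cert.items():
        lines += [f"{target}: " + " ".join(spec["deps"]), "\t" + spec["recipe"]]
    return "\n".join(lines) + "\n"

def dependents(cert):
    """Reverse edges: component -> set of certified artifacts that use it directly."""
    rev = defaultdict(set)
    for target, spec in cert.items():
        for d in spec["deps"]:
            rev[d].add(target)
    return rev

def affected(cert, changed):
    """Every artifact that must be regenerated, re-proved or re-signed when `changed` components change."""
    rev, todo, frontier = dependents(cert), set(), list(changed)
    while frontier:
        for t in rev[frontier.pop()]:
            if t not in todo:
                todo.add(t)
                frontier.append(t)
    return todo

def recert_order(cert, changed):
    """Affected artifacts in an order that respects their dependencies (Kahn's algorithm)."""
    todo, rev = affected(cert, changed), dependents(cert)
    indeg = {t: sum(d in todo for d in cert[t]["deps"]) for t in todo}
    ready, order = sorted(t for t in todo if indeg[t] == 0), []
    while ready:
        t = ready.pop(0)
        order.append(t)
        for u in sorted(rev[t]):
            if u in todo:
                indeg[u] -= 1
                if indeg[u] == 0:
                    ready.append(u)
        ready.sort()
    if len(order) != len(todo):
        raise ValueError("cycle in certificate dependencies")
    return order

def drift(cert, installed):
    """Components whose installed version differs from the version recorded in the certificate."""
    recorded = {d: v for spec in cert.values() for d, v in spec["deps"].items() if v}
    return {d: (v, installed.get(d)) for d, v in recorded.items() if installed.get(d) != v}

if __name__ == "__main__":
    print(makefile(CERT))
    changed = drift(CERT, INSTALLED)
    print("version drift:", changed)
    print("re-certify in order:", recert_order(CERT, changed))
```

With the constructed `INSTALLED` table the only drift is `axioms.ax` (V1.8 recorded, V1.9 installed), so only the proof and the final certificate need redoing; the generated code and the human sign-off on `get_transition_matrix()` are untouched because neither depends on the domain theory. A change to `rover.ab`, by contrast, invalidates everything downstream, including the sign-off, which is the kind of release-policy decision the conclusions slide has in mind.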
22
Auditing
Certificate can be turned into a makefile for a certification audit
23
Conclusions
  • Certificate complexity comes from
      • system structure
      • organizational structure
  • Need persistence, extensibility, common format
  • => Representing and manipulating this requires a certification infrastructure
  • Enables other actions
      • browsing of certificates
      • estimating time/effort to re-certify
      • enforcing release policies