Research article (Public Access; Artifacts Evaluated & Functional)

VeriPhy: verified controller executables from verified cyber-physical system models

Published: 11 June 2018

Abstract

We present VeriPhy, a verified pipeline which automatically transforms verified high-level models of safety-critical cyber-physical systems (CPSs) in differential dynamic logic (dL) to verified controller executables. VeriPhy proves that all safety results are preserved end-to-end as it bridges abstraction gaps, including: i) the gap between mathematical reals in physical models and machine arithmetic in the implementation, ii) the gap between real physics and its differential-equation models, and iii) the gap between nondeterministic controller models and machine code. VeriPhy reduces CPS safety to the faithfulness of the physical environment, which is checked at runtime by synthesized, verified monitors. We use three provers in this effort: KeYmaera X, HOL4, and Isabelle/HOL. To minimize the trusted base, we cross-verify KeYmaera X in Isabelle/HOL. We evaluate the resulting controller and monitors on commodity robotics hardware.


Supplemental Material

p617-bohrer.webm

