Abstract
We present VeriPhy, a verified pipeline which automatically transforms verified high-level models of safety-critical cyber-physical systems (CPSs) in differential dynamic logic (dL) to verified controller executables. VeriPhy proves that all safety results are preserved end-to-end as it bridges abstraction gaps, including: i) the gap between mathematical reals in physical models and machine arithmetic in the implementation, ii) the gap between real physics and its differential-equation models, and iii) the gap between nondeterministic controller models and machine code. VeriPhy reduces CPS safety to the faithfulness of the physical environment, which is checked at runtime by synthesized, verified monitors. We use three provers in this effort: KeYmaera X, HOL4, and Isabelle/HOL. To minimize the trusted base, we cross-verify KeYmaera X in Isabelle/HOL. We evaluate the resulting controller and monitors on commodity robotics hardware.
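The three gaps named in the abstract can be seen on a small model. This is an added illustration, not VeriPhy's code and not one of the paper's case studies: a one-dimensional vehicle with position x, velocity v and an obstacle at e, safe while v² ≤ 2B(e − x). The controller monitor admits an acceleration only if that invariant certainly survives one cycle, evaluated in outward-rounded interval arithmetic so machine rounding cannot hide a violation of the real-valued guard; the plant monitor checks that observed physics agrees with the ODE model; the deterministic controller takes the admissible action. The constants A, B, EPS, the tolerance and the closed-form ODE solution are assumptions.

```python
import math

# Constructed model constants (not from the paper): max acceleration A,
# max braking B, and the maximum controller cycle time EPS.
A, B, EPS = 1.0, 2.0, 0.1

# Intervals [lo, hi] with outward rounding: every real result of the
# model's arithmetic lies inside the float interval we compute.
def iv(x):     return (float(x), float(x))
def _down(x):  return math.nextafter(x, -math.inf)
def _up(x):    return math.nextafter(x, math.inf)
def add(p, q): return (_down(p[0] + q[0]), _up(p[1] + q[1]))
def sub(p, q): return (_down(p[0] - q[1]), _up(p[1] - q[0]))
def mul(p, q):
    ends = (p[0] * q[0], p[0] * q[1], p[1] * q[0], p[1] * q[1])
    return (_down(min(ends)), _up(max(ends)))
def leq(p, q): return p[1] <= q[0]  # p <= q for every real in the intervals

def predict(x, v, a, t):
    """Closed-form solution of the model ODE x' = v, v' = a after time t."""
    X, V, Ac, T = iv(x), iv(v), iv(a), iv(t)
    v_next = add(V, mul(Ac, T))
    x_next = add(X, add(mul(V, T), mul(mul(iv(0.5), Ac), mul(T, T))))
    return x_next, v_next

def ctrl_monitor(x, v, e, a):
    """Controller monitor: braking is always admissible; accelerating is
    admissible only if v^2 <= 2*B*(e - x) certainly still holds after a
    full cycle at acceleration A (rounding cannot hide a violation)."""
    if a == -B:
        return True
    if a != A:
        return False
    x_next, v_next = predict(x, v, A, EPS)
    return leq(mul(v_next, v_next), mul(iv(2 * B), sub(iv(e), x_next)))

def controller(x, v, e):
    """Concrete controller: the deterministic choice the monitor admits."""
    return A if ctrl_monitor(x, v, e, A) else -B

def plant_monitor(x0, v0, a, t, x1, v1, tol):
    """Plant monitor: the observed post-state (x1, v1) after time t must be
    consistent with the ODE model up to sensor tolerance tol; otherwise the
    environment is not faithful to the model and the safety proof does not
    apply to this run."""
    if not 0.0 <= t <= EPS:
        return False
    x_pred, v_pred = predict(x0, v0, a, t)
    x_ok = x_pred[0] - tol <= x1 <= x_pred[1] + tol
    v_ok = v_pred[0] - tol <= v1 <= v_pred[1] + tol
    return x_ok and v_ok
```

A plant-monitor failure is the signal to switch to the fallback (braking) action rather than to keep trusting the model.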
VeriPhy: verified controller executables from verified cyber-physical system models. PLDI 2018: Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation.