A candid industrial evaluation of formal software verification using model checking

Bennion, Matthew Russell; Habli, Ibrahim

doi:10.1145/2591062.2591184

Cited by 14 publications

(3 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are largely two methods for such evaluation: conventional testing and formal verification. They have their merits and demerits, and do not exclude but complement each other [5,17]. For example, formal verification can give a proof for the verification result by checking all possible states, while it can also lead to state explosion as the complexity of a system increases.…”

Section: Verification Of Safety Constraintsmentioning

confidence: 99%

Evaluation Framework for Performance Limitation of Autonomous Systems under Sensor Attack

Shimizu

Suzuki

Muramatsu

et al. 2021

Preprint

View full text Add to dashboard Cite

Autonomous systems such as self-driving cars rely on sensors to perceive the surrounding world. Measures must be taken against attacks on sensors, which have been a hot topic in the last few years. For that goal one must first evaluate how sensor attacks affect the system, i.e. which part or whole of the system will fail if some of the built-in sensors are compromised, or will keep safe, etc. Among the relevant safety standards, ISO/PAS 21448 addresses the safety of road vehicles taking into account the performance limitations of sensors, but leaves security aspects out of scope. On the other hand, ISO/SAE 21434 addresses the security perspective during the development process of vehicular systems, but not specific threats such as sensor attacks. As a result the safety of autonomous systems under sensor attack is yet to be addressed. In this paper we propose a framework that combines safety analysis for scenario identification, and scenario-based simulation with sensor attack models embedded. Given an autonomous system model, we identify hazard scenarios caused by sensor attacks, and evaluate the performance limitations in the scenarios. We report on a prototype simulator for autonomous vehicles with radar, cameras and LiDAR along with attack models against the sensors. Our experiments show that our framework can evaluate how the system safety changes as parameters of the attacks and the sensors vary.

show abstract

Section: Verification Of Safety Constraintsmentioning

confidence: 99%

Evaluation Framework for Performance Limitation of Autonomous Systems under Sensor Attack

Shimizu

Suzuki

Muramatsu

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Habli and Kelly [32] and Denney and Pai [15] present safety case patterns for the use of formal method results for certification. Bennion et al [3] present a safety case for arguing the compliance of a particular model checker, namely, the Simulink Design Verifier for DO-178C. Gallina and Andrews [23] argue about adequacy of a model-based testing process, and Carlan et al [7] provide a safety pattern for choosing and composing verification techniques based on how they contribute to the identification or mitigation of systematic faults known to affect system safety.…”

Section: Combining Evidencementioning

confidence: 99%

Software Assurance in an Uncertain World

Chećhik

Salay

Viger

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

From financial services platforms to social networks to vehicle control, software has come to mediate many activities of daily life. Governing bodies and standards organizations have responded to this trend by creating regulations and standards to address issues such as safety, security and privacy. In this environment, the compliance of software development to standards and regulations has emerged as a key requirement. Compliance claims and arguments are often captured in assurance cases, with linked evidence of compliance. Evidence can come from testcases, verification proofs, human judgment, or a combination of these. That is, experts try to build (safety-critical) systems carefully according to well justified methods and articulate these justifications in an assurance case that is ultimately judged by a human. Yet software is deeply rooted in uncertainty; most complex open-world functionality (e.g., perception of the state of the world by a self-driving vehicle), is either not completely specifiable or it is not cost-effective to do so; software systems are often to be placed into uncertain environments, and there can be uncertainties that need to be We argue that the role of assurance cases is to be the grand unifier for software development, focusing on capturing and managing uncertainty. We discuss three approaches for arguing about safety and security of software under uncertainty, in the absence of fully sound and complete methods: assurance argument rigor, semantic evidence composition and applicability to new kinds of systems, specifically those relying on ML.

show abstract

“…model checking). Benefits include an increase in testing coverage, early error-detection, and requirements clarification [2,7,15]. However, their usage in industry (e.g.…”

Section: Introductionmentioning

confidence: 99%

Formal verification of a gain scheduling control scheme

Ordoñez

Mills

Dodd

et al. 2017

2017 25th Mediterranean Conference on Control and Automation (MED)

View full text Add to dashboard Cite

Abstract-Gain scheduling is a commonly used closed-loop control approach for safety critical non-linear systems, such as commercial gas turbine engines. It is preferred over more advanced control strategies due to a known route to certification. Nonetheless, the stability of the system is hard to prove analytically, and consequently, safety and airworthiness is achieved by burdensome extensive testing. Model checking can aid in bringing down development costs of such a control system and simultaneously improve safety by providing guarantees on properties of embedded control systems. Due to model-checking exhaustive verification capabilities, it has long been recognised that coverage and error-detection rate can be increased compared to traditional testing methods. However, the state-space explosion is still a major computational limitation when applying model-checking to verify dynamic system behaviour. A practical methodology to incrementally design and formally verify control system requirements for a gain scheduling scheme is demonstrated in this paper, overcoming the computational constraints traditionally imposed by model checking. In this manner, the gain-scheduled controller can be efficiently and safely generated with the aid of the model checker.

show abstract

A candid industrial evaluation of formal software verification using model checking

Cited by 14 publications

References 24 publications

Evaluation Framework for Performance Limitation of Autonomous Systems under Sensor Attack

Evaluation Framework for Performance Limitation of Autonomous Systems under Sensor Attack

Software Assurance in an Uncertain World

Formal verification of a gain scheduling control scheme

Contact Info

Product

Resources

About