Assuring the Guardians

Runtime Monitors observe the execution of a system with the aim of reaching a verdict about it. One property that is expected of monitors is consistent verdict detections; this property was characterised in prior work via a symbolic analysis called symbolic controllability. This paper explores whether the proposed symbolic analysis lends itself well to the construction of a tool that checks monitors for this deterministic behaviour. We implement a prototype that automates this symbolic analysis, and establish complexity upper bounds for the algorithm used. We also consider a number of optimisations for the implemented prototype, and assess the potential gains against benchmark monitors.

Section: Resultsmentioning

confidence: 99%

On Implementing Symbolic Controllability

Francalanza¹,

Xuereb²

2020

“…Currently, proof engines based on Satisfiability Modulo Theories (smt) are used to discharge proofs. The Copilot prover was first introduced in [16], where its utility was demonstrated in assuring notoriously subtle voting algorithms.…”

Section: Do No Harmmentioning

confidence: 99%

Challenges in High-Assurance Runtime Verification

Goodloe

2016

Self Cite

Safety-critical systems are growing more complex and becoming increasingly autonomous. Runtime Verification (RV) has the potential to provide protections when a system cannot be assured by conventional means, but only if the RV itself can be trusted. In this paper, we proffer a number of challenges to realizing high-assurance RV and illustrate how we have addressed them in our research. We argue that high-assurance RV provides a rich target for automated verification tools in hope of fostering closer collaboration among the communities.https://ntrs.nasa.gov/search.

“…Three RV engines currently exist that can fly on real systems: Copilot, LOLA and the Realizable, Responsive, Unobtrusive Unit (R2U2). Copilot is a stream-based, real-time operating system that implements embedded monitors [5,7,10,11]. This utility is incompatible with the ACS software.…”

Section: Introductionmentioning

confidence: 99%

Integrating Runtime Verification into a Sounding Rocket Control System

Hertz

Luppen

Rozier

2021

An actuation fault in the aerobraking control system (ACS) took down Iowa State's Nova Somnium rocket during the 2019 Spaceport America Cup competition, prematurely ending the team's participation. The ACS engaged incorrectly before motor burnout, altering the rocket's trajectory and leading to a dangerous crash. The ability to detect this fault in real time on-board the ACS's Arduino microcontroller would have prevented an uncontrolled landing and rapid unscheduled disassembly, which posed a major safety threat and ended a year's worth of effort by the 50-student team. Runtime verification (RV) specializes in efficiently catching this type of scenario; the R2U2 RV engine uniquely fits in the project's resource constraints. We design specifications to detect ACS faults and trigger the appropriate mitigations. We discuss specification development, validation, coverage, and robustness against false positives. Experimental evaluation on the real, recorded flight data demonstrates that running R2U2 on the Nova Somnium ACS would have prevented this accident from occurring. We generalize our results and outline our plans for integrating runtime verification into future sounding rockets.