Distributed Systems Programming (F21DS1) Formal Methods for Distributed Systems


Distributed Systems Programming (F21DS1)
Formal Methods for Distributed Systems
Andrew Ireland
Department of Computer Science
School of Mathematical and Computer Sciences
Heriot-Watt University, Edinburgh

Module Overview
Distributed Systems Programming = Formal Methods + Implementation Technologies
Lecturers: Andrew Ireland (G.57) a.ireland@hw.ac.uk & Hamish Taylor (1.43) hamish@macs.hw.ac.uk
Lectures: Wed-11.15 (3.03); Thu-16.15 (3.02); Fri-11.15 (3.02)
Labs: Fri-16.15 in 2.50 (Linux Lab) OR 3.03
Coursework: Two assignments, one for each part of the module (40%)
Examination: End of Semester 1 (60%)
Materials: Available via VISION
Note: Formal Methods materials also via http://www.macs.hw.ac.uk/~air/dsp-spin/

The Economic Motive
"... the national annual cost estimates of an inadequate infrastructure for software testing are estimated to be $59.5 billion." Federal Study, US Dept of Commerce, May 2002.
"Worse, and spreading the effect of software flaws far beyond the original customer, several devastating computer viruses have taken advantage of bugs and defects in common operating systems..." CNET Networks Inc, Aug 2002.
US Internal Revenue Service: a failed $4-billion modernization effort in 1997, followed by an equally troubled $8-billion update.
FBI: the $170-million virtual case-file management system was terminated in 2005.

More of the Same?
Conventional modelling techniques rely heavily on natural language and diagrammatic methods. Such approaches make it hard to:
Write unambiguous models.
Analyse properties of our models.
Generate effective test cases for our implementations.
Omissions and defects introduced early within the life-cycle are the most expensive to rectify if they go undetected...

The Economics of Defect Detection
[Figure: cost of fixing a defect plotted against the life-cycle phase in which it is found (Requirements, Coded, Released), after Boehm (1976).]
Late life-cycle fixes are generally costly, i.e. they can range from 40% to 100% more expensive than corrections in the early phases.

Complementary Methods
The notion of formal methods has emerged over several decades as a way of addressing the weaknesses of the conventional methods highlighted above. One definition of formal methods is:
"... a set of tools and notations (with a formal semantics) used to specify unambiguously the requirements of a computer system that supports the proof of properties of that specification and proofs of correctness of an eventual implementation with respect to that specification." M.G. Hinchey & J.P. Bowen (1995)

Drivers: Business & Economic Related
[Figure: Time + Money spent across the life-cycle phases (Requirements, Specification, Design, Code, Unit Test, Integration Test, System Test, Acceptance), contrasting the conventional methods profile with the formal methods profile.]

Drivers: Safety Related Standards
RTCA DO-178B (USA Civil Avionics)
Def Stan 00-55 (UK MoD)
IEC 61508 (Generic Programmable Systems)
IEC 601 (Medical Equipment)
(Pr)EN 50128 (Railway Industry)
IEC 880 (Nuclear Power Control)
MISRA (Automotive Industry)
FDA (Medical Equipment)

Health Warning
There are no absolute guarantees.
When applied correctly, formal methods have been demonstrated to result in systems of the highest integrity.
Correctness is only guaranteed with respect to a specification: you need to validate the assumptions which underpin the specification.
Formal methods complement rather than replace conventional approaches, e.g. testing, simulation and prototyping.
But formal methods are applied by humans, who are error prone, so tools are crucial.

When should Formal Methods be Used?
Complex: abstraction is an important technique for managing the complexity of large systems and is central to the notion of a formal method.
Concurrent: distributed systems give rise to concurrency. While we find it hard to reason about concurrency, certain formal methods have been developed which ease this task.
Quality-critical: applications where failure is not dangerous but economically expensive, e.g. financial applications and telecommunications.

When should Formal Methods be Used? (continued)
Safety-critical: applications where failure may endanger human life, e.g. fly-by-wire control systems and railway signalling systems.
Security-critical: applications where failure means unauthorized access to sensitive information, e.g. medical records and security databases.
Standardized: where systems are designed to meet specific, internationally recognized standards, it is important that the standards can be interpreted uniformly, e.g. language specifications and protocol standards.

What Do Formal Methods Cost?
The cost of applying formal methods is high, i.e. labour intensive coupled with a skills bottleneck.
There is a need for support tools which are integrated within conventional software development environments.
The potential for re-use within formal methods is high: at the 4th NASA Langley Formal Methods Workshop (1997), work by Rockwell Avionics Research on the formal verification of the AAMP family of microprocessors (designed for embedded real-time applications and used on Boeing 737, 747, 757 & 767 aircraft) demonstrated a 6-fold speed-up in the formal verification effort when the work undertaken on the AAMP-5 was reused with the AAMP-FV.

The Cost of Failure
In 1994 a bug in the floating-point hardware of Intel's Pentium microprocessor was discovered. The replacement costs were > $400 million. Intel now has a number of Formal Methods teams in the US...
In 1996, just 39 seconds into its maiden flight, Ariane 5 initiated its self-destruct mechanism... Ariane 5 cost the European Space Agency 10 years and $7 billion to produce. Ariane 5 was running Ariane 4 software; however, the underlying hardware architectures were different. Self-destruction occurred when the Ariane 5 guidance system tried to convert a 64-bit number (velocity data) into a 16-bit format, which resulted in an overflow error.
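The narrowing conversion behind the Ariane 5 failure described above, as an added C example (not code from the lecture or from any flight software): an unchecked cast from a 64-bit integer to a 16-bit one silently discards the high bits, while a range-checked conversion reports the overflow so the caller can handle it instead of acting on a wrong value. The function names and sample values are constructed for this illustration, and the example assumes the 64-bit source is an integer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing: the cast keeps only the low 16 bits.
 * C makes the out-of-range result implementation-defined; on common
 * toolchains it wraps, so 32768 comes back as -32768 with no error. */
static int16_t unchecked_narrow(int64_t v) {
    return (int16_t)v;
}

/* Range check performed before any conversion is attempted. */
static bool fits_in_int16(int64_t v) {
    return v >= INT16_MIN && v <= INT16_MAX;
}

/* Defensive narrowing: returns true and stores the converted value only
 * when it is representable; otherwise leaves *out untouched and returns
 * false so the caller must take an explicit recovery decision. */
static bool checked_narrow(int64_t v, int16_t *out) {
    if (!fits_in_int16(v)) {
        return false;
    }
    *out = (int16_t)v;
    return true;
}

/* Demonstration driver: constructed sample values inside and beyond
 * the 16-bit range, printed side by side for both conversion paths. */
int main(void) {
    const int64_t samples[] = { 1000, 32767, 32768, 200000, -40000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t safe = 0;
        bool ok = checked_narrow(samples[i], &safe);
        printf("%8lld -> unchecked %6d, checked %s\n",
               (long long)samples[i], unchecked_narrow(samples[i]),
               ok ? "ok" : "OVERFLOW (rejected)");
    }
    return 0;
}
```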

The Cost of Failure (continued)
Therac-25: a computer-controlled radiation therapy machine, built by Atomic Energy of Canada Ltd (AECL) and used in US and Canadian hospitals and clinics during the 1980s. The Therac-25 was the successor to the Therac-6 and Therac-20 models. Unlike its predecessors, the Therac-25 relied more on software control mechanisms.
Potential hazards from the Therac machines include a high-energy beam delivered with inappropriate magnet settings.
Hazard analysis for the Therac-25 (March 1983) excluded the possibility of software defects, since extensive testing had been undertaken. However, software errors resulted in several patients being killed and injured by radiation overdoses during the mid to late 1980s.

Which Formal Method is Best?
The choice is very much application dependent; indeed, a number of complementary methods may often be required for a single application.
When specifying state-based aspects of systems it is best to use a model-based approach such as:
Z: The Z Notation: A Reference Manual, Spivey, J.M., Prentice Hall 1992.
VDM: Systematic Software Development using VDM, Jones, C.B., Prentice Hall 1990.

Which Formal Method is Best? (continued)
Distributed concurrent systems: process algebras provide formalisms for modelling distributed concurrent systems:
CCS: Communication and Concurrency.
CSP: Communicating Sequential Processes.
LOTOS: Language Of Temporal Ordering Specification.
Description languages, less formal but with greater industrial up-take:
SDL: Specification and Description Language.
Promela: PROcess MEta LAnguage.

Examples from Industry
SPARK: a programming language derived from Ada that includes annotations; the SPARK toolset supports flow analysis and formal verification (Praxis Critical Systems, UK).
ESTELLE (telecommunications).
SCADE (embedded systems): supports specification and a notion of correctness-by-construction (Esterel Technologies, France).
SDV: Static Device Verifier automatically analyzes system software (C programs) and detects violations with respect to application programming interface (API) usage rules (Microsoft Research, US). http://www.microsoft.com/whdc/devtools/tools/sdv.mspx

Aims and Objectives
To promote an understanding of the issues involved in using formal methods within system design, in particular the design of distributed and concurrent systems.
To provide practical experience of the formal modelling and analysis of such systems through Promela and the SPIN design verification tool.
To give an insight into the theory which underpins such formal modelling and analysis tools.

Summary
Learning outcomes: gain an understanding of the:
Limitations of conventional modelling and analysis techniques.
Complementary nature of formal methods as well as their strengths and weaknesses.
Recommended reading:
M.G. Hinchey & J.P. Bowen (Eds), Applications of Formal Methods, Prentice Hall 1995.
http://www.macs.hw.ac.uk/~air/dsp-spin/
http://formalmethods.wikia.com/wiki/Formal_methods