THE ROAD AHEAD FOR A COGNITIVE COMPUTING PLATFORM

  • Slides: 28
“THE ROAD AHEAD FOR A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS”
IoT Modelling Framework and Papyrus
Shuai Li, CEA
CHARIOT – VESSEDIA Workshop, 9 May 2019, Dublin, Ireland

Presentation outline
01 From specifications to proof goals
02 System models to symbolically executable models
03 Symbolic execution and relational property inference
04 6LoWPAN case-study

From specifications to proof goals

Context
Problems:
1 Often safety and security requirements are expressed at system level
2 Need to validate these requirements at code level
Challenge: How to translate high-level requirements into low-level proof goals?
Approach: A model-based framework for static code analysis

From system models to code validation
[Figure: a high-level model in Papyrus (sequence diagram between C1, C2 and C3 exchanging c?x, c!r and c!t, with r=foo(x) and t=bar(r)) is turned by automatic tooling (Diversity) into an xLIA state machine; its symbolic execution tree (η0 … η8) yields low-level requirements (relational properties), which are then proven on the code with Frama-C.]

System models to symbolically executable models

System modelling framework
[Figure: UML class diagram with interfaces ItfA (+ a(pA: Integer)) and ItfB (+ b(pB: Integer)), classes AClass and BClass, and a System composed of A: AClass and B: BClass connected through ports a and b.]
Focus on transformation of interactions to symbolically executable state-machines

Message occurrence transformation
sd (message occurrence on a lifeline) → xLIA:
    state q2 { transition tr_2 { input A( b ); } --> q3; }

Behavior execution transformation
sd: y = f(x)
@routine:
    macro routine f(integer a, return integer r) { newfresh(r); CALLstack <=< { “f”, a, r }; }
xLIA:
    state q2 { transition tr_2 { f(x, y); } --> q3; }

Optional fragment transformation
[Figure: sd with an opt fragment on lifeline A and its transformation into an xLIA state machine.]

Alternative fragment transformation
[Figure: sd with an alt fragment on lifeline A and its transformation into an xLIA state machine.]

Loop fragment transformation
[Figure: sd with a loop fragment on lifeline A and its transformation into an xLIA state machine.]

Symbolic execution and relational property inference

Symbolic execution

Symbolic execution to cover expected behavior
State machine (from the slide):
    s0 --in?x; r=foo(x)--> s1
    s1 --[r>3] out!x-1--> s0
    s1 --[x>10 ∧ r≤3] out!r; t=bar(r+1)--> s0
    s0 --[t>5] out!t--> s2
Execution contexts (state, store, path condition, call stack):
    η0: (s0, x:=x0, r:=r0, t:=t0, True, Φ)
    η1: (s1, x:=x1, r:=r1, t:=t0, True, [(foo, x1, r1)])                                  after in?x1
    η2: (s0, x:=x1, r:=r1, x1 ≤ 10 ∧ r1 > 3, [(foo, x1, r1)])                              after out!x1-1
    η3: (s0, x:=x1, r:=r1, t:=t1, x1 > 10 ∧ r1 ≤ 3, [(foo, x1, r1), (bar, r1+1, t1)])      after out!r1
    η4: (s0, x:=x1, r:=r1, t:=t1, x1 > 10 ∧ r1 ≤ 3 ∧ t1 > 5, [(foo, x1, r1), (bar, r1+1, t1)])  after out!t1

Relational property inference
Path covering the expected behavior: η0 --in?x1--> η1 --out!r1--> η3 --out!t1--> η4, with path condition x1 > 10 ∧ r1 ≤ 3 ∧ t1 > 5 and call stack [(foo, x1, r1), (bar, r1+1, t1)].
Inferred property:
    @relational forall int x1;
        callset( call(foo, x1, id1), call(bar, callresult(id1) + 1, id2) )
        => (x1 > 10 => ( callresult(id1) ≤ 3 => callresult(id2) > 5 ));
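As an added illustration (not code from the slides, nor from Diversity or Frama-C), this Python script symbolically executes the slide-15 state machine, collects the contexts η_i, and rewrites the path that covers the expected behavior into the @relational property above. The encoding is my reading of the slide: the first s1 guard is taken as [x ≤ 10 ∧ r > 3] (matching η2's path condition), out!t is taken to lead to s2, and symbolic values and constraints are kept as plain text rather than handed to a solver.

```python
import re
from collections import namedtuple
# Execution context, like the slides' eta_i: (state, store, path condition, call stack, events).
Ctx = namedtuple("Ctx", "state store pc calls events")
# Assumed reading of the slide-15 machine: (source, guards, actions, target); actions are
# ("in", var), ("call", routine, argument expr, result var) or ("out", expr).
TRANSITIONS = [
    ("s0", [],               [("in", "x"), ("call", "foo", "x", "r")],    "s1"),
    ("s1", ["x<=10", "r>3"], [("out", "x-1")],                            "s0"),
    ("s1", ["x>10", "r<=3"], [("out", "r"), ("call", "bar", "r+1", "t")], "s0"),
    ("s0", ["t>5"],          [("out", "t")],                              "s2"),
]

def subst(expr, env):  # rewrite whole-word names by their symbolic values
    for name, sym in env.items():
        expr = re.sub(rf"\b{name}\b", sym, expr)
    return expr

def step(ctx, tr, fresh):  # fire tr from ctx, or None if tr is not enabled in ctx.state
    src, guards, actions, dst = tr
    if ctx.state != src:
        return None
    store, pc = dict(ctx.store), ctx.pc + [subst(g, ctx.store) for g in guards]
    calls, events = list(ctx.calls), list(ctx.events)
    for act in actions:
        if act[0] == "in":        # input binds the variable to a fresh symbol
            store[act[1]] = fresh(act[1]); events.append(f"in?{store[act[1]]}")
        elif act[0] == "call":    # call: fresh result, pushed on the call stack
            _, routine, arg, res = act
            store[res] = fresh(res); calls.append((routine, subst(arg, store), store[res]))
        else:                     # output of an expression
            events.append(f"out!{subst(act[1], store)}")
    return Ctx(dst, store, pc, calls, events)

def explore(depth=3):  # breadth-first symbolic execution from eta_0 for `depth` steps
    counters = {}
    def fresh(var):    # x -> x1, x2, ... (eta_0 starts with x0, r0, t0)
        counters[var] = counters.get(var, 0) + 1
        return f"{var}{counters[var]}"
    frontier = [Ctx("s0", {"x": "x0", "r": "r0", "t": "t0"}, [], [], [])]
    for _ in range(depth):
        frontier = [c for ctx in frontier for tr in TRANSITIONS if (c := step(ctx, tr, fresh))]
    return frontier

def covering_paths(contexts):  # expected behaviour: bar was called and its result t was output
    return [c for c in contexts if any(f == "bar" for f, _, _ in c.calls) and c.events[-1] == f"out!{c.store['t']}"]

def infer_property(ctx):  # one covering path -> the slides' @relational property
    ids = {res: f"id{k}" for k, (_, _, res) in enumerate(ctx.calls, 1)}
    cr = lambda e: subst(e, {res: f"callresult({i})" for res, i in ids.items()})
    callset = ", ".join(f"call({f}, {cr(a)}, {ids[r]})" for f, a, r in ctx.calls)
    goal = cr(ctx.pc[-1])
    for c in reversed(ctx.pc[:-1]):   # earlier guards become hypotheses of the last one
        goal = f"({cr(c)} => {goal})"
    inputs = ", ".join(e[3:] for e in ctx.events if e.startswith("in?"))
    return f"forall int {inputs}; callset({callset}) => {goal};"
```

Running `infer_property(covering_paths(explore(3))[0])` yields the property of slide 16; the other leaves of `explore(3)` are the paths the slide does not draw (the η2 branch continued, and out!t fired without a prior bar call).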

6LoWPAN case-study

Verify “firmware update” behavior of 6LoWPAN networks
6LoWPAN software code
Which properties to validate for “firmware update” behavior correctness in the code?

Modeling the “firmware update” behavior
The first package contains metadata about Nbpackage and package size.
Load the address into the flash memory (two partitions).
Release of the flash memory area that will receive the firmware.
High-level modeling: write each received package to flash memory, integrity check, send confirmation.

Interactions to state-machines in textual xLIA language
UML sequence diagram → model translation into xLIA

Configure tool for symbolic execution
Configure our property inference module from the model:
    Input model
    Select the behavior: All firmware update packages are received and successfully installed on the node
    Specify output file

Performing symbolic execution
Diversity execution console: launch inference from Diversity

Visualizing execution tree
Scenario: All firmware update packages are received and successfully installed on the node

Relational properties inference
This is the low-level property corresponding to the selected firmware update scenario.
The property annotates the functions called within the firmware update scenario.
Property: does the functions' code allow the firmware update mechanism or not?

Static code analysis
Code analysis with Frama-C using the generated low-level requirements: property proven

Conclusion

Summary and future work
§ A model-based framework for static code analysis: bridge the gap between system model and code-level proof goal
    § UML architecture models and their interaction models
    § Transformation of interaction models to symbolically executable xLIA textual state-machines
    § Symbolic execution of state-machines to find paths covering correct behaviors
    § Inference of relational properties in the code
§ Integrated Development Environment
    § Papyrus UML modeler
    § Diversity symbolic execution engine
    § Frama-C code analyzer
§ Future work
    § Streamline integration with other elements of the VESSEDIA modeling framework and tools
    § State-machine models, embedded operation contracts in ACSL, embedded constraints in ACSL
    § Existing C code and ACSL state property generators

Contact Details
CEA, Shuai Li, shuai.li@cea.fr
The projects CHARIOT & VESSEDIA have received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 780075 & No 731453.