Publications

Hulette, Geoffrey C.; Bender, John M.; Pollard, Samuel D.; Thornquist, Heidi K.; Kellison, Ariel &.

Abstract not provided.

Morris Wright, Karla V.; Snook, Colin S.; Hoang, Thai S.; Armstrong, Robert C.; Hulette, Geoffrey C.; Butler, Michael B.

Abstract not provided.

Communications in Computer and Information Science

Morris Wright, Karla V.; Snook, Colin; Hoang, Thai S.; Hulette, Geoffrey C.; Armstrong, Robert C.; Butler, Michael

Although popular in industry, state-chart notations with ‘run to completion’ semantics lack formal refinement and rigorous verification methods. State-chart models are typically used to design complex control systems that respond to environmental triggers with a sequential process. The model is usually constructed at a concrete level and verified and validated using animation techniques relying on human judgement. Event-B, on the other hand, is based on refinement from an initial abstraction and is designed to make formal verification by automatic theorem provers feasible. We introduce a notion of refinement into a ‘run to completion’ statechart modelling notation, and leverage Event-B ’s tool support for theorem proving. We describe the difficulties in translating ‘run to completion’ semantics into Event-B refinements and suggest a solution. We illustrate our approach and show how critical (e.g. safety) invariant properties can be verified by proof despite the reactive nature of the system. We also show how behavioural aspects of the system can be verified by testing the expected reactions using a temporal logic model checking approach.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Morris Wright, Karla V.; Snook, Colin; Hoang, Thai S.; Hulette, Geoffrey C.; Armstrong, Robert C.; Butler, Michael

Statechart notations with ‘run to completion’ semantics, are popular with engineers for designing controllers that respond to events in the environment with a sequence of state transitions. However, they lack formal refinement and rigorous verification methods., on the other hand, is based on refinement from an initial abstraction and is designed to make formal verification by automatic theorem provers feasible. We introduce a notion of refinement into a ‘run to completion’ statechart modelling notation, and leveragetool support for theorem proving. We describe the difficulties in translating ‘run to completion’ semantics intorefinements and suggest a solution. We outline how safety and liveness properties could be verified.

Hulette, Geoffrey C.; Armstrong, Robert C.

While most software development for control systems is directed at what the system is supposed to do (i.e., function), high-consequence controls must account for what the system is not supposed to do (i.e., safety, security and reliability requirements). A Domain Specific Language (DSL) for high-consequence digital controls is proposed. As with similar tools for the design of controls, the DSL will have plug-in modules for common controller functions. However, the DSL will also augment these modules with attendant "templates" that aid in the proof of safety, security and reliability requirements, not available in current tools. The object is to create a development methodology that makes construction of high-assurance control systems as easy as controls that are designed for function alone.

Armstrong, Robert C.; Evans, Noah; Hulette, Geoffrey C.; Morris Wright, Karla V.; Aytac, Jon M.; Johnson-Freyd, Philip A.; Mayo, Jackson M.; Punnoose, Ratish J.

Abstract not provided.

Pollard, Samuel D.; Johnson-Freyd, Philip A.; Aytac, Jon M.; Duckworth, Tristan D.; Carson, Michael J.; Hulette, Geoffrey C.; Harrison, Christopher B.

Abstract not provided.

Johnson-Freyd, Philip A.; Pollard, Samuel D.; Duckworth, Tristan D.; Carson, Michael J.; Hulette, Geoffrey C.; Harrison, Christopher B.

Abstract not provided.

Mayo, Jackson M.; Armstrong, Robert C.; Hulette, Geoffrey C.; Salloum, Maher S.; Smith, Andrew M.

Abstract not provided.

Armstrong, Robert C.; Morris Wright, Karla V.; Hulette, Geoffrey C.; Mayo, Jackson M.; Michnovicz, Jason M.; Aytac, Jon M.; Johnson-Freyd, Philip A.; Punnoose, Ratish J.; Smith, Andrew M.

Abstract not provided.

Armstrong, Robert C.; Aytac, Jon M.; Hulette, Geoffrey C.; Mayo, Jackson M.; Morris Wright, Karla V.

Abstract not provided.

Hulette, Geoffrey C.; Johnson-Freyd, Philip J.; Ariola, Zena M.

Abstract not provided.

Hulette, Geoffrey C.; Mayo, Jackson M.; Morris Wright, Karla V.

Abstract not provided.

Communications in Computer and Information Science

Mayo, Jackson M.; Armstrong, Robert C.; Hulette, Geoffrey C.

Digital systems in an out-of-nominal environment (e.g., one causing hardware bit flips) may not be expected to function correctly in all respects but may be required to fail safely. We present an approach for understanding and verifying a system’s out-of-nominal behavior as an abstraction of nominal behavior that preserves designated critical safety requirements. Because abstraction and refinement are already widely used for improved tractability in formal design and proof techniques, this additional way of viewing an abstraction can potentially verify a system’s out-of-nominal safety with little additional work. We illustrate the approach with a simple model of a turnstile controller with possible logic faults (formalized in the temporal logic of actions and NuSMV), noting how design choices can be guided by the desired out-of-nominal abstraction. Principles of robustness in complex systems (specifically, Boolean networks) are found to be compatible with the formal abstraction approach. This work indicates a direction for broader use of formal methods in safety-critical systems.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Johnson-Freyd, Philip; Hulette, Geoffrey C.; Ariola, Zena M.

Sandia engineers use the Temporal Logic of Actions (TLA) early in the design process for digital systems where safety considerations are critical. TLA allows us to easily build models of interactive systems and prove (in the mathematical sense) that those models can never violate safety requirements, all in a single formal language. TLA models can also be refined, that is, extended by adding details in a carefully prescribed way, such that the additional details do not break the original model. Our experience suggests that engineers using refinement can build, maintain, and prove safety for designs that are significantly more complex than they otherwise could. We illustrate the way in which we have used TLA, including refinement, with a case study drawn from a real safety-critical system. This case exposes a need for refinement by composition, which is not currently provided by TLA. We have extended TLA to support this kind of refinement by building a specialized version of it in the Coq theorem prover. Taking advantage of Coq’s features, our version of TLA exhibits other benefits over stock TLA: we can prove certain difficult kinds of safety properties using mathematical induction, and we can certify the correctness of our proofs.

Electronic Notes in Theoretical Computer Science

Hulette, Geoffrey C.; Armstrong, Robert C.; Mayo, Jackson M.; Ruthruff, Joseph R.

This work outlines an equation-based formulation of a digital control program and transducer interacting with a continuous physical process, and an approach using the Coq theorem prover for verifying the performance of the combined hybrid system. Considering thermal dynamics with linear dissipation for simplicity, we focus on a generalizable, physically consistent description of the interaction of the real-valued temperature and the digital program acting as a thermostat. Of interest in this work is the discovery and formal proof of bounds on the temperature, the degree of variation, and other performance characteristics. Our approach explicitly addresses the need to mathematically represent the decision problem inherent in an analog-to-digital converter, which for rare values can take an arbitrarily long time to produce a digital answer (the so-called Buridan's Principle); this constraint ineluctably manifests itself in the verification of thermostat performance. Furthermore, the temporal causality constraints in the thermal physics must be made explicit to obtain a consistent model for analysis. We discuss the significance of these findings toward the verification of digital control for more complex physical variables and fields.

Mayo, Jackson M.; Armstrong, Robert C.; Hulette, Geoffrey C.

Abstract not provided.

9th Annual IEEE International Systems Conference, SysCon 2015 - Proceedings

Mayo, Jackson M.; Armstrong, Robert C.; Hulette, Geoffrey C.

Current programming languages and programming models make it easy to create software and hardware systems that fulfill an intended function but also leave such systems open to unintended function and vulnerabilities. Software engineering and code hygiene may make systems incrementally safer, but do not produce the wholesale change necessary for secure systems from the outset. Yet there exists an approach with impressive results: We cite recent examples showing that formal methods, coupled with formally informed digital design, have produced objectively more robust code even beyond the properties directly proven. Though discovery of zero-day vulnerabilities is almost always a surprise and powerful tools like semantic fuzzers can cover a larger search space of vulnerabilities than a developer can conceive of, formal models seem to produce robustness of a higher qualitative order than traditionally developed digital systems. Because the claim is necessarily a qualitative one, we illustrate similar results with an idealized programming language in the form of Boolean networks where we have control of parameters related to stability and adaptability. We argue that verifiability with formal methods is an instance of broader design constraints that promote robustness. We draw analogies to real-world programming models and languages that can be mathematically reasoned about in contrast to ones that are essentially undecidable.

Mayo, Jackson M.; Armstrong, Robert C.; Hulette, Geoffrey C.

Abstract not provided.

Hulette, Geoffrey C.

This report summarizes our work on methods for developing high-assurance digital systems. We present an approach for understanding and evaluating trust issues in digital systems, and for us- ing computer-checked proofs as a means for realizing this approach. We describe the theoretical background for programming with proofs based on the Curry-Howard correspondence, connect- ing the field of logic and proof theory to programs. We then describe a series of case studies, intended to demonstrate how this approach might be adopted in practice. In particular, our stud- ies elucidate some of the challenges that arise with this style of certified programming, including induction principles, generic programming, termination requirements, and reasoning over infinite state spaces.

Hulette, Geoffrey C.; Armstrong, Robert C.; Mayo, Jackson M.; Ruthruff, Joseph R.

Abstract not provided.

Lloyd, Levi L.; Fritz, David J.; Erickson, Jeremy L.; Choe, Yung R.; Dirks, David H.; Hulette, Geoffrey C.; Armstrong, Robert C.; Vorobeychik, Yevgeniy V.; Deccio, Casey T.

Abstract not provided.

Hulette, Geoffrey C.

Abstract not provided.

Hulette, Geoffrey C.

Abstract not provided.

Mayo, Jackson M.; Armstrong, Robert C.; Allan, Benjamin A.; Hulette, Geoffrey C.; Schwartz, Moses D.; Bauer, Todd B.

Abstract not provided.