UPenn Overview

HASTEN: Advanced Tool Integration for
Embedded Systems Assurance
Insup Lee
Department of Computer and Information Science
University of Pennsylvania
May 10, 2005
Principal investigators
o Rajeev Alur (UPenn)
o Sampath Kannan (UPenn)
o Insup Lee (PI, UPenn)
o Oleg Sokolsky (UPenn)
o Robert P. Cook (GSU)
o Carl Gunter (UIUC)
o Elsa Gunter (UIUC)
o Kang G. Shin (UMich)
May 10, 2005
HCES Review Meeting
Embedded Systems
 Embedded systems are
o devices used to control, monitor or assist the operation of appliances,
gadgets, equipment, machinery or plant;
o an integral part of the system.
 Characteristics
o Tightly coupled to the physical world; i.e., interacts with (or reacts to)
its environment
o Correct operation is subject to
 Physical constraints imposed by the environment
 Resource constraints of the device
o Heterogeneity, networked at larger scale
o Sociological and ethical requirements
 Users are not system experts
 Trustworthiness, security and privacy
A Variety of Application Domains
 Hybrid and embedded systems
o Aerospace, automobiles, robotics, process control, sensor networks, smart spaces
 Medical devices and instruments
o Patient monitoring, MRI, infusion pumps, artificial organs
 Multimedia
o Virtual reality, immersive environment
 Consumer electronics
o Mobile phones, office electronics, digital appliances
 Network components
o Bridges, routers, switches, hubs
 E-business
o ATM, vending machines
 Distributed and grid computing
o Critical infrastructure defense system, air traffic control, intelligent highway systems, emergency response system
Goals of the HASTEN Project
 High Assurance Systems Tools and ENvironments (HASTEN)
 Develop techniques and tools for “end-to-end” software engineering of embedded software systems
o Requirements capture
o Specification, analysis, simulation
o Implementation generation and validation: code generation, testing
o Deployed system monitoring, checking, and steering
 Integrated use of tools
o Vertical integration (reuse models)
o Horizontal integration (layered modeling and analysis)
 Case studies
o automotive controllers, mobile robots, medical devices, embedded Linux
Example: Workflow for Policy Modeling and Verification
1. Write NL Requirements
2. Extract formal system specifications (EFSMs)
3. Analyze specifications
4. Implement system
5. Create test scripts
6. Run test scripts on implementation
7. Use test results and properties to decide if implementation passes
[Workflow diagram; nodes: NL Documents, Build NLFSM, Paragraphs, NLFSMs, Manual Translation and Merging, System Specification, Programmer, Program Code, Test Script Generation Tool, Properties, Test Scripts, Tester, Test Outcomes, Certification Criteria, Certifier, Yes / No Outcome]
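As an added illustration of the seven steps above (example code written for this page, not a HASTEN tool or any code from the project): a constructed record-release policy is written down as an EFSM (step 2), its reachable state space is analyzed (step 3), a small implementation is written (step 4), test scripts with transition coverage are generated from the EFSM (step 5), and the scripts are run against the implementation with the outcome decided from both the expected outputs and a certification property (steps 6 and 7). The policy, its states and events, the `RecordService` class and the `check_authorization` switch that plants an authorization bypass are all assumptions made for the illustration.

```python
from collections import deque

# Added example, not code from the HASTEN project. The policy is constructed:
# consent must be recorded, then an authorization must succeed, and only then
# may a record be released; MAX_FAILS bad authorizations lock the record
# until a reset.
MAX_FAILS = 3
EVENTS = ("consent", "auth_ok", "auth_bad", "release", "reset")
INIT = ("Idle", 0)  # EFSM configuration: (control state, failed-authorization count)


def spec_step(config, event):
    """Step 2: the extracted specification as an EFSM.
    Maps (configuration, event) to (next configuration, expected output)."""
    state, fails = config
    if state == "Idle" and event == "consent":
        return ("Consented", fails), "consent_recorded"
    if state == "Consented" and event == "auth_ok":
        return ("Authorized", 0), "authorized"
    if state == "Consented" and event == "auth_bad":
        if fails + 1 >= MAX_FAILS:
            return ("Locked", fails + 1), "locked"
        return ("Consented", fails + 1), "denied"
    if state == "Authorized" and event == "release":
        return ("Authorized", fails), "released"
    if state == "Locked" and event == "reset":
        return ("Idle", 0), "unlocked"
    return (state, fails), "denied"  # every other event is refused


def explore():
    """Breadth-first search over reachable configurations.
    Returns {configuration: shortest event path reaching it from INIT}."""
    paths, queue = {INIT: []}, deque([INIT])
    while queue:
        cfg = queue.popleft()
        for ev in EVENTS:
            nxt, _ = spec_step(cfg, ev)
            if nxt not in paths:
                paths[nxt] = paths[cfg] + [ev]
                queue.append(nxt)
    return paths


def analyze():
    """Step 3: check properties of the specification over its reachable state space."""
    reachable = explore()
    return {
        "lockout_reachable": any(s == "Locked" for s, _ in reachable),
        "release_only_when_authorized": all(
            spec_step(cfg, "release")[1] != "released" or cfg[0] == "Authorized"
            for cfg in reachable),
        "locked_only_leaves_on_reset": all(
            spec_step(cfg, ev)[0][0] == "Locked"
            for cfg in reachable if cfg[0] == "Locked" for ev in EVENTS if ev != "reset"),
    }


class RecordService:
    """Step 4: the implementation under test (constructed). With
    check_authorization=False it carries a deliberate authorization bypass
    so that the certification step has a defect to catch."""

    def __init__(self, check_authorization=True):
        self.check_authorization = check_authorization
        self._clear()

    def _clear(self):
        self.consented = self.authorized = self.locked = False
        self.fails = 0

    def handle(self, event):
        if self.locked:
            if event == "reset":
                self._clear()
                return "unlocked"
            return "denied"
        if event == "consent" and not self.consented:
            self.consented = True
            return "consent_recorded"
        if event == "auth_ok" and self.consented and not self.authorized:
            self.authorized, self.fails = True, 0
            return "authorized"
        if event == "auth_bad" and self.consented and not self.authorized:
            self.fails += 1
            if self.fails >= MAX_FAILS:
                self.locked = True
                return "locked"
            return "denied"
        if event == "release" and (self.authorized or not self.check_authorization):
            return "released"
        return "denied"


def generate_tests():
    """Step 5: one script per (reachable configuration, event) pair, i.e. transition
    coverage of the EFSM. A script is a list of (event, expected output) pairs."""
    scripts = []
    for cfg, path in explore().items():
        for ev in EVENTS:
            c, script = INIT, []
            for e in path + [ev]:
                c, out = spec_step(c, e)
                script.append((e, out))
            scripts.append(script)
    return scripts


def release_requires_authorization(trace):
    """Certification property (step 7): no 'released' output unless an
    'authorized' output preceded it since the start or the last 'unlocked'."""
    authorized = False
    for _, out in trace:
        if out == "authorized":
            authorized = True
        elif out == "unlocked":
            authorized = False
        elif out == "released" and not authorized:
            return False
    return True


def certify(make_impl):
    """Steps 6 and 7: run every script on a fresh implementation and pass only if each
    trace matches the expected outputs and satisfies the property.
    Returns (passed, list of failing (script, trace) pairs)."""
    failures = []
    for script in generate_tests():
        impl = make_impl()
        trace = [(ev, impl.handle(ev)) for ev, _ in script]
        if trace != script or not release_requires_authorization(trace):
            failures.append((script, trace))
    return not failures, failures
```

`certify(RecordService)` passes all 30 generated scripts; `certify(lambda: RecordService(check_authorization=False))` fails the four scripts that issue `release` before any authorization, and each of those traces also violates the property, which is how the decision in step 7 combines test outcomes with properties rather than relying on expected outputs alone.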
Software Development Process
 Requirements capture and analysis
o Informal to formal
o Consistency and completeness
o Assumptions and interfaces between system components
o Application-specific properties
 Design specifications and analysis
o Formal modeling notations
o Analysis techniques & Abstractions
o Interfaces
 Implementation
o Code generation & synthesis
o Validation
 Testing
 Model extraction and verification
 Run-time monitoring and checking
[Diagram: Requirements, Design specification, Implementation]
Posters and Demos
 Requirements capture and analysis
o Extracting Formal Models from Natural Language Policy, Nikhil Dinesh, Arvind Easwaran, Aravind Joshi, Insup Lee
 Design specification and analysis
o CHARON-AADL: An integrated framework for architectural and behavioral specifications, Jesung Kim, Duncan Clarke, Oleg Sokolsky
o Symbolic Compositional Verification by Learning Assumptions, Won Hong Nam, Rajeev Alur
 Implementation generation and verification
o Sound distributed code generation from hybrid system models, Madhukar Anand, Sebastian Fischmeister, Jesung Kim, Insup Lee
o On-the-fly model-checking of recursive state machines, Swarat Chaudhuri, Rajeev Alur
o Real-time and probabilistic extensions to MaC, Usa Sammapun, Oleg Sokolsky, Insup Lee
 Medical Device Case Studies
o Generic Infusion Pump and Bloodbank Management System, Dave Arney, Arvind Easwaran, Sebastian Fischmeister, Jesung Kim, Insup Lee
Other on-going projects
 Token coherence protocol, Alur
 Stochastic Charon, Alur
 Policy integration for programmable embedded devices, Alur,
Gunter
 Understanding what can be done with steering, Kannan, Lee
 Compositional real-time scheduling framework, Lee
 Adding time and power consumption to the model supported
by the Path Exploration Tool, Gunter
 Investigating the combination of model checking, equational
rewriting and general theorem proving with Maude, Spin, and
Isabelle, Gunter
 Etc.
Technology transfer I
 Schedulability analysis of embedded systems
o AADL is an SAE standard for modeling of embedded systems
o Formal schedulability analysis by VERSA
o Eclipse plugin for OSATE AADL modeling tool
Technology transfer II
 LMCO: MaC run-time verification tool
o Checking properties of systems at run time
o Dynamic and timing properties
 QinetiQ: finding exploitable vulnerabilities in binary code
o Use MaC to provide dynamic data into static constraint solving problem
 BAI Intl.: providing safety wrappers for avionics controllers
o Use MaC to evaluate the wrapper at run time
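The run-time checking described above, as an added example that is not the MaC tool or its specification languages: an event trace is replayed against a timing property (every request is answered within a deadline) and a dynamic ordering property (the actuator may only fire while the controller is armed), and every violation is reported with the time at which the monitor could first detect it. The log format, event names, deadline and sample trace are constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass

# Added example, not code from MaC or the HASTEN project. The log format
# '<time> <event> [<arg>]' and all event names are constructed.
LOG_LINE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<event>\w+)(?:\s+(?P<arg>\w+))?\s*$")


@dataclass
class Violation:
    time: float
    rule: str      # "deadline" (timing property) or "protocol" (dynamic property)
    detail: str


class Monitor:
    def __init__(self, deadline):
        self.deadline = deadline
        self.pending = {}       # request id -> time it was issued
        self.late = set()       # requests already reported as overdue
        self.armed = False
        self.violations = []

    def _flag(self, t, rule, detail):
        self.violations.append(Violation(t, rule, detail))

    def _expire(self, t):
        """Report every open request whose deadline has passed by time t."""
        for rid, t0 in list(self.pending.items()):
            if t - t0 > self.deadline:
                self._flag(t, "deadline", f"request {rid} unanswered after {self.deadline}")
                del self.pending[rid]
                self.late.add(rid)

    def step(self, t, event, arg=None):
        if event == "response":
            if arg in self.late:
                self.late.discard(arg)      # overdue response, already reported
            elif arg not in self.pending:
                self._flag(t, "protocol", f"response {arg} without a matching request")
            elif t - self.pending.pop(arg) > self.deadline:
                self._flag(t, "deadline", f"response {arg} arrived after the deadline")
        self._expire(t)
        if event == "request":
            self.pending[arg] = t
        elif event == "arm":
            self.armed = True
        elif event == "disarm":
            self.armed = False
        elif event == "actuate" and not self.armed:
            self._flag(t, "protocol", "actuate while disarmed")

    def finish(self, t_end):
        """End of trace: anything still open past its deadline is a violation."""
        self._expire(t_end)
        return self.violations


def check_trace(lines, deadline, t_end):
    """Replay log lines through the monitor and return the list of violations."""
    mon = Monitor(deadline)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                        # ignore blank or malformed lines
        mon.step(float(m["t"]), m["event"], m["arg"])
    return mon.finish(t_end)


# Constructed trace: request 2 is answered late, the actuator fires after disarm,
# response 4 has no request, and request 5 is still open when the trace ends.
SAMPLE_TRACE = """
0.000 arm
0.010 request 1
0.030 response 1
0.040 request 2
0.120 actuate
0.130 response 2
0.140 disarm
0.150 actuate
0.160 request 3
0.190 response 3
0.200 response 4
0.210 request 5
""".strip().splitlines()

DEADLINE = 0.05   # constructed: responses are due within 50 ms


def sample_violations():
    return check_trace(SAMPLE_TRACE, DEADLINE, t_end=0.300)
```

The overdue request 2 is reported at 0.120, the first event after its deadline, not when its response finally arrives; that is the detection latency an online checker has, since it only observes time through the events it sees.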
Applied Verification by Bob Cook
 Discovered bug in Red Hat Next-generation POSIX Thread Library (NPTL); acknowledged/fixed by Red Hat
 Description of tools and users
o Implemented a POSIX Threads multi-platform library
o Java FSM Explorer for PDAs
o Experiments with code strip verification
o Porting NASA Shuttle Launch Control code to multiple platforms and analyzing it
 Tech transfer activities
o Invited participant, NASA Roadmap Workshop
o FA-24 Instructor, Fort Gordon
o NASA KSC Faculty Fellow, 04/05
o Requested to consult, Battle Lab, Ft. Gordon, in the area of network protocol analysis
HCMDSS (High-Confidence Medical Device Software and Systems) Workshop
 The High Confidence Software and Systems (HCSS) Coordinating Group (CG) of the Federal Networking and Information Technology R&D (NITRD) Subcommittee, Committee on Technology of the National Science and Technology Council, invites you to submit a position paper for a workshop on High Confidence Medical Device Software and Systems (HCMDSS).
 The Federal government recognizes that the rapidly increasing software complexity of medical devices makes the development of high integrity medical device software and systems a crucial issue in public health.
 The purpose of the HCMDSS workshop is to provide an open, working forum for leaders and visionaries concerned with medical devices from industry, research laboratories, academia, and government with the goal of developing a roadmap to overcome crucial medical device software and systems issues and challenges facing the design, manufacture, certification, and use of medical devices.
 June 2 & 3, 2005, Philadelphia, PA (www.cis.upenn.edu/hcmdss/)
Topics of Interest
 Enabling Technologies for Future Medical Devices
o Implantable regulatory devices, networked biosensors, telesurgery, robotic surgery
 Foundations for Integration of Medical Device Systems/Models
o Component-based foundations for accelerated design and verifiable system integration
o System of systems (including models, medical devices, care-givers, patients)
 Medical Practice-driven Models and Requirements
o User-centered design, risk understanding, and use/misuse modeling in medical practice
 High-Confidence Medical Device Software Development & Assurance
o Care-giver requirements solicitation and capture, design and implementation V&V (Verification and Validation)
o Heterogeneity in environment, architecture, platform in medical devices
 Embedded, Real-Time, Networked System Infrastructures for MDSS
o Architecture, platform, middleware, resource management, QoS (Quality of Service), PnP (Plug-and-Play) of MDSS
 Patient Modeling & Simulation
o Large scale, high fidelity organ and patient models for design and testing
 Distributed Control & Sensing of Networked Medical Device Systems
o Robust, verifiable, fault-tolerant control of uncertain, multi-modal systems
 Certification of MDSS
o Quantifiable incremental certification of MDSS, role of design tools
o COTS, non-deterministic and self-adaptive medical device systems
Talks
 Algorithmic software verification, Rajeev Alur
 Schedulability analysis of AADL models, Oleg Sokolsky
 Role-based access control in a mobile environment, Elsa Gunter