Synthesizing verified components for cyber assured systems engineering

  • Special Section Paper
  • Journal: Software and Systems Modeling

Abstract

Safety-critical systems such as avionics need to be engineered to be cyber resilient, meaning that the system is able to detect and recover from attacks or to shut down safely. As there are few development tools for cyber resiliency, designers rely on guidelines and checklists, sometimes missing vulnerabilities until late in the process, where remediation is expensive. Our solution is a model-based approach with cyber-resilience-improving transforms that insert high-assurance components such as filters to block malicious data or monitors to detect and alarm on anomalous behavior. What is novel is our use of model checking and a verified compiler to specify, verify, and synthesize these components. We define code contracts as formal specifications that designers write for high-assurance components, and test contracts as tests that validate their behavior. A model checker proves whether or not the code contracts satisfy the test contracts in an iterative development cycle. The same model checker also proves whether or not a system with the inserted components, assuming they adhere to their code contracts, provides the desired cyber resiliency. We define an algorithm that synthesizes implementations for code contracts in a semantics-preserving way, backed by a verified compiler. The entire workflow is implemented as part of the open-source BriefCASE toolkit. We report on our experience using BriefCASE in a case study on a UAV system that is transformed to be cyber resilient to communication and supply-chain cyber attacks. The case study demonstrates that writing code contracts and then synthesizing correct implementations from them is feasible in real-world systems engineering for cyber resilience.

Notes

  1. This work was funded in part by the Defense Advanced Research Projects Agency (DARPA) CASE program. The views expressed are those of the authors and do not reflect the official policy or position of DARPA or the US Government.

  2. AADL is the acronym for Architecture Analysis and Design Language [53].

  3. AGREE is the acronym for Assume-Guarantee Reasoning Environment.

References

  1. Abrahamsson, O., Ho, S., Kanabar, H., Kumar, R., Myreen, M.O., Norrish, M., Tan, Y.K.: Proof-producing Synthesis of CakeML from Monadic HOL Functions. Springer, Berlin (2020)

  2. AGREE specification example. https://github.com/ericmercer/agree-specification-example

  3. Amundson, I., Cofer, D.: Resolute assurance arguments for cyber assured systems engineering. In: Design Automation for Cyber-Physical Systems and Internet of Things (DESTION 2021) (2021)

  4. An SMT-based infinite-state model checker for safety properties in Lustre. https://github.com/loonwerks/jkind

  5. Backes, J., Cofer, D., Miller, S., Whalen, M.: Requirements analysis of a quad-redundant flight control system. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NASA Formal Methods, pp. 82–96. Springer, Berlin (2015)

  6. Biernacki, D., Colaço, J.-L., Hamon, G., Pouzet, M.: Clock-directed modular code generation for synchronous data-flow languages. SIGPLAN Not. 43(7), 121–130 (2008)

  7. Bourke, T., Brun, L., Dagand, P.-É., Leroy, X., Pouzet, M., Rieg, L.: A formally verified compiler for Lustre. SIGPLAN Not. 52(6), 586–601 (2017)

  8. Collins Aerospace Common Avionics Architecture System. https://www.collinsaerospace.com/what-we-do/Helicopters/Rotary-Wing/Common-Avionics-Architecture-System

  9. CakeML. https://cakeml.org/

  10. Cyber Assured Systems Engineering (CASE) TA6 platform assessment CAmkES applications. https://github.com/loonwerks/case-ta6-platform-assessment-camkes-apps

  11. CASE: Cyber Assured Systems Engineering. http://loonwerks.com/projects/case

  12. Caspi, P., Pilaud, D., Halbwachs, N., Plaice, J.A.: LUSTRE: a declarative language for real-time programming. In: Proceedings of the 14th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL ’87, pp. 178–188. Association for Computing Machinery, New York, NY, USA (1987)

  13. Cofer, D., Amundson, I., Babar, J., Hardin, D., Slind, K., Alexander, P., Hatcliff, J., Klein, G.R., Lewis, C., Mercer, E., Shackleton, J.: Cyberassured systems engineering at scale. IEEE Secur. Priv. 15, 2–14 (2022)

  14. Cofer, D., Gacek, A., Miller, S., Whalen, M., LaValley, B., Sha, L.: Compositional verification of architectural models. In: Goodloe, A.E., Person, S. (eds.) NASA Formal Methods, pp. 126–140. Springer, Berlin, Heidelberg (2012)

  15. Cofer, D., Gacek, A., Miller, S., Whalen, M.W., LaValley, B., Sha, L.: Compositional verification of architectural models. In: Goodloe, A.E., Person, S. (eds.) NASA Formal Methods, pp. 126–140. Springer, Berlin, Heidelberg (2012)

  16. Colaço, J.-L., Pagano, B., Pouzet, M.: A conservative extension of synchronous data-flow with state machines. In: Proceedings of the 5th ACM International Conference on Embedded Software, EMSOFT ’05, pp. 173–18. Association for Computing Machinery, New York (2005)

  17. Colaço, J.-L., Pouzet, M.: Clocks as first class abstract types. In: Alur, R., Lee, I. (eds.) Embedded Software, pp. 134–155. Springer, Berlin, Heidelberg (2003)

  18. Compcert. https://compcert.org

  19. Cyber Assured Systems Engineering (CASE) experimental platform models. https://github.com/loonwerks/case-ta6-experimental-platform-models

  20. Dafny. https://dafny.org

  21. Dimoulas, C., Tobin-Hochstadt, S., Felleisen, M.: Complete monitors for behavioral contracts. In: Seidl, H. (ed.) Programming Languages and Systems, pp. 214–233. Springer, Berlin, Heidelberg (2012)

  22. Findler, R.B., Felleisen, M.: Contracts for higher-order functions. SIGPLAN Not. 37(9), 48–59 (2002)

  23. Formal methods workbench. https://github.com/loonwerks/formal-methods-workbench

  24. Gacek, A., Katis, A., Whalen, M., Backes, J., Cofer, D.: Towards realizability checking of contracts using theories. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NASA Formal Methods, pp. 173–187. Springer, Berlin (2015)

  25. Gérard, L., Guatto, A., Pasteur, C., Pouzet, M.: A modular memory optimization for synchronous data-flow languages: application to arrays in a Lustre compiler. SIGPLAN Not. 47(5), 51–60 (2012)

  26. Gómez-Londoño, A., Pohjola, J.Å., Syeda, H.T., Myreen, M.O., Tan, Y.K.: Do you have space for dessert? A verified space cost semantics for CakeML programs. Proc. ACM Program. Lang. 4(OOPSLA), 204:1–204:29 (2020)

  27. Halbwachs, N., Caspi, P., Raymond, P., Pilaud, D.: The synchronous data flow programming language LUSTRE. Proc. IEEE 79(9), 1305–1320 (1991)

  28. Hardin, D.S., Slind, K.L.: Formal synthesis of filter components for use in security-enhancing architectural transformations. In: Proceedings of the Seventh Workshop on Language-Theoretic Security, 42nd IEEE Symposium and Workshops on Security and Privacy (LangSec 2021) (2021)

  29. Hardin, D.S., Slind, K.L., Pohjola, J.Å., Sproul, M.: Synthesis of verified architectural components for autonomy hosted on a verified microkernel. In: Proceedings of the 53rd Hawaii International Conference on System Sciences, pp. 6365–6374 (2020)

  30. Hatcliff, J., Belt, J., Robby, C.T.: HAMR: an AADL multi-platform code generation toolset. In: Margaria, T., Steffen, B. (eds.) Leveraging Applications of Formal Methods, Verification and Validation, pp. 274–295. Springer, Berlin (2021)

  31. Havelund, K., Roşu, G.: Efficient monitoring of safety properties. Int. J. Softw. Tools Technol. Transf. 6(2), 158–173 (2004)

  32. Kansas State University. Sireum HAMR: High Assurance Modeling and Rapid Engineering for Embedded Systems (2021)

  33. Katis, A., Fedyukovich, G., Gacek, A., Backes, J., Gurfinkel, A., Whalen, M.: Synthesis from assume-guarantee contracts using skolemized proofs of realizability (2017)

  34. Katis, A., Fedyukovich, G., Guo, H., Gacek, A., Backes, J., Gurfinkel, A., Whalen, M.: Validity-guided synthesis of reactive systems from assume-guarantee contracts. In: Beyer, D., Huisman, M. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, pp. 176–193. Springer, Berlin (2018)

  35. Katis, A., Gacek, A., Whalen, M.: Machine-checked proofs for realizability checking algorithms. In: Gurfinkel, A., Seshia, S.A. (eds.) Verified Software: Theories, Tools, and Experiments, pp. 110–123. Springer, Berlin (2016)

  36. Kingston, D.B., Rasmussen, S., Humphrey, L.R.: Automated UAV tasks for search and surveillance. In: 2016 IEEE Conference on Control Applications, CCA 2016, Buenos Aires, Argentina, September 19–22, 2016, pp. 1–8. IEEE (2016)

  37. Klein, G., Andronick, J., Elphinstone, K., Murray, T.C., Sewell, T., Kolanski, R., Heiser, G.: Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. 32(1), 2:1–2:70 (2014)

  38. Klein, G., Andronick, J., Fernandez, M., Kuz, I., Murray, T.C., Heiser, G.: Formally verified software in the real world. Commun. ACM 61(10), 68–77 (2018)

  39. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Matthews, J.N., Anderson, T.E. (eds.) Proceedings of the 22nd ACM Symposium on Operating Systems Principles 2009, SOSP 2009, Big Sky, Montana, USA, October 11–14, 2009, pp. 207–220. ACM (2009)

  40. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Matthews, J.N., Anderson, T.E. (eds.) Proceedings of the 22nd ACM Symposium on Operating Systems Principles 2009, SOSP 2009, Big Sky, Montana, USA, October 11–14, pp. 207–220. ACM (2009)

  41. Laddaga, R., Robertson, P., Shrobe, H.E., Cerys, D., Manghwani, P., Meijer, P.: Deriving cyber-security requirements for cyber physical systems. CoRR (2019). arXiv:1901.01867

  42. Lichtenstein, O., Pnueli, A.: Propositional temporal logics: decidability and completeness. Logic J. IGPL 8(1), 55–85 (2000)

  43. Liskov, B.: Keynote address—data abstraction and hierarchy. SIGPLAN Not. 23(5), 17–34 (1987)

  44. Liu, C., Babar, J., Amundson, I., Hoech, K., Cofer, D., Mercer, E.: Assume-guarantee reasoning with scheduled components. In: Deshmukh, J.V., Havelund, K., Perez, I. (eds.) NASA Formal Methods, pp. 355–372. Springer, Cham (2022)

  45. Murugesan, A., Whalen, M., Rayadurgam, S., Heimdahl, M.: Compositional verification of a medical device system. Ada Lett. 33(3), 51–64 (2013)

  46. Myreen, M.O., Owens, S.: Proof-producing synthesis of ML from higher-order logic. In: International Conference on Functional Programming (ICFP), pp. 115–126. ACM Press (2012)

  47. Nguyễn, P.C., Gilray, T., Tobin-Hochstadt, S., Van Horn, D.: Soft contract verification for higher-order stateful programs. Proc. ACM Program. Lang. 2(POPL), 51:1–51:30 (2017)

  48. Patten, T., Mitchell, D., Call, C.: Cyber attack grammars for risk-cost analysis. In: Proceedings of the 15th International Conference on Cyber Warfare and Security. Norfolk, VA (2020)

  49. Petz, A., Alexander, P.: An infrastructure for faithful execution of remote attestation protocols. In: Proceedings of the 13th NASA Formal Methods Symposium (NFM 2021) (2021)

  50. Pike, L., Wegmann, N., Niller, S., Goodloe, A.: Copilot: Monitoring embedded systems. Innov. Syst. Softw. Eng. 9(4), 235–255 (2013)

  51. Robby, H., Hatcliff, J.: Slang: the Sireum programming language. In: Margaria, T., Steffen, B. (eds.) Leveraging Applications of Formal Methods, Verification and Validation, pp. 253–273. Springer, Berlin (2021)

  52. Saadatmand, M., Leveque, T.: Modeling security aspects in distributed real-time component-based embedded systems. In: 2012 Ninth International Conference on Information Technology—New Generations, pp. 437–444 (2012)

  53. SAE: Architecture Analysis and Design Language (AADL). Technical Report AS-5506, SAE International (2009)

  54. Slind, K.L.: Specifying message formats with contiguity types. In: Proceedings of the Twelfth International Conference on Interactive Theorem Proving (ITP 2021) (2021)

  55. Thiagarajan, H., Hatcliff, J., Robby, H.: Awas: AADL information flow and error propagation analysis framework. In: Innovations in Systems and Software Engineering (ISSE) (2021)

  56. Whalen, M., Gacek, A., Cofer, D., Murugesan, A., Heimdahl, M., Rayadurgam, S.: Your “what’’ is my “how’’: iteration and hierarchy in system design. IEEE Softw. 30(2), 54–60 (2013)

Author information

Corresponding author

Correspondence to Eric Mercer.

Additional information

Communicated by Shiva Nejati and Daniel Varro.

DISTRIBUTION STATEMENT A. Approved for public release.

Cite this article

Mercer, E., Slind, K., Amundson, I. et al. Synthesizing verified components for cyber assured systems engineering. Softw Syst Model 22, 1451–1471 (2023). https://doi.org/10.1007/s10270-023-01096-3
