Isabelle/SACM: Computer-Assisted Assurance Cases with Integrated Formal Methods
Abstract
Assurance cases (ACs) are often required to certify critical systems. The use of integrated formal methods (FMs) in assurance can improve automation, increase confidence, and overcome errant reasoning. However, ACs can rarely be fully formalised, as the use of FMs is contingent on models that are validated by informal processes. Consequently, assurance techniques should support both formal and informal artifacts, with explicated inferential links between them. In this paper, we contribute a formal machine-checked interactive language for the computer-assisted construction of ACs called Isabelle/SACM. The framework guarantees well-formedness, consistency, and traceability of ACs, and allows a tight integration of formal and informal evidence of various provenance. To validate Isabelle/SACM, we present a novel formalisation of the Tokeneer benchmark, verify its security requirements, and form a mechanised AC that combines the resulting formal and informal artifacts.
Notes
Acknowledgements
This work is funded by EPSRC projects CyPhyAssure8, (grant reference EP/S001190/1), and RoboCalc (grant reference EP/M025756/1), and additionally German Science Foundation (DFG) grant 381212925.
References
- 1.Barnes, J., Chapman, R., Johnson, R., Widmaier, J., Cooper, D., Everett, B.: Engineering the Tokeneer enclave protection software. In: Proceedings of IEEE International Symposium on Secure Software Engineering (ISSSE) (2006)Google Scholar
- 2.Bishop, P.G., Bloomfield, R.E.: A methodology for safety case development. In: Redmill, F., Anderson, T. (eds.) Industrial Perspectives of Safety-Critical Systems, pp. 194–204. Springer, London (1998). https://doi.org/10.1007/978-1-4471-1534-2_14CrossRefGoogle Scholar
- 3.Blanchette, J.C., Bulwahn, L., Nipkow, T.: Automatic proof and disproof in Isabelle/HOL. In: Tinelli, C., Sofronie-Stokkermans, V. (eds.) FroCoS 2011. LNCS (LNAI), vol. 6989, pp. 12–27. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24364-6_2CrossRefGoogle Scholar
- 4.Brucker, A.D., Ait-Sadoune, I., Crisafulli, P., Wolff, B.: Using the isabelle ontology framework. In: Rabe, F., Farmer, W.M., Passmore, G.O., Youssef, A. (eds.) CICM 2018. LNCS (LNAI), vol. 11006, pp. 23–38. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96812-4_3CrossRefGoogle Scholar
- 5.Common Criteria Consortium: Common criteria for information technology security evaluation - part 1: introduction and general model. Technical report CCMB-2017-04-001 (2017). https://www.commoncriteriaportal.org
- 6.Cooper, D., et al.: Tokeneer ID station: formal specification. Technical report, Praxis High Integrity Systems, August 2008. https://www.adacore.com/tokeneer
- 7.Cooper, D., et al.: Tokeneer ID station: security properties. Technical report, Praxis High Integrity Systems, August 2008. https://www.adacore.com/tokeneer
- 8.Cruanes, S., Hamon, G., Owre, S., Shankar, N.: Tool integration with the evidential tool bus. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) VMCAI 2013. LNCS, vol. 7737, pp. 275–294. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35873-9_18CrossRefGoogle Scholar
- 9.Denney, E., Pai, G.: Tool support for assurance case development. Autom. Softw. Eng. 25, 435–499 (2018)CrossRefGoogle Scholar
- 10.Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)MathSciNetCrossRefGoogle Scholar
- 11.Diskin, Z., Maibaum, T., Wassyng, A., Wynn-Williams, S., Lawford, M.: Assurance via model transformations and their hierarchical refinement. In: MODELS. IEEE (2018)Google Scholar
- 12.Foster, S., Baxter, J., Cavalcanti, A., Miyazawa, A., Woodcock, J.: Automating verification of state machines with reactive designs and Isabelle/UTP. In: Bae, K., Ölveczky, P.C. (eds.) FACS 2018. LNCS, vol. 11222, pp. 137–155. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-02146-7_7CrossRefGoogle Scholar
- 13.Foster, S., Cavalcanti, A., Canham, S., Woodcock, J., Zeyda, F.: Unifying theories of reactive design contracts. Theoretical Computer Science, September 2019Google Scholar
- 14.Foster, S., Cavalcanti, A., Woodcock, J., Zeyda, F.: Unifying theories of time with generalised reactive processes. Inf. Process. Lett. 135, 47–52 (2018)MathSciNetCrossRefGoogle Scholar
- 15.Foster, S., Thiele, B., Cavalcanti, A., Woodcock, J.: Towards a UTP semantics for modelica. In: Bowen, J.P., Zhu, H. (eds.) UTP 2016. LNCS, vol. 10134, pp. 44–64. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52228-9_3CrossRefGoogle Scholar
- 16.Foster, S., Zeyda, F., Nemouchi, Y., Ribeiro, P., Wolff, B.: Isabelle/UTP: mechanised theory engineering for unifying theories of programming. Archive of Formal Proofs (2019). https://www.isa-afp.org/entries/UTP.html
- 17.Foster, S., Zeyda, F., Woodcock, J.: Unifying heterogeneous state-spaces with lenses. In: Sampaio, A., Wang, F. (eds.) ICTAC 2016. LNCS, vol. 9965, pp. 295–314. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46750-4_17CrossRefGoogle Scholar
- 18.Gleirscher, M., Foster, S., Nemouchi, Y.: Evolution of formal model-based assurance cases for autonomous robots. In: Ölveczky, P.C., Salaün, G. (eds.) SEFM 2019. LNCS, vol. 11724, pp. 87–104. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30446-1_5CrossRefGoogle Scholar
- 19.Gleirscher, M., Foster, S., Woodcock, J.: New opportunities for integrated formal methods. ACM Comput. Surv. (2019, in Press). Preprint: https://arxiv.org/abs/1812.10103
- 20.Greenwell, W., Knight, J., Holloway, C.M., Pease, J.: A taxonomy of fallacies in system safety arguments. In: Proceedings of the 24th International System Safety Conference, July 2006Google Scholar
- 21.Habli, I., Kelly, T.: Balancing the formal and informal in safety case arguments. In: VeriSure Workshop, colocated with CAV, July 2014Google Scholar
- 22.Hoare, C.A.R., He, J.: Unifying Theories of Programming. Prentice-Hall, Upper Saddle River (1998)zbMATHGoogle Scholar
- 23.Jackson, D.: Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. 11(2), 256–290 (2000)CrossRefGoogle Scholar
- 24.Kelly, T.: Arguing safety - a systematic approach to safety case management. Ph.D. thesis, University of York (1998)Google Scholar
- 25.Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL – A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45949-9CrossRefzbMATHGoogle Scholar
- 26.Paige, R.F.: A meta-method for formal method integration. In: Fitzgerald, J., Jones, C.B., Lucas, P. (eds.) FME 1997. LNCS, vol. 1313, pp. 473–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-63533-5_25CrossRefGoogle Scholar
- 27.Rivera, V., Bhattacharya, S., Cataño, N.: Undertaking the tokeneer challenge in event-B. In: FormaliSE 2016. ACM Press (2016)Google Scholar
- 28.Rushby, J.: Logic and epistemology in safety cases. In: Bitsch, F., Guiochet, J., Kaâniche, M. (eds.) SAFECOMP 2013. LNCS, vol. 8153, pp. 1–7. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40793-2_1CrossRefGoogle Scholar
- 29.Rushby, J.: Mechanized support for assurance case argumentation. In: Nakano, Y., Satoh, K., Bekki, D. (eds.) JSAI-isAI 2013. LNCS (LNAI), vol. 8417, pp. 304–318. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10061-6_20CrossRefGoogle Scholar
- 30.Wei, R., Kelly, T., Dai, X., Zhao, S., Hawkins, R.: Model based system assurance using the structured assurance case metamodel. Syst. Softw. 154, 211–233 (2019)CrossRefGoogle Scholar
- 31.Wenzel, M., Wolff, B.: Building formal method tools in the Isabelle/Isar framework. In: Schneider, K., Brandt, J. (eds.) TPHOLs 2007. LNCS, vol. 4732, pp. 352–367. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74591-4_26CrossRefzbMATHGoogle Scholar
- 32.Wenzel, M.: Isabelle/jEdit as IDE for domain-specific formal languages and informal text documents. In: Proceedings of the 4th Workshop on Formal Integrated Development Environment (F-IDE), pp. 71–84 (2018). https://doi.org/10.4204/EPTCS.284.6CrossRefGoogle Scholar
- 33.Woodcock, J.: First steps in the verified software grand challenge. IEEE Comput. 39(10), 57–64 (2006)CrossRefGoogle Scholar
- 34.Woodcock, J., Aydal, E.G., Chapman, R.: The tokeneer experiments. In: Roscoe, A.W., Jones, C.B., Wood, K.R. (eds.) Reflections on the Work of C.A.R. Hoare, pp. 405–430. Springer, London (2010). https://doi.org/10.1007/978-1-84882-912-1_17CrossRefzbMATHGoogle Scholar