Past Time LTL Runtime Verification for Microcontroller Binary Code

  • Thomas Reinbacher
  • Jörg Brauer
  • Martin Horauer
  • Andreas Steininger
  • Stefan Kowalewski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6959)


This paper presents a method for runtime verification of microcontroller binary code based on past time linear temporal logic (ptLTL). We show how to implement a framework that, owing to a dedicated hardware unit, does not require code instrumentation, thus, allowing the program under scrutiny to remain unchanged. Furthermore, we demonstrate techniques for synthesizing the hardware and software units required to monitor the validity of ptLTL specifications.


Binary Code Memory Location Atomic Proposition Execution Trace Function Block 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Austin, T.M.: DIVA: A reliable substrate for deep submicron microarchitecture design. In: MICRO, pp. 196–207. IEEE, Los Alamitos (1999)Google Scholar
  2. 2.
    Balakrishnan, G., Reps, T., Melski, D., Teitelbaum, T.: WYSINWYX: What you see is not what you execute. In: VSTTE, Toronto, Canada (2005)Google Scholar
  3. 3.
    Bardin, S., Herrmann, P., Védrine, F.: Refinement-based CFG reconstruction from unstructured programs. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 54–69. Springer, Heidelberg (2011) (to appear)CrossRefGoogle Scholar
  4. 4.
    Brauer, J., King, A.: Transfer function synthesis without quantifier elimination. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 97–115. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Brörkens, M., Möller, M.: Dynamic event generation for runtime checking using the JDI. Electronic Notes in Theoretical Computer Science 70(4), 21–35 (2002)CrossRefGoogle Scholar
  6. 6.
    Chen, F., Roşu, G.: MOP: An efficient and generic runtime verification framework. In: OOPSLA, pp. 569–588. ACM, New York (2007)Google Scholar
  7. 7.
    Colin, S., Mariani, L.: Run-Time Verification. In: Broy, M., Jonsson, B., Katoen, J.-P., Leucker, M., Pretschner, A. (eds.) Model-Based Testing of Reactive Systems. LNCS, vol. 3472, pp. 525–555. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Drusinsky, D.: The temporal rover and the ATG rover. In: Havelund, K., Penix, J., Visser, W. (eds.) SPIN 2000. LNCS, vol. 1885, pp. 323–330. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Eide, E., Regehr, J.: Volatiles are miscompiled, and what to do about it. In: EMSOFT, pp. 255–264. ACM, New York (2008)CrossRefGoogle Scholar
  10. 10.
    Emerson, E.A.: Temporal and modal logic. In: Handbook of Theoretical Computer Science, vol. B, pp. 995–1072. MIT Press, Cambridge (1990)Google Scholar
  11. 11.
    Finkbeiner, B., Sipma, H.: Checking finite traces using alternating automata. Form. Methods Syst. Des. 24, 101–127 (2004)CrossRefzbMATHGoogle Scholar
  12. 12.
    Flexeder, A., Mihaila, B., Petter, M., Seidl, H.: Interprocedural control flow reconstruction. In: Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 188–203. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Havelund, K., Roşu, G.: An overview of the runtime verification tool Java PathExplorer. Form. Methods Syst. Des. 24(2), 189–215 (2004)CrossRefzbMATHGoogle Scholar
  14. 14.
    Havelund, K.: Runtime verification of C programs. In: Suzuki, K., Higashino, T., Ulrich, A., Hasegawa, T. (eds.) TestCom/FATES 2008. LNCS, vol. 5047, pp. 7–22. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Havelund, K., Roşu, G.: Synthesizing monitors for safety properties. In: Katoen, J.-P., Stevens, P. (eds.) TACAS 2002. LNCS, vol. 2280, pp. 342–356. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Howe, J.M., King, A.: Logahedra: A new weakly relational domain. In: Liu, Z., Ravn, A.P. (eds.) ATVA 2009. LNCS, vol. 5799, pp. 306–320. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Kinder, J., Zuleger, F., Veith, H.: An abstract interpretation-based framework for control flow reconstruction from binaries. In: Jones, N.D., Müller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 214–228. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Kroening, D., Strichman, O.: Decision Procedures: An Algorithmic Point of View. Springer, Heidelberg (2008)zbMATHGoogle Scholar
  19. 19.
    Laroussinie, F., Markey, N., Schnoebelen, P.: Temporal logic with forgettable past. In: LICS, pp. 383–392. IEEE, Los Alamitos (2002)Google Scholar
  20. 20.
    Lee, I., Kannan, S., Kim, M., Sokolsky, O., Viswanathan, M.: Runtime assurance based on formal specifications. In: PDPTA, pp. 279–287 (1999)Google Scholar
  21. 21.
    Leroy, X.: Formal certification of a compiler back-end or: programming a compiler with a proof assistant. In: POPL, pp. 42–54. ACM, New York (2006)Google Scholar
  22. 22.
    Leroy, X.: A formally verified compiler back-end. J. Autom. Reason 43, 363–446 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Lichtenstein, O., Pnueli, A., Zuck, L.: The glory of the past. In: Parikh, R. (ed.) Logic of Programs 1985. LNCS, vol. 193, pp. 196–218. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  24. 24.
    Lindig, C.: Random testing of C calling conventions. In: AADEBUG, pp. 3–12. ACM, New York (2005)CrossRefGoogle Scholar
  25. 25.
    Lu, H., Forin, A.: The design and implementation of P2V, an architecture for zero-overhead online verification of software programs. Tech. Rep. MSR-TR-2007-99, Microsoft Research (2007)Google Scholar
  26. 26.
    Parr, T.J., Quong, R.W.: ANTLR: a predicated-ll(k) parser generator. Softw. Pract. Exper. 25, 789–810 (1995)CrossRefGoogle Scholar
  27. 27.
    Pellizzoni, R., Meredith, P., Caccamo, M., Rosu, G.: Hardware runtime monitoring for dependable COTS-based real-time embedded systems. In: Real-Time Systems Symposium, pp. 481–491 (2008)Google Scholar
  28. 28.
    PLCopen: Safety software, technical specification, Part 1: Concepts and function blocks. online (2006)Google Scholar
  29. 29.
    Pnueli, A., Siegel, M.D., Singerman, E.: Translation validation. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 151–166. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  30. 30.
    Reinbacher, T., Brauer, J., Horauer, M., Steininger, A., Kowalewski, S.: Test-case generation for embedded binary code using abstract interpretation. In: MEMICS, pp. 151–158 (2010)Google Scholar
  31. 31.
    Reinbacher, T., Horauer, M., Schlich, B., Brauer, J., Scheuer, F.: Model checking assembly code of an industrial knitting machine. In: EM-Com, pp. 97–104. IEEE, Los Alamitos (2009)Google Scholar
  32. 32.
    Roşu, G., Havelund, K.: Rewriting-based techniques for runtime verification. Automated Software Eng. 12(2), 151–197 (2005)CrossRefGoogle Scholar
  33. 33.
    Tsai, J.J.P., Fang, K.Y., Chen, H.Y., Bi, Y.: A noninterference monitoring and replay mechanism for real-time software testing and debugging. IEEE Trans. Softw. Eng. 16, 897–916 (1990)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Thomas Reinbacher
    • 1
  • Jörg Brauer
    • 2
  • Martin Horauer
    • 3
  • Andreas Steininger
    • 1
  • Stefan Kowalewski
    • 2
  1. 1.Embedded Computing Systems GroupVienna University of TechnologyAustria
  2. 2.Embedded Software LaboratoryRWTH Aachen UniversityGermany
  3. 3.Department of Embedded SystemsUAS Technikum WienAustria

Personalised recommendations