Abstract
Verified software secures the Unmanned Little Bird autonomous helicopter against mid-flight cyber attacks.
Supplemental material: Appendix to "Formally verified software in the real world" (available for download).