1 / 19

Leveraging Static Analysis in Industrial Contexts

Leveraging Static Analysis in Industrial Contexts. The semantics of Software Verification. 26262. DO-178B/C for aerospace safety EN 50128 for rail safety ISO 26262 for road vehicles CENELEC 61508 Common Criteria EAL7 for security. Applying Software Verification.

danyl
Download Presentation

Leveraging Static Analysis in Industrial Contexts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. LeveragingStaticAnalysis in IndustrialContexts

  2. The semantics of Software Verification 26262 DO-178B/C for aerospace safety EN 50128 for rail safety ISO 26262 for road vehicles CENELEC 61508 Common Criteria EAL7 for security

  3. Applying Software Verification Simple “press button” rule enforcement Partial runtime error or security flaw detection Complete validation against a given specification

  4. A source code analysis Platform Extensible via plug-ins Collaborative Designed at CEA & Inria Semantic analyses ANSI / ISO C 99

  5. The Frama-C Kernel

  6. Lingua Franca: the ACSL Specification language • Contract-based • Functional properties • User-friendly • Analysis-independent

  7. Caller-callee contract • Calleerequires some pre-conditions from the caller • Calleeensures some post-conditions hold when it returns unsigned intM ; /*@ requires \valid (p) && \valid (q); ensures M == (*p + *q) / 2; */ void mean ( unsigned int* p, unsigned int* q ) { if (* p >= * q ) M = (* p - * q ) / 2 + * q ; else M = (* q - * p ) / 2 + * p ; }

  8. Enforcing Coding Standards with Frama-C • Benefits : • Eases code review on syntactic or typing rules. • Validation of semantic rules: • dataflow related rules on variables, • runtime errors requiring a value analysis. ResultAirbus and Atos have designed the Taster plugin on top of Frama-C to enforce coding standards. ConclusionFrama-C yields productivity gains and ensures code quality.

  9. Semantical Analysis Automated process Integral & pointer ranges ACSL verifications Runtime-errors threats Side-effects & dependency analysis Program structure & transformations Confidentiality or integrity leaks

  10. Checking intrinsic faults in SCADA systems > 100+ kloc > C source code > Highest certification requirements > 80% code coverage > 200 alarms Result Researchers have demonstrated the absence of multiple fault families in safety-critical software. In additionderived analyses cover structural properties on memory separation and cyclic behaviors. ConclusionFrama-C enables highly-automated verification runs.

  11. Detection of a security flaw in a COTS compression library • Fixed a condition where QLZ_MEMORY_SAFE could fail detecting corrupted data. Thanks to Pascal Cuoq and Kerstin Hartig who usedFrama-C's value analysis! Result CEA researchers identified a bug in the QuickLZ library. This bug was acknowledged by the designer and corrected in version beta 1.5.1. ConclusionSoftware analysis can be applied to general-purpose COTS, enabling their use in security-critical systems.

  12. Advanced validation of a set of hypervisor properties ResultDesign-time security goals allow to specify and verify custom software properties. Conclusion A rigorous methodology can include the use of Frama-C to address strong software requirements. App Two App One HYPERVISOR 0101001101100101011000110111010101110010011001010100001101101100011011110111010101100100

  13. Runtime monitoring and verification • Result Use program analysis and transformations to synthesize: • security monitors • fault injectors • Conclusion Runtime code can be added to harden legacy software through hardware-enabled runtime verification.

  14. Formal Methods – Models • Formal algorithmic conformance proof % Conflict during interval [B,T] conflict_2D?(s,v) : bool= EXISTS (t: Lookahead): sqv(s+t*v) <sq(D) % 2-D Conflict Detection (cd2d) cd2d?(s,v) : bool = horizontal_los?(s+B*v) ORomega_vv(s)(v) < 0 % THEOREM: cd2d is correct and complete cd2d : THEOREM conflict_2D?(s,v) IFF cd2d?(s,v)

  15. More on frama-c.com

  16. Methods and tools for HCS&S Guided by industrialrequirements Scaling & Performance • Scientificroots and community • Prototyping and development of industrial-strengthtools • for academia • for the industry • Objectives • Raise the level of confidence in software • Lower the costs of verification • Enable the evaluation of academic prototypes on industrialproblems Technologicalstrategy: creation of collaborative platforms Scientificstrategy: combinationof approaches Applicative strategy: cross-domainfertilization – aero, space, rail, energy, banking, defense

  17. Frama-C for software safety and security www.trust-in-soft.com Software developers Industrial support Commercial licenses Preinstalled workstations Software integrators Off-the-shelf validation kits for common open-source packages Service providers Dedicated affiliate programs

  18. Laboratoirepour la Sûreté des Logiciels Départementd’Ingénierie des Logiciels et Systèmes CEA LIST Florent Kirchnerflorent.kirchne@cea.fr

More Related