# Past Time LTL Runtime Verification for Microcontroller Binary Code

Thomas Reinbacher<sup>1</sup>, Jörg Brauer<sup>2</sup>, Martin Horauer<sup>3</sup>, Andreas Steininger<sup>1</sup>, and Stefan Kowalewski<sup>2</sup>

<sup>1</sup> Institute of Computer Engineering Vienna University of Technology, Austria

<sup>2</sup> Embedded Software Laboratory RWTH Aachen University, Germany

<sup>3</sup> Department of Embedded Systems University of Applied Sciences Technikum Wien, Austria



Introduction

Motivation

#### Approach

Requirements Evaluation

Example

Specification Code







# Outline



#### Introduction

Motivation

#### Approach

Requirements

Evaluation

#### Example

Specification Code

- 1 Requirements for Practical Applicability
- 2 Past Time LTL
- 3 Non-Intrusive Monitoring
  - 1 Online: Observer synthesized from VHDL
  - 2 Offline: Java application on host computer
- 4 Example

# Setting the Scene

# **Binary Code Verification**

- 1 Embedded software mostly not in plain ANSI C
  - side effects, embedded assembler, direct hardware register access



#### Introduction

Motivation

#### Approach

Requirements Evaluation

#### Example

Specification Code

Conclusion

- Who verified your compiler?
  - GCC 4.3.5 has 8M loc (2.5M C, 1.5M C++, 1.5M Java, 60k Assembler, ...)
  - Good SW has about 1 error in 250 loc  $\rightarrow \frac{8M}{250} = 33k$  flaws
  - Proving correctness of the compiler is typically infeasible
  - Even translation validation is hard (and not really widespread in industry)

3 Binary code is as close as possible to the actual execution

# Setting the Scene II

# Runtime Verification (RV)

RV is less ambitious than pure formal SW verification. Aim is to prove conformance of a single execution w.r.t. a specification.

Testing is based on a check and guess paradigm.

- Guess a configuration of the program's input
- Check the result of an individual test run

RV bridges the gap between rigorous software verification and dynamic testing.

Intuition:

- Use formal methods to derive a set of test-cases (guess)
- Execute the test cases, use RV to check validity of test-case (check)



Introduction

Motivation

Approach

Requirements Evaluation

Example

Specification Code

## **CevTes Approach**

- 1 use AI to derive an over-approximation of the reachable states
- 2 find program locations where the specification is violated
- 3 backward analysis derives counterexamples (test-cases)
- interface a hardware unit attached to the SUT to replay a CE and automatically identify spurious warnings





#### Introduction

Motivation

#### Approach

Requirements Evaluation

#### Example

Specification Code

# Requirements to RV of Microcontroller Code



 $\rightsquigarrow$  not bound to a certain high-level language

No Code instrumentation ~ extract event sequences without code instrumentation

4 Automated Observer Synthesis

 $\rightsquigarrow$  push button solution

6 Usability

 $\rightsquigarrow$  applicable to industrial SW development process



Introduction

Motivation

Approach Requirements Evaluation

Example Specification

Code

## **Runtime Verification**

Past time LTL (ptLTL) [Emerson; Handbook of Theoretical CS'90]

### Monitoring operators

Ų

$$\psi ::= \uparrow \psi \mid \downarrow \psi \mid [\psi, \psi)_{s} \mid [\psi, \psi)_{w}$$
 Conclusi

ptLTL

### Approach



- Synthesize HW+SW monitors for ptLTL [Havelund&Rosu; TACAS'02]
- 2 Evaluate Atomic Propositions AP of  $\psi$  with our invariant checker



#### Introduction

Motivation

Approach

Requirements

Evaluation

Example

Specification

Code

ion

### ptLTL Specifications

### **Atomic Propositions**

Properties  $\varphi$  are a form of two-variable-per-inequality constraints:

$$\alpha \cdot m_1 + \beta \cdot m_2 \bowtie C$$

where:

- $\alpha, \beta \in \{0, \pm 2^n \mid n \in \mathbb{N}\}$
- $\bullet \quad \bowtie \in \{<,>,\leq,\geq,=,\neq\}$

 $m_1, m_2$  are locations within RAM  $C \in \mathbb{Z}$  is a constant







Introduction

Motivation

Approach

Requirements

Evaluation

Example

Specification Code

### **Evaluate Atomic Propositions**

• ripple carry adder: **Add**( $\langle a \rangle, \langle b \rangle, c$ )

relational operators are similar

• subtraction of  $\langle a \rangle - \langle b \rangle$  is equivalent to  $\mathbf{Add}(\langle a \rangle, \langle \overline{b} \rangle, 1)$ 

## **Invariant Checker**



#### Introduction

Motivation

#### Approach

Requirements

Evaluation

Example

Specification Code



# System Overview

- 1 SUT is a COTS microcontroller IP core
- 2 Invariant checker is attached to the SUT on an FPGA





Introduction

# Offline vs. Online Monitoring

Online mode:

- synthesize VHDL code for ptLTL evaluation
- evaluate specification in parallel to execution

Offline mode:

- send event updates to host computer
- store microcontroller states to evaluate (arbitrary) APs
- evaluate specification on the execution trace (delayed)



Introduction

Motivation

Approach

Requirements

Evaluation

Example

Specification Code

### **Runtime Verification**

# **Emergency Stop (IEC 61131-3)**





Introduction

Motivation

#### Approach

Requirements Evaluation

- . . I

#### Example

Specification Code

Code

Conclusion

ptLTL properties:

$$\begin{array}{lll} \psi^1 & := & \uparrow (\Theta_6) \rightarrow \left[ \uparrow (\Theta_2 \vee \Theta_4 \vee \Theta_7 \vee \Theta_8), \ \uparrow (\Theta_1 \vee \Theta_3 \vee \Theta_5 \vee \Theta_9) \right)_{\mathcal{S}} \\ \psi^2 & := & \uparrow (\Theta_5) \rightarrow \downarrow (\Theta_4) \\ \psi^3 & := & \uparrow (\Theta_9) \rightarrow \downarrow (\Theta_8) \end{array}$$

e.g.,  $\Theta_8 \triangleq (\mathsf{currState} == \mathtt{ST}_{WAIT}_{FOR}_{RESET2})$ 

### Example

# Emergency Stop (IEC 61131-3)



```
Introduction
1 case ST WAIT FOR ESTOPIn2:
                                                 case ST WAIT FOR ESTOPIn2:
                                                                                            Motivation
    Ready = true;
                                                   Ready = true:
2
    S EStopOut = false;
                                                   S EStopOut = false;
3
                                                                                           Approach
    Error = false:
                                                   Error = false:
4
                                                                                            Requirements
    DiagCode = 0 \times 8004:
                                                   DiagCode = 0 \times 8004:
                                                                                            Evaluation
5
    if (! Activate)
                                                   if (! Activate)
6
                                                                                           Example
    currState = ST IDLE:
                                                     currState = ST IDLE:
7
                                                                                            Specification
    if (S_EStopIn && !S_AutoReset)
                                                   if (S_EStopIn && !S_AutoReset)
8
                                                                                            Code
      currState = ST_WAIT_FOR_RST2;
                                                      currState = ST WAIT FOR RST2;
9
                                                                                           Conclusion
    if (S_EStopIn && S_AutoReset)
                                                   if (S_EStopIn && S_AutoReset)
10
     currState = ST SAFETY OUTP EN;
                                                     currState = ST RST ERR2;
11
12 break:
                                                 break:
```

- The ptLTL observer will check the validity of  $\psi^1$
- The invariant monitor will trace the state changes of the variable currState

The transition ST\_WAIT\_FOR\_ESTOPIn2  $\rightarrow$  ST\_RST\_ERR2 is illegal and causes  $\psi^1$  to evaluate to false.

### **Conclusion & Future Work**



#### Introduction

Motivation

#### Approach

Requirements Evaluation

Example

Specification Code

- Non-intrusive monitoring framework for ptLTL
  - Atomic propositions evaluated in hardware
  - Code for ptLTL monitor synthesized in Java or VHDL
- Monitoring an IP-core running on FPGA
  - Handles unmodified embedded programs
  - on off-the-shelf IP core
- More recent work
  - Reprogrammable  $\mu$ CPU for checking properties (see RV'11)
  - CFG recovery a priori instead of on-the-fly (see EMSOFT'11)
  - ptLTL verification for PLCs (with S. Biallas)
- Orthogonal but related future work: automatic test-case / trace generation