Formal verification of SAM state machine implementation

To read the full-text of this research, you can request a copy directly from the authors.


This paper reports the results of an experiment about the formal verification of source code made according to an EMF model. Models define the semantics of a system whereas the source code defines its implementation. We applied this solution to a model of Automaton in SAM language and its C language implementation. The technical environment is close to an industrial operational context and all the tools are available. The experimentation has succeeded and has to be consolidated with bigger cases before an introduction in the operational development process. More generally, this solution must be extended to other model languages.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... Notre approche se focalise sur la génération automatique des propriétés à vérifier sur le code à partir du modèle de conception afin d'obtenir une étape de vérification formelle entièrement automatisée d'un point de vue de l'utilisateur. Ce principe a déjà fait l'objet d'une expérience préalable par Atos à partir d'un langage dédié d'automate défini par Airbus [41]. Notre approche s'inscrit dans la philosophie de ces travaux mais intervient dans un contexte technique différent puisque nous allons travailler avec le langage de modélisation UML et plus précisément avec les machines à états UML qui sont particulièrement adaptées à la représentation comportementale de logiciel. ...
... D'autres ont exploré la génération automatique d'annotations à partir d'un modèle afin d'aboutir à une vérification formelle de la conformité d'un code source par rapport à sa conception. [41] propose un moyen d'annoter automatiquement un code C selon une spécification composée d'automates SAM 35 , en vue de sa vérification comportementale. SAM est un langage dédié pour la représentation comportementale de composants avioniques. ...
... Cependant, les contrats de fonction sont partiels, ils ne vérifient qu'une partie de la complétude de l'implémentation des transitions. 41. ...
During software development, and more specifically embedded avionics applications development, verification is very expensive. A promising lead to reduce its costs is the use of formal methods. Formal methods are mathematical techniques which allow performing rigorous and high-valued verification tasks during software development. They are already applied in industry. However, the high level of expertise required for their use is a major obstacle for their massive use. In addition to the verification costs issue, today software and their development are subject to an increase in complexity. Model Driven Engineering (MDE) allows dealing with these difficulties by offering models, and tasks to capitalize on these models all along the development lifecycle. The goal of this PhD thesis is to establish a link between formal methods and MDE in order to propose to non-expert users a formal and automatic software verification approach which helps to improve software verification processes. We propose to automatically generate annotations, corresponding to the expected behavioural properties of the software, from the design model to the source code. Then, these annotations can be verified using deductive proof tools in order to ensure that the behaviour of the code conforms to the design model. This PhD thesis takes place in the industrial context of Atos. So, it is necessary to take into account its technical specificities. We use UML for the design modeling, the C language for the software implementation and the Frama-C tool for the proof of this implementation. We also take into account the constraints of the avionics field in which Atos intervenes, and specifically the certification constraints. The contributions of this PhD thesis are the definition of a subset of UML state machine dedicated to the behavioural design of embedded avionics software and in line with current industrial practices, the definition of a C implementation pattern, the definition of generation patterns for the behavioural properties from the design model to the source code and the implementation of the whole approach in a prototype in accordance with the working environment of the potential users associated with Atos. The proposed approach is then assessed with respect to the starting goal of the thesis, to the expectation of the software engineering community and to related work.
... In this step, our main goal is to ensure that source code conforms to the specification. In the same vein as [5], we want to derive ACSL annotations from the design model (here in SysML) to the code and check them with static analysis. ...
Conference Paper
Full-text available
In a software development cycle, it is often more than half of the development time that is dedicated to verification activities. Formal methods offer new possibilities for verification. In the specification phase, simulation or model-checking allow users to detect errors in models. In the implementation phase, analysis techniques, like static analysis, make the verification tasks more exhaustive and more automatic. In that context, we propose to take advantage of these methods to improve embedded software development processes based on the V-model.
Conference Paper
To reduce the verification costs and to be more confident on software, static program analysis offers ways to prove properties on source code. Unfortunately, these techniques are difficult to apprehend and to use for non-specialists. Modelling allows users to specify some aspects of software in an easy way. More precisely, in embedded software, state machine models are frequently used for behavioural design. The aim of this paper is to bridge the gap between model and code by offering automatic generation of annotations from model to source code. These annotations are then verified by static analysis in order to ensure that the code behaviour conforms to the model-based design. The models we consider are UML state machines with a formal non-ambiguous semantics, the annotation generation and verification is implemented in a tool and applied to a case study.
With the increasing importance of software in the aerospace field, as evidenced by its growing size and complexity, a rigorous and reliable software verification and validation process must be applied to ensure conformance with the strict requirements of this software. Although important, traditional validation activities such as testing and simulation can only provide a partial verification of behavior in critical real-time software systems, and thus, formal verification is an alternative to complement these activities. Two useful formal software verification approaches are deductive verification and abstract interpretation, which analyze programs statically to identify defects. This paper explores abstract interpretation and deductive verification by employing Frama-C’s value analysis and Jessie plug-ins to verify embedded aerospace control software. The results indicate that both approaches can be employed in a software verification process to make software more reliable.
Cryptosystems are highly sensitive to physical attacks, which lead security developers to design more and more complex countermeasures. Nonetheless, no proof of flaw absence has been given for any implementation of these countermeasures. This paper aims to formally verify an implementation of one published countermeasure against fault injection attacks. More precisely, the formal verification concerns Vigilant’s CRT-RSA countermeasure which is designed to sufficiently protect CRT-RSA implementations against fault attacks. The goal is to formally verify whether any possible fault injection threatening the pseudo-code is detected by the countermeasure according to a predefined attack model.
Conference Paper
Full-text available
Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as: arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in various software verification and analysis applications.
Full-text available
This paper provides a detailed description of the automatic theorem prover Simplify, which is the proof engine of the Extended Static Checkers ESC/Java and ESC/Modula-3. Simplify uses the Nelson-Oppen method to combine decision procedures for several important theories, and also employs a matcher to reason about quantifiers. Instead of conventional matching in a term DAG, Simplify matches up to equivalence in an E-graph, which detects many relevant pattern instances that would be missed by the conventional approach. The paper describes two techniques, labels and counterexample contexts, for helping the user to determine the reason that a false conjecture is false. The paper includes detailed performance figures on conjectures derived from realistic program-checking problems
Conference Paper
This paper reports an industrial experiment of formal proof techniques applied to avionics software. This application became possible by using Caveat, a tool dedicated to assistance in comprehension and formal verification of safety critical applications written in C. With this approach it is possible to reduce significantly the actual verification effort (based on test) in achieving the verification objectives defined by the DO 178B [4].
Conference Paper
We present the Why/Krakatoa/Caduceus set of tools for deductive verification of Java and C source code.
Présentation du langage SAM d'Airbus
  • D Thivolle
  • H Garavel
  • X Clerc
D. Thivolle, H. Garavel, X. Clerc. : "Présentation du langage SAM d'Airbus", Technical report, INRIA/VASY, 2008.
Caveat: a Formal Proof Tool to Validate Software
  • C Antoine
  • A Trotin
  • P Baudin
  • J M Collard
  • J Raguideau
C. Antoine, A. Trotin, P. Baudin, J.M. Collard, J. Raguideau: "Caveat: a Formal Proof Tool to Validate Software", IAEA Conference, IAEA'94, Helsinki, May 1994.
Specification and Proof of C Programs using ACSL and Frama-C
  • V Prevosto
V. Prevosto: "Specification and Proof of C Programs using ACSL and Frama-C", CEA LIST, Avignon, France.
Formal verification workbench for airbus avionics software
  • Stéphane Duprat
  • Jean Souyris
  • Denis Favre-Felix
Stéphane Duprat, Jean Souyris, Denis Favre-Felix: "Formal verification workbench for airbus avionics software". ERTS, Toulouse, 2006.
CC(X): Efficiently Combining Equality and Solvable Theories without Canonizers
  • Evelyne Sylvain Conchon
  • Johannes Contejean
  • Kanig
Sylvain Conchon, Evelyne Contejean, and Johannes Kanig. "CC(X): Efficiently Combining Equality and Solvable Theories without Canonizers". In 5th International Workshop on Satisfiability Modulo, Berlin, Germany, July 2007.
Proving Temporal Properties at Code Level for Basic Operators of Control / Command Program
  • Patrick Baudin
  • David Delmas
  • Stéphane Duprat
  • Benjamin Monate
Patrick Baudin, David Delmas, Stéphane Duprat, Benjamin Monate: "Proving Temporal Properties at Code Level for Basic Operators of Control / Command Program". ERTS, (Toulouse, France), 2008.
Caveat: a Formal Proof Tool to Validate Software Specification and Proof of C Programs using ACSL and Frama-C
  • A Antoine
  • P Trotin
  • J M Baudin
  • J Collard
  • Raguideau
References [1] C. Antoine, A. Trotin, P. Baudin, J.M. Collard, J. Raguideau: " Caveat: a Formal Proof Tool to Validate Software ", IAEA Conference, IAEA'94, Helsinki, May 1994. [2] V. Prevosto: " Specification and Proof of C Programs using ACSL and Frama-C ", CEA LIST, Avignon, France. [3]
  • Claude Marché
  • Yannick Moy
Claude Marché, Yannick Moy: Jessie Plugin Tutorial, February 2010.