Sebastian Biallas’s research while affiliated with RWTH Aachen University and other places

When a model checker detects a violation of an all-quantified specification, it generates a counterexample trace that explains how to reach a violating state. In the context of PLCs, the counterexample contains the required stimuli for the program to cause erroneous behavior. Although these counterexamples are tremendously helpful to assess the violation, the actual cause of the erroneous behavior, i. e., the faulty line in the program, can be hidden anywhere in the counterexample trace. Finding the cause manually still takes great effort if the counterexample is long. In this paper, we present a technique to automatically find possible causes of such a violation of PLC programs running in cyclic scanning mode.

Critical infrastructure such as chemical plants, manufacturing facilities or tidal barrages are usually operated using specialized control devices. These devices are programmed using domain-specific programming languages for which static code analysis techniques are not widely used yet. This paper compares a sophisticated academic tool to a lightweight compliance check approach regarding the detection of programming errors that only occur after program restart. As this is a common problem in industrial control code, the paper proposes a way to improve the accuracy of analyses for this class of errors.

Static code analysis techniques are a well-established tool to improve the efficiency of software developers and for checking the correctness of safety-critical software components. However, their use is often limited to general purpose or 'mainstream' programming languages. For these languages, static code analysis has found its way into many integrated development environments and is available to a large number of software developers. In other domains, e. g., for the programming languages used to develop many industrial control applications, tools supporting sophisticated static code analysis techniques are rarely used. This paper reports on the experience of the authors while adapting static code analysis to a software development environment for engineering the control software of industrial process automation systems. The applicability of static code analysis for industrial controller code is demonstrated by a case study using a real-world control system.

This paper presents an efficient static analysis for programmable logic controller code. For each program line (or each function block call), the analysis calculates an over-approximation of the possible values each variable can assume during all possible executions. This information can then be used to automatically check for certain critical program conditions such as division-by-zero and array-out-of-bounds. To make this approach applicable to large programs comprising many variables, we present a technique that only stores the values of a subset of the variables based on their context and liveness. We show how to detect typical problems in real PLC code.

In this paper, we present a predicate abstraction for programs for programmable logic controllers (PLCs) so as to allow for model checking safety related properties. Our contribution is twofold: First, we give a formalization of PLC programs in first order logic, which is then used to automatically derive a predicate abstraction using SMT solving. Second, we employ an abstraction called predicate scoping which reduces the evaluation of predicates to certain program locations and thus can be used to exploit the cyclic scanning mode of PLC programs. We show the effectiveness of this approach in a small case study using programs from industry and academia.

This paper introduces a Boolean and a modular abstraction of programs for programmable logic controllers in order to make them amenable for formal verification. In the Boolean abstraction, complex control-flow conditions are replaced by fresh Boolean input variables to defer the evaluation of such conditions. The modular abstraction replaces function block calls by so-called function block summaries, which over-approximate their possible return values. Both abstractions can subsequently be refined in an automatic process to allow for checking of complex programs using expressive formulae. The approach has been implemented in the Arcade.PLC model checker, which is used to show the effectiveness in a case-study.

Static program analysis for bug detection in industrial C/C++ code has many challenges. One of them is to analyze pointer and pointer structures efficiently. While there has been much research into various aspects of pointer analysis either for compiler optimization or for verification tasks, both classical categories are not optimized for bug detection, where speed and precision are important, but soundness (no missed bugs) and completeness (no false positives) do not necessarily need to be guaranteed.

Concurrently accessing shared data without locking is usually a subject to race conditions resulting in inconsistent or corrupted data. However, there are programs operating correctly without locking by exploiting the atomicity of certain operations on a specific hardware. In this paper, we describe how to precisely analyze lockless microcontroller C programs with interrupts by taking the hardware architecture into account. We evaluate this technique in an octagon-based value range analysis using access-based localization to increase efficiency.