Yu Jiang,Houbing Song,Rui Wang,Ming Gu,Jiaguang Sun,Lui Sha

DOI: https://doi.org/10.1109/tii.2016.2573762

IF: 12.3

2017-01-01

IEEE Transactions on Industrial Informatics

Abstract:Wireless medical cyber-physical systems are widely adopted in the daily practices of medicine, where huge amounts of data are sampled by the wireless medical devices and sensors, and is passed to the decision support systems (DSSs). Many text-based guidelines have been encoded for work-flow simulation of DSS to automate health care based on those collected data. But for some complex and life-critical diseases, it is highly desirable to automatically rigorously verify some complex temporal properties encoded in those data, which brings new challenges to current simulation-based DSS with limited support of automatical formal verification and real-time data analysis. In this paper, we conduct the first study on applying runtime verification to cooperate with current DSS based on real-time data. Within the proposed technique, a user-friendly domain specific language, named DRTV, is designed to specify vital real-time data sampled by medical devices and temporal properties originated from clinical guidelines. Some interfaces are developed for data acquisition and communication. Then, for medical practice scenarios described in DRTV model, we will automatically generate event sequences and runtime property verifier automata. If a temporal property violates, real-time warnings will be produced by the formal verifier and passed to medical DSS. We have used DRTV to specify different kinds of medical care scenarios and have applied the proposed technique to assist existing wireless medical cyber-physical system. As presented in experiment results, in terms of warning detection, it outperforms the only use of DSS or human inspection, and improves the quality of clinical health care of hospital.

Liang Cheng,Zhangtan Li,Yi Zhang,Yang Zhang,Insup Lee

DOI: https://doi.org/10.1145/3076125.3076129

2017-01-01

Abstract:The Integrated Clinical Environment (ICE) is a standard dedicated to promote open coordination of heterogeneous medical devices in a plug-and-play manner. This carries the potential to radically improve medical care through coordinating, cooperating devices, but also to undermine the patient safety by giving rise to security vulnerabilities in the cyber world. In this paper, we propose an authentication framework as the first step to build an ICE security architecture. This framework is designed in a three-layered structure, allowing it to fit in the variety of authentication requirements from different ICE entities and of networking middleware from ICE instantiations. We implement the authentication framework on OpenICE, an open source ICE instantiation. Our experiments shows that the framework can help OpenICE mitigate the vulnerabilities caused by forged identity with negligible performance overload.

Zhangtan Li,Liang Cheng,Yang Zhang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00034

2019-01-01

Abstract:Integrated Clinical Environment (ICE) is a standardized framework for achieving device interoperability in medical cyber-physical systems. The ICE utilizes high-level supervisory apps and a low-level communication middleware to coordinate medical devices. The need to design complex ICE systems that are both safe and effective has presented numerous challenges, including interoperability, context-aware intelligence, security and privacy. In this paper, we present a data flow analysis framework for the ICE systems. The framework performs the combination of static and dynamic analysis for the sensitive data and operations in the ICE systems. Our experiments demonstrate that the data flow analysis framework can record how the medical devices transmit sensitive data and perform misuse detection by tracing the runtime context of the sensitive operations.

Xijiao Xiong,Jing Liu,Zuohua Ding

DOI: https://doi.org/10.1016/j.entcs.2010.08.050

2010-01-01

Electronic Notes in Theoretical Computer Science

Abstract:Developing an advanced medical informatics system is a grand challenge in the 21st century. In this paper, we construct and analyze a trustable medical system by Refinement Calculus of Object Systems (rCOS) in a model-driven development process. Our method greatly improves the dependability and efficiency of the complicate system. This implies that the formal techniques developed in rCOS can be integrated into a model-driven development process. For the verification, a tool, called UPPAAL, is used to ensure the safety and correctness of the medical system. Our result suggests a way to corporate design and verification in system development process.

Yu Jiang,Han Liu,Hui Kong,Rui Wang,Mohammad Hosseini,Jiaguang Sun,Lui Sha

DOI: https://doi.org/10.1145/2889160.2889233

2016-01-01

Abstract:Clinical guidelines and decision support systems (DSS) play an important role in daily practices of medicine. Many text-based guidelines have been encoded for work-flow simulation of DSS to automate health care. During the collaboration with Carle hospital to develop a DSS, we identify that, for some complex and life-critical diseases, it is highly desirable to automatically rigorously verify some complex temporal properties in guidelines, which brings new challenges to current simulation based DSS with limited support of automatical formal verification and real-time data analysis. In this paper, we conduct the first study on applying runtime verification to cooperate with current DSS based on real-time data. Within the proposed technique, a user-friendly domain specific language, named DRTV, is designed to specify vital real-time data sampled by medical devices and temporal properties originated from clinical guidelines. Some interfaces are developed for data acquisition and communication. Then, for medical practice scenarios described in DRTV model, we will automatically generate event sequences and runtime property verifier automata. If a temporal property violates, real-time warnings will be produced by the formal verifier and passed to medical DSS. We have used DRTV to specify different kinds of medical care scenarios, and applied the proposed technique to assist existing DSS. As presented in experiment results, in terms of warning detection, it outperforms the only use of DSS or human inspection, and improves the quality of clinical health care of hospital.

Zhangtan Li,Liang Cheng,Yang Zhang

DOI: https://doi.org/10.1145/3357495.3357497

2019-01-01

ACM SIGBED Review

Abstract:Integrated Clinical Environment (ICE) is a standardized framework for achieving medical device interoperability. It utilizes high-level supervisory and medical apps and low-level communication middle-ware to coordinate medical devices to accomplish a shared clinical mission. With the potential to significantly improve healthcare productivity and reduce medical errors, the interoperability of medical devices also subjects ICE systems to unprecedented security threats. In this paper, we present a set of security attacks, namely interception, tampering, and replay attack, to the network level of ICE systems, which we identify through a threat modeling analysis on OpenICE, the best-known instantiation of ICE system. For these security attacks, we devise corresponding defense mechanisms on top of OpenICE. Our experiments demonstrate that these defense mechanisms can effectively protect OpenICE from the identified attacks with acceptable computational overhead.

Sufyan Samara,Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1007/978-3-642-15234-4_11

2010-01-01

Abstract:This paper presents a novel flexible, dependable, and reliable operating system design for distributed reconfigurable system on chip. The dependability and reliability are achieved by integrating online model checking technique. Each OS service has different implementations which are further partitioned into small blocks. This operating system design allows the OS service to be adapted at runtime according to the given resource requirements and response time. Such adaptable services may be required by real time safety-critical applications. The flexibility introduced in executing adaptable OS services also gives rise to a potential safety problem. Thus, online model checking is integrated to the operating system so as to improve the dependability, reliability, and fault tolerance of these adaptable OS services.

Zhangtan Li,Liang Cheng,Yang Zhang

2019-01-01

Abstract:Integrated Clinical Environment (ICE) is a standardized framework for achieving medical device interoperability. It utilizes high-level supervisory andmedical apps and low-level communication middleware to coordinate medical devices to accomplish a shared clinical mission. With the potential to significantly improve healthcare productivity and reduce medical errors, the interoperability of medical devices also subjects ICE systems to unprecedented security threats. In this paper, we present a set of security attacks, namely interception, tampering, and replay attack, to the network level of ICE systems, which we identify through a threat modeling analysis on OpenICE, the best-known instantiation of ICE system. For these security attacks, we devise corresponding defense mechanisms on top of OpenICE. Our experiments demonstrate that these defense mechanisms can effectively protect OpenICE from the identified attacks with acceptable computational overhead.

Ivan De Oliveira Nunes,Karim Eldefrawy,Norrathep Rattanavipanon,Gene Tsudik

DOI: https://doi.org/10.48550/arXiv.1908.02444

2019-08-07

Cryptography and Security

Abstract:Modern society is increasingly surrounded by, and accustomed to, a wide range of Cyber-Physical Systems (CPS), Internet-of-Things (IoT), and smart devices. They often perform safety-critical functions, e.g., personal medical devices, automotive CPS and industrial automation (smart factories). Some devices are small, cheap and specialized sensors and/or actuators. They tend to run simple software and operate under control of a more sophisticated central control unit. The latter is responsible for the decision-making and orchestrating the entire system. If devices are left unprotected, consequences of forged sensor readings or ignored actuation commands can be catastrophic, particularly, in safety-critical settings. This prompts the following three questions: (1) How to trust data produced by a simple remote embedded device? and (2) How to ascertain that this data was produced via execution of expected software? Furthermore, (3) Is it possible to attain (1) and (2) under the assumption that all software on the remote device could be modified or compromised? In this paper we answer these questions by designing, proving security of, and formally verifying, VAPE: Verified Architecture for Proofs of Execution. To the best of our knowledge, this is the first of its kind result for low-end embedded systems. Our work has a range of applications, especially, to authenticated sensing and trustworthy actuation, which are increasingly relevant in the context of safety-critical systems. VAPE architecture is publicly available and our evaluation demonstrates that it incurs low overhead, affordable even for lowest-end embedded devices, e.g., those based on MSP430 or ARV ATMega processors.

Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1109/isorc.2012.28

2012-01-01

Abstract:This paper presents a lightweight verification technique, which is applicable to dependable real-time systems, provided that the (abstract) model and the (concrete) implementation of the system under test are given in advance. In addition to the usual quality assurance techniques at design time (e.g., formal verification) and at implementation time (e.g., testing), we provide a special form of model checking at run time. That is, we check the correctness of an actual system execution by means of exploring a partial model space covering the current execution trace. In doing so, concrete state information is observed from time to time while the system to be checked is running. This runtime information is used to guide model checking to reduce the model space to be explored. In this sense, we call this method online model checking. Since we do not directly check the execution trace itself, our online checking at model level is capable of checking a running system some steps ahead of the actual state of execution. In this paper, we describe online model checking as well as the underlying system architecture in general, explain the basic algorithm and its extension to improve performance, and provide experimental results.

Wenjing Xu,Dianfu Ma

DOI: https://doi.org/10.3390/electronics10161934

IF: 2.9

2021-01-01

Electronics

Abstract:As the scale and complexity of safety-critical software continue to grow, it is necessary to ensure safety and reliability to avoid minor errors leading to catastrophic disasters. Meantime, the traditional method, such as testing and simulation alone is insufficient to ensure the correctness of systems. This leads to using formal methods to provide sufficient evidence for systems. However, design a high assurance safety-critical system by formal methods is challenging due to the complexity of operating systems. In addition, the traditional interactive theorem prover used in system verification requires hand-written proofs, which are more expensive. Therefore, the efforts of providing a standardized formal framework as well as safety proofs, are notable for the develop a safety-critical system. The purpose of this paper is to provide a safety framework to establish a highly reliable and safety-critical operating system based on the ARINC653 standard, a multilevel and standardized formal model. To verify the functional correctness of this model, we propose a context-based formal proof method for programs. To achieve this goal, we first model 57 core services of ARINC653 and define the high-level requirements as pre-and post-conditions. Then, we construct a set of specification statements a formal axiom system transformed into logical sentences, and the core service model is transformed into a logical sentence sequence to be proved. Finally, a context-based formal proof system for specification correctness is developed. We have verified the correctness of safety-critical operating system core services with this system. Experience shows that the verification system we developed can be achieved the functional correctness of a complete OS with a low implement burden, and that can simplify the difficulty of automated verification and increase the degree of automation of proof.

Xiaoyan Du,Chenglie Du,Jinchao Chen,Mei Yang,Wenquan Yu

DOI: https://doi.org/10.3390/app122211533

2022-01-01

Applied Sciences

Abstract:Avionics systems, which determine the performance, stability, and safety of aircraft, are a crucial part of aircraft. With the rapid development of the aviation industry, there are many serious problems in the process of the traditional simulation and verification of avionics systems, especially in the aspects of poor reusability of the hardware and software, poor real-time data interaction, and the high cost of development. In order to solve these problems, a simulation and verification platform for avionics systems based on the Future Airborne Capability Environment (FACE) architecture has been designed by using component and memory database technology. First, a general architecture is designed by referencing the FACE architecture, which allows flexible access to software and hardware resources of avionics systems. Second, the key technologies involved in the platform are described in detail, including scheduling management, communication management, and configuration management, which provide technical support for the simulation and verification of avionics systems. Finally, the simulation and verification environment of avionics systems is established, which realizes data interaction and management of various models, and improves the efficiency of the development and implementation of avionics systems.

Yuhong Zhao,Simon Oberthür,Norma Montealegre,Franz J. Rammig,Martin Kardos

DOI: https://doi.org/10.1007/11752578_125

2006-01-01

Abstract:Component-based self-optimizing systems can adjust themselves over time to dynamic environments by means of exchanging components. In case that such systems are safety-critical, the dependability issue becomes paramountly significant. This paper presents a novel model-based runtime verification to increase dependability for the self-optimizing systems of this kind. The proposed verification approach plays a role of an alternative acceptance test transparently integrated in RTOS, named model-based acceptance test. The verification is performed at the level of (RT-UML) models representing the systems under consideration. The properties to be checked are expressed by RT-OCL where the underlying temporal logic is restricted to either time-annotated ACTL or LTL formulae. The applied technique is based on the on-the-fly model checking, which runs interleaved with the execution of the checked system in a pipelined manner. More specifically, for ACTL formulae this means an on-the-fly solution to the NHORNSAT problem, while in the case of LTL formulae, the emptiness checking method is applied.

Xiaoyan Du,Chenglie Du,Jinchao Chen,Yifan Liu,Pengcheng Han

DOI: https://doi.org/10.1109/imcec46724.2019.8983850

2019-01-01

Abstract:Avionics systems have to integrate and to manipulate numerous sensors, actuators and controllers while maintaining high quality of safety and reliability. Traditional chimney development method, which has shortages in the ability and efficiency, cannot be able to meet the increasing requirements of large scale avionics systems applications. In order to solve these problems, this paper proposes a FACE-based simulation and verification approach for avionics systems. First, by analysing the FACE standard, a FACE-based framework of avionics systems is designed to develop and deploy applications on different platforms. Then, based on the proposed framework, a simulation and verification approach for avionics systems designed by adopting the component packaging technology. Finally, the simulation and verification platform is established by integrating the component applications, exciter applications and display processing units in the avionics systems. Experimental results show that this approach not only guarantees the correctness and reliability of software applications, but also increases the flexibility, scalability and the cross-platform capability of avionics systems.

Ning Ge,Eric Jenn,Nicolas Breton,Yoann Fonteneau

DOI: https://doi.org/10.1007/s10009-017-0475-0

2017-01-01

International Journal on Software Tools for Technology Transfer

Abstract:This work presents a formal verification process based on the Systerel Smart Solver (S3) toolset for the development of safety-critical embedded software. In order to guarantee the correctness of the implementation of a set of textual requirements, the process integrates different verification techniques (inductive proof, bounded model checking, test cases generation, and equivalence proof) to handle different types of properties at their best capacities. It is aimed at the verification of properties at system, design, and code levels. To handle the floating-point arithmetic (FPA) in both the design and the code, an FPA library is designed and implemented in S3. This work is illustrated on an Automatic Rover Protection system implemented onboard a robot. Focus is placed on the verification of safety and functional properties and on the equivalence proof between the design model and the generated code.

Robert Abela,Christian Colombo,Axel Curmi,Mattea Fenech,Mark Vella,Angelo Ferrando

DOI: https://doi.org/10.4204/EPTCS.391.7

2023-10-04

Abstract:Autonomous and robotic systems are increasingly being trusted with sensitive activities with potentially serious consequences if that trust is broken. Runtime verification techniques present a natural source of inspiration for monitoring and enforcing the desirable properties of the communication protocols in place, providing a formal basis and ways to limit intrusiveness. A recently proposed approach, RV-TEE, shows how runtime verification can enhance the level of trust to the Rich Execution Environment (REE), consequently adding a further layer of protection around the Trusted Execution Environment (TEE). By reflecting on the implication of deploying RV in the context of trustworthy computing, we propose practical solutions to two threat models for the RV-TEE monitoring process: one where the adversary has gained access to the system without elevated privileges, and another where the adversary gains all privileges to the host system but fails to steal secrets from the TEE.

Cryptography and Security,Robotics

Zhenjiang Qian,Wei Liu,Yiyang Yao

DOI: https://doi.org/10.1109/access.2020.3047411

IF: 3.9

2021-01-01

IEEE Access

Abstract:Formal verification can mathematically prove whether a software satisfies the requirements described in its design. In traditional software development, even if the software systems, especially the operating system for Internet of Things in smart cities, passes the verification test, it is difficult to explain its correctness. The implementation of formal verification after the design and development process proves that the software system meets the expected requirements. This will become a trend for future software development. In this paper, we model the system state of the X86 architecture on the assembly layer, and use a micro operating system prototype for Internet of Things in smart cities as an example to explain the proposed method that can verify operating systems for Internet of Things in smart cities on the assembly layer. The verification result shows that this method is feasible.

Abhishek Jain,Giuseppe Bonanno,Hima Gupta,Ajay Goyal

DOI: https://doi.org/10.48550/arXiv.1301.2858

2013-01-14

Other Computer Science

Abstract:In this paper,we present Generic System Verilog Universal Verification Methodology based Reusable Verification Environment for efficient verification of Image Signal Processing IP's/SoC's. With the tight schedules on all projects it is important to have a strong verification methodology which contributes to First Silicon Success. Deploy methodologies which enforce full functional coverage and verification of corner cases through pseudo random test scenarios is required. Also, standardization of verification flow is needed. Previously, inside imaging group of ST, Specman (e)/Verilog based Verification Environment for IP/Subsystem level verification and C/C++/Verilog based Directed Verification Environment for SoC Level Verification was used for Functional Verification. Different Verification Environments were used at IP level and SoC level. Different Verification/Validation Methodologies were used for SoC Verification across multiple sites. Verification teams were also looking for the ways how to catch bugs early in the design cycle? Thus, Generic System Verilog Universal Verification Methodology (UVM) based Reusable Verification Environment is required to avoid the problem of having so many methodologies and provides a standard unified solution which compiles on all tools. The main aim of development of this Generic and automatic verification environment is to develop an efficient and unified verification environment (at IP/Subsystem/SoC Level) which reuses the already developed Verification components and also sequences written at IP/Subsystem level can be reused at SoC Level both with Host BFM and actual Core using Incisive Software Extension (ISX) and Virtual Register Interface (VRI)/Verification Abstraction Layer (VAL) approaches. IP-XACT based tools are used for automatically configuring the environment for various imaging IPs/SoCs.

Yixiao Lv,Jiaqi Yin,Sini Chen,Huibiao Zhu

DOI: https://doi.org/10.1109/issrew60843.2023.00053

2023-01-01

Abstract:With the rapid development of mobile computing technology, Android System is widely used in smart devices, and the quantity of Android Apps continuously grows. The Inter-Component Communication (ICC) mechanism in the Android framework allows communication between components (inside the same App or on different Apps). However, some security issues are caused by this mechanism, especially in the case of Inter-App Communication (IAC). To ensure the security of the communication in Android System, we formally model the ICC mechanism using Communication Sequential Process (CSP). After that, we verify four properties of the model using the Process Analysis Toolkit (PAT) with the help of C#, including Deadlock Freedom, Data Reachability, Data Security, and Data Reliability.

Ye Lei,Fan Xiaoya,An Jianfeng,Zhang Shangang

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.15.031

2006-01-01

Abstract:As the complexity of high-performance microprocessor increases,its verification becomes more difficult and emerges as the bottleneck of the design cycle.In this paper,we propose a methodology to setup a system level verification platform based on Simics for compatible microprocessor.The method builds a system,applying ISS and related memory model and peripheral devices provided by Simics connected with external simulator by the controlling module developed by us.And the microprocessor supported by Simics plays as a reference model.The test stimuli comes from the real operating system and application programs.The platform compares the results from microprocessor and the IIS automatically.Thanks to the fast simulation speed and the instant scenario recovery ability provided by Simics,the platform advances the procedure of verification quickly.