SHF: Small: A Hybrid Synchronous Language for Verifiable Execution of Cyber-Physical Systems

SHF：Small：一种用于网络物理系统可验证执行的混合同步语言

• 批准号: 2348706
• 负责人: Jean-Baptiste Jeannin
• 金额: $ 60万
• 依托单位: Regents of the University of Michigan - Ann Arbor
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-04-01 至 2027-03-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2348706&HistoricalAwards=false
• 关键词: SHF; Small; Hybrid; Synchronous; Language

Modern cyber-physical systems (CPSs) such as cars and aircraft are responsible for expensive equipment and human lives. To ensure that they operate in a safe manner, it is therefore important to formally verify the underlying code. However today, tools for verification, execution and simulation of cyber-physical systems are largely disconnected, and difficult to reconcile. As a result, formal verification often ends up verifying a model of the code rather than the code that is actually executed, creating a gap in the verification. The project creates MARVeLus, a programming language unifying verification, execution and simulation of cyber-physical systems. The project's novelties are to bridge the gap between verification, execution and simulation, to offer a methodology for end-to-end verification of cyber-physical systems, and to ensure that the code that is executed is also the code that was verified. The project's impacts are to empower tomorrow's engineers to design cyber-physical systems with strong, formally verified guarantees applicable to real-world systems, and to democratize the use of formal verification in the design of cyber-physical systems. The investigator maintains strong ties with industry, which facilitates industry evaluation and feedback. The project also includes a collaboration with a Detroit-area Title 1 middle school to make the students aware of safety issues in engineering.The difficulty to achieve verification, execution and simulation together stems from multiple fronts: the intricacies of the semantics of languages for cyber-physical systems, including machine arithmetic; the complication of modeling and communicating with sensors and actuators; and the challenges in accurately modeling, simulating and proving properties about continuous dynamics, especially when coupled with discrete programs. To resolve those challenges, the project models cyber-physical systems as hybrid systems, with both discrete and continuous dynamics. MARVeLus is first designed as a synchronous language, in the tradition of languages such as Lustre, Esterel and Signal. Synchronous languages are stream-based languages built around a synchronous clock and targeted to cyber-physical systems and embedded systems. They come with strong runtime and memory guarantees. By building MARVeLus on a synchronous platform, we leverage their success based on decades of research, and encourage industry adoption. Second, MARVeLus enables verification through refinement types and an external Satisfiability Modulo Theories (SMT) solver. The project builds a dedicated refinement type system to reason about different properties of hybrid systems, including safety and liveness. Third, the project adds ordinary differential equations to the synchronous language, inspired by the recent development of the synchronous language Zelus. The project builds refinement typing rules allowing the user to reason about those differential equations using explicit solutions and invariants. Finally, the project performs verified simulation by formally verifying numerical algorithms approximating differential equations, and formally bounding their errors. As a result, MARVeLus is a synchronous language with differential equations and refinement types, with a verified simulation capability. The project applies and evaluates the design of MARVeLus on a small ground robot and a quadcopter in the laboratory, on the industrial aircraft collision avoidance system ACAS X.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代网络物理系统（CPS），如汽车和飞机，是昂贵的设备和人类生命的原因。为了确保它们以安全的方式运行，因此正式验证底层代码非常重要。然而，今天，网络物理系统的验证，执行和模拟工具在很大程度上是脱节的，难以协调。因此，形式化验证通常以验证代码的模型而不是实际执行的代码结束，从而在验证中产生差距。该项目创建了MARVeLus，这是一种编程语言，统一了网络物理系统的验证，执行和模拟。该项目的新颖之处在于弥合验证、执行和仿真之间的差距，为网络物理系统的端到端验证提供方法，并确保执行的代码也是经过验证的代码。该项目的影响是使未来的工程师能够设计具有适用于现实世界系统的强大的正式验证保证的网络物理系统，并使网络物理系统设计中正式验证的使用民主化。调查员与行业保持密切联系，这有助于行业评估和反馈。该项目还包括与底特律地区的一所第一中学合作，让学生意识到工程中的安全问题。同时实现验证、执行和仿真的困难来自多个方面：网络物理系统语言语义的复杂性，包括机器运算;建模和与传感器和执行器通信的复杂性;以及在精确建模、模拟和证明连续动态特性方面的挑战，特别是在与离散程序相结合时。为了解决这些挑战，该项目将网络物理系统建模为混合系统，同时具有离散和连续动态。MARVeLus最初被设计为一种同步语言，继承了Lustre、Esterel和Signal等语言的传统。同步语言是围绕同步时钟构建的基于流的语言，针对网络物理系统和嵌入式系统。它们具有强大的运行时和内存保证。通过在同步平台上构建MARVeLus，我们利用他们基于数十年研究的成功，并鼓励行业采用。其次，MARVeLus通过细化类型和外部可满足性模理论（SMT）求解器实现验证。该项目构建了一个专用的精化类型系统来推理混合系统的不同属性，包括安全性和活性。第三，该项目将常微分方程添加到同步语言中，受到同步语言Zelus最近开发的启发。该项目构建了细化类型规则，允许用户使用显式解和不变量来推理这些微分方程。最后，该项目进行了验证模拟正式验证近似微分方程的数值算法，并正式界定其错误。因此，MARVeLus是一种具有微分方程和细化类型的同步语言，具有经过验证的仿真能力。该项目应用并评估了MARVeLus在实验室小型地面机器人和四轴飞行器上的设计，以及工业飞机防撞系统ACAS X。该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估来支持。