SHF: Small: A Hybrid Synchronous Language for Verifiable Execution of Cyber-Physical Systems

SHF：Small：一种用于网络物理系统可验证执行的混合同步语言

• 批准号: 2348706
• 负责人: Jean-Baptiste Jeannin
• 金额: $ 60万
• 依托单位: Regents of the University of Michigan - Ann Arbor
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-04-01 至 2027-03-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2348706&HistoricalAwards=false
• 关键词: SHF; Small; Hybrid; Synchronous; Language

Modern cyber-physical systems (CPSs) such as cars and aircraft are responsible for expensive equipment and human lives. To ensure that they operate in a safe manner, it is therefore important to formally verify the underlying code. However today, tools for verification, execution and simulation of cyber-physical systems are largely disconnected, and difficult to reconcile. As a result, formal verification often ends up verifying a model of the code rather than the code that is actually executed, creating a gap in the verification. The project creates MARVeLus, a programming language unifying verification, execution and simulation of cyber-physical systems. The project's novelties are to bridge the gap between verification, execution and simulation, to offer a methodology for end-to-end verification of cyber-physical systems, and to ensure that the code that is executed is also the code that was verified. The project's impacts are to empower tomorrow's engineers to design cyber-physical systems with strong, formally verified guarantees applicable to real-world systems, and to democratize the use of formal verification in the design of cyber-physical systems. The investigator maintains strong ties with industry, which facilitates industry evaluation and feedback. The project also includes a collaboration with a Detroit-area Title 1 middle school to make the students aware of safety issues in engineering.The difficulty to achieve verification, execution and simulation together stems from multiple fronts: the intricacies of the semantics of languages for cyber-physical systems, including machine arithmetic; the complication of modeling and communicating with sensors and actuators; and the challenges in accurately modeling, simulating and proving properties about continuous dynamics, especially when coupled with discrete programs. To resolve those challenges, the project models cyber-physical systems as hybrid systems, with both discrete and continuous dynamics. MARVeLus is first designed as a synchronous language, in the tradition of languages such as Lustre, Esterel and Signal. Synchronous languages are stream-based languages built around a synchronous clock and targeted to cyber-physical systems and embedded systems. They come with strong runtime and memory guarantees. By building MARVeLus on a synchronous platform, we leverage their success based on decades of research, and encourage industry adoption. Second, MARVeLus enables verification through refinement types and an external Satisfiability Modulo Theories (SMT) solver. The project builds a dedicated refinement type system to reason about different properties of hybrid systems, including safety and liveness. Third, the project adds ordinary differential equations to the synchronous language, inspired by the recent development of the synchronous language Zelus. The project builds refinement typing rules allowing the user to reason about those differential equations using explicit solutions and invariants. Finally, the project performs verified simulation by formally verifying numerical algorithms approximating differential equations, and formally bounding their errors. As a result, MARVeLus is a synchronous language with differential equations and refinement types, with a verified simulation capability. The project applies and evaluates the design of MARVeLus on a small ground robot and a quadcopter in the laboratory, on the industrial aircraft collision avoidance system ACAS X.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代的网络物理系统（CPS），例如汽车和飞机，负责昂贵的设备和人类生活。为了确保它们以安全的方式运行，因此必须正式验证基础代码。但是，如今，用于验证，执行和模拟网络物理系统的工具在很大程度上已经断开，并且难以调和。结果，正式验证通常最终验证代码模型，而不是实际执行的代码，从而在验证中造成差距。该项目创建了Marvelus，这是一种编程语言，统一了网络物理系统的验证，执行和模拟。该项目的新颖性是弥合验证，执行和仿真之间的差距，提供一种用于端到端网络物理系统验证的方法，并确保执行的代码也是已验证的代码。该项目的影响是使明天的工程师能够设计具有强大，正式验证的确保适用于现实世界系统的网络物理系统，并在设计网络物理系统设计中使用正式验证的使用民主化。研究人员与行业保持着紧密的联系，这有助于行业评估和反馈。该项目还包括与底特律地区标题1中学的合作，以使学生意识到工程的安全问题。难以实现验证，执行和模拟共同源于多个方面：网络物理系统语言语言语言语言语言的复杂性，包括机器算术；建模和与传感器和执行器进行交流的复杂性；以及准确建模，模拟和证明有关连续动态的属性的挑战，尤其是在与离散程序结合在一起时。为了解决这些挑战，该项目将网络物理系统作为混合系统建模，并具有离散和连续动力学。 Marvelus首先以语言的传统（例如光泽，酯和信号）的传统设计为同步语言。同步语言是围绕同步时钟构建的基于流的语言，并针对网络物理系统和嵌入式系统。它们具有强大的运行时间和记忆保证。通过在同步平台上建立Marvelus，我们根据数十年的研究利用了它们的成功，并鼓励行业采用。其次，Marvelus可以通过细化类型和外部满足模式理论（SMT）求解器进行验证。该项目建立了专用的改进类型系统，以推理混合系统的不同特性，包括安全性和livesice。第三，该项目为同步语言的启发，为同步语言添加了普通的微分方程。该项目构建了改进分型规则，允许用户使用明确的解决方案和不变性来对这些微分方程进行推理。最后，该项目通过正式验证近似微分方程的数值算法并正式界定其误差来执行验证的仿真。结果，Marvelus是一种具有微分方程和改进类型的同步语言，具有经过验证的仿真能力。该项目在小型地面机器人和实验室中的Quadcopter上应用并评估了工业飞机碰撞避免系统ACAS X的设计。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的知识分子优点和更广泛的影响审查标准来通过评估来通过评估来获得支持的。