面向SPARC处理器架构的操作系统异常管理验证

航天器等安全关键系统是典型的嵌入式系统,具有多任务并发、中断频发等特点,操作系统是其最基础的软件,构建一个正确的操作系统是保障航天器系统高可信运行的关键.异常管理作为操作系统最底层的功能负责引导系统控制流的突变来响应处理器状态中的某些变化,异常管理的正确性是整个操作系统正确性的基础.本文提出了一种基于Hoare-logic的验证框架,用于证明面向SPARC处理器架构操作系统异常管理的正确性,特别针对多任务并发和中断频发实时操作系统异常嵌套与异常中发生任务切换的情况,将异常管理划分为五个阶段进行全面的形式化建模,并且在Coq证明定理辅助工具中实现了此框架.基于该框架验证了我国北斗三号在轨实际应用的航天器嵌入式实时操作系统SpaceOS异常管理功能的正确性.     

基于异常检测和处理的动态适应性工作流

异常的检测和处理是工作流系统执行过程中必须解决的关键性问题之一.给出了异常的分类,并给出了异常自身及其处理方法的形式化描述;实现了利用消息传递机制作为异常的检测方法,并结合异常适应库来提供异常处理的执行策略和处理措施;通过为相应的措施设计特定的操作原语,从而为其转变为实际的编码提供了可能.     

Web interface-driven cooperative exception handling in ADOME workflow management system

Exception handling in workflow management systems (WFMSs) is a very important problem since it is not possible to specify all possible outcomes and alternatives. Effective reuse of existing exception handlers can greatly help in dealing with workflow exceptions. On the other hand, cooperative support for user-driven computer supported resolution of unexpected exceptions and workflow evolution at run-time is vital for an adaptive WFMS. We have been developing ADOME-WFMS as a comprehensive framework in which the problem of workflow exception handling can be adequately addressed. In this article, we present an adaptive exception manager and its web-based interface for ADOME-WFMS with procedures for supporting the following: reuse of exception handlers, thorough and automated resolution of expected exceptions, effective management of Problem Solving Agents, cooperative exception handling, user-driven computer supported resolution of unexpected exceptions, and workflow evolution.     

工作流异常处理的形式描述

异常处理是工作流执行中要解决的主要问题之一，清楚地描述异常处理的过程是最终得到实现的基础。Petri-net对工作流的描述适合于对过程定义进行正确性验证和评价，但描述各种不同条件下的处理策略却很繁琐，采用了一种直观的描述方法对异常处理过程中的元素，即活动、异常处理策略以及处理措施进行了形式化描述，特别是对不同处理策略下的处理过程进行了描述。结合消息机制，分析了一个异常事件出现时，如何处理一个活动实例产生的中间数据，并对事务处理和异常处理的补偿策略进行了比较。描述方法为编码实现提供了很大的方便。     

Toward Compositional Verification of Interruptible OS Kernels and Device Drivers

An operating system (OS) kernel forms the lowest level of any system software stack. The correctness of the OS kernel is the basis for the correctness of the entire system. Recent efforts have demonstrated the feasibility of building formally verified general-purpose kernels, but it is unclear how to extend their work to verify the functional correctness of device drivers, due to the non-local effects of interrupts. In this paper, we present a novel compositional framework for building certified interruptible OS kernels with device drivers. We provide a general device model that can be instantiated with various hardware devices, and a realistic formal model of interrupts, which can be used to reason about interruptible code. We have realized this framework in the Coq proof assistant. To demonstrate the effectiveness of our new approach, we have successfully extended an existing verified non-interruptible kernel with our framework and turned it into an interruptible kernel with verified device drivers. To the best of our knowledge, this is the first verified interruptible operating system with device drivers.     

面向安全关键内存管理系统分层验证方法

安全关键系统的失败会造成很严重的后果,确保其正确性非常重要.空间嵌入式操作系统是一个典型的安全关键系统,在其内存管理的设计上,必须保障其高效的分配与回收,同时对系统资源的占用降到最低.在传统的软件开发过程中,通常是在整个软件开发结束后再进行集中测试及验证,这样势必会造成开发进展的不确定性.因此,将形式化验证方法和软件工程领域内的“需求-设计-实现”的3层开发框架相结合,通过性质分层传递验证的方法,保证了各个层次间的一致性.首先,从需求层面的需求分析开始,引入形式化证明的思路,证明对需求层逻辑的正确性,从而可以更好地指导程序的设计.其次,在设计层面的验证可以极大地减少开发代码的错误率,证明设计算法和需要实现的函数之间调用逻辑的正确性.最后,在实现层,证明所实现代码与函数设计的一致性,并且证明代码实现的正确性.使用交互式定理证明辅助工具Coq,以某一国产空间嵌入式操作系统的内存管理模块为例,证明了其内存管理算法的正确性以及需求、设计、实现的一致性.     

An event-based approach for formally verifying runtime adaptive real-time systems

Real-time and embedded systems are required to adapt their behavior and structure to runtime unpredicted changes in order to maintain their feasibility and usefulness. These systems are generally more difficult to specify and verify owning to their execution complexity. Hence, ensuring the high-level design and the early verification of system adaptation at runtime is very crucial. However, existing runtime model-based approaches for adaptive real-time and embedded systems suffer from shortcoming linked to efficiently and correctly managing the adaptive system behavior, especially that a formal verification is not allowed by modeling languages such as UML and MARTE profile. Moreover, reasoning about the correctness and the precision of high-level models is a complex task without the appropriate tool support. In this work, we propose an MDE-based framework for the specification and the verification of runtime adaptive real-time and embedded systems. Our approach stands for Event-B method to formally verify resources behavior and real-time constraints. In fact, thanks to MDE M2T transformations, our proposal translates runtime models into Event-B specifications to ensure the correctness of runtime adaptive system properties, temporal constrains and nonfunctional properties using Rodin platform. A flood prediction system case study is adopted for the validation of our proposal.

     

A Ravenscar-Compliant Run-time Kernel for Safety-Critical Systems*

The Ravenscar tasking profile for Ada 95 has been designed to allow implementation of highly safety critical systems. Ravenscar defines a tasking system with deterministic behavior and low complexity. We provide a formal model using UPPAAL of the primitives provided by Ravenscar including exceptions. This formal model is used to verify the correctness of the Ravenscar model and can be used to verify safety properties of applications using the Ravenscar profile. As an illustration of this, we model a sample application using all features of Ravenscar and formally verify its correctness. Furthermore, an introduction to the Ravenscar model is given.     

Dynamic Verification of Memory Consistency in Cache-Coherent Multithreaded Computer Architectures

Multithreaded servers with cache-coherent shared memory are the dominant type of machines used to run critical network services and database management systems. To achieve the high availability required for these tasks, it is necessary to incorporate mechanisms for error detection and recovery. Correct operation of the memory system is defined by the memory consistency model. Errors can therefore be detected by checking if the observed memory system behavior deviates from the specified consistency model. Based on recent work, we design a framework for dynamic verification of memory consistency (DVMC). The framework consists of mechanisms to verify three invariants that are proven to guarantee that a specified memory consistency model is obeyed. We describe an implementation of the framework for the SPARCv9 architecture, and we experimentally evaluate its performance using full-system simulation of commercial workloads.     

流程违例处理的行为及分析

业务流程运行期间,外部或运行环境中的某些属性与流程设计时所设定的条件不一致时,将导致流程运行时的违例,违例处理方法涉及流程运行时违例的发现和处理。首先介绍了流程的违例及其分类;基于流程违例处理模式,使用CCS偶图对流程工作项级、案例级违例处理以及相关补偿处理进行分析和表述;在违例处理策略讨论的基础上,总结了违例处理模式的基本形式,并通过CCS偶图的动态特征分析了违例处理的动态行为。     

Extended event–condition–action rules and fuzzy Petri nets based exception handling for workflow management

Exception handling plays a key role in dynamic workflow management that enables streamlined business processes. Handling application-specific exceptions is a knowledge-intensive process involving different decision-making strategies and a variety of knowledge, especially much fuzzy knowledge. Current efforts in workflow exception management are not adequate to support the knowledge-based exception handling. This paper proposes a hybrid exception handling approach based on two extended knowledge models, i.e., generalized fuzzy event–condition–action (GFECA) rule and typed fuzzy Petri net extended by process knowledge (TFPN-PK). The approach realizes integrated representation and reasoning of fuzzy and non-fuzzy knowledge as well as specific application domain knowledge and workflow process knowledge. In addition, it supports two handling strategies, i.e., direct decision and analysis-based decision, during exception management. The approach fills in the gaps in existing related researches, i.e., only providing the capability of direct exception handling and neglecting fuzzy knowledge. Based on TFPN-PK, a weighted fuzzy reasoning algorithm is designed to address the reasoning problem of uncertain goal propositions and known goal concepts by combining forward reasoning with backward reasoning and therefore to facilitate cause analysis and handling of workflow exceptions. A prototype system is developed to implement the proposed approach.     

Windows安全之SEH安全机制分析

SHE（结构化异常处理）,是Windows操作系统所提供的对错误或异常的一种处理机制。但是,由于SEH设计存在缺陷,使得在存在缓冲区溢出时,攻击者可以利用SEHC-J异常处理链结构实施成功的攻击。所以,微软在不同版本的Windows操作系统中分别都SEH实现上做了相应的改动,分别出现了SafeSEH和SEHOP两个改进机制。但是,在改进之后的SEH机制中又分别出现了不同程度的缺陷。本文结合微软的GS、ASLR等技术对不同版本的SEH机制的实现以及其存在的安全缺陷进行深入研究,并针对安全缺陷提出相应的修改意见。     

Inheritance systems with exceptions

In this paper, we are interested in the representation and management of multiple inheritance systems with exceptions in both semantic networks and object-oriented languages. Exception management raises different problems, particularly in the presence of contradictions. Three types of contradictions, which constitute the problematics of exception management, may be identified. The different methods used to solve these contradictions are presented; two approaches in particular are underscored: a logic approach and an algebraic approach.     

异常处理——一种提高软件健壮性的方法

Exception handling is a technique that tests and handles exception events. Unlike the traditional methods that usually deal with exceptions at later design and implementation phases and easily result in many problems, we emphasis that sufficient attention should be paid to software exception handling during the development of the soft-ware requirements definition. By enforcing this policy through all phases of software development, the level of ro-bustness can be improved considerably. In this paper, the concepts of exception handling are firstly introduced, then the methods of exception handling are discussed, all kinds of exception handling methods and tools are also compared.The current problems and future directions are analyzed at the end of the paper.     

基于着色时间Petri网的实时系统的形式验证

嵌入式实时系统多数应用在安全性要求较高的场合,因此需要保证系统的正确性.复杂性不断增加的实时系统迫切需要在系统开发早期引入形式化分析技术来验证系统的期望性质.时间Petri网是有严格数学基础的图形表达工具,适合对实时系统建模;时间自动机(Timed Automata,TA)有成熟的验证工具,被广泛用于实时系统的模型检验和验证.本文提出一种基于着色时间Petri网(Colored Time Petri Net,CTPN)的实时系统的验证方法,用CTPN对带有控制流和数据流的实时系统建模,通过转换规则将CTPN模型转换成语义等价的TA模型,利用模型检验工具UPPAAL验证系统的性质.最后,用实例证明此方法有效.     

FORTRAN 2000异常处理机制的研究

异常处理是现代程序设计语言的一个重要特征，它为检测和恢复软件系统在运行时的错误、构建系统的容错处理提供了强有力的支持。本文分析了FORTRAN 2000的异常处理机制，并提出一种扩充方案，引入用户定义异常和异常处理区的概念，改进了异常的传播机制，从而使FORTRAN编程更好地实现普通代码和异常处理代码的分离，提高了程序的可读性和可维护性。     

A formal specification and verification framework for TimeWarp-based parallel simulation

The paper describes a formal framework developed using the Prototype Verification System (PVS) to model and verify distributed simulation kernels based on the Time Warp paradigm. The intent is to provide a common formal base from which domain specific simulators can be modeled, verified, and developed. PVS constructs are developed to represent basic Time Warp constructs. Correctness conditions for Time Warp simulation are identified, describing causal ordering of event processing and correct rollback processing. The PVS theorem prover and type-check condition system are then used to verify all correctness conditions. In addition, the paper discusses the framework's reusability and extensibility properties in support of specification and verification of Time Warp extensions and optimizations     

实时异常处理技术的探讨

在分析现有异常处理技术的基础上，比较了在程序语言及操作系统中实现异常处理的优缺点，然后讨论了实时系统中异常处理的本质需求、必要需求及性能目标。为设计出适合于实时系统的异常处理机制，从异常的表示、关键度的管理等几个方面进行了讨论，为实时异常处理的设计提供了指导原则。最后对实时异常设计进行了总结，同时展望了该领域内的相关工作及发展方向进行。     

A formal framework for business process modelling and design

We present a formal framework for enterprise and business process modelling. The concepts of our framework (objectives and goals, roles and actors, actions and processes, responsibilities and constraints) allow business analysts to capture enterprise knowledge in a way that is both intuitive and mathematically formal. We also outline the basic steps of a methodology that allows business analysts to produce detailed, formal specifications of business processes from high-level enterprise objectives. The use of a formal language permits us to verify that the specifications possess certain correctness properties, namely that the responsibilities assigned to roles are fulfilled, and that constraints are maintained as a result of process execution.     

CRDT协议的TLA+描述与验证

无冲突复制数据类型（conflict-free replicated data types，简称CRDT）是一种封装了冲突消解策略的分布式复制数据类型，它能保证分布式系统中副本节点间的强最终一致性，即执行了相同更新操作的副本节点具有相同的状态.CRDT协议设计精巧，不易保证其正确性.旨在采用模型检验技术验证一系列CRDT协议的正确性.具体而言，构建了一个可复用的CRDT协议描述与验证框架，包括网络通信层、协议接口层、具体协议层与规约层.网络通信层描述副本节点之间的通信模型，实现了多种类型的通信网络.协议接口层为已知的CRDT协议（分为基于操作的协议与基于状态的协议）提供了统一的接口.在具体协议层，用户可以根据协议的需求选用合适的底层通信网络.规约层则描述了所有CRDT协议都需要满足的强最终一致性与最终可见性（所有的更新操作最终都会被所有的副本节点接收并处理）.使用TLA+形式化规约语言实现了该框架，然后以Add-Wins Set复制数据类型为例，展示了如何使用框架描述具体协议，并使用TLC模型检验工具验证协议的正确性.