The JKind Model Checker

Gacek, Andrew; Backes, John; Whalen, Michael W.; Wagner, Lucas; Ghassabani, Elaheh

doi:10.1007/978-3-319-96142-2_3

Cited by 46 publications

(25 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Algorithm A: Using AGREE configured to utilize the JKind k-induction model checker [7] and the Z3 SMT solver, we have proven Theorem 1, that Algorithm A converges within 2T , for N = 1, 2, 3, 4, 5, and 6 UAVs. Computation time prevented us from analyzing more than six UAVs.…”

Section: Formal Analysis Resultsmentioning

confidence: 97%

“…AGREE then attempts to verify that (a) component assumptions hold given system assumptions, and (b) system guarantees hold given component guarantees. AGREE poses this verification problem as a satisfiability modulo theory (SMT) problem [4] and uses a k-induction model checking approach [7] to search for counterexamples that violate system-level guarantees given system-level assumptions and component-level assume/guarantee contracts. The language used by AGREE is an "annex" to the Architecture Analysis and Design Language (AADL) [5].…”

Section: Formal Modelsmentioning

confidence: 99%

See 1 more Smart Citation

When Human Intuition Fails: Using Formal Methods to Find an Error in the “Proof” of a Multi-agent Protocol

Davis¹,

Humphrey

Kingston

2019

Computer Aided Verification

View full text Add to dashboard Cite

Designing protocols for multi-agent interaction that achieve the desired behavior is a challenging and error-prone process. The standard practice is to manually develop proofs of protocol correctness that rely on human intuition and require significant effort to develop. Even then, proofs can have mistakes that may go unnoticed after peer review, modeling and simulation, and testing. The use of formal methods can reduce the potential for such errors. In this paper, we discuss our experience applying model checking to a previously published multi-agent protocol for unmanned air vehicles. The original publication provides a compelling proof of correctness, along with extensive simulation results to support it. However, analysis through model checking found an error in one of the proof's main lemmas. In this paper, we start by providing an overview of the protocol and its original "proof" of correctness, which represents the standard practice in multi-agent protocol design. We then describe how we modeled the protocol for a three-vehicle system in a model checker, the counterexample it returned, and the insight this counterexample provided. We also discuss benefits, limitations, and lessons learned from this exercise, as well as what future efforts would be needed to fully verify the protocol for an arbitrary number of vehicles.

show abstract

Section: Formal Analysis Resultsmentioning

confidence: 97%

Section: Formal Modelsmentioning

confidence: 99%

When Human Intuition Fails: Using Formal Methods to Find an Error in the “Proof” of a Multi-agent Protocol

Davis¹,

Humphrey

Kingston

2019

Computer Aided Verification

View full text Add to dashboard Cite

show abstract

“…Two software tools are used to initiate the cyber-attack scenarios generation and visualization, as shown in Figure 2. These tools are JKind model checker [45] and Microsoft Visual Studio [46]. JKind is an infinite state model checker for verifying safety properties of synchronous systems [47], which are written in the Lustre, a formally determined, declarative, and synchronous dataflow programming language for programming reactive systems [48].…”

Section: Implementation Of Cyber-attack Scenariosmentioning

confidence: 99%

Attack Graph Implementation and Visualization for Cyber Physical Systems

et al. 2019

View full text Add to dashboard Cite

Cyber-attacks threaten the safety of cyber physical systems (CPSs) as a result of the existence of weaknesses in the multiple structural units constituting them. In this paper, three cyber physical systems case studies of a pressurized water nuclear power plant (NPP), an industrial control system (ICS), and a vehicular network system (VNS) are examined, formally presented, and implemented utilizing Architecture Analysis and Design Language, determining system design, links, weaknesses, resources, potential attack instances, and their pre-and post-conditions. Then, the developed plant models are checked with a security property using JKind model checker embedded software. The attack graphs causing plants disruptions for the three applications are graphically visualized using a new graphical user interface (GUI) windows application.Processes 2020, 8, 12 2 of 22 aiding designers in implementing prevention strategies through making risk analysis [6]. The novelty of this work lies in presenting a model-based technique for implementing attack graphs for three cyber physical systems (CPSs): a nuclear power plant (NPP) control system, an industrial control system (ICS), and a vehicular network system (VNS). This demands a general specification of systems models and the security properties being studied. The models and their security properties are encoded using Architecture Analysis and Design Language (AADL) [7] and verified using JKind model checker embedded software [8]. The generated graphs are visualized using a new graphical user interface (GUI) windows application implemented with C# language in Microsoft Visual Studio (VS) [9]. This paper extends the conference version [10] significantly by introducing a newly developed visualizer Windows application that creates a GUI that is encoded using C# within Microsoft VS. The JKind model checker generates significantly large spreadsheet attack scenarios. Therefore, the visualizer Windows application manages the number of rows of the produced attack scenarios and represents them in an appealing, user friendly, graphical way. Simulation results are shown for the NPP system, the ICS, and the VNS.The contribution of this work is twofold. First, system models are formalized for three CPS case studies. The formal descriptions capture the architectural specifications of the systems-their elements and their connectivity. In addition to that, the descriptions capture systems behaviors-their dynamic state variables, pre and post conditions of the attacks instances, and the security properties. The models are encoded using AADL, translated to Lustre using Assume Guarantee Reasoning Environment (AGREE), and finally checked using JKind. The generated attack scenarios are fed to a newly developed visualizer Windows application that can graphically illustrate a specific attack sequence of interest, its spread sheet, and the complete attack graph. The remainder of this paper is assembled as follows. Section 1.1 revises the related work. Section 2 describes the NPP system. Section 3 pre...

show abstract

“…There exist different types of model checkers but for our use cases (checking safety properties on embedded software), the most suitable are the ones that use induction and SMT (Satisfiability Modulo Theories) solvers, for example Kind2 (University of Iowa) [5], JKind (Rockwell Collins) [10], Prover Plugin also known as Design Verifier (Prover Technologies) and GATeL (CEA). They generally translate a model written in a synchronous dataflow formal language such as Lustre [3] into first-order logic formulas which are then checked for satisfiability by the solver.…”

Section: Model Checkingmentioning

confidence: 99%

Formal verification of automotive embedded software

Todorov

Boulanger

Taha

2018

Proceedings of the 6th Conference on Formal Methods in Software Engineering

View full text Add to dashboard Cite

The ever-increasing complexity of automotive embedded systems and the need for safe advanced driver assistance systems (ADAS) represent a great challenge for car manufacturers. Furthermore, we expect that in the near future, authorities require a software certification in order to get convinced that ADAS are safe enough. Theoretical research and experience show that when using conventional design approaches it is impossible to guarantee high confidence to those systems. The way taken by some industries (e.g. aerospace, railway, nuclear) was by partially using formal verification techniques.In this paper, we first present a background of the formal verification techniques and how they can contribute to achieve the requirements of some safety standards. Next, we share our experience with the application of those techniques that seem to be mature enough to be used in an industrial context: Static analysis based on Abstract Interpretation, SMT-based software Model checking and Deductive proof. Finally, we make a detailed analysis about our experiments and propose an approach introducing formal methods into the development of automotive embedded software.

show abstract

The JKind Model Checker

Cited by 46 publications

References 25 publications

When Human Intuition Fails: Using Formal Methods to Find an Error in the “Proof” of a Multi-agent Protocol

When Human Intuition Fails: Using Formal Methods to Find an Error in the “Proof” of a Multi-agent Protocol

Attack Graph Implementation and Visualization for Cyber Physical Systems

Formal verification of automotive embedded software

Contact Info

Product

Resources

About