Java in Safety-Critical Systems: The HIJA Profile
Correctness Proof for (Real-Time) Java Applications
Dr. Fridtjof Siebert, Director of Development, aicas GmbH
Java Forum, Stuttgart, 7 July 2005
Who is aicas GmbH?
- Founded in March 2001 in Karlsruhe, Germany
- Products: real-time Java implementations
- Today: 18 employees, offices in Karlsruhe (D), Berlin (D) and New Haven, CT (USA)
HIJA Project: High-Integrity Java
Project overview:
- 6th Framework Programme, EC-funded project
- Started June 2004; duration 27 months, until August 2006
- Project coordinator: The Open Group
Project partners: (shown as logos on the original slide; not preserved in this text)
Project Overview: Goals
- Identify suitable computational models
- Contribute to functional and non-functional analysis
- Develop profile-based reference implementations
- Work is based on results of earlier projects: HIDOORS, AJACS, Expresso, KeY, etc.
Project Overview: Profiles
Three main profiles are defined; all of them are subsets of the Java language, the standard APIs and the Real-Time Specification for Java (RTSJ):
- Safety-Critical profile: certification up to the highest criticality level (DO-178B Level A)
- Business-Critical applications
- Flexible Dynamic Systems (OSGi, etc.)
HIJA SC-Java Profile: Guiding Principles
- Conservative approach: no concepts that go too far for the safety-critical community
- Do not fragment the market: base the specification on standard Java and the RTSJ; SC-Java programs should run on any RTSJ JVM
- Use of annotations for off-line checking
Safety-Critical Profile
Severe restrictions on Java and the RTSJ:
- Clear distinction between an initialization phase and a mission phase
- No dynamic loading, thread creation, etc. during the mission phase
- No GC
- Strict partitioning:
  - Memory: local memory area for each task
  - CPU utilization
- Use of annotations to document the correctness of classes
Business-Critical Profile
Relaxations compared to the safety-critical profile:
- No distinction of phases (initialization vs. mission)
- Dynamic features (GC, thread creation, etc.) permitted for non-critical tasks
- Strict partitioning for critical tasks:
  - Memory: local memory area for each task
  - CPU utilization
- Use of tools to prove the correctness of critical tasks
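The initialization/mission split of the safety-critical profile, as an added illustration in plain Java. This is not code from the slides, from aicas or from the HIJA project, and it does not use the RTSJ API: the class and method names are hypothetical, and a private pre-allocated byte buffer per task stands in for an RTSJ memory area. Tasks, their threads and their memory are created only during initialization; startMission() freezes that set, and a later creation attempt is rejected instead of silently allowed.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical two-phase mission skeleton; names are not from the HIJA profile. */
public class TwoPhaseMission {

    /** A task with a private, pre-allocated scratch area (stand-in for an RTSJ memory area). */
    public static final class Task implements Runnable {
        final String name;
        final byte[] scratch;            // allocated once, in the initialization phase
        int iterations;

        Task(String name, int scratchBytes) {
            this.name = name;
            this.scratch = new byte[scratchBytes];
        }

        /** Mission-phase work: touches only memory that existed before the mission started. */
        public void run() {
            for (int i = 0; i < 3; i++) {
                scratch[i % scratch.length] ^= (byte) i;
                iterations++;
            }
        }
    }

    private final List<Task> tasks = new ArrayList<>();
    private final List<Thread> threads = new ArrayList<>();
    private volatile boolean missionPhase = false;

    /** Initialization phase only: creates the task, its memory and its thread. */
    public Task addTask(String name, int scratchBytes) {
        if (missionPhase) {
            throw new IllegalStateException(
                "task/thread creation is not allowed in the mission phase: " + name);
        }
        Task t = new Task(name, scratchBytes);
        tasks.add(t);
        threads.add(new Thread(t, name));
        return t;
    }

    /** Switches to the mission phase: the set of threads and memory areas is frozen from here on. */
    public void startMission() {
        missionPhase = true;
        for (Thread th : threads) th.start();
    }

    public boolean inMissionPhase() { return missionPhase; }

    public static void main(String[] args) throws InterruptedException {
        TwoPhaseMission mission = new TwoPhaseMission();
        mission.addTask("sensor", 256);
        mission.addTask("actuator", 128);
        mission.startMission();
        try {
            mission.addTask("late-task", 64);      // violates the profile: rejected
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        for (Thread th : mission.threads) th.join();
        for (Task t : mission.tasks) {
            System.out.println(t.name + " ran " + t.iterations + " iterations");
        }
    }
}
```

The runtime gate in addTask() is the weakest form of the rule; in the profile itself the absence of thread creation and allocation during the mission phase is established off-line by annotations and analysis tools, so that no such check has to fail at runtime.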
HIJA Tools
Tools for the correctness proof of an application:
- DFA (data flow analysis) to prove the absence of runtime errors
- Formal verification using JML annotations (KeY)
- Model-checker based tools to verify distributed systems and multi-threading
HIJA Tool Chain (diagram; only the component names are preserved in this text)
- Inputs: Annotated Java Code, Auxiliary Annotations
- Compilation and build: javac (producing *.class), Builder (producing the Executable)
- Annotation handling: Annotation Parser/Editor, Annotation Checker
- Analyzers: Data Flow Analyzer, Network Analyzer, Schedule Analyzer, Model Checker, KeY, WC (worst-case) Memory Usage Analyzer, WC Execution Time Analyzer
- Intermediate artifacts: *.class, Flow Information, Constraints, Executable
- Runtime Monitoring of the Executable
HIJA Tools: DFA
Start with the following:
    calls  = { main() }    (set of calls)
    values = { }           (set of (variable, value) pairs)
Iterate:
    do {
        calls  := calls  ∪ { m() : c ∈ calls ∧ "m()" ∈ c }
        values := values ∪ { (a, x) : c ∈ calls ∧ "a = new X()" ∈ c }
                         ∪ { (a, v) : c ∈ calls ∧ "a = b" ∈ c ∧ (b, v) ∈ values }
    } until fix point is reached;
HIJA Tools: DFA
Difficulties that need to be managed:
- Analysis accuracy has to be high enough
- Analysis effort must not explode for non-trivial applications
Solution:
- Store context information with each value and call
- Reduce context information for types that cause explosion
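The fixpoint iteration from the DFA slide, carried out over a small constructed program representation, as an added example. This is not jamaica's analyzer and not code from the slides or from aicas: the toy representation (Stmt, Kind), the helper names and the sample program are assumptions made here, and the iteration is context-insensitive, i.e. it does not store the per-call context information the following slide describes. It needs Java 16 or later (records, arrow-form switch).

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/** Context-insensitive fixpoint iteration over a toy program representation (hypothetical names). */
public class DfaFixpoint {

    /** The three statement shapes the slide's rules handle: "m()", "a = new X()", "a = b". */
    enum Kind { CALL, NEW, ASSIGN }

    /** CALL: a = callee; NEW: a = variable, b = class; ASSIGN: a = target, b = source. */
    record Stmt(Kind kind, String a, String b) {}

    static Stmt call(String callee)               { return new Stmt(Kind.CALL, callee, null); }
    static Stmt alloc(String var, String clazz)   { return new Stmt(Kind.NEW, var, clazz); }
    static Stmt assign(String target, String src) { return new Stmt(Kind.ASSIGN, target, src); }

    /** calls = reachable methods; values = possible allocation classes per variable. */
    record Result(Set<String> calls, Map<String, Set<String>> values) {}

    static Result analyze(Map<String, List<Stmt>> program) {
        Set<String> calls = new LinkedHashSet<>(List.of("main"));   // calls = { main() }
        Map<String, Set<String>> values = new TreeMap<>();          // values = { }
        boolean changed;
        do {
            changed = false;
            for (String c : new ArrayList<>(calls)) {               // for each c in calls
                for (Stmt s : program.getOrDefault(c, List.of())) {
                    switch (s.kind()) {
                        // "m()" in c  ->  add m() to calls
                        case CALL -> changed |= calls.add(s.a());
                        // "a = new X()" in c  ->  add (a, X) to values
                        case NEW -> changed |= values
                                .computeIfAbsent(s.a(), k -> new TreeSet<>())
                                .add(s.b());
                        // "a = b" in c and (b, v) in values  ->  add (a, v) to values
                        case ASSIGN -> {
                            Set<String> src = values.getOrDefault(s.b(), Set.of());
                            if (!src.isEmpty()) {
                                changed |= values
                                        .computeIfAbsent(s.a(), k -> new TreeSet<>())
                                        .addAll(src);
                            }
                        }
                    }
                }
            }
        } while (changed);                                          // until fix point is reached
        return new Result(calls, values);
    }

    public static void main(String[] args) {
        // Constructed sample program; "dead" is never called from main and must not contribute.
        Map<String, List<Stmt>> program = new TreeMap<>();
        program.put("main", List.of(alloc("cfg", "Config"), call("init"), call("run")));
        program.put("init", List.of(assign("tmp", "cfg"), call("log")));
        program.put("run",  List.of(alloc("buf", "Buffer"), assign("out", "buf")));
        program.put("log",  List.of());
        program.put("dead", List.of(alloc("leak", "Big"), call("never")));

        Result r = analyze(program);
        System.out.println("reachable calls: " + r.calls());
        System.out.println("values:          " + r.values());
    }
}
```

For the sample program the loop needs three rounds: the first discovers init and run from main, the second propagates cfg's value into tmp and discovers log, and the third changes nothing, so the result is calls = [main, init, run, log] and values = {buf=[Buffer], cfg=[Config], out=[Buffer], tmp=[Config]}; leak, dead and never never appear because they are unreachable. Without context information every call site of a method shares one value set, which is exactly the accuracy problem the next slide addresses.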
HIJA Tools: DFA (example input)
Two threads that take the locks o1 and o2 in opposite order. The class `test`, the two lock objects and `main` are added here so that the fragment compiles; the original slide shows only the two thread bodies. The layout puts the two anonymous classes on lines 6 and 14 of test.java, matching the thread names in the DFA output on the next slide.

    public class test {
        static final Object o1 = new Object();
        static final Object o2 = new Object();

        public static void main(String[] args) {
            new Thread() {                   // anonymous class test$1
                public void run() {
                    synchronized (o1) {
                        synchronized (o2) { /* ... */ }
                    }
                }
            }.start();

            new Thread() {                   // anonymous class test$2
                public void run() {
                    synchronized (o2) {
                        synchronized (o1) { /* ... */ }
                    }
                }
            }.start();
        }
    }
Example DFA results

    > jamaica test -dfa
    NEEDEDSYNCS : 17 (17 locations out of 326)
    DEADLOCKS : 2 (2 locations out of 326)
    SCOPE CYCLES : 0 (0 locations out of 0)
    ILLEGAL ASSIGNMENTS : 0 (0 locations out of 167)
    CLASSCAST EXCEPTIONS : 0 (0 locations out of 33)
    ARRAY STORE EXCEPTIONS : 0 (0 locations out of 18)
    NULL POINTER EXCEPTIONS: 0 (0 locations out of 953)
    STACK USE: 1264 FOR THREAD: java/lang/finalizerthread
    STACK USE: 104 FOR THREAD: test$1: (test.java:6)
    STACK USE: 104 FOR THREAD: test$2: (test.java:14)
    STACK USE: 1764 FOR THREAD: INITIAL THREAD
    HEAP USE: 39680 FOR THREAD: java/lang/finalizerthread
    HEAP USE: 0 FOR THREAD: test$1: (test.java:6)
    HEAP USE: 0 FOR THREAD: test$2: (test.java:14)
    HEAP USE: 851200 FOR THREAD: INITIAL THREAD
    DFA DONE: 6431ms TRACED 334 VALUES and 1032 VALUE SETS.
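How the DEADLOCKS line can be derived from nested synchronized blocks, as an added example that is not jamaica's implementation and not code from the slides: each thread's nesting of monitors (outermost first, as a flow analysis would collect it at the inner synchronized statement) contributes edges outer -> inner to a lock-order graph, and a cycle in that graph is a potential deadlock. The class and method names are hypothetical; the input below is constructed from the test example plus a third, consistently ordered thread.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/** Lock-order graph check over per-thread monitor nestings (hypothetical names). */
public class LockOrderCheck {

    /** One nesting chain = the monitors a thread holds, outermost first, at some program point. */
    static Map<String, Set<String>> buildOrderGraph(List<List<String>> nestings) {
        Map<String, Set<String>> graph = new TreeMap<>();
        for (List<String> chain : nestings) {
            for (int i = 0; i < chain.size(); i++) {
                Set<String> inner = graph.computeIfAbsent(chain.get(i), k -> new TreeSet<>());
                inner.addAll(chain.subList(i + 1, chain.size()));   // edge: outer -> every inner lock
            }
        }
        return graph;
    }

    /** Reports one cycle per back edge found by DFS; a cyclic graph always yields at least one. */
    static List<List<String>> findCycles(Map<String, Set<String>> graph) {
        List<List<String>> cycles = new ArrayList<>();
        Deque<String> path = new ArrayDeque<>();
        Set<String> onPath = new HashSet<>();
        Set<String> finished = new HashSet<>();
        for (String lock : graph.keySet()) {
            dfs(lock, graph, path, onPath, finished, cycles);
        }
        return cycles;
    }

    private static void dfs(String lock, Map<String, Set<String>> graph, Deque<String> path,
                            Set<String> onPath, Set<String> finished, List<List<String>> cycles) {
        if (finished.contains(lock)) return;
        if (onPath.contains(lock)) {            // back edge: the path from 'lock' to here is a cycle
            List<String> cycle = new ArrayList<>();
            boolean collecting = false;
            for (String p : path) {              // ArrayDeque iterates head to tail, i.e. in path order
                if (p.equals(lock)) collecting = true;
                if (collecting) cycle.add(p);
            }
            cycles.add(cycle);
            return;
        }
        path.addLast(lock);
        onPath.add(lock);
        for (String inner : graph.getOrDefault(lock, new TreeSet<>())) {
            dfs(inner, graph, path, onPath, finished, cycles);
        }
        path.removeLast();
        onPath.remove(lock);
        finished.add(lock);
    }

    public static void main(String[] args) {
        // Constructed input: the two threads of the 'test' example plus a consistently ordered third one.
        List<List<String>> nestings = List.of(
            List.of("o1", "o2"),    // test$1: synchronized (o1) { synchronized (o2) { ... } }
            List.of("o2", "o1"),    // test$2: synchronized (o2) { synchronized (o1) { ... } }
            List.of("o1", "o3"));   // harmless: o3 is only ever taken while holding o1
        List<List<String>> cycles = findCycles(buildOrderGraph(nestings));
        System.out.println("lock-order cycles: " + cycles);   // [[o1, o2]]
    }
}
```

The single cycle [o1, o2] corresponds to the two locations jamaica reports (the inner synchronized statement of each thread); the o1 -> o3 edge adds no cycle because no thread ever takes o1 while holding o3. A real analyzer works on the value sets of the DFA rather than on lock names, so two syntactically different expressions that may evaluate to the same monitor object are still recognized as the same lock.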
HIJA Tools: KeY
Formal verification using JML and the KeY verifier. The original slides build the specification up step by step (pure, normal_behavior, requires, assignable, ensures, exceptional_behavior, signals); the complete specification reads as follows. The enclosing class and its constructor are added here so that the fragment compiles; the slides show only the field and the two methods.

    public class Example {
        private int[] array;

        public Example(int[] array) {
            this.array = array;
        }

        public /*@ pure @*/ int size() {
            return array.length;
        }

        /*@ public normal_behavior
          @   requires (index >= 0) && (index < size());
          @   assignable \nothing;
          @   ensures true;
          @ also
          @ public exceptional_behavior
          @   requires (index < 0) || (index >= size());
          @   assignable \nothing;
          @   signals (ArrayIndexOutOfBoundsException) true;
          @*/
        public int getelement(int index) {
            return array[index];
        }
    }
Current Status
First phase completed:
- Requirements document finished
- Methodology handbook draft
- Design documents finished
Tools development has started; first prototypes are running
Conclusion
- The RTSJ is now the established standard for real-time Java development.
- The HIJA project will make it possible to extend the application of the RTSJ to safety- and business-critical applications.
- Complementary tools for the correctness verification of applications are provided.
Project homepage: www.hija.info
www.aicas.com