The Move Prover (MVP) is a formal verifier for smart contracts written in the Move programming language. MVP has an expressive specification language, and is fast and reliable enough that it can be run routinely by developers and in integration testing. Besides the simplicity of smart contracts and the Move language, three implementation approaches are responsible for the practicality of MVP: (1) an alias-free memory model, (2) fine-grained invariant checking, and (3) monomorphization. The entirety of the Move code for the Diem blockchain has been extensively specified and can be completely verified by MVP in a few minutes. Changes in the Diem framework must be successfully verified before being integrated into the open source repository on GitHub.
This file is referenced by the author's TACAS19 paper. It shows the verification result that the Linear Controller Verifier (LCV) produces for the Erle-Copter controller in the paper.
This file is referenced by the author's TACAS19 paper. It shows the verification result that the Linear Controller Verifier (LCV) produces for the controller PID4 in the paper.
Many safety-critical cyber-physical systems have a software-based controller at their core. Since the system behavior relies on the operation of the controller, it is imperative to ensure the correctness of the controller to have high assurance for such systems. Nowadays, controllers are developed in a model-based fashion. Controller models are designed, and their performance is analyzed first at the model level. Once the control design is complete, the software implementation is automatically generated from the mathematical model of the controller by a code generator. To assure the correctness of the controller implementation, it is necessary to check that the code generation is done correctly. Commercial code generators are complex black-box software that is generally not formally verified. Subtle bugs have been found in commercially available code generators that consequently generate incorrect code. In the absence of verified code generators, it is desirable to verify instances of implementations against their original models. Such verification should be performed from the input-output perspective, because correct implementations may have state representations that differ from each other for several possible reasons (e.g., the code generator's choice of state representation, optimizations used in the code generator, and code transformation). In this dissertation, we propose several methods to verify a given controller implementation against its given model from the input-output perspective. First, we propose a method to derive assertions from the controller model and check whether the assertions are invariants of the controller implementation via a proposed toolchain based on a popular deductive program verification framework.
Moreover, we propose an alternative, more scalable method that extracts a model from the controller implementation using symbolic execution, and compares the extracted model to the original controller model using state-of-the-art constraint solvers. Lastly, we extend the latter method to correctly account for the rounding errors in the floating-point computation of the controller implementation. We demonstrate the scalability of our proposed approaches through evaluation with randomly generated controller specifications of realistic size.
In order to design a resilient system with multiple sensors, one of the important things we should consider is the sensor fusion model. Two main classes of sensor models are usually considered: probabilistic [1] and abstract [2]. The difference between the two models is the assumption about the noise distribution. The former assumes pre-designed noise distributions (e.g., Gaussian). The latter makes fewer assumptions about the noise distribution. In a typical environment, the sensor noise usually follows a certain noise distribution. However, the former model might not work well in practice in certain environments, since a large number of noise factors can easily affect the source of noise. Therefore, we propose a noise-adaptive system which switches between the abstract and probabilistic model according to the measurement distributions.
2016 IEEE 22nd International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 2016
Since Cyber-Physical Systems (CPS) are widely used in many safety-critical domains these days, critical properties such as robustness and resilience are required for such systems. To increase the robustness and the resilience of CPS, various sensor fusion techniques have been studied [1], [2], [3], [4]. These fusion techniques are based on certain sensor models, which broadly fall into two categories: the probabilistic model and the abstract model. The probabilistic sensor model [1] uses certain noise distributions on sensors (e.g., Gaussian), which is well suited for analyzing the system's expected performance in the average case. However, wrong assumptions about noise distributions may leave the system vulnerable to sensor attacks. On the other hand, the abstract sensor model [2] uses the worst-case error bound of sensors. Thus, this model is well suited for the system's worst-case performance, which is highly relevant to the case of sensor attacks [3]. In this work, we study a hybrid s...
Papers by Junkil Park