# An Extensible Approach to Verification of Embedded Network Systems\*

Daniel Welch School of Computing, Clemson University Clemson, South Carolina, 29634 {dtwelch}@clemson.edu Takumi Bolte
School of Computing, Clemson University
Clemson, South Carolina, 29634
{tbolte}@clemson.edu

#### **ABSTRACT**

In this paper we present a flexible means of specifying and verifying the correctness of software for embedded network systems. Our approach uses RESOLVE, an imperative, component based programming and mathematical specification language, to verify the functional correctness of embedded applications. In doing so, we enrich the work originally presented in [1] with the following: A model view controller (MVC) based implementation of a RESOLVE to C translator, a dynamic memory allocation scheme tailored towards embedded systems running the code generated by our tool, and the addition of a new language keyword that enables users to pair custom RESOLVE specifications with 'externally' implemented (non-native RESOLVE) realizations. We demonstrate these additions on an LED (Light emitting diode) driver that showcases recent mathematical developments, as well as formal verification of a toggling capability enhancement that we demonstrate running on a Telos mote

#### Categories and Subject Descriptors

D.2.8 [Software Engineering and Data Communication]: Verification—VCs, automated proving, modular software

#### **General Terms**

Reliability, Verification, Languages, Networks

#### Keywords

automation, components, formal methods, specification, verifying compiler, embedded networks, wireless sensing

#### 1. INTRODUCTION

Within little more than a decade, the area of embedded network systems and wireless sensing has exploded in popularity within industry and academia alike. Tempering however this extremely quick rise in popularity is the inherent

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

Clemson 2014 7th Clemson University Mini-Conference on Embedded Network Systems

Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...\$15.00.

difficulties in developing applications that function as intended in low power, event-driven environments. In response to these difficulties, a variety of tools and languages have been put forth to help ease the burden on developers. On one end of this effort are languages such as NesC, (Network embedded sensor C) which strive to minimize concurrency issues and other common sources of error by hiding libraries of pre-written drivers underneath hierarchies of software and interface level abstractions. The other end of this effort is largely comprised of simulation tools such as TOSSIM, Cooja, and Arora that make use of high-fidelity simulations to model networks offline in controlled, repeatable environments. Though these and other tools have indeed proven invaluable in allowing users to test and reason about eventdriven code prior to deployment, they remain incapable of providing complete assurance that code will behave as expected when deployed in the field.

We approach this problem by using RESOLVE (Reusable SOftware Language with VErification) as means of authoring, specifying, and ultimately verifying code for embedded network systems. Our decision to use RESOLVE as a language frontend – as opposed to verifying C code directly – ultimately stems from a verification amenability standpoint: Not only does RESOLVE prohibit verification crippling operations such as uncontrolled referencing and aliasing (prevalent in C and many other current languages)[2], but also embodies a number of other characteristics ideal for embedded platforms including:

- Modularity RESOLVE enforces a strict separation of concerns between module specifications and client implementations. As a result, for any one particular specification, there can be any number of interchangeable implementations. This separation is ideal considering that many embedded applications happen to fit this pattern nicely: Various drivers oftentimes provide a common set of functionality, but in general have many distinct implementations that vary arbitrarily from platform to platform, vendor to vendor.
- Mathematical flexibility RESOLVE offers a rich, mathematical type system that allows users to either draw from a library of preexisting mathematical units when writing specifications, or simply create their own. This is ideal in a setting where drivers might encompass a wide spectrum possible applications, where each might require unique, new mathematical developments.

The paper is organized as follows: First, we open with a brief overview of the Telos mote platform. Next, we present

revised specifications of an LED driver component with a formally verified enhancement. This section is concluded with a review of verification results, and a discussion of any relevant theorems and verification conditions (VCs) used. The remainder of the paper is spent detailing the model of C code generated by the tool, giving a quick overview of generation process itself, and detailing a dynamic, stack-based memory allocation tool utilized by the translated code. We conclude with suggestions for tool improvements, as well as a review of some longer term research goals.

#### 2. THE TELOS PLATFORM

The Telos mote [3] is a programmable, low power, wireless sensing device developed at UC Berkeley. Its hardware includes an msp430 microcontroller containing 128 bytes of RAM and 10kB of programmable flash memory. A cc2420 radio stack provides the mote with broadcast and receiving capabilities, while optional sensing capabilities may be added in the form of light, humidity, and temperature sensors. The mote also contains three onboard LEDs: One blue, one red, and one green.

# 3. SPECIFIYING LED BEHAVIOR IN RE-SOLVE

In this section, we provide mathematical and programmatic elements of an LED strip component to give readers both a concrete look at the language, and introduce some new features aimed at making it more amenable to the development of embedded applications. Note that while we provide the level of detail necessary to understand the current example, readers interested in gaining a more complete, in depth knowledge of the language are encouraged to refer to [4, 5].

## 3.1 Concepts

In RESOLVE, programs are composed of several different modules that range from interfaces and realizations, to client (facility) modules. A *concept* module in RESOLVE defines a specification for a mathematical, abstract type. Similar to an interface in Java, a concept provides a number of operation signatures that implementors are expected to realize. Shown below is a LED\_Template concept that provides a light strip abstraction.

```
requires 0 <= i < |L|;
ensures Status = Element_At(i, L);</pre>
```

end LEDs\_Template;

We model our conceptual LED strip using a mathematical string (finite sequence) of booleans, denoted Str(B), where each boolean within the string indicates the status of that particular LED: On (true) or off (false). The exemplar clause located immediately below provides a handle to this abstract model, and is used throughout the remainder of the specification.

It's worth noting that unlike the LED\_Template presented in [1] which models an LED as the *cartesian product* of booleans  $b_0, b_1, \ldots, b_4$ , the strip model we present here instead uses strings for the following reasons:

- Strings are indexible, and thus do not require separate
   Set and Status operations for each individual LED.
- This approach demonstrates the benefits of reusable mathematical theories. The specifications listed here are based (almost) entirely in String\_Theory and are therefore able to make use of RESOLVE's pre-existing math libraries.

Finally, the concept provides two operations. The first, Set, takes as a parameter an instance of an LED strip L, a boolean b, and an integer i. The operation requires that i falls within the length of the strip, and ensures two things upon completion: The length of the outgoing strip L is the same as the incoming strip, #L, and that the LED in position i of L is set to boolean b. The Status operation is specified similarly.

#### 3.2 Enhancements

RESOLVE also allows users to extend the functionality provided by the base concept through *enhancements* – a form of specification inheritance. The enhancement we provide here, Toggling\_Capability, allows users to flip a specific LED to its complement.

Shown below is a specification for Toggling\_Capability and one particular realization of it.

Enhancement Toggling\_Capability for LEDs\_Template;

```
Oper Toggle(upd L : LED; eval i : Integer);
    requires 0 <= i < |L|;
    ensures Element_At(i, L) =
        not(Element_At(i, #L));
end Toggling_Capability;

Realization Toggling_Realiz for
        Toggling_Capability of LEDs_Template;

Proc Toggle(upd L : LED; eval i : Integer);
    Var Content : Boolean;

Content := Status(L, Replica(i));
    Set(L, Not(Content), Replica(i));
    end Toggle;
end Toggling_Realiz;</pre>
```

The enhancement specifies a single operation, Toggle, which states that upon termination, the LED located at position i

in L is the complement of that same location in the incoming LED, #L.

Note that the enhancement specifications themselves look and function largely the same as a normal concept: Each specifies a purely conceptual module, and hence is implementation neutral.

Enhancement realizations are neutral as well since any method called within the context of an enhancement realization refers to the operation specified in the concept—meaning no knowledge of implementation details is required.

#### 3.3 Verification

We now turn to the task of verifying our small toggling enhancement. The first step in doing so is to generate Verification Conditions (VCs) for Toggle\_Realiz, which, if proven, will establish the correctness of this particular implementation. One thing to note about the VCs themselves is that they are generated from specific lines of a realization, and exist to ensure that the content of the realization is consistent with its specification: This entails checking for things such as array access boundary violations, etc.

| Condition # | Time (ms) | Steps | Search |
|-------------|-----------|-------|--------|
| VC 0_1      | 4426      | 5     | 0      |
| $VC 0_2$    | 5039      | 5     | 0      |
| $VC 0_3$    | 6324      | 6     | 0      |

Figure 1: Verification results for operation Toggle

As the results summarized in Figure 1 indicate, using RE-SOLVE's integrated prover, we are able to mechanically and automatically dispatch all VCs for Toggling\_Realiz, thus verifying its correctness. In terms of proof difficulty, given the number of steps and time taken to establish each, we conclude that the VCs generated were of a straightforward variety. Readers interested however in learning more about the steps and specific actions the prover takes in transforming givens and dispatching similar (and more complex) VCs should refer to [6].

## 3.4 Facilities

With our formally specified LED strip component in place – and a verified enhancement on this component – we now turn to a small embedded application that combines these elements to iteratively toggle the lights within an LED strip.

Shown below is a RESOLVE facility module that implements the client logic of this embedded application.

```
(* Declare an LED strip *)
        Var L : Led;
        I1 := 1; I2 := 2; I3 := 3;
        Loop := True();
        While(Loop)
            changing Loop;
            maintaining ...
            Leds_Fac.Toggle(L, I1);
            Std_Clock_Fac.Wait_500_Milli_Seconds();
            Leds_Fac.Toggle(L, I2);
            Std_Clock_Fac.Wait_500_Milli_Seconds();
            Leds_Fac.Toggle(L, I3);
            Std_Clock_Fac.Wait_500_Milli_Seconds();
        end:
    end Main;
end LED_Telos_Demo;
```

Prior to using the LED component developed in the previous sections, we first must bind our LED\_Template specification with an appropriate realization. This is accomplished via the facility declaration located directly beneath the uses clause, which pairs the specification (LED\_Template) with a realization (Std\_Led\_Realiz). Note that the ability to toggle is added on top of this facility declaration in a similar fashion. The remaining bulk of logic driving the application rests in the non terminating busy loop inside operation Main, where we use our enhancement-provided Toggle operation to successively turn each light within the strip on, then off.

## 3.5 "External" Realization Support

Readers might note that we never presented a realization of LED\_Template. Indeed, after having written the concept, the RESOLVE programmer would ideally provide it with a verifiable, native RESOLVE implementation. However, as our target platform is embedded, and our concept aims to provide control for LEDs – a decidedly low level feature on embedded hardware – our realization is forced to operate at similarly low levels by directly manipulating hardware pins provided by the msp430's chipset.

RESOLVE, however, in its current state is too high level of a language to perform these tasks directly – meaning it lacks the appropriate driver and language support to do so. In an effort to address this, we introduce the notion of external realizations, which allow users to write their own realization of a concept in a language of their choosing.

The LED\_Telos\_Demo facility above demonstrates these developments through its use of the "externally realized" phrase. This signals to the RESOLVE compiler that the user is providing a non-native realization of LED\_Template, with the expectation that it conforms to the specifications dictated in the concept.

We feel this new keyword is beneficial for the following reasons:

The language no longer must "hide" the fact that some
of the lower level components relied upon are not written in straight-line, native RESOLVE code. The "externally" keyword now transparently indicates this.



Figure 2: A diagram illustrating inter-component relationships for the example in Section 3. The files listed in cloud shapes indicate externally realized components, while the dotted line separating these from others indicates the current boundary between the lowest-level, hardcoded components in RESOLVE, and native RESOLVE abstractions sitting on top of these hardcoded components.

 Provides flexibility for those users looking to wrap their low-level programs/drivers with formal RESOLVE interface specifications.

In the context of embedded systems, these developments are especially useful as we can now write custom, low level drivers of the sort required for most embedded applications (e.g. LED strip drivers) while still providing extensible, formally specified interfaces. It is our hope and intention that new (native) RESOLVE components will be layered on top of these low level, externally realized (yet specified) drivers – eventually reaching a level of abstraction where we can concern ourselves exclusively with verified, native RESOLVE components.

#### 4. IMPLEMENTATION

Development of our C translation tool can be logically partitioned into three distinct phases:

- 1. Arriving at a translation model (or, strategy) for an accurate C representation of RESOLVE.
- 2. Implementing reusable mechanisms for carrying out the C code generation process.
- Creation of a memory manager capable of safely allocating and freeing dynamic memory required by the generated code.

We conclude this section with a demonstration of each of these phases working in tandem on the LED component discussed in Section 3.

#### 4.1 C Translation Model

One of the primary challenges in translating from RE-SOLVE to C is finding a suitable C analog for each RE-SOLVE module and the constructs allowable in each. Indeed, since we are dealing with an environment where functional correctness is a primary concern, it is important that the code generated by our tool represents as closely as possible the original RESOLVE source. In an effort to make such



Figure 3: Relationship between RESOLVE module types and the C code generated from each.

considerations, at the highest level, the C code we generate makes special considerations for concepts, facilities, and realizations. This scheme is depicted in Figure 3 and briefly summarized in Sections 4.1.1 - 4.1.3.

#### 4.1.1 Concepts

Concept modules produce a single .h file, which provide function pointers for the operations specified in the original concept, as well as structs representing each user defined type.

#### 4.1.2 Facilities

Facilities produce an .h/.c pair: The header .h declares both a "create" and "destroy" method which, taken together,

encapsulates the creation and destruction of all global variables used within the facility. The .c provides an implementation of these methods. Note that these create and destroy methods are only responsible for freeing *global* variables — meaning all other translated functions are responsible for deallocating their own local variables.

#### 4.1.3 Realizations

We treat realizations of concepts and enhancements slightly different than facility modules. While a .h/.c pair is still produced, the create method designated in the header for realizations is designed to create instances of all types specified by the concept, while the destroy method deallocates these types – as opposed to simply destroying user created globals.

## 4.2 Translator Implementation

Translation itself occurs over the course of a traversal of RESOLVE's abstract syntax tree (AST) – an intermediate representation of RESOLVE code. The traversal mechanism utilized is a derivative of the visitor pattern that provides a pre post traversal over all nodes in the tree.

To illustrate the general process of producing runnable C from RESOLVE code, consider the following dummy operation:

```
Operation Nothing(); Procedure
     Var X : Integer;
     X := 3;
end Nothing;
```

Shown in Figure 4 is a high level depiction of steps taken in translating this operation to C. The first box depicts the AST of Nothing, where nodes are represented with boxes labeled by the constructs they contain. Throughout the walk of this tree, useful information (such as the operation's name, "Nothing") are extracted from the nodes containing these constructs, and added to a user defined string-template<sup>1</sup>, in this case: c\_function\_def.

In the context of RESOLVE to C translation, these templates, when filled during the aforementioned pre-post visitor traversal of RESOLVE's AST, help simplify the task of producing complicated, arbitrarily nested blocks of structured C output by keeping translation logic strictly within the C translator, and output logic strictly within the templates.

That is, the only actual work being performed within the C translator is forwarding information gathered from individual treenodes, to a series of externally defined templates. This allows us to exploit (in design pattern parlance) a strict model view controller (MVC) separation in the translator's codebase between the mechanism that does the AST visiting (controller), the tree nodes from which we're adding information to templates (model), and the external file containing all available C language templates which shape our output (view).

We feel this approach lends itself well to the challenge discussed in this paper, as this separation allows us to easily iterate changes to our generated C code without needing to concern ourselves with the Java written inside the compiler itself. This allows us to easily and iteratively tweak generated code – making arbitrarily complicated changes and optimizations, some of which are detailed later in Section #.

## 4.3 Memory Allocation

Any model seeking to convert RESOLVE to a lower level representation such as C demands a strategy for handling any memory utilized by the generated code. While dynamic allocation is typically the norm, it is not however the first choice for embedded applications. With the Telos mote constrained to 128 bytes of RAM, developers targeting embedded platforms tend to favor static memory allocation over dynamic, due the memory efficiency it affords.

In spite of this, our reasoning for choosing to pursue dynamic allocation over static, rests in the language itself. Being a language that relies heavily on the notion of formally specified objects (components), everything in RESOLVE from the 'primitive' types such as booleans and integers, to the more complicated (user defined) ones such as Stacks and Queues, are modeled, specified, and implemented in the same way: Using the standard RESOLVE machinery discussed in Section 3.

As such, even the simplest RESOLVE programs still rely heavily on the notion of objects coming and going. Thus, from a verification perspective, creating a tool that allows our translated code to create and destroy such objects in the manner the language itself uses is an important component to capture in formally verified code.

#### 4.3.1 Allocation using salloc

The particular allocation scheme that we chose to use is salloc(): A first fit memory allocator. Rather than allocating memory on the heap, salloc() instead uses the stack. At compilation, the allocator provisions a fixed size of memory. It requires a small section of meta-data called a block which contains information of about the size of memory allocated, neighboring blocks, as well if the block is free or not. A sample representation of the stack shown in figure 4.3.1, is a typical example of allocated memory on the stack.



Figure 5: Representation of memory stack

#### 4.3.2 Deallocation using sfree

A memory allocator must provide a mechanism to release, or free memory in order to indicate that it is not being used and can be reallocated for something else. The sfree() operation is an analogous implementation to the standard C free() function for the stack.

#### 4.3.3 Optimizations

A common problem that can occur in memory allocation is fragmentation. As shown in figure 4.3.3, fragmentation can lead to inefficient and increased memory usage. This problem is magnified on embedded systems with limited memory capabilities. Simple optimizations can be made however to reduce fragmentation. Splitting is one optimization that salloc() to maximize memory usage. Shown in figure 4.3.3,

<sup>&</sup>lt;sup>1</sup>A template can simply be thought of as a "document with holes" which the user choses when and how to fill.



Figure 4: The general flow of information from the AST (first), to user defined templates (middle), ending with formed output (last).



Figure 6: sfree to free memory

blocks can be split to the size that is required. Another means of optimizing memory usage is joining together freed blocks. When a call to sfree() is made, neighboring blocks are coalesced together, as shown in figure 4.3.3.



Figure 7: fragmentation



Figure 8: block splitting

## 4.4 An LED Implementation

```
void LED_Telos_create() {
Std_Boolean_Fac_create();
```



Figure 9: block fusing

```
Std_Integer_Fac_create();
Std_Clock_Fac_create();
r_type_ptr __arg_0 = Std_Integer_Fac_Var.core->createFromInteget
LED_Telos_Facility_Var.core = new_Std_LED_Realiz_for_Leds_Templ
LED_Telos_Facility_Var.Toggling_Capability = new_Toggling_Capability_Std_Integer_Fac_Var.core->Integer->destroy(__arg_0, Std_Integer_})
```

#### 5. ACKNOWLEDGEMENTS

Special thanks to Mike Kabanni, Mark Todd, and Bruce Weide whose suggestions and initial contributions in constructing the current model of RESOLVE to C translation made this work possible.

#### 6. REFERENCES

- Kalyan Regula. A verifying compiler for embedded networked systems. Master's thesis, Clemson University, 2010.
- [2] Gregory W. Kulczycki. Direct Reasoning. PhD thesis, Clemson University, 2004.
- [3] J. Polastre, R. Szewczyk, and D. Culler. Telos: enabling ultra-low power wireless research. In Information Processing in Sensor Networks, 2005. IPSN 2005. Fourth International Symposium on, pages 364–369, April 2005.
- [4] Murali Sitaraman, Bruce Adcock, Jeremy Avigad, Derek Bronish, et al. Building a push-button RESOLVE verifier: Progress and challenges. Form. Asp. Comput., 23(5):607–626, September 2011.

- [5] Gregory Kulczycki, Murali Sitaraman, Kimberly Roche, and Nighat Yasmin. Formal specification. In Wiley Encyclopedia of Computer Science and Engineering. John Wiley & Sons, Inc., 2008.
- [6] Hampton Smith. Engineering Specifications and Mathematics for Verified Software. PhD thesis, Clemson University, 2013.