Software Verification for Sensor Nodes

We look at software written for wireless sensor nodes, and specialize and develop on the state of the art in software verification techniques for standard C programs (CBMC and SatAbs from the CProver suite) in order to locate programming errors in sensor applications before the software’s deployment on motes. Ensuring the reliability of sensor applications is an exemplary difficult problem for the validation and verification field: low-level, interrupt-driven or multithreaded code runs without memory protection in dynamic environments, and the difficulties lie with: 1. being able to automatically extract standard C models out of the particular flavours of embedded C used for one sensor programming solution or another, 2. decreasing the program’s state space to a degree that allows the resulting tool to be practically useful, and 3. writing specifications which capture non-trivial behaviour. This report describes two such approaches. One is a software verification tool for platform-independent, OS-dependent sensor programs: multithreaded TinyOS applications written over the C TOSThreads library. This approach of verifying one module at a time naturally decreases the program’s state space, such that—even as the application is multithreaded—safety specifications over fairly complex monitoring applications can be verified in under one hour’s time. In order to automatically extract a correct model out of the single TOSThreads module, we need to manually construct brief models of those OS driver modules called by the application. The resulting program is then passed to SatAbs [8], a software verifier for multithreaded ANSI C, with specifications (written as C assertions) pinpointing incorrect interface use and incorrect adaptation to environmental input. The other is a platform-dependent, OS-independent orthogonal approach: a software verification tool for large, OS-wide programs written in MSP430 embedded C with asynchronous hardware interrupts. Our tool automatically translates the program into standard C by replacing direct memory access with a model of the MCU’s memory map. A number of calls to hardware interrupt handlers are inserted into the main application to emulate the existence of hardware, and their occurrence is minimized with a partial-order reduction technique, in order to decrease the program’s state space. Safety specifications are written as C assertions embedded in the code. The resulting sequential program is then passed to CBMC [7], a bounded software verifier for sequential ANSI C. Besides memory-related errors (e.g., out-of-bounds arrays, null-pointer dereferences), this tool chain verifies application-specific assertions, including low-level assertions upon the state of the registers and peripherals. Verification for wireless sensor network applications is an emerging field of research. To the publication date of our tools [4, 5], little specialized work existed on the topic; we overview both background and subsequent work on the topic and draw a comparison.