Machine Checked Formal Proof of a Scheduling Protocol for Smartcard Personalization

Authors

  • Leonard Lensink
  • Sjaak Smetsers
  • Marko C. J. D. van Eekelen
Abstract

Keywords: verification, theorem proving, cyclic scheduling, simulation, PVS

1 Introduction

Formal methods provide the kind of rigor in software engineering that is needed to move the software development process to a level comparable to other engineering professions. There are many kinds of formal methods that can be employed at different stages of the development process. In the specification phase, a model can be constructed using some kind of formal language. This model can be used as a starting point for model based testing. Model checking, which proves properties for the entire state space of a finite part of the formal model by means of an exhaustive test, can eliminate a lot of errors. Both model based testing and model checking can be performed automatically. Theorem proving can be used for full verification of models that can have an infinite number of states. However, employing theorem proving is considerably more costly than the earlier mentioned methods.

Formal verification of models is gaining ground within the industrial world. For instance, Cybernetix participated in the AMETIST project, in order to improve the quality of their systems. This project's aim was to develop modeling methodology supported by efficient computerized problem-solving tools for the modeling and analysis of complex, distributed, real-time systems. A personalization machine was one of the case studies supplied by Cybernetix. This machine consists of a conveyor belt with stations that personalize blank smartcards. The number of stations is variable.

The AMETIST participants modeled the machine in several model checking environments: Spin, Uppaal and SMV. However, within these systems, the models were checked and proven optimal and safe with respect to an ordering criterion for only a limited number of personalization stations. The most important reasons why it is interesting to look at the case study using other formal methods besides model checking are:

- In some production configurations the number of stations exceeds the number of stations the model has been checked for. So there is not yet complete assurance that the scheduling algorithm is indeed safe and optimal for actually used configurations.
- Model checking is limited to a finite state space. Although there are methods allowing model checking to abstract away from the data or even to employ inductive reasoning on the model, so far no one has generalized to N stations. A stronger result would be to prove that for any number of stations, the scheduling algorithm is safe and optimal.
- Using a theorem prover to prove that a suitable invariant is correct usually gives more insight into why the machine satisfies its safety and optimality properties, instead of just checking them automatically.

In this paper we will present a formalized model of the machine in PVS (Prototype Verification System) [ORS92]. This is an environment for precise specification and verification of models. The specification language is based on simply typed higher order logic, but the type system has been extended with subtypes and dependent types. PVS also employs decision procedures to assist the user in a verification effort. These procedures take care of the bureaucracy associated with a formal proof and are usually able to discharge obvious proof obligations automatically. The specification language also allows for simulations and other means of animating the model if the model is composed out of an executable subset of the specification language.

We will come up with an invariant and use PVS to prove that this invariant holds for the model. This invariant is strong enough to prove all safety criteria and to prove that the algorithm guarantees optimal throughput for any number of personalization stations. We will also provide a simulation package. This makes it possible to verify that the model behaves as one would expect from a regular machine, and it could form the basis of software that actually runs the machine.

In this article we present the smartcard personalization machine in section 2. The model of the machine is described in section 3 and we show by means of a simulation that this model is valid in section 4. Then, in section 5, the invariant is presented, followed by its proof in section 6. Safety and optimality are deduced from that invariant in section 6.1. A summary of related work by other people is given in section 7. An overview of future work can be found in section 8. All code and proofs referred to in this paper are available.[1]

[1] http://www.cs.ru.nl/~leonard/papers/cybernetix/cybernetix.tar.gz

2 Personalization machine

A smart card personalization machine takes blank smart cards as input and programs them with personalized data. Subsequently, the cards are printed and tested. Typically, a machine has a throughput of several thousands of cards per hour. The machine has a conveyor belt transporting the cards. There is an uploader station putting cards onto the belt and an unloader station taking them off again. Directly above the belt are posts that can manipulate the cards, either by lifting them off the belt, like personalization stations, or by processing the cards while they remain on the belt, like graphical treatment stations. An example configuration is given in figure 1.

[Figure 1. Example of a standard configuration: loader, personalization stations, flipover station, inkjet station, laser engraving, test station, reject station, unloader.]

There are different kinds of operations possible on the cards:

- Personalization stations program the chip on the card. These stations are able to detect if a card is defective. Cards need to be lifted into a personalization station by a lifting device.
- Graphical treatment stations are either laser engravers or inkjet stations. They can graphically personalize the cards. Graphical treatments happen while the card remains on the belt.
- Flipover stations can turn cards over to allow a graphical treatment of both sides of a card.
- Test stations determine whether the chip that is on the card functions properly.
- Rejection stations are used to extract cards that have been judged to be defective.

Due to the high number of cards that need to be personalized and the way the machine is structured, there are several requirements that need to be met by the smartcard personalization system:

- The output of the cards should happen in a predefined order, since further graphical treatment of the card may depend on the kind of personalization that has been received by the card. In the remainder of the paper we shall refer to this requirement as safety.
- The throughput of the machine should be optimal.
- The machine should allow for defective cards to be replaced.
- The system should be configurable and modular. The number of personalization and graphical treatment stations can vary according to the needs of the customers. Neither is the placement of the stations fixed. This means that the personalization stations can be spaced or appear interleaved with graphical treatment stations.

Cybernetix has developed and patented a scheduling protocol called "Super Single Mode". This particular scheduling protocol puts, each time unit, a new blank card on the first position of the belt for N consecutive time units, where N is the number of personalization stations. After N time units, it leaves the first position of the belt empty for one time unit and then repeats itself by putting N new cards on the belt followed by leaving one slot empty.

3 PVS Model of the personalization machine

In the previous section, we have given a general description of the personalization machine. In this section we will discuss the model we have developed. The personalization machine is modeled as a conveyor belt that transports cards underneath a set of M personalization stations. Each of these stations can pick up and drop cards onto the conveyor belt. The belt is synchronized with the personalization stations in order to enable picking up and dropping the cards.
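To make the Super Single Mode loading pattern and the belt part of the model concrete, here is an added simulation in Python. It is example code written for this page, not the paper's PVS model, its simulation package, or Cybernetix's software. It models only what the text specifies: the loader puts a card on the first belt position for N consecutive time units, leaves it empty for one, and repeats; the belt advances one position per time unit and delivers cards to the unloader in the order they were loaded. The pick-up and drop behaviour of the personalization stations, the personalization time and the belt length are not given on this page, so stations are left out and the belt length is an assumed parameter; all function and variable names are the example's own.

```python
"""Simulation of the Super Single Mode loader pattern on a conveyor belt.

Added example for this page; it is not the paper's PVS model or Cybernetix's
software.  Assumptions: the belt is a fixed-length shift register (length is a
parameter of the example), one position per time unit; cards are identified
by the order in which they were loaded; the personalization stations are not
modelled because their pick-up/drop rule is not described on this page.
"""
from typing import Iterator, List, Optional, Tuple

Slot = Optional[int]   # card id, or None for an empty belt position
EMPTY: Slot = None


def super_single_mode(n: int) -> Iterator[bool]:
    """Loader schedule of Super Single Mode for N personalization stations.

    Yields, for time units 0, 1, 2, ..., whether a new blank card is put on the
    first belt position: True for N consecutive time units, then False once,
    and so on.
    """
    if n < 1:
        raise ValueError("Super Single Mode needs at least one personalization station")
    t = 0
    while True:
        yield t % (n + 1) != n     # time units 0..n-1 of each period carry a card; unit n is the gap
        t += 1


def loaded_cards(n: int, ticks: int) -> int:
    """Cards the loader puts on the belt in `ticks` time units: N per N+1 ticks."""
    count = 0
    for _, put in zip(range(ticks), super_single_mode(n)):
        count += int(put)
    return count


def spacing_invariant(belt: List[Slot], n: int) -> bool:
    """Steady-state shape of the belt under Super Single Mode: every window of
    N+1 consecutive positions holds exactly one empty slot (and hence N cards).
    Fails during warm-up while the belt is still partly empty."""
    return all(sum(1 for s in belt[i:i + n + 1] if s is EMPTY) == 1
               for i in range(len(belt) - n))


def run_belt(n: int, belt_length: int, ticks: int) -> Tuple[List[List[Slot]], List[int]]:
    """Run the belt as a shift register of `belt_length` positions for `ticks` time units.

    Returns (history, unloaded): history[t] is the belt after time unit t, with
    index 0 on the loader side; unloaded lists the card ids that reached the
    unloader, in arrival order.
    """
    belt: List[Slot] = [EMPTY] * belt_length
    loader = super_single_mode(n)
    history: List[List[Slot]] = []
    unloaded: List[int] = []
    next_id = 0
    for _ in range(ticks):
        leaving = belt[-1]                    # the far-end position leaves to the unloader
        if leaving is not EMPTY:
            unloaded.append(leaving)
        if next(loader):                      # loader acts on the first position
            card: Slot = next_id
            next_id += 1
        else:
            card = EMPTY
        belt = [card] + belt[:-1]             # belt moves one position per time unit
        history.append(belt)
    return history, unloaded


def belt_safe(unloaded: List[int]) -> bool:
    """The paper's safety requirement restricted to the belt alone: cards reach
    the unloader in the predefined (here: loading) order, none skipped."""
    return unloaded == list(range(len(unloaded)))


if __name__ == "__main__":
    n, length, ticks = 3, 8, 20               # constructed run: 3 stations, 8 positions, 20 time units
    history, out = run_belt(n, length, ticks)
    print("final belt:", history[-1])
    print("unloaded  :", out, "safe:", belt_safe(out))
    print("steady-state spacing invariant:", spacing_invariant(history[-1], n))
    print("throughput: %d cards in %d time units (N/(N+1) = %d/%d)"
          % (loaded_cards(n, ticks), ticks, n, n + 1))
```

The spacing invariant is the belt-level shadow of what the paper proves in PVS: once the belt is full, every N+1 consecutive positions carry N cards and one gap, which is exactly the N/(N+1) loader throughput that the protocol produces, and the belt alone never reorders cards. Whether the stations preserve that order when they lift cards off and drop them back is the part the page leaves to the paper's invariant and proof.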


Similar sources

A Machine-Checked Proof of the Optimality of a Real-Time Scheduling Policy

We describe a mechanically-checked proof of the optimality of earliest-deadline-first (EDF) schedulers on periodic tasks accomplished using the Nqthm theorem prover. We present a formalization of the theorem and discuss why the machine-checked proof is both more complex and more reliable than a corresponding informal proof.


GENETIC AND TABU SEARCH ALGORITHMS FOR THE SINGLE MACHINE SCHEDULING PROBLEM WITH SEQUENCE-DEPENDENT SET-UP TIMES AND DETERIORATING JOBS

This paper introduces the effects of job deterioration and sequence-dependent set-up time in a single machine scheduling problem. The considered optimization criterion is the minimization of the makespan (Cmax). For this purpose, after formulating the mathematical model, genetic and tabu search algorithms were developed for the problem. Since population diversity is a very important issue in ...


Stenning's Protocol Implemented in UDP and Verified in Isabelle

This paper is about the mechanical verification of UDP based network programs. It uses the UDP portion of a formal model of the Internet protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). The model includes asynchronous message passing, message loss and host failure. The model is based around the sockets library, the primary API used for writing UDP and TCP based ap...


Proof Pearl: Proving a Simple Von Neumann Machine Turing Complete

In this paper we sketch an ACL2-checked proof that a simple but unbounded Von Neumann machine model is Turing Complete, i.e., can do anything a Turing machine can do. The project formally revisits the roots of computer science. It requires re-familiarizing oneself with the definitive model of computation from the 1930s, dealing with a simple “modern” machine model, thinking carefully about the ...


The Formal Verification of an ATM Network

Communication networks are rapidly becoming all pervasive. As this occurs, the consequences of errors in the design or implementation of network components becomes increasingly important. This is especially so if, as is increasingly probable, networks are used in safety-critical applications where communication problems could cause loss of life. Asynchronous Transfer Mode (ATM) is a relatively ...



Journal:

Volume   Issue

Pages  -

Publication date 2007