Composing Safe Systems

  • John Rushby
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7253)


Failures in component-based systems are generally due to unintended or incorrect interactions among the components. For safety-critical systems, we may attempt to eliminate unintended interactions, and to verify correctness of those that are intended. We describe the value of partitioning in eliminating unintended interactions, and of assumption synthesis in developing a robust foundation for verification. We show how model checking of very abstract designs can provide mechanized assistance in human-guided assumption synthesis.







Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • John Rushby, Computer Science Laboratory, SRI International, Menlo Park, USA
