A formal verification of dynamic updating in a Java-based embedded system

Abstract

Dynamic software updating (DSU) consists in updating running programs on the fly without any downtime. This feature is interesting in critical applications that must run continuously. Because updates may lead to safety errors and security breaches, the question of their correctness is raised. Formal methods are a rigorous means to ensure the correctness required by applications using DSU. In this paper, we present a formal verification of correctness of DSU in a Java-based embedded system. Our approach is based on three major contributions. First, a formal interpretation of the semantic of update operations to ensure type safety of the update. Secondly, we rely on a functional representation of bytecode, the predicate transformation calculus and a functional model of the update mechanism to ensure the behavioural correctness of the updated programs. It is based on the use of Hoare predicate transformation to derive a specification of an updated bytecode. Thirdly, we use the functional representation to model the safe update point detection mechanism. This mechanism guarantees that none of the updated methods are active. This property is called activeness safety. We propose a functional specification that allows to derive proof obligations that guarantee the safety of the mechanism.