# Automated SysML v2 System Model to Memory-Safe Language Code Generation with Integrated AI Assistance

**DARPA PROVERS** 



David S. Hardin, Ph.D. Applied Research & Technology

© 2025 Collins Aerospace. | This document does not include any export controlled technical data

## **Collaborators on this Presentation**

- Collins Aerospace: Isaac Amundson, Junaid Babar, Darren Cofer, Saqib Hasan, Karl Hoech, Amer Tahat
- Kansas State University: Jason Belt, John Hatcliff, Robby
- Aarhus University (Denmark): Stefan Hallerstede



## **DARPA PROVERS**

**Pipelined Reasoning of Verifiers Enabling Robust Systems** 

Develop automated, scalable **formal methods** tools that are integrated into traditional development pipelines using "proof engineering" techniques

Enable traditional product engineers to incrementally produce and maintain **high-assurance** national security systems



## So How Did We Get Here?

**DARPA High Assurance Cyber Military Systems (HACMS)** 

#### **DEF CON 29** Ground Control Station DARPA @DARPA We brought a hackable quadcopter with defenses built on our HACMS program to @defcon #AerospaceVillage. As program manager @raymondrichards reports, many attempts to breakthrough were made but none were successful. Formal methods FTW! . Tuni HACMS ULB 10:20 AM · Aug 9, 2021 · Hootsuite Inc. 0500 Loonwerks.com/projects/hacms 9:59 / 25:07 I 1 2:19 / 3:43 croll for details CC 🚛

Collins Aerospace An **RTX** Business

© 2025 Collins Aerospace. | This document does not include any export controlled technical data.

## Compositional Reasoning for Model-Based Systems Engineering Assume Guarantee REasoning Environment (AGREE)

- Assume-Guarantee annex for AADL architecture models
  - Assumptions describe the expectations that a component has on the environment
  - Guarantees describe bounds on the behavior of the component when assumptions are valid
- Compositional analysis to prove correctness of:
  - Component interfaces (component assumptions are satisfied by upstream guarantees)
  - Component implementations (component assumptions and subcomponent guarantees satisfy guarantees)



## Resolute

An Assurance Pattern Language and Evaluation Tool for Architecture Models

- The structure of the system architecture dictates the structure of the assurance case
  - Design patterns → Assurance patterns
- Extension of AADL language
  - Assurance case instantiated with elements from AADL model
- Specify logical rules for evaluating evidence
  - Automated evaluation



## **Oops!**



#### 🔐 Problems 🔲 Properties 📮 Console 🏙 Assurance Case 🕱 🍋 AGREE Results

#### 🕶 🛄 Req\_WellFormed\_OperatingRegion(MissionComputer\_Impl\_Instance : MC::MissionComputer.Impl, "Req\_Wellformed\_OperatingRegion", MissionComputer\_Impl\_Instance : MC::MissionCom

- ▼ [] [permit\_well\_formed\_OR\_data] UxAS component shall only receive well-formed messages
  - ▼ AGREE properties passed
    - 🔢 AGREE analysis was run
  - ▼ II Filter OR\_Filter : SW::OperatingRegion\_Filter.Impl is properly added to component UxAS : Waterways\_UxAS::Waterways.i
    - A CASE\_Filter OR\_Filter : SW::OperatingRegion\_Filter.Impl is connected to component UxAS : Waterways\_UxAS::Waterways.i by connection SW::SW.Filter.filter\_out\_connection
    - Component OR\_Filter : SW::OperatingRegion\_Filter.Impl cannot be bypassed
    - Component property implemented
      - OR\_Filter : SW::OperatingRegion\_Filter.Impl implementation is appropriate for OS
      - Component proof checked



### seL4 Formally Verified Microkernel

- seL4 microkernel guarantees partitioning of components and communication, backed by computer-checked proofs
- seL4 guarantees no infiltration, exfiltration, eavesdropping, interference, and provides fault containment for untrusted code
- Ensures soundness of the MBSE design process – components can be analyzed separately and composed safely



#### University of New South Wales Proofcraft



seL4 is...

- An operating system microkernel
- A hypervisor
- Proved correct
- Provably secure
- Fast

Collins Aerospace An RTX Business 2025 Collins Aerospace. | This document does not include any export controlled technical data

## **DARPA Cyber Assured Systems Engineering (CASE)**

- Objective: develop the necessary design, analysis and verification tools that enable engineers to build cyber-resilient systems, including legacy elements
- BriefCASE
  - Integrated **model-based systems engineering** tool suite based on AADL models
  - Analyze architecture models for cyber vulnerabilities and generate cyber resiliency requirements
  - Transform system architecture models to satisfy cyber-resiliency requirements
  - Synthesize high-assurance component implementations from formal specifications
  - Generate **software integration code** directly from verified architecture models
  - Build to a formally verified secure microkernel target (seL4)
  - Assurance:
    - Check model conformance to standards
    - Verify system design and implementation using formal methods
    - Document proof of correctness with an assurance case





### **Resolint** A linter tool for AADL models

- Define *rules* in Resolute that correspond to modeling guidelines
- Group rules into rulesets corresponding to organizational process, customer requirements, certification guidelines, and tool constraints
- Automatically check compliance with modeling guidelines in OSATE





| 1 pac  | :kage System_Build                                 |
|--------|----------------------------------------------------|
| 2      |                                                    |
| 3⊜ put | blic                                               |
| 4      |                                                    |
| 50     | annex resolute {**                                 |
| 6      |                                                    |
| 7⊖     | ruleset HAMR {                                     |
| 80     | <pre>info (print("Linting HAMR ruleset"))</pre>    |
| 9      |                                                    |
| 10     | error (one process())                              |
| 11     |                                                    |
| 12     | <pre>warning (dispatch_protocol_specified())</pre> |
| 13     | error (valid dispatch protocol())                  |
| 14     | error (valid_dispacen_prococol())                  |
|        | concer (bounded interest())                        |
| 15     | <pre>error (bounded_integers())</pre>              |
| 16     | <pre>error (bounded_floats())</pre>                |
| 17     |                                                    |
| 18     | <pre>warning (data_type_specified())</pre>         |
| 19     | <pre>warning (subcomponent type specified())</pre> |
| 20     |                                                    |
| 21     | <pre>error (array_dimension())</pre>               |
| 22     | error (one_dimensional_arrays())                   |
| ~ ~    | error (one_uimensional_arrays())                   |

| 🛐 Problems 🔀        | Properties 📃 Console                                                                                             |       |
|---------------------|------------------------------------------------------------------------------------------------------------------|-------|
| 2 errors, 54 warnin | gs, 1 other                                                                                                      |       |
| Description         | ^                                                                                                                |       |
| ✓ Ø Errors (2 ite   | ems)                                                                                                             |       |
| 😣 Compo             | nents bound to a virtual processor may only communicate with components bound to other processors via event data | ports |
| 😣 Only on           | e processor-bound process can contain thread or thread-group subcomponents                                       |       |
| > 💧 Warnings (      | 54 items)                                                                                                        |       |
|                     | 1                                                                                                                | 0     |

#### Kansas State University

#### HAMR High-Assurance Modeling and Rapid Engineering for Embedded Systems



## HAMR: infrastructure code generation and target platform build tool



Tux logo: lewing@isc.tamu.edu

## **DARPA PROVERS: INSPECTA Team**

Industrial-Scale Proof Engineering for Critical Trustworthy Applications





An RTX Business

© 2025 Collins Aerospace. | This document does not include any export controlled technical data.

## **INSPECTA** Team

- Collins Aerospace, Team Lead
  - Darren Cofer, PI
- Carnegie Mellon University
- Dornerworks
- Kansas State University
  - with Aarhus University
- Proofcraft
- University of Kansas
- University of New South Wales





## **Technical Areas**

#### **TA1: Proof Engineering**



#### **TA2: Platform Development**

- Open Platform
  - Developed and supported by DornerWorks
  - Unrestricted UAV mission software, system model with formal properties, multiple VMs, Rust software components, seL4 kernel







- Restricted Platform
  - Collins Launched Effects (LE) Mission Computer
  - Based on same computer hardware as the Open Platform



## **INSPECTA Proof Chain**

With INSPECTA, engineers are able to generate comprehensive formal assurance across the entire development stack without requiring deep formal methods expertise



Collins Aerospace
An RTX Business
2025 Collins Aerospace. | This document does not include any export controlled technical data

# SysML v2

- SysML v2 is the second major version of the Systems Modeling Language
  - Standarized under the auspices of the Object Management Group
- Improved expressiveness relative to SysML v1
  - Now similar in expressiveness to AADL
- Standard textual form in addition to the graphical form
  - Promotes third party tool interaction
- Supported by major tool vendors: Siemens, The Mathworks, etc.
  - Necessary for mass adoption by the Defense Industrial Base



## AADL to SysML v2 Transition Example



#### Kansas State University



https://github.com/loonwerks/INSPECTA-models/tree/main/isolette/sysml

## **GUMBO Contract Language**

- Inspired by AGREE and BLESS
- Aligns with MBSE run-time semantics
- Programming language independent
- Supports multiple quality assurance techniques
- Language Features:
  - Data type invariants
  - Port invariants (integration constraints)
  - Event-based / Shared-data based inter-thread communication
  - Local state declarations with invariants
  - Pre/Post conditions for thread code entry points
  - Support for fixed width scalars (e.g., Float32)



GUMBO contracts are specified in

Kansas State University / Galois



#### LLMs for MBSE Contract Verification: Counterexample Analysis/Resolution

- Counterexamples generated from MBSE contract verification can be difficult to analyze by non-experts
- We are utilizing LLMs to analyze these counterexamples, and suggest repairs
- Any LLM hallucinations are rejected, because assume/guarantee contract analysis is performed by a mathematically rigorous model checker
- · We are also exploring use of LLMs for:
  - Proof repair
  - Documentation assistance
  - Model updates

Collins Aerospace

An RTX Business

· Help writing formal properties



© 2025 Collins Aerospace. | This document does not include any export controlled technical data

19

## **Memory-Safe Programming Languages**

- An emerging consensus amongst computer science thought leaders is that memory-safe programming language technology needs to be adopted more broadly:
- "NSA recommends using a memory safe language when possible." (Nov. 2022)
- The White House has published a report championing the adoption of memory safe programming languages to enhance software security. (Feb. 2024)
- Microsoft, Google, and Amazon have all announced significant Rust initiatives.
- Memory-safe language requirements are beginning to appear in U.S. Government contracting.

## Collins Aerospace



## Why Memory-Safe Languages? Why now?

- Memory-safe languages are not new
  - For example, Collins successfully used Ada in major commercial and government avionics products in the 1980s and 1990s
  - Collins used SPARK effectively on high-assurance products for the intelligence community in the 2000s
- Recent improvements in compiler technology have made memory safety very low cost
- Additionally, novel memory ownership models (e.g, in Rust) have allowed references to be used safely
- Development organizations have tired of continual memory errors, causing a neverending parade of security vulnerabilities, despite the use of increasingly sophisticated analysis tools



## The Rust Programming Language

- The INSPECTA team is focusing our memory-safe language research on Rust
- Rust has several assurance advantages over C/C++, including:
  - Improved type safety
  - · Vastly improved memory safety
  - · No arbitrary pointer arithmetic
  - ...in short, 80% of C/C++ security flaws are eliminated outright!
- Rust supports modern programming idioms such as a match primitive, traits, immutability by default, etc.
- Basic Rust syntax is familiar to C/C++ developers, easing the transition
- The Rust compiler produces code which is competitive in speed to C/C++





## **Verus: Rust Code Verification**

- Verus is an open source Rust code verification environment under development by Carnegie Mellon University and numerous other researchers
- Verus has been utilized in a number of operating system, concurrent data structure, and distributed algorithm verification efforts
- Verus utilizes Rust syntax to express precondition and postcondition annotations, loop invariants, etc.
- Verus employs an SMT solver to attempt to prove postconditions, given the preconditions



## **Rust-Related Work on INSPECTA**

- HAMR now supports the generation of Rust source code from SysML v2 models
  - For seL4, we use a new Rust userspace API developed by Nick Spinale
  - The KSU/Aarhus team is translating GUMBO system model contracts to the Verus Rust verification environment
- The University of Kansas is developing Rust code generation for their attestation protocol specifications written in the Rocq theorem prover
- Dornerworks is writing open model application code in Rust
- CMU is enhancing Verus to support INSPECTA, reducing fragility in their SMT backend, and creating a connection to the Lean theorem prover



# SysML v2 model with GUMBO contracts translated to Rust/Verus by the KSU HAMR tool



Carnegie Mellon University 25

 $\ensuremath{\mathbb{C}}$  2025 Collins Aerospace. | This document does not include any export controlled technical data.

## Conclusion

- The INSPECTA team is making formal verification across the entire software development stack accessible to non-formal methods experts through automated analysis, DevOps integration, a ProofOps console, and improved user feedback
- Keys to achieving this goal include integration with the SysML v2 System Modeling Language, and support for modern memory-safe languages, specifically Rust
- Much important INSPECTA Research was not mentioned in this talk, including:
  - AGREE/GUMBO contract language harmonization (Collins / KSU)
  - Verified Component Synthesis (KU)
  - Lifecycle Attestation (KU / Collins)
  - seL4 proof engineering (Proofcraft), Microkit, and Lions OS (UNSW)
- Check it out code, papers, links:
  - https://loonwerks.com/projects/inspecta.html



# **Thank You!**

Contact: david.hardin@collins.com

This work was funded by DARPA contract FA8750-24-9-1000.

The views, opinions and/or findings expressed are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

