## **Naval Research Laboratory** Washington, DC 20375-5320 NRL/5540/MR—2022/5 # Spider for a Traffic Light DR. GERARD ALLWEIN CHRISTOPHER BELMONTE Center for High Assurance Computer Systems Branch Information Technology Division June 23, 2022 **DISTRIBUTION STATEMENT A:** Approved for public release; distribution is unlimited. ## **REPORT DOCUMENTATION PAGE** Form Approved OMB No. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. | 1. REPORT DATE (DD-MM-YYYY) | 2. REPORT TYPE | 3. DATES COVERED (From - To) | |-----------------------------------------------------------------------------------------------------------------------------------------|-----------------------|---------------------------------------------------------------| | 23-06-2022 | NRL Memorandum Report | 1 Oct 2021 – 30 Sept 2022 | | 4. TITLE AND SUBTITLE | | 5a. CONTRACT NUMBER | | Spider for a Traffic Light | | 5b. GRANT NUMBER | | | | <b>5c. PROGRAM ELEMENT NUMBER</b> 062235N | | 6. AUTHOR(S) | | 5d. PROJECT NUMBER | | Dr. Gerard Allwein and Christopher Bel | Imonte | 5e. TASK NUMBER | | | | <b>5f. WORK UNIT NUMBER</b> 6C59 | | | | | | 7. PERFORMING ORGANIZATION NAME | E(S) AND ADDRESS(ES) | 8. PERFORMING ORGANIZATION REPORT NUMBER | | 7. PERFORMING ORGANIZATION NAME Naval Research Laboratory 4555 Overlook Avenue, SW Washington, DC 20375-5320 | E(S) AND ADDRESS(ES) | | | Naval Research Laboratory<br>4555 Overlook Avenue, SW<br>Washington, DC 20375-5320 | | NRL/5540/MR2022/5 | | Naval Research Laboratory<br>4555 Overlook Avenue, SW | | NUMBER | | Naval Research Laboratory 4555 Overlook Avenue, SW Washington, DC 20375-5320 9. SPONSORING / MONITORING AGENO Office of Naval Research | | NRL/5540/MR2022/5 | | Naval Research Laboratory 4555 Overlook Avenue, SW Washington, DC 20375-5320 9. SPONSORING / MONITORING AGENC | | NUMBER NRL/5540/MR2022/5 10. SPONSOR / MONITOR'S ACRONYM(S) | **DISTRIBUTION STATEMENT A:** Approved for public release; distribution is unlimited. #### 13. SUPPLEMENTARY NOTES #### 14. ABSTRACT This is a report on a spider for a traffic light application. A spider is a realtime monitor of field programmable gate array (FPGA) or complex programmable logic device (CPLD) code written in VHDL. Each spider is associated with specific logic statements expressing conditions in the code being monitored. Each spider also contains mechanisms for mitigating the effects of an exploit, either malicious, due to an error in design, or due to a hardware fault. The spider for this example was hand compiled from logic statements into VHDL code that is combined with the traffic light code before vendor tools compile everything into an internal representation. Spiders can be written in any language provided there is a translator into a language vendor supplied tools support. Eventually, spiders will be automatically compiled from logic statements and mitigation code to produce either VHDL code or ReWire code. ReWire has its own compiler that produces either VHDL or Verilog code, which would then subsequently be included in the application. #### 15. SUBJECT TERMS | 16. SECURITY CLASSIFICATION OF: | | 17. LIMITATION<br>OF ABSTRACT | 18. NUMBER<br>OF PAGES | 19a. NAME OF RESPONSIBLE PERSON Dr. Gerard Allwein | | |---------------------------------|------------------|-------------------------------|------------------------|----------------------------------------------------|----------------------------------------------------------| | a. REPORT<br>U | b. ABSTRACT<br>U | c. THIS PAGE<br>U | U | 25 | 19b. TELEPHONE NUMBER (include area code) (202) 404-3748 | This page intentionally left blank. ## **CONTENTS** | EX | KECUTIVE SUMMARY | E-1 | |----|------------------------------|-----| | | INTRODUCTION | | | 2. | TRAFFIC LIGHT | 2 | | | 2.1 Code Structure | | | | 2.2 Controller | 4 | | | 2.3 Monitoring Conditions | 7 | | | 2.4 Distributed Structure | 10 | | 3. | CONCLUSIONS | 10 | | 4. | APPENDIX | | | | 4.1 Wrapper Code | 11 | | | 4.2 Traffic Light Controller | 14 | | | 4.3 Spider | 17 | | RE | EFERENCES | 21 | This page intentionally left blank #### **EXECUTIVE SUMMARY** This is a report on a spider for a traffic light application. A spider is a realtime monitor of field programmable gate array (FPGA) or complex programmable device (CPLD) an application. The application and the spider are both written in VHDL. Generically, a spider is associated with specific logic statements expressing high assurance conditions in the application being monitored. The spider also contained mechanisms for mitigating the effects of an exploit, either malicious, due to an error in design, or due to a hardware fault. The spider for the traffic light controller was hand compiled from logic statements into VHDL code and combined with the traffic light code. The combination was then compiled by vendor tools into an internal representation that is downloaded into the FPGA. Eventually, spiders will be automatically compiled to produce either VHDL code or ReWire code. ReWire has its own compiler that produces either VHDL or Verilog code, which would then subsequently be included in the application. The NRL Memo Report "Spiders for FPGA Applications" is a prelude to this current report and covers theoretical ground. This page intentionally left blank ### Spider for a Traffic Light #### 1. INTRODUCTION This is the second report for the NRL Base Program 6.2 (Work Unit 55 T012) Realtime Monitors (Spiders) for FPGA Applications. The first report, "Spiders for FPGA Applications", detailed the logical prelude necessary to understand this report. That report also covered spider features not used in the spider for traffic light controller. Intuitively, the notion is that spider sits above an application with its legs embedded in the application. The legs are signal lines and the body is the center for recognition of error conditions and mitigation of those conditions. The FPGA application will be be called the *plant*, a term lifted from realtime control of industrial machines. We also use the term *spider* as verb, i.e., to *spider an application* is the have a realtime monitor for that application. The intuitive picture is Figure 1.1: Intuitive Diagram of Spider and its Plant The code itself is not structured according to the diagram. The structure of the system as seen from the VHDL code is usually different. The signal lines between the spider and the plant are not drawn. The hierarchical structure is showing a possible code architecture, not the actual connections (as in the previous diagram). Manuscript approved June 17, 2022. 2 Gerard Allwein Figure 1.2: Code Structure of Spider and its Plant The reason for this structure is that we wish to hide internal signal connections from the outside world. This structure also makes it relatively easy to place the spider and the plant into a larger system. There may be several spiders for any one plant, and spiders can spider other spiders. It is also possible to have a spider observing two different plants if, say, it is required to watch over interaction between the two plants. #### 2. TRAFFIC LIGHT The traffic light is a relatively simple application that allowed us to see what is required for building a spider. The traffic light controller works on a four-way intersection controlling the usual green-yellow-red lights for all directions. There is a timer so that the lights do not stay in one configuration over a time limit. The specification of the traffic light controller is as follows. Consider the traffic intersection below: Figure 2.1: Traffic Flow Diagram #### **Requirements:** - 1. Produce source code exhibiting the following behavior: - a. The North/South lights act as a pair and the East/West lights act as a pair, the lights will be in synchronization at all times. There is no turn signal. - b. The light is a standard traffic and should follow the typical sequencing of green, yellow, red light, repeat. - c. By default each pair shall be active (green) for 10 seconds, after which it will begin the transition through yellow to inactive (red) before the other light pair becomes active. - d. If a car shows up at the red light pair, and there are no cars present at the green light pair, then the green light shall only be active for a total of 5 seconds before switching; i.e., a car arriving at the red light before the green light pair was active for 5 seconds would cause the green light pair to change at 5 seconds, a car arriving at the red light after the green light pair was active for 5 seconds would immediately cause the green light pair to switch. - 2. Provide a test bench that verifies the above behavior, and includes at a minimum the following cases: - a. The default behavior of the light. - b. A car arrives at the red light and a car is already present at the green light. - c. A car arrives at the red light before the 5 second mark and no car is present at the green light. - d. A car arrives at the red light after the 5 second mark and no car is present at the green light. The spider for this controller will only attempt to watch over the sequencing of the lights with minimal attention paid to time intervals. The reason for this is that not much would have been learned by the spider being more intrusive. Also, there is a trade off in how complicated the spider can be with respect to the number of conditions being spidered in the controller. The code for both the spider and the controller is compiled together by vendor tools. The code is recorded in the Appendix to this report. It is divided into the top wrapper, the traffic light controller, and the spider. The code is written in VHDL and would require you understand that language in order to make sense of the code. The spider has two general conditions that it watches for: C1: detecting invalid outputs, e.g., both sets of lights being green at the same time, C2: monitoring FSM timed transitions, e.g., tracking the max time for each state and flagging deviations, etc. Note that in C2, minimum times spent in each traffic light color are not monitored. A more intrusive spider would check for this. Mitigation should include upon recognition of an exploit: M1: Flashing red lights in all (some) directions. M2: Forcing the FSM controller into a start state. 4 Gerard Allwein #### 2.1 Code Structure The intuitive diagram of the spider and the light controller is Figure 2.2: Traffic Light Spider + Controller The VHDL code has three files, top\_wrap, top\_modded, and light\_spider\_modded, which, in this instance, correspond to three components, called entities in VHDL. VHDL allows for entities to contain other entities, i.e., components containing other components but we do not need such extra structure here. From now on, we will revert to using the term *component*, and the files will be called wrapper, controller, and spider. We will also use these names for the components whose names are eponymous with the files containing them. The component structure is Figure 2.3: Traffic Light Component Structure #### 2.2 Controller The controller has five states: - S0: North/South lights green, East/West lights red. - S1: North/South lights yellow, East/West lights red. - S2: North/South lights red, East/West lights green. - S3: North/South lights red, East/West lights yellow. #### S4: Fault detected by spider, flash the red lights. The states of the controller have the above descriptive comments as to what they represent. However, these are only comments and without formal proof, they may or may not be correct; they are in this instance, but in general require proof. The reason they are descriptive is that the main process that decides on state changes is not the process that sets the light colors. The only reason we can with confidence say they are accurate is that the the process that sets the states does so when the state variable in the main processes changes state to a state, say, s2, and the lights sets the lights for the state s2. Still, this is not formal proof. For a real formal proof, we would have to axiomatize VHDL, which we will not be doing in this project. Rather, we will eventually use ReWire in which case we can use equational logic where the equations can be lifted directly from the code. In the conclusions, we note that mitigation would be best kept in the spider. If this is the case, this state would cease to exist in the plant. However, then more care must be taken to construct the plant so as not to interfere when mitigation is taking place. The controller has a wrapper called top and three processes: main, lights, and timer for respectively (1) deciding on state changes, (2) setting the lights, and (3) timer to flash the lights when necessary. The main process does not really have that name but is unnamed and residing in the top wrapper. These items have the following configuration: Figure 2.4: Controller Process Structure The controller has two variables used for controlling the lights, ns\_lights and ew\_lights for north-south and east-west lights. The north and south light always mirror each other as do the east-west lights. Each can be in green, yellow, or red. The next-state relations in the main process of controller can be enumerated. The code could be automatically processed to produce the enumeration. In general, large state machines in applications are avoided due to code complexity. This entails that the next-state relations are relatively small as well. The trade-off comes in concurrence relations (see Spiders for FPGA Applications and Section 2.4 below), as there are more of them with many small FSMs. Processing the machines to extract the concurrence relations will be necessary. The state machine of Figure 2.5 below has several event types that are generated from conditionals in the code. An example of how this occurs is ``` case state is when s0 => if ((t0 = '1') and (t1 = '1')) then state <= s1; elsif (t2 = '1') then state <= s0;</pre> ``` 6 Gerard Allwein where we let $$e_0 \stackrel{\text{def}}{=} (t_0 = 1) \wedge (t_1 = 1)$$ $e_1 \stackrel{\text{def}}{=} (t_2 = 1) \wedge \neg e_0$ Note that the extra conjunction $\neg e_0 = \neg((t_0 = 1) \land (t_1 = 1))$ is needed in defining $e_1$ since VHDL executes the **elsif** only when the **if** fails. Event types generate next-state relations. The entire next state relation is the set theoretical union of the individual next-state relations. However, the union washes out the contribution of the individual event types and hence only useful for more abstract properties than we deal with here. We list the event types (next-state relations) here: | <b>Next-State Relation</b> | <b>Event Type</b> | Prescription | |----------------------------|-----------------------|--------------------------------------------------------------| | $\mathcal{H}_0$ | $e_0$ | rst = '1' <b>or</b> fault = '1' | | $\mathcal{H}_1$ | $e_1$ | (ew_car = '0' and count < clk_limit) or | | | | (ns_car = '1' and count < clk_limit) or (count < " $0100$ ") | | $\mathcal{H}_2$ | $e_2$ | $ eg \mathcal{H}_1$ | | $\mathcal{H}_3$ | $e_3$ | count < "0101" | | $\mathcal{H}_4$ | $e_4$ | $ eg \mathcal{H}_3$ | | $\mathcal{H}_5$ | <i>e</i> <sub>5</sub> | (ns_car = '0' and count < clk_limit) or | | | | (ew_car = '1' and count < clk_limit) or (count < "0100") | | $\mathcal{H}_6$ | $e_6$ | $ eg\mathcal{H}_5$ | | $\mathcal{H}_7$ | $e_7$ | rst = '0' | | $\mathcal{H}_8$ | $e_8$ | $ eg \mathcal{H}_7$ | The state machine (see code for traffic light controller in the Appendix) has only four states. Those four states now have outbound arrows indicating the event types. The event types represent the **if** statement structure in the code. Figure 2.5: Traffic Light FSM The process of the controller that sets the lights has a state machine which is isomorphic to the main controller process. That process uses the same state symbols as the main process and so the isomorphism is identifying the correct states. Hence we can safely elide this and consider that process as folded into the main process. There is another process of the controller that handles counting clock cycles for flashing the light and has no internal states; so this process can safely thought of as being folded into the main controller process. The local next state relations for the locality of the controller are $H_0$ through $H_{10}$ and can be read off the diagram: | Next State Relation ${\mathcal K}$ | | | |------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--| | Relation | Tuples | | | $\mathcal{H}_0$ | $\{\langle s0, s4 \rangle, \langle s1, s4 \rangle, \langle s2, s4 \rangle, \langle s3, s4 \rangle, \langle s4, s4 \rangle\}$ | | | $\mathcal{H}_1$ | $\{\langle s0, s0 \rangle\}$ | | | $\mathcal{H}_2$ | $\{\langle s0, s1 \rangle\}$ | | | $\mathcal{H}_3$ | $\{\langle s1, s1 \rangle, \langle s3, s3 \rangle\},\$ | | | $\mathcal{H}_4$ | $\{\langle s1s2\rangle, \langle s3, s0\rangle\}$ | | | $\mathcal{H}_5$ | $\{\langle s2, s2 \rangle\}$ | | | $\mathcal{H}_6$ | $\{\langle s2, s3 \rangle\}$ | | | $\mathcal{H}_7$ | $\{\langle s4, s0 \rangle\}$ | | | $\mathcal{H}_8$ | $\{\langle s4, s4 \rangle\}$ | | Table 2.1: Next State Relations for the Traffic Light Controller Were we to check state sequencing in the spider of the controller, these relations would be used for designing the checks. We did not do so in order to get a lightweight spider. We bring them up here to show the relationship between event types and next state relations. The overall next state relation for the controller is $$\mathcal{H} \stackrel{def}{=} \bigcup_{0 \leq i \leq 8} \mathcal{H}_i.$$ The relation $\mathcal{H}$ would be of use for abstract properties such as "is state i accessible from state j". ## 2.3 Monitoring Conditions The logic conditions in the spider that were monitored can be be collected into *invariants*. That is, they must hold throughout the entire state machine of the traffic light controller. This feature allowed us to not track in the spider the state transitions of the controller. In a more expensive spider, say one where we really want to know precisely what failed in the controller, we would need to track state transitions. The companion report explains some of the machinery necessary to do this. The spider has two states: 8 Gerard Allwein Q0: Checking for faults. Q1: Fault found, waiting for reset. The logic fault conditions are F0: $$((ns\_lights = green) \lor (ns\_lights = yellow)) \land (ew\_lights \neq red)$$ F1: $((ew\_lights = green) \lor (ew\_lights = yellow)) \land (ns\_lights \neq red)$ F2: $(ns\_lights = red) \land (ew\_lights = red)$ where $\vee$ stands for disjunction, i.e., or, and $\wedge$ stands for conjunction, i.e., and. Other logic fault conditions ``` F3: \ (ns\_lights = green) \land ((ns\_lights = red) \lor (ns\_lights = yellow)) F4: \ (ns\_lights = red) \land ((ns\_lights = green) \lor (ns\_lights = yellow)) F5: \ (ns\_lights = yellow) \land ((ns\_lights = red) \lor (ns\_lights = green)) F6: \ (ew\_lights = green) \land ((ew\_lights = red) \lor (ew\_lights = yellow)) F7: \ (ew\_lights = red) \land ((ew\_lights = green) \lor (ew\_lights = yellow)) F8: \ (ew\_lights = yellow) \land ((ew\_lights = red) \lor (ew\_lights = green)) ``` The check time limit event types are $$F9: (ns\_count > clk\_limit +1) \land (DBG\_TRIG\_ENBL \lor \neg (ns\_lights\_r(2) = '1' \land ns\_lights(2) = '0')) \\ \land (ns\_lights(0) = '1' \lor ns\_lights(1) = '1') \\ F10: (ew\_count > clk\_limit +1) \land (DBG\_TRIG\_ENBL \lor \neg (ew\_lights\_r(2) = '1' \land ew\_lights(2) = '0')) \\ \land (ew\_lights\_r(2) \neq '1' \land (ew\_lights(0) \neq '1' \lor ew\_lights(1) = '1')) \\ \end{cases}$$ The event types F9 and F10 require some explanation. The clock\_limit check is obviously checking for a timing fault. The DBG\_TRIG\_ENBL is for debugging the spider. When it is not set, extra checks are made. We left this in so that it is clear that the spider and its job of checking errors needs to be checked for bugs just as the plant. A further spider could have been written that would check for the conditions following the DBG\_TRIG\_ENBL under the right circumstances. We did not do so in the interest of simplicity. We define the event type $$t_0 \stackrel{\text{def}}{=} \bigvee_{0 \le i \le 10} F_i = F_0 \vee F_1 \vee \cdots \vee F_{10},$$ That is, $t_0$ is a label for the disjunction on the right. $t_0$ 's description is fault\_i = '1' because whenever one of these conditions is satisfied in the code, fault is set to 1. The event types for the spider state machine are | | <b>Next-State Relation</b> | <b>Event Type Prescription</b> | | |---|----------------------------|--------------------------------|-----------------------------------| | - | $\mathcal{K}_0$ | $t_0$ | fault_i = '1' | | | $\mathcal{K}_1$ | $t_1$ | $ eg \mathcal{K}_0$ | | | $\mathcal{K}_2$ | $t_2$ | spider_rst= '0' and fault_i = '0' | | | $\mathcal{K}_3$ | $t_3$ | $\neg \mathcal{K}_2$ | The state machine for the spider is Figure 2.6: Spider State Machine The local next state relations for the locality of the spider are $K_0$ through $K_3$ and can be read off the diagram: | Concurrence Relation ${\mathcal F}$ | | |-------------------------------------|----------------------------| | Relation | Tuples | | $\mathcal{K}_0$ | $\{\langle q0,q1\rangle\}$ | | $\mathcal{K}_1$ | $\{\langle q0,q0\rangle\}$ | | $\mathcal{K}_2$ | $\{\langle q1,q0\rangle\}$ | | $\mathcal{K}_3$ | $\{\langle q1,q1\rangle\}$ | Table 2.2: Next State Relations for the Spider The overall next state relation for the controller is $$\mathcal{K} \stackrel{def}{=} \bigcup_{0 \le i \le 3} \mathcal{K}_i.$$ The spider checked for fault conditions F0 through F10. If one of these faults occurred, the spider in state Q1 caused the lights to blink red by signaling to the controller to enter its state S4. 10 Gerard Allwein #### 2.4 Distributed Structure The sole distributed relation $\mathcal{F} \subseteq H \times K$ pairs possible states from each state machine that can operate in parallel. We do not use this relation in defining any distributed logic connectives for the reason that all we used were invariants that hold regardless of the states in which the spider and the controller find themselves. The distributed relation $\mathcal{F}$ would be of use if the spider checked state changes in the controller. The distributed relation $\mathcal F$ showing the states in the spider and controller that can concur is | Concurrence Relation ${\mathcal F}$ | | | |-------------------------------------|---------------------------------------------------|--| | Relation Tuples | | | | $\mathcal{F}$ | $\{\langle q0, s0\rangle, \langle q0, s1\rangle,$ | | | | $\langle q0, s2 \rangle, \langle q0, s3 \rangle,$ | | | | $\langle q1, s4 \rangle \}$ | | Table 2.3: Concurrence Relation for the Spider and the Traffic Light Controller #### 3. CONCLUSIONS We learned quite a bit about spiders and plants from the traffic light system. The notion of *invariants* came about by trying to write a simple spider and realizing that to check everything the traffic light controller did required essentially a copy of the controller in the spider. Disregarding mitigation code, a similar effect can be had by running two copies of the controller and comparing their outputs. However, this will not check design errors in the controller and there is no recovery mechanism when some error is detected. Our spider for the traffic light controller used a minimal set of states to watch over all the states of the controller. Put in different terms, we did not wish to trust that the outputs were set correctly. Rather, the conditions in which the spider is interested are sections of the cross product of the outputs. A section is a particular element of that cross product, i.e., a tuple of values for all the outputs, or at least the outputs in which the spider is interested. Apparently in VHDL, an architecture cannot read its own outputs. To read the values, those outputs must be stored in buffers. Hence the use of similar sounding signals in the architecture which record the values of those outputs. The use of those kinds of signals is slightly different between the spider and the controller. This can cause a confusion in anyone reviewing the spider + controller combination. The result is that at the clock strike, the similar signals get set to the current new values of the outputs as well as the outputs. Typically, the plant is produced first and then a spider written. Optimally, it would be best for the spider to be written at the same time as the plant. The main reason for this has to do with the signals a spider requires in order to adequately monitor a plant. Every signal the spider requires from the plant must be exported from the plant's code so that the spider can use it. This feature means that it is a good idea to build a wrapper module for the spider-plant combination with an eye toward's integrating this combination with a larger system. It might easily be the case that there is more than one spider in a system, each concerned with a specific module as its plant. It may even be that for increased high assurance, there are spiders monitoring other spiders or spider-plant combinations. There appear to be at least two philosophies for writing a spider with a specific plant in mind. One is that the mitigation code resides mostly in the spider and the other where the mitigation code resides mostly in the plant. Remember that both are usually compiled together by vendor tools. There must be a minimal amount of mitigation code in the spider even if most of it resides in the plant. That minimal amount directed the plant's mitigation code. There might also be a minimal amount of mitigation code in the plant for the case were the plant should not operate as normal while mitigation is occurring. However, it might be possible to put no mitigation code in the plant and have the spider gate the plant's signals to prevent the plant from interfering with the mitigation. One good reason for putting the mitigation entirely (if possible) in the spider is that this avoids touching the module being spidered, the con is that this would reduce the insight we have into that module. The primary reason that the separation would be useful is if/when the spider is autogenerated and integrated into the design at a higher level, the auto-generation of the spider would not involve updating existing modules. There is a security consideration that it might be good to keep the mitigation logic totally within the spider itself. Assume the plant consists of "secure" code with its own provenance. The spider acts as a 'gating' function for signals being protected and the untrusted module (spider) does not directly touch the secure code. This begs the question of how secure is the spider itself. This could be secured using the same mechanisms as the plant. However, the plant might come from a trusted source and access to the source code may not even be possible. In this latter case, mitigation necessarily must be performed in the spider. #### 4. APPENDIX #### 4.1 Wrapper Code ``` 1 library ieee; 2 use ieee.std logic 1164.all; 3 use ieee.std logic unsigned.all; 4 library xil defaultlib; entity top_wrap is generic ( blank : std logic vector(2 downto 0):= "000"; ——? blank? : std logic vector(2 downto 0):= "001"; green 9 yellow : std logic vector(2 downto 0):= "010" 10 : std_logic_vector(2 downto 0):= "100"; red 11 flash_red_period : std_logic_vector(3 downto 0):= "1000"; 12 clk limit : std logic vector(3 downto 0):= "1001"; 13 : std logic vector(2 downto 0):= "000"; error none : std logic vector(2 downto 0):= "001"; error req 15 : std_logic_vector(2 downto 0):= "010"); error_mit 16 17 port ( -- inputs 18 : in std logic; -- clock signal clk 19 : in std logic; spider rst -- spider reset signal to put spider 20 ``` ``` -- in quiesscent state 21 ns car : in std logic; -- signal to represent presence of 2.2 -- a car at N/S intersection 23 : in std logic; -- signal to represent presence of ew car 24 -- a car at E/W intersection 25 -- outputs 26 -- "001" = error, "010" = error in std logic vector (2 downto 0); 27 error : out -- mitigation 28 fault std_logic; -- signal to light controller that a fault 29 : out -- has been detected 30 ns lights std logic vector (2 downto 0) := "001"; — North/South intersection lights; 31 -- see generic above for values 32 : out std logic vector (2 downto 0) := "100"); — East/West intersection lights; 33 ew lights -- see generic above for values 34 35 end top wrap; architecture rtl of top_wrap is component top is 37 generic ( 38 -- "000"; -- ? blank? : std logic vector(2 downto 0):= blank; 39 blank : std logic vector(2 downto 0):= green; -- "001"; green 40 yellow : std logic vector(2 downto 0):= yellow; -- "010"; 41 : std_logic_vector(2 downto 0):= red ; -- "100"; red 42 flash red period: std logic vector(3 downto 0):= flash red period; --"1000"; 43 : std logic vector(3 downto 0):= "1001"); clk limit 44 port ( 45 — inputs 46 : in std_logic; -- clock signal clk 47 : in -- reset signal to set N/W lights to rst std_logic; 48 -- green & E/W lights to red 49 -- signal to represent presence of 50 ns car : in std logic; -- a car at N/S intersection 51 ew car : in std logic; -- signal to represent presence of 52 -- a car at E/W intersection 53 fault : in std logic; -- signal from spider that a fault 54 -- has been detected by the spider 55 -- outputs 56 ns lights std logic vector (2 downto 0) := "001"; — North/South intersection 57 -- lights; see generic above 58 -- for values 59 ew_lights : out std logic vector (2 downto 0) := "100"); — East/West intersection 60 -- lights; see generic above 61 -- for values 62 end component; 63 64 component spider_top is 65 generic ( 66 -- "001"; green : std logic vector(2 downto 0):= green; 67 yellow : std logic vector(2 downto 0):= yellow; -- "010" : 68 : std logic vector(2 downto 0):= red ; -- "100" ; red 69 -- "1001"; : std_logic_vector(3 downto 0):= clk_limit ; clk limit 70 -- "000"; error none : std logic vector(2 downto 0):= error none; 71 error reg : std logic vector(2 downto 0):= error reg; -- "001" ; 72 ``` red 124 => red ``` -- "010" ); : std logic vector(2 downto 0):= error mit; 73 port ( 74 75 -- inputs clk : in std_logic; -- clock signal 76 spider_rst : in std_logic; -- spider reset signal to put spider 77 -- in quiesscent state 78 : in std_logic_vector (2 downto 0); ns lights — North/South intersection -- lights; "001" = green, "010" = yellow, "100" = red 80 : in std_logic_vector (2 downto 0); -- East/West intersection 81 ew_lights -- lights; "001" = green, "010" = yellow, "100" = red 82 -- outputs 83 -- "001" = error, "010" = error in mitigation : out std_logic_vector (2 downto 0); error 84 -- "001" = error, presumably we will want more 85 rst : out std logic; fault : out std_logic); -- signal to light controller that a fault 86 87 -- has been detected end component; 88 89 signal rst i : std logic; 90 91 signal fault i : std logic; signal ns lights i : std logic vector (2 downto 0); signal ew_lights_i : std_logic_vector (2 downto 0); signal error_i : std_logic_vector (2 downto 0); 95 begin 97 fault <= fault_i; ns_lights <= ns_lights_i;</pre> ew_lights <= ew_lights_i; 101 102 top_i: top 103 generic map ( 104 blank => blank 105 green => green 106 => yellow yellow red => red 108 flash_red_period => flash_red_period, 109 clk limit => clk_limit 110 port map ( 111 clk => clk 112 rst => rst i ns_car => ns car 114 ew_car => ew_car 115 fault => fault_i 116 ns_lights => ns_lights_i 117 ew_lights => ew_lights_i ); 118 119 spider_i: spider_top 120 generic map ( 121 green => green 122 yellow => yellow 123 ``` ``` clk limit => clk limit 125 error_none => error_none , 126 => error reg 127 error_reg => error_mit ) error_mit 128 port map ( clk => clk 130 spider_rst => spider_rst , 131 => ns_lights_i, ns_lights 132 => ew_lights_i, 133 ew_lights error => error 134 rst => rst i 135 fault => fault i ); 136 138 end rtl; ``` #### 4.2 Traffic Light Controller **type** state\_type **is** (s0, s1, s2, s3, s4); ``` -- Module to control traffic lights at a four-way intersection 4 library ieee; s use ieee.std logic 1164.all; 6 use ieee.std logic unsigned.all; use ieee.numeric std.all; entity top is generic ( 9 : std\_logic\_vector(2 downto 0):= "000"; --? blank? blank 10 green : std logic vector(2 downto 0):= "001"; 11 : std logic vector(2 downto 0):= "010"; yellow 12 : std logic vector(2 downto 0):= "100" red 13 flash red period: std logic vector(3 downto 0):= "1000"; : std_logic_vector(3 downto 0):= "1001"); clk limit 15 16 port ( -- inputs 17 : in std_logic; clk -- clock signal rst : in std_logic; -- reset signal to set N/W lights to 19 -- green & E/W lights to red 20 : in std_logic; -- signal to represent presence of ns_car 21 -- a car at N/S intersection 22 std_logic; -- signal to represent presence of ew_car : in 23 — a car at E/W intersection 24 : in fault std_logic; -- signal from spider that a fault has 2.5 — been detected by the spider 26 -- outputs 27 ns lights std_logic_vector (2 downto 0) := "001"; -- North/South intersection lights; : out 28 -- see generic above for values 29 ew lights : out std logic vector (2 downto 0) := "100"); -- East/West intersection lights; 30 -- see generic above for values 31 32 end top; 33 34 architecture rtl of top is ``` ``` signal state : state type; signal count : std logic vector(3 downto 0); 37 signal flash_count : std_logic_vector(3 downto 0):= (others => '0'); 38 39 signal ns_lights_i : std_logic_vector (2 downto 0); -- North/South intersection lights; see generic above 40 -- for values 41 signal ew_lights_i : std_logic_vector (2 downto 0); — East/West intersection lights; see generic above 42 -- for values 43 44 signal blank_r : std_logic:= '0'; 45 46 47 begin 48 --reset(rst) issue @rising edge make a transition to red light blanking state @falling edge make a transition to NS-GR EW-RD (s0) 50 --if fault exist make a transition to red light blanking state 51 52 ss ns lights <= ns lights i; 54 ew_lights <= ew_lights_i; 56 process (clk) 58 begin -- case s0: North/South lights green, East/West lights red 59 -- case s1: North/South lights yellow, East/West lights red 60 -- case s2: North/South lights red, East/West lights green 61 -- case s3: North/South lights red, East/West lights yellow 62 -- case s4: fault detected by spider, flash the red lights 63 if (clk'event and clk = '1') then 64 65 if (rst = '1' or fault = '1') then 66 state <= s4; -- (e9) flash red until the reset is taken away 67 count <= "0000"; 68 else 69 70 case state is 71 when s0 => 72 if ((ew_car = '0' and count < clk_limit) or --- (e1): no car present on EW and count less than 9 73 (ns_car = '1' and count < clk_limit) or --- car present on NS and count less than 9 (count < "0100")) then --- count less than 4 (car exist does not matter) 75 state \langle = s0; --stay \text{ in the same state until condition are false } (0-5 \operatorname{sec don't check car}) -- is there) 77 count <= count + 1; 78 else ---(e2): 79 state \leq s1; 80 count <= "0000"; 81 end if: 82 when s1 => 83 if (count < "0101") then -- (e3) count less than 5? (error) 84 state \langle = s1; 85 count <= count + 1; 86 --(e4) else ``` ``` state \langle = s2; count <= "0000"; 89 end if: when s2 => 91 if ((ns_car = '0' and count < clk_limit) or --- (e5) no car present on NS and count less than 9 (ew car = '1' and count < clk limit) or --- car present on EW and count less than 9 93 (count < "0100")) then --- count less than 4? (error) state <= s2: 95 count <= count + 1; else --- (e6) 97 state \langle = s3; 98 count <= "0000"; 99 100 end if: when s3 => 101 if (count < "0101") then --- (e3) count is less than 5? (error) 102 state <= s3; 103 count <= count + 1; 104 ---(e4) else state \leq s0: 106 count <= "0000"; end if; 108 when s4 => --- (e7) note: a reset is required to get out of s4 if (rst = '0') then 110 state <= s0; --- (e8) no change in state end if: 112 when others => 113 state \leq s0; 114 end case; 115 end if: 116 117 end if; end process; 119 -- this special flsh counter is work only when reset is asserted. process (clk) 121 122 begin 123 if (clk'event and clk = '1') then --- flash_red_period is less than 8? (error) flash_count <= "0000"; if rst = '0' then 125 flash_count <= (others => '0'); blank r \le 0; 127 elsif (unsigned (flash_count) > unsigned(flash_red_period)) then flash count <= (others => '0'); 129 blank_r <= not blank_r; 130 --wf (blank_r = '0') then 131 -- blank_r <= '1'; 132 --else 133 -- blank_r <= '0'; 134 --end if; 135 else 136 flash_count <= flash_count + 1;</pre> 137 end if; 138 end if; 139 ``` ``` 140 end process; 141 lights: process(state, blank_r) 142 143 begin 144 case state is 145 when s0 \Rightarrow ns_lights_i <= green; 147 ew_lights_i <= red; 148 149 when s1 => 150 ns_lights_i <= yellow; 151 152 ew lights i <= red; 153 when s2 => 154 ns_lights_i <= red; 155 ew lights i <= green; 156 when s3 => 158 159 ns_lights_i <= red; ew_lights_i <= yellow; 160 when s4 => 162 if (blank_r = '0') then 164 ns_lights_i <= blank; 165 ew_lights_i <= blank; 166 167 else 168 ew lights i <= red; 169 ns_lights_i <= red; 170 171 end if; 172 173 when others => 174 175 ns lights i <= green; ew_lights_i <= red; end case; 177 end process; 179 181 end rtl; 4.3 Spider 1 — Spider Module (prenatal) for checking traffic light controller at a four—way intersection — In this version, only simple conditions are checked, namely invalid outputs. 4 — The idea was to construct the minimal spider; hence there is only a single state, q0 ``` 5 — Under the understanding of a minimal spider, the controller has not been changed. 6 — interested what we can see from the outside. Sooner or later, the internal states of the 7 — controller should be exported. ``` 9 library ieee: use ieee.std_logic_1164.all; use ieee.std_logic_unsigned.all; entity spider top is 13 generic ( DBG TRIG ENBL: boolean:=false; 15 : std_logic_vector(2 downto 0):= "001"; 16 yellow : std_logic_vector(2 downto 0):= "010"; 17 red : std logic vector(2 downto 0):= "100"; 18 : std_logic_vector(3 downto 0):= "1001"; clk limit 19 error none : std logic vector(2 downto 0):= "000"; 20 error_reg : std_logic_vector(2 downto 0):= "001"; 21 error mit : std logic vector(2 downto 0):= "010"); 22 port ( 23 -- inputs 24 -- clock signal clk : in std logic; spider rst: in std logic; — spider reset signal to put spider in 26 -- quiescent state 27 ns lights : in std_logic_vector (2 downto 0); -- North/South intersection 28 -- lights; "001" = green, "010" = yellow, "100" = red -- East/West intersection : in std logic vector (2 downto 0); ew lights 30 -- lights; "001" = green, "010" = yellow, "100" = red -- outputs 32 error : out std_logic_vector (2 downto 0); -- "001" = error, "010" = error 33 -- in mitigation 34 -- "001" = error, presumably we will rst : out std_logic; 35 -- want more 36 — signal to light controller that a 37 fault : out std logic); -- fault has been detected 38 end spider top; 39 40 architecture rtl of spider top is 41 42 type state type is (q0, q1); signal state : state type := q0; 43 signal ns count : std logic vector(3 downto 0); : std_logic_vector(3 downto 0); signal ew_count 45 signal error_count : std_logic_vector(3 downto 0); signal fault i : std logic; 47 signal error code: natural; signal ns_lights_r : std_logic_vector (2 downto 0); -- North/South intersection lights; 49 -- "001" = green, "010" = yellow, "100" = red 50 signal ew_lights_r : std_logic_vector (2 downto 0); -- East/West intersection lights; 51 -- "001" = green, "010" = yellow, "100" = red 52 53 begin fault <= fault i; process (clk, spider rst) 56 57 begin 58 — states for the spider 59 — case q0: fault conditions being checked normally ``` ``` -- case q1: fault detected, awaiting reset 61 -- Reset is a bit tricky to code without causing a race condition. We check for both rising and falling edges 62 -- with the idea that the rst to the controller should not be bouncing around, hence we waited until the 63 — spider's reset has fallen and then reset the controller. It is a bit unclear about how this is wired up -- external to the spider and the controller. Right now, it is assumed the rst the controller is only set 65 — in the spider. However, it could be both could be set at the same time external to the spider. 67 — There is also an assumption that the controller's clock is sufficiently fast to catch the rising edge of 68 its spider's reset and the falling edge will have of the spider's reset will have sufficient time elapsed 69 — for the controller to recognize its reset before the spider sets that signal back to '0'; 70 71 72 if (spider_rst = '1') then 73 74 ns\_count <= "0000"; -- counter for ns_light duration since changed from last change 75 ew count <= "0000"; -- counter for ew_light duration since changed from last change 76 error count <= "0000"; 77 error <= error none; 78 rst <= '1'; 79 fault i \leq '0'; 80 state \leq q1; 81 --error code to distinguish the fault why it is generated. error code \langle = 0; 82 ns_lights_r <= "000"; --register ns_lights and ew_lights to detect the light has been changed. ew lights r \le "000"; 84 85 elsif (clk'event and clk = '1') then 86 rst <= '0'; 87 --register ns_lights and ew_lights to detect the light has been changed. 88 89 ns lights r \le ns lights; ew_lights_r <= ew_lights; 90 91 if (ns_lights_r /= ns_lights) then --register ns_lights and ew_lights to detect the light 92 — has been changed. 93 94 ns count <= (others => '0'); else 95 ns count <= ns count + 1; 97 if (ew_lights_r /= ew_lights) then --register ns_lights and ew_lights to detect the light -- has been changed. 99 ew count <= (others => '0'); else 101 ew_count <= ew_count + 1; 102 end if; 103 case state is 104 when q0 => 105 106 if (((ns_lights = green) or (ns_lights = yellow)) and (ew_lights /= red)) then 107 error <= error reg; 108 fault_i \leftarrow '1'; 109 error count <= error count + 1; 110 error code <= 1; 111 ``` ``` elsif (((ew lights = green) or (ew lights = yellow)) and (ns lights /= red)) then 112 error <= error reg; 113 fault i <= '1'; 114 error_count <= error_count + 1; 115 error_code <= 2; elsif ((ns lights = red) and (ew lights = red)) then 117 error <= error_reg; fault_i \leftarrow '1'; 119 120 error_count <= error_count + 1; error_code <= 3; 121 end if; 122 123 if (((ns lights and red) = red) and (((ns lights and green) = green) or 124 ((ns_lights and yellow) = yellow))) then 125 error <= error reg; 126 fault_i <= '1'; 127 error count <= error count + 1; 128 error code <= 4; elsif (((ns lights and green) = green) and (((ns lights and red) = red) or 130 ((ns_lights and yellow) = yellow))) then 131 error <= error reg; 132 fault_i <= '1'; error count <= error count + 1; 134 error code <= 5; elsif (((ns_lights and yellow) = yellow) and (((ns_lights and red) = red) or 136 ((ns_lights and green) = green))) then 137 error <= error_reg; 138 fault_i \langle = '1'; 139 error_count <= error_count + 1; 140 141 error code <= 6; end if: 142 143 if (((ew_lights and red) = red) and (((ew_lights and green) = green) or ((ew lights and yellow) = yellow))) then 145 error <= error reg; fault i <= '1'; 147 error_count <= error_count + 1; error code \langle = 7; 149 elsif (((ew_lights and green) = green) and (((ew_lights and red) = red) or ((ew lights and yellow) = yellow))) then 151 error <= error reg; fault_i \leftarrow '1'; 153 error_count <= error_count + 1; 154 error_code <= 8; 155 elsif (((ew_lights and yellow) = yellow) and (((ew_lights and red) = red) or 156 ((ew lights and green) = green))) then 157 error <= error reg; 158 fault i \langle = '1'; 159 error count <= error count + 1; 160 error_code <= 9; 161 end if; 162 ``` 163 ``` — We choose a minimal condition here in lieu of recreating the entire controller's time checks 164 if (ns count > clk limit+1 and (DBG TRIG ENBL or not (ns lights r(2) = '1' and ns lights(2) = '0')) 165 and (ns lights(0) = '1' or ns lights (1)='1')) 166 or (ew_count > clk_limit+1 and (DBG_TRIG_ENBL or not (ew_lights_r(2) = '1' and ew_lights(2) = '0')) 167 and (ew_lights_r(2) /= '1') and ( ew_lights(0) /= '1' or ew_lights (1)='1')) 169 fault i \langle = '1'; error code <= 10; 171 end if; 172 173 if (fault i = '1') then 174 — flip to the main fault_i state 175 state \langle = q1; 176 end if: 177 178 when q1 => 179 if (spider rst= '0' and fault i = '0') then 180 state \langle = q0; end if: 182 -- awaiting reset, we minimally spider the flashing red lights 183 if ((ns_lights /= red) and (ew_lights = red)) then 184 error <= error_mit; elsif ((ns lights = red) and (ew lights /= red)) then 186 error <= error mit; end if: 188 189 when others => 190 state \leq q0; 191 end case: 192 193 end if: 194 end process; 195 196 197 end rtl; ``` #### REFERENCES - A. Procter, W. L. Harrison, I. Graves, M. Becchi, and G. Allwein, "A Principled Approach to Secure Multi-Core Processor Design with ReWire," Proceedings of the Proceedings of the ACM SIG-PLAN/SIGBED Conference on Languages, Compilers, Tools and Theory for Embedded Systems (ACM Digital Library), 2016. - 2. W. L. Harrison, A. Procter, I. Graves, M. Becchi, and G. Allwein, "A Programming Model for Reconfigurable Computing Based in Functional Concurrency," Proceedings of the Proceedings of the 11th International Symposium on Reconfigurable Communication-centric Systems-on-Chip (ReCoSoC 2016) (IEEE), 2016, pp. 1–8. - 3. P. Cousot and R. Cousot, "Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints," Proceedings of the Conference Record of the Fourth ACM Symposium on Principles of Programming Languages, Los Angeles, California, USA (ACM Press), 1977, pp. 238?–252. 4. G. Allwein and W. L. Harrison, "Distributed Modal Logic," in K. Bimbó, ed., *J. Michael Dunn on Information Based Logic: Outstanding Contributions to Logic*, pp. 331–362 (Springer-Verlag, 2016). - 5. J. M. Dunn and G. Hardegree, *Algebraic Methods in Philosophical Logic*, Oxford Logic Guides 41 (Oxford University Press, 2001). - 6. C. A. R. Hoare, "An Axiomatic Basis for Computer Programming," *Communications of the ACM* **12**, 576–580, 583 (1969). - 7. K. R. Apt, "Ten Years of Hoare's Logic: A Survey–Part 1," *ACM Transactions on Programming Languages and Systems* **3**, 431–483 (1981). - 8. D. Barker-Plummer, J. Barwise, and J. Etchemendy, *Language, Proof, and Logic*, second ed. (CSLI Publications, 2011). - 9. P. J. Freyd and A. Scedrov, Categories, Allegories (North-Holland, 1990).