Information Flow Analysis of Combined Simulink/Stateflow Models


  • Marcus Mikulcak Technische Universität Berlin Software and Embedded Systems Engineering Group
  • Paula Herber University of Münster Computer Science Department
  • Thomas Göthel Technische Universität Berlin Software and Embedded Systems Engineering Group
  • Sabine Glesner Technische Universität Berlin Software and Embedded Systems Engineering Group



Embedded Systems, Information Flow Analysis, UPPAAL, MATLAB, Simulink, Stateflow, Safety


Simulink and its state machine design toolbox Stateflow are widely-used industrial tools for the development of complex embedded systems. Due to the strongly differing execution semantics of Simulink and Stateflow, the analysis of combined models poses a difficult challenge. In this paper, we present a novel approach to relate the semantics of both the dynamic and the controller components and use it to perform an information flow analysis on a combined model consisting of discrete Simulink components and Stateflow controllers. The key idea of our approach is that we analyze the information flow in a given model by computing an over-approximation of the control flow, and deduce whether all control flow conditions combined permit information to flow on a given path or not. Our control flow analysis approach is threefold: (1) we identify timed path conditions which capture the conditions for time-dependent information flow on paths of interest for (discrete) Simulink components, and translate them into a UPPAAL timed automata representation, (2) we translate the Stateflow components to UPPAAL timed automata, and (3) we perform model checking on the resulting set of automata to analyze the existence of paths in the combined model. With our approach, we safely rule out the existence of information flow on specific paths through a model, which enables us to reason about non-interference between model parts and the compliance with security policies. Furthermore, our approach presents a starting point to generate feasible, efficient test cases and to perform compositional verification. We demonstrate the applicability of our approach using two versions of a complex case study from the automotive domain consisting of multiple safety-critical components communicating over a shared bus system.