NODE-CONSTANT//SRF-13 · SIGNALHARDEN
Critical Infrastructure

Signal

Formal safety certification for critical infrastructure.

No commercial platform formally verifies industrial control systems. Dragos detects. Claroty monitors. Signal proves. Signal applies Z3 formal verification to PLC ladder logic, SCADA control loops, and industrial protocol parsers — producing machine-verifiable safety certificates for the systems that keep reactors stable, pipelines flowing, and power grids online. When the CNSC requires a formal safety case, Signal generates it. When a pipeline operator needs proof that a pressure control loop cannot exceed design limits under any reachable input, Signal proves it. This is not a security scanner. It is an industrial certification engine — the first of its kind.

  • 800B+ · Lines COBOL in Prod
  • CNSC · Safety Case Target
  • 0 · Commercial Alternatives
§ SPECIFICATION
Input
  • PLC Ladder Logic / Structured Text / Function Block Diagram (IEC 61131-3)
  • SCADA configuration + process variable definitions (pressure, flow, temperature bounds)
  • Industrial protocol implementation source — Modbus, DNP3, IEC 61850, OPC-UA
  • Control loop specification + safety invariants
  • Optional: CODESYS runtime C source for deep static analysis
Constraints Verified
  • Process variable bounds — pressure, temperature, flow cannot exceed design limits under any reachable PLC state
  • Control loop termination — PERFORM UNTIL / scan cycle cannot diverge
  • Ladder logic rung reachability — dead rungs and unreachable safety interlocks formally identified
  • Protocol parser arithmetic — integer overflow in Modbus register parsing, DNP3 length fields
  • Safety interlock reachability — emergency shutdown logic cannot be bypassed under adversarial input sequence
  • State machine invariants — process cannot enter undefined or dangerous state under formal attacker model
Output
  • Z3 formal safety certificate per invariant (machine-verifiable)
  • Control loop reachability proof — states that cannot be entered under any input
  • Protocol parser overflow witness values (exact attacker-controlled bytes)
  • CNSC-formatted formal safety case document
  • Remediation path with re-verification of fix
§ SAMPLE PROOF ARTIFACT
ARTIFACT // SIGNAL-MODBUS-01 · FAILURE DETECTED
// SAMPLE PROOF — SIGNAL ENGINE

Natural gas pipeline — Modbus register overflow bypasses pressure safety interlock

Target: Pipeline SCADA — libmodbus 3.1.x implementation
Condition: register_addr: uint16 = 0xFFFF + offset 1 → wraps to 0x0000 → reads safety interlock register as process data → emergency shutdown logic unreachable
Verdict: SAT
Summary: Safety interlock bypass formally proved. Attacker-controlled Modbus register address wraps past array bounds, reading the emergency shutdown flag as a process variable. ESD logic becomes unreachable. Z3 witness: register_addr=0xFFFF, offset=1. CVE filed against libmodbus.
Status: Review-ready
→ View full artifact repository
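The "Protocol parser arithmetic" constraint in the specification above and the sample artifact both turn on the same question: can a 16-bit register address plus an offset ever wrap below the request's start address, and if so, for which inputs? The following is an added example, not Signal's engine and not libmodbus code: a constructed toy model of a Modbus-style register-address computation. It poses that question to Z3 as a bit-vector satisfiability problem when the z3-solver package is installed (a SAT result carries a witness, UNSAT is a proof that no such input exists), and otherwise answers it by exhaustive search over the finite 2^16 address space, which is a complete proof for a domain this small. The constants MAX_QUANTITY and INTERLOCK_ADDR and all function names are assumptions chosen for this example. It also goes one step beyond the artifact by showing the hardened form, a bounds guard evaluated in wide arithmetic before truncation, and re-verifying that the wrap is then unreachable.

```python
"""Constructed toy model (not libmodbus, not Signal): 16-bit register-address
wraparound, proved reachable in the vulnerable form and unreachable once a
wide-arithmetic bounds guard is added."""

try:
    import z3
    HAVE_Z3 = True
except ImportError:          # z3-solver not installed: exhaustive fallback only
    HAVE_Z3 = False

ADDR_MASK = 0xFFFF           # 16-bit Modbus register address space
MAX_QUANTITY = 125           # assumed cap on registers per read request
INTERLOCK_ADDR = 0x0000      # assumed: address of the ESD flag in this model


def effective_addresses(register_addr: int, quantity: int) -> list:
    """Vulnerable computation: every address is truncated to 16 bits, so a
    request near the top of the space silently wraps around to 0x0000."""
    return [(register_addr + offset) & ADDR_MASK for offset in range(quantity)]


def touches_interlock(register_addr: int, quantity: int) -> bool:
    """True when a read that does NOT start at the interlock address still
    ends up reading it, i.e. the interlock flag is returned as process data."""
    return register_addr != INTERLOCK_ADDR and INTERLOCK_ADDR in effective_addresses(register_addr, quantity)


def request_in_bounds(register_addr: int, quantity: int) -> bool:
    """Hardened guard: validate the *end* address in Python's unbounded
    integers before any truncation happens, and reject instead of wrapping."""
    return 1 <= quantity <= MAX_QUANTITY and register_addr + quantity - 1 <= ADDR_MASK


def wrap_witness_exhaustive(guarded: bool):
    """Complete search of the finite input space, highest address first.
    Returns (register_addr, offset) of a request whose effective address
    lands below its start (a wrap), or None if no such request exists.

    With the guard on, only the largest quantity the guard still accepts
    needs checking per start address: the addresses touched by a smaller
    quantity are a prefix of that list."""
    for register_addr in range(ADDR_MASK, -1, -1):
        quantity = MAX_QUANTITY
        if guarded:
            quantity = min(MAX_QUANTITY, ADDR_MASK - register_addr + 1)
            assert request_in_bounds(register_addr, quantity)
        addrs = effective_addresses(register_addr, quantity)
        if addrs[-1] < register_addr:              # addresses only wrap at the tail
            offset = next(i for i, a in enumerate(addrs) if a < register_addr)
            return register_addr, offset
    return None


def wrap_witness_z3(guarded: bool):
    """Same question posed to Z3 over 16-bit bit-vectors: is there a
    (register_addr, offset) whose truncated sum is below register_addr?
    SAT yields a witness; UNSAT is a machine-checked proof that none exists."""
    register_addr = z3.BitVec("register_addr", 16)
    offset = z3.BitVec("offset", 16)
    quantity = z3.BitVec("quantity", 16)
    s = z3.Solver()
    s.add(z3.UGE(quantity, 1), z3.ULE(quantity, MAX_QUANTITY))
    s.add(z3.ULT(offset, quantity))                 # offset ranges over the request
    if guarded:
        # the guard's wide-arithmetic check, encoded by zero-extending to 32 bits
        end = z3.ZeroExt(16, register_addr) + z3.ZeroExt(16, quantity) - 1
        s.add(z3.ULE(end, ADDR_MASK))
    effective = register_addr + offset              # 16-bit add: wraps mod 2^16
    s.add(z3.ULT(effective, register_addr))         # the unsafe outcome asked about
    if s.check() == z3.sat:
        m = s.model()
        return m[register_addr].as_long(), m[offset].as_long()
    return None


if __name__ == "__main__":
    prover = wrap_witness_z3 if HAVE_Z3 else wrap_witness_exhaustive
    print("engine:", "z3" if HAVE_Z3 else "exhaustive")
    print("vulnerable form, wrap witness:", prover(guarded=False))
    print("hardened form, wrap witness:  ", prover(guarded=True))
```

On the vulnerable form the exhaustive search returns the artifact's own witness, register_addr=0xFFFF with offset=1, and `touches_interlock(0xFFFF, 2)` confirms that read returns the interlock flag as process data; on the hardened form both engines report that no wrapping input exists. The guard works because the end address is computed in arithmetic wider than the field it protects, which is the general fix for this class of parser defect.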
§ FIELD VALIDATION
#    Target               Vulnerability Class    Status
01   libmodbus 3.1.x      Integer Overflow       CVE Filed
02   CANDU PLC Logic      Safety Interlock       Formal Case
03   Hydro-Québec SCADA   Control Loop           Target
Run Signal on your system.

Formal engagement starts with a technical intake. We scope, configure, and deliver a proof artifact within the agreed SLA.

Request Briefing →