Analysis of Distributed Probabilistic Systems: Limitations and - - PowerPoint PPT Presentation

SLIDE 1 Analysis of Distributed Probabilistic Systems: Limitations and Possibilities
Pedro R. D’Argenio, Universidad Nacional de Córdoba, CONICET
Joint work with Sergio Giro, Luis M. Ferrer Fioriti, Georgel Calin, Pepijn Crouzen, Ernst Moritz Hahn, Lijun Zhang, Silvia Pelozo
19-Jun-2014 - OPCT - Bertinoro
SLIDE 2 Overview
  • Motivation
  • Distributed Schedulers
  • Strongly Distributed Schedulers
  • Distributed Schedulers under secrecy
  • (Un)decidability results
  • Concluding remarks
SLIDES 3-6 Model Checking: Probabilistic Concurrent Systems
  • Nondeterminism is resolved through schedulers.
  • Model checking quantifies over all possible schedulers: sup P(F!) = 1, inf P(F!) = 0.
[figure: a small probabilistic automaton whose first step branches three ways with probability ⅓ each]
SLIDES 7-8 Model Checking: Probabilistic Concurrent Systems
The Monty Hall problem: choose door, open door, then keep door or switch door.
  • sup P(F!) = 2/3, inf P(F!) = 1/3
  • All schedulers are too many! Probabilistic model checking provides a safe over-approximation of the actual probability value.
[figure: the Monty Hall automaton; the car is behind each of the three doors with probability ⅓]
SLIDES 9-11 You || Monty Hall
[figure: PIOA "You" (outputs c!, k!, s!; input o?) in parallel with PIOA "Monty Hall" (input c?; outputs o!; inputs s?, k?); the car is behind each door with probability ⅓]
  • Little knowledge about the other processes' internal state.
  • Local decisions can only be taken based on local knowledge.
  • A distributed scheduler is a scheduler that respects the local decisions of each component.
  • Local decisions are only taken with the information available to each component.
SLIDES 12-13 You || Monty Hall
[figure: the same composition, repeated for the two choices of "You"]
  • Two different choices with the same local knowledge!!
  • Any acceptable scheduler can do either "keep" or "switch" but not both.
SLIDE 14 Probabilistic I/O automata
A PIOA is a tuple $(S, \bar s, L, \rightarrow)$ with
  • a set of states $S$ and an initial state $\bar s \in S$,
  • a set of labels $L$ partitioned into inputs ($I$) and outputs ($O$),
  • the (probabilistic) transition relation $\rightarrow \subseteq S \times L \times \mathrm{Dist}(S)$,
which is
  • input enabled: $\forall a \in I : s \xrightarrow{a}$ (in every state $s$), and
  • label deterministic: $\forall a \in L : (s \xrightarrow{a} \mu' \wedge s \xrightarrow{a} \mu'') \Rightarrow \mu' = \mu''$.
SLIDE 15 Composition of PIOA
Two PIOA $A_1, A_2$ are compatible if $O_1 \cap O_2 = \emptyset$. Their parallel composition is defined by $A_1 \| A_2 = (S_1 \times S_2, (\bar s_1, \bar s_2), L_1 \cup L_2, \rightarrow)$ with $O = O_1 \cup O_2$ and $I = (L_1 \cup L_2) \setminus O$, where
  • $s_1 \xrightarrow{a} \mu_1$ and $a \in L_1 \setminus L_2$ imply $(s_1, s_2) \xrightarrow{a} \mu_1 \times \delta_{s_2}$ (and symmetrically for $A_2$),
  • $s_1 \xrightarrow{a} \mu_1$, $s_2 \xrightarrow{a} \mu_2$ and $a \in L_1 \cap L_2$ imply $(s_1, s_2) \xrightarrow{a} \mu_1 \times \mu_2$.
Because of compatibility, at most one component produces an output in the composed transition. Extends to multiple components as expected.
SLIDE 16 Execution of PIOA
An execution fragment of a PIOA is a sequence $s_0\, a_0\, \mu_0\, s_1\, a_1\, \mu_1\, s_2 \ldots s_{m-1}\, a_{m-1}\, \mu_{m-1}\, s_m$ such that $s_i \xrightarrow{a_i} \mu_i$ and $\mu_i(s_{i+1}) > 0$.
SLIDE 17 Schedulers
A scheduler is a mapping from execution fragments to distributions on the transitions enabled in the current state. Two steps to construct distributed schedulers:
  1. choose the active component $A_i$ (i.e. the one that will produce an output);
  2. let $A_i$ choose one output transition according to its local knowledge (suppose its label is $a$).
All other $A_j$ matching $a$ (as an input) will do so in the parallel composition (ensured by input enabledness and determinism).
SLIDE 18 Schedulers
For each component $A_i$ we consider an output scheduler $\Theta_i : \mathrm{Frag}_i \to \mathrm{Dist}(O_i)$ s.t. $\Theta_i(\sigma)(a) > 0$ implies $\mathrm{last}(\sigma) \xrightarrow{a}_i$. It schedules output transitions provided this component is chosen to execute.
For the system $A_1 \| \cdots \| A_n$ we define the interleaving scheduler $I : \mathrm{Frag} \to \mathrm{Dist}(\{1, \ldots, n\})$ s.t. $I(\sigma)(i) > 0$ implies $\exists a \in O_i : \mathrm{last}(\sigma) \xrightarrow{a}$. It selects randomly the component that will execute an output.
SLIDE 19 Projection of an execution
The projection on a component $A_i$ of an execution fragment $\sigma$ of a system $A_1 \| \cdots \| A_n$ is defined inductively by
  • $[(\bar s_1, \ldots, \bar s_n)]_i = \bar s_i$
  • $[\sigma\; a\; (\mu_1 \times \cdots \times \mu_n)\; (s_1, \ldots, s_n)]_i = [\sigma]_i\; a\; \mu_i\; s_i$ if $a \in L_i$, and $= [\sigma]_i$ if $a \notin L_i$.
It defines the idea of "local knowledge".
SLIDE 20 Distributed Scheduler
A distributed scheduler is a mapping $\eta : \mathrm{Frag} \to \mathrm{Dist}(O)$ s.t. there is a family of output schedulers $\{\Theta_i\}_i$ and an interleaving scheduler $I$ so that for all $\sigma \in \mathrm{Frag}$:
$$\eta(\sigma)(a) = \sum_{i=1}^{n} I(\sigma)(i) \cdot \Theta_i([\sigma]_i)(a) = I(\sigma)(j) \cdot \Theta_j([\sigma]_j)(a) \quad \text{provided } a \in O_j.$$
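The following is an added, runnable reading of the definitions on slides 14 to 20; it is not code from the talk or from its authors. The encoding choices are this example's own assumptions: a PIOA stores one distribution per (state, label) pair so label determinism holds by construction, composition is computed over the reachable tuple states, an execution fragment is a list alternating states and (label, distribution) pairs, and the two-component sample (a coin tosser T with output c, a guesser Z with input c and output g, the uniform interleaving scheduler I_uniform and the output schedulers in THETAS) is constructed here.

```python
from itertools import product

# A PIOA (S, s_bar, L, ->) of slide 14; trans[(s, a)] is the distribution mu
# over successors (dict successor -> probability).
class PIOA:
    def __init__(self, name, init, inputs, outputs, trans):
        self.name, self.init, self.trans = name, init, trans
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.labels = self.inputs | self.outputs
        self.states = {init} | {s for s, _ in trans} | {t for mu in trans.values() for t in mu}
        # input enabledness: every input must be accepted in every state
        for s in self.states:
            for a in self.inputs:
                assert (s, a) in trans, f"{name}: input {a} not enabled in state {s}"

    def step(self, s, a):
        return self.trans.get((s, a))  # None when s has no a-transition


def compose(*comps):
    """A1 || ... || An of slide 15 over reachable tuple states: a label is taken
    jointly by every component that has it in its alphabet, the others stay
    put (the Dirac distribution delta_s); the result is again a PIOA."""
    outs = [c.outputs for c in comps]
    for i, j in product(range(len(comps)), repeat=2):
        assert i == j or not (outs[i] & outs[j]), "incompatible: a shared output"
    O = frozenset().union(*outs)
    L = frozenset().union(*(c.labels for c in comps))
    init = tuple(c.init for c in comps)
    trans, todo, seen = {}, [init], {init}
    while todo:
        s = todo.pop()
        for a in L:
            local = []
            for c, si in zip(comps, s):
                mu = c.step(si, a) if a in c.labels else {si: 1.0}
                if mu is None:
                    break  # a synchronising component cannot take a here
                local.append(mu)
            else:
                mu = {}  # the product distribution mu_1 x ... x mu_n
                for combo in product(*(m.items() for m in local)):
                    t, p = tuple(x for x, _ in combo), 1.0
                    for _, q in combo:
                        p *= q
                    mu[t] = mu.get(t, 0.0) + p
                trans[(s, a)] = mu
                for t in mu:
                    if t not in seen:
                        seen.add(t); todo.append(t)
    return PIOA("||".join(c.name for c in comps), init, L - O, O, trans)


def is_execution(frag, pioa):
    """Execution fragment of slide 16, encoded as [s0, (a0, mu0), s1, (a1, mu1), ...]:
    every step must satisfy s_i -a_i-> mu_i and mu_i(s_{i+1}) > 0."""
    for s, (a, mu), t in zip(frag[::2], frag[1::2], frag[2::2]):
        if pioa.step(s, a) != mu or mu.get(t, 0.0) <= 0:
            return False
    return True


def projection(frag, i, comps):
    """[sigma]_i of slide 19: drop the steps whose label is outside L_i and
    replace global states and product distributions by component i's own."""
    c, local = comps[i], [frag[0][i]]
    for (a, _), s in zip(frag[1::2], frag[2::2]):
        if a in c.labels:
            local += [(a, c.step(local[-1], a)), s[i]]
    return local


def eta(frag, I, thetas, comps):
    """Distributed scheduler of slide 20: eta(sigma)(a) = sum_i I(sigma)(i) *
    Theta_i([sigma]_i)(a); only the component owning output a contributes."""
    dist = {}
    for j, c in enumerate(comps):
        w = I(frag).get(j, 0.0)
        for a, q in (thetas[j](projection(frag, j, comps)).items() if w else ()):
            assert a in c.outputs, "an output scheduler may only pick outputs"
            dist[a] = dist.get(a, 0.0) + w * q
    return dist


# Constructed sample: T tosses a coin (output c!), Z hears c? and may guess (g!).
T = PIOA("T", "i", [], ["c"], {("i", "c"): {"h": 0.5, "t": 0.5}})
Z = PIOA("Z", "z", ["c"], ["g"], {("z", "c"): {"z": 1.0}, ("z", "g"): {"d": 1.0}, ("d", "c"): {"d": 1.0}})
COMPS = (T, Z)
SYS = compose(*COMPS)

def I_uniform(frag):
    """Interleaving scheduler: uniform over components with an enabled output."""
    s = frag[-1]
    en = [i for i, c in enumerate(COMPS) if any(c.step(s[i], a) for a in c.outputs)]
    return {i: 1.0 / len(en) for i in en}

# Output schedulers: each component always fires its single output.
THETAS = [lambda local: {"c": 1.0}, lambda local: {"g": 1.0}]
```

Composing T and Z gives six reachable global states with no inputs left open; after the fragment ("i","z") c ("h","z") g ("h","d") the projection onto T is i c h (the g step is dropped) while Z keeps both steps, and at the initial state the distributed scheduler built from I_uniform and THETAS assigns probability 0.5 to each of c and g.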
SLIDES 21-27 Example revisited
The distributed scheduler for You || Monty Hall is built step by step from the interleaving scheduler I and the output schedulers Θ_Y and Θ_MH:
  • I((•,•)) = You
  • Θ_Y([(•,•)]_Y) = Θ_Y(•) = c!
  • I((•,•) c (•,•)) = MH
  • Θ_MH([(•,•) c (•,•)]_MH) = Θ_MH(•c•) = o!
  • I((•,•) c (•,•) o (•,•)) = You
  • Θ_Y([(•,•) c (•,•) o (•,•)]_Y) = Θ_Y(•c•o•) = s!
[figure: You || Monty Hall as on slide 9]

SLIDES 28-35 Example revisited
Every global execution of the form (•,•) c (•,•) o (•,•) projects onto You as •c•o•, so Θ_Y([(•,•) c (•,•) o (•,•)]_Y) = Θ_Y(•c•o•) must give the same answer, s!, after each of them: the scheduler cannot keep in one of these executions and switch in another (cf. slide 13).
[figure: You || Monty Hall as on slide 9]
SLIDES 36-44 Are distributed schedulers what we need?
[figure: four PIOA; T tosses a coin (c!, then headsT or tailsT with probability 1/2 each), Z guesses it (h!/t! leading to headsZ/tailsZ, inputs a?, b?), A emits a!, B emits b!]
Components are numbered 1 = T, 2 = Z, 3 = A, 4 = B. Consider the distributed scheduler with
  • I((iT, iZ, iA, iB) c! (hT, iZ, iA, iB)) = 3
  • I((iT, iZ, iA, iB) c! (hT, iZ, iA, iB) a! (hT, iZ, eA, iB)) = 2
  • Θ_2([(iT, iZ, iA, iB) c! (hT, iZ, iA, iB) a! (hT, iZ, eA, iB)]_2) = Θ_2(iZ a! iZ) = h!
  • I((iT, iZ, iA, iB) c! (tT, iZ, iA, iB)) = 4
  • I((iT, iZ, iA, iB) c! (tT, iZ, iA, iB) b! (tT, iZ, iA, eB)) = 2
  • Θ_2([(iT, iZ, iA, iB) c! (tT, iZ, iA, iB) b! (tT, iZ, iA, eB)]_2) = Θ_2(iZ b! iZ) = t!
MAXIMUM PROBABILITY IS 1

SLIDES 45-46 Are distributed schedulers what we need?
  • I((iT, iZ, iA, iB) c! (hT, iZ, iA, iB)) = 3
  • I((iT, iZ, iA, iB) c! (tT, iZ, iA, iB)) = 4
  • [(iT, iZ, iA, iB) c! (hT, iZ, iA, iB)]_3 = iA = [(iT, iZ, iA, iB) c! (tT, iZ, iA, iB)]_3
  • [(iT, iZ, iA, iB) c! (hT, iZ, iA, iB)]_4 = iB = [(iT, iZ, iA, iB) c! (tT, iZ, iA, iB)]_4
None of components 3 and 4 can distinguish the system after these two executions ... and yet they are considered differently.
SLIDES 47-48 Strongly distributed schedulers
A strongly distributed scheduler is a distributed scheduler where I (the interleaving scheduler) meets the following condition: for all $\sigma, \sigma' \in \mathrm{Frag}$ and components $A_i, A_j$ such that $[\sigma]_i = [\sigma']_i$ and $[\sigma]_j = [\sigma']_j$, it holds that
$$\frac{I(\sigma)(i)}{I(\sigma)(i) + I(\sigma)(j)} = \frac{I(\sigma')(i)}{I(\sigma')(i) + I(\sigma')(j)}$$
provided $I(\sigma)(i) + I(\sigma)(j) \neq 0 \neq I(\sigma')(i) + I(\sigma')(j)$.
If two components cannot distinguish two executions, their relative probabilities after such executions must be the same.
SLIDES 49-51 What about security?
[figure: two components that, on input c?, take the p_i! or the d_i! branch with probability 0.5 each and then output a_i!; an Attacker with inputs a1?, a2? and outputs g1!, g2!]

SLIDES 52-60 What about security?
The interleaving scheduler may depend on the secret:
  • I(c p1 d2) = 1, I(c p1 d2 a1) = 2, I(c p1 d2 a1 a2) = Atck: the attacker guesses 1
  • I(c d1 p2) = 2, I(c d1 p2 a2) = 1, I(c d1 p2 a2 a1) = Atck: the attacker guesses 2 ☹
The condition of slide 47 does not restrict I here, because both components distinguish the two executions:
  • [c p1 d2]_1 = p1 ≠ d1 = [c d1 p2]_1
  • [c p1 d2]_2 = p2 ≠ d2 = [c d1 p2]_2

SLIDES 61-62 What about security?
Secret actions should not be distinguished by I:
  • [c p1 d2]_1 = p1 ≈ d1 = [c d1 p2]_1
  • [c p1 d2]_2 = p2 ≈ d2 = [c d1 p2]_2
SLIDE 63 Distributed schedulers under secrecy
A distributed scheduler under secrecy is a distributed scheduler where I meets the following condition: for all $\sigma, \sigma' \in \mathrm{Frag}$ and components $A_i, A_j$ such that
  • $[\sigma]_i \approx [\sigma']_i$ and $[\sigma]_j \approx [\sigma']_j$,
  • $(\forall a \in O_i : \mathrm{last}([\sigma]_i) \xrightarrow{a}_i)$ iff $(\forall a \in O_i : \mathrm{last}([\sigma']_i) \xrightarrow{a}_i)$, and
  • $(\forall a \in O_j : \mathrm{last}([\sigma]_j) \xrightarrow{a}_j)$ iff $(\forall a \in O_j : \mathrm{last}([\sigma']_j) \xrightarrow{a}_j)$,
it holds that
$$\frac{I(\sigma)(i)}{I(\sigma)(i) + I(\sigma)(j)} = \frac{I(\sigma')(i)}{I(\sigma')(i) + I(\sigma')(j)}$$
provided $I(\sigma)(i) + I(\sigma)(j) \neq 0 \neq I(\sigma')(i) + I(\sigma')(j)$. [Pelozo & D’Argenio 2012]
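Added example (not code from the talk or its authors): a checker for the ratio condition on the interleaving scheduler of slides 47 and 48, parametrised by the equivalence on projections so that it also covers the secrecy variant of slide 63, run on the coin example of slides 36 to 46 and on the attacker example of slides 49 to 62. Both models are reconstructed from the slide pictures, so the component alphabets, the state names (iT, hZ, eA, ...), the encoding of a fragment as alternating global states and labels, and the scheduler functions I_leaky, I_fixed and I_payer_first are assumptions of this example; the enabledness clause of slide 63 is not checked, since every output is enabled in the fragments compared.

```python
def project(frag, i, alphabet):
    """[sigma]_i of slide 19 for frag = (s0, a0, s1, a1, ..., sm) with global
    states as tuples: component i's state, then only the steps labelled in L_i."""
    local = [frag[0][i]]
    for a, s in zip(frag[1::2], frag[2::2]):
        if a in alphabet:
            local += [a, s[i]]
    return tuple(local)


def interleaving_violations(I, frags, alphabets, equiv=lambda u, v: u == v):
    """Quadruples (x, y, i, j) where I(.)(i) / (I(.)(i) + I(.)(j)) differs between
    frags[x] and frags[y] although components i and j cannot tell them apart
    (projections equal, or related by `equiv` for the ~ of slide 63). Pairs
    where either sum is 0 are exempt, as on the slides; ratios are compared by
    cross-multiplication so no division is needed."""
    bad = []
    for x in range(len(frags)):
        for y in range(x + 1, len(frags)):
            s, t = frags[x], frags[y]
            for i in range(len(alphabets)):
                for j in range(i + 1, len(alphabets)):
                    same = all(equiv(project(s, k, alphabets[k]), project(t, k, alphabets[k]))
                               for k in (i, j))
                    si, sj = I(s).get(i, 0), I(s).get(j, 0)
                    ti, tj = I(t).get(i, 0), I(t).get(j, 0)
                    if same and si + sj and ti + tj and si * (ti + tj) != ti * (si + sj):
                        bad.append((x, y, i, j))
    return bad


# --- Coin example (constructed). Components are 0-based here (the slides count
# 1..4): T tosses (c!), Z guesses h!/t! after hearing a?/b?, A and B emit a!/b!.
COIN_ALPH = [{"c"}, {"a", "b", "h", "t"}, {"a"}, {"b"}]
COIN_INIT = ("iT", "iZ", "iA", "iB")
COIN_FRAGS = [(COIN_INIT, "c", ("hT", "iZ", "iA", "iB")),
              (COIN_INIT, "c", ("tT", "iZ", "iA", "iB"))]

def coin_enabled(s):
    return [i for i, st in enumerate(s) if st in COIN_INIT]  # still has an output

def coin_outputs(i, local):
    """Output schedulers Theta_i: only Z has a choice, and it only sees [sigma]_Z."""
    if i != 1:
        return {{0: "c", 2: "a", 3: "b"}[i]: 1.0}
    return {"h": 1.0} if "a" in local else {"t": 1.0} if "b" in local else {"h": 0.5, "t": 0.5}

def coin_apply(s, a):
    """Transition relation of the composed system; the toss is the only random step."""
    T, Z, A, B = s
    if a == "c":
        return {("hT", Z, A, B): 0.5, ("tT", Z, A, B): 0.5}
    if a in "ab":
        return {(T, Z, "eA", B) if a == "a" else (T, Z, A, "eB"): 1.0}
    return {(T, "hZ" if a == "h" else "tZ", A, B): 1.0}

def I_leaky(frag):
    """Slides 37-44: A goes after heads, B after tails, then Z; the order leaks the toss."""
    s, en = frag[-1], coin_enabled(frag[-1])
    if 1 in en and (s[2] == "eA" or s[3] == "eB"):
        return {1: 1}
    if 2 in en and s[0] == "hT":
        return {2: 1}
    if 3 in en and s[0] == "tT":
        return {3: 1}
    return {en[0]: 1}

def I_fixed(frag):
    """An interleaving that ignores the toss: the lowest-numbered enabled component."""
    return {coin_enabled(frag[-1])[0]: 1}

def coin_prob(I, frag=(COIN_INIT,)):
    """P(F goal), goal = Z's guess equals T's coin, under the distributed scheduler
    eta(sigma)(a) = I(sigma)(i) * Theta_i([sigma]_i)(a) of slide 20."""
    s = frag[-1]
    if not coin_enabled(s):
        return 1.0 if (s[0], s[1]) in (("hT", "hZ"), ("tT", "tZ")) else 0.0
    return sum(p * q * r * coin_prob(I, frag + (a, s2))
               for i, p in I(frag).items()
               for a, q in coin_outputs(i, project(frag, i, COIN_ALPH[i])).items()
               for s2, r in coin_apply(s, a).items())


# --- Attacker example (constructed): components 0 and 1 take p_i! or d_i! after
# c?, then announce a_i!; the attacker (2) hears a1?/a2? and guesses g1!/g2!.
SEC_ALPH = [{"c", "p1", "d1", "a1"}, {"c", "p2", "d2", "a2"}, {"a1", "a2", "g1", "g2"}]
SEC_INIT = ("i1", "i2", "iA")
SEC_FRAGS = [(SEC_INIT, "c", SEC_INIT, "p1", ("p", "i2", "iA"), "d2", ("p", "d", "iA")),
             (SEC_INIT, "c", SEC_INIT, "d1", ("d", "i2", "iA"), "p2", ("d", "p", "iA"))]

def I_payer_first(frag):
    """Slides 52-60: the component that took p_i announces first."""
    return {0: 1} if frag[-1][0] == "p" else {1: 1}

SECRET = {"p1": "x1", "d1": "x1", "p2": "x2", "d2": "x2", "p": "x", "d": "x"}

def secrecy_equiv(u, v):
    """The ~ of slide 62: projections differing only in secret actions are equivalent."""
    return tuple(SECRET.get(e, e) for e in u) == tuple(SECRET.get(e, e) for e in v)
```

On the coin example, I_leaky reaches the goal with probability 1 and is flagged once, for the pair (A, B) after the two executions of slides 45 and 46, whereas I_fixed passes the check and reaches the goal with probability 1/2. On the attacker example the plain condition of slide 47 reports nothing, because the projections onto components 1 and 2 differ as on slide 59, while the same check under secrecy_equiv flags I_payer_first for the pair of components (1, 2).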
SLIDE 64 Results (finite state models)

                        Dist. Sched.   Str. Dist. Sched.   Distr. Sched. with Secrecy
  Det = Random?         Yes            No                  No
  sup P(F goal)?        Undecidable    Undecidable         Undecidable
  sup P(F goal) = 1?    Undecidable    Undecidable         Undecidable

sup P(F goal)? is NP-hard for (locally | globally) memoryless (deterministic | randomized) distributed schedulers.
SLIDE 65 Results (finite state systems)
Partial order reduction:
  • Peled's original conditions preserve strongly distributed schedulers.
  • Apply classical algorithms for probabilistic model checking on the reduction.
Counterexample guided refinement:
  • Check sup P(F goal) ≤ p with classical probabilistic model checking.
  • If the result is true, the model satisfies the property.
  • If not and the counterexample is a DS (distributed scheduler), report the error.
  • If not and the counterexample is not a DS, refine the model and recalculate.
SLIDE 66 Results (finite behaviour systems)
  • Bounded reachability reduces to a polynomial optimization problem.
  • For distributed schedulers the variables take values in {0,1}.
  • For SDS/DSS the constraints are quadratic.
  • Anonymity can be encoded on SMTs through a system of polynomial inequalities.
A good thing: usually, security protocols are of finite behaviour.
A bad thing: inherently exponential.
SLIDES 67-68 Conclusion
  • Distributed schedulers properly capture the idea of partial observation among components.
  • Particularly suited for security.
  • These observations have been acknowledged by other authors from different points of view:
    Compositionality [de Alfaro, Henzinger, Jhala, 2001], [Cheung, Lynch, Segala, Vaandrager, 2006]
    Security analysis [Chatzikokolakis, Palamidessi, 2007], [Andrés, Palamidessi, Rossum, Sokolova, 2011], [Chadha, Sistla, Viswanathan, 2010]
    Testing [Georgievska, Andova, 2010], [Hierons, Núñez, 2012]
  • Down side: undecidability and complexity. Ignored by classical probabilistic model checking.
  • They did not stop the automated theorem proving or SAT solving communities (among others) ;-) e.g.: tractable but interesting subclasses / abstraction techniques / appropriate data structures / etc.
SLIDE 69 Analysis of Distributed Probabilistic Systems: Limitations and Possibilities
Pedro R. D’Argenio, Universidad Nacional de Córdoba, CONICET
Joint work with Sergio Giro, Luis M. Ferrer Fioriti, Georgel Calin, Pepijn Crouzen, Ernst Moritz Hahn, Lijun Zhang, Silvia Pelozo
http://dsg.cs.famaf.unc.edu.ar/
19-Jun-2014 - OPCT - Bertinoro
SLIDE 70 References
  • S. Giro, P.R. D'Argenio: On the Expressive Power of Schedulers in Distributed Probabilistic Systems. QAPL 2009 (ENTCS 253(3):45-71).
  • S. Giro, P.R. D'Argenio: Quantitative Model Checking Revisited: Neither Decidable Nor Approximable. FORMATS 2007: 179-194.
  • S. Giro, P.R. D'Argenio, L.M. Ferrer Fioriti: Partial Order Reduction for Probabilistic Systems: A Revision for Distributed Schedulers. CONCUR 2009: 338-353.
  • S. Giro: On the Automatic Verification of Distributed Probabilistic Automata with Partial Information. PhD thesis, FaMAF, UNC, 2010.
  • L.M. Ferrer Fioriti: Reducción de orden parcial en model checking probabilista simbólico. Lic. thesis, FaMAF, UNC, 2010.
  • G. Calin, P. Crouzen, P.R. D'Argenio, E.M. Hahn, L. Zhang: Time-Bounded Reachability in Distributed Input/Output Interactive Probabilistic Chains. SPIN 2010: 193-211.
  • S. Pelozo, P.R. D'Argenio: Security analysis in probabilistic distributed protocols via bounded reachability. TGC 2012: 182-197.
  • S. Giro, M.N. Rabe: Verification of Partial-Information Probabilistic Systems Using Counterexample-Guided Refinements. ATVA 2012: 333-348.
  • S. Giro, P.R. D'Argenio, L.M. Ferrer Fioriti: Distributed probabilistic input/output automata: Expressiveness, (un)decidability and algorithms. TCS 538:84-102, 2014.