Course on Protocol Validation Frits Vaandrager Institute for - PowerPoint PPT Presentation

Course on Protocol Validation Frits Vaandrager Institute for Computing and Information Sciences Radboud University Nijmegen http://www.cs.ru.nl/~fvaan/

Overview 1. Introduction 2. Model checking of (timed) automata 3. Safe IOAs, invariants, and composition 4. Fairness, liveness, and implementation 5. Simulation proof techniques

6. Real-time, hybrid and probabilistic extensions

Introduction

Reliability in System Design • Computer systems are getting more complex and pervasive • Safety-critical applications: bugs are unacceptable. Mission control (ARIANE-5), medicine, etc, etc • Bugs are expensive: earlier we catch them, the better. E.g. FDIV in Pentium • Testing takes more time than designing. Automation key to im- prove time-to-market • Increasing use of programmable components shifts focus from low-level optimizations to high-level designs

Goal Formal Verification Provide tools and techniques as design aids to produce reliable systems

Coping with Complexity • Design reuse • Separation of concerns: logical vs physical, logical vs timing, etc • Formalization – precise unambiguous semantics • Abstraction – eliminate unnecessary details • Decomposition – divide and conquer • Incremental refinements

What is Formal Verification? • Build mathematical model of system: what are possible behaviors? • Write correctness requirements in specification language: what are desirable behaviors? • Analysis: check that model satisfies specification • Formal ⇒ Correctness claim is precise mathematical statement • Verification ⇒ Analysis either proves or disproves correctness claim

Limitations of FV • Appropriate only for control-intensive applications with interesting interaction among components • Decidability and complexity remain obstacles; great progress in finding heuristics; flexibility in setting up the problem • Falsification rather than verification: model, and not system, is verified; only stated requirements are checked • Finding appropriate abstractions requires expertise

The Formal Methods Jungle ACL2, ACP, ACSR, Action Semantics, Argos, ASM, ADLT, BDDs, B, Boyer-Moore, Caesar/Aldebaran, CCS, Circal, COLD, Coq, COSPAN, CSP, FDR2, CWB, DisCo, DC, Estelle, EVES, GIL, HOL, HyTech, IMPS, I/O Automata, ITL, Isabelle, JAPE, KIV, Kronos, LAMBDA, Larch, LeanTaP, LEGO, LOTOS, Lustre, MALPAS, Meije, Mizar, µ CRL, Murphi, NP-tools, Nqthm, Nuprl, OBJ, Otter, Petri Nets, Pi- calculus, Pobl, ProofPower, PVS, RAISE, Rapide, Refinement Calcu- lus, SDL, SGM, Signal, SMV, SPARK, SPIN, STeP, TAM, TAM97, Temporal-Rover, TLA, TPS, TRIO, TTM/RTTL, Unity, Uppaal, VeriSoft, VDM, VIS, Z, ..

The Trinity of Formal Methods Theory Tools ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � Applications

I/O Automata (Lynch & Tuttle, ’87; Jonsson ’87) Purpose Formal model for specification+verification of distributed algorithms Characteristics: • Both system and specification modelled as transition system • Language inclusion as implementation relation ( ⇒ stepwise refinement!) • Compositionality • Distinction between input and output actions • Fairness/liveness • Assertional reasoning (invariants, simulations, etc) • Extensions deal with real-time, hybrid, and probabilistic aspects

Stepwise Refinement implementation preorder ✏ ✏ ✏ � ❅ ✏ ✏ ✏ ✮ � ❅ � ✠ ❅ ❘ · · · ⊑ S 2 ⊑ S 1 ⊑ S 0

Compositionality S 1 ⊑ S 0 ⇒ S 1 S 0 ⊑

Extensions and Restrictions of IOA model (S= Safe, F=Fair, L=Live, T=Timed, H=Hybrid, P=Probabilistic) PIOA LIOA t ❩ ⑥ t ❩ ✓ ✼ ✼ ✓ ✓ PA SPIOA ✓ ❩ ✓ ✲ ✓ ❩ FIOA ❩ ⑥ ⑥ ❩ t ❩ t ❩ ❩ ✓ t ❩ ❩ ❩ ✓ ❩ ❩ ❩ ✓ ❩ ❩ ❩ ❩ ❩ ❩ ✓ ❩ ❩ ❩ IOA ✓ ❩ ❩ t ✓ ❩ ❩ ❩ ✲ ❩ ✓ A SIOA t t ❄ LTIOA t ✼ ✓ ✓ PTA PTIOA ✓ ❄ ✲ ❄ t ❩ ⑥ ❩ t ⑥ ❩ ❩ ✓ ❩ ❩ ✓ ❩ ❩ ✓ ❩ ❩ ❩ ❩ ✓ ❩ ❩ ✓ ❩ ❩ ✓ ❩ ❩ ❩ ❄ ❩ ✲ ✓ ❄ TA TIOA t t ❄ ✲ ❄ HA HIOA t t

Timed Automata • Model of finite automata enriched with real-values clock variables proposed by Rajeev Alur and David Dill in 1990 • Model checking tools under development since then; enormous progress has been made! • Especially UPPAAL has become quite mature (for an academic prototype) • Dozens of industrial applications: embedded controllers, distributed algorithms and protocols, scheduling problems,...

Applications: Communication Protocols 1. At most once message delivery 2. Bounded retransmission 3. IEEE 1394 tree identify 4. Audio control 5. Biphase mark 6. Rambo

Applications: Transportation 1. Railroad crossing 2. Personal rapid transit 3. Automated highway systems (PATH) 4. Traffic Alert and Collision Avoidance System (TCAS) 5. Height control in BMW

More Applications 1. Distributed operating systems 2. Database concurrency control 3. Steam boiler controller 4. Lego car 5. etc. etc.