Model checking for probabilistic real-time systems
Marta Kwiatkowska School of Computer Science www.cs.bham.ac.uk/~mzk ETR 2005, Nancy
Overview
– Motivation
– Probabilistic model checking
  – The models
  – Specification languages
  – What does it involve?
  – The PRISM model checker
– Case studies
  – IPv4 Zeroconf dynamic configuration protocol
  – Bluetooth device discovery
For more information…
www.cs.bham.ac.uk/~dxp/prism/
feature PRISM…
Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems, CRM Monograph Series, vol. 23, AMS, March 2004
The future: ubiquitous computing
– Mobile, wearable, wireless devices (WiFi, Bluetooth)
– Ad hoc, dynamic, ubiquitous computing environment
– Security, privacy, anonymity protection on the Internet
– Self-configurable - no need for men/women in white coats!
– Fast, responsive, power efficient, …
The Internet
Correct design a challenge for formal methods?
Motivation
– As a symmetry breaker
– In gossip-based routing and multicasting
– To measure delays and time-outs
– Probabilistic timed automata combine quantitative probability, timing and non-determinism
Real-world protocol examples
nondeterminism
– Randomised back-off schemes
– Random choice of waiting time
– Random choice of a timing delay
– Random choice over a set of possible addresses
traffic, random delays…
www.cs.bham.ac.uk/~dxp/prism
Probability elsewhere
– Pioneered by Erlang, in telecommunications, ca 1910
– Models: typically continuous time Markov chains
– Emphasis on steady-state and transient probabilities

– Cf Bellman equations, ca 1950s
– Models: Markov decision processes
– Emphasis on finding optimum policies

– Distinctive, on automated verification for probabilistic systems
– Temporal logic specifications, automata-theoretic techniques
– Shared models
– Exchanging techniques with the other two areas
Verification via model checking…
The model
Model Checker
Temporal logic specification send → ◊deliver
Error trace
Line 5: … Line 21: … Line 15: … … Line 27: … Line 45: ...
Probabilistic model checking…
Probabilistic Model Checker
Probabilistic temporal logic specification send → P≥0.9(◊deliver)
The probability
State 5: 0.6789 State 6: 0.9789 State 7: 1.0 … State 12: 0 State 13: 0.1245
in a nutshell
Probabilistic model
– Discrete probability, nondeterminism – No real-time
– S finite set of states
– s0 initial state
– Steps maps states s to sets of probability distributions μ over S
– Act labelling of steps with actions
– L: S → 2^AP atomic propositions
– c: S × Act → ℝ≥0 cost function
– Adversary A maps finite path s0a0μ0s1a1μ1…sn to a distribution from sn
Markov Decision Processes (MDPs)
[Figure: example MDP with states s0, s1, s2, s3, actions a–e, labels init, try, fail, succ, and transition probabilities 1, 1, 1, 0.02, 0.98, 1]
– Sample space = infinite paths Path^A_s from s
– Event = set of paths
– Basic event = cone
– Probability space (Path^A_s, Ω, Pr^A_s)
– Assign probability P(.) to finite paths ω = s0a0μ0s1a1μ1s2a2…sn
– Define Pr^A_s(C(ω)) = P(ω), for cones C(ω) = { π ∈ Path^A_s | ω is prefix of π }
Probability and cost
cost(F)(ω) = Σ_{i=0}^{min{ i : ω(i) ∈ F }} c(a), where (a, μ) ∈ Steps(ω(i−1)), if ∃ i. ω(i) ∈ F
cost(F)(ω) = ∞ otherwise
The logic PCTL: syntax
– Based on CTL, for DTMCs/MDPs
– Add probabilistic operator, e.g. send → P≥0.9(◊deliver)
– and expected cost operator, e.g. E>1(heads)
φ ::= true | a | φ ∧ φ | ¬φ | P~p(α) | E~c(φ)
α ::= X φ | φ U φ
where p ∈ [0,1] is a probability threshold, c ∈ ℝ≥0 is a cost bound and ~ ∈ { <, >, … }
– “under any scheduling, the probability/cost is … at state s” – reasoning about worst-case/best-case scenario
s ⊨_Adv P~p(α) ⇔ Pr^A_s { π ∈ Path^A_s | π ⊨_Adv α } ~ p, for all A ∈ Adv
s ⊨_Adv E~c(φ) ⇔ E^A_s( cost{ s’ ∈ S | s’ ⊨_Adv φ } ) ~ c, wrt Pr^A_s, for all A ∈ Adv
The logic PCTL: semantics
– pmax_s(α), pmin_s(α), defined sup/inf over all adversaries
Sat( P≥p(φ1 U φ2) ) = { s ∈ S | x_s ≥ p }
Maximise Σ_{s ∈ S?} x_s subject to the constraints:
  x_s ≤ Σ_{s’ ∈ S?} μ(s’) · x_{s’} + Σ_{s’ ∈ Syes} μ(s’)   for all s ∈ S?, (a, μ) ∈ Steps(s)
– Syes, Sno, S? = S \ (Sno ∪ Syes) can be precomputed by graph traversal (BDD fixed point) [dA97, dAKNP00]
– Combine graph-theoretic traversal and simplified value iteration
PCTL Until model checking for MDPs
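As an added worked example (not code from the talk or from PRISM), the reachability part of the PCTL until check above on a small constructed MDP shaped like the init/try/fail/succ example: S_no is precomputed by backward graph traversal, S_yes is the target set, and pmin/pmax over S_? are obtained by value iteration, the iterative counterpart of the linear program on the slide. The MDP, its action names and probabilities are assumptions made for the example.

```python
"""Added example, not from the slides: PCTL until model checking on a small MDP.
S_no is precomputed by graph traversal, S_yes is the target set, and pmin/pmax
over the remaining states S_? are obtained by value iteration."""
from typing import Dict, Set

# Constructed MDP, shaped like the init/try/fail/succ example on the slides:
# state -> action -> {successor: probability}
MDP: Dict[str, Dict[str, Dict[str, float]]] = {
    "s0": {"a": {"s1": 1.0}, "b": {"s1": 0.5, "s2": 0.5}},  # init: nondeterministic choice
    "s1": {"c": {"s3": 0.98, "s2": 0.02}},                 # try: usually succeeds
    "s2": {"d": {"s2": 1.0}},                              # fail (absorbing)
    "s3": {"e": {"s3": 1.0}},                              # succ (absorbing, the target)
}

def prob0(mdp, target: Set[str]) -> Set[str]:
    """S_no: states from which the target is unreachable under every adversary."""
    can_reach = set(target)
    changed = True
    while changed:
        changed = False
        for s, acts in mdp.items():
            if s not in can_reach and any(t in can_reach for mu in acts.values() for t in mu):
                can_reach.add(s)
                changed = True
    return set(mdp) - can_reach

def reach_prob(mdp, target: Set[str], maximise: bool, eps: float = 1e-12) -> Dict[str, float]:
    """pmax_s(◊target) if maximise else pmin_s(◊target), for every state s.
    Starting from 0 on S_?, the iteration converges to the sup/inf over adversaries."""
    s_yes, s_no = set(target), prob0(mdp, target)
    x = {s: (1.0 if s in s_yes else 0.0) for s in mdp}
    pick = max if maximise else min
    while True:
        new = dict(x)
        for s, acts in mdp.items():
            if s not in s_yes and s not in s_no:
                new[s] = pick(sum(p * x[t] for t, p in mu.items()) for mu in acts.values())
        delta = max(abs(new[s] - x[s]) for s in mdp)
        x = new
        if delta < eps:
            return x

def check_until(mdp, target: Set[str], state: str, lower_bound: bool, p: float) -> bool:
    """s |= P>=p(◊target) needs pmin (worst adversary); s |= P<=p(◊target) needs pmax."""
    probs = reach_prob(mdp, target, maximise=not lower_bound)
    return probs[state] >= p if lower_bound else probs[state] <= p

if __name__ == "__main__":
    print("pmax(s0) =", reach_prob(MDP, {"s3"}, True)["s0"])   # 0.98
    print("pmin(s0) =", reach_prob(MDP, {"s3"}, False)["s0"])  # 0.49
```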
– emax_s(φ), emin_s(φ), defined sup/inf over all adversaries
problems solvable iteratively, e.g.
Sat( E≥c(φ) ) = { s ∈ S | x_s ≥ c }
Maximise Σ_{s ∈ S?} x_s subject to the constraints:
  x_s ≤ c(a) + Σ_{s’ ∈ Syes} μ(s’) · x_{s’}   for all s ∈ S?, (a, μ) ∈ Steps(s)
– Syes, Sno, S? = S \ (Sno ∪ Syes) can be precomputed as before
– Unique solution, cost possibly ∞
– Algorithm of [dAlf’97]
Expected cost model checking
Continuous Time Markov Chains (CTMCs)
– Discrete states and real time – Exponentially distributed random delays
– Set of states S plus rates R(s,s’) > 0 of moving from s to s’
– Probability of moving from s to s’ by time t > 0 is 1 − e^(−R(s,s’)·t)
– Transition rate matrix S × S → ℝ≥0
– probs(s’), probability of being in s’ in the long-run, starting in s
– probs(s’,t), probability of being in s’ at time instant t
[Figure: queue CTMC with states from empty to full and transition rates 1, 3, 3, 4, 4, 4, 3, 2, 3]
The logic CSL: syntax
– For CTMCs, based on PCTL, for example
“the probability of queue becoming full within 15 secs is < 0.85”
“in the long run, the probability the system is down is less than 1%”
φ ::= true | a | φ ∧ φ | ¬φ | S~p(φ) | P~p(α)
α ::= X φ | φ U≤t φ | φ U φ
where p ∈ [0,1] is a probability bound, t ∈ ℝ≥0 and ~ ∈ { <, >, … }
expectation operator E~c(φ)
π ⊨ φ1 U≤t φ2 iff φ2 satisfied at time instant t along π = s0 s1 … and φ1 satisfied at all preceding time instants
s ⊨ S~p(φ) ⇔ Σ_{s’ ⊨ φ} probs(s’) ~ p, where probs(s’) is prob. of being in s’ in the long-run, having started in s
s ⊨ P~p(α) ⇔ Pr { π ∈ Path_s | π ⊨ α } ~ p, where Pr is probability measure on paths as for PCTL
CSL semantics
S~p(φ) and P~p(φ1 U≤t φ2)
– Requires computation of steady-state probabilities
– Reduces to graph traversal and (iterative) solution of linear equation system
– Reduces to transient analysis
– Transform CTMC by removing all outgoing transitions from states satisfying φ2 or ¬φ1
– Then Pr { π ∈ Path_s | π ⊨ φ1 U≤t φ2 } = Σ_{s’ ⊨ φ2} probs(s’,t)
– Computed by using uniformisation
– More efficient and stable, iterative computation
The logic CSL: model checking
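As an added worked example (not code from the talk or from PRISM), the transient-analysis route just described for a property of the kind quoted earlier, “the probability of the queue becoming full within 15 secs is < 0.85”: the φ2 states are made absorbing, probs(s’,t) is computed by uniformisation and summed over the φ2 states. The CTMC is a constructed bounded queue with illustrative rates, and only φ1 = true is handled (for a general φ1 the ¬φ1 states would be made absorbing as well).

```python
"""Added example, not from the slides: CSL time-bounded until on a small CTMC.
Checks P<0.85(true U<=15 full): make the phi2 states absorbing, compute
probs(s', t) by uniformisation and sum over the phi2 states. The CTMC is a
constructed M/M/1/3 queue (states 0..3 = jobs present, 'full' = 3)."""
import math

def queue_ctmc(capacity: int, arrival: float, service: float):
    """Rate matrix R[s][s'] of a bounded queue; no self-rates, R[s][s] = 0."""
    R = [[0.0] * (capacity + 1) for _ in range(capacity + 1)]
    for s in range(capacity + 1):
        if s < capacity:
            R[s][s + 1] = arrival
        if s > 0:
            R[s][s - 1] = service
    return R

def transient(R, init: int, t: float, eps: float = 1e-12):
    """probs_init(s', t) for all s' by uniformisation: pi(t) = sum_k Poisson(k; q t) pi0 P^k,
    with P = I + Q/q, q >= every exit rate; the series is cut once the remaining
    Poisson mass is below eps (Poisson terms are built by recurrence, no factorials)."""
    n = len(R)
    exit_rate = [sum(row) for row in R]
    q = max(exit_rate) or 1.0
    P = [[(R[s][u] + (q - exit_rate[s] if s == u else 0.0)) / q for u in range(n)] for s in range(n)]
    vec = [1.0 if s == init else 0.0 for s in range(n)]   # pi0 P^k, currently k = 0
    out, qt = [0.0] * n, q * t
    poisson, mass, k = math.exp(-qt), 0.0, 0
    while mass < 1.0 - eps and k < 100_000:
        for s in range(n):
            out[s] += poisson * vec[s]
        mass += poisson
        k += 1
        poisson *= qt / k
        vec = [sum(vec[s] * P[s][u] for s in range(n)) for u in range(n)]
    return out

def bounded_until_prob(R, init: int, goal, t: float) -> float:
    """Pr{ pi from init |= true U<=t goal }: zero the outgoing rates of goal states
    (they become absorbing), then sum probs(s', t) over the goal states."""
    R2 = [[0.0] * len(R) if s in goal else row[:] for s, row in enumerate(R)]
    dist = transient(R2, init, t)
    return sum(dist[s] for s in goal)

def check_csl(R, init: int, goal, t: float, bound: float) -> bool:
    """init |= P<bound(true U<=t goal)."""
    return bounded_until_prob(R, init, goal, t) < bound

if __name__ == "__main__":
    R = queue_ctmc(3, 0.2, 0.3)   # constructed rates: 0.2 arrivals/s, 0.3 services/s
    print(bounded_until_prob(R, 0, {3}, 15.0), check_csl(R, 0, {3}, 15.0, 0.85))
```

For a single transition of rate r the same routine reproduces the 1 − e^(−r·t) formula from the CTMC slide, which is a convenient sanity check of the uniformisation code.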
Time, clocks and zones
– Increase at the same rate as real time
– Assume finite set 𝒳 of clocks, maximum constant kmax
– If n clocks, v,v’ ∈ ℝⁿ≥0 are clock valuations
– v+t is time increment, v[X:=0] clock reset of all clocks in X ⊆ 𝒳
ζ ::= x ~ c | x−y ~ c | ζ ∧ ζ | ζ ∨ ζ | ¬ζ
– Consider only in canonical form
– Closed, diagonal-free if do not feature x < c, x > c, x−y ~ c
– Convex, or non-convex (cf [Tripakis98])
Probabilistic Timed Automata: syntax
– Clocks, x, real-valued
– Can be reset, e.g. {x:=0}
– Invariants, e.g. x≤8
– Probabilistic transitions, guarded e.g. x≥4, x=8
– Loc finite set of locations
– s0 initial location
– Inv maps locations s to invariant clock constraints
– prob probabilistic edge relation that yields the probability of moving from s to s’ if enabled at s, resetting specified clocks
– Act action labelling of transitions μ (probability distribution)
– L: S → 2^AP atomic propositions
[Figure: example PTA with locations send, wait and fail (invariants true, x≤8, true); edges labelled transmit and waited, guards x≥4 and x=8, reset {x:=0}, probabilities 0.99 and 0.01]
PTAs: semantics
– (S, s0, Steps, L, Act ∪ ℝ≥0)
– S, states (s,v), where t,t’ ∈ ℝ≥0, v,v’ ∈ ℝⁿ≥0
– Label discrete steps by t = 0, and t > 0 for time elapse
– Steps, distributions μ and time points t:
  time elapse (s,v) →^(t,μ) (s,v+t), μ point distribution, if Inv(s) satisfied by v+t and v+t’ for all 0 ≤ t’ ≤ t
  discrete transition (s,v) →^(t,μ) (s’,v’) if t=0 and ∃ μ ∈ prob enabled at (s,v) and probability of moving to (s’,v’) resetting clocks in X is induced from prob
– s0, L, initial state and state labelling induced from PTA
Paths and Adversaries
– divergent if for any t ∈ ℝ≥0 ∃ j ∈ ℕ s.t. D(j) > t, where D(j) is duration up to j-th state
distribution pairs
– s.t. time divergent, i.e. for each state s, the probability of divergent paths under A is 1
– Pr^A_s on paths π ∈ Path^A_s generalises to this case
Require non-zenoness, i.e. there must exist a divergent adversary
The logic PTCTL
– Based on TCTL [AD94]
– Add probabilistic operator P~p(·) of PCTL
φ ::= a | ζ | φ ∨ φ | ¬φ | z.[φ] | P~p(φ U φ)
where z ranges over formula clocks, ζ are clock constraints over formula and system clocks
“under any scheduling, with probability ≥ 0.85 the message is correctly delivered within 5 ms”
– “under any scheduling, the probability bound is true at s,E”
s,E ⊨ P~p(φ1 U φ2) ⇔ Pr^A { π ∈ Path^A_s | π,E ⊨ φ1 U φ2 } ~ p, for all A ∈ Adv
s,E ⊨ a ⇔ a ∈ L(s)
s,E ⊨ ¬φ ⇔ s,E ⊭ φ
s,E ⊨ φ1 ∨ φ2 ⇔ s,E ⊨ φ1 or s,E ⊨ φ2
π,E ⊨ φ1 U φ2 ⇔ π = s0 s1 … and ∃ i ∈ ℕ, t ≤ D(i+1)−D(i) s.t. π(i)+t, E+D(i)+t ⊨ φ2,
  if t’<t then π(i)+t’, E+D(i)+t’ ⊨ φ1 ∨ φ2,
  if j<i and t’<D(i+1)−D(i) then π(j)+t’, E+D(j)+t’ ⊨ φ1 ∨ φ2
PTCTL semantics
Model checking for PTAs
– Use standard TA constructs: regions, digitisation, zones – Model check the resulting MDP using standard methods
{ s,E | s,E ⊨ P~p(φ1 U φ2) } =
  { s,E | s,E ⊨ pmax(φ1 U φ2) ~ p }  if ~ ∈ {≤, <}
  { s,E | s,E ⊨ pmin(φ1 U φ2) ~ p }  if ~ ∈ {≥, >}
where for any PTCTL formula α, fixed s,E:
  pmax(α) = sup_{A ∈ Adv} Pr^A { π ∈ Path^A_s | π,E ⊨ α }
  pmin(α) = inf_{A ∈ Adv} Pr^A { π ∈ Path^A_s | π,E ⊨ α }
Model checking for PTAs: regions
– finite partition of TA state space
– e.g. x=y=0, x=0 ∧ 0<y<1
– time abstract region graph
satisfaction
– clock constraints
– TCTL formulas
[Figure: clock space x, y from (0,0) to (kmax,kmax) partitioned into regions]
Model checking: regions
– Can adapt the region graph construction [ACD93] to PTAs
– Obtain time-abstract, finite-state MDP over regions
– Full PTCTL is preserved via region quotient
– Can translate PTCTL to PCTL, map H(.), extending PCTL with reset formulas such that φ satisfied in PTA iff H(φ) in the induced MDP over regions
– Can model check the MDP using standard methods
clocks and size of largest constant
Model checking for PTAs: digital clocks
– restrict to closed, diagonal-free TAs
– Time domain ℕ, with integer-valued clocks
– Define time increment by min{v(x)+t, kmax+1}
– Integer-valued time elapse
[Figure: clock space x, y from (0,0) to (kmax,kmax) with the integer points of the digital clocks]
Model checking: digital clocks
– minimum/maximum reachability probability – minimum/maximum expected cost reachability
be represented as MDPs, and so can apply model checking directly on MDPs
case studies
give rise to very large state spaces
Model checking for PTAs: symbolic
– usually convex conjunctions of atomic constraints, e.g. 0<x<2 ∧ 0<y<1
– algebra of operations on zones: conjunctions, pre, post
– time abstract zone graph
[Figure: clock space x, y from (0,0) to (kmax,kmax) partitioned into zones]
– Forwards, using post (UPPAAL) – on the fly
– Backwards, using pre (KRONOS)
Model checking: forwards
– Can adapt the forwards zone graph construction to PTAs
– Obtain time-abstract, finite-state MDP over zones
– (Upper bounds) on reachability properties via quotient
– Subset of PTCTL only
– Maximum probabilities only
– Can model check the MDP using standard methods
– Loss of on-the-fly, must construct MDP first
using KRONOS
Model checking: backwards
– Can adapt the backwards zone graph construction to PTAs
– Can calculate both minimum and maximum probabilities
– Must compute conjunctions of zones to preserve probabilistic branching
– Obtain time-abstract, finite-state MDP over zones
– Full PTCTL is preserved via quotient
– Can model check the MDP using standard methods
– Loss of on-the-fly, must construct MDP first
PRISM input language using KRONOS
zones, i.e. lists of DBMs)
Continuous PTAs
to cont. probability distribution
[Alur]
– Set x to random[0,1], y to 0
– When x < 1, reset y to random[0,1]
– Consider transitions x=1, y=1
– If y < 0.5, x = 1 first, else don’t know (error)
[Figure: clock space x, y from (0,0) to (Rmax,Rmax), with the lines x=1 and y=1]
Probabilistic model checking in practice
– Enumerative
– Symbolic
– discrete probability/space models
– CTMCs
– Simulation admits more general distributions
The PRISM tool: overview
– Direct support for models: DTMCs, MDPs and CTMCs
– Extension with costs/rewards, expectation operator
– PTAs with digital clocks by manual translation
– Connection from KRONOS to PRISM for PTAs
– Experimental implementation using DBMs/DDDs for PTAs
– System description
– Probabilistic temporal logics: PCTL and CSL
– Symbolic model construction (MTBDDs), uses CUDD [Somenzi]
– Three numerical computation engines
– Written in Java and C++
The PRISM tool: implementation
– Symbolic, MTBDD based
– Enumerative, sparse-matrix based
– Hybrid
– Several large scale examples: 10^10 – 10^30 states
– No engine wins overall
– See www.cs.bham.ac.uk/~dxp/prism
PRISM real-world case studies
– Bluetooth device discovery [ISOLA’04, STTT]
– Crowds anonymity protocol (by Shmatikov) [JSC 2003]
– Randomised consensus [CAV’01, FORTE’02]
– NAND multipl. for nanotech. (with Shukla) [VLSI’04, IEEE CAD ’05]
– Self-stabilising protocols
– Dynamic power management (with Shukla and Gupta) [HLDVT’02]
– Dependability of embedded controller [INCOM’04]
– thinkTeam groupware (by ter Beek, Massink & Latella) [DSVIS’05]
– IPv4 Zeroconf dynamic configuration [FORMATS’03]
– Root contention in IEEE 1394 FireWire [FAC 2003, STTT 2004]
– IEEE 802.11 (WiFi) Wireless LAN MAC protocol [PROBMIV’02]
Case study: IPv4 Zeroconf protocol
– New IETF standard for dynamic network self-configuration
– Link-local (no routers within the interface)
– No need for an active DHCP server
– Aimed at home networks, wireless ad-hoc networks, hand-held devices
– “Plug and play”
– Performs assignment of IP addresses
– Symmetric, distributed protocol
– Uses random choice and timing delays
IPv4 Zeroconf Standard
The Internet
– If positive reply received, restart
– Otherwise, continue sending probes and listening (2 seconds)
– Send 2 packets, at 2 second intervals, asserting IP address is being used
– If a conflicting assertion received, either:
Will it work?
– IP number chosen may be already in use, but:
– Self-configuration delays may become unacceptable
– No justification for parameters
– DTMC and Markov reward models, analytical [BvdSHV03, AK03]
– TA model using UPPAAL [ZV02]
– PTA model with digital clocks using PRISM [KNS03]
The IPv4 Zeroconf protocol model
clocks)
– environment (communication medium + other hosts)
– K (number of probes sent before the IP address is used)
– the probability of message loss
– the number of other hosts already in the network
Modelling the host
Modelling the environment
Expected costs
before obtaining a valid IP address?
– Time should be costly: the host should obtain a valid IP address as soon as possible
– Using an IP address that is already in use should be very costly: minimise probability of error
– r=1 (t time units elapsing corresponds to a cost of t)
– e=10^12 for the event corresponding to using an address which is already in use
– e=0 for all other events
Results for IPv4 Zeroconf
– increases delay before a fresh IP address can be used
– increases probability of using an IP address already in use
message loss = 0.001
message loss = 0.01
Case Study: Bluetooth Device Discovery
– Personal Area Networks (PANs)
– Open standard, versions 1.1 and 1.2
– Widely available in phones, PDAs, laptops, …
– To avoid interference (uses unregulated 2.4GHz band)
– Pseudo-random frequency selection over 32 of 79 frequencies
– Inquirer hops faster
– Must synchronise hopping frequencies
– Piconets (1 master, up to 7 slaves)
– Self-configuring: devices discover themselves
– Master-slave roles
States of a Bluetooth device
Frequency hopping
consecutive frequencies, then listens on the same two (plus margin)
bits of clock CLK (k defined on next slide):
freq = [CLK(16-12) + k + (CLK(4-2,0) − CLK(16-12)) mod 16] mod 32
Frequency hopping sequence
freq = [CLK(16-12) + k + (CLK(4-2,0) − CLK(16-12)) mod 16] mod 32
determines which train
every 2.56 sec
times
Sending and receiving in Bluetooth
frequency hopping sequence, then listens, and repeats
same frequency
frequency
Bluetooth modelling
– Genuine randomness, probabilistic modelling essential
– Devices make contact only if listen on the right frequency at the right time!
– Sleep/scan periods unbreakable, much longer than listening
– Cannot scale constants (approximate results)
– Cannot omit subactivities, otherwise oversimplification
– Initial configurations dependent on 28 bit clock
– Cannot fix start state of receiver, clock value could be arbitrary
– 17,179,869,184 possible initial states
More about this Bluetooth model…
– network simulation tools (BlueHoc), obtain averaged results
– analytical approaches, require simplifications to the model
– easy to make incorrect probabilistic assumptions…
– Assume negligible clock drift
– Discrete time, obtain a DTMC
– Divide into 32 separate cases
– Work with realistic constants, as in the standard
– Analyse v1.2 and 1.1, confirm 1.1 slower
– Show best/worst case values, can pinpoint scenarios which give rise to them
– Also obtain power consumption analysis
Time to hear 1 reply
states, (Min 635μs)
receiver first starts to listen
Time to hear 2 replies
Huge probabilistic model, 17,179,869,184 possible initial states. Max time is 5.177sec (16,565 slots), in 444 initial states. Unlike simulation, model checking is exhaustive. The exact curve is obtained by model checking. Derived plot incorrectly assumes independence of events.
What we have learnt from practice
– Is capable of finding ‘corner cases’ and ‘unusual trends’
– Good for worst-case scenarios, for all initial states
– Benefits from quantitative-style analysis for a range of parameters
– Is limited by state space size
– Useful for real-world protocol analysis, power management, performance, biological processes, …
– Limited by accuracy of the results, not state-space explosion
– May need to rerun experiments for each possible start state, not always feasible
– Statistical methods in conjunction with sampling help
– Nested formulas may be difficult
Challenges for future
– Abstraction, data/equivalence quotient, (de)compositionality…
– Parametric probabilistic verification?
– Continuous PTAs? Continuous time MDPs? LMPs?
– Probabilistic LTL/PCTL*/mu-calculus?
– Quantum cryptographic protocols
– Mobile ad hoc network protocols
PRISM collaborators worldwide