ModelPlex: Verified Runtime Monitors and Verified Test Oracles for - - PowerPoint PPT Presentation

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical Systems

Stefan Mitsch

Computer Science Department, Carnegie Mellon University

CPS V&V I&F Workshop 2017 May 12, 2017

joint work with Andr´ e Platzer

Stefan Mitsch—ModelPlex 1 of 9

Formal Verification of Cyber-Physical Systems

Analyze the physical effect of software

Proof guarantees Monitor correctly checks deviation Proof Strategy Hybrid System Model KeYmaera Counterexample Control Sensors Actuators

Discrete computation + continuous physics

1 2 3 4 5 6 7 −3 6 t 1 2 3 4 5 6 7 −1 4 9 t

Stefan Mitsch—ModelPlex 2 of 9

Formal Verification of Cyber-Physical Systems

Theorem proving ensures correct model

Proof guarantees correct model Monitor correctly checks deviation of model from reality Proof Strategy Hybrid System Model KeYmaera X Counterexample Monitor Specification Proof

Safety Proof

Never collide

Stefan Mitsch—ModelPlex 2 of 9

Formal Verification of Cyber-Physical Systems

Runtime monitoring ensures model compliance

checks deviation of model from reality KeYmaera X Counterexample Monitor Specification Proof Sensors Control Monitor Actuators

Monitor desired effect + safe environment

◮ Runtime: ensure safety and detect anomalies ◮ Testing: generate and analyze test cases

Stefan Mitsch—ModelPlex 2 of 9

How to Achieve Safety Guarantees at Runtime?

Real CPS Proof Reachability Analysis . . . Verification Results safe

Stefan Mitsch—ModelPlex 3 of 9

How to Achieve Safety Guarantees at Runtime?

Real CPS Model α∗ Control αctrl v := v + 1 Plant αplant x′ = v sense act abstract Proof Reachability Analysis . . . Verification Results safe safe

Stefan Mitsch—ModelPlex 3 of 9

How to Achieve Safety Guarantees at Runtime?

Real CPS Model α∗ Control αctrl v := v + 1 Plant αplant x′ = v sense act abstract synthesize Proof Reachability Analysis . . . Verification Results safe safe

Stefan Mitsch—ModelPlex 3 of 9

How to Achieve Safety Guarantees at Runtime?

Real CPS synthesize Model α∗

v := Kpe(t) + Ki

t

0 e(τ)dτ + Kd de dt

x′ ≤ v, v′ =

Te xg xd n rw

− 1

2 Cd Aρv2

sense act abstract Proof Reachability Analysis . . . Verification Results safe safe

Stefan Mitsch—ModelPlex 3 of 9

How to Achieve Safety Guarantees at Runtime?

Real CPS synthesize Model α∗

v := Kpe(t) + Ki

t

0 e(τ)dτ + Kd de dt

x′ ≤ v, v′ =

Te xg xd n rw

− 1

2 Cd Aρv2

sense act abstract Proof Reachability Analysis . . . Verification Results safe safe Challenge

◮ Others may not satisfy the model assumptions ◮ Non-verified implementation may have bugs

Verification results about models

• nly apply if CPS fits to the model

Stefan Mitsch—ModelPlex 3 of 9

ModelPlex at Runtime

Sensors Controller Actuators

Stefan Mitsch—ModelPlex 4 of 9

ModelPlex at Runtime

ModelPlex Sensors Controller Compliance Monitor Fallback Actuators Compliance Monitor Checks CPS for compliance with model at runtime Want: Monitor satisfied at runtime → Real state safe ModelPlex Which conditions guarantee safety? Derive monitoring conditions from model by proof Fallback Safe control, executed when monitor is not satisfied

Stefan Mitsch—ModelPlex 4 of 9

Principle Behind a ModelPlex Monitor

prior state p posterior state p+ evolve, e.g., move Model {v := −v ∪ ?v = 0} p′ = v v . . . p p+ . . . v+ ˆ p+ . . . ˆ v+ check ∋ measure measure

Stefan Mitsch—ModelPlex 5 of 9

Principle Behind a ModelPlex Monitor

Hard to execute, impossible to check prior state p posterior state p+ evolve, e.g., move Model {v := −v ∪ ?v = 0} p′ = v v . . . p p+ . . . v+ ˆ p+ . . . ˆ v+ check ∋ measure measure

Stefan Mitsch—ModelPlex 5 of 9

Principle Behind a ModelPlex Monitor

Hard to execute, impossible to check ⇑ derive Monitor: efficient arithmetic check F(p, v, ˆ v+, ˆ p+) prior state p posterior state p+ evolve, e.g., move Model {v := −v ∪ ?v = 0} p′ = v v . . . p p+ . . . v+ ˆ p+ . . . ˆ v+ check ∋ measure measure

Stefan Mitsch—ModelPlex 5 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? i−1 i i−2 . . . Model α ⊆

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ (ω, ν) ∈ ρ(α) Semantical: reachability relation of α

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ a prior state characterized by x a posterior state characterized by x+ (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): exists a run of α to a state where x = x+?

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ a prior state characterized by x a posterior state characterized by x+ (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): exists a run of α to a state where x = x+?

• (ω, ν) |

= F (x, x+) Real arithmetic: dL proof check at runtime (efficient)

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ a prior state characterized by x a posterior state characterized by x+ Offline (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): exists a run of α to a state where x = x+? ⇑ (ω, ν) | = F (x, x+) Real arithmetic: dL proof check at runtime (efficient)

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ Offline (ω, ν) ∈ ρ(if (z>7) y := −y else z′=y

• α

) Semantical:

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ Offline (ω, ν) ∈ ρ(if (z>7) y := −y else z′=y

• α

) Semantical:

• (ω, ν) |

= if (z>7) y := −y else z′=y (y=y+ ∧ z=z+) Logic (dL):

Stefan Mitsch—ModelPlex 6 of 9

How to Construct Monitor F(x, x +)

When are two states linked through a run of model α? ω ν Model α ⊆ Offline (ω, ν) ∈ ρ(if (z>7) y := −y else z′=y

• α

) Semantical:

• (ω, ν) |

= if (z>7) y := −y else z′=y (y=y+ ∧ z=z+) Logic (dL): ⇑ (ω, ν) | = z>7 ∧ −y = y+ ∨

z≤7 ∧ z + y∆t = z+

Real arithmetic:

Stefan Mitsch—ModelPlex 6 of 9

Logical Reductions for Model Safety Transfer

Logic reduces CPS safety to runtime monitor with offline proof ω ν Model α ⊆ Offline (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): ⇑ (ω, ν) | = F (x, x+) Real arithmetic: dL proof

Stefan Mitsch—ModelPlex 6 of 9

Logical Reductions for Model Safety Transfer

Logic reduces CPS safety to runtime monitor with offline proof ω ν Model α ⊆ ν ∈ [ [S] ] Safe Offline (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): ⇑ (ω, ν) | = F (x, x+) Real arithmetic: dL proof

Stefan Mitsch—ModelPlex 6 of 9

Logical Reductions for Model Safety Transfer

Logic reduces CPS safety to runtime monitor with offline proof ω ν Model α ⊆ ω ∈ [ [A] ] Init Offline (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): ⇑ (ω, ν) | = F (x, x+) Real arithmetic: dL proof check at runtime (efficient)

Stefan Mitsch—ModelPlex 6 of 9

Logical Reductions for Model Safety Transfer

Logic reduces CPS safety to runtime monitor with offline proof ω ν Model α ⊆ A → [α]S dL proof Offline (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): ⇑ (ω, ν) | = F (x, x+) Real arithmetic: dL proof

Stefan Mitsch—ModelPlex 6 of 9

Logical Reductions for Model Safety Transfer

Logic reduces CPS safety to runtime monitor with offline proof ω ν Model α ⊆ Offline (ω, ν) ∈ ρ(α) Semantical: Lemma (ω, ν) | = α(x) (x = x+) Logic (dL): ⇑ (ω, ν) | = F (x, x+) Real arithmetic: dL proof Conclusion Runtime validation is required to guarantee safety

Stefan Mitsch—ModelPlex 6 of 9

Measure Distance to Safety Boundary

Related to Robustness in (Metric/Signal) Temporal Logic ModelPlex synthesis pre-processes dL to predicates over real arithmetic easy metric definition Proof ModelPlex synthesis, normal form transformation, and metric derivation by proof Terms, formulas e.g., d(t ≥ s) = t − s, d(p ∧ q) = min(d(p), d(q)) Safety monitor p ≤ S

1 2 3 4 5 6 7 8 9 −1 1 t Acceleration Velocity Position Safety Margin

Safety monitor v ≥ 0 ∧ p ≤ S

1 2 3 4 5 6 7 8 9 −1 1 t Acceleration Velocity Position Safety Margin Stefan Mitsch—ModelPlex 7 of 9

Test Case Analysis and Synthesis

Test input Expected outcome Test Analysis Run monitor on input/expected outcome Generate Tests Pick input and synthesize expected values

1 2 3 4 5 6 7 8 9 −1 1 t Acceleration Velocity Position Safety Margin Boundary

Safe Boundary Unsafe

Stefan Mitsch—ModelPlex 8 of 9

Summary

Proof guarantees correct model Monitor correctly checks deviation of model from reality Proof Strategy Hybrid System Model KeYmaera X Counterexample Monitor Specification Proof Control Sensors Actuators Sensors Control Monitor Actuators

Dynamics Analyze software for physical effects Validation Offline proofs hold at system runtime Tool ModelPlex implemented as tactic in KeYmaera X Stefan Mitsch smitsch@cs.cmu.edu www.keymaeraX.org

Stefan Mitsch—ModelPlex 9 of 9