modelplex verified runtime monitors and verified test
play

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for - PowerPoint PPT Presentation

Dec 21, 2022 •225 likes •537 views

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical Systems Stefan Mitsch Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop 2017 May 12, 2017 joint work with Andr e

  1. ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical Systems Stefan Mitsch Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop 2017 May 12, 2017 joint work with Andr´ e Platzer Stefan Mitsch—ModelPlex 1 of 9

  2. Formal Verification of Cyber-Physical Systems Analyze the physical effect of software Proof guarantees KeYmaera Control Proof Strategy Hybrid System Model Counterexample Sensors Actuators Monitor correctly checks deviation Discrete computation + continuous physics 6 9 4 0 − 1 t − 3 t 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Stefan Mitsch—ModelPlex 2 of 9

  3. Formal Verification of Cyber-Physical Systems Theorem proving ensures correct model Proof guarantees correct model KeYmaera X Proof Strategy Proof Hybrid System Monitor Model Specification Counterexample Monitor correctly checks deviation of model from reality Safety Proof Never collide Stefan Mitsch—ModelPlex 2 of 9

  4. Formal Verification of Cyber-Physical Systems Runtime monitoring ensures model compliance KeYmaera X Control Proof Monitor Specification Counterexample Sensors Monitor Actuators checks deviation of model from reality Monitor desired effect + safe environment ◮ Runtime: ensure safety and detect anomalies ◮ Testing: generate and analyze test cases Stefan Mitsch—ModelPlex 2 of 9

  5. How to Achieve Safety Guarantees at Runtime? Real CPS safe Proof Reachability Analysis . . . Verification Results Stefan Mitsch—ModelPlex 3 of 9

  6. How to Achieve Safety Guarantees at Runtime? Real CPS safe abstract Model α ∗ Proof Control α ctrl v := v + 1 Reachability safe sense Analysis act . . . Plant α plant x ′ = v Verification Results Stefan Mitsch—ModelPlex 3 of 9

  7. How to Achieve Safety Guarantees at Runtime? Real CPS safe synthesize abstract Model α ∗ Proof Control α ctrl v := v + 1 Reachability safe sense Analysis act . . . Plant α plant x ′ = v Verification Results Stefan Mitsch—ModelPlex 3 of 9

  8. How to Achieve Safety Guarantees at Runtime? Real CPS safe synthesize abstract Model α ∗ Proof v := K p e ( t ) + � t 0 e ( τ ) d τ + K d de Reachability K i dt safe sense Analysis act x ′ ≤ v , v ′ = . . . Te xg xd n − 1 2 C d A ρ v 2 rw Verification Results Stefan Mitsch—ModelPlex 3 of 9

  9. How to Achieve Safety Guarantees at Runtime? Real CPS Challenge safe ◮ Others may not satisfy the model assumptions ◮ Non-verified implementation may have bugs synthesize abstract Model α ∗ � Verification results about models Proof only apply if CPS fits to the model v := K p e ( t ) + � t 0 e ( τ ) d τ + K d de Reachability K i dt safe sense Analysis act x ′ ≤ v , v ′ = . . . Te xg xd n − 1 2 C d A ρ v 2 rw Verification Results Stefan Mitsch—ModelPlex 3 of 9

  10. ModelPlex at Runtime Controller Sensors Actuators Stefan Mitsch—ModelPlex 4 of 9

  11. ModelPlex at Runtime Controller ModelPlex Compliance Fallback Monitor Sensors Actuators Compliance Monitor Checks CPS for compliance with model at runtime Want: Monitor satisfied at runtime → Real state safe ModelPlex Which conditions guarantee safety? Derive monitoring conditions from model by proof Fallback Safe control, executed when monitor is not satisfied Stefan Mitsch—ModelPlex 4 of 9

  12. Principle Behind a ModelPlex Monitor Model p v + v + ˆ check ∋ { v := − v . . . . . . . . . ∪ ? v = 0 } p + p + v p ′ = v ˆ measure measure evolve, e.g., p move p + prior state posterior state Stefan Mitsch—ModelPlex 5 of 9

  13. Principle Behind a ModelPlex Monitor Hard to execute, impossible to check Model p v + v + ˆ check ∋ { v := − v . . . . . . . . . ∪ ? v = 0 } p + p + v p ′ = v ˆ measure measure evolve, e.g., p move p + prior state posterior state Stefan Mitsch—ModelPlex 5 of 9

  14. Principle Behind a ModelPlex Monitor v + , ˆ p + ) Monitor: efficient arithmetic check F ( p , v , ˆ ⇑ derive Hard to execute, impossible to check Model p v + v + ˆ check ∋ { v := − v . . . . . . . . . ∪ ? v = 0 } p + p + v p ′ = v ˆ measure measure evolve, e.g., p move p + prior state posterior state Stefan Mitsch—ModelPlex 5 of 9

  15. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α . . . i − 2 i − 1 i Stefan Mitsch—ModelPlex 6 of 9

  16. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Stefan Mitsch—ModelPlex 6 of 9

  17. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν ( ω, ν ) ∈ ρ ( α ) reachability relation of α Semantical: Stefan Mitsch—ModelPlex 6 of 9

  18. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? a prior state a posterior state ⊆ characterized by x + characterized by x Model α ω ν ( ω, ν ) ∈ ρ ( α ) Semantical: exists a run of α to a � Lemma state where x = x + ? = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): Stefan Mitsch—ModelPlex 6 of 9

  19. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? a prior state a posterior state ⊆ characterized by x + characterized by x Model α ω ν ( ω, ν ) ∈ ρ ( α ) Semantical: exists a run of α to a � Lemma state where x = x + ? = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): � d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: check at runtime (efficient) Stefan Mitsch—ModelPlex 6 of 9

  20. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? a prior state a posterior state ⊆ characterized by x + characterized by x Model α ω ν Offline ( ω, ν ) ∈ ρ ( α ) Semantical: exists a run of α to a � Lemma state where x = x + ? = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: check at runtime (efficient) Stefan Mitsch—ModelPlex 6 of 9

  21. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ (if ( z > 7) y := − y else z ′ = y ) Semantical: � �� � α Stefan Mitsch—ModelPlex 6 of 9

  22. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ (if ( z > 7) y := − y else z ′ = y ) Semantical: � �� � � α = � if ( z > 7) y := − y else z ′ = y � ( y = y + ∧ z = z + ) ( ω, ν ) | Logic (d L ): Stefan Mitsch—ModelPlex 6 of 9

  23. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ (if ( z > 7) y := − y else z ′ = y ) Semantical: � �� � � α = � if ( z > 7) y := − y else z ′ = y � ( y = y + ∧ z = z + ) ( ω, ν ) | Logic (d L ): ⇑ = z > 7 ∧ − y = y + ∨ � z ≤ 7 ∧ z + y ∆ t = z + � Real arithmetic: ( ω, ν ) | Stefan Mitsch—ModelPlex 6 of 9

  24. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

  25. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α ω ν ν ∈ [ [ S ] ] Safe Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

  26. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α ω ν ω ∈ [ [ A ] ] Init Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: check at runtime (efficient) Stefan Mitsch—ModelPlex 6 of 9

  27. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α d L proof A → [ α ] S ω ν Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

  28. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α Conclusion ω ν Runtime validation is required to guarantee safety Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University RV14, Sept. 24, 2014 Simplex for Hybrid System Models Stefan Mitsch ,

844 views • 50 slides
Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop, Dec. 12, 2014 For Details, see ModelPlex paper at

504 views • 27 slides
Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on works with: Yong Kiam Tan 1 , Stefan Mitsch 1 , Andrew Sogokon 1 , Edward Ahn 1 , David Held 1 , John Dolan 1 , Aman Khurana 1 , Magnus O. Myreen 2 ,

637 views • 44 slides
Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

900 views • 79 slides
Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from SysML Models Jrg Brauer and Jan Peleska Verified Systems International GmbH support@verified.de Space Tech Expo Europe 2015-11-19 Motivation

499 views • 26 slides
Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j

Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j

Differential Refinement Logic Sarah M. Loos and Andr Platzer Computer Science Department Carnegie Mellon University 1 Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j p x k x i

1.97k views • 179 slides
Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus

Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus

From the office of Texas Conference of SDA Human Resources ___________________________________ Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus She will be working with every church and

279 views • 5 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer 1 , Yong Kiam Tan 1 , Stefan Mitsch 1 , Magnus O. Myreen 2 , and Andr e Platzer 1 Carnegie Mellon University 1 Chalmers University of Technology 2

672 views • 44 slides
What sets Verified Users apart? Insights, Analysis and Prediction of Verified Users on Twitter

What sets Verified Users apart? Insights, Analysis and Prediction of Verified Users on Twitter

What sets Verified Users apart? Insights, Analysis and Prediction of Verified Users on Twitter Indraneil Paul (IIIT Hyderabad), Abhinav Khattar (IIIT Delhi), Shaan Chopra (IIIT Delhi), Ponnurangam Kumaraguru (IIIT Delhi), Manish Gupta

731 views • 39 slides
Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2

Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2

Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2 Lukas Br Paul Kearney 3 Burkhart Wolff 4 1 SAP Research, Germany 2 Information Security, ETH Z urich, Switzerland 3 Security Futures Practice, BT

629 views • 29 slides
Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016 Introducing Verified Boot and Related Issues Introducing Verified Boot and Related Issues Bootup Process BIOS History

947 views • 39 slides
What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I What Use Is Verified Software? 1 Software and Systems The world at large cares little for verified

734 views • 14 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
Enabling Safety Upgrades That Reduce Risk David Lochbaum Director, Nuclear Safety Project

Enabling Safety Upgrades That Reduce Risk David Lochbaum Director, Nuclear Safety Project

Enabling Safety Upgrades That Reduce Risk David Lochbaum Director, Nuclear Safety Project www.ucsusa.org May 11, 2017 1 Newtons Third Law For e or ever ery action, y action, ther there is an e is an equal and equa l and oppo

358 views • 15 slides
Online Learning & Margins Instructor: Sham Kakade 1 Introduction There are two common

Online Learning & Margins Instructor: Sham Kakade 1 Introduction There are two common

CSE 546: Machine Learning Lecture 9 Online Learning & Margins Instructor: Sham Kakade 1 Introduction There are two common models of study: Online Learning No assumptions about data generating process. Worst case analysis. Fundamental

61 views • 3 slides
Emily Shen, David Wagner EVT/WOTE 2011 San Francisco, CA 8 August 2011 Voters rank (a subset

Emily Shen, David Wagner EVT/WOTE 2011 San Francisco, CA 8 August 2011 Voters rank (a subset

Thomas R. Magrino, Ronald L. Rivest Emily Shen, David Wagner EVT/WOTE 2011 San Francisco, CA 8 August 2011 Voters rank (a subset of) candidates by preference. In the US, used mostly for local elections. Sometimes called Ranked

554 views • 32 slides
Lecture 10 Support Vector Machines Oct - 20 - 2008 Linear Separators Linear Separators

Lecture 10 Support Vector Machines Oct - 20 - 2008 Linear Separators Linear Separators

Lecture 10 Support Vector Machines Oct - 20 - 2008 Linear Separators Linear Separators Which of the linear separators is optimal? p p + + + + + + + + + Concept of Margin

433 views • 15 slides
Chance-Constrained Path Planning with Continuous Time Safety Guarantees Kaito Ariu, Cheng Fang,

Chance-Constrained Path Planning with Continuous Time Safety Guarantees Kaito Ariu, Cheng Fang,

Chance-Constrained Path Planning with Continuous Time Safety Guarantees Kaito Ariu, Cheng Fang, Marcio Arantes, Claudio Toledo, and Brian Williams 2017/2/12 1 Outline Background (pSulu) Safety of trajectory mean Reflection

327 views • 30 slides
ACRS MEETING WITH CRS MEETING WITH THE U THE U.S. .S. NUCLEAR NUCLEAR REGULA REGULATOR ORY

ACRS MEETING WITH CRS MEETING WITH THE U THE U.S. .S. NUCLEAR NUCLEAR REGULA REGULATOR ORY

ACRS MEETING WITH CRS MEETING WITH THE U THE U.S. .S. NUCLEAR NUCLEAR REGULA REGULATOR ORY Y COMMISSION COMMISSION March 4, 2016 Ov Over erview view Dennis C. Bley Accomplishments Since our last meeting with the Commission on

497 views • 39 slides
Blockchain and Cyber Risk Part of an Ongoing Webinar Series on Insurance Innovation October 18 th

Blockchain and Cyber Risk Part of an Ongoing Webinar Series on Insurance Innovation October 18 th

Blockchain and Cyber Risk Part of an Ongoing Webinar Series on Insurance Innovation October 18 th , 2017, 11 AM Eastern Blockchain and Cyber Risk Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides

537 views • 19 slides
Introduction to XML What markup languages have you used (or looked at) (or heard of)? What

Introduction to XML What markup languages have you used (or looked at) (or heard of)? What

Introduction to XML What markup languages have you used (or looked at) (or heard of)? What markup languages have you used (or looked at) (or heard of)? (X)HTML (Web pages) EAD (archival finding aids) DocBook (books, such as manuals)

410 views • 20 slides

More recommend