ProPed Tool for Symbolic Verification of Probablistic Recursive - - PowerPoint PPT Presentation

Rohit Chadha , Umang Mathur , Stefan Schwoon – 1 of 17

ProPed

Tool for Symbolic Verification of Probablistic Recursive Programs Rohit Chadha 1 Umang Mathur 2 Stefan Schwoon 3

1Computer Science Department

University of Missouri Columbia, Missouri, USA

2Department of Computer Science and Engineering

Indian Institute of Tchnology - Bombay Mumbai

3LSV, ENS Cachan

France

January 23, 2014

Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17

ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17

ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

– Moped: Recursion and symbolic program verification but no probability

Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17

ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

– Moped: Recursion and symbolic program verification but no probability – PRISM: Symbolic program analysis and probability but no recursion

Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17

ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

– Moped: Recursion and symbolic program verification but no probability – PRISM: Symbolic program analysis and probability but no recursion – PReMo: Recursion and probability but explicit state model checking

Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17

ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

– Moped: Recursion and symbolic program verification but no probability – PRISM: Symbolic program analysis and probability but no recursion – PReMo: Recursion and probability but explicit state model checking ProPed = Moped ∪ PRISM ∪ PReMo

Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17

ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

– Moped: Recursion and symbolic program verification but no probability – PRISM: Symbolic program analysis and probability but no recursion – PReMo: Recursion and probability but explicit state model checking ProPed = Moped ∪ PRISM ∪ PReMo ProPed is a MTBDD-based tool that analyzes probabilistic recursive programs

Rohit Chadha , Umang Mathur , Stefan Schwoon – 3 of 17

Probabilistic Recursive Programs

Analysis of Probabilistic Recursive Programs: – Modeling the program

Rohit Chadha , Umang Mathur , Stefan Schwoon – 3 of 17

Probabilistic Recursive Programs

Analysis of Probabilistic Recursive Programs: – Modeling the program – Reachability Analysis and Property Checking

Rohit Chadha , Umang Mathur , Stefan Schwoon – 3 of 17

Probabilistic Recursive Programs

Analysis of Probabilistic Recursive Programs: – Modeling the program – Reachability Analysis and Property Checking – Calculating Information Leakage

Rohit Chadha , Umang Mathur , Stefan Schwoon – 4 of 17

Example program

procedure p; p0: if ? then p1: call s; p2: if ? then wp 0.2 -> call p; wp 0.8 -> skip; end if; else p3: call p; end if P4: return procedure s; s0: if ? then return; end if; s1: call p; s2: return; procedure main ; m0: call s; m1: return; S = {p0, . . . , p4, s0, . . . , s2, m0, m1}

∗, initial state = m0

Rohit Chadha , Umang Mathur , Stefan Schwoon – 4 of 17

Example program

procedure p; p0: if ? then p1: call s; p2: if ? then wp 0.2 -> call p; wp 0.8 -> skip; end if; else p3: call p; end if P4: return procedure s; s0: if ? then return; end if; s1: call p; s2: return; procedure main ; m0: call s; m1: return; S = {p0, . . . , p4, s0, . . . , s2, m0, m1}

∗, initial state = m0

m0 s0 m1 m1 s1 m1 p0 s2 m1 p1 s2 m1 p3 s2 m1 p0 p4 s2 m1 s0 p2 s2 m1 ε

Rohit Chadha , Umang Mathur , Stefan Schwoon – 5 of 17

Analysis of Recursive Programs is not Straightforward

– Potentially infinite state space !

Rohit Chadha , Umang Mathur , Stefan Schwoon – 5 of 17

Analysis of Recursive Programs is not Straightforward

– Potentially infinite state space ! – Simple unrolling/inlining is not applicable

Rohit Chadha , Umang Mathur , Stefan Schwoon – 5 of 17

Analysis of Recursive Programs is not Straightforward

– Potentially infinite state space ! – Simple unrolling/inlining is not applicable – Cannot be analyzed by naively searching all reachable states

Rohit Chadha , Umang Mathur , Stefan Schwoon – 5 of 17

Analysis of Recursive Programs is not Straightforward

– Potentially infinite state space ! – Simple unrolling/inlining is not applicable – Cannot be analyzed by naively searching all reachable states – Some finite representation is required

Rohit Chadha , Umang Mathur , Stefan Schwoon – 6 of 17

Computation Model for Probabilistic Recursive Programs

– Control flow:

– Sequential (probabilistic) program – Procedures – Mutual procedure calls (possibly recursive)

Rohit Chadha , Umang Mathur , Stefan Schwoon – 6 of 17

Computation Model for Probabilistic Recursive Programs

– Control flow:

– Sequential (probabilistic) program – Procedures – Mutual procedure calls (possibly recursive)

– Data:

– Global Variables (finite memory) – Local Variables in each procedure (one copy per call)

Rohit Chadha , Umang Mathur , Stefan Schwoon – 7 of 17

Pushdown Systems: Syntax and Semantics

A pushdown system is a triple (P, Γ, δ), where – P is a finite set of control locations (states) – Γ is a finite stack alphabet – δ ⊆ (P × Γ) × (P × Γ∗) is a finite set of rules

Rohit Chadha , Umang Mathur , Stefan Schwoon – 7 of 17

Pushdown Systems: Syntax and Semantics

A pushdown system is a triple (P, Γ, δ), where – P is a finite set of control locations (states) – Γ is a finite stack alphabet – δ ⊆ (P × Γ) × (P × Γ∗) is a finite set of rules A configuration is a pair pα, where p ∈ P and α ∈ Γ∗ Semantics: A (possibly infinite) transition system with configurations as states and transitions given by If pX ֒ → qα ∈ δ, then pXβ → qαβ for every β ∈ Γ∗

Rohit Chadha , Umang Mathur , Stefan Schwoon – 7 of 17

Pushdown Systems: Syntax and Semantics

A pushdown system is a triple (P, Γ, δ), where – P is a finite set of control locations (states) – Γ is a finite stack alphabet – δ ⊆ (P × Γ) × (P × Γ∗) is a finite set of rules A configuration is a pair pα, where p ∈ P and α ∈ Γ∗ Semantics: A (possibly infinite) transition system with configurations as states and transitions given by If pX ֒ → qα ∈ δ, then pXβ → qαβ for every β ∈ Γ∗ Normalization |α| ≤ 2 (each transition pushes atmost 2 symbols on the stack), termination only by empty stack.

Rohit Chadha , Umang Mathur , Stefan Schwoon – 8 of 17

Probabilistic Pushdown Systems: Syntax and Semantics

A probabilistic pushdown system is a tuple P = (P, Γ, δ, Prob), where – (P, Γ, δ) is a PDS – Prob : δ → (0, 1] such that for every pair pX, we have P

pX֒ →qα Prob(pX ֒

→ qα) = 1 pX

x

֒ → qα to denote Prob(pX ֒ → qα) = x

Rohit Chadha , Umang Mathur , Stefan Schwoon – 8 of 17

Probabilistic Pushdown Systems: Syntax and Semantics

A probabilistic pushdown system is a tuple P = (P, Γ, δ, Prob), where – (P, Γ, δ) is a PDS – Prob : δ → (0, 1] such that for every pair pX, we have P

pX֒ →qα Prob(pX ֒

→ qα) = 1 pX

x

֒ → qα to denote Prob(pX ֒ → qα) = x Semantics: A (possibly infinite) Markov chain with configurations as states and transition probabilities given by If pX

x

֒ → qα ∈ δ, then pXβ

x

− → qαβ for every β ∈ Γ∗

Rohit Chadha , Umang Mathur , Stefan Schwoon – 9 of 17

From programs to pushdown systems

State of a procedural program: (g, n, l, (n1, l1) · · · (nk, lk)), where – g is a valuation of the global variables, – n is the value of the program counter, – l is a valuation of local variables of the current active procedure, – ni is a return address, and – li is a saved valuation of the local variables of a calling procedure Modeled as a configuration pXY1 · · · Yk where p = g X = (n, l) Yi = (ni, li)

Rohit Chadha , Umang Mathur , Stefan Schwoon – 10 of 17

From programs to pushdown systems

The following correspondence between a program and PDS holds: – State p corresponds to valuations of global variables – Γ corresponds to tuples of the form (program counter, local valuations) – Configuration pAw can be interpreted with globals in p, current procedure with local variables in A and suspended procedures in w – Rule pX ֒ → qY corresponds to a sequential statement within a procedure – Rule pX ֒ → qY Z corresponds to a call to some procedure – Rule pX ֒ → qε corresponds to a return from some procedure

Rohit Chadha , Umang Mathur , Stefan Schwoon – 11 of 17

Probabilistic Verification

– Qualitative properties: Does a program property hold with probability 1?

Rohit Chadha , Umang Mathur , Stefan Schwoon – 11 of 17

Probabilistic Verification

– Qualitative properties: Does a program property hold with probability 1? – Quantitative properties: What is the probability with which a certain property hold?

– Reachability of control states – simple PCTL properties such as ♦(l1 ∨ l2 · · · lk), where li are labels in the program

Rohit Chadha , Umang Mathur , Stefan Schwoon – 12 of 17

Quantitative Verification: Formulating system of non-linear equations

Define a variable [pXq] as the probability of starting at the configuration pX and eventually reaching the configuration qε.

Rohit Chadha , Umang Mathur , Stefan Schwoon – 12 of 17

Quantitative Verification: Formulating system of non-linear equations

Define a variable [pXq] as the probability of starting at the configuration pX and eventually reaching the configuration qε.

Theorem (J. Esparza, A. Kuc˘ era, R. Mayr)

The [pXq]s are the least solution of the following system of equations: [pXq] = P

pX

x

֒ →qε x + P pX

x

֒ →rY x.[rY q] + P pX

x

֒ →rY Z x. P t∈P [rY t].[tZq]

Rohit Chadha , Umang Mathur , Stefan Schwoon – 12 of 17

Quantitative Verification: Formulating system of non-linear equations

Define a variable [pXq] as the probability of starting at the configuration pX and eventually reaching the configuration qε.

Theorem (J. Esparza, A. Kuc˘ era, R. Mayr)

The [pXq]s are the least solution of the following system of equations: [pXq] = P

pX

x

֒ →qε x + P pX

x

֒ →rY x.[rY q] + P pX

x

֒ →rY Z x. P t∈P [rY t].[tZq]

The system is of the form x = P(x), and the sequence 0, P(0), P 2(0) · · · converges to the least solution.

Rohit Chadha , Umang Mathur , Stefan Schwoon – 13 of 17

Fixed-point Computation

– The variables [pXq] are just relations over the initial and final valuations of variables – The statements of the program are also similar relations

x x' 0x2c 0x29 0x2b

1

Stmt: x = !x Stmt

– Can be represented efficiently as MTBBDs (= BDDs + real values on the terminal nodes) – Fixed point computation - Jacobi Iterative Method – Use of CUDD library for MTBDD (ADD) manipulations.

Rohit Chadha , Umang Mathur , Stefan Schwoon – 14 of 17

Information Leakage

– Leakage measured in terms of min-entropy (G. Smith) – For a given set of inputs S and outputs O, min-entropy leakage, LSO = log V (S|O)

V (S) , where

– S is a random variable on S and having distribution PS – O is a random variable on O and having distribution PO – V (S) = max

s∈S PS[s]

– V (S|O) = P

• ∈O PO[o].max

s∈S P[s|o]

– Computing the above metric is simply basic ADD manipulation !

Rohit Chadha , Umang Mathur , Stefan Schwoon – 15 of 17

Technical details about the tool

– Input language: Remopla with an additional pchoice construct

define N 32 define DEFAULT_INT_BITS N unsigned int var1; bool g; module void f(unsigned int v, bool z){ bool k; pchoice :: 0.2 -> label2: k = g && z; :: 0.8 -> var1 = var1 + v; choicep } module void main(){ var1 = 53; pchoice :: 0.3 -> label1: g = true; :: 0.7 -> f(var1, !g); choicep }

Figure: An input program for ProPed

– Parser and other libraries (CUDD, etc.,) : C – Analysis (Fixed point computation) : C++

Rohit Chadha , Umang Mathur , Stefan Schwoon – 16 of 17

More about MTBDDs

2 3 5 6 8 main 0x1943 0x1941 0x1942 0x1940 0x193f 0x1938 0x193b 0x193e 0x1937 0x193a 0x1935 0x1936 0x193d 0.14 0.56 0.7

Figure: An MTBDD

MTBDD = Multi Terminal Binary Decision Diagram – CUDD : ADD (Algebraic Decision Diagram) interface – Provides important Utilities:

– Cudd addTimes – Cudd addPlus – Cudd addPermute – Cudd addMatrixMultiply – Cudd addCmpl, Cudd addXnor, · · · – Cudd addExistAbstract, Cudd addMaxAbstract, · · ·

Rohit Chadha , Umang Mathur , Stefan Schwoon – 17 of 17

Possible Improvements and Extensions

– Use faster iteration methods (Jacobi is too slow) such as Newton-Raphson iterations – Repeated Reachability : B¨ uchi – Information leakage by energy characterization