Towards Certification of Network Calculus (Marc Boyer, Loïc Fejoz, Etienne Mabille, Stephan Merz), PowerPoint presentation



Towards Certification of Network Calculus

Marc Boyer, Loïc Fejoz, Etienne Mabille, Stephan Merz
Dagstuhl seminar 15182, April 2015

Boyer, Fejoz, Mabille, Merz Towards Certification of Network Calculus Dagstuhl 2015 1 / 20

Contents

1 Motivation
2 Network Calculus
3 The Proof Assistant Isabelle/HOL
4 Certifying NC Computations in Isabelle/HOL

Application of Formal Methods in Industry

Scaling up for critical systems
◮ have a solid theory for system design: great!
◮ implemented in a working prototype: even better!
◮ apply it to the next Airbus design: will you take the risk?

Qualification of design tools (DO 178, ECSS-Q-ST-80, . . . )
◮ make sure your theory works in all border cases
◮ correctness of implementation: process-based quality assurance
◮ specification, documentation, tests, . . .

⇒ Are you convinced of costs vs. benefits?

Quality Assurance Through Result Certification

Check results of individual runs
◮ solver provides a trace that can be checked independently
◮ verifying a solution is simpler than proving the implementation
◮ trusted code base shifts from solver to checker
◮ solver software can evolve without being requalified

Result certification using a proof assistant
⊕ formalizing background theory increases trust
⊕ kernels of proof assistants are small and stable
⊖ checking large traces by the kernel may be inefficient
  ⇒ efficiency may be acceptable for off-line checking
  ⇒ use code generation for more efficient checkers

Result Certification for Network Calculus

Design of embedded networks
◮ regulated application domains: avionics, trains, cars (?)
◮ heterogeneous VLSI designs (NoC): errors are costly

Established theory: network calculus (Le Boudec et al., 1990s)
◮ algebraic theory for computing memory and delay bounds
◮ industrial / academic tool sets (Rockwell Collins ConfGen)
◮ widely used, e.g. for designing the AFDX backbone of the Airbus A380

Objective of this work
◮ explore suitability of the result certification approach
◮ provide a path towards complementing standard tool qualification


Mathematical Basis

Representation of network flows
◮ F(t): amount of data transmitted up to time t
◮ non-decreasing function F : R^∞_{≥0} → R^∞_{≥0} (non-negative reals extended with ∞)
◮ actual flows are usually unknown, but consider upper bounds

Mathematical representation as a dioid
◮ pointwise minimum ⊓, addition +, ordering ≤
◮ further operations on flows:
    convolution       (F ∗ G)(t) = inf {F(t − s) + G(s) : 0 ≤ s ≤ t}
    deconvolution     (F ⊘ G)(t) = sup {F(t + s) − G(s) : 0 ≤ s}
    sub-add. closure  F^∗ = F ⊓ (F ∗ F) ⊓ (F ∗ F ∗ F) ⊓ · · ·

Convolution: Example

[figure: the curves F and G, then their min-plus convolution F ∗ G]

Common Classes of Functions

Step function δ_d(t) = if t ≤ d then 0 else ∞

Linear functions
◮ β_{R,T}(t) = if t ≤ T then 0 else R(t − T)
◮ γ_{r,b}(t) = if t ≤ 0 then 0 else rt + b

[figure: plots of γ, β and δ]

(Ultimately) periodic piecewise linear functions

Explicit representation of NC operations for these functions
◮ closed-form formulas for computing (de)convolution etc.

Further Notions of Network Calculus

Distances between two flows
[figure: curves γ and β with the horizontal distance h(γ, β) and the vertical distance v(γ, β)]
◮ horizontal distance measures worst delay
◮ vertical distance measures buffer use

Arrival curve α of a flow F
◮ upper bound on the rate of arrival of new data:
    ∀t, s ≥ 0 : F(t + s) − F(t) ≤ α(s)
◮ equivalent formulation: F ≤ F ∗ α
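The two definitions of an arrival curve on the slide above (the window bound and its min-plus formulation F ≤ F ∗ α), together with the convolution from the Mathematical Basis slide, exercised on a small packet trace. This is an added Python example, not code from the slides or from the authors' Java analyzer or Isabelle checker; the packet trace, the integer µs grid and the curve parameters are constructed here, and `min_burst` is an added helper that finds the smallest burst b for which γ_{r,b} bounds the trace.

```python
from itertools import accumulate

# Constructed packet trace (arrival time in µs, size in bits); not taken from the slides.
PACKETS = [(0, 800), (5, 800), (7, 400), (30, 800), (31, 800), (60, 1200)]
HORIZON = 80          # the flow is examined on the integer grid t = 0 .. HORIZON µs

def cumulative_flow(packets, horizon):
    """F(t): amount of data arrived up to and including time t; non-decreasing by construction."""
    per_slot = [0] * (horizon + 1)
    for t, size in packets:
        per_slot[t] += size
    return list(accumulate(per_slot))

def gamma(r, b):
    """Token-bucket curve γ_{r,b}(t) = 0 if t <= 0 else r·t + b (slide 'Common Classes of Functions')."""
    return lambda t: 0 if t <= 0 else r * t + b

def has_arrival_curve(F, alpha):
    """Window definition: ∀t, s >= 0 : F(t+s) − F(t) <= α(s), checked over the whole grid."""
    n = len(F)
    return all(F[t + s] - F[t] <= alpha(s) for t in range(n) for s in range(n - t))

def min_plus_convolution(F, G):
    """(F ∗ G)(t) = inf{F(t−s) + G(s) : 0 <= s <= t}, restricted to the grid."""
    return [min(F[t - s] + G(s) for s in range(t + 1)) for t in range(len(F))]

def has_arrival_curve_minplus(F, alpha):
    """Equivalent min-plus formulation: F <= F ∗ α pointwise."""
    return all(f <= c for f, c in zip(F, min_plus_convolution(F, alpha)))

def min_burst(F, r):
    """Smallest b for which γ_{r,b} bounds F: the largest excess of any window (s >= 1) over rate r."""
    n = len(F)
    return max(F[t + s] - F[t] - r * s for t in range(n) for s in range(1, n - t))

if __name__ == "__main__":
    F = cumulative_flow(PACKETS, HORIZON)
    b = min_burst(F, 100)
    for burst in (b, b - 1):
        print(f"γ_(100,{burst}): window definition {has_arrival_curve(F, gamma(100, burst))}, "
              f"min-plus definition {has_arrival_curve_minplus(F, gamma(100, burst))}")
```

Both definitions accept exactly the same curves: with rate r = 100 bit/µs the tightest bucket for this trace has b = 1400 (set by the two back-to-back packets at 30 and 31 µs), and lowering b by one bit makes both checks fail at the same window.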

Servers and Service Curves

Representation of a simple server
[figure: input flow F enters server S, output flow G leaves it]
◮ total relation S where (F, G) ∈ S implies G ≤ F
◮ S has service curve β if F ∗ β ≤ G whenever (F, G) ∈ S

Compute arrival curves for server output
◮ assume given input arrival curve α and service curve β
◮ the following formulas are valid arrival curves for the output:
    α ⊘ β        α ⊘ δ_{h(α,β)}        (α ⊘ δ_{h(α,β)})^∗
◮ choice based on shape of curves and effort of computation

Extensions to servers with multiple inputs/outputs


Isabelle’s Higher-Order Logic: Types

Type constructors
◮ primitive: bool, functions, idx
◮ ML-style polymorphism: type variables
◮ typedef constructs a new type from a characteristic predicate
◮ derived constructions for pairs, (co-)algebraic data types etc.

Interpretation by disjoint universes

(Axiomatic) type classes
◮ collect types satisfying certain properties (à la Haskell)
◮ locales describe common algebraic structures: groups, monoids, . . .
◮ allows reuse of theorems for instances of type classes

Isabelle’s Higher-Order Logic: Terms and Definitions

Formulas of higher-order logic
◮ primitive: equality, implication, λ-abstraction, THE
◮ examples of derived connectives:
    True   ≡ (λx :: bool. x) = (λx. x)
    All(P) ≡ P = (λx. True)            (written ∀x. P x)
    False  ≡ ∀P. P
    P ∧ Q  ≡ ∀R. (P ⇒ Q ⇒ R) ⇒ R

Definitions of operators
◮ introduce new operator in terms of existing ones:
    definition P where P x y ≡ exp
◮ machinery for introducing recursive definitions
◮ introduce fix-point definitions and derive induction principles
◮ powerful heuristics for proving termination (or left to user)

Isabelle’s Proof Support

LCF-style proof kernel
◮ abstract ML type thm: constructors apply single proof rules
◮ creation of theorems restricted to small kernel
◮ users avoid writing axioms, ensuring preservation of consistency

Proof automation
◮ built-in, parameterizable provers (tableau, rewriting, . . . )
◮ resulting proofs are certified by kernel functions
◮ sledgehammer: interface to state-of-the-art automatic provers

Well-developed theorem library
◮ standard library for common mathematical constructs
◮ Archive of Formal Proofs: user-contributed developments


Encoding Network Calculus in Isabelle

Represent basic types and operations

    typedef flow = { f :: ereal ⇒ ereal . (∀r < 0. f r = 0) ∧ mono f }

    typedef server = { S :: (flow × flow) set .
                         (∀f. ∃g. (f, g) ∈ S) ∧ (∀(f, g) ∈ S. g ≤ f) }

    definition convol where
      convol f g = Abs_flow (λt. if t < 0 then 0
                                 else Inf { f · (t − s) + g · s | s. 0 ≤ s ∧ s ≤ t ∧ s ≠ ∞ })
                   (* s ranges over the finite points of [0, t] *)

Arrival and service curves

    (F has arrival curve α)  ≡  F ≤ F ∗ α
    (S has service curve β)  ≡  ∀(in, out) ∈ S. in ∗ β ≤ out

Derive Elementary NC Theorems in Isabelle

Instantiate algebraic type classes
◮ make library theorems available for Network Calculus
◮ simplifies subsequent reasoning about introduced entities

    instantiation flow :: comm_monoid_add
    instantiation flow :: ord

Prove theorems that underlie computation

    theorem d_h_bound:
      assumes (f has arrival curve α) and (S has service curve β)
      shows worst_delay f S ≤ h_dev α β

Our existing formalization is far from complete

Certifying Network Calculus Computations

[figure: example configuration]
    Producer (MFS = 8000, T = 20 ms)
      --in, 1 MBit/s-->    Switch1 (θ1 = 1 µs)
      --mid, 10 MBit/s-->  Switch2 (θ2 = 20 µs)
      --out, 5 MBit/s-->   Consumer

Network Calculus representation
◮ input flow has arrival curve γ_{r,b} where b = MFS, r = MFS / T
◮ switches have service curves β_{Ri,θi} where Ri equals bandwidth

Results of analysis [figure: Isabelle/HOL logo]
◮ delay at switch 1: h(γ_{r,b}, β_{R1,θ1}) = 801 µs
◮ arrival curve mid: γ_{r,b} ⊘ δ_{801} = γ_{2/5, 41602/5}
◮ delay at switch 2: h(γ_{2/5, 41602/5}, β_{R2,θ2}) = 42102/25 µs
◮ overall delay: 801 µs + 42102/25 µs = 62127/25 µs
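The two-switch computation on the slide above, combined with the result-certification idea from the "Quality Assurance Through Result Certification" slides (an untrusted analyzer emits a trace, an independent checker re-verifies it) and the output-arrival-curve formula α ⊘ δ_{h(α,β)} from the "Servers and Service Curves" slide. This is an added Python example; it is not the authors' Java analyzer, nor their Isabelle checker. Assumptions made here: time in µs and data in bits (so 1 MBit/s = 1 bit/µs); r = MFS/T = 2/5 bit/µs; each switch's service rate Ri is the bandwidth of its outgoing link (10 and 5 MBit/s), which is the reading that reproduces the slide's numbers; the closed forms h(γ_{r,b}, β_{R,T}) = T + b/R (for r ≤ R) and γ_{r,b} ⊘ δ_d = γ_{r, b+r·d}, which follow from the curve definitions on the earlier slides; and a sampled checker that stands in for the proof-assistant checker. The names `analyze`, `check_trace` and `tamper` are this example's own.

```python
from fractions import Fraction as Fr

# Units: time in µs, data in bits, so 1 MBit/s = 1 bit/µs.  The only curve shapes are the
# two slide classes: token bucket γ_{r,b} and rate-latency β_{R,T}.

class Gamma:
    """γ_{r,b}(t) = 0 if t <= 0 else r·t + b"""
    def __init__(self, r, b):
        self.r, self.b = Fr(r), Fr(b)
    def __call__(self, t):
        return Fr(0) if t <= 0 else self.r * t + self.b

class Beta:
    """β_{R,T}(t) = 0 if t <= T else R·(t − T)"""
    def __init__(self, R, T):
        self.R, self.T = Fr(R), Fr(T)
    def __call__(self, t):
        return Fr(0) if t <= self.T else self.R * (t - self.T)

def h_dev(alpha, beta):
    """Horizontal deviation h(γ_{r,b}, β_{R,T}) = T + b/R, the worst-case delay bound
    (closed form, assumed here; valid when r <= R, i.e. the server is not overloaded)."""
    if alpha.r > beta.R:
        raise ValueError("r > R: no finite delay bound")
    return beta.T + alpha.b / beta.R

def deconv_delta(alpha, d):
    """(γ_{r,b} ⊘ δ_d)(t) = sup{γ(t+s) − δ_d(s) : s >= 0} = γ(t + d) = γ_{r, b + r·d}(t) for t > 0,
    i.e. the slide's output arrival curve α ⊘ δ_{h(α,β)} (closed form, assumed here)."""
    return Gamma(alpha.r, alpha.b + alpha.r * d)

def analyze(alpha, servers):
    """Untrusted analyzer: walks the chain of servers and emits a trace of
    (input curve, service curve, claimed delay, claimed output curve) per hop."""
    trace, total = [], Fr(0)
    for beta in servers:
        d = h_dev(alpha, beta)
        out = deconv_delta(alpha, d)
        trace.append((alpha, beta, d, out))
        alpha, total = out, total + d
    return trace, total

GRID = [Fr(k, 2) for k in range(1, 401)]   # sample points t in (0, 200] µs, step 0.5 µs

def check_trace(trace, grid=GRID):
    """Independent checker: trusts only the curve definitions, not the analyzer's closed forms.
    For each hop and every sampled t > 0 it checks
      (1) β(t + d) >= α(t): the claimed delay d is at least the horizontal deviation at t,
      (2) out(t) >= α(t + d): the claimed output curve dominates α ⊘ δ_d at t.
    Sampling makes this a sanity check, not a proof; the Isabelle checker on the slides
    discharges the same obligations for all t."""
    for alpha, beta, d, out in trace:
        if any(beta(t + d) < alpha(t) for t in grid):
            return False
        if any(out(t) < alpha(t + d) for t in grid):
            return False
    return True

def tamper(trace):
    """Simulate a buggy analyzer that under-reports the first hop's delay by 1 µs."""
    alpha, beta, d, out = trace[0]
    return [(alpha, beta, d - 1, out)] + trace[1:]

def slide_example():
    """The slide's chain: MFS = 8000 bits, T = 20 ms, so r = MFS/T = 2/5 bit/µs and b = MFS;
    switch 1 serves at 10 MBit/s with θ1 = 1 µs, switch 2 at 5 MBit/s with θ2 = 20 µs."""
    alpha = Gamma(Fr(8000, 20000), 8000)
    return analyze(alpha, [Beta(10, 1), Beta(5, 20)])

if __name__ == "__main__":
    trace, total = slide_example()
    for i, (_, _, d, out) in enumerate(trace, 1):
        print(f"delay at switch {i}: {d} µs; output arrival curve γ_({out.r}, {out.b})")
    print("overall delay:", total, "µs")                  # 62127/25 µs
    print("trace accepted:", check_trace(trace))
    print("tampered trace accepted:", check_trace(tamper(trace)))
```

Running the block reproduces the slide's 801 µs, γ_{2/5, 41602/5}, 42102/25 µs and 62127/25 µs exactly because all arithmetic is done in rationals, and the checker accepts the trace. The tampered trace, whose first-hop delay is 800 µs instead of 801 µs, is rejected at the first sample point, since β(t + 800) already falls below α(t) there; this is the division of trust the "Result Certification" slides describe: the analyzer may be arbitrarily complex, and only the checker and the curve definitions it relies on need to be right.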

Conclusions So Far

Elementary prototype
◮ developed in 8 months (Java analyzer + Isabelle checker)
◮ restricted to simple classes of functions

Run on “industrial” configuration (8 switches, 5000 flows)
◮ overly pessimistic results (2 times larger bounds)
◮ checking time: 8h ⇒ bottleneck: real-number computations

Result certification
◮ decouple computation and checking of correctness
◮ preserve IP of tool vendors vs. open-source, shared checkers
◮ should simplify certification (CC, DO-178C)

Future work
◮ support for more interesting classes of functions
◮ complete formal proofs of Network Calculus theorems
◮ integrate into state-of-the-art tool