SLIDE 1

Verified Runtime Validation of Verified Cyber-Physical System Models

Stefan Mitsch, André Platzer

Computer Science Department, Carnegie Mellon University

CPS V&V I&F Workshop, Dec. 12, 2014. For details, see the ModelPlex paper at RV'14.

Stefan Mitsch, André Platzer—Verified Runtime Validation of Verified Cyber-Physical System Models 1 of 9

SLIDE 2

Formal Verification in CPS Development

Figure: Real CPS → (Proof, Reachability Analysis, …) → Verification Results: safe

SLIDE 3

Formal Verification in CPS Development

Figure: Real CPS —abstract→ Model α* consisting of Control αctrl (v := v + 1) and Plant αplant (x′ = v) in a sense/act loop → (Proof, Reachability Analysis, …) → Verification Results: safe (model), safe (real CPS)

SLIDE 4

Formal Verification in CPS Development

Figure: Real CPS —abstract→ Model α* consisting of Control αctrl (v := v + 1) and Plant αplant (x′ = v) in a sense/act loop → (Proof, Reachability Analysis, …) → Verification Results: safe (model), safe (real CPS)

Challenge: verification results about models only apply if the CPS fits the model.

Verifiably correct runtime model validation

SLIDE 5

Runtime Model Validation

Ensures that verification results about models apply to CPS implementations.

Figure: cycles i−1, i, i+1 of Model α (ctrl; plant; …), with the questions asked at each cycle: model adequate? (turn) control safe? until next cycle? (predict)

SLIDE 6

Runtime Model Validation

Ensures that verification results about models apply to CPS implementations.

Figure: cycles i−1, i, i+1 of Model α (ctrl; plant; …), with the questions asked at each cycle: model adequate? (turn) control safe? until next cycle? (predict)

Insights
• Verification results transfer to the CPS when model compliance is validated
• Compliance with the model is characterizable in logic
• The compliance formula is transformed by proof into an executable monitor

SLIDE 7

Model Validation at Runtime

Figure: Sensors → Controller → Actuators (“Simplex for Models”)

SLIDE 8

Model Validation at Runtime

Figure: ModelPlex: Sensors → Controller → Compliance Monitor → Actuators, with a Fallback next to the Compliance Monitor (“Simplex for Models”)

Compliance Monitor: checks the CPS for compliance with the model at runtime.
Fallback: safe action, executed when the monitor is not satisfied.

Challenge: what conditions do the monitors need to check to be safe?

SLIDE 9

Model Validation at Runtime

Figure: ModelPlex: Sensors → Controller → Compliance Monitor → Actuators, with a Fallback next to the Compliance Monitor (“Simplex for Models”)

Challenge: Monitorability
• Our current monitors compare two consecutive states (but: which conditions can we actually observe?)
• Monitoring a history of states becomes necessary when temporal operators are used in the safety condition

SLIDE 10

Model Validation at Runtime

Figure: ModelPlex: Sensors → Controller → Compliance Monitor → Actuators, with a Fallback next to the Compliance Monitor (“Simplex for Models”)

Challenge: Monitor assumptions (if not modeled otherwise)
• Intercepts all communication: sensors - controller - actuators
• Untampered values; time-consistent and unit-consistent values
• No execution overhead, no clock drift
• No communication delays (sensor - controller - monitor - actuator)

SLIDE 11

Model Validation at Runtime

Figure: ModelPlex: Sensors → Controller → Compliance Monitor → Actuators, with a Fallback next to the Compliance Monitor (“Simplex for Models”)

Challenge: Fallback and Enforceability
• Cannot just disallow unsafe actions; a (redundant) fallback is needed
• Which properties are enforceable with a specific fallback action?
• What is an appropriate fallback to enforce a specific property?
• Enforceability of temporal properties is tricky

SLIDE 12

Model Validation at Runtime

Figure: ModelPlex: Sensors → Controller → Compliance Monitor → Actuators, with a Fallback next to the Compliance Monitor (“Simplex for Models”)

Challenge: Fallback assumptions (if not modeled otherwise)
• Executable unconditionally
• Immediate reaction

SLIDE 13

Model Validation at Runtime

Figure: ModelPlex: Sensors → Controller → Compliance Monitor → Actuators, with a Fallback next to the Compliance Monitor (“Simplex for Models”)

Challenge: Platform assumptions
• Reals vs. floats (currently: interval arithmetic)
• Correct compiler and processor

SLIDE 14

Monitor Characterization

When are two states linked through a run of model α?

Figure: state i−1 → Model α → state i (⊆)

SLIDE 15

Monitor Characterization

When are two states linked through a run of model α?

Figure: a prior state (cycle i−1) characterized by x−, a posterior state (cycle i) characterized by x+, linked by Model α (⊆)

Semantical: (x−, x+) ∈ ρ(α), the reachability relation of α

SLIDE 16

Monitor Characterization

When are two states linked through a run of model α?

Figure: a prior state (cycle i−1) characterized by x−, a posterior state (cycle i) characterized by x+, linked by Model α (⊆)

Semantical (offline): (x−, x+) ∈ ρ(α), the reachability relation of α
Logic (dL), as a theorem: (x = x−) → ⟨α⟩(x = x+), i.e. starting at x = x− there exists a run of α to a state where x = x+

SLIDE 17

Monitor Characterization

When are two states linked through a run of model α?

Figure: a prior state (cycle i−1) characterized by x−, a posterior state (cycle i) characterized by x+, linked by Model α (⊆)

Semantical (offline): (x−, x+) ∈ ρ(α), the reachability relation of α
Logic (dL), as a theorem: (x = x−) → ⟨α⟩(x = x+), i.e. starting at x = x− there exists a run of α to a state where x = x+
⇑ (dL proof)
Real arithmetic: F(x−, x+), checked at runtime (efficient)

SLIDE 18

Monitor Characterization

When are two states linked through a run of model α?

Figure: a prior state (cycle i−1) characterized by x−, a posterior state (cycle i) characterized by x+, linked by Model α (⊆)

Semantical (offline): (x−, x+) ∈ ρ(α), the reachability relation of α
Logic (dL), as a theorem: (x = x−) → ⟨α⟩(x = x+), i.e. starting at x = x− there exists a run of α to a state where x = x+
⇑ (dL proof)
Real arithmetic: F(x−, x+), checked at runtime (efficient)
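The following is an added example, not code from the slides or from the ModelPlex project. It writes out F(x−, x+) by hand for the toy model of slide 3, α = (v := v + 1 ; x′ = v), as a monitor over two consecutive observed states, and wires it to a fallback in the Simplex-for-Models arrangement of slide 8. Assumptions not on the slides: the model carries a clock t (t′ = 1 in the plant) so the plant duration t+ − t− is observable; the fallback action is "stop" (v := 0); and the reals-vs-floats gap of slide 13 is bridged here with a plain tolerance EPS rather than interval arithmetic.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class State:
    """One observed CPS state.  Assumption: besides x and v the model carries a clock t
    (t' = 1 in the plant), so the plant's duration t+ - t- is observable."""
    x: float  # position
    v: float  # velocity
    t: float  # clock


# Tolerance standing in for the interval arithmetic the slides mention for reals vs. floats
# (assumed value, not from the slides).
EPS = 1e-6


def approx_eq(a: float, b: float, eps: float = EPS) -> bool:
    """Equality of reals, evaluated on floats with a relative/absolute tolerance."""
    return abs(a - b) <= eps * max(1.0, abs(a), abs(b))


def compliance_conditions(prior: State, post: State) -> Dict[str, bool]:
    """F(x-, x+): the real-arithmetic conditions under which (x-, x+) lies in the
    reachability relation of alpha = (v := v + 1 ; x' = v).  Each condition is keyed by
    the model statement it stems from, so a violation can be traced back to the model."""
    dt = post.t - prior.t
    return {
        "ctrl v := v + 1": approx_eq(post.v, prior.v + 1.0),
        "plant duration t+ >= t-": dt >= -EPS,
        # x' = v with v constant during the plant has the polynomial solution x+ = x- + v+ * dt
        "plant x' = v: x+ = x- + v+ * (t+ - t-)": approx_eq(post.x, prior.x + post.v * dt),
    }


def monitor(prior: State, post: State) -> Tuple[bool, List[str]]:
    """Compliance monitor over two consecutive states: satisfied iff every condition holds.
    Returns the verdict and the list of violated subconditions."""
    conds = compliance_conditions(prior, post)
    violated = [name for name, ok in conds.items() if not ok]
    return (not violated), violated


def fallback(observed: State) -> State:
    """Assumed fallback action (not specified on the slides): stop, i.e. v := 0."""
    return State(x=observed.x, v=0.0, t=observed.t)


def run_cycle(prior: State, observed: State) -> Tuple[str, State, List[str]]:
    """Simplex-for-models switching: pass the observed state on to the actuators when the
    monitor is satisfied, otherwise execute the fallback."""
    ok, violated = monitor(prior, observed)
    if ok:
        return "actuate", observed, violated
    return "fallback", fallback(observed), violated


if __name__ == "__main__":
    prior = State(x=0.0, v=1.0, t=0.0)                   # constructed sample states
    print(run_cycle(prior, State(x=2.0, v=2.0, t=1.0)))  # compliant with the model
    print(run_cycle(prior, State(x=2.5, v=2.0, t=1.0)))  # plant deviated: fallback
```

The dictionary keys are the model statements, so a violated subcondition already names the statement it comes from; with the fallback assumed unconditionally executable (slide 12), the switch needs no further state.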

SLIDE 19

Challenges

What is missing to ensure that proofs apply to real CPS?
• Monitorability, fallback and enforceability, implementation
• Synthesis
• Model quality, model adaptation

Figure: cycles i−1, i, i+1 of Model α (ctrl; plant; …) with three monitors: Model Monitor (model adequate?), Controller Monitor (control safe?), Prediction Monitor (until next cycle?)

SLIDE 20

Synthesis Challenges

The proof calculus of dL executes models symbolically.

Figure: prior state x− (cycle i−1), posterior state x+ (cycle i), Model α

Proof attempt: (x = x−) → ⟨α⟩(x = x+)

SLIDE 21

Synthesis Challenges

The proof calculus of dL executes models symbolically.

Figure: prior state x− (cycle i−1), posterior state x+ (cycle i), Model α = climb ∪ descend

Proof attempt: (x = x−) → ⟨climb ∪ descend⟩(x = x+)

Rule ⟨∪⟩ for nondeterministic choice: from ⟨climb⟩φ ∨ ⟨descend⟩φ conclude ⟨climb ∪ descend⟩φ

SLIDE 22

Synthesis Challenges

The proof calculus of dL executes models symbolically.

Figure: prior state x− (cycle i−1), posterior state x+ (cycle i), Model α = climb ∪ descend

Proof attempt: (x = x−) → ⟨climb ∪ descend⟩(x = x+), which splits into ⟨climb⟩(x = x+) ∨ ⟨descend⟩(x = x+)

SLIDE 23

Synthesis Challenges

The proof calculus of dL executes models symbolically.

Figure: prior state x− (cycle i−1), posterior state x+ (cycle i), Model α = climb ∪ descend

Proof attempt: (x = x−) → ⟨climb ∪ descend⟩(x = x+), which splits into ⟨climb⟩(x = x+) ∨ ⟨descend⟩(x = x+); the branches yield the real-arithmetic conditions F1(x−, x+) and F2(x−, x+)

SLIDE 24

Synthesis Challenges

The proof calculus of dL executes models symbolically.

Figure: prior state x− (cycle i−1), posterior state x+ (cycle i), Model α = climb ∪ descend

Proof attempt: (x = x−) → ⟨climb ∪ descend⟩(x = x+), which splits into ⟨climb⟩(x = x+) ∨ ⟨descend⟩(x = x+); the branches yield the real-arithmetic conditions F1(x−, x+) and F2(x−, x+)

Monitor: F1(x−, x+) ∨ F2(x−, x+). The subgoals that cannot be proved express all the conditions on the relations of variables imposed by the model; they are executed at runtime.

SLIDE 25

Synthesis Challenges

The proof calculus of dL executes models symbolically.

Figure: prior state x− (cycle i−1), posterior state x+ (cycle i), Model α = climb ∪ descend

Proof attempt: (x = x−) → ⟨climb ∪ descend⟩(x = x+), which splits into ⟨climb⟩(x = x+) ∨ ⟨descend⟩(x = x+); the branches yield the real-arithmetic conditions F1(x−, x+) and F2(x−, x+)

Monitor: F1(x−, x+) ∨ F2(x−, x+). The subgoals that cannot be proved express all the conditions on the relations of variables imposed by the model; they are executed at runtime.

Challenges
• Nested loops
• Differential equations without polynomial solutions: requires cutting in differential (in)variants, and one needs to make sure that what is cut in is related to the model
• Proof tactics for full automation

SLIDE 26

Model Quality and Adaptation Challenges

Useful features

Analyze and improve model quality
• Unsatisfiable monitor ⇒ model has no runs
• Find the largest satisfiable condition (but: what are core features?)

Analyze (near) monitor violations
• In system conditions: bug reports to fix an incorrect implementation
• In environment conditions: counterexamples to adapt an inadequate model

For this, we need to
• Collect violated subconditions
• Trace (violated) monitor conditions to model statements
• Distinguish between system and environment in the model
• Measure the “degree” of monitor satisfaction/violation
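The following is an added example, not code from the slides or from ModelPlex, and it is not the dL proof calculus: it mimics the synthesis of slides 20 to 25 by symbolic execution of a small, hypothetical hybrid-program syntax (assignment, test, nondeterministic choice, sequence, and a plant given by its explicit solution, the polynomial case only). Every path through the model becomes one disjunct F_i(x−, x+), the choice climb ∪ descend becomes F1 ∨ F2 exactly as the ⟨∪⟩ step on slide 21 splits the proof, and the runtime check reports the violated subconditions of each disjunct traced to the model statement that produced them, which is the bookkeeping slide 26 asks for. The climb/descend dynamics, the clock t, and the tolerance EPS are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Env = Dict[str, float]            # concrete valuation of the model variables
EPS = 1e-9                        # float tolerance (assumed; slides: reals vs. floats)


# Hypothetical mini hybrid-program syntax (assumed here; not dL itself).
@dataclass
class Assign:
    var: str
    expr: Callable[[Env], float]
    label: str                    # model statement text, kept for tracing violations


@dataclass
class Test:
    cond: Callable[[Env], bool]
    label: str


@dataclass
class Choice:
    left: object
    right: object


@dataclass
class Seq:
    first: object
    second: object


@dataclass
class Plant:
    # Explicit ODE solution per variable as a function of the pre-plant state and the
    # duration; only ODEs with such (polynomial) solutions are handled here.
    solution: Dict[str, Callable[[Env, float], float]]
    label: str


SymVal = Callable[[Env, Env], float]          # value of a variable on a path, as fn of (x-, x+)
Cond = Tuple[str, Callable[[Env, Env], bool]]
Path = Tuple[Dict[str, SymVal], List[Cond]]


def concrete(sym: Dict[str, SymVal], pre: Env, post: Env) -> Env:
    return {k: f(pre, post) for k, f in sym.items()}


def execute(prog, paths: List[Path]) -> List[Path]:
    """Symbolic execution: a choice forks the path set, a test adds a path condition,
    assignments and plants update the symbolic state in terms of x- and x+."""
    if isinstance(prog, Seq):
        return execute(prog.second, execute(prog.first, paths))
    if isinstance(prog, Choice):                          # <a ∪ b>φ  ≡  <a>φ ∨ <b>φ
        return execute(prog.left, paths) + execute(prog.right, paths)
    out: List[Path] = []
    for sym, conds in paths:
        if isinstance(prog, Test):
            out.append((sym, conds + [(prog.label,
                        lambda pre, post, c=prog.cond, s=sym: c(concrete(s, pre, post)))]))
        elif isinstance(prog, Assign):
            new = dict(sym)
            new[prog.var] = lambda pre, post, e=prog.expr, s=sym: e(concrete(s, pre, post))
            out.append((new, conds))
        elif isinstance(prog, Plant):
            new = dict(sym)
            for var, sol in prog.solution.items():        # duration read off the clock t
                new[var] = (lambda pre, post, f=sol, s=sym:
                            f(concrete(s, pre, post), post["t"] - pre["t"]))
            out.append((new, conds + [(prog.label + " (duration t+ >= t-)",
                                       lambda pre, post: post["t"] >= pre["t"])]))
        else:
            raise TypeError(f"unknown statement {prog!r}")
    return out


def synthesize(model, variables: List[str]) -> List[Tuple[str, List[Cond]]]:
    """Monitor F1 ∨ F2 ∨ ...: one disjunct per path, each the conjunction of the path's
    tests and the equations 'x+ = value of x at the end of the path'."""
    start = {v: (lambda pre, post, v=v: pre[v]) for v in variables}
    monitor = []
    for i, (sym, conds) in enumerate(execute(model, [(start, [])]), start=1):
        eqs = [(f"{v}+ = {v} after path {i}",
                lambda pre, post, v=v, f=f: abs(post[v] - f(pre, post)) <= EPS)
               for v, f in sym.items()]
        monitor.append((f"F{i}", conds + eqs))
    return monitor


def check(monitor, pre: Env, post: Env) -> Tuple[bool, Dict[str, List[str]]]:
    """Runtime check: satisfied iff some disjunct holds.  Reports, for every disjunct,
    the violated subconditions traced to the model statements that produced them."""
    report = {name: [label for label, c in conds if not c(pre, post)] for name, conds in monitor}
    return any(not failed for failed in report.values()), report


# Constructed example model (hypothetical dynamics, not from the slides):
# (climb ∪ descend) ; plant   with climb = ?h <= 10; v := 1 and descend = ?h >= 0; v := -1
CLIMB = Seq(Test(lambda s: s["h"] <= 10, "?h <= 10"), Assign("v", lambda s: 1.0, "v := 1"))
DESCEND = Seq(Test(lambda s: s["h"] >= 0, "?h >= 0"), Assign("v", lambda s: -1.0, "v := -1"))
PLANT = Plant({"h": lambda s, dt: s["h"] + s["v"] * dt, "t": lambda s, dt: s["t"] + dt},
              "h' = v, t' = 1")
MODEL = Seq(Choice(CLIMB, DESCEND), PLANT)
MONITOR = synthesize(MODEL, ["h", "v", "t"])   # two disjuncts: F1 (climb), F2 (descend)

if __name__ == "__main__":
    pre = {"h": 5.0, "v": 0.0, "t": 0.0}
    print(check(MONITOR, pre, {"h": 6.0, "v": 1.0, "t": 1.0}))   # climb path: satisfied
    print(check(MONITOR, pre, {"h": 6.0, "v": 2.0, "t": 1.0}))   # neither path: violated
```

Because every disjunct is evaluated, the report for a violated cycle shows which statement each path disagrees with (for the second sample above, F1 disagrees only on v := 1, F2 on both the assignment and the plant), which is the raw material for deciding whether the violation points at the system (controller chose a v the model never assigns) or the environment (the plant did not evolve as h′ = v predicts).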

SLIDE 27

Figure: Proof, Model, safe!, safe!

Stefan Mitsch, smitsch@cs.cmu.edu, www.cs.cmu.edu/~smitsch
