1 / 46

Automatic Non-interference Lemmas for Parameterized Model Checking

Automatic Non-interference Lemmas for Parameterized Model Checking. Jesse Bingham, Intel DEG FMCAD 2008. Classic CMP Approach. CMP approach [McMillan 99/01, Chou et al. 04, Krstic 05, Lv et al 07, Li 07, Talupur & Tuttle 08] human writes non-interference lemmas from counterexamples

alexander-boyd
Download Presentation

Automatic Non-interference Lemmas for Parameterized Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automatic Non-interference Lemmas for Parameterized Model Checking Jesse Bingham, Intel DEG FMCAD 2008

  2. Classic CMP Approach • CMP approach [McMillan 99/01, Chou et al. 04, Krstic 05, Lv et al 07, Li 07, Talupur & Tuttle 08] • human writes non-interference lemmas from counterexamples • system is iteratively strengthened with lemmas until all lemmas and property hold

  3. Umm, me no think possible in real system Human writes “non-interference lemma”: CMP requires human to write lemmas

  4. What we do • our approach removes lemma-writing burden of human’s shoulders • start with “non-interference conjecture”False • abstract strengthened system • compute abstract reachability fixpoint • iterate, with concretized fixpoint as new conjecture • our contributions • general theory based on abstract interpretation • instantiation of theory for class of parameterized protocols using BDDs & prototype tool

  5. Roadmap • General Theory • Symmetric Parameterized Protocols • Case Studies/Final Thoughts

  6. Theory • concrete transition system (C,I,T) • C is the set of (concrete) states • I  C are the initial states • T  CC is the transition relation • Reach(C,I,T) denotes set of reachable states • p  C is called an invariant if Reach(C,I,T) p • for   Cdefinepost[T]() = {y | x.(x,y)  T and x   }

  7. Strengthening For   C, the strengthening of (C,I,T) by , is the transition system (C, I, T(  C)). We denote the strengthening byT # . Strengthen with  = blue states Theorem.  is an invariant of (C,I,T) if and only if  is an invariant of T # .

  8. Abstraction • finite abstract domain A along with partial order ⊑ , forming a lattice(A,⊑) • Think of ⊑ as subset ordering on represented sets • galois connection(,) defines association between concrete states and abstract domain •  : 2C  A •  : A  2C •  and  are order preserving • other technical properties

  9.  : Makes Abstract Posts for Strengthened Concrete Systems (1/2) set of concrete states () : A  A  Abstract post (a.k.a abstract interpretation) of post[T # ]

  10.  : Makes Abstract Posts for Strengthened Concrete Systems (2/2) ()(a) Abstract Domain A ⊑ a (post[T#]((a)) “best” post relative to (,) Concrete States C post[T#]((a)) (a)   C

  11. Reach((Init),(k)) = Reach((Init),(k-1)) (k) ⊑ Reach((Init),(1)) (property) Reach((Init),(0)) … 1 2 k The Method Abstract Domain A … Concrete States C 0= False

  12. Roadmap • General Theory • Parameterized Protocols • Case Studies/Final Thoughts

  13. State variable types • let Piddenote the process IDs • four types of variables • Bool e.g. global FSM state • Pid  Bool e.g. process FSM state, control arrays indexed by Pid • Pid e.g. global process pointer • Pid  Pid e.g. pre-process process pointer

  14. Transition relation syntax • atoms • w (w : Bool ) • x[p](x : Pid  Bool and quantifed var p ) • y=p (y : Pid and quantifed var p ) • z[p]=q (z : Pid  Pid and quant vars p & q) • plus any of the above with priming • transition formula syntax:where 0 and 1 are (restricted) boolean combinations of atoms

  15. Protocol Abstraction • abstract domain is symmetric sets of views • galois connection is straightfoward • similar to [Lahiri & Bryant 04]’s for universally quantified predicate abstraction • thanks to a small model theorem & symmetry, we can compute a best  using BDDs

  16. Views [Chou et al 04] • a view only includes info regarding a small number mof processes; Pid vars take values from {0,…,m-1,other} Pid  Bool Pid Bool 0 1 2 3 1 Concrete state 1 View (m=2) Pid  Bool Pid Bool 0 1 2 3 Concrete state 3 other View (m=2)

  17. if and only if 0 1 2 3 m+L+1(fixed & small!) 4 … 1 Small Model Theorem Pid  Bool Pid Bool 0 1 2 3 n (arbitrarily big) 4 … 1 … 0  -abstract away this state in BDD … 0

  18. Putting It All Together i (set of views as BDD) i+1= Reach((Init),(i)) (i) -quantify away all but first m processes Compute BDD for T  (i) of sizem+L+1 Computed using BDD techniques of [Pnueli et al 01]

  19. Non-best  • small model theorem allows for best  • can cause BDD blow-up • two orthogonal techniques allow for non-best , which typically yields smaller BDDs • strengthen with subset of variables • also reduces small model theorem bound by 1 • only strengthen “guarded commands” that depend on abstracted state in the guards, or even fewer

  20. Roadmap • General Theory • Symmetric Parameterized Protocols • Case Studies/Final Thoughts

  21. Prototype Tool • built prototype tool using Intel’s forte formal verification system [Seger et al 05] • protocols modeled in forte’s language reFLect • user specifies “ingredients” • number of concrete processes m=2 • variables to constraint during strengthening • transitions to strengthen • dynamic BDD var ordering useful [Rudell 93]

  22. Case Studies (1/3) • GERMAN [German 00] • “hello world” for parameterized verification • just one Pid var; no Pid Pid vars • control & data properties verified totally automatically with “best”  • GERMAN2004 • more complex than GERMAN • has Pid Pid vars (network) • previously verified by [Lv et al 07], who needed human to add history vars • we verified the control property with non-best 

  23. Case Studies (2/3) • FLASH [Kuskin et al 94] • “…if [a parameterized verification method] works on FLASH, then there is a good chance that it will also work on many real-world cache coherence protocols.” [Chou et al 04] • first automatically verified by [Lv et al 07] • we verified the control property using non-best 

  24. Case Studies (3/3) outter loop iterations abstract reach iterations

  25. Final Thoughts • presented a method that automatically computers non-interference lemmas • general theory • applied to symmetric protocols • related to Invisible Invariants [Pnueli et al 01] • BDDs aren’t necessarily bad for protocols • especially parameterized model checking • original work [McMillan 99/01] used SMV/BDDs • automation: intellectually pleasing…but probably won’t scale

  26. Foil graveyard…

  27. Want to prove invariance of something like: Motivating Example …

  28. Abstracts behavior of processes {2,…,n} for arbitrary n Model Check: Abstract Process other

  29. Umm, me no think possible in real system Human writes “non-interference lemma”: Counterexample Analysis

  30. Guard Strengthening Strengthen with: Model Check:

  31. () ()  Order Preservation of Abstraction Abstract Domain A ⊑ Concrete States C 

  32. a ⊑ a Order Preservation of Concretization Abstract Domain A Concrete States C  (a) (a)

  33. Proving Invariants with  & (a different view from in the paper & talk) Abstracts Reach(I,T#i) Abstract Domain A Reach((Init),(i)) (i) Abstracts T#i (Reach((Init),(i))) = i+1 Concrete States C i Theorem.i+1  iimplies i is a (concrete) invariant

  34. Abstracts T#i Abstracts i (i) (i) Abstracts Reach(I,T#i) Proving Invariants with  &  Abstract Domain A ⊑ Reach((Init),(i)) Concrete States C i Theorem. Reach((Init),(i)) ⊑ (i) implies iis an invariant

  35. Weakening with  &  Abstracts Reach(I,T#i) Abstract Domain A Reach((Init),(i)) (i) Abstracts T#i (Reach((Init),(i))) = i+1 Concrete States C i

  36. Abstract Post ap() ap(a) Abstract Domain A ⊑ a (post((a))) Concrete States C post((a)) (a)

  37.  : Makes Abstract Posts for Strengthened Concrete Systems Abstract Domain A Abstract post image ofT# () : A  A Concrete States C 

  38. | The Method (1/3) Abstracts T#i Abstract Domain A (i) Reach((Init),(i)) (i) Abstracts Reach(I,T#i) Concrete States C i (Reach((Init),(i))) = i+1

  39. The Method • start with 0 = False; iteratively compute 1, 2, 3,… until a provable invariant  is found • this  is the strongest provable invariant • provable is relative to  and  • if we use  that is “best” then  is the strongest invariant provable using 

  40. Protocol Abstraction • abstract domain is symmetric sets of views • galois connection is conceptually straightforward; similar to [Lahiri & Bryant 04] • () = {View(s) | s and  is a view map} • thanks to a small model theorem & symmetry, we can compute a best …

  41. Small Model “cut-off” can be done away With in certain circumstances number of concrete processes in view m+ L + 1 number of existentially quantified vars in protocol transition relation

  42. Views abstract domain is sets of views [Chou et al 04], which are assignments to protocol vars with different typing m a small constant (typically 2) Pidm= {0,…,m-1} Pidother = Pidm {other}

  43. other 0 1 1 other 0 other Abstraction Pid  Bool Pid Bool 0 1 2 3 2 Concrete state s (with n=4) Set of views (s)

  44. Views (2/2) Replace this slide!!! State of the form array[other] is abstracted away Pid vars have type {0,1,other} m = 2 “concrete” processes

  45. Small Model Theorem arbitrarily large n view (m = 2) … above can do any “view transition” iff below can hence we  -abstract these processes away … m+ L + 1

  46. TODO…

More Related