1 / 21

Deep Random Search for Efficient Model Checking of Timed Automata

This research focuses on developing a deep random search algorithm for efficient model checking of timed automata. The algorithm aims to provide high-confidence verification of critical infrastructure systems, which are concurrent, distributed, and written in C programming language. It addresses the challenges of developing and maintaining complex systems, improving performance, and protecting against cyber-attacks.

ariell
Download Presentation

Deep Random Search for Efficient Model Checking of Timed Automata

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Deep Random Search for Efficient Model Checking of Timed Automata Radu Grosu Stony Brook University Joint work with: X. Huang, S.A. Smolka, W. Tan and S. Tripakis

  2. Embedded Software Systems • Difficult to develop & maintain: • Concurrent and distributed (OS, ES, middleware), • Complicated by DS improving performance (locks, RC,...), • Mostlywritten inC programming language. • Have to be high-confidence: • Provide thecritical infrastructure for all applications, • Failuresare verycostly (business, reputation), • Have toprotect againstcyber-attacks.

  3. What is High-Confidence? Ability to guarantee that ? system-software Ssatisfies temporal property φ

  4. Temporal Properties • Safety (something bad never happens): • Airborne planes are at least 1 mile apart • Nuclear reactor core never overheats • Gamma knife never exceeds prescribed dose • Liveness (something good eventually happens): • Core eventually reaches nominal temperature • Dishwasher tank is eventually full • Airbag inflates within 5ms of collision

  5. Automata-Theoretic Approach to SP • Every safety formula can be translated to a finite automaton A¬ such that L(¬) = L(A¬). • State transition graph of S can also be viewed as a finite automaton AS(with all states accepting). • Satisfaction is reduced to language emptiness: S ⊨ ≅ L(AS)  L(A )≅L(ASA) =  • Language emptiness is reducedto reachability: is an accepting state reachable from an initial state?

  6. Checking Non-Emptiness: DFS Computation Tree (CT) of B recurrence diameter State explosion Explore and allreachable states in the CT Save all states time efficient Save current path memory efficient

  7. Checking Non-Emptiness: BFS Computation Tree (CT) of B recurrence diameter State explosion Explore and allreachable states in the CT Save all states: time efficient

  8. Randomized Algorithms Huge impacton CS: (distributed) algorithms, complexity theory, cryptography, etc. Takes of next step algorithm may depend on random choice(coin flip). Benefitsof randomization include simplicity,efficiency, and symmetry breaking.

  9. Randomized Algorithms • Monte Carlo: may produce incorrect result but with bounded error probability. • Example: Election’s result prediction • Las Vegas: always gives correct result but running time is a random variable. • Example: Randomized Quick Sort

  10. Monte Carlo Approach [TACAS’05] Computation tree (CT) of B recurrence diameter … deep error states??? flip a k-sided coin Explore N(,) independent lassos in the CT Error margin andconfidence ratio 

  11. DRS Las Vegas Approach • takeone (several) DRP from the root • while (open nodes o are in the fringe) • take a DRP from o • if (accepting) return path • return null • Adeep random path(DRP) is finished at node o if: • the maximum depth is reached at o • no unvisited node is a successor of o

  12. a: x = 7 / y := 0 q0 q1 x ≤ 7 b: x ≤ 3 / x := 0 Timed Automata • Finite set of clocks • Finite set of discrete states (modes) • Finite set of accepting states (accepting modes) • Finite set of edges • Guard: convex clock polyhedron • Reset: set of clocks to be reset • State invariant (convex clock polyhedron)

  13. TA and Clock Regions Reduction y r28 a: x≤1; x:=0 c: x≤2 1 q2 q0 q1 r16 b: y≤1 y≤1 x≤2 r1 1 2 x • The number of clock regions is exponential in: • the number of clocks • the largest clock-upper-bound constant

  14. TA and their Simulation Graph (q0, x ≤ 7  x = y) a a: x = 7 / y := 0 q0 q1 (q1, x ≥ 7  x = y + 7) b: x ≤ 3 / x := 0 x ≤ 7 b a (q0, x ≤ 7  x ≤ y ≤ x + 3)

  15. Experiments • DRS implementation: • Extension to Open-Kronos MC for TA • Open-Kronos: • Input:a system of TA and a bool exp (accepting states) • Translation: to a C-program compiled & linked to Profounder • Profounder: on-the-fly gen. of SG and DFS reachability anal. • Testbed: • PC equipped with Athlon 2.6GHz • 1Gbyte RAM • Linux 2.6.5 (Fedora Core)

  16. MutExcl: Buggy Fischer Protocol

  17. MutExcl: Correct Fischer Protocol

  18. Philips Audio Protocol

  19. B&O Audio/Video Protocol

  20. Related Work • Random walk testing: • Heimdahl et al: Lurch debugger. • P. Haslum: Monte Carlo MC by random walk. • Random walks to sample system state space: • Mihail & Papadimitriou (and others) • Monte Carlo Model Checking of Markov Chains: • Herault et al: LTL-RP, bonded MC, zero/one ET • Younes et al: Time-Bounded CSL, sequential analysis • Sen et al: Time-Bounded CSL, zero/one ET • Probabilistic Model Checking of Markov Chains: • ETMCC, PRISM, PIOAtool, and others. • Sat Solvers:randomization is not the main concern

  21. Conclusions • DRS is a complete randomized, MC algorithm for the classical problem of model checking safety properties. • DRS allows to fine tune theinitial numberof random paths from the root and the maximum search depth. • DRS is able to find extremely deep counterexamples while consistently outperformingKronosandUPPAALin the process. • DRS is best suited to find counterexamples and not to prove their absence.

More Related