
Toward Unbounded Model Checking for Region Automata



  1. Toward Unbounded Model Checking for Region Automata Fang Yu, Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan

  2. Introduction
  • Symbolic model checking with Binary Decision Diagrams (BDDs)
  • [Figure: a system and its specification are fed to a BDD-based model checker; application areas include sequential circuits, protocols, …]
  • BDDs may grow exponentially

  3. SAT-based Model Checking
  • Bounded Model Checking, Biere et al. [BCCFZ99]: Boolean formula satisfiability; n steps:
  • Pros: powerful SAT solvers developed; many heuristic approaches; capable of hundreds of thousands of variables and millions of clauses
  • A powerful support for verifying large systems!

  4. Motivation
  • SAT-based model checking from discrete systems to real-time systems
  • Challenges
  • From infinite to boolean: region graph [YWH04]; a simple and precise transition relation makes BMC efficient; a large reachability diameter makes a correctness guarantee infeasible
  • From bounded to unbounded: induction, Sheeran et al. (2000); discrete systems: xBMC

  5. Real-Time System
  • Discrete variables plus dense-time clocks
  • Real domain
  • A uniform rate of increase
  • Reset
  • [Figure: clocks X and Y increasing over time 0, 1, 2, … with resets]

  6. Timed Automata
  • Alur et al. (1990)
  • Timed Automata <D, X, A, E, I>:
  • D: a set of discrete variables
  • X: a set of clocks
  • A: a set of actions; each action is a series of discrete variable assignments
  • E: a set of edges; each edge is associated with a guard condition, an action and a set of reset clocks
  • I: an initial condition

  7. Timed Automata
  • State: a discrete interpretation and a clock interpretation
  • Transition: time elapse (by a positive real) or edge fire

  8. Region Automata
  • Alur et al. (1990)
  • Equivalence class [ν]: the same integral part, the same fractional ordering
  • Region graph: state, transition
  • [Figure: regions in the x-y plane]

  9. Region Encoding
  • Each clock X is encoded by an index Xd in 0..Mx: Xd is even → a point [k,k]; Xd is odd → an open interval (k,k+1); Xd is Mx → X > Cx
  • Example with Cx = 3 (Mx = 7): [0,0], (0,1), [1,1], (1,2), [2,2], (2,3), [3,3], (3,∞] are encoded as 0, 1, 2, 3, 4, 5, 6, 7 respectively
  • Each odd pair → a fraction relation (e.g. Xf>Yf, Xf>Zf, Yf>Zf)
  • Example region: Xd=3, Yd=5, Zd=4, Xf<Yf

  10. Successor Relation Encoding
  • Two-clock system, by case on the current region:
    Xd is even, Yd is even: Xd’=Xd++, Yd’=Yd++, Xf’=Yf’
    Xd is even, Yd is odd or My: Xd’=Xd+1, Yd’=Yd, Xf’<Yf’
    Xd is odd, Yd is odd, and Xf<Yf: Xd’=Xd, Yd’=Yd++
  • Multi-clock system: pair conjunction and stuttering condition [YWH2004]
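The region encoding of slides 9 and 10, as an added worked example (this is not code from the slides or from xBMC). It assumes Mx = 2·Cx + 1, which is what the slide's Cx = 3, Mx = 7 example implies, and it generalises the two-clock successor cases of slide 10 to any number of clocks by keeping an explicit ordering of fractional parts; the names region_of, time_successor and interval_of are my own.

```python
"""Region encoding of dense-time clocks and its time-elapse successor."""
import math

# A region is (d, rank): d maps clock -> Xd; rank maps clock -> position of its
# fractional part among the clocks in open intervals (0 = smallest), or None for
# clocks at integer points or beyond their ceiling (Xd = Mx).


def region_of(values, ceilings):
    """Abstract a concrete clock valuation into its region (assumed encoding)."""
    d, frac = {}, {}
    for c, v in values.items():
        C = ceilings[c]
        if v > C:
            d[c] = 2 * C + 1                  # Xd = Mx: X > Cx
        elif v == math.floor(v):
            d[c] = 2 * int(v)                 # even: the point [v,v]
        else:
            d[c] = 2 * math.floor(v) + 1      # odd: the interval (floor v, floor v + 1)
            frac[c] = v - math.floor(v)
    order = sorted(set(frac.values()))        # equal fractions share a rank
    rank = {c: (order.index(frac[c]) if c in frac else None) for c in values}
    return d, rank


def interval_of(xd, C):
    """Human-readable meaning of one clock index, as on slide 9."""
    if xd == 2 * C + 1:
        return f"({C},inf)"
    if xd % 2 == 0:
        return f"[{xd // 2},{xd // 2}]"
    return f"({xd // 2},{xd // 2 + 1})"


def time_successor(region, ceilings):
    """Region entered next as time elapses.

    Slide 10's two-clock cases are instances of the two branches below:
    clocks on an integer point move into the next open interval with equal
    fractional parts below everyone else's (Xd' = Xd + 1, Xf' < Yf'); otherwise
    the clocks with the largest fractional part reach the next integer (Yd' = Yd++).
    """
    d, rank = region
    new_d, new_rank = dict(d), dict(rank)
    at_point = [c for c in d if d[c] % 2 == 0]          # even index: integer point
    if at_point:
        entering = []
        for c in at_point:
            new_d[c] = d[c] + 1
            if new_d[c] == 2 * ceilings[c] + 1:          # stepped past Cx: no fraction
                new_rank[c] = None
            else:
                entering.append(c)
        if entering:
            for c in d:                                  # existing fractions shift up
                if rank[c] is not None:
                    new_rank[c] = rank[c] + 1
            for c in entering:
                new_rank[c] = 0                          # new fractions: smallest and equal
        return new_d, new_rank
    fractional = [c for c in d if rank[c] is not None]
    if not fractional:
        return new_d, new_rank                           # all clocks beyond Cx: stutter
    top = max(rank[c] for c in fractional)
    for c in fractional:
        if rank[c] == top:                               # largest fraction hits the integer first
            new_d[c] = d[c] + 1
            new_rank[c] = None
    return new_d, new_rank


if __name__ == "__main__":
    C = {"X": 3, "Y": 3}
    r = region_of({"X": 1.3, "Y": 2.5}, C)               # slide 9's Xd=3, Yd=5, Xf<Yf
    for _ in range(5):
        print({c: interval_of(r[0][c], C[c]) for c in C}, r[1])
        r = time_successor(r, C)
```

Running the block walks the region sequence from X in (1,2), Y in (2,3) with Xf < Yf: Y reaches [3,3] first, then passes Cy into (3,∞), and only then does X reach [2,2].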

  11. Transition
  • Time elapse
  • Edge fire
  • One step condition

  12. Reachability Analysis
  BoundedFwdReach(I, R, →, MaxBound)
    var i: 0..MaxBound;
  begin
    i := 0; F := I(B0);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F ∧ R(Bi))) return reachable;
      F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1);
      i := i + 1;
  end.
  • Results of each step are added to F until termination

  13. Theorem
  Given a TA having n regions, BoundedFwdReach() is sound and complete when MaxBound ≥ n.
  • The number of regions is prohibitively high to reach! It is the worst case of the reachability diameter
  • A better option is the number of steps of the longest shortest path: loop-free termination

  14. Loop-Free Reachability Analysis
  LFFwdReach(I, R, →, MaxBound)
    var i: 0..MaxBound;
  begin
    i := 0; F := I(B0);
    loop forever
      if (i = MaxBound) return unreachable within MaxBound;
      if (SAT(F ∧ R(Bi))) return reachable;
      F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1) ∧ (∧j<i+1 Bj ≠ Bi+1);
      if (not SAT(F)) return unreachable by loop-free;
      i := i + 1;
  end.
  • Loop-free restrictions are added to enforce searching distinct states
  • A loop-free path is a shortest path
  • Completeness is preserved

  15. Solve the problem?
  • The tightest bound may still be too high to reach!
  • Can we prove correctness without considering the diameter? Construct an induction proof!

  16. Simple Induction
  Prove P always holds
  • An induction proof: prove that P(0) is true (basis); prove that for all k, P(k) implies P(k+1) (inductive step)
  • Formal verification: P holds in the initial states; P is maintained by the transition relation
  • Constraints: I(B0) ∧ ¬P(B0) is unsatisfiable; for all k, P(Bk) ∧ (Bk → Bk+1) ∧ ¬P(Bk+1) is unsatisfiable
  • Sound
  • When it succeeds, induction is able to handle larger models
  • However, in many cases, simple induction is infeasible

  17. Windowed Induction
  • An induction proof (window size N): prove that for 0 ≤ k ≤ N, P(k) is true; prove that for all k, (P(k) ∧ … ∧ P(k+N)) implies P(k+N+1)
  • Formal verification: P holds in all paths of length N starting from an initial state; for an arbitrary path of length N+1, if P holds in its first N+1 states, then it holds in state N+2 too
  • Constraints: I(B0) ∧ (B0 → B1) ∧ … ∧ (BN-1 → BN) ∧ ¬(P(B0) ∧ … ∧ P(BN)) is unsatisfiable; for all k, P(Bk) ∧ (Bk → Bk+1) ∧ P(Bk+1) ∧ (Bk+1 → Bk+2) ∧ … ∧ P(BN+k) ∧ (BN+k → BN+k+1) ∧ ¬P(BN+k+1) is unsatisfiable

  18. Inductive Reachability Analysis
  Given I, R, → (invariant property: ¬R), two checks are interleaved at each depth i:
  • Induction: is ¬R(B0) ∧ (B0 → B1) ∧ ¬R(B1) ∧ … ∧ (Bi-1 → Bi) ∧ R(Bi) satisfiable? If unsatisfiable, the risk state is unreachable; else go on
  • Reachability: is I(B0) ∧ ¬R(B0) ∧ (B0 → B1) ∧ ¬R(B1) ∧ … ∧ (Bi-1 → Bi) ∧ R(Bi) satisfiable? If satisfiable, the risk state is reachable; else the basis is constructed and go on
  • [Figure: the two sequences of queries over states S0, S1, S2, …]

  19. Inductive Reachability Analysis
  IndFwdReach(I, R, →)
    var i: 0..N;
  begin
    i := 0; F := I(B0);
    loop forever
      if (not SAT((F \ I) ∧ R(Bi))) return unreachable by induction;
      if (SAT(F ∧ R(Bi))) return reachable;
      F := F ∧ ¬R(Bi) ∧ (Bi → Bi+1) ∧ (∧j<i+1 Bj ≠ Bi+1);
      if (not SAT(F)) return unreachable by loop-free;
      i := i + 1;
  end.
  • F \ I: remove the clauses of the initial condition from F
  • The negation of the risk condition is inserted
  • Retain previous efforts
  • Build the constraint of the inductive step
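The three procedures of slides 12, 14 and 19 (with the windowed-induction reading of slides 16 to 18), as an added example that is not code from the slides or from xBMC. The slides hand the path formula F to a SAT solver; here every SAT query is answered instead by enumerating paths over a small constructed transition system, which stands in for the region graph, so the effect of the ¬R(Bi) clauses, the loop-free constraint and the F \ I induction check can be observed without a solver. The function names and the two sample systems are my own.

```python
"""BoundedFwdReach, LFFwdReach and IndFwdReach over an explicit finite graph."""


def sat(system, length, from_init, loop_free, end_in_risk):
    """Path-enumeration stand-in for the SAT oracle of slides 12, 14 and 19.

    Returns True iff there is a path B0 -> ... -> B_length such that
      * B0 is initial (the I(B0) clauses) unless from_init is False (F \\ I),
      * every Bj with j < length is not a risk state (the inserted ¬R(Bj)),
      * all states are distinct if loop_free (the Bj ≠ Bi+1 clauses), and
      * B_length is a risk state if end_in_risk (the R(Bi) conjunct).
    """
    starts = system["init"] if from_init else system["states"]
    stack = [(s,) for s in starts]
    while stack:
        path = stack.pop()
        last = path[-1]
        if len(path) == length + 1:
            if not end_in_risk or last in system["risk"]:
                return True
            continue
        if last in system["risk"]:                    # ¬R(Bj) for j < length
            continue
        for nxt in system["edges"].get(last, ()):
            if loop_free and nxt in path:
                continue
            stack.append(path + (nxt,))
    return False


def bounded_fwd_reach(system, max_bound):
    """Slide 12: plain bounded forward reachability."""
    i = 0
    while True:
        if i == max_bound:
            return ("unreachable within MaxBound", i)
        if sat(system, i, True, False, True):
            return ("reachable", i)
        i += 1


def lf_fwd_reach(system, max_bound):
    """Slide 14: only loop-free paths, so an unsatisfiable F proves unreachability."""
    i = 0
    while True:
        if i == max_bound:
            return ("unreachable within MaxBound", i)
        if sat(system, i, True, True, True):
            return ("reachable", i)
        if not sat(system, i + 1, True, True, False):     # F after adding Bi -> Bi+1
            return ("unreachable by loop-free", i)
        i += 1


def ind_fwd_reach(system):
    """Slide 19: the loop-free search plus the induction check on F \\ I."""
    i = 0
    while True:
        if not sat(system, i, False, True, True):         # (F \ I) ∧ R(Bi) unsatisfiable
            return ("unreachable by induction", i)
        if sat(system, i, True, True, True):
            return ("reachable", i)
        if not sat(system, i + 1, True, True, False):
            return ("unreachable by loop-free", i)
        i += 1


# Constructed sample systems (not from the paper).
# A chain of safe states; the risk state 9 has no incoming edge at all, so
# induction closes the proof after one step while loop-free search needs eight.
SAFE_CHAIN = {
    "states": list(range(10)), "init": {0}, "risk": {9},
    "edges": {**{s: [s + 1] for s in range(8)}, 8: [8]},
}
# A chain whose last state is the risk state: all three procedures find it at depth 3.
BUGGY_CHAIN = {
    "states": [0, 1, 2, 3], "init": {0}, "risk": {3},
    "edges": {0: [1], 1: [2], 2: [3], 3: [3]},
}

if __name__ == "__main__":
    for name, ts in (("safe", SAFE_CHAIN), ("buggy", BUGGY_CHAIN)):
        print(name, bounded_fwd_reach(ts, 5), lf_fwd_reach(ts, 50), ind_fwd_reach(ts))
```

On SAFE_CHAIN the bounded search gives up at MaxBound, the loop-free search stops at depth 8 when no longer loop-free path exists, and the induction check stops at depth 1 because no safe state has an edge into the risk state; on BUGGY_CHAIN all three report the witness at depth 3.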

  20. Implementation
  • Standard bit encoding
  • A circuit representation
  • xBMC makes use of zChaff
  • xBMC 2.0: supports real-time systems
  • xBMC 1.0: supports discrete systems, and has been used to verify program security (DSN2004)

  21. Experiments
  • A simplified client model of CorSSO [JSS04]: P: the id of the chosen policy; A: a bounded integer recording the number of collected authentications; X, Y: local clocks
  • Transitions: 1. P:={1,2}; A:=0; reset {X,Y}   2. P≠0 ∧ X>TA ∧ A<Mx → A:=A+1; reset {X} (Authentication)   3. Y<TE ∧ ((P=1 ∧ A>TH1) ∨ (P=2 ∧ A>TH2))   4. P:=0 (Access)
  • Safety property: for every client i, Access[i] implies that for some k≠0, P[i]=k and A[i]>THk
  • Experiments: a bug was inserted by mistyping TH2 as TH1 in transition 3; increase the number of clients

  22. Time Performance
  • Induction proofs with window size 3 are constructed
  • All bugs are found at the 12th step
  • RED run against default values
  • [Table of running times in seconds; T/O: time out (>60000 s), O/M: out of memory, N/A: not available. Parameters: TA=1, TE=10, TH1=2, TH2=3. Platform: P 1.7 GHz, 256M, Linux]

  23. Related Work
  • General zones/polyhedra: Seshia and Bryant (CAV’03); unbounded, fully symbolic model checking; quantified separation logic to quantified Boolean formula; tool: TMV (CUDD); no SAT-based model checker available
  • Discretization of region automata: Penczek, Wozna and Zbrzezny (FTRTFT’02); reachability analysis; divide a time unit into 2n segments; tool: BBMC

  24. Compared to BBMC
  • BBMC’s data directly copied from [WPZ03], “Checking reachability properties for timed automata via SAT.”
  • BBMC-ARG: forward projection is applied
  • BBMC found the witness at the 12th iteration
  • xBMC 2 found the witness at the 15th iteration
  • [Table: Fischer’s Mutual Exclusion, A=1, B=2]

  25. Conclusion
  • We try to migrate the success of discrete-system verification to timing behavior analysis: bounded model checking techniques, induction algorithms, discretization of region automata
  • Therefore, we get the best of both worlds: a correctness proof, and the ability to handle large real-time systems
  • Primitive experiments show some promise in correctness guarantee as well as bug hunting

  26. Limitation and Future Work
  • Using region graph
  • Pros: simple and precise transition relation; BMC is efficient; tight induction step
  • Cons: a minor step might imply a deeper diameter; correctness might be proved by induction, but once induction fails or bugs exist at a deep depth, what can we do?
  • Future work: invariant strengthening [MRS03], interpolation [McMillan03], abstraction, case study
