Verified systems by composition from verified components
Download
1 / 38

Verified Systems by Composition from Verified Components - PowerPoint PPT Presentation


  • 290 Views
  • Uploaded on

Verified Systems by Composition from Verified Components. Fei Xie and James C. Browne. Research Goal. Goal: Construction of reliable and secure software systems from reliable and secure components; Framework: Composition of verified systems from verified components. Research Challenges.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Verified Systems by Composition from Verified Components' - victoria


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Research goal l.jpg
Research Goal

  • Goal:

    • Construction of reliable and secure software systems from reliable and secure components;

  • Framework:

    • Composition of verified systems from verified components.


Research challenges l.jpg
Research Challenges

  • How to verify components?

  • How to compose verified components to build larger verified components effectively?


Synergism between cbd and mc l.jpg
Synergism between CBD and MC

  • Component-Based Development (CBD)

    • Introduces compositional structures to software;

    • Helps minimizing state spaces to be explored.

  • Model Checking (MC)

    • Provides exhaustive state space coverage;

    • Strong at detection of composition errors.


Agenda l.jpg
Agenda

  • Motivations

  • Our Approach

  • Component Model for Verification

  • Case Study: TinyOS

  • Verification of Components

  • Related Work

  • Conclusions and Future Work


Highlights of our approach l.jpg
Highlights of Our Approach

  • Temporal properties are specified, verified, and packaged with components.

  • Larger components are composed incrementally.

  • Component reuse considers component properties.

  • Verification of a property of a composed component

    • Reuses verified properties of its sub-components;

    • Follows abstraction-refinement paradigm;

    • Is based on compositional reasoning.


Compositional reasoning l.jpg
Compositional Reasoning

  • To verify a property on a software system

  • Step 1: Verification of component properties;

  • Step 2: Validation of circular dependencies;

  • Step 3: Derivation of the system property from component properties.

  • Previous work: in top-down system decomposition;

  • Our approach: inbottom-up component composition.


Why validate circular dependencies between component properties l.jpg

C1

C2

Eventually (A)

Eventually (B)

A = FALSE

B = FALSE

X

X

?

Eventually (A) and Eventually (B)

Why validate circular dependenciesbetween component properties?


Agenda9 l.jpg
Agenda

  • Motivations

  • Our Approach

  • Component Model for Verification

  • Case Study: TinyOS

  • Verification of Components

  • Related Work

  • Conclusions and Future Work


Component l.jpg
Component

  • A component, C, has four parts:

    • Executable representation (models or sources);

    • Interface (procedural, messaging, …);

    • A set of externally visible variables;

    • A set of verified temporal properties of C.


Component property l.jpg
Component Property

  • A property of C, is a pair, (p, A(p)).

    • p is a temporal property;

    • A(p) is a set of assumptions on environment of C.

    • pis verified assumingA(p)hold.

  • The environment of C

    • is the set of components that C interacts with;

    • varies in different compositions.


Component composition l.jpg
Component Composition

  • Connect executable representations of sub-components through their interfaces;

  • Selectively merge interfaces and visible variable sets of sub-components;

  • Verify properties of composed component by reusing properties of sub-components.


Instantiation of component model on aim computation model l.jpg
Instantiation of Component model on AIM Computation Model

  • Asynchronous Interleaving Message-passing

    • A system consists of a finite set of processes.

    • Processes execute asynchronously.

    • At any moment, only one process executes.

    • Interactions via asynchronous message-passing.


Instantiation of component model on aim computation model cont l.jpg
Instantiation of Component model on AIM Computation Model (cont.)

  • Component

    • Represented in Executable UML (xUML);

    • Messaging interface;

  • Composition

    • Establishing mappings among input and output message types of sub-components.


Agenda15 l.jpg
Agenda (cont.)

  • Motivations

  • Our Approach

  • Component Model for Verification

  • Case Study: TinyOS

  • Verification of Components

  • Related Work

  • Conclusions and Future Work


Tinyos hill et al 00 l.jpg
TinyOS (cont.)[Hill, et. al, `00]

  • A run-time system for network sensors from UC Berkeley;

  • Component-based

    • Different requirements of sensors;

    • Physical limitations of sensors;

  • High reliability required

    • Concurrency-intensive operations;

    • Installation to many sensors.


Agenda17 l.jpg
Agenda (cont.)

  • Motivations

  • Our Approach

  • Component Model for Verification

  • Case Study: TinyOS

  • Verification of Components

  • Related Work

  • Conclusions and Future Work


Background verification of closed aim system l.jpg

Designer (cont.)

Property

xUML Model

Error Report

S/R Query

S/R Model

Error Track

Background:Verification of Closed AIM System

Property Specification Interface

xUML IDE

Error Visualizer

xUML-to-S/R Translator

Error Report Generator

COSPAN Model Checker


Verification of primitive components l.jpg
Verification of Primitive Components (cont.)

  • Given a component and a property:

    • Create a closed system from the component and an environment process, env;

    • Constrain env with assumptions of the property;

    • Verify the property on the constrained system.

Compositional Reasoning: Step 1


Sensor component l.jpg

AIM (cont.)

Process

Input message

Type

Component

Boundary

Output message

Type

Sensor Component


Sensor component cont l.jpg
Sensor Component (cont.) (cont.)

Properties:

Repeatedly (Output);After (Output) Never (Output) UntilAfter (OP_Ack);After (Done) Eventually (Done_Ack);Never (Done_Ack) UntilAfter (Done);After (Done_Ack) Never (Done_Ack) UntilAfter(Done);

Assumptions:After (Output) Eventually (OP_Ack);Never (OP_Ack) UntilAfter (Output);After (OP_Ack) Never (OP_Ack) UntilAfter (Output);After (Done) Never (Done) UntilAfter (Done_Ack);Repeatedly (C_Intr);After (C_Intr) Never (C_Intr + A_Intr + S_Schd) UntilAfter (C_Ret);After (ADC.Pending) Eventually (A_Intr);After (A_Intr) Never (C_Intr + A_Intr + S_Schd) UntilAfter (A_Ret);After (STQ.Empty = FALSE) Eventually (S_Schd);After (S_Schd) Never (C_Intr + A_Intr + S_Schd) UntilAfter (S_Ret);


Verification of sensor component l.jpg

Output (cont.)

Env

Output_Ack

Done

Done_Ack

Assumptions

Verification of Sensor Component

Sensor

Component



Network component cont l.jpg
Network Component (cont.) (cont.)

Properties:

IfRepeatedly (Data) Repeatedly (RFM.Pending);

IfRepeatedly (Data) Repeatedly (Not RFM.Pending);

After (Data) Eventually (Data_Ack); Never (Data_Ack) UntilAfter (Data);

After (Data_Ack) Never (Data_Ack) UntilAfter (Data);

After (Sent) Never (Sent) UntilAfter (Sent_Ack);

Assumptions:

After (Data) Never (Data) UntilAfter (Data_Ack);

After (Sent) Eventually (Sent_Ack); Never (Sent_Ack) UntilAfter (Sent);

After (Sent_Ack) Never (Sent_Ack) UntilAfter} (Sent);

After (NTQ.Empty = FALSE) Eventually (N_Schd);

After (N_Schd) Never (N_Schd +R_Intr) UntilAfter (N_Ret);

After (RFM.Pending) Eventually (R_Intr);

After (R_Intr) Never (N_Schd +R_Intr) UntilAfter (R_Ret);


Verification of composed components l.jpg

(3) Refinement (cont.)

(2) Verification

Verification of Composed Components

(1) Abstraction


Abstraction refinement paradigm l.jpg

Abstract through (cont.)

removing details

Abstraction

Refine through

adding details

Refined Abstraction

What is it?

How to create it?

How to refine it?

Abstraction-Refinement Paradigm

Component



Sensor to network component28 l.jpg
Sensor-to-Network Component (cont.)

Properties:

Repeatedly (RFM.Pending); Repeatedly (Not RFM.Pending);

Assumptions:

Repeatedly (C_Intr);

After (C_Intr) Never (C_Intr+A_Intr+S_Schd+N_Schd+R_Intr) UntilAfter (C_Ret);

After (ADC.Pending) Eventually (A_Intr);

After (A_Intr) Never (C_Intr+A_Intr+S_Schd+N_Schd+R_Intr) UntilAfter (A_Ret);

After (STQ.Empty = FALSE) Eventually (S_Schd);

After (S_Schd) Never (C_Intr+A_Intr+S_Schd+N_Schd+R_Intr) UntilAfter (S_Ret);

After (NTQ.Empty = FALSE) Eventually (N_Schd);

After (N_Schd) Never (C_Intr+A_Intr+S_Schd+N_Schd+R_Intr) UntilAfter (N_Ret);

After (RFM.Pending) Eventually (R_Intr);

After (R_Intr) Never (C_Intr+A_Intr+S_Schd+N_Schd+R_Intr) UntilAfter (R_Ret);


Abstraction l.jpg

Verified Properties (cont.)

Verified Properties

SP

(Sensor)

NP

(Network)

AIM

Processes

Assumptions

Abstraction

Env

(Environment)


Abstraction cont l.jpg
Abstraction (cont.) (cont.)

  • A sub-component property is included if it is

    • In thecone-of-influence;

    • Not involved in invalid circular dependencies;

    • Enabled: Its environment assumptions hold on

      • Other components in the composition;

      • Environment of the composition.

Compositional Reasoning: Step 2


Verification and complexity l.jpg
Verification and Complexity (cont.)

  • Check the property of SN on the abstraction.

Compositional Reasoning: Step 3 and Step 1


Abstraction refinement l.jpg
Abstraction Refinement (cont.)

  • An abstraction can refined by

    • (Introducing, verifying, and) enabling additional sub-component properties;

  • A property can be enabled by

    • enabling its assumptions on other components.

  • Currently requires user interactions.


Refinement example l.jpg
Refinement Example (cont.)

  • To check Property P1on Sensor-to-Network

    SN transmits any sensor reading exactly once.

  • Property P2 has been verified on Network.

    Network transmits any input exactly once.

    Assumption: A new input arrives only after Network acks the last input with a Sent message.

  • P2 is not enabled in the composition of SN.


Refinement example cont l.jpg
Refinement Example (cont.) (cont.)

  • To enable P2, introduce and checkProperty P3 on Sensor:

    Sensor outputs any sensor reading exactly once;

    After an output, Sensor will not output again until a done message is received.

  • A bug was found in Sensor and fixed. P3 was verified on the revised Sensor.

  • Inclusion of P2 and P3 into the abstraction leads to verification of P1.


Property and assumption formulation l.jpg
Property and Assumption Formulation (cont.)

  • Properties

    • Currently manually guided;

    • Derived from component specifications;

    • Added incrementally in component reuses.

  • Assumptions

    • Manual formulation;

    • Automatic generation

      • Often lead to complex assumptions.

  • Automatic generation heuristics in progress.


Agenda36 l.jpg
Agenda (cont.)

  • Motivations

  • Our Approach

  • Component Model for Verification

  • Case Study: TinyOS

  • Verification of Components

  • Related Work

  • Conclusions and Future Work


Related work l.jpg
Related Work (cont.)

  • Compositional Reachability Analysis (CRA)

    [Graf and Steffen, Yeh and Young, Cheung and Kramer]

    • Compose and minimize the LTS of a software system from LTSs of its components.

  • Modular Feature Verification [Fisler and Krishnamurthi]

    • Verification of layered composition of features.


Conclusions and future work l.jpg
Conclusions and Future Work (cont.)

  • An important step towards composition of verified systems from verified components.

  • Results are promising:

    • Detection of composition errors;

    • Significant reduction on verification complexity.

  • Future work

    • Automatic property and assumption generation;

    • Extended case studies.


ad