Formal Verification of Mobile Network Protocols

Similar documents
A Brief Introduction to Model Checking

PSPACE-completeness of LTL/CTL model checking

Model Checking. Boris Feigin March 9, University College London

Model Checking: An Introduction

Finite-State Model Checking

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Model for reactive systems/software

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Verification Using Temporal Logic

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking

Alan Bundy. Automated Reasoning LTL Model Checking

Temporal Logic Model Checking

Linear Temporal Logic and Büchi Automata

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

ESE601: Hybrid Systems. Introduction to verification

Lecture 16: Computation Tree Logic (CTL)

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Algorithmic verification

Automata-Theoretic Model Checking of Reactive Systems

MODEL CHECKING. Arie Gurfinkel

Lecture 2: Symbolic Model Checking With SAT

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Sanjit A. Seshia EECS, UC Berkeley

Computation Tree Logic (CTL)

Methods for Software Verification. Andrea Corradini Gian Luigi Ferrari. Second Semester 6 CFU

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Automata-based Verification - III

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

T Reactive Systems: Temporal Logic LTL

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

3-Valued Abstraction-Refinement

The State Explosion Problem

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Revising Specifications with CTL Properties using Bounded Model Checking

Crash course Verification of Finite Automata CTL model-checking

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Linear Temporal Logic (LTL)

Model Checking with CTL. Presented by Jason Simas

CS357: CTL Model Checking (two lectures worth) David Dill

Model checking the basic modalities of CTL with Description Logic

Computer-Aided Program Design

Automata-based Verification - III

PLEASE DO NOT REMOVE THIS PAGE

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Chapter 4: Computation tree logic

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Part I. Principles and Techniques

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Postprint.

Partial model checking via abstract interpretation

Lecture Notes on Emptiness Checking, LTL Büchi Automata

FAIRNESS FOR INFINITE STATE SYSTEMS

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Lecture 4 Event Systems

Modal and Temporal Logics

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

An Introduction to Temporal Logics

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

A Game-Theoretic Approach to Simulation of Data-Parameterized Systems

Decidability of Inferring Inductive Invariants

A tableau-based decision procedure for a branching-time interval temporal logic

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Monitoring Distributed Controllers

Timo Latvala. February 4, 2004

Computer Aided Verification

Logic Model Checking

Counterexample-Guided Abstraction Refinement

Ranking Verification Counterexamples: An Invariant guided approach

Software Verification with Abstraction-Based Methods

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications

Overview. overview / 357

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Learning to Verify Branching Time Properties

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

Reasoning about Time and Reliability

Testing with model checkers: A survey

Recent results on Timed Systems

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

7. Queueing Systems. 8. Petri nets vs. State Automata

Computation Tree Logic

Topics in Verification AZADEH FARZAN FALL 2017

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Linear-time Temporal Logic

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Generating Linear Temporal Logic Formulas for Pattern-Based Specifications

SBMC : Symmetric Bounded Model Checking

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

Transcription:

Dipartimento di Informatica, Università di Pisa, Italy milazzo@di.unipi.it Pisa April 26, 2005

Introduction Modelling Systems Specifications Examples Algorithms

Introduction Design validation ensuring the correctness of systems at design time simulation Complex systems digital circuits communication protocols software Formal verification exhaustive exploration of all possible behaviours

Formal verification techniques model checking theorem proving... Model checking fully automatic systems modelled by finite state automata (Kripke structures) specifications given as logical formulas model checking algorithms return true if the system satisfies the specification give a counterexample otherwise

The Process of

Modelling Systems Specifications Examples Algorithms Modelling Systems: Kripke Structures Kripke structures are finite state automata in which states are labelled with atomic propositions Example: a washing machine open closed wash closed wash close start finish closed wash variables: boolean closed, wash; initial state: closed = wash = false; transitions: [closed=false] closed = true; [closed=true and wash=false] wash = true; [closed=true and wash=false] closed = false; [wash=true] wash = false;

Modelling Systems Specifications Examples Algorithms Formal Specification A specification is a set of properties that the system must satisfy Temporal logics can assert how the behavior of a system must evolve over time LTL (Linear Temporal Logic) CTL, CTL* (Computational Tree Logics) Examples of properties an execution exists such that p is always true for all the possible executions, p is eventually true

LTL Linear Temporal Logic Modelling Systems Specifications Examples Algorithms Path Quantifiers Af ( always ) Ef ( exists ) Path Operators Xf ( next time ) Ff ( in the future ) Gf ( globally ) f 1 Uf 2 ( until ) Atomic propositions are properties of a state (tests on the values of variables) The standard operators,,, are included.

Modelling Systems Specifications Examples Algorithms LTL Linear Temporal Logic The (infinite) tree of all the possible paths (computation tree) is the unfolding of the Kripke structure A and E quantify over paths c w c w c w c w c w c w c w c w c w c w c w c w c w

LTL Linear Temporal Logic Modelling Systems Specifications Examples Algorithms Xf Ff Gf f 1 Uf 2 f f 1 f f f 1 f f f 1 f f 2 f

Examples Introduction Modelling Systems Specifications Examples Algorithms open closed wash closed wash close start closed wash E(F wash) A(G (wash closed)) A(G (wash X wash)) A( wash U (closed wash) finish

Examples Introduction Modelling Systems Specifications Examples Algorithms open closed wash closed wash close finish start finish open closed wash closed wash close E(F wash) A(G (wash closed)) A(G (wash X wash)) A( wash U (closed wash) Counterexample for both the false properties close,start,open,

Algorithms Modelling Systems Specifications Examples Algorithms Several techniques for verifying properties exist the first algorithms used an explicit representation of the Kripke structure, and visited it many other approaches use automata for specifications as well as for implementations automata can be sinthesized from logical formulas the system A satisfies the specification S when L(A) L(S), that is when L(A) L(S) = other approaches use observational equivalence or refinement relations

A network is a set of concurrent systems Problem: state space (exponential) explosion Concurrent systems communicate through message passing it can be modelled Problem: state space explosion The number of systems involved in a protocol can be unbounded Problem: infinite state space

A Network of Washing Machines closed 1 wash 1 closed 2 wash 2 open 1 close1 start 1 open 2 close2 start 2 closed 1 wash 1 closed 1 wash 1 finish 1 closed 2 wash 2 closed 2 wash 2 finish 2

A Network of Washing Machines c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2 c 1 w 1 c 2 w 2

State space explosion Problem: given a network of n finite state systems, the number of global states grows exponentially with n. (Partial) solutions: symbolic model checking on the fly model checking partial order reduction abstractions compositional reasoning...

Communicating Washing Machines closed 1 wash 1 closed 2 wash 2 open 1 close1 start 1 open 2 close2 rcvf(1) closed 1 wash 1 closed 1 wash 1 sendf(2) closed 2 wash 2 closed 2 wash 2 finish 2

Communicating Washing Machines closed 1 wash 1 closed n wash n open 1 close1 start 1 open n closen rcvf(n-1) closed 1 wash 1 closed 1 wash 1 closed n wash n closed n wash n sendf(2) finish n

Unbounded Number of Concurrent Systems Suppose that we want to prove that machine i + 1 starts after machine i for every i and for every number n of concurrent systems n A (( wash 1 Uwash 0 ) ( wash n Uwash n 1 )) We should verify the property once for every possible value of n, but n is unbounded Solutions (semi automatic): abstractions reduce the property to an invariant for pairs of components

Ad Hoc On Demand Distance Vector Protocol () : routing protocol for mobile ad hoc networks frequent changes in topology routes on demand analysis based on the version 2 draft specification property to verify: LOOP FREEDOM model checking tool: SPIN

Ad Hoc On Demand Distance Vector Protocol () Each node maintains 2 counters seqno incremented at each local topology change broadcast id incremented each time the node makes a route discovery broadcast and one route record for every currently active destination next d next node on the route hops d hops count to d seqno d last known sequence number of the destination lifetime d remaining time before route expiration

Ad Hoc On Demand Distance Vector Protocol () When a node wants to communicate with a destination d, it broadcast a route request message (RREQ). RREQ(hops to src, broadcast id, d, seqno, s, src seq no ) hops to src hops to the initiating node s broadcast id broadcast id of the initiating node s (if a node receives two messages from the same source and the same broadcast id, the second message is discarded) seqno least accepted sequence number for the route src seq no sequence number of the initiating node s

Ad Hoc On Demand Distance Vector Protocol () When a node t receives an RREQ if t has not a fresh enough route to d, it rebroadcast the RREQ with incremented hops to src field if t has a fresh enough route to d, it replies with RREP(hops d, d, seqno d, lifetime d ) where hops d, seqno d and lifetime d are the corresponding attributes of t s route to d if t = d, it replies with RREP(0, d, big seq no, MY ROUTE TIMEOUT ) where big seq no is max(seqno, seqno in RREQ) and MY ROUTE TIMEOUT is the default timeout, locally configured at d

Ad Hoc On Demand Distance Vector Protocol () If a route expires (i.e. lifetime d generates a timeout event) it is marked invalid hops d is set to infinity lifetime d is reset BAD LINK LIFETIME, which is a locally configured constant When the BAD LINK LIFETIME timer expires, if the route is still invalid it is erased

Instance Verification Introduction Simple 3 node scenario SPIN found a number of looping scenarios!!!

Loop Conditions Introduction

Loop Conditions Introduction

Loop Conditions Introduction

Assumption for loop freedom Assumption (suggested by the discovered scenarios) under which we prove loop freedom: A1. When a node discovers and expired or broken route, it increments the sequence number for that route A2. Nodes never delete routes A3. Nodes always detect when a neighbor reboots Theorem 1 (Loop freedom). Consider an arbitrary network of nodes running. If all nodes conform to the assumptions A1 A3, there will be no routing loops formed.

Loop freedom invariant The following is an invariant (over time) of the process at a node n, for every destination d Theorem 2 (Loop freedom invariant). If next d (n) = n, then 1. seqno d (n) seqno d (n ), and 2. seqno d (n) = seqno d (n ) hops d (n) > hops d (n ) This invariant implies: 1. Loop Freedom (Theorem 1) At each hop either the sequence number must increase or the hop count must decrease 2. Route Validity If all the sequence numbers along a path are the same, hop counts must strictly decrease

Loop freedom invariant Theorem 2 can be translated in Lemma 3. If t 1 t 2, then seqno d (n)(t 1 ) seqno d (n)(t 2 ) Lemma 4. If t 1 t 2 and seqno d (n)(t 1 ) = seqno d (n)(t 2 ), then hops d (n)(t 1 ) hops d (n)(t 2 ) Lemma 5. If next d (n)(t) = n, then seqno d (n)(t) = seqno d (n )(lut) and hops d (n)(t) = 1 + hops d (n )(lut) Where lut is the last time before t when next d (n) changed to n

Introduction The loop freedom property (Theorem 1) has been reduced to an invariant on pairs on nodes (Theorem 2). As a consequence an unbounded n node verification has been reduced to a 2 node verification The 2 node verification can be performed automatically with SPIN Loop freedom of under assumptions A1 A3 is verified

References Introduction D. Obradovic. Formal Analysis of Routing Protocols. PhD Thesis, University of Pennsylvania, 2002. K. Bhargavan, D. Obradovic and C.A. Gunter. Formal verification of standards for distance vector routing protocols. Journal of ACM, 2000. E.M. Clarke Jr, O. Grumberg and D.A. Peled. Model Checking. MIT Press, 1999.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback