1 i/o automaton models: basic, timed, hybrid, probabilistic, etc. nancy lynch, dilsun kirli, mit...
TRANSCRIPT
1
I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.
Nancy Lynch, Dilsun Kirli, MIT
University of Illinois, Urbana-Champaign, MURI Meeting
October 4, 2002
Based on work with Roberto Segala, Frits Vaandrager
2
I/O Automata
• Mathematical, infinite-state, automaton models.
• Describe states, transitions.
• Describe system modularity:– Parallel composition of interacting components.
– Levels of abstraction.
• Example: Generic distributed system– Diagram represents interfaces.
– IOA models also describe behavior.
– Abstract models for system components.
– Channel: Implemented by TCP, modeled as reliable FIFO queue.
– Node: Implemented by C++ program, modeled as algorithm automaton.
3
Reliable FIFO Channel Model
• Signature:– Inputs:
• send(m), m in M
– Outputs:
• receive(m), m in M
• States:– queue, a finite sequence of elements of M, initially empty
• Transitions:– send(m)
• Effect: Add m to end of queue
– receive(m)
• Precondition: m is first on queue
• Effect: remove first element of queue
Channel(M) send(m) receive(m)
4
Levels of Abstraction
• Used in system development by successive refinement.
• Top level: Specification for allowed behaviors.
• Can write in same automaton style.
• Refine through many levels, to code-like, detailed description.
• Example: Group communication:– Automata used to represent totally-ordered reliable broadcast service,
group communication service, and algorithm.
– Composition of algorithm and GCS automata implements TO-Bcast automaton.
– Continue, implementing GCS in terms of lower-level network. TO-Bcast
GCSGCS
5
Flavors of I/O Automaton Models
• Basic IOAs deal with:– What happens, in what order (not when).– Discrete events (not continuous behavior).
• Timing: TIOA– For describing timeout-based algorithms.– Local clocks, clock synchronization.– Timing/performance analysis.
• Hybrid (continuous/discrete): HIOA– Systems with real world + computer components– Vehicle control: ground, air, space– Embedded systems
• Probabilistic: PIOA, PTIOA, PHIOA– Randomized distributed algorithms– Security protocols– Safety-critical systems
6
Talk Outline
1. Brief overview of the models
2. HIOA model, in more detail (Lynch)
3. TIOA model (Kirli)
4. PIOA model (Lynch)
5. Future work on models
6. Future work on applications
7
1. Brief Overview of the Models
8
I/O Automata (IOA)
• Static description:– Actions a (input, output, internal)– States s, start states– Transitions (s, a, s'); input actions enabled in all states.
• Dynamic description:– Execution: s0 a1 s1 a2 s2 …– Trace: Sequence of input and output actions; externally visible behavior.– A implements B: traces(A) traces(B).
• Operations for building automata:– Parallel composition, identifying inputs and outputs.– Action hiding.
• Reasoning methods:– Invariant assertions: Property holds in all reachable states.– Simulation relations: Imply one automaton implements another.– Compositional methods
9
Example Applications
• Theoretical distributed algorithms:– Mutual exclusion, Byzantine agreement, atomic object
implementation, resource allocation, data management…
• Distributed systems:– Orca DSM system: Two-layer model, following the
implementation. Found, fixed logical error. Proofs.– Transis group communication system: Models for key
layers. Proofs. Algorithmic improvements.– Ensemble GC system: Models for key layers. Found,
fixed logical error. Proofs.
• Algorithms for dynamic networks (new):– RAMBO reconfigurable atomic memory algorithm– Dynamic atomic broadcast algorithm
10
Timed I/O Automata (TIOA)
• Add special time-passage actions, pass(t), to IOA model.
• Example: Reliable FIFO channel that always delivers messages within time d.– send(m)
• Effect: Add (m, now + d) to end of queue
– receive(m)
• Precondition: (m,u) is first on queue (for some u)
• Effect: remove first element of queue
– pass(t)
• Precondition: for all (m,u) in queue, now + t u• Effect: now := now + t
• Can use standard automaton-based reasoning methods:– Invariant: for all (m,u) in queue, now u now + d.
– Inductive proofs.
11
Example Applications
• Theoretical distributed algorithms: – Mutual exclusion, consensus,…
• Timeout-based communication protocols:– TCP,…
• Group communication systems:– Using GCS to build TO-Bcast: Conditional
performance analysis.– Scalable GCS: Performance analysis.
• RAMBO: Performance analysis.• Hybrid (continuous/discrete) systems:
– RR crossing, steam boiler controller– Stretched TIOA capabilities; motivated HIOA.
12
Hybrid I/O Automata (HIOA)
• TIOA plus facilities for representing continuous behavior.
• Static description:– States: input, output, internal variables; start states
– Actions: input, output, internal
– Discrete steps (s, a, s')
– Trajectories , mapping time intervals to states
• Dynamic description:– Execution 0 a1 1 a2 2 …
– Trace: Project on external variables, external actions.
– A implements B if traces(A) traces(B).
• Operations: Composition, hiding
• Reasoning methods: Invariants, simulation relations, compositional methods
13
Example Applications
• Ground transportation:– People-mover (Raytheon)
– California PATH automated highway system (Berkeley)
• Aircraft control:– TCAS (Lincoln Labs)
– Qwanser helicopter system (MIT Aero/Astro)
14
Probabilistic I/O Automata [Segala]
• Adds probabilistic transitions (s, a, P), where P is a probability distribution on states.
• Includes both nondeterminism and probability.
• External behavior represented by a set of trace distributions (one for each “adversary”, who resolves nondeterminism).
• Implementation represented by subset (of sets of trace distributions).
• Example applications:– Randomized distributed algorithms:
• Rabin-Lehmann Dining Philosophers
• Aspnes-Herlihy randomized consensus
– Security protocols
15
2. Hybrid I/O Automata[Lynch, Segala, Vaandrager]
16
Hybrid Systems
• Hybrid systems: Continuous, real-world components + discrete, computer components
• Examples:– Automated transportation systems
– Robots
– Factory control systems
– Embedded systems
– Mobile systems
• Complex• Strong safety, performance requirements
17
The HIOA Model
• States, discrete transitions, trajectories.
• Model plants, controllers, sensors, actuators, computer software, communication services, human operators.
• Support for decomposing hybrid system descriptions:– External behavior: Models discrete and continuous interactions of
component with its environment.
– Composition: Synchronize external events, external trajectories.
– Levels of abstraction: Implementation notion, respects external behavior.
• Incorporate methods from control theory, computer science: – Control theory: Invariant sets, stability analysis using Lyapunov
functions, robust control methods
– Computer science: Invariants, simulation relations, compositional methods
18
Related Work
• Phase transition systems [Maler, Manna, Pnueli 92], [Alur, Courcoubetis, Halbwachs,…95], [Kesten, Manna, Pnueli 98]
• Hybrid control systems [Branicky 95, 98]
• Hybrid reactive modules [Alur, Henzinger 96, 97]
19
Example: Hybrid Control System
Actuator Sensor
Plant
Controller
20
Describing Hybrid Behavior
• Universal set of variables• Static type: type(v), set of values v may take on.• Dynamic type: dtype(v), allowed “trajectories” for v:
– Set of functions from left-closed intervals of R to type(v).
– Closed under time shift, subinterval, countable pasting.
• Examples: Pasting closure of constant functions, of continuous functions, of differentiable functions, of integrable functions.
21
Trajectories
• Model evolution of variables over time intervals.• Valuation for V: Assigns value in type(v) to each v in
V.• Trajectory: Let J be a left-closed interval, left
endpoint 0. A J-trajectory for V is a function from J to valuations for V whose restriction to each variable v is in dtype(v).
• Lemma: The set of trajectories for V together with the prefix ordering is an algebraic cpo.
• Concatenation: At common point, use value from first trajectory.
22
Hybrid Sequences
• Let A be a set of actions, V a set of variables. An (A,V)-sequence is an alternating sequence, 0 a1 1 a2 2 …of trajectories over V and actions in A.
• Models a series of discrete and continuous changes.• Lemma: The set of (A,V)-sequences together with the
prefix ordering is an algebraic cpo.• Concatenation: At common point, use value from
first (A,V)-sequence.
23
Hybrid I/O Automaton
• U, Y, X: input, output, and internal (state) variables– V = U Y X
• Q: states, a set of valuations of X : start states• I, O, H: input, output, and internal actions
– A = I O H
• D Q A Q: discrete transitions
• T: trajectories for V, in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.
24
Input-Enabling Axioms
• Input action enabling: For every state q and every input action a, there is some discrete transition (q,a,q’). As for ordinary I/O automata.
• Input trajectory enabling: For every state s and every input trajectory , there is some trajectory that starts with x, and either:– Spans all of , or
– Spans a prefix of , after which some locally-controlled action is enabled.
25
Executions and Traces
• Execution fragment of HIOA A:– An (A,V)-sequence 0 a1 1 a2 2 …, where:
• Each i is a trajectory of A, and
• Each (i.lstate, ai , i+1.fstate) is a discrete step of A.– A,V are all the actions and variables of A.– Only states need match up.
• Execution of A: – Fragment beginning in a start state.
• Trace of an execution fragment: – Restrict to external actions E, external variables W. – (E,W)-sequence.
• A implements B if they have the same external interface and tracesA tracesB.
26
Notation
• We specify sets of trajectories using differential and algebraic equations (or inclusions).
• Trajectory satisfies algebraic equation v = e if the constraints on the variables expressed by this equation hold in every state of .
• Trajectory satisfies differential equation d(v) = e if for every t in the domain of : v(t) = v(0) + 0
t e(t’) dt’
(“weak solutions”)• Algebraic/differential inclusions are handled
similarly.
27
Example: Vehicle HIOA
• Follows a suggested acceleration to within an error of 0. Reports real velocity.
• U: acc-in
• Y: vel-out
• X: vel, acc; Q: all valuations of X : vel = 0, acc = 0
• I, O, H, D: empty
• Trajectories T: – d(vel) = acc
– acc(t) [acc-in(t) - , acc-in(t) + ], for t > 0
– vel-out = vel
– No constraints on input variables in initial states of trajectories.
Vehicle
acc, vel
acc-in vel-out
28
Example: Controller HIOA
• Suggests accelerations for a vehicle with the intention of ensuring that the velocity does not exceed a pre-specified velocity, vmax.
• Monitors velocity, computes suggestion every time d.• Q: Valuations in which clock d. : 0 everywhere• H: suggest
• D: suggest transitions where– clock = d, clock’ = 0,
– vel-sensed’ = vel-sensed
– vel-sensed + (acc-suggested’ + ) d vmax
vel-out acc-in
Controller
vel-sensed
acc-suggested
clock
29
Controller Trajectories
• d(acc-suggested) = 0• d(clock) = 1• vel-sensed(t) = vel-out(t), for t > 0• acc-in = acc-suggested
30
Simulation Relation
• Let A, B be HIOAs with the same external interface.• Relation R from states of A to states of B satisfying:
– Every start state of A is related to some start state of B.
– If xA R xB and is an execution fragment of A consisting of one action surrounded by two point trajectories, with .fstate = xA, then B has a closed execution fragment with .fstate = xB, trace() = trace(), and .lstate R .fstate.
– If xA R xB and is an execution fragment of A consisting of a single closed trajectory, with .fstate = xA, then B has a closed execution fragment with …
31
Simulation relation
• Theorem: If there is a simulation relation from A to B then A implements B (inclusion of trace sets).
• Example: – Vehicle(1) implements Vehicle(2), if 1 2
– Show using simulation relation: identity mapping
32
Composition
• Assume A1 and A2 are compatible (no common outputs, internal actions/variables are private).
• Compose A1 and A2 by matching up external actions, variables:– Y = Y1 Y2; X = X1 X2; U = (U1 U2 ) - (Y1 Y2 )
– O = O1 O2; H = H1 H2; I = (I1 I2 ) - (O1 O2 )
• Start states : Projections in 1, 2
• Discrete steps D: Projections in D1, D2
• Trajectories T: Projections in T1, T2
• Technicality: Composition need not satisfy input flow enabling, pre-HIOA. Assume “strong compatibility”. Holds in many interesting special cases.
33
Composition Theorems
• Projection and Pasting: Assume A = A1 || A2. Then tracesA is exactly the set of (E,W)-sequences whose restrictions to A1 and A2 are traces of A1 and A2, respectively.
• Substitutivity: If A1 implements A2 and both are compatible with B, then A1 || B implements A2 || B.
34
Example: Vehicle and Controller
• Vehicle || Controller:
• Invariant of Vehicle || Controller: vel vmax.
• Can prove this using a standard inductive argument.
• Uses auxiliary invariants, most importantly:
vel + (acc-suggested + ) (d – clock) vmax
Vehicle
acc, vel
vel-out
acc-in
Controller
vel-sensed
acc-suggested
clock
35
Hiding
• ActHide(E,A) reclassifies the external actions in E as internal actions.
• (New) VarHide(W,A) removes the external variables in W (but retains their induced constraints on the trajectories).
• (Previously) VarHide(W,A) reclassified external variables in W as internal (state) variables.
36
Example
• In the composition Vehicle || Controller, we may hide the acc-in variable, which is used for communication between the components:
A = VarHide({acc-in}, Vehicle || Controller)• In A, the only external variable is vel-out.• Express the correctness of A by showing that it
implements an abstract specification HIOA VSpec.• VSpec expresses just the constraints vel vmax,
and vel-out = vel.• Show correctness using a simulation relation.
37
Progressive HIOAs
• HIOAs should provide some response from any state, for any sequence of input actions and input trajectories.
• HIOAs should not block the passage of time: they should allow time to pass to infinity, if their environment does so.
• Definition: A pre-HIOA is progressive if it has no execution fragments in which it generates infinitely many locally-controlled actions in finite time.
• Theorem: A progressive HIOA A can accommodate any input hybrid sequence, from every state: For each state x of A and each (I,U)-sequence , there is some execution fragment from x such that (I U) = .
• Theorem: The composition of progressive pre-HIOAs is progressive.
38
Receptive HIOAs
• But progressiveness isn’t enough:– HIOAs involving only upper bounds on timing are not progressive.– Such specifications are common.
• Definition: A strategy for a pre-HIOA A is an HIOA A’ that is the same as A except that D’ D, and T’ T.– Nondeterministic, memoryless.
• Definition: A pre-HIOA is receptive if it has a progressive strategy.
• Theorem: A receptive pre-HIOA can accommodate any input hybrid sequence.
• Theorem: Let A1 and A2 be compatible receptive HIOAs with strongly compatible progressive strategies B1 and B2. Then A1 || A2 is a receptive HIOA with progressive strategy B1 || B2.
39
Applications
• Raytheon people-mover [Lynch, Weinberg, Delisle]• California PATH automated highway system:
Analysis of platoon maneuvers [Dolginova, Lygeros, Lynch]
• TCAS [Livadas, Lygeros, Lynch]• Qwanser helicopter system
[Mitra, Wang, Feron, Lynch]
40
TCAS model
Aircraft
Pilot
ChannelConflictresolver
Conflictdetector
Sensor Sensor
Aircraft
Conflictdetector
Conflictresolver
Pilot
Channel
41
3. Timed I/O Automata[Kirli, Lynch, Segala, Vaandrager]
42
From HIOA to TIOA
• Hybrid systems: continuous, real-world components + discrete, computer components
• Timed systems: continuous, time + discrete, computer components– Correctness depends not only on the order of events but
also on their timing.
• Example: Reliable FIFO channel that always delivers messages within time d.
43
Work in Progress
• Canonical model for timing-based systems– External behavior
– Composition
– Levels of abstraction
• Identify major ideas from related models and express them in the common framework of TIOA– Timed automata [Alur and Dill]
– Timed transition systems [Maler, Manna, Pnueli]
– Clock GTA [DePrisco]
44
Describing Timing Behavior
• Timing behavior is described by using the same concepts as in HIOA:– Variables
– Static and dynamic types
– Trajectories
– Hybrid sequences
45
Timed I/O Automata
• X: internal variables• Q: states, a set of valuations of X : start states• I, O, H: input, output, internal actions
– A = I O H
• D Q A Q: discrete transitions
• T: trajectories for X, in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.
46
Execution and Traces
• Execution fragment of TIOA A:– An (A,V)-sequence 0 a1 1 a2 2 …, where:
• Each i is a trajectory of A, and
• Each (i.lstate, ai , i+1.fstate) is a discrete step of A.
– A,V are all the actions and variables of A.
• Execution of A: Fragment beginning in a start state.
• Trace of an execution fragment: – Restrict to external actions E, empty set of variables.
– (E,)-sequence.
47
Example: Time bounded channel
• X: clock, queue• Q: all valuations of X : clock=0, queue is empty• I: send(m) • O: receive(m)• Transitions:
– send(m) • Effect: add (m,clock + d) m,clock + d) to end of to end of queuequeue
– receive(receive(mm))• Precondition: (Precondition: (m,um,u) is first on ) is first on queuequeue and and clock clock u u • Effect: remove the first element of Effect: remove the first element of queue queue
• Trajectories satisfy:– d(clock)=1– ( queue) is a constant function
48
Untiming Operation
• Transform a timed automaton A to an untimed automaton Untime(A,R)– Define a notion of congruence.– Let R be a congruence for A.
• States of Untime(A,R): the set of equivalence classes of R.
• Untime(A,R) has a special internal action to represent time passage.
– Theorem: If is an execution of A, then Untime(A,R) has an execution ’ such that trace(’)=discrete(trace()) and vice versa.
• Similar to region construction of Alur and Dill– Theorem: The equivalence relation used by Alur-Dill in
region construction is a congruence
49
Properties for I/O Automata
• A property for A is a subset of the execution fragments of A.
• P is a liveness property provided that for any state x of A, there is some execution fragment from x that is in P.
• We say that A is receptive for P provided that there exists a strategy A’ for A such that every execution fragment of A’ is in P.
• Theorem: If A1 is receptive for P1 and A2 is receptive for P2 then A1 || A2 is receptive for P1 || P2.
50
4. Probabilistic I/O Automata[Lynch, Segala, Vaandrager]
51
Probabilistic I/O Automata (PIOA)
• Probabilistic transitions (s, a, P), where P is a probability distribution on states.
• Includes both nondeterminism and probability.
• Scheduler (adversary): Resolves all nondeterminism.
• External behavior represented by a set of trace distributions (one for each scheduler).
• Trace distribution preorder D: – Subset (of sets of trace distributions).
– Not preserved by composition.
• Trace distribution precongruence DC:
– Coarsest precongruence included in D.
– Preserved by composition.
– Not very informative.
52
Characterization result for DC
[Segala, Vaandrager, Lynch 02]
• Define various kinds of simulation relations for PIOAs.
• Weak probabilistic forward simulation relation from A1 to A2:
– Relates states of A1 to distributions over states of A2.
– Transitions preserve probabilities.
– Weak: Allows arbitrary internal actions.
• Theorem: A1 DC A2 if and only if there exists a “weak probabilistic forward simulation relation” from A1 to A2 .
53
Probabilistic Timed I/O Automata (PTIOA) [Segala]
• Include time-passage steps, with probability distributions on new state: (s, pass(t), P)
• Scheduler determines amount of time that passes (nondeterministic, not probabilistic).
• External behavior represented by a set of distributions of timed traces (one for each scheduler).
• Timed trace distribution preorder.• Timed trace distribution precongruence.
54
5. Future Work on Models
55
Future work on HIOA
• Finish changing the hiding operator.• Incorporate control theory methods
– Invariant sets, Lyapunov stability, robust control.
• Continue testing on a variety of examples.• Linguistic support [Mitra]
– Language constructs for describing trajectories.
– Algebraic and differential equations/inclusions.
– Preconditions, invariants, stopping conditions.
– Add to IOA.
• Analysis tools– Theorem-prover support, automated tools.
56
Future work on TIOA
• Express key concepts from other timed models using TIOA.– Alur, Dill
– Maler, Manna, Pnueli
– Merrit, Modugno, Tuttle MMT automata
– De Prisco clock automata
• Receptiveness with general liveness properties.• Linguistic support, tool support.• Test on many examples.
57
Future work on PIOA
• Restrict the set of schedulers (adversaries) to those that can see only external behavior of the component automata. Yields a smaller set of trace distributions.
• For this restricted set, obtain a characterization of the trace distribution precongruence. Is it the same as the trace distribution preorder?
58
Future work on PTIOA, PHIOA
• PTIOA: – Reformulate in terms of trajectories, as in TIOA, HIOA.
– Characterize the timed trace distribution precongruence.
– Generalize TIOA results to include probabilities.
• Define simulation relations, show they imply timed trace distribution inclusion.
• Receptiveness?
• PHIOA– Define a model that generalizes PTIOA and HIOA
– Define external behavior, composition, implementation,…prove all the right theorems.
59
All the IOA models
TIOA
HIOA
IOA
PIOA
PTIOA
PHIOA
60
6. Future work on applications
61
Hybrid and Embedded Systems
• Aero/astro applications• Embedded systems• Sensor networks, mobile systems
62
Security Protocols
• Recent results [Herzog 02] relating formal vs. computational approaches to analyzing correctness of security protocols.
• Not (yet) done explicitly in terms of PTIOA models.• Formal approach:
– Interacting non-probabilistic automata.
– Supports direct proofs, using induction.
• Computational approach:– Interacting probabilistic poly time Turing machines.
– Indirect proofs: reductions of attacks to hard problems.
• How do the two approaches relate?
63
Formal Approach [Dolev, Yao]
• Adversary controls the network.• Encryption, decryption treated as abstract, idealized
operations. • Cryptographic abilities of adversary made explicit:
– Encrypt, decrypt with known keys
– Make random choices, create new keys
• Proof of security: Adversary abilities do not combine to produce an unsafe operation.
64
Computational Approach
• Adversary controls the network• Encryption instantiated with specific algorithms• Adversary capable of any feasible (probabilistic
poly time) computation.• Proof of security: If any adversary can violate
security condition, an underlying computational problem is easy.
65
Relating the Two Approaches
• Would like to use computational view as semantics for formal view: Show formal attack exists iff computational attack exists.
• Known: Formal attacks imply computational attacks
• Open: When do computational attacks imply formal attacks?
• Answer requires:– Semantics for adversary– Semantics for honest participants– Semantics for composition of previous two
• Focus of present work: The adversary.
66
Formal Adversary
• Formal adversary makes queries to honest participants, receives responses
• Each query must be deducible from initial knowledge, responses, by sequence of:– Encryptions/decryptions with known key
– Pairing/separation of values
• Formal adversary modeled as closure operation on messages.
67
Ideal Encryption
• Computational encryption algorithm is ideal if:
no computational adversary, given any set of messages, can produce a message outside the closure of the set (with non-negligible probability)
• Theorem: This limits computational adversary to formal adversary.
• Theorem: This is achievable.
68
Future Work on Security Protocols
• Complete the work on formal vs. computational approaches:– Define semantics for honest participants
• How do they validate incoming messages?
• No information should be given away in error cases
– Define composition of adversary, honest participants
– Obtain general simulation theorems.
– Use the theorems to prove correctness of interesting security protocols.
• Express in terms of PTIOA.