Logic-Based Methods for Assurance of
Complex System Performance (DRAFT)
NASA IV&V Workshop
11–13 September 2012
Morgantown, WV
Dr. Ralph L. WojtowiczShepherd University Baker Mountain Research Corporation
Shepherdstown, WV Yellow Spring, WV
[email protected] [email protected]
BakerMountainScience Technology Service
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Outline
1 IntroductionAutonomous SystemsModel CheckingCategorical Logic
2 Model CheckingProbabilistic Model CheckingExample: Knuth-Yao SimulationHistory
3 IPv4 ProtocolConceptDTMC ModelProtocol DetailsPTA Model
4 τN TheoriesSyntaxCategorical SemanticsModels and Morphisms
5 Conclusions
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 1/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Examples of Autonomous Platforms
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 2/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Failures of Autonomous Systems
Loss of the Mars Climate Orbiter in 1999
Deaths of six cancer patients subjected to overdoses by the Therac-25computerized radiation therapy machine in 1985–1987
Airshow crash of Airbus A320 in 1988 in Mulhouse, France
Airshow crash of China Airlines Airbus A-300 in 1994
Temporary loss of the Dallas-Fort Worth air traffic system in 1990
British destroyer H.M.S. Sheffield was sunk by exocet missile as aresult of errors in the ship’s missile defense software
Araine 5 exploded forty seconds after liftoff on 4 June 1996 due tosoftware error
Gemini V capsule in 1965 missed its landing point in the Atlantic by100 miles due to software error
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 3/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Formal Approaches to Software Verification
Type theory
Type system gives a tractable syntactic method for proving the absenceof certain program behaviorsCan be used to enforce highest level of system conformance tospecificationComplete, formal system specifications are usually not availableLogical inference in rich type systems has high computationalcomplexity
Model checking
Finite-state model is exhaustively analyzed to test certain aspects ofsystem behaviorState explosion problem resulting from aggregation of systemcomponents
Research objective: develop syntactic inference systems that areapplicable to model checking logics
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 4/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Logics
Logics are mathematical models of inference. Like models of physical phenomena,logics are developed with varying levels of fidelity in response to their intendedapplications.
Mathematical logic plays fundamental roles in aspects of machine learning(Mitchell), AI (Russell & Norvig) and programming language theory (Pierce)
Fundamental insight: Logics are interpreted in categories (Lawvere: 1963)
logic semantic category example
Horn Cartesian meet semi-latticefirst-order intuitionistic Heyting open setsλ-calculus Cartesian closed group actionsfirst-order S4 modal sheaf on topological space infinite helixhigher-order intuitionistic topos directed graphslinear ∗-autonomous relations
• **false :: •jj
trueDD
B
E
π
∀
π∗∃
EA
•A
EA×B
•A×B
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 5/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Categorical Logic Success Story: Modal Logic
Modal logicModalities: logical operations that qualify assertions about the truth of statementsNecessity and possibility ♦Knowledge of autonomous agentsSafety, security, and correctness of programs
Semantics of S4 modal logic
propositional
Kripke semanticsKripke (1964)
topological spaces
Boolean algebrawith operatorMcKinsey-
Tarski (1944)
quantified
Kripke sheavesShehtman-
Skvortsov (1990)
•
completionRasiowa-
Sikorski (1963)
first-order
•
multi-sorted
higher-order
sheavesAwodey-
Kishida (2006)
Counterexamples to Barcan formulae: ∃ ⊢ ∃ and ∀ ⊢ ∀
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 6/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Outline
1 IntroductionAutonomous SystemsModel CheckingCategorical Logic
2 Model CheckingProbabilistic Model CheckingExample: Knuth-Yao SimulationHistory
3 IPv4 ProtocolConceptDTMC ModelProtocol DetailsPTA Model
4 τN TheoriesSyntaxCategorical SemanticsModels and Morphisms
5 Conclusions
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 7/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Probabilistic Model Checking Concept
system
accuracy goal
property
systemmodel
propertyspecification Model Check
er
satisfied?
probability
out of memory
Model Specification Language
Discrete Time Markov Chain Probabilistic Computation Tree LogicMarkov Decision Process Probabilistic Computation Tree Logic
Continuous Time Markov Chain Continuous Stochastic LogicProbabilistic Timed Automaton Probabilistic Timed Computation Tree Logic
Research effort has focused on
Syntactic inference rules (sequent calculus)
Applications: networking protocols, social network dynamics, etc.
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 8/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Knuth-Yao 6-Sided Die Simulation
start
0
1
2
3
4
5
6
7
8
9
10
11
12
bb
bb
b
b
b
b
b
b
b bb b
b
b
b
b
b
b
b b
b
b
b
b
b
b
b
b
b
b
b
bb
b
b
b
b
b
bb
bb bb
b
b
b
b
b
b
b
b
b
b
b
b
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 9/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Properties of the Knuth-Yao Simulation
PCTL formula type satisfied by
start state s = 0
bb
bbb
bb
state s = 7
X [ bb
bbb
b
b
] path (s0, s1, . . . ) with s1 = 7
♦ bb
bbb
bb
path sn = 7 for some n
P>0[♦ bb
bbb
bb
] state states from which bb
bbb
bb
can occur: 0, 1, 3, 7
start ∧ P=1/6[♦ bb
bbb
b
b
] state 0 iff bb
bbb
b
b
has probability 1/6
start ∧ P=1[♦ bb
bbb
b
b
∨ · · · ∨ ♦ b
b
bbb
bbbb
bbb
] state 0 iff termination withprobability 1
start
0
1
2
3
4
5
6
7
8
9
10
11
12
bb
bb
b
b
b
b
b
b
b bb b
b
b
b
b
b
b
b b
b
b
b
b
b
b
b
b
b
b
b
bb
b
b
b
b
b
bb
bb bb
b
b
b
b
b
b
b
b
b
b
b
b
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 10/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
PRISM: GPL Probabilistic Model Checker
www.prismmodelchecker.org
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 11/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Model Checking Historical Sketch1932 A. Church introduced untyped λ-calculus1959 C. Lee introduced binary decision diagrams1966 C. A. Petri wrote dissertation on Petri nets. D. Scott and P. Krauss wrote “Assigning Probabilities to Logical Formulas”1968 Minsky introduced labeled transition systems1969 D. Scott defined logic of computable functions of higher types1974 D. E. Knuth received A.C.M. Turing Award1976 D. Scott received Turing Award1977 A. Pneuli proposed temporal logic model checking concept1979 Computer Aided Verification colloquium started at Grenoble, FR1980 R. Milner defined CSS (calculus of communicating systems)1981 Clarke and Emerson and Sifakis independently published papers on temporal logic model checking1982 CESAR Sifakis logic model checker developed at Grenoble1984 P. Martin-Lof introduced intuitionistic type theory1986 EMC CTL model checker developed at CMU1986 R. Bryant popularized binary decision diagram in model checking1987 Estelle model checker developed1987 MEC Dicky calculus model checker developed at Bordeaux1991 R. Milner received Turning Award1992 Esterel real-time model checker developed1993 Multi-terminal decision diagrams developed1994 R. Alur and D. L. Dill defined timed automata1994 J. Sifakis et al. introduced TCTL1996 A. Pneuli received Turing Award
1996 E ⊢ MC2 DTMC/PCTL and CTMC/CSL probabilistic model checker developed1996 KRONOS timed automata model checker developed1989 Edinburgh Concurrency Workbench developed1997 Katis, Sabadini, and Walters introduced bicategories of processes2000 A. C-C. Yao received Turing Award2002 RAPTURE MDP/PCTL probabilistic model checker developed2002 PRISM probabilistic model checker developed2007 E. M. Clarke (CMU), E. A. Emerson (UTA), and J. Sifakis (CNRS, FR) received Turing Award
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 12/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Outline
1 IntroductionAutonomous SystemsModel CheckingCategorical Logic
2 Model CheckingProbabilistic Model CheckingExample: Knuth-Yao SimulationHistory
3 IPv4 ProtocolConceptDTMC ModelProtocol DetailsPTA Model
4 τN TheoriesSyntaxCategorical SemanticsModels and Morphisms
5 Conclusions
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 13/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Dynamic Configuration of IPv4 Addresses
Isolated network on a single link (e.g., no routers)
No DHCP server or manual IP setup needed
Upon connection, new host must:
Randomly select IP from a pool of 65,024
169.254.1.0 – 169.254.254.255 (IANA assigned)
Probe for another host using that IPTry again if IP is already in useClaim IP if it is not in use
link = ethernet, IEEE 802.11, etc.
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 14/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
DTMC Model of the IPv4 Link-Local Protocol
0 1 2 3 4 5
6
start error
ok
q
1− q
p p p p
2 2 2 R
2 n
21− p
q = (connected hosts count)/65,024p = probability of no reply
P : S → Dist(S)λ : Labels → P(S)C : S × S → R
−log10(r)
for
P=r[♦
error]
number of probes
p = 0.001p = 0.010
p = 0.100
1 2 3 4 5 6
0.1
0.2
0.3
0.4
r = 1.6× 10−3
r = 1.6× 10−5
hosts = 1000
Dynamic Configuration of IPv4 Link-Local Addresses. www.ietf.org/rfc/rfc3927.txt. 2005.
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 15/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Probabilistic Computation Tree Logic (PCTL)
Presentation:sorts • S , Ωtypes • sorts, products, PS (states), PΩ (paths)function symbols • ǫ : Ω → S
• σ : Ω → Ω• P⊲⊳p : PΩ → PS for each p ∈ [0, 1]and ⊲⊳∈ <,≤, >,≥
• E⊲⊳c : PS → PS for each c ∈ R
relation symbols • a S
State formulae:
a P⊲⊳p[ψ] P⊲⊳p[X [ϕ]] P⊲⊳p[U≤k [ϕ1, ϕ2]]
P⊲⊳p[U[ϕ1, ϕ2]] E⊲⊳c [ϕ]
⊤ ⊥ ϕ1 ∧ ϕ2 ϕ1 ∨ ϕ2 ϕ1 ⇒ ϕ2
Path formulae:
X [ϕ] U≤k [ϕ1, ϕ2] U[ϕ1, ϕ2] [ϕ] ♦[ϕ]
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 16/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
DTMC Semantics of PCTL
S = set of states
Ω = set of paths ω = (s0, s1, . . . )
Paths = set of paths ω with s0 = s
Probability measure ps on Paths
Cylinder Γ(s0, . . . , sn) = all paths with given prefix
Disjoint unions of cylinders form an algebra on Paths
ps(Γ(s′)) =
1 if s = s ′
0 otherwise
ps(Γ(s0, . . . , sn)) = P(s0, s1) · · · · · P(sn−1, sn)
Extend ps to a measure on the generated σ-algebras |= a iff s has label a
s |= P⊲⊳p[ψ] iff ps (ψ) ⊲⊳ p
s |= E⊲⊳c [ϕ] iff
∫
Paths
cost(ϕ)(ω) dps ⊲⊳ c where
cost(ϕ)(ω) =
∑min j|sj∈ϕ
i=1 C(si−1, si ) if ∃j ∈ N. sj ∈ ϕ
∞ otherwise
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 17/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Protocol Details
Parameters
PROBE WAIT 1 sec PROBE NUM 3PROBE MIN 1 sec PROBE MAX 2 secANNOUNCE WAIT 2 sec ANNOUNCE NUM 2ANNOUNCE INTERVAL 2 sec MAX CONFLICTS 10RATE LIMIT INTERVAL 60 sec DEFEND INTERVAL 10 sec
Clocks and counters
x = local clock probes gratuitouscoll def
ARP Probe
destination ethernet address
ff ff ff ff ff ffhost ethernet address
frame type
08 06
hdw (eth)
00 01
prot (IP)
08 00
(eth)
06
(IP)
04
(ARP req)
00 01
host ethernet addresshost IP address
00 00 00 00
target ethernet address
00 00 00 00 00 00selected IP address
P : Loc → P(
Zones(X )× Σ×Dist(P(X )× Loc))
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 18/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Probabilistic Timed Automaton Modelreconfigure
⊥
IP chosenx < PROBE-WAIT
test IPx < PROBE-MAX
probes < PROBE-NUM
ready toannounce
announcegratuitous < ANNOUNCE-NUM
claimed
safe modeprobes < PROBE-NUM
defenddef < 1
iph = randcoll ≤ MAX-CONFLICTS
probes := 0
resetprobes := 0x:=0
recip = iphcol ++
probes = PROBE-NUM
x := 0coll := 0
probes := 0
resetcoll = MAX-CONFLICTS
probes := 0x := 0
probes = PROBE-NUM
x := 0
x ≥ ANNOUNCE-WAIT
def := 0
gratuitous ≥ ANNOUNCE-NUM
def := 0sendx > PROBE-MIN
x := 0probes ++
sendx > ANNOUNCE-INT
x := 0gratuitous ++
sendx > RATE-LIMIT-INT
x := 0probes ++
rec ip = iph x := 0
x ≥ DEFEND-INTdef := 0
recx < DEFEND-INT
ip = iphProbabilistic timed automata featuresClocks and countersTiming and counter constraints on states and transitionsClock and timer resetsDigital clocks and region graph model checking algorithms
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 19/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Outline
1 IntroductionAutonomous SystemsModel CheckingCategorical Logic
2 Model CheckingProbabilistic Model CheckingExample: Knuth-Yao SimulationHistory
3 IPv4 ProtocolConceptDTMC ModelProtocol DetailsPTA Model
4 τN TheoriesSyntaxCategorical SemanticsModels and Morphisms
5 Conclusions
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 20/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
τN-Theories — Syntax
SignatureTypes: sorts, 1, A× B, N , PAFunction and relation symbols
TermsVariables x :AFunction application f (t) :B if f : A → B and t :AProducts: ∗ :1, 〈s, t〉 : A× B for s :A and t :B and
fst(z) : A and snd(z) : B for z : A× B
Natural number: 0 :N , succ(t) :N if t :N and iterx(m, a, n) : A if m :A,a :A and n :N with x not free in a or n (or in iterx(m, a, n))
Power: x : A |ϕ : PA (with FV(ϕ)/x as set of free variables)
FormulaeAtomic: R(t), (t =A s) and (s ∈A t) for s : A and t : PACompound: ϕ ∗ ψ with ∗ one of ∧, ∨, ⇒Negated: ¬ϕQuantified: (∀x)ϕ and (∃x)ϕ
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 21/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
τN-Theories — Sequent Calculus
Structural Rules1
(ϕ ⊢~x ϕ)(ϕ ⊢~x ψ)
(
ϕ[~s/~x ] ⊢~y ψ[~s/~x ])
(ϕ ⊢~x ψ) (ψ ⊢~x χ)
(ϕ ⊢~x χ)
Implication
((ϕ ∧ ψ) ⊢~x χ)
(ϕ ⊢~x (ψ ⇒ χ))
Equality
(⊤ ⊢x (x = x))
((~x = ~y) ∧ ϕ ⊢~z ϕ[~y/~x ])
Quantification2
(
ϕ ⊢~x ,y ψ)
((∃y)ϕ ⊢~x ψ)
(
ϕ ⊢~x,y ψ)
(ϕ ⊢~x (∀y)ψ)
Conjunction
(ϕ ⊢~x ⊤) ((ϕ ∧ ψ) ⊢~x ϕ) ((ϕ ∧ ψ) ⊢~x ψ)(ϕ ⊢~x ψ) (ϕ ⊢~x χ)
(ϕ ⊢~x (ψ ∧ χ))
Disjunction
(⊥ ⊢~x ϕ) (ϕ ⊢~x (ϕ ∨ ψ)) (ψ ⊢~x (ϕ ∨ ψ))(ϕ ⊢~x χ) (ψ ⊢~x χ)
((ϕ ∨ ψ) ⊢~x χ)
Product
(⊤ ⊢x (x =1 ∗)) (⊤ ⊢x ,y (fst(〈x , y〉) = x))
(⊤ ⊢x ,y (snd(〈x , y〉) = y))
(⊤ ⊢z (〈fst(z), snd(z)〉 = z))
Power3
(⊤ ⊢w (w =PA x : A | x ∈A w))(
(z ∈A y : A |ϕ) ⊣⊢~x,z ϕ[z/y ])
Natural Numbers(
⊤ ⊢~y (iterx(m, a, 0) = a)) (
⊤ ⊢~y (iterx(m, a, succ(n)) = m[iterx(m, a, n)/x ]))
(((0 ∈N z) ∧ (∀y) ((y ∈N z) ⇒ (succ(y) ∈N z))) ⊢z :PN (∀y)(y ∈N z))
Con
textsaresuitab
lefortheform
ulaethat
occuron
bothsides
of⊢.
1In
thesubstitution
rule,~ ycontainsallthevariab
lesof~ x.
2Bou
ndvariab
lesdonot
also
occurfree
inan
ysequent.
3w:PA
isavariab
le.
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 22/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
τN-Theories — Models and Morphisms
Any topos with natural number object is a suitable semantic category.
Soundness: If σ is provable in T, then it is satisfied in all T-models insuch toposes. D4.3.17Completeness: If σ is satisfied in all T-models in such toposes, then itis provable. D4.3.19(b)Peano Arithmetic: Any such topos has a model of PA. A2.5.4, A2.5.5Recursive Partial Functions: Nk N have interpretations.
Logical Functors: cartesian and preserves exponentials, Ω and N
Preserve satisfaction of τN sequents
Geometric morphisms: adjoint pairsF
f∗E
f ∗OO
with f ∗ cartesian
Preserve satisfaction of Hornsequents of F (⊤, ∧)Preserve satisfaction of regular sequents of E (⊤, ∧, ∃)Reflect natural number objects of E
Citations in green are from Johnstone’s Sketches of an Elephant. 2002.
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 23/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Outline
1 IntroductionAutonomous SystemsModel CheckingCategorical Logic
2 Model CheckingProbabilistic Model CheckingExample: Knuth-Yao SimulationHistory
3 IPv4 ProtocolConceptDTMC ModelProtocol DetailsPTA Model
4 τN TheoriesSyntaxCategorical SemanticsModels and Morphisms
5 Conclusions
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 24/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
Conclusions
Forthcoming
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 25/26
Introduction Model Checking IPv4 Protocol τN Theories Conclusions
References
S. Awodey and K. Kishida. “Topology and Modality: The Topological Interpretation ofFirst-Order Modal Logic”. 2007. www.andrew.cmu.edu/user/awodey
S. Eilenberg and C. C. Elgot. Recursiveness. Academic Press. 1970.
B. Jacobs. Categorical Logic and Type Theory. Elsevier. 1999.
P. E. Johnstone. Sketches of an Elephant: A Topos Theory Compendium. OxfordUniversity Press. 2002.
T. M. Mitchell. Machine Learning. 1997.
B. C. Pierce. Types and Programming Languages. 2002.
B. C. Pierce. Advanced Types in Programming Languages. 2004.
PRISM web site: www.prismmodelchecker.org
S. Russell and P. Norvig. Artificial Intelligence: A Modern Approach. 1995.
J. J. M. M. Rutten, M. Kwiatkowska, G. Norman, and D. Parker. Mathematical
Techniques for Analyzing Concurrent and Probabilistic Systems. American MathematicalSociety. 2004.
www.bakermountain.org/talks/nasa2012.pdf [email protected] 11–13 September 2012 26/26