
Page 1

Verified Systems by Composition from Verified Components

Fei Xie and James C. Browne

Page 2

Research Goal

• Goal:
– Construction of reliable and secure software systems from reliable and secure components;

• Framework:
– Composition of verified systems from verified components.

Page 3

Research Challenges

• How to verify components?

• How to compose verified components to build larger verified components effectively?

Page 4

Synergism between CBD and MC

• Component-Based Development (CBD)
– Introduces compositional structures to software;
– Helps minimize the state spaces to be explored.

• Model Checking (MC)
– Provides exhaustive state space coverage;
– Strong at detection of composition errors.

Page 5

Agenda

• Motivations

• Our Approach

• Component Model for Verification

• Case Study: TinyOS

• Verification of Components

• Related Work

• Conclusions and Future Work

Page 6

Highlights of Our Approach

• Temporal properties are specified, verified, and packaged with components.

• Larger components are composed incrementally.

• Component reuse considers component properties.

• Verification of a property of a composed component
– Reuses verified properties of its sub-components;
– Follows the abstraction-refinement paradigm;
– Is based on compositional reasoning.

Page 7

Compositional Reasoning

• To verify a property on a software system:
– Step 1: Verification of component properties;
– Step 2: Validation of circular dependencies;
– Step 3: Derivation of the system property from component properties.

• Previous work: in top-down system decomposition;

• Our approach: in bottom-up component composition.

Page 8

Why validate circular dependencies between component properties?

[Diagram: component C1 with property Eventually (A) and component C2 with property Eventually (B), each relying on the other's property as its assumption. Can the composition claim Eventually (A) and Eventually (B)? Both are marked X: A = FALSE, B = FALSE, so the circular support proves nothing.]


Page 10

Component

• A component, C, has four parts:
– Executable representation (models or sources);
– Interface (procedural, messaging, …);
– A set of externally visible variables;
– A set of verified temporal properties of C.

Page 11

Component Property

• A property of C is a pair, (p, A(p)).
– p is a temporal property;
– A(p) is a set of assumptions on the environment of C;
– p is verified assuming A(p) holds.

• The environment of C
– is the set of components that C interacts with;
– varies in different compositions.

Page 12

Component Composition

• Connect executable representations of sub-components through their interfaces;

• Selectively merge interfaces and visible variable sets of sub-components;

• Verify properties of composed component by reusing properties of sub-components.

Page 13

Instantiation of Component Model on AIM Computation Model

• Asynchronous Interleaving Message-passing (AIM)
– A system consists of a finite set of processes;
– Processes execute asynchronously;
– At any moment, only one process executes;
– Interactions via asynchronous message-passing.

Page 14

Instantiation of Component Model on AIM Computation Model (cont.)

• Component
– Represented in Executable UML (xUML);
– Messaging interface.

• Composition
– Establishing mappings among input and output message types of sub-components.


Page 16

TinyOS [Hill et al., '00]

• A run-time system for network sensors from UC Berkeley;

• Component-based
– Different requirements of sensors;
– Physical limitations of sensors;

• High reliability required
– Concurrency-intensive operations;
– Installation on many sensors.


Page 18

Background: Verification of Closed AIM System

[Tool-chain diagram: the Designer supplies an xUML Model and a Property through the xUML IDE and the Property Specification Interface; the xUML-to-S/R Translator produces the S/R Model and S/R Query for the COSPAN Model Checker; the Error Track from COSPAN feeds the Error Report Generator, whose Error Report the Error Visualizer presents to the Designer.]

Page 19

Verification of Primitive Components

• Given a component and a property:
– Create a closed system from the component and an environment process, env;
– Constrain env with the assumptions of the property;
– Verify the property on the constrained system.

Compositional Reasoning: Step 1

Page 20

Sensor Component

[Diagram of the Sensor component: AIM processes inside the component boundary, with input and output message types crossing the boundary.]

Page 21

Sensor Component (cont.)

Properties:
Repeatedly (Output);
After (Output) Never (Output) UntilAfter (OP_Ack);
After (Done) Eventually (Done_Ack);
Never (Done_Ack) UntilAfter (Done);
After (Done_Ack) Never (Done_Ack) UntilAfter (Done);

Assumptions:
After (Output) Eventually (OP_Ack);
Never (OP_Ack) UntilAfter (Output);
After (OP_Ack) Never (OP_Ack) UntilAfter (Output);
After (Done) Never (Done) UntilAfter (Done_Ack);
Repeatedly (C_Intr);
After (C_Intr) Never (C_Intr + A_Intr + S_Schd) UntilAfter (C_Ret);
After (ADC.Pending) Eventually (A_Intr);
After (A_Intr) Never (C_Intr + A_Intr + S_Schd) UntilAfter (A_Ret);
After (STQ.Empty = FALSE) Eventually (S_Schd);
After (S_Schd) Never (C_Intr + A_Intr + S_Schd) UntilAfter (S_Ret);

Page 22

Verification of Sensor Component

[Diagram: the Sensor Component is closed with an Env process constrained by the Assumptions; the messages exchanged between them include Output / Output_Ack and Done / Done_Ack, among others.]
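As an added example, not from the slides or the authors' tool: a finite-trace reading of the three property templates used on the Sensor slide, together with Step 1's recipe of constraining Env by the assumptions before checking the properties. The finite-trace semantics of After/Never/UntilAfter/Eventually, the constructed traces and the Python names are the editor's assumptions; Repeatedly (...) is an infinite-run template and is left out.

```python
from typing import Callable, List

Trace = List[str]   # an event sequence; all traces here are constructed inline
Check = Callable[[Trace], bool]


def after_eventually(x: str, y: str) -> Check:
    """After (x) Eventually (y): each x is followed, strictly later, by some y."""
    return lambda t: all(y in t[i + 1:] for i, e in enumerate(t) if e == x)


def never_until_after(y: str, z: str) -> Check:
    """Never (y) UntilAfter (z): no y before the first z (or ever, if z never occurs)."""
    return lambda t: y not in (t[:t.index(z)] if z in t else t)


def after_never_until_after(x: str, y: str, z: str) -> Check:
    """After (x) Never (y) UntilAfter (z): once x occurs, no y until a z has occurred.
    The arming x is itself allowed, so x == y means 'no second x before z'."""
    def check(t: Trace) -> bool:
        armed = False
        for e in t:
            if armed and e == y:
                return False
            if e == z:
                armed = False
            if e == x:
                armed = True
        return True
    return check


# The Sensor's handshake properties and the assumptions on its Env (slide 21).
SENSOR_PROPERTIES = {
    "After (Output) Never (Output) UntilAfter (OP_Ack)": after_never_until_after("Output", "Output", "OP_Ack"),
    "After (Done) Eventually (Done_Ack)": after_eventually("Done", "Done_Ack"),
    "Never (Done_Ack) UntilAfter (Done)": never_until_after("Done_Ack", "Done"),
}
ENV_ASSUMPTIONS = {
    "After (Output) Eventually (OP_Ack)": after_eventually("Output", "OP_Ack"),
    "Never (OP_Ack) UntilAfter (Output)": never_until_after("OP_Ack", "Output"),
    "After (OP_Ack) Never (OP_Ack) UntilAfter (Output)": after_never_until_after("OP_Ack", "OP_Ack", "Output"),
    "After (Done) Never (Done) UntilAfter (Done_Ack)": after_never_until_after("Done", "Done", "Done_Ack"),
}
SENSOR_BUG_TRACE = ["Output", "Output", "OP_Ack"]   # constructed: a second Output before its ack


def verify(trace: Trace, properties=SENSOR_PROPERTIES, assumptions=ENV_ASSUMPTIONS):
    """Step 1 on one trace: a trace on which Env breaks an assumption lies outside the
    constrained closed system (None); otherwise return the names of failing properties."""
    if not all(chk(trace) for chk in assumptions.values()):
        return None
    return [name for name, chk in properties.items() if not chk(trace)]
```

verify(SENSOR_BUG_TRACE) blames the Sensor, while a trace in which Env acks twice is discarded rather than charged to the component.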

Page 23

Network Component

Page 24

Network Component (cont.)

Properties:
IfRepeatedly (Data) Repeatedly (RFM.Pending);
IfRepeatedly (Data) Repeatedly (Not RFM.Pending);
After (Data) Eventually (Data_Ack);
Never (Data_Ack) UntilAfter (Data);
After (Data_Ack) Never (Data_Ack) UntilAfter (Data);
After (Sent) Never (Sent) UntilAfter (Sent_Ack);

Assumptions:
After (Data) Never (Data) UntilAfter (Data_Ack);
After (Sent) Eventually (Sent_Ack);
Never (Sent_Ack) UntilAfter (Sent);
After (Sent_Ack) Never (Sent_Ack) UntilAfter (Sent);
After (NTQ.Empty = FALSE) Eventually (N_Schd);
After (N_Schd) Never (N_Schd + R_Intr) UntilAfter (N_Ret);
After (RFM.Pending) Eventually (R_Intr);
After (R_Intr) Never (N_Schd + R_Intr) UntilAfter (R_Ret);

Page 25

Verification of Composed Components

[Diagram of the loop: (1) Abstraction, (2) Verification, (3) Refinement.]

Page 26

Abstraction-Refinement Paradigm

[Diagram: a Component is abstracted by removing details into an Abstraction; the Abstraction is refined by adding details into a Refined Abstraction. Questions posed: What is it? How to create it? How to refine it?]

Page 27

Sensor-to-Network Component

Page 28

Sensor-to-Network Component

Properties:
Repeatedly (RFM.Pending);
Repeatedly (Not RFM.Pending);

Assumptions:
Repeatedly (C_Intr);
After (C_Intr) Never (C_Intr + A_Intr + S_Schd + N_Schd + R_Intr) UntilAfter (C_Ret);
After (ADC.Pending) Eventually (A_Intr);
After (A_Intr) Never (C_Intr + A_Intr + S_Schd + N_Schd + R_Intr) UntilAfter (A_Ret);
After (STQ.Empty = FALSE) Eventually (S_Schd);
After (S_Schd) Never (C_Intr + A_Intr + S_Schd + N_Schd + R_Intr) UntilAfter (S_Ret);
After (NTQ.Empty = FALSE) Eventually (N_Schd);
After (N_Schd) Never (C_Intr + A_Intr + S_Schd + N_Schd + R_Intr) UntilAfter (N_Ret);
After (RFM.Pending) Eventually (R_Intr);
After (R_Intr) Never (C_Intr + A_Intr + S_Schd + N_Schd + R_Intr) UntilAfter (R_Ret);

Page 29

Abstraction

[Diagram: the abstraction consists of the AIM processes SP (Sensor) and NP (Network), each reduced to its Verified Properties, plus Env (Environment), represented by the Assumptions.]

Page 30

Abstraction (cont.)

• A sub-component property is included if it is
– In the cone-of-influence;
– Not involved in invalid circular dependencies;
– Enabled: its environment assumptions hold on
• Other components in the composition;
• Environment of the composition.

Compositional Reasoning: Step 2

Page 31

Verification and Complexity

    Component            Time        Memory
1   Sensor-to-Network    89m15.45s   208.48M
2   Sensor               10m41.01s   33.673M
3   Network              18.0s       6.8239M
4   Abstraction          0.1s        0.1638M

• Check the property of SN on the abstraction.

Compositional Reasoning: Step 3 and Step 1

Page 32

Abstraction Refinement

• An abstraction can be refined by
– (Introducing, verifying, and) enabling additional sub-component properties;

• A property can be enabled by
– enabling its assumptions on other components.

• Currently requires user interaction.

Page 33

Refinement Example

• To check Property P1 on Sensor-to-Network (SN):
P1: SN transmits any sensor reading exactly once.

• Property P2 has been verified on Network:
P2: Network transmits any input exactly once.
Assumption: A new input arrives only after Network acks the last input with a Sent message.

• P2 is not enabled in the composition of SN.

Page 34

Refinement Example (cont.)

• To enable P2, introduce and check Property P3 on Sensor:
P3: Sensor outputs any sensor reading exactly once; after an output, Sensor will not output again until a done message is received.

• A bug was found in Sensor and fixed. P3 was verified on the revised Sensor.

• Inclusion of P2 and P3 into the abstraction leads to verification of P1.
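As an added example, not the authors' code: the property-enablement rule of the Abstraction (cont.) slide and the circular-dependency check motivated on slide 8, applied to a constructed version of the P2/P3 refinement example above. The fact labels, the property names Q1/Q2, and the treatment of every mutual dependency as invalid (a conservative simplification of Step 2) are the editor's assumptions; cone-of-influence filtering is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Property:
    """A packaged component property (p, A(p)); facts are constructed labels."""
    component: str          # component C the property was verified on
    name: str               # label such as "P2"
    guarantees: frozenset   # what p establishes about C for the rest of the system
    assumptions: frozenset  # A(p): what p relies on from C's environment


def enabled_properties(props, env_facts):
    """Least fixpoint over the slide's rule: a property is enabled once every
    assumption in A(p) holds on the environment of the composition (env_facts)
    or is guaranteed by an already enabled property of a different component.
    Support must come from properties enabled earlier, so a mutual dependency
    (slide 8's Eventually (A) / Eventually (B) pair) is never enabled."""
    enabled = set()
    changed = True
    while changed:
        changed = False
        for p in props:
            if p in enabled:
                continue
            provided = set(env_facts)
            for q in enabled:
                if q.component != p.component:
                    provided |= q.guarantees
            if p.assumptions <= provided:
                enabled.add(p)
                changed = True
    return enabled


def enabled_names(props, env_facts):
    return sorted(f"{p.component}.{p.name}" for p in enabled_properties(props, env_facts))


# Constructed instance of the refinement example (labels are the editor's).
ENV = frozenset({"scheduler_interrupts_fair"})   # discharged by SN's own environment
P2 = Property("Network", "P2", frozenset({"transmits_each_input_once"}),
              frozenset({"new_input_only_after_Sent"}))
P3 = Property("Sensor", "P3", frozenset({"new_input_only_after_Sent"}),
              frozenset({"scheduler_interrupts_fair"}))
# Slide 8's circular pair: each liveness property leans on the other.
Q1 = Property("C1", "Eventually_A", frozenset({"eventually_A"}), frozenset({"eventually_B"}))
Q2 = Property("C2", "Eventually_B", frozenset({"eventually_B"}), frozenset({"eventually_A"}))

if __name__ == "__main__":
    print(enabled_names([P2], ENV))       # [] : P2 is not enabled before P3 exists
    print(enabled_names([P2, P3], ENV))   # ['Network.P2', 'Sensor.P3']
    print(enabled_names([Q1, Q2], ENV))   # [] : circular support is rejected
```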

Page 35

Property and Assumption Formulation

• Properties
– Currently manually guided;
– Derived from component specifications;
– Added incrementally in component reuses.

• Assumptions
– Manual formulation
• Often leads to complex assumptions.
– Automatic generation
• Heuristics in progress.


Page 37

Related Work

• Compositional Reachability Analysis (CRA) [Graf and Steffen; Yeh and Young; Cheung and Kramer]
– Compose and minimize the LTS of a software system from the LTSs of its components.

• Modular Feature Verification [Fisler and Krishnamurthi]
– Verification of layered composition of features.

Page 38

Conclusions and Future Work

• An important step towards composition of verified systems from verified components.

• Results are promising:
– Detection of composition errors;
– Significant reduction in verification complexity.

• Future work:
– Automatic property and assumption generation;
– Extended case studies.