
Active Learning of State Machines tutorial Frits Vaandrager - PowerPoint PPT Presentation



  1. Active Learning of State Machines (tutorial). Frits Vaandrager, Radboud University Nijmegen. Dagstuhl, March 2018

  2. Goal: Active Automaton Learning. What state machine governs the behavior of this black box? [Diagram: SUT with reset, input 1, input 2, output 1, output 2]

  3. Why Study Automata Learning? • Fundamental: System Identification • Useful • Often we don’t have models of software components • When we have models we often don’t know whether they are correct

  4. Machine Learning in General

  5. Learning Regular Languages

  6. Minimally Adequate Teacher [Diagram: Learner and Teacher; Membership Queries answered Yes / No; Equivalence Queries answered Yes / No + Counterexample]

  7. Regular Sets and Congruences

  8. Angluin’s L* Algorithm

  9. Black Box Checking (Peled, Vardi & Yannakakis, ‘99). Learner: Formulate hypothesis. Model-Based Testing: Test hypothesis.

  10.

  11. Our Research Method: Tools, Theory, Applications

  12. Application 1: EMV protocol • Inference of EMV protocol • Credit card with EMV chip • EMV = Europay, Mastercard and Visa • Compatibility between smartcards and terminals • EMV-compliance required for

  13. Model of SecureCode app on Dutch banking card. EMV standard has over 700 pages. At most 1500 membership queries, less than 30 minutes.

  14. Different cards, different state machines. Learned models provide unique fingerprints of cards! Specification?

  15. Application 2: E.dentifier2

  16. State Machines for Old and New E.dentifier2

  17. A Theory of Abstractions (Aarts, Jonsson, Uijen & Vaandrager, 2015) [Diagram labels: Learner, Mapper, Teacher; abstract input, concrete input; abstract output, concrete output; small ∑, large ∑; "probably"]

  18. Application 3-5: Protocol Implementations. We found standard violations in implementations of major protocols: • TCP (CAV’16, FMICS’17) • TLS (Usenix Security ‘15) • SSH (Spin’17)

  19. SSH Learning Results

  20. SSH Model Checking Results

  21. Application 6: Power Control Service of Philips • Legacy component • Refactored component • Equivalent?

  22. Our Approach [Flowchart: Legacy Implementation and Refactored Implementation, each with a model learner producing a Model; an equivalence checker; counterexample; decision nodes with Y/N branches; actions "Adapt models", "Adapt implementation(s)", "done"]

  23. Application 7: Engine Status Manager Océ Printer. Goal: learn models of realistic printer controllers. Possible use: regression testing, generation of new implementations, ...

  24. Adaptive Distinguishing Sequences (Lee & Yannakakis, 1994)

  25. Results • Learned model from SUT equivalent to handcrafted model • 114 hypotheses generated • 8.5 hours needed • 29.933.643 membership queries with ≈35 inputs • 30.629.711 validity queries with ≈30 inputs

  26. Theory+Tools: Learning Register Automata. Three approaches: 1. Using adapted Myhill-Nerode (LearnLib, RALib) 2. Using mappers and CEGAR (Tomte) 3. Using NLambda Haskell library for nominal automata

  27. Theory: Learning Timed Mealy Machines (Jonsson & Vaandrager, 2018)

  28. Future Work: Opening the Box. Some possible approaches: 1. Fuzzing 2. Static analysis 3. Tainting

  29. Other Research Challenges • I/O transition systems • Nondeterminism • More complex (operations on) data • Quality of learned models • …

  30. Conclusions • Nice mix of theory and applications • Numerous challenges
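
Added example, not taken from the slides or from the author's tools: the learner/teacher loop of slides 6 and 9 in Python, using an L*-style observation table for Mealy machines. The black box `sut` (a login service that locks after two failed attempts), its input names and the test depth are constructed for illustration; the equivalence query is approximated by testing every input word up to `depth`, and the suffixes of each counterexample become new table columns.

```python
from functools import lru_cache
from itertools import product

INPUTS = ("auth_ok", "auth_bad", "data")

@lru_cache(maxsize=None)                      # cache = each membership query is asked once
def sut(word):
    """Constructed black box, reset before every word: login with lockout after two failures."""
    state, out = "s0", []
    for a in word:
        if state == "locked":
            o = "locked"
        elif state == "authed":
            o = {"auth_ok": "ok", "auth_bad": "fail", "data": "ack"}[a]
        elif a == "auth_ok":
            state, o = "authed", "ok"
        elif a == "auth_bad":
            state, o = ("s1" if state == "s0" else "locked"), "fail"
        else:
            o = "deny"
        out.append(o)
    return tuple(out)

def run(delta, word):
    """Output of a learned Mealy machine (initial state 0) on an input word."""
    q, out = 0, []
    for a in word:
        q, o = delta[(q, a)]
        out.append(o)
    return tuple(out)

def learn(mq, inputs, depth=4):
    S, E = [()], [(a,) for a in inputs]       # access prefixes, distinguishing suffixes
    row = lambda s: tuple(mq(s + e)[len(s):] for e in E)
    while True:
        i = 0
        while i < len(S):                     # close the table
            for a in inputs:
                if row(S[i] + (a,)) not in [row(s) for s in S]:
                    S.append(S[i] + (a,))     # unseen behaviour: a new state
            i += 1
        idx = {row(s): q for q, s in enumerate(S)}
        delta = {(q, a): (idx[row(s + (a,))], mq(s + (a,))[-1])
                 for q, s in enumerate(S) for a in inputs}
        cex = next((w for n in range(1, depth + 1)          # bounded conformance test
                    for w in product(inputs, repeat=n) if run(delta, w) != mq(w)), None)
        if cex is None:
            return delta                      # hypothesis survived every test word
        E += [cex[k:] for k in range(len(cex)) if cex[k:] not in E]
```

The first hypothesis has two states and misses the lockout; the test word `auth_bad, auth_bad, auth_ok` exposes the difference, and the second hypothesis has all four states.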
