model checking game
play

Model Checking Game System Model Reqs + Init States - PDF document

Automatic Verification of Embedded Automatic Verification of Embedded Systems Systems Enrico Tronci Dipartimento di Informatica Universit di Roma La Sapienza WIRTES 2007 Pisa, Italy July 2, 2007 Enrico Tronci 1 WIRTES 2007


  1. Automatic Verification of Embedded Automatic Verification of Embedded Systems Systems Enrico Tronci Dipartimento di Informatica – Università di Roma “La Sapienza” WIRTES 2007 Pisa, Italy – July 2, 2007 Enrico Tronci 1 WIRTES 2007 Model Checking Game System Model Reqs + Init States (undesired/desired states) Param. Ranges + Disturbances Model Checker Yes I.e. no sequence of Counterexample events (states) can I.e. sequence of possibly lead to an events (states) undesired state. leading to undesired state. Enrico Tronci 2 WIRTES 2007 1

  2. Model Checking Flavors Hardware Symbolic (OBDD) based model checking or SAT based Bounded Model Checking. Examples: SMV, VIS Protocols Explicit Model Checking. Examples: SPIN, Murphi Software Explicit Model Checking, Bounded Model Checking Examples: SPIN, CBMC Hybrid Systems, Embedded Systems Linear Hybrid Automata, Timed Automata, Symbolic Model Checking, Explicit Model Checking, Bounded Model Checking. Examples: Hytech, UPPAAL, SMV, CMurphi, HSMV Stochastic Systems Symbolic Model Checking, Explicit Model Checking. Examples: PRISM, FHP-Murphi Enrico Tronci 3 WIRTES 2007 Our Focus Protocol Verification, Hybrid Systems We designed Cache based and Disk based explicit verification algorithms. We implemented our algorithms inside the Murphi Verifier. The resulting model checker is named CMurphi (for Caching Murphi). CMurphi turns out to be quite effective for protocols and hybrid systems verification. Stochastic Hybrid Systems We designed and implemented a disk based Finite Horizon Probabilistic model checker (FHP-Murphi) for Discrete Time Markov Chains . FHP-Murphi turns out to be quite effective for stochastic hybrid systems verification. Hybrid Systems, Embedded Systems We designed and implemented a SAT based bounded model checker (HSMV) for Discrete Time Piecewise Affine Hybrid Systems . HSMV can handle systems out of reach for others state-of-the-art model checkers for hybrid systems. Automatic Synthesis of Controllers and Supervisory Controllers We designed and implemented symbolic (OBDD) as well as explicit algorithms for automatic synthesis (source code generation) of controllers and supervisory controllers starting from closed loop specifications. Enrico Tronci 4 WIRTES 2007 2

  3. Example Automatic Verification of a Turbogas Control System Our goal is to verifiy the control system for a 2MW Co-generative Power Plant (ICARO). Verification consists in checking that the system under normal working conditions never reaches an undesired state . An undesired state is one in which the turbine rotation speed or the exhaust smokes temperature or the compressor pressure are out of range. Because of size and dynamics the system at hand cannot be handled using Hytech or UPPAAL. We succeded in modeling and verifying it using CMurphi extended with finite precision real numbers. Enrico Tronci 5 WIRTES 2007 Gas Turbine System Disturbances: electric users, param. var, etc Settings Fuel Valve Opening FG102 Gas Turbine Controller (Turbogas) Vrot, Texh, Pel, Pmc Vrot: Turbine Rotation speed Texh: Exhaust smokes Temperature Pel: Generated Electric Power Pmc: Compressor Pressure Enrico Tronci 6 WIRTES 2007 3

  4. Controller Vrot: Turbine Rotation speed Texh: Exhaust smokes Temperature Vrot Pel: Generated Electric Power Pmc: Compressor Pressure N1Gov Offset Pel 12MW PowLim ADJ MIN Limiter Winner ExTLim Texh Valve FG102 Pmc Opening Command Enrico Tronci 7 WIRTES 2007 Cell i Kp Cell Output + 10MW S X + - -10MW SAT - Ki B P 1/s X SAT A A B >0? Reset at u + 4kW Winner AND u = min( name Winner != i? output N1Gov, output PowLim, output ExTLim) Enrico Tronci 8 WIRTES 2007 4

  5. Power Limiter (PowLim) Electric Power Controller Pel Setpoint (+2MW) Output S PowLim Cell Pel i = “Power Limiter” P A = 3000kW Winner B = 10Mw Vrot: Turbine Rotation speed Texh: Exhaust smokes Temperature Pel: Generated Electric Power Pmc: Compressor Pressure Enrico Tronci 9 WIRTES 2007 N1 Governor (N1Gov) Turbine Rotation Speed Controller Vrot: Turbine Rotation speed Texh: Exhaust smokes Temperature Pel: Generated Electric Power Accelleration Pmc: Compressor Pressure 105% 1/s Deceleration Output network N1 Governor 6% + Pel X - S Cell i = “N1 Governor” isle Kdr P A = 0 Vrot B = 10MW Winner Enrico Tronci 10 WIRTES 2007 5

  6. Exhaust Temperature Limiter (ExTLim) Exhaust Smoke Temperature Controller Texh Cell P Pmc i = “Exhaust Temperature Limiter” + S A = 0 B = 10MW Offset Winner Output Vrot: Turbine Rotation speed Exhaust Texh: Exhaust smokes Temperature Temperature Pel: Generated Electric Power Limiter Pmc: Compressor Pressure Enrico Tronci 11 WIRTES 2007 Gas Turbine Disturbances: el. users, par. var, etc. Texh FG102 Vrot Gas Turbine Pel Vrot: Turbine Rotation speed Texh: Exhaust smokes Temperature Pel: Generated Electric Power Pmc: Compressor Pressure Enrico Tronci 12 WIRTES 2007 6

  7. Gas Turbine (as seen from Controller) Generated Electric Power: P(t + 1) = P(t) + (a 1 (P(t) – P 0 ) + a 2 FG102(t) – a 3 u(t))T Smokes Temperature: T f (t + 1) = T f (t) + (b 1 (P(t) – P 0 ) + b 2 FG102(t) – b 3 u(t))T Turbine Rotation Speed: V(t + 1) = V(t) + (c 1 (P(t) – P 0 ) + c 2 FG102(t) – c 3 u(t))T User demand u(t + 1) = u(t) + MAX_D_U *u d (t)*T MAX_D_U = Max variation speed (time derivative) of user el. demand u d (t) = -1, 0, 1 (uncontrolled load disturbance) Coefficients a , b , c computed by fitting with plant log data. Enrico Tronci 13 WIRTES 2007 Experimental Results MAX_D_U Reachabl Rules Diameter CPU Result e States Fired (sec) (KW/sec) 1000 2,246,328 6,738,984 12904 16988.18 PASS 1750 7,492,389 22,477,16 7423 54012.18 PASS 7 2500 1,739,719 5,186,047 1533 12548.25 FAIL 5000 36,801 109,015 804 271.77 FAIL Results on a INTEL Pentium 4, 2GHz Linux PC with 512 MB RAM. Murphi options: -b, -c, --cache, -m350 Enrico Tronci 14 WIRTES 2007 7

  8. Fail trace: MAX_D_U = 2500 KW/sec 10 ms time step (100 Hz sampling frequency) Electric user demand (KW) Rotation speed (percentage of max = 22500 rpm) Allowed range for rotation speed: 40-120 Enrico Tronci 15 WIRTES 2007 Fail trace: MAX_D_U = 5000 Kw/sec 10 ms time step (100 Hz sampling frequency) Electric user demand (KW) Rotation speed (percentage of max = 22500 rpm) Allowed range for rotation speed: 40-120 Enrico Tronci 16 WIRTES 2007 8

  9. User Demand Distribution Let u(t) be the user demand at time t. We can define the (stochastic) dynamics of the user demand as follows: min(u(t) + a, M) with probability p(u(t), 1) u(t + 1) = u(t) with probability p(u(t), 0) max(u(t) - a, 0) with probability p(u(t), -1) Where: M = max user demand (MAX_U), a = speed of variation of user demand (MAX_D_U) 0.4 + b*(v – M)*|v – M| /M 2 when i = 1 p(v, i) = 0.2 when i = 0 0.4 + b*(M - v)*|M - v| /M 2 when i = -1 -0.4 <= b <= 0.4 The further u(t) from u 0 (nominal user demand) the higher u(t) probability to return towards u 0 . That is to decrease when u(t) > u 0 , to increase when u(t) < u 0 . Enrico Tronci 17 WIRTES 2007 Finite Horizon Markov Chain Analysis … of our turbogas MAX_D_U Visited Rules Horizon CPU time (s) Probability of States violating spec (KW/sec) Fired 2500 3,018,970 8,971,83 1600 68562 7.373292e-05 9 3500 2,226,036 6,602,76 1400 50263 1.076644e-04 3 4500 1,834,684 5,439,32 1300 41403 9.957147e-05 7 5000 83,189 246,285 900 2212 3.984375e-03 Enrico Tronci 18 WIRTES 2007 9

  10. Example Covert Channel Analysis In Real Time Systems a Covert Channel may arise from ack’s of communication channels. This covert channel cannot be eliminated, however its band can be kept small. We show how using FHP-Murphi it is possible to carry out a fine grain analysis of covert channel capacity for the well known NRL pump. Enrico Tronci 19 WIRTES 2007 Example Low System High System (e.g. public info) (e.g. private info) NRL PUMP Statistically modulated ACK ACK Buffer LS HS Data Data The NRL Pump is a special purpose-device that forwards data from a low (security) level system LS to a high (security) level system HS, but not conversely. Idea: LS ACK delay is probabilistically based on a moving average of HS ACK delays. NRL Pump (Probabilistic) Properties: LS HS Minimize information flow from HS to Ready to send Ready to receive LS. Read Data Got ACK Send Data Send ACK Enforce reasonable performances, i.e.: <average ACK delay as seen from LS> Waiting ACK Done = <average HS ACK delay> Enrico Tronci 20 WIRTES 2007 10

  11. Covert Channel Experimental Results (1) Pdec(h): probability of making a decision within h time units. Pwrong(h): probability of making the wrong decision within h time units We can compute the probability of making the right decision within h time units as: Pright(h) = Pdec(h)(1 - Pwrong(h)). Of course we want Pright(h) to be small. We studied the previous probabilities for various settings of our model parameters. BUFFER SIZE 3 5 WINDOW SIZE 3 5 OBS WINDOW SIZE 3 5 About 2 days of computation for each setting on a 2GHz Intel Pentium PC with Linux OS and 512MB of RAM). Enrico Tronci 21 WIRTES 2007 Covert Channel Exp: Pdec, Pwrong as a function of the number of steps h Enrico Tronci 22 WIRTES 2007 11

Recommend


More recommend