modelplex verified runtime monitors and verified test
play

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for - PowerPoint PPT Presentation

Dec 21, 2022 •225 likes •537 views

ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical Systems Stefan Mitsch Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop 2017 May 12, 2017 joint work with Andr e

  1. ModelPlex: Verified Runtime Monitors and Verified Test Oracles for Safety of Cyber-Physical Systems Stefan Mitsch Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop 2017 May 12, 2017 joint work with Andr´ e Platzer Stefan Mitsch—ModelPlex 1 of 9

  2. Formal Verification of Cyber-Physical Systems Analyze the physical effect of software Proof guarantees KeYmaera Control Proof Strategy Hybrid System Model Counterexample Sensors Actuators Monitor correctly checks deviation Discrete computation + continuous physics 6 9 4 0 − 1 t − 3 t 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Stefan Mitsch—ModelPlex 2 of 9

  3. Formal Verification of Cyber-Physical Systems Theorem proving ensures correct model Proof guarantees correct model KeYmaera X Proof Strategy Proof Hybrid System Monitor Model Specification Counterexample Monitor correctly checks deviation of model from reality Safety Proof Never collide Stefan Mitsch—ModelPlex 2 of 9

  4. Formal Verification of Cyber-Physical Systems Runtime monitoring ensures model compliance KeYmaera X Control Proof Monitor Specification Counterexample Sensors Monitor Actuators checks deviation of model from reality Monitor desired effect + safe environment ◮ Runtime: ensure safety and detect anomalies ◮ Testing: generate and analyze test cases Stefan Mitsch—ModelPlex 2 of 9

  5. How to Achieve Safety Guarantees at Runtime? Real CPS safe Proof Reachability Analysis . . . Verification Results Stefan Mitsch—ModelPlex 3 of 9

  6. How to Achieve Safety Guarantees at Runtime? Real CPS safe abstract Model α ∗ Proof Control α ctrl v := v + 1 Reachability safe sense Analysis act . . . Plant α plant x ′ = v Verification Results Stefan Mitsch—ModelPlex 3 of 9

  7. How to Achieve Safety Guarantees at Runtime? Real CPS safe synthesize abstract Model α ∗ Proof Control α ctrl v := v + 1 Reachability safe sense Analysis act . . . Plant α plant x ′ = v Verification Results Stefan Mitsch—ModelPlex 3 of 9

  8. How to Achieve Safety Guarantees at Runtime? Real CPS safe synthesize abstract Model α ∗ Proof v := K p e ( t ) + � t 0 e ( τ ) d τ + K d de Reachability K i dt safe sense Analysis act x ′ ≤ v , v ′ = . . . Te xg xd n − 1 2 C d A ρ v 2 rw Verification Results Stefan Mitsch—ModelPlex 3 of 9

  9. How to Achieve Safety Guarantees at Runtime? Real CPS Challenge safe ◮ Others may not satisfy the model assumptions ◮ Non-verified implementation may have bugs synthesize abstract Model α ∗ � Verification results about models Proof only apply if CPS fits to the model v := K p e ( t ) + � t 0 e ( τ ) d τ + K d de Reachability K i dt safe sense Analysis act x ′ ≤ v , v ′ = . . . Te xg xd n − 1 2 C d A ρ v 2 rw Verification Results Stefan Mitsch—ModelPlex 3 of 9

  10. ModelPlex at Runtime Controller Sensors Actuators Stefan Mitsch—ModelPlex 4 of 9

  11. ModelPlex at Runtime Controller ModelPlex Compliance Fallback Monitor Sensors Actuators Compliance Monitor Checks CPS for compliance with model at runtime Want: Monitor satisfied at runtime → Real state safe ModelPlex Which conditions guarantee safety? Derive monitoring conditions from model by proof Fallback Safe control, executed when monitor is not satisfied Stefan Mitsch—ModelPlex 4 of 9

  12. Principle Behind a ModelPlex Monitor Model p v + v + ˆ check ∋ { v := − v . . . . . . . . . ∪ ? v = 0 } p + p + v p ′ = v ˆ measure measure evolve, e.g., p move p + prior state posterior state Stefan Mitsch—ModelPlex 5 of 9

  13. Principle Behind a ModelPlex Monitor Hard to execute, impossible to check Model p v + v + ˆ check ∋ { v := − v . . . . . . . . . ∪ ? v = 0 } p + p + v p ′ = v ˆ measure measure evolve, e.g., p move p + prior state posterior state Stefan Mitsch—ModelPlex 5 of 9

  14. Principle Behind a ModelPlex Monitor v + , ˆ p + ) Monitor: efficient arithmetic check F ( p , v , ˆ ⇑ derive Hard to execute, impossible to check Model p v + v + ˆ check ∋ { v := − v . . . . . . . . . ∪ ? v = 0 } p + p + v p ′ = v ˆ measure measure evolve, e.g., p move p + prior state posterior state Stefan Mitsch—ModelPlex 5 of 9

  15. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α . . . i − 2 i − 1 i Stefan Mitsch—ModelPlex 6 of 9

  16. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Stefan Mitsch—ModelPlex 6 of 9

  17. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν ( ω, ν ) ∈ ρ ( α ) reachability relation of α Semantical: Stefan Mitsch—ModelPlex 6 of 9

  18. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? a prior state a posterior state ⊆ characterized by x + characterized by x Model α ω ν ( ω, ν ) ∈ ρ ( α ) Semantical: exists a run of α to a � Lemma state where x = x + ? = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): Stefan Mitsch—ModelPlex 6 of 9

  19. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? a prior state a posterior state ⊆ characterized by x + characterized by x Model α ω ν ( ω, ν ) ∈ ρ ( α ) Semantical: exists a run of α to a � Lemma state where x = x + ? = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): � d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: check at runtime (efficient) Stefan Mitsch—ModelPlex 6 of 9

  20. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? a prior state a posterior state ⊆ characterized by x + characterized by x Model α ω ν Offline ( ω, ν ) ∈ ρ ( α ) Semantical: exists a run of α to a � Lemma state where x = x + ? = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: check at runtime (efficient) Stefan Mitsch—ModelPlex 6 of 9

  21. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ (if ( z > 7) y := − y else z ′ = y ) Semantical: � �� � α Stefan Mitsch—ModelPlex 6 of 9

  22. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ (if ( z > 7) y := − y else z ′ = y ) Semantical: � �� � � α = � if ( z > 7) y := − y else z ′ = y � ( y = y + ∧ z = z + ) ( ω, ν ) | Logic (d L ): Stefan Mitsch—ModelPlex 6 of 9

  23. How to Construct Monitor F ( x , x + ) When are two states linked through a run of model α ? ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ (if ( z > 7) y := − y else z ′ = y ) Semantical: � �� � � α = � if ( z > 7) y := − y else z ′ = y � ( y = y + ∧ z = z + ) ( ω, ν ) | Logic (d L ): ⇑ = z > 7 ∧ − y = y + ∨ � z ≤ 7 ∧ z + y ∆ t = z + � Real arithmetic: ( ω, ν ) | Stefan Mitsch—ModelPlex 6 of 9

  24. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α ω ν Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

  25. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α ω ν ν ∈ [ [ S ] ] Safe Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

  26. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α ω ν ω ∈ [ [ A ] ] Init Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: check at runtime (efficient) Stefan Mitsch—ModelPlex 6 of 9

  27. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α d L proof A → [ α ] S ω ν Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

  28. Logical Reductions for Model Safety Transfer Logic reduces CPS safety to runtime monitor with offline proof ⊆ Model α Conclusion ω ν Runtime validation is required to guarantee safety Offline ( ω, ν ) ∈ ρ ( α ) Semantical: � Lemma = � α ( x ) � ( x = x + ) ( ω, ν ) | Logic (d L ): ⇑ d L proof = F ( x , x + ) ( ω, ν ) | Real arithmetic: Stefan Mitsch—ModelPlex 6 of 9

Recommend

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch

ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University RV14, Sept. 24, 2014 Simplex for Hybrid System Models Stefan Mitsch ,

844 views • 50 slides
Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e

Verified Runtime Validation of Verified Cyber-Physical System Models Stefan Mitsch Andr e Platzer Computer Science Department, Carnegie Mellon University CPS V&V I&F Workshop, Dec. 12, 2014 For Details, see ModelPlex paper at

504 views • 27 slides
Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on

Verified Runtime Monitoring: From Foundations to Practice Presenter: Brandon Bohrer 1 , based on works with: Yong Kiam Tan 1 , Stefan Mitsch 1 , Andrew Sogokon 1 , Edward Ahn 1 , David Held 1 , John Dolan 1 , Aman Khurana 1 , Magnus O. Myreen 2 ,

637 views • 44 slides
Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

900 views • 79 slides
Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from

Model-Based Testing: Automated Generation of Test Cases, Test Data, and Test Procedures from SysML Models Jrg Brauer and Jan Peleska Verified Systems International GmbH support@verified.de Space Tech Expo Europe 2015-11-19 Motivation

499 views • 26 slides
Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j

Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j

Differential Refinement Logic Sarah M. Loos and Andr Platzer Computer Science Department Carnegie Mellon University 1 Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j p x k x i

1.97k views • 179 slides
Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus

Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus

From the office of Texas Conference of SDA Human Resources ___________________________________ Verified Volunteers Verified Volunteers New Volunteer Screening Coordinator Irene Lazarus She will be working with every church and

279 views • 5 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models Brandon Bohrer 1 , Yong Kiam Tan 1 , Stefan Mitsch 1 , Magnus O. Myreen 2 , and Andr e Platzer 1 Carnegie Mellon University 1 Chalmers University of Technology 2

672 views • 44 slides
What sets Verified Users apart? Insights, Analysis and Prediction of Verified Users on Twitter

What sets Verified Users apart? Insights, Analysis and Prediction of Verified Users on Twitter

What sets Verified Users apart? Insights, Analysis and Prediction of Verified Users on Twitter Indraneil Paul (IIIT Hyderabad), Abhinav Khattar (IIIT Delhi), Shaan Chopra (IIIT Delhi), Ponnurangam Kumaraguru (IIIT Delhi), Manish Gupta

731 views • 39 slides
Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2

Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2

Verified Firewall Policy Transformations for Test Case Generation Achim D. Brucker 1 ugger 2 Lukas Br Paul Kearney 3 Burkhart Wolff 4 1 SAP Research, Germany 2 Information Security, ETH Z urich, Switzerland 3 Security Futures Practice, BT

629 views • 29 slides
Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016 Introducing Verified Boot and Related Issues Introducing Verified Boot and Related Issues Bootup Process BIOS History

947 views • 39 slides
What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo

What Use Is Verified Software? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I What Use Is Verified Software? 1 Software and Systems The world at large cares little for verified

734 views • 14 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft

How to get an efficient yet verified arbitrary-precision integer library Raphal Rieu-Helft (joint work with Guillaume Melquiond and Claude March) TrustInSoft Inria 1 / 20 Context, motivation, goals goal: efficient and formally verified

508 views • 22 slides
VGM Verified Gross Mass Presentation to: Road map to VGM Readiness workshop Presentation

VGM Verified Gross Mass Presentation to: Road map to VGM Readiness workshop Presentation

VGM Verified Gross Mass Presentation to: Road map to VGM Readiness workshop Presentation by: Klaus Hollaender Unifeeder corporate presentation 25/04/2016 1 VGM Verified Gross Mass Initially started project 1 st December, 2015.

357 views • 10 slides
Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1. CEDRIC-ENSIIE, Evry, France 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway Dagstuhl Seminar 15381 1 / 23 Formally verified

501 views • 28 slides
A Brief Comparison: some experimentally verified Generalize the key constraints and

A Brief Comparison: some experimentally verified Generalize the key constraints and

MN1 T. Metodiev D. Copsey F.T. Chong I.L. Chuang M. Oskin J. Kubiatowicz Motivation Many Proposed Technologies All work toward the same goal A Brief Comparison: some experimentally verified Generalize the key

361 views • 5 slides
Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics,

Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics,

Introduction Unsatisfiability proof formats for SAT Verified efficient checking of clausal proofs Verified Efficient Clausal Proof Checking for SAT Filip Mari c, Faculty of Mathematics, Belgrade (joint work with Florian Haftmann, TU Munich)

516 views • 26 slides
CFSCQ: Extending a verified file system with concurrency Tej Chajed advised by Frans Kaashoek

CFSCQ: Extending a verified file system with concurrency Tej Chajed advised by Frans Kaashoek

SRC #14 CFSCQ: Extending a verified file system with concurrency Tej Chajed advised by Frans Kaashoek and Nickolai Zeldovich 1 Goal: verify a concurrent file system Existing verified file systems are sequential e.g. , FSCQ,

404 views • 12 slides
Verified Cruise Control on RC Vehicle Shashank Ojha and Yufei Wang 1/17 Objective Implement a

Verified Cruise Control on RC Vehicle Shashank Ojha and Yufei Wang 1/17 Objective Implement a

Verified Cruise Control on RC Vehicle Shashank Ojha and Yufei Wang 1/17 Objective Implement a verified model (static POV system) on real hardware Fill the gap between theory & practice 2/17 Motivation Cruise Control system is

209 views • 17 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides

More recommend