PhD Open, Warsaw, April/May 2013
Probabilistic Model Checking, Lecture 1
Prof. Marta Kwiatkowska, Department of Computer Science, University of Oxford
Probabilistic model checking
• Probabilistic model checking…
  − is a formal verification technique for modelling and analysing systems that exhibit probabilistic behaviour
• Formal verification…
  − is the application of rigorous, mathematics-based techniques to establish the correctness of computerised systems
Verification via model checking
[Figure: the system is abstracted into a finite-state model, and its requirements are formalised as a temporal logic specification (e.g. ¬EF fail); a model checker (e.g. SMV, Spin) takes both as input and returns either a result or a counterexample (error trace).]
Model checking in practice
• Model checking now routinely applied to real-life systems
  − not just “verification”…
  − model checkers used as a debugging tool
  − at IBM, bugs detected in an arbiter that could not be found with simulations
• Now widely accepted in industrial practice
  − Microsoft, Intel, Cadence, Bell Labs, IBM, …
• Many software tools, both commercial and academic
  − SMV, SPIN, SLAM, FDR2, FormalCheck, RuleBase, …
  − software, hardware, protocols, …
• Extremely active research area
  − 2007 Turing Award (presented in 2008) won by Edmund Clarke, Allen Emerson and Joseph Sifakis for their work on model checking
New challenges for verification
• Many properties other than correctness are important
• Need to guarantee…
  − safety, reliability, performance, dependability
  − resource usage, e.g. battery life
  − security, privacy, trust, anonymity, fairness
  − and much more…
• Quantitative, as well as qualitative requirements:
  − “how reliable is my car’s Bluetooth network?”
  − “how efficient is my phone’s power management policy?”
  − “how secure is my bank’s web-service?”
• This course: probabilistic verification
Why probability?
• Some systems are inherently probabilistic…
• Randomisation, e.g. in distributed coordination algorithms
  − as a symmetry breaker, in gossip routing to reduce flooding
• Examples: real-world protocols featuring randomisation
  − Randomised back-off schemes
    • IEEE 802.3 CSMA/CD, IEEE 802.11 Wireless LAN
  − Random choice of waiting time
    • IEEE 1394 FireWire (root contention), Bluetooth (device discovery)
  − Random choice over a set of possible addresses
    • IPv4 Zeroconf dynamic configuration (link-local addressing)
  − Randomised algorithms for anonymity, contract signing, …
• Modelling uncertainty and performance
  − to quantify rate of failures, express Quality of Service
• For quantitative analysis of software and systems
  − to quantify resource usage given a policy, e.g. “the minimum expected battery capacity for a scenario…”
• And many others, e.g. biological processes
Probabilistic model checking
[Figure: the system is abstracted into a probabilistic model (e.g. a Markov chain, with transition probabilities such as 0.4, 0.5, 0.1), and its requirements are formalised as a probabilistic temporal logic specification (e.g. PCTL, CSL, LTL), for instance P<0.1 [ F fail ]; a probabilistic model checker (e.g. PRISM) takes both as input and returns a result (quantitative results) or a counterexample.]
FireWire: analysis results
[Figure: plot of the “maximum expected time to elect a leader” (short wire length). Using a biased coin is beneficial!]
Probabilistic model checking inputs
• Models: variants of Markov chains
  − discrete-time Markov chains (DTMCs)
    • discrete time, discrete probabilistic behaviours only
  − Markov decision processes (MDPs)
    • DTMCs, plus nondeterminism
  − (and more)
• Specifications
  − informally:
    • “probability of delivery within time deadline is …”
    • “expected time until message delivery is …”
    • “expected power consumption is …”
  − formally:
    • probabilistic temporal logics (PCTL, LTL, PCTL*, …)
    • e.g. P<0.05 [ F err/total>0.1 ], P=? [ F≤t reply_count=k ]
Probabilistic model checking involves…
• Construction of models
  − from a description in a high-level modelling language
• Probabilistic model checking algorithms
  − graph-theoretical algorithms
    • e.g. for reachability, identifying strongly connected components
  − numerical computation
    • linear equation systems, linear optimisation problems
    • iterative methods, direct methods
    • uniformisation, shortest path problems
  − automata for regular languages
  − also sampling-based (statistical) for approximate analysis
    • e.g. hypothesis testing based on simulation runs
Probabilistic model checking involves…
• Efficient implementation techniques
  − essential for scalability to real-life systems
  − symbolic data structures based on binary decision diagrams
  − algorithms for bisimulation minimisation, symmetry reduction
• Tool support
  − PRISM: free, open-source probabilistic model checker
  − developed at Oxford and Birmingham Universities
  − supports several probabilistic models
Course information
• Lecture slides are self-contained
  − subset of a course co-developed with Dave Parker and Gethin Norman, taught at Oxford
• For further reading material…
  − two online tutorial papers also cover a lot of the material
    • Stochastic Model Checking, Marta Kwiatkowska, Gethin Norman and David Parker
    • Automated Verification Techniques for Probabilistic Systems, Vojtěch Forejt, Marta Kwiatkowska, Gethin Norman, David Parker
  − course material also based on Chapter 10 of: Principles of Model Checking, Christel Baier and Joost-Pieter Katoen, MIT Press
  − PRISM web site: http://www.prismmodelchecker.org/
Overview of Lecture 1
• Probability basics
• Discrete-time Markov chains (DTMCs)
  − definition, properties, examples
• Formalising path-based properties of DTMCs
  − probability space over infinite paths
• Probabilistic reachability
  − definition, computation
• Transient state probabilities
• Long-run / steady-state probabilities
• Qualitative properties
  − repeated reachability
  − persistence
• Sources/further reading: Section 10.1 of [BK08]
Probability basics
• First, need an experiment
  − The sample space Ω is the set of possible outcomes
  − An event is a subset of Ω; events can be combined as A ∩ B, A ∪ B, Ω ∖ A
• Examples:
  − toss a coin: Ω = {H,T}, events: “H”, “T”
  − toss two coins: Ω = {(H,H),(H,T),(T,H),(T,T)}, event: “at least one H”
  − toss a coin infinitely often: Ω is the set of infinite sequences of H/T, event: “H in the first 3 throws”
• Probability is:
  − Pr(“H”) = Pr(“T”) = 1/2, Pr(“at least one H”) = 3/4
  − Pr(“H in the first 3 throws”) = 1/2 + 1/4 + 1/8 = 7/8
Probability example
• Modelling a 6-sided die using a fair coin
  − algorithm due to Knuth/Yao:
  − start at 0, toss a coin
  − upper branch when H
  − lower branch when T
  − repeat until value chosen
  [Figure: the coin-toss graph, rooted at state 0, with probability 0.5 on every branch; its leaves are the die values 1 to 6, and some branches loop back to earlier states.]
• Is this algorithm correct?
  − e.g. probability of obtaining a 4?
  − obtain as disjoint union of events
  − THH, TTTHH, TTTTTHH, …
  − Pr(“eventually 4”) = (1/2)³ + (1/2)⁵ + (1/2)⁷ + … = 1/6
Example…
[Figure: the same coin-toss graph with its internal states named s0 to s6 and the die values 1 to 6 as absorbing states (self-loop with probability 1).]
• Other properties?
  − “what is the probability of termination?”
• e.g. efficiency?
  − “what is the probability of needing more than 4 coin tosses?”
  − “on average, how many coin tosses are needed?”
• Probabilistic model checking provides a framework for these kinds of properties…
  − modelling languages
  − property specification languages
  − model checking algorithms, techniques and tools
Discrete-time Markov chains
• State-transition systems augmented with probabilities
• States
  − set of states representing possible configurations of the system being modelled
• Transitions
  − transitions between states model evolution of the system’s state; occur in discrete time-steps
• Probabilities
  − probabilities of making transitions between states are given by discrete probability distributions
[Figure: a four-state DTMC: s0 → s1 with probability 1; from s1 (labelled {try}) to s1 with 0.01, to s2 (labelled {fail}) with 0.01 and to s3 (labelled {succ}) with 0.98; s2 → s0 with probability 1; s3 → s3 with probability 1.]
Simple DTMC example
• Modelling a very simple communication protocol
  − after one step, process starts trying to send a message
  − with probability 0.01, channel unready so wait a step
  − with probability 0.98, send message successfully and stop
  − with probability 0.01, message sending fails, restart
[Figure: the DTMC of this protocol: s0 → s1 (probability 1); s1 {try} → s1 (0.01), → s2 {fail} (0.01), → s3 {succ} (0.98); s2 → s0 (1); s3 → s3 (1).]
Discrete-time Markov chains
• Formally, a DTMC D is a tuple (S, s_init, P, L) where:
  − S is a set of states (“state space”)
  − s_init ∈ S is the initial state
  − P : S × S → [0,1] is the transition probability matrix, where Σ_{s'∈S} P(s,s') = 1 for all s ∈ S
  − L : S → 2^AP is a function labelling states with atomic propositions (taken from a set AP)
[Figure: the four-state DTMC of the communication protocol again: s0 → s1 (1); s1 {try} → s1 (0.01), → s2 {fail} (0.01), → s3 {succ} (0.98); s2 → s0 (1); s3 → s3 (1).]
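The following Python example is added here as an illustration; it is not code from the lecture and not PRISM's implementation. It represents the tuple (S, s_init, P, L) defined on this slide, checks that P is stochastic, and then does what a probabilistic model checker does for reachability: a graph-theoretic precomputation (which states can reach the target at all) followed by solving a linear equation system, here in exact rational arithmetic. It is used to answer the questions of slides 16 and 17 for the Knuth/Yao die (is every value obtained with probability 1/6, does the algorithm terminate, how many tosses are expected, how likely are more than 4 tosses) and to decide the specification P<0.1 [ F fail ] of slide 8 on the communication protocol of slides 18 to 20. The state names s0 to s6 and d1 to d6, the branch labelling (first listed successor on H, second on T, chosen so that THH yields 4 as on slide 16), and the atomic propositions "done" and "value1" to "value6" are assumptions made for this example.

```python
from fractions import Fraction

def solve_exact(A, b):
    """Solve A x = b by Gaussian elimination over Fractions (A square, nonsingular)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

class DTMC:
    """D = (S, s_init, P, L) as on slide 20; P[s][t] = P(s,t), only non-zero entries listed."""
    def __init__(self, P, s_init, L):
        # Fraction(str(p)) reads the decimal written in the model (0.01) as exactly 1/100.
        self.P = {s: {t: Fraction(str(p)) for t, p in succ.items()} for s, succ in P.items()}
        self.S = list(self.P)
        self.s_init = s_init
        self.L = {s: set(L.get(s, ())) for s in self.S}
        for s in self.S:  # P must be stochastic: every row is a distribution over S
            if sum(self.P[s].values()) != 1 or any(t not in self.P for t in self.P[s]):
                raise ValueError(f"row {s} of P is not a probability distribution over S")

    def sat(self, ap):  # states labelled with atomic proposition ap
        return {s for s in self.S if ap in self.L[s]}

    def _solve(self, unknown, const):
        """Solve x_s = const(s) + sum_{t in unknown} P(s,t) x_t for every s in unknown."""
        idx = {s: i for i, s in enumerate(unknown)}
        A = [[Fraction(0)] * len(unknown) for _ in unknown]
        for s in unknown:
            A[idx[s]][idx[s]] += 1
            for t, p in self.P[s].items():
                if t in idx:
                    A[idx[s]][idx[t]] -= p
        x = solve_exact(A, [const(s) for s in unknown]) if unknown else []
        return {s: x[idx[s]] for s in unknown}

    def reach_prob(self, target):
        """Pr(F target) per state: 0 where target is unreachable (graph search), else linear system."""
        pred = {s: set() for s in self.S}
        for s in self.S:
            for t in self.P[s]:
                pred[t].add(s)
        can_reach, todo = set(target), list(target)
        while todo:  # backward search: which states have a path into target?
            for s in pred[todo.pop()]:
                if s not in can_reach:
                    can_reach.add(s)
                    todo.append(s)
        x = self._solve([s for s in can_reach if s not in target],
                        lambda s: sum((p for t, p in self.P[s].items() if t in target), Fraction(0)))
        return {s: Fraction(1) if s in target else x.get(s, Fraction(0)) for s in self.S}

    def bounded_reach_prob(self, target, k):
        """Pr(F<=k target): probability of reaching target within k transitions."""
        x = {s: Fraction(int(s in target)) for s in self.S}
        for _ in range(k):
            x = {s: Fraction(1) if s in target
                 else sum((p * x[t] for t, p in self.P[s].items()), Fraction(0)) for s in self.S}
        return x

    def expected_steps(self, target):
        """Expected transitions until target; finite only if target is reached with probability 1."""
        if any(v != 1 for v in self.reach_prob(target).values()):
            raise ValueError("target not reached with probability 1: expectation is infinite")
        x = self._solve([s for s in self.S if s not in target], lambda s: Fraction(1))
        return {s: x.get(s, Fraction(0)) for s in self.S}

# Knuth/Yao die (slides 16-17). Assumed labelling: first successor on H, second on T, so THH gives 4.
DIE = DTMC(
    P={"s0": {"s1": 0.5, "s2": 0.5}, "s1": {"s3": 0.5, "s4": 0.5}, "s2": {"s5": 0.5, "s6": 0.5},
       "s3": {"d1": 0.5, "s1": 0.5}, "s4": {"d2": 0.5, "d3": 0.5}, "s5": {"d4": 0.5, "d5": 0.5},
       "s6": {"d6": 0.5, "s2": 0.5}, **{f"d{i}": {f"d{i}": 1} for i in range(1, 7)}},
    s_init="s0", L={f"d{i}": {"done", f"value{i}"} for i in range(1, 7)})

# Communication protocol (slides 18-20): s1 is labelled try, s2 fail, s3 succ.
PROTOCOL = DTMC(
    P={"s0": {"s1": 1}, "s1": {"s1": 0.01, "s2": 0.01, "s3": 0.98}, "s2": {"s0": 1}, "s3": {"s3": 1}},
    s_init="s0", L={"s1": {"try"}, "s2": {"fail"}, "s3": {"succ"}})

def analyse():
    """The questions of slides 16-17 and the check of P<0.1 [ F fail ] from slide 8, all exact."""
    done, fail = DIE.sat("done"), PROTOCOL.sat("fail")
    return {
        "die_value_probs": {i: DIE.reach_prob(DIE.sat(f"value{i}"))["s0"] for i in range(1, 7)},
        "die_terminates": DIE.reach_prob(done)["s0"],                         # Pr(F done)
        "die_expected_tosses": DIE.expected_steps(done)["s0"],
        "die_more_than_4_tosses": 1 - DIE.bounded_reach_prob(done, 4)["s0"],  # 1 - Pr(F<=4 done)
        "protocol_fail_prob": PROTOCOL.reach_prob(fail)["s0"],               # Pr(F fail) from s_init
        "protocol_spec_holds": PROTOCOL.reach_prob(fail)["s0"] < Fraction("0.1"),
    }
```

Calling analyse() gives 1/6 for every die value (so the Knuth/Yao algorithm is correct), termination probability 1, an expected 11/3 coin tosses, probability 1/4 of needing more than 4 tosses, and Pr(F fail) = 1/99 for the protocol, so P<0.1 [ F fail ] holds. The backward search before the linear system is the graph-theoretic step of slide 11: it is what makes the equations for the remaining states have a unique solution (the protocol's absorbing state s3 would otherwise be an unconstrained unknown). Exact fractions are fine for toy chains; a tool like PRISM uses iterative floating-point methods instead, and there the convergence criterion, not the model, decides how many digits of the answer can be trusted.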