
Validation of Critical Systems with Rewriting Logic in Maude. Christiano Braga, Instituto de Computação, Universidade Federal Fluminense (slide deck).



  1. 2nd School of Theoretical Computer Science and Formal Methods. Validation of Critical Systems with Rewriting Logic in Maude. Christiano Braga, Instituto de Computação, Universidade Federal Fluminense.

  2. (Title slide repeated over a figure: the labelled transition system of the mutual exclusion protocol, states $s_0$ to $s_7$ with transition labels $n_1, n_2, t_1, t_2, c_1, c_2$.)

  3. Do you know… ❖ that shared resources should be properly managed? ❖ how to convert from English units to the metric system? ❖ that coercing a 64-bit number into a 16-bit one implies loss of information? ❖ that static typing helps in the composition of software components? ❖ that one should be thorough and precise in the early stages of software development? ❖ that commands (in any formal language) should be well-formed? ❖ that security is an essential aspect of networked software components? ❖ that the functions a software implements should remain functions after 100 hours of system execution? ❖ that division is a partial function? ❖ that we should specify our algorithms before implementing them? ❖ that we should specify our processes before implementing them? (C. Braga, Validation of Critical Systems)

  4. Did you know… ❖ Therac-25 software: overdoses of radiation because of a race condition, several deaths between 1985 and 1987? ❖ Mars Climate Orbiter: crashed, unit conversion error, $125M? ❖ Ariane 5 Flight 501: exploded, coercion error, $8B? ❖ UK's EDS Child Support System: component incompatibility, $1B? ❖ Heathrow Terminal 5 luggage system: system shutdown, over 500 flights canceled? ❖ Mariner 1 Spacecraft: self-destructed, ill-formed command, $18B? ❖ Morris Worm: coding error, crashed thousands of computers, $100M? ❖ U.S. Patriot missile defense system: failed, 28 soldiers killed? ❖ Pentium FDIV bug: cost Intel $475M? ❖ Knight's stock trading algorithms: erratic trades, $440M in 30 min.? ❖ NOAA-19 Satellite: poor manhandling, $135M?

  5. Some basic questions… ❖ How to specify a component? ❖ How to specify the properties a component should have? ❖ How to make sure that a component has the desired properties?

  6. How to specify a component? ❖ Theory of computation to the rescue: automata theory! A labelled transition system $L = (Q, \delta, L)$; a finite automaton $A = (\Sigma, Q, \delta, q_0, F)$. ❖ Example: a mutual exclusion protocol. (Figure: the LTS of the protocol, states $s_0$ to $s_7$ with transition labels $n_1, n_2, t_1, t_2, c_1, c_2$.)

  7. How to specify the properties a component should have? ❖ Logic to the rescue: logics of change! ❖ Example: temporal logic. Safety properties specify that “nothing bad” ever happens. Liveness properties are such that “something good” happens from time to time. Safety: $G\,\neg(c_1 \wedge c_2)$. Liveness: $G\,(t_1 \rightarrow F\,c_1)$.

  8. How to specify the properties a component should have? ❖ Logic to the rescue: logics of change! ❖ Example: temporal logic. $G$ means “always” and $F$ denotes “eventually”. Formulae are interpreted on Kripke structures, which are essentially graphs, and so are LTS! An LTS is $L = (Q, \delta, L)$; a Kripke structure is $K = (W, R)$. Safety: $G\,\neg(c_1 \wedge c_2)$. Liveness: $G\,(t_1 \rightarrow F\,c_1)$.

  9. How to make sure that a component has the desired properties? ❖ Logic to the rescue: model checking! ❖ Automatically, by the way! Is formula $\varphi$ satisfied in model $M$ starting at state $s_0$, written $M, s_0 \models \varphi$? For the example: $M, s_0 \models \mathit{Liveness}$, where $\mathit{Liveness} = G\,(t_1 \rightarrow F\,c_1)$.

  10. How to make sure that a component has the desired properties? ❖ If a property does not hold, a counter-example is produced.

  11. How to make sure that a component has the desired properties? Liveness fails… (Figure: the LTS of the protocol, states $s_0$ to $s_7$, labels $n_1, n_2, t_1, t_2, c_1, c_2$.)

  12. How to make sure that a component has the desired properties? Fixing liveness. (Figure: the repaired LTS, now with states $s_0$ to $s_8$, labels $n_1, n_2, t_1, t_2, c_1, c_2$.)

  13. Some logics of change ❖ The structure (or “data type”) in which theories are interpreted (a.k.a. Kripke structure) is essentially a state-transition system, a general form of automata. ❖ Modal logics, of which temporal logics form a subclass. ❖ Substructural logics, where different ways of organizing formulae give rise to different logics. ❖ Rewriting logic, a computational logic that may represent different logical and semantic frameworks.

  14. What is Rewriting Logic? ❖ A logic to reason on concurrent systems. ❖ The state of a system is denoted by a term in a suitable rewrite theory. ❖ Computations are deductions in the given rewrite theory.

  15. RWL rules of deduction, graphically ❖ Reflexivity: $t \rightarrow t$. ❖ Transitivity: from $t_1 \rightarrow t_2$ and $t_2 \rightarrow t_3$ conclude $t_1 \rightarrow t_3$.

  16. RWL rules of deduction, graphically ❖ Equality: from $u \rightarrow v$, $u = u'$ and $v = v'$ conclude $u' \rightarrow v'$.

  17. RWL rules of deduction, graphically ❖ Congruence: from $t_1 \rightarrow t'_1$, $t_2 \rightarrow t'_2$, $t_3 \rightarrow t'_3$ and $t_4 \rightarrow t'_4$ conclude $f(t_1, t_2, t_3, t_4) \rightarrow f(t'_1, t'_2, t'_3, t'_4)$.

  18. RWL rules of deduction, graphically ❖ Replacement: from a rule $t \rightarrow t'$ and $t_1 \rightarrow t'_1$, $t_2 \rightarrow t'_2$, $t_3 \rightarrow t'_3$, $t_4 \rightarrow t'_4$ for the subterms conclude $t(t_1, t_2, t_3, t_4) \rightarrow t'(t'_1, t'_2, t'_3, t'_4)$.

  19. Maude http://maude.cs.uiuc.edu ❖ A specification language and a system. ❖ Maude is an implementation of Rewriting Logic, such that descriptions in Maude denote theories in RWL. ❖ Deductions in RWL correspond to rewrites in Maude.

  20. MUTEX in Maude - Specification: Signature. Types (or sorts) for process state, (set) of processes and a system of processes. The sort Proc is included in the sort of configurations of processes.
      mod MUTEX is
        pr NAT .
        sort Proc Conf System .
        subsort Proc < Conf .
        ops idle try critical : Nat -> Proc [ctor] .
        op empty : -> Conf [ctor] .
        op __ : Conf Conf -> Conf [ctor assoc comm id: empty] .
        op {_} : Conf ~> System [ctor] .
        op inCrit? : Conf -> Bool .
        op dup? : Conf -> Bool .
        (…)

  21. MUTEX in Maude - Specification: Signature. Processes, configurations of processes and System are declared with (constructor) operators. Configurations are constructed with an associative, commutative (juxtaposition) operator, with empty as its identity element.

  22. MUTEX in Maude - Specification: Signature. The operator {_} is necessary to control the congruence rule. More on this when we discuss the rule-based specification of the behavior of the protocol.

  23. MUTEX in Maude - Specification: Signature. Predicates inCrit? and dup? are auxiliary operations, explained next…

  24. MUTEX in Maude - Specification: Equations. (Conditional) membership equations allow for the specification of partiality. Operator {_} is partial: terms of sort System are only those for which this conditional membership holds.
      var C : Conf .
      vars N M : Nat .
      cmb { C } : System if not dup?(C) .
      eq dup?(idle(N) idle(N) C) = true .
      eq dup?(idle(N) try(N) C) = true .
      eq dup?(idle(N) critical(N) C) = true .
      eq dup?(try(N) critical(N) C) = true .
      *** The two cases below are added here; the slide omits them, but without
      *** them dup? misses a repeated id when both copies are in the same state.
      eq dup?(try(N) try(N) C) = true .
      eq dup?(critical(N) critical(N) C) = true .
      eq dup?(C) = false [owise] .
      eq inCrit?(critical(N) C) = true .
      eq inCrit?(C) = false [owise] .

  25. MUTEX in Maude - Specification: Equations. Predicate dup? checks whether a process configuration has (at least) one repeated process id, denoted by a natural number.
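The following is an added example, not code from the slides or from the Maude project: it plays out slides 9 to 12 (model checking the safety and liveness formulae, producing a counter-example, fixing liveness) and slides 15 to 25 (rewriting modulo an associative-commutative configuration, the dup? and inCrit? predicates) in Python, standing in for Maude and its LTL model checker. A state is the configuration of processes idle(N), try(N), critical(N) from the Maude module plus a FIFO of waiting process ids that only the repaired protocol uses. The three rewrite rules are an assumed reading of the slides' LTS figure (the naive protocol has 8 reachable states, matching s0 to s7), and the FIFO repair, which yields 9 states like the slide's s8, is likewise an assumption.

```python
"""Explicit-state model checking of the two-process MUTEX protocol.

Added example, not from the slides. Rules (assumed reading of the LTS figure):
idle(N) => try(N); try(N) => critical(N) if nobody is critical; critical(N) => idle(N).
"""
from collections import deque

IDLE, TRY, CRIT = "idle", "try", "critical"
INIT = (frozenset({(1, IDLE), (2, IDLE)}), ())   # s0: both processes idle, empty FIFO


def dup(procs):
    """Maude's dup?: some process id occurs more than once in the configuration."""
    pids = [pid for pid, _ in procs]
    return len(pids) != len(set(pids))


def in_crit(procs):
    """Maude's inCrit?: some process is in its critical section."""
    return any(st == CRIT for _, st in procs)


def has(state, pid, st):
    """Atomic proposition: process pid is in state st (e.g. has(s, 1, TRY) is t1)."""
    return (pid, st) in state[0]


def successors(state, fair):
    """One rewrite step. Each rule rewrites a single process and leaves the rest of
    the associative-commutative configuration untouched (RWL congruence).
    With fair=True (assumed repair) a trying process enters only at the FIFO head."""
    procs, queue = state
    out = []
    for proc in procs:
        pid, st = proc
        rest = procs - {proc}
        if st == IDLE:                                   # idle(N) => try(N)
            out.append((rest | {(pid, TRY)}, queue + (pid,) if fair else queue))
        elif st == TRY and not in_crit(rest) and (not fair or queue[0] == pid):
            out.append((rest | {(pid, CRIT)}, tuple(p for p in queue if p != pid)))
        elif st == CRIT:                                 # critical(N) => idle(N)
            out.append((rest | {(pid, IDLE)}, queue))
    return out


def explore(init=INIT, fair=False):
    """Breadth-first search of the reachable states. Returns the transition graph
    and a parent map from which finite counter-example prefixes are rebuilt."""
    if dup(init[0]):                                     # the cmb { C } : System check
        raise ValueError("not a well-formed System: duplicate process id")
    graph, parent, todo = {}, {init: None}, deque([init])
    while todo:
        s = todo.popleft()
        graph[s] = successors(s, fair)
        for n in graph[s]:
            if n not in parent:
                parent[n] = s
                todo.append(n)
    return graph, parent


def path_to(parent, s):
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]


def check_safety(graph, parent):
    """G not(c1 and c2): None if it holds, otherwise a path to a violating state."""
    for s in graph:
        if has(s, 1, CRIT) and has(s, 2, CRIT):
            return path_to(parent, s)
    return None


def check_liveness(graph, parent):
    """G(t1 -> F c1): fails iff some reachable state with t1 starts a cycle made
    only of states without c1. Returns None or the lasso (prefix, cycle)."""
    for s in (s for s in graph if has(s, 1, TRY)):
        stack, grey, black = [(s, iter(graph[s]))], [s], set()
        while stack:                                     # DFS restricted to not-c1 states
            node, it = stack[-1]
            nxt = next(it, None)
            if nxt is None:
                stack.pop()
                grey.pop()
                black.add(node)
            elif has(nxt, 1, CRIT) or nxt in black:
                continue
            elif nxt in grey:                            # back edge: a loop that never reaches c1
                return path_to(parent, s), grey[grey.index(nxt):] + [nxt]
            else:
                stack.append((nxt, iter(graph[nxt])))
                grey.append(nxt)
    return None


def verify(fair):
    """(number of reachable states, safety holds, liveness holds) for one variant."""
    graph, parent = explore(fair=fair)
    return len(graph), check_safety(graph, parent) is None, check_liveness(graph, parent) is None


if __name__ == "__main__":
    for fair in (False, True):
        print("FIFO repair" if fair else "naive      ", verify(fair))
    _, cycle = check_liveness(*explore())
    print("liveness counter-example loop:", [sorted(s[0]) for s in cycle])
```

Run stand-alone, the naive protocol reports 8 states with safety holding and liveness failing, and prints the loop in which process 2 cycles idle, try, critical forever while process 1 stays in try; this is the counter-example of slide 11. The FIFO variant reports 9 states with both properties holding. The liveness check is a special case of LTL model checking sized for the formula $G\,(t_1 \rightarrow F\,c_1)$: a violation is a lasso, a finite prefix followed by a cycle, which is also the shape of the counter-examples a model checker such as Maude's prints.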
