VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models
Brandon Bohrer¹, Yong Kiam Tan¹, Stefan Mitsch¹, Magnus O. Myreen², and André Platzer¹
¹ Carnegie Mellon University   ² Chalmers University of Technology
PLDI'18
A Real Cyber-Physical System 2
A Scary Cyber-Physical System 2
VeriPhy: Automatic, Verified EXEs from Controllers (VeriPhy.org) 3
HPs Model Control and Environment 4

  α ≡ { ( ?d ≥ εV; v := *; ?0 ≤ v ≤ V  ∪  v := 0 ); t := 0; { d′ = −v, t′ = 1 & t ≤ ε } }*
          \_________ drive _________/    \_ stop _/           \_________ env. _________/

  Annotations on the model:
    ?d ≥ εV          Far Enough?
    ?0 ≤ v ≤ V       Velocity Envelope
    v := 0           Fallback
    d′ = −v, t′ = 1  Physics
    t ≤ ε            Constraint
KeYmaera X Enables Model Verification 5
ModelPlex: Provably Correct Monitors 6

  Monitor whether transitions from previous state x to next state x⁺ are consistent with the control and environment models.

  α ≡ { ( ?d ≥ εV; v := *; ?0 ≤ v ≤ V  ∪  v := 0 ); t := 0; { d′ = −v, t′ = 1 & t ≤ ε } }*
          \____________ Control Monitor ____________/           \______ Plant Monitor ______/
Provable Monitor → Provable Sandbox 7

  Sandboxed controller uses the external controller when its decision is safe, else uses the verified fallback. Detects non-compliant plants.

  sandbox ≡
    V := *; ε := *; d := *; t := *;                          (x := *)
    ?(d ≥ 0 ∧ V ≥ 0 ∧ ε ≥ 0);                                (?φ)
    {
      t⁺ := *; v⁺ := *; d⁺ := d;                              (x⁺ := extCtrl)
      ( ?ctrlMon(d, t, v, d⁺, t⁺, v⁺)  ∪  t⁺ := 0; v⁺ := 0 );  (?ctrlMon(x, x⁺) ∪ x⁺ := fallback)
      t := t⁺; v := v⁺;                                       (x := x⁺)
      d⁺ := *; t⁺ := *;                                       (x⁺ := *)
      ?plantMon(d, t, v, d⁺, t⁺, v⁺);                         (?plantMon(x, x⁺))
      d := d⁺; t := t⁺                                        (x := x⁺)
    }*
Intervals Make ctrlMon and plantMon Computable 8

  Example: check whether π < e, efficiently.
  Solution: conservative interval approximation.

  Example: let ν_I = { pi ↦ [3, 4], e ↦ [2, 3] }, then
  • pi <_w e      is false (⊥)
  • pi <_w e + 3  is true (⊤)
  • pi <_w e + 1  is a known unknown (U)

  When truth values can be unknown, the resulting logic is 3-valued.
Interval dL is 3-Valued (Łukasiewicz) 9

  ∧ | ⊤  U  ⊥        ∨ | ⊤  U  ⊥
  --+---------       --+---------
  ⊤ | ⊤  U  ⊥        ⊤ | ⊤  ⊤  ⊤
  U | U  U  ⊥        U | ⊤  U  U
  ⊥ | ⊥  ⊥  ⊥        ⊥ | ⊤  U  ⊥

  Terms:    ω_I⦇θ₁ + θ₂⦈ = [l₁ +̌_w l₂, u₁ +̂_w u₂]   where ω_I⦇θ_i⦈ = [l_i, u_i]
            (word addition rounded down for the lower bound, up for the upper bound)

  Formulas:                   ⊤  if ω_I⦇θ_i⦈ = [l_i, u_i] and u₁ < l₂
            ω_I⦇θ₁ < θ₂⦈ =    ⊥  if ω_I⦇θ_i⦈ = [l_i, u_i] and l₁ ≥ u₂
                              U  otherwise

  Programs: (ω_I, ν_I) ∈ ⦇α ∪ β⦈  iff  (ω_I, ν_I) ∈ ⦇α⦈ or (ω_I, ν_I) ∈ ⦇β⦈
Interval dL is a Sound Approximation 10

  Theorem (Interval Soundness for Formulas)
  • If ω ∈ ω_I and ω_I⦇φ⦈ = ⊤ then ω ∈ ⟦φ⟧
  • If ω ∈ ω_I and ω_I⦇φ⦈ = ⊥ then ω ∉ ⟦φ⟧
  • No claims when ω_I⦇φ⦈ = U

  Generalizes naturally to programs, but the CakeML sandbox only runs the simpler formula case.
Sandbox HP Already Verified 11

  V := *; ε := *; d := *; t := *;                          // x := *
  ?(d ≥ 0 ∧ V ≥ 0 ∧ ε ≥ 0);                                // ?φ
  {
    t⁺ := *; v⁺ := *; d⁺ := d;                              // x⁺ := extCtrl
    ( ?ctrlMon(d, t, v, d⁺, t⁺, v⁺)  ∪  t⁺ := 0; v⁺ := 0 );  // ( ?ctrlMon(x, x⁺) ∪ x⁺ := fallback )
    t := t⁺; v := v⁺;                                       // x := x⁺
    d⁺ := *; t⁺ := *;                                       // x⁺ := *
    ?(0 ≤ t⁺ ≤ ε ∧ d⁺ ≥ v(ε − t⁺));                         // ?plantMon(x, x⁺)
    d := d⁺; t := t⁺                                        // x := x⁺
  }*
Verified CakeML Source is Generated 11

  CakeML source incorporates external control, actuation, sensing:

  fun cmlSandbox state =
    if not (stop ()) then (
      state.ctrl⁺ := extCtrl state;
      state.ctrl := (if intervalSem ctrlMon state = ⊤ then state.ctrl⁺ else fallback state);
      actuate state.ctrl;
      state.sensors⁺ := sense ();
      if intervalSem plantMon state = ⊤ then (
        Runtime.fullGC ();
        state.sensors := state.sensors⁺;
        cmlSandbox state)
      else violation "Plant Violation")
    else ()
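An added example, not VeriPhy's generated CakeML and not code from the paper: a Python sketch of the interval semantics from the "Intervals Make ctrlMon and plantMon Computable" and "Interval dL is 3-Valued" slides, and of the sandbox loop from the "Provable Sandbox" and "Verified CakeML Source" slides, run over constructed scenarios. Assumptions made here: 32-bit saturating words with integer units (cm, cm/s, s); ctrl_mon is read off the two branches of α by hand rather than taken from ModelPlex; plant_mon is the weakened check shown on the "Sandbox HP" slide; the controllers and plants (correct_ctrl, greedy_ctrl, ideal_plant, noisy_plant, jumping_plant) are invented for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass

TOP, UNK, BOT = "⊤", "U", "⊥"            # truth values of interval dL

# Assumption: 32-bit signed words; endpoints saturate at the word range so an
# overflowing bound only ever widens the interval (stays conservative).
WMIN, WMAX = -(2 ** 31), 2 ** 31 - 1

def _clamp(x: int) -> int:
    return max(WMIN, min(WMAX, x))

@dataclass(frozen=True)
class Iv:
    """Closed interval [l, u] of machine words (l ≤ u)."""
    l: int
    u: int
    @staticmethod
    def pt(x: int) -> Iv:                  # an exact value, e.g. a sensor word
        return Iv(_clamp(x), _clamp(x))
    def __add__(self, o: Iv) -> Iv:        # [l1 + l2, u1 + u2], rounded outward
        return Iv(_clamp(self.l + o.l), _clamp(self.u + o.u))
    def __sub__(self, o: Iv) -> Iv:
        return Iv(_clamp(self.l - o.u), _clamp(self.u - o.l))
    def __mul__(self, o: Iv) -> Iv:
        ps = (self.l * o.l, self.l * o.u, self.u * o.l, self.u * o.u)
        return Iv(_clamp(min(ps)), _clamp(max(ps)))

# Strong Kleene / Łukasiewicz tables for ∧ and ∨, as on the slide.
def land(a: str, b: str) -> str:
    return BOT if BOT in (a, b) else TOP if a == b == TOP else UNK

def lor(a: str, b: str) -> str:
    return TOP if TOP in (a, b) else BOT if a == b == BOT else UNK

# Comparisons: ⊤ iff u1 < l2 (every pair of points satisfies it), ⊥ iff l1 ≥ u2
# (no pair does), otherwise U, the "known unknown".
def lt(a: Iv, b: Iv) -> str:
    return TOP if a.u < b.l else BOT if a.l >= b.u else UNK

def le(a: Iv, b: Iv) -> str:
    return TOP if a.u <= b.l else BOT if a.l > b.u else UNK

def ge(a: Iv, b: Iv) -> str:
    return le(b, a)

def eq(a: Iv, b: Iv) -> str:               # only a point interval equals itself
    return land(le(a, b), le(b, a))

def interval_examples() -> tuple[str, str, str]:
    """The slide's example: pi ∈ [3,4], e ∈ [2,3] gives (⊥, ⊤, U)."""
    pi, e = Iv(3, 4), Iv(2, 3)
    return lt(pi, e), lt(pi, e + Iv.pt(3)), lt(pi, e + Iv.pt(1))

# Monitors for the drive/stop model.  ctrl_mon is read off the two branches of
# α (my derivation; ModelPlex's generated formula may be arranged differently);
# because the sandbox itself sets d⁺ := d it only constrains t⁺ and v⁺.
# plant_mon is the weakened check from the "Sandbox HP" slide:
#   0 ≤ t⁺ ≤ ε ∧ d⁺ ≥ v(ε − t⁺).
def ctrl_mon(d: Iv, tp: Iv, vp: Iv, V: Iv, eps: Iv) -> str:
    zero = Iv.pt(0)
    drive = land(ge(d, eps * V), land(le(zero, vp), le(vp, V)))
    stop = eq(vp, zero)
    return land(lor(drive, stop), eq(tp, zero))

def plant_mon(v: Iv, dp: Iv, tp: Iv, eps: Iv) -> str:
    zero = Iv.pt(0)
    return land(land(le(zero, tp), le(tp, eps)), ge(dp, v * (eps - tp)))

def sandbox(ext_ctrl, sense, d0: int, V: int, eps: int, steps: int):
    """Run the sandbox HP for `steps` iterations; return (event log, final d).

    ext_ctrl(d, v) -> (t⁺, v⁺) is the untrusted controller; sense(d, v) -> (d⁺, t⁺)
    stands for actuation followed by the next sensor reading (may be an interval).
    A monitor verdict of U is treated like ⊥: only ⊤ is ever acted on.
    """
    Vi, ei = Iv.pt(V), Iv.pt(eps)
    d, v, log = Iv.pt(d0), Iv.pt(0), []
    for _ in range(steps):
        t_ext, v_ext = ext_ctrl(d, v)                        # x⁺ := extCtrl
        tp, vp = Iv.pt(t_ext), Iv.pt(v_ext)
        if ctrl_mon(d, tp, vp, Vi, ei) == TOP:
            log.append("ext")
        else:                                               # x⁺ := fallback
            tp, vp = Iv.pt(0), Iv.pt(0)
            log.append("fallback")
        v = vp                                              # x := x⁺ (actuate)
        dp, tp = sense(d, v)                                 # x⁺ := * (sense)
        if plant_mon(v, dp, tp, ei) != TOP:
            log.append("violation")                         # non-compliant plant
            return log, d
        d = dp                                              # x := x⁺
    return log, d

# Constructed scenarios (invented here, not the paper's GoPiGo runs).
def correct_ctrl(V: int, eps: int):        # drives at V only if far enough
    return lambda d, v: (0, V if (d.l + d.u) // 2 >= eps * V else 0)

def greedy_ctrl(d: Iv, v: Iv):             # faulty: ignores the velocity envelope
    return (0, 15)

def ideal_plant(eps: int):                 # exact solution of d′ = −v over ε seconds
    return lambda d, v: (d - v * Iv.pt(eps), Iv.pt(eps))

def noisy_plant(eps: int):                 # same physics, ±1 cm sensor uncertainty
    return lambda d, v: (Iv(d.l - v.u * eps - 1, d.u - v.l * eps + 1), Iv.pt(eps))

def jumping_plant(eps: int):               # obstacle lunges 35 cm closer mid-cycle
    return lambda d, v: (Iv.pt(d.l - v.u * (eps // 2) - 35), Iv.pt(eps // 2))
```

With V = 10 cm/s, ε = 2 s and d₀ = 50 cm, the correct controller is accepted at every step and the robot stops 10 cm short; the greedy controller is overridden by the fallback on every step; the jumping plant is caught by plant_mon as soon as d⁺ < v(ε − t⁺); and with the noisy sensor a reading of [19, 21] straddling the threshold εV = 20 makes ctrl_mon return U, so the sandbox falls back even though the controller's decision may well have been safe. That last case is the practical cost of the 3-valued logic: U is never trusted, so sensor precision directly limits how often the external controller gets to act.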
CakeML Sandbox is Sound 12

  Theorem (Soundness for CakeML Sandbox, Main Case)
  If (⦃ω⦄, ⦃ν⦄) ∈ ⦃cmlSandbox⦄ then (⦇ω⦈, ⦇ν⦈) ∈ ⦇sandbox⦈
CakeML Compiler Preserves Guarantees 13
Code Executed on GoPiGo Robot 14

  Operational Suitability? Arithmetic Precision?

  [Figure: two plots of distance [cm] (0 to 70) against time [s] (1 to 9), one for Controller A (correct) and one for Controller B (faulty). Scenarios shown: malicious obstacle, approaching obstacle, small disturbance, large disturbance, robot follows obstacle. Event markers: Control Fault (C), Plant Fault (P), Control Spike (C†), Obstacle Motion (Ob0, Ob+, Ob−).]
Proof Chain Justifies Transformations 15

  ν ⊨ ψ
    ⇑
  (ω, ν) ∈ ⟦sandbox⟧                       Real arithmetic, nondeterministic dL (KeYmaera X)
    ⇑
  (ω_I, ν_I) ∈ ⦇sandbox⦈                   Interval word arithmetic, nondeterministic dL (Isabelle/HOL)
    ⇑
  (⦃ω⦄, ⦃ν⦄) ∈ ⦃cmlSandbox⦄                Interval word arithmetic, deterministic CakeML (HOL4)
    ⇑
  ({|ω|}, {|ν|}) ∈ {|CML(cmlSandbox)|}     Interval word arithmetic, machine-executable ARM/x64
Takeaway Metaphor 16