Probabilistic Automata and Wh F Why Formal Analysis? l A l i ? E Equivalences i l Roberto Segala University of Verona Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 1 2 Why Formal Analysis? Why Formal Analysis? • 1994: The pentium processor computes wrong • 1995: Problems in Denver Airport divisions – INTEL forced to replace most processors – The fully automated baggage system fails – Economic damage of 450 million US Dollars – Scheduled to open in 1993 – The system looses or tears apart luggage The system looses or tears apart luggage – Considerable congestion • 1995: The software MacInTax spreads the – Considerable lack of design secrets of US tax payers – In 2005 the system is still not working – Error in the debug code distributed with MacInTax – Users can use it to access the server of Intuit – The system is too complex – Everybody can read and modify any tax form – Extensive research activity is necessary Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 3 4 Why Formal Analysis? Why Formal Analysis? • 1982 Mutual exclusion solved with small shared variables • 1996: Vector Ariane 5 explodes during take-off – Rabin proposes a randomized distributed algorithm – The proof is semi-formal but credible – The control software assigns a 64 bit number to a 16 bit variable • 1990 Some problems appear – The code was recycled from Ariane 4 – Nancy Lynch gives a lecture on Rabin’s algorithm – Ariane 5 is fast and its lateral speed does not fit in 16 bits Ariane 5 is fast and its lateral speed does not fit in 16 bits – Roberto Segala is the scribe and tries to formalize the proof R b t S l i th ib d t i t f li th f – Result: overflow – the system shuts down – Problem in an informally obvious step – The back up computer is started • Two events are compared but they belong to different probability spaces – … but the software is the same – Nondeterminsm is the cause of the problem – Result: again overflow – the system shuts down – Ariane, without guidance, self destroyes • 1991 An attack is found – Damage: 1 billion Euros • Later many other algorithms turned out to be bogus Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 5 6 1
Why Formal Analysis? Lessons that we can Learn • Formal methods are useful (necessary) • 1978: Needham and Schroeder – Propose an authentication protocol – Need to define what we want – The correctness proof is semi-formal • Objectives should be clear and accepted • We should communicate with others • 1981: Problems with freshness – Replay attacks are possible eplay attac s are poss ble – Need to prove properties rigorously N d t p p p ti s i sl • We may miss pieces otherwise • 1995: An attack found • We need techniques – Parallel sessions may lead to attack – Need modular verification techniques • Needham: you changed my definitions • We want to reuse existing proofs – Need ways to automate the analysis • Later: many protocols have been attacked • Large systems require considerable effort Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 7 8 Hierarchical Compositional Verification S Modules verified Some properties Hierarchical separately verified here and S 1 S 2 S 3 Compositional Approach I 11 I 12 I 2 I 3 Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 9 10 Implementation Proving Implementation • Behavioral inclusion • Typically some form of behavioral inclusion – Traces – Behaviors are full computations • Ordinary, complete, quiescent, fair • Possibly infinite length – Failures • Traces followed by actions the system refuses to perform – Properties of complex objects – Tests • Global reasoning • Occurrence of some success event in appropriate contexts – Easy to end up with “proofs by intuition” • Nice properties – Transitive • Simulation relations – Compositional – Affine with logical implication – Sound for behavioral inclusion • … when properties are sets of behaviors – Properties of single computational steps • Hard to check • Local reasoning – Usually Pspace-complete – Easier to be rigorous – But simulation relations help Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 11 12 2
Why Nondeterminism with Probability? Distributed Algorithms • Some problems are unsolvable – Consensus [FLP85] • … but are solvable with randomization – Probabilistic consensus [Ben83,AH90] • Probability and nondeterminism coexist • Probability and nondeterminism coexist Why Nondeterminism with Probability? – Probability: • Processes flip coins – Nondeterminism: • Several processes in parallel • Do not care whether the coin is fair • Quantitative analysis – What is the worst expected complexity? Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 13 14 Why Nondeterminism with Probability? Why Nondeterminism with Probability? Stochastic Games Security • Nondeterminism – User behavior (adversary in Dolev-Yao) • Nondeterminism – Relative speeds of agents – Each player has several moves available – Agent behavior (usually deterministic) • Probability P b bili • Probability – Moves may involve coin flipping – Users and agents flip coins • Nonces, keys, random protocols • Quantitative analysis • Quantitative analysis – What is the best probability to win the game? – Probability of attack (negligible) Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 15 16 Why Nondeterminism with Probabililty? Concurrency Theory • Nondeterminism – Scheduling within parallel composition – Unknown behavior of the environment – Underspecification How Probability with Nondeterminism? • Probability – Environment may be stochastic – Processes may flip coins Probabilistic Automata and Equivalences Probabilistic Automata and Equivalences Bertinoro, June 21, 2010 Roberto Segala - University of Verona Bertinoro, June 21, 2010 Roberto Segala - University of Verona 17 18 3
Recommend
More recommend