LANGUAGES, LOGICS, TYPES AND TOOLS FOR CONCURRENT SYSTEM MODELLING

Transcription

1 LANGUAGES, LOGICS, TYPES AND TOOLS FOR CONCURRENT SYSTEM MODELLING Ramūnas Gutkovas NOVA LINCS

2 A LITTLE ABOUT MYSELF 2011 MSc 2016 PhD Uppsala, Sweden 2007 BSc Startup Kaunas, Lithuania

3 BUGS OR, WHEN MACHINES GO WRONG

4

5

6 EXPENSIVE BUGS Pentium FDIV bug, 1994 $475 million worth of recalls Ariane 5 went poof, 1996 Integer Overflow $ 500 million loss goo.gl/bu36b2

7 KILLER BUGS Therac-25, 1980s Toyota, 2010 Due to a race condition produced a lethal radiation burst 5 killed Unintended acceleration Software bug 89 killed

8 Many more: goo.gl/gvqilc Heartbleed Microsoft calls them 1 million dollar bugs! SECURITY CVE OpenSSL A bug that allows to obtain keys Most of the internet affected SSL is foundation for ecommerce. Data race in the linux kernel since 2007 allows to escalate privileges Millions of Android devices vulnerable

9 UNPRECEDENTED IMPLICATIONS Celebgate Influence foreign government elections Celebrity Apple s icloud accounts hacked Voldemord

10 STANDARD APPROACH: TESTING

11 TESTING CAN T BE COMPLETE Testing is essential, however, it is not sufficient! Suppose int is 32 bits int multiply (int x, int y) Thus, there are 2 64 inputs Intel Core i7 5960X (8 core) can do about 2 38 instructions per second It would take 2 26 sec ~ hours ~ 2 years to test

12 TESTING program testing can be used to show the presence of bugs, but never to show their absence! [EWD303] E. W. Dijkstra

13 CONCURRENT SYSTEMS

14

15 THE CHALLENGE find An adequate language for describing concurrent systems A mathematical theory for capturing dynamics, i.e. semantics Well-founded Verification Technique

16 CALCULUS OF [Milner 1980] COMMUNICATING SYSTEMS a 2 A action P,Q ::= a.p input Ex. a.p a.q a.p output 0 inaction t.p silent P Q parallel a P Q a P + Q sum/choice!p replication (can be extend with value passing)

17 OBSERVABLE BEHAVIOUR pay pay pay coffee tea coffee tea

18 OBSERVABLE BEHAVIOUR pay.(coffee.0 + tea.0) pay.coffee.0 + pay.tea.0 pay pay pay coffee.0 + tea.0 coffee.0 tea.0 coffee tea coffee tea

19 [Milner 1980] There is nothing canonical about the choice of the basic combinators, even though they were chosen with great attention to economy. What characterises our calculus is not the exact choice of combinators, but rather the choice of interpretation and of mathematical framework. R. Milner

20 ALGEBRA OF PROCESSES Equivalence based on the observable behaviour P Q Alg. properties P Q Q P 0 P P etc. Bisimilarity at each state P can perform all the actions of Q, and vice versa, and states continue to be P (Q R) (P Q) R bisimilar 0 + P P P + Q Q + P Weak bisimilarity P.P roughly, ignoring silent actions

21 COMPOSITIONALITY (Frege s principle) Systems built from smaller systems Component Modularity Under all contexts a processes behaviour is indistinguishable (ie. bisimilar) A congruence relation Ex. if P. Q Equivalence (bisimulation) then R P. R Q preserved under all operations

22 VERIFICATION TECHNIQUE Specification Implementation (weakly) bisimilar Specification = pay.(co ee.0+tea.0) Implementation = pay.( interal)(internal(amount). if amount =50 then co ee.0 + tea.0 else co ee.0 + tea.0 P )

23 CCS +mobility PI-CALCULUS [Milner et al. 1991] +security spi-calculus concurrent constraint calculus polyadic synch. pi-calculus +algebraic applied pi-calculus polyadic pi-calculus and myriad of other small extensions of pi

24 CCS +mobility PI-CALCULUS [Milner et al. 1991] +security spi-calculus concurrent + your extension constraint calculus polyadic synch. pi-calculus your pi-calculus +algebraic applied pi-calculus polyadic pi-calculus and myriad of other small extensions of pi

25 [Milner et al. ECS-LFCS-89-86] 10 pages of proof appendix + 30 main text and proofs

26 With cheats! [3] is self-reference. For examples of bugs in meta-theories see [Bengtson et al. 2011]

27 [Bengtson et al. 2011] PSI-CALCULUS FRAMEWORK Data structures Logics Logical environment Psi Framework Syntax Bisimulation Pi-calculus like semantics Congruence Weak bisimulation Weak congruence Bengtson and Pohjola

28 x 2 N name M, N 2 T term j 1,...,j n 2 C condition Y 2 A assertion Parameters. $ 2 T T! C channel equivalence 2 A A! A assertion composition ` A C entailment [ex := en] 2 T! T substitution function P, Q ::= M(l ex)n.p input MN.P output P Q parallel!p replication (nx)p LYM casej 1 : P 1 j n : P n case restriction assertion 0 inaction Syntax

29 MAC ( secret)( ( hash(hsecret, message)i = x ) ahmessage,xi a(y). generate a key sign a message send MAC receive MAC case hash(hsecret, fst(y)i) =snd(y) []hash(hsecret, fst(y)i) 6= snd(y) : b YES : b NO ) Verify

30 Languages, Logics, Types and Tools for Concurrent System Modelling RAMUNAS GUTKOVAS

31 Expanding generality of Psi-calculi with a type-system Providing a verification calculus for psi-calculus, and others Tool support for psi-calculi

32 SORT SYSTEM FOR PSI

33 [LMCS 2016] REPRESENTATION A direct encoding of a process calculus to a Psi-calculus No elaborate encodings No superfluous data terms No superfluous behaviour Many calculi were not representable Unsorted polyadic pi-calculus Sorted polyadic pi-calculus LINDA pattern matching Polyadic synchronisation pi-calculus Value-passing CCS Goal: extend psi-calculi to be capable of representing new calculi!

34 SYMMETRIC CRYPTO Computation dec(enc(m,k),k) M makes sense when it is typed ( a, k)(a foobar.0 a( y)y. c dec(y, k).0)! ( a, k)(0 c dec( foobar,k).0) ( a, k)(a enc(m,k).0 a( y)y. c dec(y, k).0)! ( a, k)(0 cm)

35 SORT SYSTEM Set of sorts S Sort assigning to params function Sort(X) 2 S Sorting relations for substitution and processes: can send can receive can restrict can substituted Consider only well sorted substitutions Sanity check: A well-sorted substitution preserves well-sortedness of a process.

36 RESULTS All the standard algebraic laws of bisimulation are preserved Weak bisimulation Weak congruence Congruence Bisimulation All the mentioned calculi are directly representable Unsorted polyadic pi-calculus LINDA pattern matching Sorted polyadic pi-calculus Polyadic synchronisation pi-calculus Value-passing CCS

37 MODAL LOGICS FOR PSI

38 MODAL LOGICS Find grained properties of a system Deadlock freedom Eventually coffee machine produces coffee A malicious message is eventually rejected == Process == Modal Logic Formula Process is a model P ' Modal logical formula formula φ is true for P

39 MODAL LOGICS Concurrent System Models CCS Value-Passing CCS Spi-calculus Applied pi-calculus Fusion calculus Multi-labelled Nominal transition systems Logics Hennessy, Milner 1985 Hennessy, Liu 1995 Frendrup et al.2002 Hüttel, Pedersen et al Haugstad et al De Nicola, Loreti 2008 Psi-calculi framework??? Concurrent constraint calc. Possibly others???

40 [CONCUR 2015] NOMINAL MODAL LOGIC Formulas depend on finite number of names P ' iff P ` ' P A iff not P A ^ P A i iff (8i 2 I) P A i i2i P h ia iff (9P 0 ) P! P 0,P 0 A Thm. Adequate for strong bisimilarity. What s new: finitely supported formulas

41 EXPRESSIVENESS Next step Quantifiers Fresh/New for any action there is a state for every value of a domain for a state where a name does not appear Recursion in Logic recx.a Ex. Eventually get coffee := rec X. <coffee>true next step, recurse on X

42 RESULTS Adequate Modal Logic for many transition systems The main proofs are machine checked Adequate for many variants of bisimilarity: hyper, open, early, late, weak Provide an adequate modal logic for psi-calculi, concurrent constraint calculus, and others

43 TOOL SUPPORT

44 AUTOMATED TOOLS Small specification: WSN secure aggr. Small spec. in Pwb 20 LOC Property There is no tempered data that the network accepts only 3 nodes Results in

45 PSI-CALCULI WORKBENCH Tool factory: define your own tool! [TECS 2015] Based on the parametric psi-calculi framework

46 PARAMETRIC Data Structures e.g., Names, Bits, Vectors, ADTs, Trees,... Logics e.g., EUF, FOL, Equational Theory,... Logical Assertions e.g., Knows a secret, Connectivity,

47 FEATURES Communication Primitives Execution of Processes Unicast (Weak) Bisimulation Checking Unreliable Broadcast [Borgström et al. 2011] Pluggable Architecture

48 EXAMPLE: WSN AGGREGATION Spatially distr. nodes Wireless communication Protocol: Establish routing tree Forward data

49 WORKBENCH MODEL Sink ( nodeid, bschan) <= init(nodeid)!<bschan>.! data(bschan) (x) ; A node listens on its broadcast cha Node ( nodeid, nodechan, datum ) <= init(nodeid)?(pchan). init(nodeid)!<nodechan>. data(pchan) <datum>. NodeForwardData<nodeChan, pchan> ; NodeForwardData (nodechan, pchan) <=! data(nodechan) (x). data(pchan) <x> ;

50 SYMBOLIC EXECUTION generated action gna! ( new bschan)bschan > Source : System3<d1, d2> Constraint : (new chan1, chan2, chans){ init(0)<gna } ^ (new chans, chan2, chan1){ gna>init (1) } ^ (new chans, chan1, chan2){ gna>init (2) } Solution : ([gna := init(0) ], 1) Derivative : (!( data(chans) (x))) (((new chan1)( init(1)!<chan1>. data(chans) <d1>. NodeForwardData<chan1, )) ((new chan2)( init(2)!<chan2>. data(chans) <d2>. ))) system with 3 nodes solution NodeForwardData<chan2, chans> chans> In the derivative the Sink successfully communicated its un constraints Execution: derived process

51 ARCHITECTURE Pwb Command Interpreter Symbolic Equivalence gen. Symbolic Execution Psi Calculi Core Supporting library

52 ARCHITECTURE Parameters Pwb Pretty Printer Parser Command Interpreter Plug in external solvers, Equivalence Constraint Solver e.g. SMT solvers Execution Constraint Solver Z3, CVC4, Yices2 Symbolic Equivalence gen. Symbolic Execution Data Logics Assertions Psi Calculi Core Supporting library

53 CONCLUSION

54 A widened applicability of psi-calculi via a type system A general and powerful modal logic that is applicable to systems such as psi-calculi Tool support for psi

55 QUESTIONS