Model-Driven Verifying Compilation of Synchronous Distributed Applications

Similar documents
Model-Driven Verifying Compilation of Synchronous Distributed Applications

Verifying Periodic Programs with Priority Inheritance Locks

Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

ARINC653 AADL Annex Update

Modeling, Verifying, and Generating Software for Distributed Cyber- Physical Systems using DMPL and AADL

Fall 2014 SEI Research Review Verifying Evolving Software

Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems

Effecting Large-Scale Adaptive Swarms Through Intelligent Collaboration (ELASTIC)

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

SEI/CMU Efforts on Assured Systems

Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs

Inference of Memory Bounds

Design Pattern Recovery from Malware Binaries

Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT

Encounter Complexes For Clustering Network Flow

Modeling the Implementation of Stated-Based System Architectures

Time-Bounded Analysis of Real- Time Systems

Semantic Importance Sampling for Statistical Model Checking

Advancing Cyber Intelligence Practices Through the SEI s Consortium

NO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

Panel: Future of Cloud Computing

Investigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

Julia Allen Principal Researcher, CERT Division

The Spin Model Checker : Part I/II

Software Assurance Education Overview

Model checking Timber program. Paweł Pietrzak

The CERT Top 10 List for Winning the Battle Against Insider Threats

Providing Information Superiority to Small Tactical Units

OSATE Analysis Support

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Defining Computer Security Incident Response Teams

Analyzing 24 Years of CVD

Verifying Distributed Adaptive Real-Time (DART) Systems

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Roles and Responsibilities on DevOps Adoption

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Situational Awareness Metrics from Flow and Other Data Sources

Prioritizing Alerts from Static Analysis with Classification Models

Smart Grid Maturity Model

Passive Detection of Misbehaving Name Servers

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

Pharos Static Analysis Framework

Engineering Improvement in Software Assurance: A Landscape Framework

Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps

Automated Provisioning of Cloud and Cloudlet Applications

Researching New Ways to Build a Cybersecurity Workforce

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Sérgio Campos, Edmund Clarke

Non-blocking Array-based Algorithms for Stacks and Queues. Niloufar Shafiei

The ComFoRT Reasoning Framework

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Denial of Service Attacks

CSE Traditional Operating Systems deal with typical system software designed to be:

Cyber Hygiene: A Baseline Set of Practices

Model Checking: Back and Forth Between Hardware and Software

Current Threat Environment

Proving the Correctness of Distributed Algorithms using TLA

The SPIN Model Checker

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Tool demonstration: Spin

Cyber Threat Prioritization

Formal Verification by Model Checking

Secure Coding Initiative

SPIN, PETERSON AND BAKERY LOCKS

Foundations for Summarizing and Learning Latent Structure in Video

2013 US State of Cybercrime Survey

Building Program Verifiers from Compilers and Theorem Provers

Components and Considerations in Building an Insider Threat Program

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Distributed Algorithms. Partha Sarathi Mandal Department of Mathematics IIT Guwahati

Model Checking VHDL with CV

Tutorial on Model Checking Modelling and Verification in Computer Science

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

CSE 153 Design of Operating Systems

CPSC/ECE 3220 Fall 2017 Exam Give the definition (note: not the roles) for an operating system as stated in the textbook. (2 pts.

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

10 Years of FloCon. Prepared for FloCon George Warnagiris - CERT/CC #GeoWarnagiris Carnegie Mellon University

Report Writer and Security Requirements Finder: User and Admin Manuals

Model Checking with Automata An Overview

Flight Systems are Cyber-Physical Systems

Application of Propositional Logic II - How to Test/Verify my C program? Moonzoo Kim

Using CERT-RMM in a Software and System Assurance Context

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Designing Memory Consistency Models for. Shared-Memory Multiprocessors. Sarita V. Adve

Concurrency: Mutual Exclusion and

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Fall 2014 SEI Research Review FY14-03 Software Assurance Engineering

The Priority Ceiling Protocol: A Method for Minimizing the Blocking of High-Priority Ada Tasks

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Introduction to CBMC: Part 1

Verifying Concurrent Programs

Measuring the Software Security Requirements Engineering Process

More on Verification and Model Checking

Design and Analysis of Distributed Interacting Systems

Carnegie Mellon University Notice

Information Security Is a Business

Non-blocking Array-based Algorithms for Stacks and Queues!

Software Model Checking. From Programs to Kripke Structures

Transcription:

Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain

Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0001691 2

Outline Motivation Approach Sequentialization : SEQSEM & SEQDBL Examples Experimental Results Synchronizer Protocol : 2BSYNC Tool Overview & Demo Future Work 3

Motivation Distributed algorithms have always been important File Systems, Resource Allocation, Internet, Increasingly becoming safety-critical Robotic, transportation, energy, medical Prove correctness of distributed algorithm implementations Pseudo-code is verified manually (semantic gap) Implementations are heavily tested (low coverage) 4

Approach : Verification + Code Generation Program in Domain Specific Language Distributed Application Safety Specification Debug Application, Refine Specification Failure Verification Success Code Generation The Verifying Compiler: A Grand Challenge for computing research Tony Hoare Binary Run on Physical Device Run within simulator 5

Verification Model Checking Program in Domain Specific Language Distributed Application Safety Specification Automatic verification technique for finite state concurrent systems. Assume Synchronous Model of Computation Sequentialization Single-Threaded C Program Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980 s. ACM Turing Award 2007 Specifications are written in propositional temporal logic. (Pnueli 77) Failure Software Model Checking (CBMC, BLAST etc.) Success Computation Tree Logic (CTL), Linear Temporal Logic (LTL), Verification procedure is an intelligent exhaustive search of the state space of the design 6

Code Generation Program in Domain Specific Language MADARA Middleware A database of facts: DB = Var Value Distributed Application Safety Specification Node i has a local copy: DB i update DB i arbitrarily publish new variable mappings Immediate or delayed Guarantee Synchronous Model of Computation Add synchronizer protocol C++/MADARA Program Compile (g++,clang,msvc, etc.) Binary Multiple variable mappings transmitted atomically Implicit receive thread on each node Receives and processes variable updates from other nodes Updates ordered via Lamport clocks Portable to different OSes (Windows, Linux, Android etc.) and networking technology (TCP/IP, UDP, DDS etc.) 7

Synchronous Distributed Application (SDA) Node 0 = f 0 () Shared Variables:GV = GV 0, GV[1] Node 1 = f 1 () GV 0 Round 1 GV 1 [0] = f 0 GV 0 GV 1 1 = f 1 (GV 0 ) GV 1 Round 2 GV 2 [0] = f 0 GV 1 GV 2 1 = f 1 (GV 1 ) GV 2 GV i 1 Round i GV i [0] = f 0 GV i 1 GV i 1 = f 1 (GV i 1 ) GV i 8

SDA Verification Program with n nodes : P(n) Each node has a distinct id 1, n Array GV has n elements, GV[i] writable only by node with id i Each element of GV is drawn from a finite domain In each round, node with id id executes function ρ whose body is a statement stmt skip lval = exp (assignment) ITE exp, stmt, stmt (if, then, else) ALL IV, stmt (iterate over nodes use to check existence) stmt + (iteration of statements) lval GV id w (lvalues) exp lval GV iv w id IV (exp + ) (expressions) Initial states and ERROR states of the program are define State value assigned to all variables Verification decide if there is an execution of the program that starts in an initial state and ends in an ERROR state 9

Semantic Sequentialization: SEQSEM Node 0 = f 0 () Shared Variables:GV = GV 0, GV[1] Node 1 = f 1 () Assume n nodes Use n copies of GV GV 0 GV 1 GV n 1 O n 2 variables State Explosion GV 0 0 = f 0 GV 0 GV 0 i = GV i i, i 0 GV 1 1 = f 1 (GV 1 ) GV 1 i = GV i i, i 1 GV n 1 n 1 = f n 1 (GV n 1 ) GV n 1 i = GV i i, i n 1 Round 1 GV 0 GV 1 GV n 1 Operations have independence reordered sequentially. Rounds are repeated in a loop. 10

Double Buffering Sequentialization: SEQDBL Node 0 = f 0 () Shared Variables:GV = GV 0, GV[1] Node 1 = f 1 () Use 2 copies of GV Use each copy as input in alternate rounds GV 0 Round 1 GV 1 0 = f 0 GV 0 GV 1 1 = f 1 (GV 0 ) GV 1 n 1 = f n 1 (GV 0 ) O n variables GV 1 Round 2 GV 0 0 = f 0 GV 1 GV 0 1 = f 1 (GV 1 ) GV 0 n 1 = f n 1 (GV 1 ) GV 0 11

Y Example: 2D Synchronous Collision Avoidance (0,3) (3,3) Reserve Reserve Reserve (0,0) X (3,0) 12

Y Example: 2D Synchronous Collision Avoidance (0,3) (3,3) Reserve Reserve (0,0) X Reserve (3,0) 13

Y Example: 2D Synchronous Collision Avoidance (0,3) (3,3) Reservation Contention Resolved based on Node ID. No collision possible if no over-booking. Potential Collision (0,0) X (3,0) 14

2D Collision Avoidance Protocol If time to move to next coordinate REQUEST If no other node is locking the next coordinate NEXT WAITING Reached the next coordinate MOVE If no other node with higher id is trying to lock the next coordinate Moving to the next coordinate Other Examples 3D Collision Avoidance Mutual Sagar Chaki, October Exclusion 1, 2014 15

Results: 3D Collision Avoidance SEQDBL is better T S, T D = model checking time with SEQSEM, SEQDBL μ, σ = Avg, StDev of T S T D n = #of nodes R = #of rounds G G = grid size 16

Results: 2D Collision Avoidance Depends on the example T S, T D = model checking time with SEQSEM, SEQDBL μ, σ = Avg, StDev of T S T D n = #of nodes R = #of rounds G G = grid size 17

Results: Mutual Exclusion SEQSEM and SEQDBL similar T S, T D = model checking time with SEQSEM, SEQDBL μ, σ = Avg, StDev of T S T D n = #of nodes R = #of rounds G G = grid size 18

Synchronizer Protocol: 2BSYNC Node 0 = f 0 () Shared Variables:GV = GV 0, GV[1] Node 1 = f 1 () Use barrier variables: b 0, b 1 Initialized to 0 Atomic Send. Either both GV 0 [0] and b 0 are received, or none is received. Can be implemented on existing network stack, e.g., TPC/IP GV 0, b 0 b 0 b 0 + 1 b 0! Barr 0 GV 0 0 = f 0 GV 0 GV 1 1 = f 1 (GV 1 ) b 0 b 0 + 1 GV 0 0, b 0! Barr 0 GV 1, b 1 b 1 b 1 + 1 b 1! Barr 1 b 1 b 1 + 1 GV 1 1, b 1! Barr 1 Barr 0 while b 1 < b 0 skip; Implicit thread receiving messages and updating variables Proof of correctness in paper 19

Tool Overview Project webpage (http://mcda.googlecode.com) Tutorial (https://code.google.com/p/mcda/wiki/tutorial) Verification daslc --nodes 3 --seq --rounds 3 --seq-dbl --out tutorial-02.c tutorial- 02.dasl cbmc tutorial-02.c (takes about 10s to verify) Code generation & simulation daslc --nodes 3 --madara --vrep --out tutorial-02.cpp tutorial-02.dasl g++ mcda-vrep.sh 3 outdir./tutorial-02 DEMO 20

Future Work Improving scalability and verifying with unbounded number of rounds Verifying for unbounded number of nodes (parameterized verification) Paper at SPIN 2014 Symposium Asynchronous and partially synchronous network semantics Scalable model checking Abstraction, compositionality, symmetry reduction, partial order reduction Fault-tolerance, uncertainty, Combine V&V of safety-critical and mission-critical properties 21

QUESTIONS?

Contact Information Slide Format Sagar Chaki Principal Researcher SSD/CSC Telephone: +1 412-268-1436 Email: chaki@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257 23

Synchronous Collision Avoidance Code MOC_SYNC; CONST X = 4; CONST Y = 4; CONST NEXT = 0; CONST REQUEST = 1; CONST WAITING = 2; CONST MOVE = 3; EXTERN int MOVE_TO (unsigned char x, unsigned char y); NODE uav (id) { } void INIT () { } void SAFETY { } NODE uav (id) { GLOBAL bool lock [X][Y][#N]; LOCAL int state,x,y,xp,yp,xf,yf; void NEXT_XY () { } void ROUND () { if(state == NEXT) { state = REQUEST; } else if(state == REQUEST) { state = WAITING; } else if(state == WAITING) { state = MOVE; } else if(state == MOVE) { state = NEXT; } } } INIT { FORALL_NODE(id) state.id = NEXT; //assign x.id and y.id non-deterministically //assume they are within the correct range //assign lock[x.id][y.id][id] appropriately //nodes don t collide initially FORALL_DISTINCT_NODE_PAIR (id1,id2) ASSUME(x.id1!= x.id2 y.id1!= y.id2); } SAFETY { FORALL_DISTINCT_NODE_PAIR (id1,id2) ASSERT(x.id1!= x.id2 y.id1!= y.id2); } 24

Synchronous Collision Avoidance Code if(state == NEXT) { //compute next point on route if(x == xf && y == yf) return; NEXT_XY(); state = REQUEST; } else if(state == REQUEST) { //request the lock but only if it is free if(exists_other(idp,lock[xp][yp][idp]!= 0)) return; lock[xp][yp][id] = 1; else if(state == MOVE) { //now we have the lock on (xp,yp) if(move_to()) return; lock[x ][y][id] = 0; x = xp; y = yp; state = NEXT; } state = WAITING; } else if(state == WAITING) { //grab the lock if we are the highest //id node to request or hold the lock if(exists_higher(idp, lock[xp][yp][idp]!= 0)) return; state = MOVE; } 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback