Software verification for ubiquitous computing

Similar documents
Probabilistic Model Checking

Analysis of a Gossip Protocol in PRISM

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

PRISM: A Tool For Stochastic Model Checking

Incremental Runtime Verification of Probabilistic Systems

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

PRISM 4.0: Verification of Probabilistic Real-Time Systems

Probabilistic Model Checking. Mohammad Roohitavaf

CONTROLLER DEPENDABILITY ANALYSIS BY PROBABILISTIC MODEL CHECKING. Marta Kwiatkowska, Gethin Norman and David Parker

AirTight: A Resilient Wireless Communication Protocol for Mixed- Criticality Systems

Overview of Timed Automata and UPPAAL

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

On Reasoning about Finite Sets in Software Checking

Real-Time and Embedded Systems (M) Lecture 19

PRISM-games 2.0: A Tool for Multi-Objective Strategy Synthesis for Stochastic Games

On Exploiting Transient Contact Patterns for Data Forwarding in Delay Tolerant Networks

Quan%ta%ve Verifica%on: Formal Guarantees for Timeliness, Reliability and Performance

Stochastic Games for Verification of Probabilistic Timed Automata

Failure Modelling in Software Architecture Design for Safety

TIMO: Timed Mobility in Distributed Systems

Model-Checking and Simulation for Stochastic Timed Systems

Verifying Concurrent Programs

A Multi-Modal Composability Framework for Cyber-Physical Systems

Formal Verification of Embedded Software in Medical Devices Considering Stringent Hardware Constraints

Software Model Checking. From Programs to Kripke Structures

Interference avoidance in wireless multi-hop networks 1

Software Model Checking. Xiangyu Zhang

Introduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011

Verifying C & C++ with ESBMC

Lecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University

By: Chaitanya Settaluri Devendra Kalia

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Grid-enabled Probabilistic Model Checking with PRISM

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

2. LITERATURE REVIEW. Performance Evaluation of Ad Hoc Networking Protocol with QoS (Quality of Service)

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering

CS551 Ad-hoc Routing

Duet: Static Analysis for Unbounded Parallelism

More on Verification and Model Checking

Introduction to Model Checking

Probabilistic Formal Verification of Communication Network-based Fault Detection, Isolation and Service Restoration System in Smart Grid

CS 510/13. Predicate Abstraction

Bounded Model Checking Of C Programs: CBMC Tool Overview

Introduction to Real-Time Communications. Real-Time and Embedded Systems (M) Lecture 15

Verification in Continuous Time Recent Advances

The Embedded Systems Design Challenge. EPFL Verimag

6.033 Computer Systems Engineering: Spring Quiz II THIS IS AN OPEN BOOK, OPEN NOTES QUIZ. NO PHONES, NO COMPUTERS, NO LAPTOPS, NO PDAS, ETC.

Green Hills Software, Inc.

On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

Introduction to Distributed Systems

Towards Automated Verification of Autonomous Networks: A Case Study in Self-Configuration

ISCASMC: A Web-Based Probabilistic Model Checker

A Tutorial on Runtime Verification and Assurance. Ankush Desai EECS 219C

Automated Freedom from Interference Analysis for Automotive Software

Modeling, Testing and Executing Reo Connectors with the. Reo, Eclipse Coordination Tools

Temporal logic-based decision making and control. Jana Tumova Robotics, Perception, and Learning Department (RPL)

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems

Process groups and message ordering

JAVA Projects. 1. Enforcing Multitenancy for Cloud Computing Environments (IEEE 2012).

This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No

Assignment 12: Commit Protocols and Replication Solution

15-441: Computer Networking. Wireless Networking

Theoretical Computer Science

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Lecture 04 Introduction: IoT Networking - Part I

Petri Nets ~------~ R-ES-O---N-A-N-C-E-I--se-p-te-m--be-r Applications.

Using Quantitative Analysis to Implement Autonomic IT Systems

Trust in Ad hoc Networks A Novel Approach based on Clustering

Introduction to Formal Methods

Infrastructure for Autonomous Mobile Robots Communication and Coordination

Having a BLAST with SLAM

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Quantifying Information Leaks in Software

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

Archna Rani [1], Dr. Manu Pratap Singh [2] Research Scholar [1], Dr. B.R. Ambedkar University, Agra [2] India

Ad hoc and Sensor Networks Chapter 13a: Protocols for dependable data transport

Time Triggered and Event Triggered; Off-line Scheduling

Sl.No Project Title Year

Part I. Wireless Communication

Resource-Definition Policies for Autonomic Computing

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Elimination Of Redundant Data using user Centric Data in Delay Tolerant Network

Practical Lazy Scheduling in Wireless Sensor Networks. Ramana Rao Kompella and Alex C. Snoeren

Model Checking Embedded C Software using k-induction and Invariants

Executable AADL. Real Time Simulation of AADL Models. Pierre Dissaux 1, Olivier Marc 2.

RESOURCE MANAGEMENT MICHAEL ROITZSCH

SUMMERY, CONCLUSIONS AND FUTURE WORK

Verification of Tree-Based Hierarchical Read-Copy Update in the Linux Kernel

International Journal of Scientific & Engineering Research Volume 8, Issue 5, May ISSN

Delay Performance of Multi-hop Wireless Sensor Networks With Mobile Sinks

PRISM-games: Verification and Strategy Synthesis for Stochastic Multi-player Games with Multiple Objectives

Magpie: Distributed request tracking for realistic performance modelling

General-Purpose Autonomic Computing

An Ant-Based Routing Algorithm to Achieve the Lifetime Bound for Target Tracking Sensor Networks

Evaluation of Temporal and Performance Aspects

Java PathFinder JPF 2 Second Generation of Java Model Checker

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

02 - Distributed Systems

CS 556 Advanced Computer Networks Spring Solutions to Midterm Test March 10, YOUR NAME: Abraham MATTA

Transcription:

Software verification for ubiquitous computing Marta Kwiatkowska Computing Laboratory, University of Oxford QA 09, Grenoble, June 2009

Software everywhere Electronic devices, ever smaller Laptops, phones, sensors Networking Wireless & Internet everywhere Intelligent spaces Buildings, vehicles Systems Self-* Adaptive Context-aware From hardware and software, to everyware Household objects do information processing Software is central 2

Challenges Communication: increased rate of failure Wireless medium Low power, mobility Coordination: increased use of randomisation Distributed computation, de-centralisation Mobility, highly dynamic behaviour Context: increased intelligence to ensure smart adaptation Sensors are integral components of devices and more How to ensure correctness, safety, dependability, security, performability? Complex scenarios, recovery from faults, resource usage, 3

Formal verification to the rescue Prevailing paradigm: Model, Analyse, Improve Design Is it appropriate? Must include quantitative, as well as qualitative, requirements: For battery, expected power consumption is For denial of service, expected cost of response is For communication protocols with transmission failures, maximum probability of delivery within time deadline is Models are typically extensions of automata annotated with quantitative information, e.g. Probability of taking a transition Time deadline Amount of resource 4

Quantitative probabilistic model checking in a nutshell 0.4 0.3 Probabilistic model, with resources send P p [F deliver] Probabilistic temporal logic specification Probabilistic Model Checker or or Probability/Expectation State 5: 0.6789 State 6: 0.9789 State 7: 1.0 State 12: 0 State 13: 0.1245 5

Why quantitative verification? Analysis combines quantitative and exhaustive aspects Best/worst-case scenarios, not possible with simulation Computing values for a range of states maximum expected run-time over all possible initial configurations All possible resolutions of nondeterminism maximum expected number of bits revealed under any eavesdropping strategy Identifying trends and anomalies Counterexamples (error traces) Experiments: ranges of model/property parameters e.g. N=1..5, T=1..100, for N model parameter and T a time bound identify patterns, trends, anomalies in quantitative results 6

Some achievements - Bluetooth Bluetooth device discovery - Huge model! complex interaction between sender/receiver genuine randomness - discrete time Markov chain model sender/receiver not initially synchronised, huge number of possible initial configurations (17,179,869,184) initially, model checking infeasible partition into 32 scenarios, i.e. 32 separate DTMCs on average, approx. 3.4 x 10 9 states, 536,870,912 initial Property model checked: worst-case (maximum) expected time to hear K replies, over all possible initial configurations also: how many initial states for each possible expected time and: cumulative distribution function assuming equal probability for each initial state 7

Bluetooth - Time to hear 1 reply Worst-case expected time = 2.5716s in 921,600 possible initial states Best-case expected time = 635μs 8

Bluetooth - Time to hear 2 replies Worst-case expected time = 5.177s in 444 possible initial states Compare actual CDF with derived version which assumes times to reply to first/second messages are independent 9

Some achievements - Gossip Gossip protocols: work by spreading rumours N nodes, each with address nodes maintain a partial view of network topology: list of up to c (<N) node descriptors (addresses and freshness) nodes periodically exchange information with a number of its peers, keep c newest views Markov decision process model random peer selection freshness based on hop-counts Analyse performance and how network topology varies over time through partial views (minimum and maximum) expected path length (longest route between nodes) (minimum and maximum) expected number of gossiping rounds required to reach connectivity 10

Gossip - Results The expected path length for N=3 11

Gossip - Results The expected path length for N=4 12

Gossip - Results The expected path length for N=4 (zoomed in) 13

Gossip - Results Average simulation results for N=4 (zoomed in) 14

What have we learnt? Realistic ubiquitous computing scenarios! Bluetooth device discovery [DKNP06] State space explosion only 2 devices (sender and receiver), up to K=2 messages Independence assumptions can be misleading Nevertheless, able to calculate detailed best/worst case time Gossip protocols [KNP08] State space explosion (again), only 3 and 4 nodes Complexity of the scenario Great variability of expected path length Simulation results (averaged) often not indicative of true performance characteristics See www.prismmodelchecker.org for more information 15

But can we deal with everyware? Current state of affairs Models: mostly manually derived, not real software Agents: no self, cooperation/negotiation little studied Requirements: pre-hoc, violated under system adaptation Quantitative verification: offline, largely monolithic Some possible directions Software verification for randomisation/failures Quantitative run-time verification for autonomous systems and more Software verification for context-awareness Synthesis from quantitative objectives Game-based quantitative approaches Quantitative component-based design 16

Software verification for randomisation Combine software verification via model checking efficient verification of C/Java via abstraction-refinement e.g. buffer overflow does not occur in this program, for all executions existing tools: SLAM, BLAST, SATABS, Terminator with quantitative probabilistic model checking focus on software where failure is unavoidable e.g. network protocols, esp. wireless aim for network utilities and quantitative properties concurrency, user input -> nondeterministic choice failure, randomisation -> probabilistic choice also include real-time and resources 17

Probabilistic software Consider ANSI C programs support functions, pointers, arrays, but not dynamic memory allocation, unbounded recursion, floating point ops no concurrency, yet Add function bool coin(double p) for probabilistic choice for modelling e.g. failures, randomisation Add function int ndet(int n) for nondeterministic choice for modelling e.g. user input, unspecified function calls Focus on software where failure is unavoidable e.g. network protocols/utilities, esp. wireless Quantitative properties based on probabilistic reachability e.g. minimum expected number of packets sent 18

Probabilistic program example bool fail = false; int c = 0; int main () { // nondeterministic c = ndet (3); while (! fail && c > 0) { // probabilistic fail = coin (0.1); c --; } } Probabilistic program 19

Probabilistic program as MDP Probabilistic program MDP semantics minimum/maximum probability of the program terminating with fail being true is 0 and 0.19, respectively 20

How it works the tool chain Model extraction: goto-cc SAT-based abstraction: SATABS Model checking: PRISM Abstraction/refinement: stochastic games [QEST06] For more information, see [VMCAI09] 21

Experimental results Successfully applied to several Linux network utilities: PING (tool for establishing network connectivity) TFTP (file-transfer protocol client) Code characteristics 1 KLOC of non-trivial ANSI-C code Loss of packets modelled by probabilistic choice Linux kernel calls modelled by nondeterministic choice Example properties maximum probability of establishing a write request maximum expected amount of data that is sent before timeout maximum expected number of echo requests required to establish connectivity 22

Quantitative run-time verification Autonomic systems (ubicomp, legacy systems, etc) Require increasingly demanding non-functional requirements performance, dependability, utility, Need to adapt to changing scenarios workload, environment, objectives, Key observations: offline qualitative verification methods do not suffice Instead integrate [ICSE09] [FASE09]: Multi-objective quantitative run-time analysis rigorous exhaustive checks Self-* adaptive system capabilities adaptation decisions based on (non-linear) behaviour 23

Background: autonomic systems System objectives (policies) monitor-analyseplan-execute autonomic control loop 24

Integration System objectives (policies) PRISM-driven monitor-analyseplan-execute autonomic control loop 25

Integration System objectives (policies) Monitor Select subset of models and configurations Carry out PRISM experiment Choose best configuration Enforce chosen configuration 26

How it works Development method Assume exposed control parameters Model-driven generation of adaptor code System objectives specified by administrator/designer E.g. minimise power consumption and maximise duration At run-time, monitor via quantitative verification and influence the system by modifying control parameters Case study: adaptive power-management Adjust configuration automatically to satisfy objectives (energy, response time), and to reflect workload changes (inter-arrival rate) Simulation based, applicable to disk drives (Fujitsu data), etc 27

Conclusions and further work Quantitative verification for adaptive systems combine with statistical inference develop incremental verification methods Software verification for sensor networks working with NesC/TinyOS with threads focus on software errors due to interface misuse, context changes and/or concurrency adaptation of goto-cc and SATABS What about everyware? We are only just beginning to realise the true complexity of ubicomp systems stochastic behaviours, continuous/discrete evolution, cooperation/negotiation and self-*, etc 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback