Design and Analysis of Discrete Computational Systems

1
Design and Analysis of Discrete Computational
Systems

• John Mitchell
• Stanford University

2

• Mahesh Viswanathan
• Analysis of software
• Formal models for system specification
• Implementation of software tools forprogram
  analysis

• Nancy Lynch
• Distributed computing
• Real-time computing
• Formal modeling and verification

3
Abstraction in Computer Science

• A natural computer scientist can rapidly
  change levels of abstraction, simultaneously
  seeing things in the large and in the small.
• Don Knuth

4
ISO OSI Reference Model
Application
Application
Presentation
Presentation
Session
Session
Transport
Transport
Network
Network
Network
Data Link
Data Link
Data Link
Physical
Physical
Physical
Host B
Router
Host A
5
Varieties of models and systems
Probabilistic
Timed
Conventional
Hybrid
State-transition models
Logic-based models
Input-output functions
outside the computer
6
State-transition models

• Automata
• Pushdown automata
• Turing machine
• Probabilistic, polynomial-time TM
• Program-based models
• process calculus, ?-calculus
• Term-rewriting systems
• Operational semantics of programs
• Represent state execution changes state

7
Input-output functions

• Represent observable behavior
• Denotational semantics of programs
• Program function from inputs to outputs
• Use topological version of computability
• Continuous function on complete partial order
• Effective topos

8
Logic-based models

• Represent computation by its properties
• Floyd-Hoare logic of programs
• Before-after conditions describe program
• Temporal logic
• First-order assertions ? ? ? ? ? ?
• Modal operators
• Always F
• Eventually F ? ? (Always ?F)
• Linear logic, Curry-Howard isomorphism,

9
Example Hoare Logic

• Before-after assertion F P G
• If F before executing P, then G after
• x2 y x y2
• Sample programs
• P x e if B then P1 else P2 P1 P2
• while B do P
• Logic
• Associate assertions with programs

10
Assertion about assignment

• Assignment axiom
• F(t) x e F(x)
• Examples
• 77 x 7 x7
• (y1)gt0 x y1 xgt0
• x12 x x1 x2

11
Conditional

• F ? B P1 G
• F ??B P2 G
• F if B then P1 else P2 G
• Example
• true if y ? 0 then x y else x -y
  x ? 0

12
Sequence

• F P1 G
• G P2 H
• F P1 P2 H
• Example
• x0 x x1 x x1 x2

13
Loop Invariant

• F ? B P F
• F while B do P F ??B
• Example
• true while x ? 0 do x x-1 x0

14
Facts about Hoare logic

• Compositional
• Proof follows structure of program
• Sound
• Relative completeness
• Properties of computation over N provable from
  properties of N
• Some technical issues
• Important concept Loop invariant
• Common practice beyond Hoare logic

15
Software Theory
OperationalSemantics
Axiomatic Semantics
Denotational Semantics
Program Language
16
Formal Verification

• Are all possible behaviors of implementation
  compatible with specification?

Specification (what we want)
Design
Verification
Implementation (what weve got)
17
The Dream
void add(Object o) bufferhead o head
(head1)size Object take()
tail(tail1)size return buffertail
OK
Program
or
Error trace
Checker
Property 1 Property 2
Requirement
18
Model-Checking Approaches

• Implementation (program)
• Finite-state model
• Logical description (formula)
• Specification (requirement)
• Temporal logic formula.
• Comparison Criteria
• Model satisfies temporal logic formula
• Logical description implies specification
• Algorithms
• Evaluates the formula against FSM
• Construct model to test implication

19
Model Checking
OK
Finite-state model
or
Model Checker
(F W)
Temporal logic formula
20
Temporal logic (LTL)

• A logical notation that allows us to
• specify relations in time
• express finite control properties
• Temporal operators
• G p henceforth p
• F p eventually p
• X p p at the next time
• p W q p unless q

Reference Ken McMillan CAV survey
21
Types of temporal properties

• Safety (nothing bad happens)
• G ?(ack1 ? ack2) mutual exclusion
• G (req ? (req W ack)) req pending until ack
• Liveness (something good happens)
• G (req ? F ack) if req,
  eventually ack
• Fairness
• GF req ? GF ack if infinitely often req,
• then
  infinitely often ack

22
Computation tree logic (CTL)

• Branching time model
• Path quantifiers
• A for all future paths
• E for some future path
• Example AF p inevitably p

p
p
AFp
p
23
CTL model checking algorithm

• Example AF p inevitably p
• Complexity
• linear in size of model (FSM)
• linear in size of specification formula

AFp
AFp
Note LTL is exponential in formula size
24
Example traffic light controller

• Guarantee no collisions
• Guarantee eventual service

S
E
N
25
Specifications

• Safety (no collisions)
• AG Ø (E_Go Ù (N_Go S_Go))
• Liveness
• AG (Ø N_Go Ù N_Sense Þ AF N_Go)
• AG (Ø S_Go Ù S_Sense Þ AF S_Go)
• AG (Ø E_Go Ù E_Sense Þ AF E_Go)
• Fairness constraints
• infinitely often Ø(N_Go Ù N_Sense)
• infinitely often Ø(S_Go Ù S_Sense)
• infinitely often Ø(E_Go Ù E_Sense)
• (assume each sensor off infinitely often)

26
Counterexample

• East and North lights on at same time...

N light goes on at same time S light goes off. S
takes priority and resets NS_Lock
27
Model checking

• Summary
• Check correctness of finite model
• Advantages
• Automatic practical algorithms and tools
• Disadvantages
• Finite state approximation is conservative
• Error found ? System has error
• Error not found ? ???
• Finite model must be fairly small

28
Alternatives and Extensions

• Infinite-state transition systems
• Denotational models
• Logical methods

• Security
• Probability
• Timing
• Continuous Phenomena

29
Example Security Protocols

• Example
• Needham-Schroeder public-key protocol
• Model checking
• Finite-state analysis of protocol attacker
• General model
• Rewrite semantics of protocol attacker
• Protocol logic
• Probabilistic, polynomial-time model

30
Needham-Schroeder Key Exchange

• A, Noncea
• Noncea, Nonceb
• Nonceb

Kb
A
B
Ka
Kb
Result A and B share two private numbers not
known to any observer without Ka-1, Kb-1
31
Anomaly in Needham-Schroeder
Lowe
A, Na
Ke
A
E
Na, Nb
Ka
Nb
Ke
A, Na
Na, Nb
Evil agent E tricks honest A into
revealing private key Nb from B.
Kb
Ka
B
Evil E can then fool B.
32
State Reduction on N-S Protocol
33
Contract-signing protocol
Other case studies SSL, Needham-Sch.,
Kerberos, TMN,

• Finite state analysis
• Formalize protocol
• Formalize correctness
• Find errors in protocol (bounded size only)

Attack Dishonest A uses data intercepted from T
to abort and receive contract sigB(text)
34
MSR framework for protocol study
Linear Logic ( ? ? ? ? ? )
Proof search (Horn clause)
Multi-set Rewriting
Process Calculus
Finite Automata

• Multiset rewriting unifies previous models
• SRI CAPSL, Lowes CASPER, NRL Analyzer
• Analysis Examined power and limitations
• Proved fundamental complexity, undecidability
  results
• Algorithms for decidable cases

Transition Millens CAPSL project and tools
developed at SRI.
35
Technical results using MSR
NP complete
Undecidable
??
DExp time
Finite number of different roles, finite length
roles, bounded message size

• Key insight existential quantification (?)
  captures cryptographic nonce main source of
  complexity

Durgin, Lincoln, Mitchell, Scedrov
36
Protocol logic
Honest Principals, Attacker
Protocol
Private Data
Send
Receive

• Alices information
• Protocol
• Private data
• Sends and receives

37
Intuition

• Reason about local information
• I chose a new number
• I sent it out encrypted
• I received it decrypted
• Therefore someone decrypted it
• Incorporate knowledge about protocol
• Protocol Server only sends m if it got m
• If server not corrupt and I receive m signed by
  server, then server received m

38
Logical assertions

• Modal operator
• actions P ? - after actions, P reasons ?
• Predicates in ?
• Sent(X,m) - principal X sent message m
• Created(X,m) X assembled m from parts
• Decrypts(X,m) - X has m and key to decrypt m
• Knows(X,m) - X created m or received msg
  containing m and has keys to extract m from msg
• Source(m, X, S) Y?X can only learn m from set S
• Honest(X) X follows rules of protocol

39
Correctness of NSL

• Bob knows hes talking to Alice
• recv encrypt( Key(B), ?A,m? )
• new n
• send encrypt( Key(A), ?m, B, n? )
• recv encrypt( Key(B), n )
• B
• Honest(A) ? Csent(A, msg1) ? Csent(A, msg3)
• where Csent(A, ) ? Created(A, ) ? Sent(A, )

40
Poly-time calculus

• Probability is important
• Protocols use probabilistic primitives
• Key generation, nonce, probabilistic encryption,
  ...
• Adversary may be probabilistic
• Probabilistic polynomial time processes
• Variation of standard process calculi
• Complexity bound needed to model attacks
• Modal type system bounds complexity
• Study security using observ. equivalence
• Probabilistic, asymptotic form of equivalence
• Example proofs general proof principles

41
Protocol analysis spectrum
Hand proofs
?
High
Poly-time calculus
Multiset rewriting with ?
Spi-calculus
?
Sophistication of attacks
Athena
Paulson
?
?
?
?
NRL
?
Bolignano
BAN logic
?
Low
Model checking
?
?
Murj
FDR
Low
High
Protocol complexity
42

• Mahesh Viswanathan
• Monitoring and checking framework
• Probabilistic sampling of data streams
• Checking network simulations
• Nancy Lynch
• Timed automata
• Probabilistic automata
• Hybrid automata

43
System monitoring architecture
System Spec
Requirement Spec (MEDL)
Formal verification
Design Consistency
System Code
Monitoring Script (PEDL)
Implementation Consistency
System
Filter
Event Recognizer/ Checker
Run-time Consistency
Communication
Improve system design and execution
44
Efficient checking of large data streams

• Possible tests on streams
• Closeness of distributions
• Approximate entropy
• Statistical independence
• Example algorithm
• Efficient test for closeness
• Sample points on distribution
• Runtime is sublinear

close OR far?
Pass test if two distributions are close overall
Application embedded device in sensor net
computes useful statistical properties of
collected data
45
MaC for ns simulation analysis

• Logical analysis of network simulations in ns
• Apply monitoring techniques to simulation traces
• We performed a series of experiments aimed at
  assessing the approach

Data
NS Simulator
Checker
Monitor
Trace
Metatrace
Properties MEDL
Monitoring Script
46
Lynch Automata Models

• I/O Automata
• States, start states, actions, transitions
• Used for asynchronous distributed systems
• Timed I/O Automata
• Timing-based distributed algorithms
• Case studies RR-Xing, Steam Boiler
• Hybrid I/O Automata
• Add explicit trajectories
• Probabilistic I/O Automata
• Compositionality remains active area

47
Composition and Refinement

• Composition
• Model system by composing parts
• Derive properties of system from properties of
  parts
• Refinement
• Show abstract system correct
• Replace abstract model by concrete model
• Maintaining modular structure
• Conclude concrete model is correct

Well understood for simple cases only
48
Probabilistic discrete systems
Lynch

• Compositional modeling
• Special case
• Bisimulation-style characterization of weakest
  precongruence included in trace distribution
  inclusion relation
• General case is open problem
• Environment should only see external behavior of
  components, not internal decisions
• Goal combine Timed/Hybrid/Probabil.
• How do these all fit together?
• How orthogonal are various features?

49
Where do we go from here?

• Many techniques for discrete systems
• State-transition models
• Logical characterizations of behavior
• Some input-output function models
• Some work on continuous properties
• Combine hybrid and probabilistic models?
• Apply techniques to new problems
• Several applications reduce to shared
  mathematical problem (e.g., probability)

50
(No Transcript)