Automatic Verification of Embedded Systems

Enrico Tronci
Dipartimento di Informatica – Università di Roma “La Sapienza”

WIRTES 2007, Pisa, Italy – July 2, 2007

Model Checking Game

Inputs to the Model Checker:
  • System Model, with parameter ranges and disturbances
  • Init States
  • Reqs (undesired/desired states)

Possible answers:
  • Yes, i.e. no sequence of events (states) can possibly lead to an undesired state.
  • Counterexample, i.e. a sequence of events (states) leading to an undesired state.

Model Checking Flavors

  • Hardware: Symbolic (OBDD) based model checking or SAT based Bounded Model Checking. Examples: SMV, VIS
  • Protocols: Explicit Model Checking. Examples: SPIN, Murphi
  • Software: Explicit Model Checking, Bounded Model Checking. Examples: SPIN, CBMC
  • Hybrid Systems, Embedded Systems: Linear Hybrid Automata, Timed Automata, Symbolic Model Checking, Explicit Model Checking, Bounded Model Checking. Examples: Hytech, UPPAAL, SMV, CMurphi, HSMV
  • Stochastic Systems: Symbolic Model Checking, Explicit Model Checking. Examples: PRISM, FHP-Murphi

Our Focus

  • Protocol Verification, Hybrid Systems: We designed cache based and disk based explicit verification algorithms and implemented them inside the Murphi Verifier. The resulting model checker is named CMurphi (for Caching Murphi). CMurphi turns out to be quite effective for protocol and hybrid systems verification.
  • Automatic Synthesis of Controllers and Supervisory Controllers: We designed and implemented symbolic (OBDD) as well as explicit algorithms for automatic synthesis (source code generation) of controllers and supervisory controllers starting from closed loop specifications.
  • Stochastic Hybrid Systems: We designed and implemented a disk based Finite Horizon Probabilistic model checker (FHP-Murphi) for Discrete Time Markov Chains. FHP-Murphi turns out to be quite effective for stochastic hybrid systems verification.
  • Hybrid Systems, Embedded Systems: We designed and implemented a SAT based bounded model checker (HSMV) for Discrete Time Piecewise Affine Hybrid Systems. HSMV can handle systems out of reach for other state-of-the-art model checkers for hybrid systems.

Example

Automatic Verification of a Turbogas Control System

Our goal is to verify the control system for a 2MW Co-generative Power Plant (ICARO). Verification consists in checking that the system under normal working conditions never reaches an undesired state. An undesired state is one in which the turbine rotation speed, the exhaust smokes temperature or the compressor pressure is out of range. Because of its size and dynamics the system at hand cannot be handled using Hytech or UPPAAL. We succeeded in modeling and verifying it using CMurphi extended with finite precision real numbers.

Gas Turbine System

Closed loop (block diagram): the Controller drives the Gas Turbine (Turbogas) through the Fuel Valve Opening FG102; the turbine is subject to disturbances (electric users, parameter variations, etc.); the measured outputs Vrot, Texh, Pel, Pmc are fed back to the controller together with its Settings.

Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure

Controller

Block diagram (labels recovered from the figure): three control cells, N1Gov, PowLim and ExTLim, fed by the measured signals Vrot, Pel, Pmc and Texh through a Limiter; a MIN block selects the Winner among the cell outputs, an ADJ block adds an Offset, and the result is the FG102 Valve Opening Command. Other labels on the figure: 12MW.

Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure

Cell i

Block diagram (labels recovered from the figure): a PI cell with gains Kp and Ki and integrator 1/s, inputs S (setpoint) and P (process value), output saturated (SAT) between bounds A and B; the integrator is reset at u + 4kW, where u = min(output N1Gov, output PowLim, output ExTLim), when the cell is not the winner (Winner != i?). Outputs: the Cell Output and the Winner name. Other labels on the figure: "P > 0?", AND, 10MW.

Power Limiter (PowLim)

Electric Power Controller. Inputs: P = Pel, S = Pel Setpoint (+2MW); Cell i = “Power Limiter”, A = 3000kW, B = 10MW. Outputs: PowLim Output and Winner.

Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure

N1 Governor (N1Gov)

Turbine Rotation Speed Controller. Inputs: P = Vrot, S = setpoint produced by an Acceleration/Deceleration ramp (integrator 1/s, gain Kdr, driven by Pel); Cell i = “N1 Governor”, A = 0, B = 10MW. Outputs: N1 Governor Output and Winner. Other labels on the figure: network, isle, 105%, 6%.

Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure

Exhaust Temperature Limiter (ExTLim)

Exhaust Smoke Temperature Controller. Inputs: P = Texh, S = Pmc + Offset; Cell i = “Exhaust Temperature Limiter”, A = 0, B = 10MW. Outputs: Exhaust Temperature Limiter Output and Winner.

Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure

Gas Turbine

Block diagram: input FG102; outputs Texh, Vrot, Pel; disturbances: electric users, parameter variations, etc.

Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure

Gas Turbine (as seen from Controller)

Generated Electric Power:   P(t + 1) = P(t) + (a1 (P(t) – P0) + a2 FG102(t) – a3 u(t)) T
Smokes Temperature:         Tf(t + 1) = Tf(t) + (b1 (P(t) – P0) + b2 FG102(t) – b3 u(t)) T
Turbine Rotation Speed:     V(t + 1) = V(t) + (c1 (P(t) – P0) + c2 FG102(t) – c3 u(t)) T
User demand:                u(t + 1) = u(t) + MAX_D_U * ud(t) * T

MAX_D_U = max variation speed (time derivative) of user electric demand
ud(t) ∈ {-1, 0, 1} (uncontrolled load disturbance)
Coefficients a, b, c computed by fitting with plant log data.
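The model checking game of the earlier slide, played on the four plant equations above, as an added example (this is not the authors' CMurphi model): an explicit-state breadth-first search over every disturbance sequence ud(t) ∈ {-1, 0, 1}, which answers either PASS (no undesired state is reachable within the horizon) or FAIL together with the shortest counterexample, i.e. the disturbance sequence that drives the turbine out of its allowed speed range. Only T = 10 ms and the 40-120% rotation-speed range come from the slides; the coefficients a, b, c, P0, the nominal demand, the constant fuel-valve opening (the controller is not modelled), the clamp of u to [0, MAX_U], the exhaust-temperature limit, the 3-decimal rounding standing in for CMurphi's finite-precision reals and the exploration horizon are all assumptions of this example.

```python
from collections import deque

# T and the rotation-speed range are from the slides; every other number here is constructed
# for the example (the plant's real a, b, c were fitted from log data and are not on the slides).
T = 0.01                 # 10 ms time step (100 Hz sampling frequency)
P0 = 2000.0              # nominal generated electric power [kW] (2 MW plant)
U0 = 2000.0              # nominal user demand [kW]
MAX_U = 4000.0           # user demand is clamped to [0, MAX_U] (assumption, not on this slide)
FG102 = 50.0             # fuel valve opening, held constant: the controller is not modelled here
TF0, V0 = 500.0, 100.0   # initial exhaust temperature [C] and rotation speed [% of 22500 rpm]
V_RANGE = (40.0, 120.0)  # allowed rotation-speed range (slides)
TF_MAX = 560.0           # constructed exhaust-temperature limit
# Coefficients (a1, a2, a3), (b1, b2, b3), (c1, c2, c3): chosen so that a2*FG102 == a3*U0 etc.,
# making the initial state an equilibrium, and with no feedback through P (a1 = b1 = c1 = 0).
A = (0.0, 20.0, 0.5)
B = (0.0, 8.0, 0.2)
C = (0.0, 8.0, 0.2)


def quantize(state, digits=3):
    """Finite-precision reals: rounding every component keeps the state space finite."""
    return tuple(round(x, digits) for x in state)


def initial_state():
    return quantize((P0, TF0, V0, U0))


def step(state, ud, max_d_u):
    """One sampling step of the four equations on the slide; state = (P, Tf, V, u)."""
    p, tf, v, u = state
    a1, a2, a3 = A
    b1, b2, b3 = B
    c1, c2, c3 = C
    p_next = p + (a1 * (p - P0) + a2 * FG102 - a3 * u) * T
    tf_next = tf + (b1 * (p - P0) + b2 * FG102 - b3 * u) * T
    v_next = v + (c1 * (p - P0) + c2 * FG102 - c3 * u) * T
    u_next = min(max(u + max_d_u * ud * T, 0.0), MAX_U)   # uncontrolled load disturbance, clamped
    return quantize((p_next, tf_next, v_next, u_next))


def undesired(state):
    """Reqs: rotation speed inside V_RANGE (slides) and exhaust temperature below TF_MAX."""
    _p, tf, v, _u = state
    return not (V_RANGE[0] <= v <= V_RANGE[1]) or tf > TF_MAX


def model_check(max_d_u, horizon=60):
    """Explicit-state breadth-first search over every disturbance sequence of length <= horizon.

    Returns ("PASS", number of reachable states) when no undesired state is reachable, or
    ("FAIL", ud sequence) with a shortest counterexample (BFS visits states in depth order).
    """
    init = initial_state()
    if undesired(init):
        return "FAIL", []
    parent = {init: None}          # state -> (predecessor state, ud that produced it)
    queue = deque([(init, 0)])
    while queue:
        state, depth = queue.popleft()
        if depth == horizon:
            continue
        for ud in (-1, 0, 1):
            nxt = step(state, ud, max_d_u)
            if nxt in parent:      # already reached at this depth or shallower
                continue
            parent[nxt] = (state, ud)
            if undesired(nxt):
                return "FAIL", _counterexample(parent, nxt)
            queue.append((nxt, depth + 1))
    return "PASS", len(parent)


def _counterexample(parent, state):
    """Walk the BFS tree back to the initial state; returns the disturbance sequence."""
    uds = []
    while parent[state] is not None:
        state, ud = parent[state]
        uds.append(ud)
    uds.reverse()
    return uds


def replay(uds, max_d_u):
    """Re-run a counterexample from the initial state and return every visited state."""
    states = [initial_state()]
    for ud in uds:
        states.append(step(states[-1], ud, max_d_u))
    return states


if __name__ == "__main__":
    for max_d_u in (0.0, 2500.0, 5000.0):
        verdict, detail = model_check(max_d_u)
        if verdict == "PASS":
            print(f"MAX_D_U = {max_d_u:6.0f} kW/s: PASS, {detail} reachable states")
        else:
            print(f"MAX_D_U = {max_d_u:6.0f} kW/s: FAIL after {len(detail)} steps, ud = {detail}")
            print("   final state (P, Tf, V, u) =", replay(detail, max_d_u)[-1])
```

With no disturbance (MAX_D_U = 0) the equilibrium is the only reachable state and the check passes; with MAX_D_U = 5000 kW/s the search returns the 21-step all-decreasing demand sequence that pushes the rotation speed above 120%, and replay() reproduces that trace step by step, which is what one does with a CMurphi counterexample before trusting it. The horizon and the rounding are the two knobs that trade completeness for state-space size, exactly the trade-off behind the "Diameter" and "Reachable States" columns of the results slide.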

Experimental Results

Result   CPU (sec)   Diameter   Rules Fired   Reachable States   MAX_D_U (KW/sec)
FAIL        271.77        804       109,015             36,801               5000
FAIL      12548.25       1533     5,186,047          1,739,719               2500
PASS      54012.18       7423    22,477,167          7,492,389               1750
PASS      16988.18      12904     6,738,984          2,246,328               1000

Results on an INTEL Pentium 4, 2GHz Linux PC with 512 MB RAM. Murphi options: -b, -c, --cache, -m350

Fail trace: MAX_D_U = 2500 KW/sec

[Plot: Electric user demand (KW) and Rotation speed (percentage of max = 22500 rpm) along the trace; 10 ms time step (100 Hz sampling frequency); allowed range for rotation speed: 40-120]

Fail trace: MAX_D_U = 5000 KW/sec

[Plot: Electric user demand (KW) and Rotation speed (percentage of max = 22500 rpm) along the trace; 10 ms time step (100 Hz sampling frequency); allowed range for rotation speed: 40-120]

User Demand Distribution

Where M = max user demand (MAX_U) and a = speed of variation of user demand (MAX_D_U):

  p(v, 1)  = 0.4 + b (v – M) |v – M| / M^2
  p(v, 0)  = 0.2
  p(v, -1) = 0.4 + b (M – v) |M – v| / M^2

with -0.4 <= b <= 0.4.

Let u(t) be the user demand at time t. We can define the (stochastic) dynamics of the user demand as follows:

  u(t + 1) = min(u(t) + a, M)   with probability p(u(t), 1)
  u(t + 1) = u(t)               with probability p(u(t), 0)
  u(t + 1) = max(u(t) - a, 0)   with probability p(u(t), -1)

The further u(t) is from u0 (nominal user demand), the higher the probability that u(t) returns towards u0, that is, decreases when u(t) > u0 and increases when u(t) < u0.

Finite Horizon Markov Chain Analysis

… of our turbogas

Probability of violating spec   CPU time (s)   Horizon   Rules Fired   Visited States   MAX_D_U (KW/sec)
3.984375e-03                            2212       900       246,285           83,189               5000
9.957147e-05                           41403      1300     5,439,327        1,834,684               4500
1.076644e-04                           50263      1400     6,602,763        2,226,036               3500
7.373292e-05                           68562      1600     8,971,839        3,018,970               2500
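The finite-horizon analysis that FHP-Murphi performs, applied to the stochastic user-demand chain of the previous slide, as an added example (not the authors' FHP-Murphi code): the demand's probability distribution is propagated forward one step at a time, and the mass that reaches a violating state is accumulated, so the h-th entry of the result is the probability of violating the spec within h steps, the quantity in the first column of the table above. The transition probabilities p(v, i) and the min/max dynamics are those of the slide; the spec used in the demo (a demand threshold standing in for the turbine leaving its allowed range), the value of b, the maximum demand M and the nominal demand are constructed for the example.

```python
def transition_probability(v, i, M, b):
    """p(v, i) from the slide: demand v moves up (i = 1), stays (i = 0) or moves down (i = -1)."""
    if i == 1:
        return 0.4 + b * (v - M) * abs(v - M) / M ** 2
    if i == 0:
        return 0.2
    if i == -1:
        return 0.4 + b * (M - v) * abs(M - v) / M ** 2
    raise ValueError("i must be 1, 0 or -1")


def successors(u, a, M, b):
    """The three possible next demands and their probabilities (the slide's stochastic dynamics)."""
    return [
        (min(u + a, M), transition_probability(u, 1, M, b)),
        (u, transition_probability(u, 0, M, b)),
        (max(u - a, 0), transition_probability(u, -1, M, b)),
    ]


def violation_probabilities(u0, a, M, b, horizon, violates):
    """Finite-horizon analysis of the demand chain: entry h-1 of the returned list is the
    probability that a run starting at u0 enters a violating state within h steps.

    Probability mass is propagated forward one step at a time over the non-violating states;
    mass that lands on a violating state is accumulated and never propagated further (violating
    states are absorbing), so each run is counted once, at its first violation.
    """
    if violates(u0):
        return [1.0] * horizon
    dist = {u0: 1.0}        # probability mass per non-violating demand value
    absorbed = 0.0
    cumulative = []
    for _ in range(horizon):
        nxt = {}
        for u, mass in dist.items():
            for u_next, q in successors(u, a, M, b):
                if q <= 0.0:
                    continue
                if violates(u_next):
                    absorbed += mass * q
                else:
                    nxt[u_next] = nxt.get(u_next, 0.0) + mass * q
        dist = nxt
        cumulative.append(absorbed)
    return cumulative


if __name__ == "__main__":
    M, T = 4000, 0.01                    # max demand [kW] (constructed) and the 10 ms step
    spec_violated = lambda u: u >= 3500  # constructed spec: demand this far above nominal is undesired
    for max_d_u, horizon in ((5000, 900), (2500, 1600)):   # MAX_D_U values and horizons as in the table
        a = round(max_d_u * T)           # demand change per step [kW]
        probs = violation_probabilities(2000, a, M, 0.4, horizon, spec_violated)
        print(f"MAX_D_U = {max_d_u} kW/s, horizon {horizon}: P(violation) = {probs[-1]:.6e}")
```

The chain is kept small by representing the distribution as a dictionary over the demand values actually reached, which is also why FHP-Murphi can afford a disk-based implementation: the number of visited states, not the horizon, is what bounds memory. Note that the three probabilities of each state sum to one for any b in [-0.4, 0.4], since the b-terms of p(v, 1) and p(v, -1) cancel.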

Example

Covert Channel Analysis

In Real Time Systems a Covert Channel may arise from the ACKs of communication channels. This covert channel cannot be eliminated; however, its bandwidth can be kept small.

We show how, using FHP-Murphi, it is possible to carry out a fine grain analysis of covert channel capacity for the well known NRL pump.

Example

NRL Pump

The NRL Pump is a special-purpose device that forwards data from a low (security) level system LS (e.g. public info) to a high (security) level system HS (e.g. private info), but not conversely. LS sends Data to the pump's Buffer and receives a statistically modulated ACK; the pump forwards the Data to HS and receives HS's ACK. Idea: the LS ACK delay is probabilistically based on a moving average of HS ACK delays.

Protocol states on the figure: LS: Ready to send → Waiting ACK → Got ACK → Send Data; HS: Ready to receive → Read Data → Send ACK → Done.

NRL Pump (Probabilistic) Properties:
  • Minimize information flow from HS to LS.
  • Enforce reasonable performances, i.e.: <average ACK delay as seen from LS> = <average HS ACK delay>

Covert Channel Experimental Results (1)

Pdec(h): probability of making a decision within h time units.
Pwrong(h): probability of making the wrong decision within h time units.
We can compute the probability of making the right decision within h time units as: Pright(h) = Pdec(h)(1 - Pwrong(h)). Of course we want Pright(h) to be small.

We studied the previous probabilities for various settings of our model parameters:
  • BUFFER SIZE: 3, 5
  • WINDOW SIZE: 3, 5
  • OBS WINDOW SIZE: 3, 5

About 2 days of computation for each setting on a 2GHz Intel Pentium PC with Linux OS and 512MB of RAM.

Covert Channel Exp: Pdec, Pwrong as a function of the number of steps h

[Plot: Pdec(h) and Pwrong(h) against the number of steps h]

Covert Channel Exp: Pright as a Function of the number of steps h

[Plot: Pright(h) against the number of steps h]

Our time unit is about the time needed to transfer messages from/to the pump (about 1ms). Our experimental results show that the high system can send bits to the low system at a rate of about 1 bit every 10 seconds, i.e. 0.1 bits/sec. This is secure enough for many applications.
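The pump mechanism and the Pdec/Pwrong/Pright measurement of the two previous slides, as an added example for evaluating a pump configuration (this is a Monte Carlo simulation, not the authors' FHP-Murphi model, which computes these probabilities exactly): the pump keeps a moving average of the last WINDOW SIZE HS ACK delays and delays each LS ACK by a random amount with that mean, which is the slide's idea; the exponential shape of that delay, the two HS regimes (ACKs around d_fast or d_slow time units with jitter), the warm start of the moving average and the running-mean threshold rule by which LS decides are assumptions of this example. The function returns Pdec(h), Pwrong(h) and Pright(h) = Pdec(h)(1 - Pwrong(h)) for every h up to the horizon, so the effect of the window size on the residual information flow can be compared directly.

```python
import random
from collections import deque
from statistics import mean


class NRLPump:
    """Returns an ACK to LS whose delay is random with mean equal to the moving average of the
    last `window` HS ACK delays (the slide's idea; the exponential shape is an assumption)."""

    def __init__(self, window, rng, initial_hs_delay):
        # Warm start: the average is initialised at a neutral value (assumption of the example).
        self.history = deque([initial_hs_delay] * window, maxlen=window)
        self.rng = rng

    def ack_delay_to_ls(self, hs_ack_delay):
        """Record the latest HS ACK delay and draw the modulated delay that LS will observe."""
        self.history.append(hs_ack_delay)
        return self.rng.expovariate(1.0 / mean(self.history))


def decision_probabilities(window, horizon, trials, d_fast=1.0, d_slow=2.0, margin=0.3, seed=7):
    """Monte Carlo estimate of Pdec(h), Pwrong(h) and Pright(h) for h = 1..horizon.

    In each trial HS acknowledges either quickly (about d_fast) or slowly (about d_slow); LS sees
    only the pump's modulated ACK delays and concludes "slow" or "fast" the first time the running
    mean of what it observed leaves the band midpoint +/- margin (decision rule of this example).
    Returns a list of (h, Pdec, Pwrong, Pright), with Pwrong conditional on a decision being made.
    """
    rng = random.Random(seed)
    mid = (d_fast + d_slow) / 2.0
    outcomes = []                                   # per trial: (decision step, correct?) or None
    for trial in range(trials):
        slow_regime = trial % 2 == 1                # alternate the two HS regimes
        pump = NRLPump(window, rng, mid)
        total, outcome = 0.0, None
        for k in range(1, horizon + 1):
            hs_delay = (d_slow if slow_regime else d_fast) * rng.uniform(0.8, 1.2)   # HS jitter
            total += pump.ack_delay_to_ls(hs_delay)
            running_mean = total / k
            if running_mean > mid + margin:
                outcome = (k, slow_regime)          # LS concludes "slow"
                break
            if running_mean < mid - margin:
                outcome = (k, not slow_regime)      # LS concludes "fast"
                break
        outcomes.append(outcome)
    table = []
    for h in range(1, horizon + 1):
        decided = [correct for o in outcomes if o is not None and o[0] <= h for correct in (o[1],)]
        p_dec = len(decided) / trials
        p_wrong = decided.count(False) / len(decided) if decided else 0.0
        table.append((h, p_dec, p_wrong, p_dec * (1.0 - p_wrong)))
    return table


if __name__ == "__main__":
    for window in (3, 5):                           # WINDOW SIZE values studied on the slides
        table = decision_probabilities(window, horizon=200, trials=400)
        for h, p_dec, p_wrong, p_right in table:
            if h in (10, 50, 100, 200):
                print(f"window {window}, h = {h:3d}: Pdec = {p_dec:.3f}, "
                      f"Pwrong = {p_wrong:.3f}, Pright = {p_right:.3f}")
```

Because the LS ACK delay is drawn afresh around a smoothed average, the observed delays carry much less information per step than the raw HS delays would, and a larger window spreads the influence of any one HS ACK over more LS ACKs, which is why the slides vary WINDOW SIZE. Pdec(h) is non-decreasing in h by construction (a decision, once made, stands), and the number of steps at which Pright(h) becomes appreciable is the quantity that, at about 1 ms per step, gave the slides their "1 bit every 10 seconds" estimate.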

Example

Pump-Tanks Controller

Our goal is to verify the safety of a controller for a hybrid system consisting of pumps (producers) feeding a set of tanks (consumers), a situation arising in many settings. We use our SAT based bounded model checker for hybrid systems to tackle this problem, which is out of reach for other model checkers.

k Pumps on n Tanks: KPNT

Figure: pumps P1, P2, P3 over tanks T1 … T5; each tank has a sink that is either open or closed. The pumps move endlessly left to right and right to left. The Controller opens and closes the sinks. Error Condition: water overflow or water underflow in a tank.

MILP Problems for KPNT

Rows and Columns of MILP Problems (n = 2k; h is the verification horizon; the real and int columns are the non-bool variables):

k    h     rows    real   int    bool   non-zero
1    7      965      40     8     219       1826
2    4     1413      50    10     406       2764
3    4     2751      75    15     927       5550
3   98    64979    1485   297   21795     133014
3   99    65641    1500   300   22017     134370
4   71    82087    1440   288   30732     172856
4   72    83241    1460   292   31164     175288
5   54   100759    1375   275   40585     217330
5   55   102621    1400   280   41335     221350
6   48   136309    1470   294   57714     299844
6   49   139143    1500   300   58914     306084

GLPK vs MILP2SAT

Execution Times (GLPK, SAT & CEGAR), Small Systems:

k   h   output   GLPK (s)   MILP2SAT (s)   CEGAR (s)
1   7   SAT         88,09          3,12        4,63
2   4   SAT          4,95          5,66        6,28
3   4   UNSAT     7256,42         13,63        3,09
3   5   UNSAT     > 10800         15,72        3,89

GLPK OUT: MILP with 2751 rows, 5550 non-zero variables.

MILP2SAT vs CEGAR

Times, Clauses and Memory (SAT & CEGAR), Large Systems. Last verification horizons reached by MILP2SAT; MILP: 136K rows, 299K non-zero variables.

                   MILP2SAT                                CEGAR
k   h    output    time (s)    clauses     memory (MB)    time (s)   clauses     memory (MB)
3   23   UNSAT      1902,32    8,93E+06    837,253          21,43    2,13E+06    240,83
3   24   UNSAT      Out of Mem                               20,65    2,25E+06    241,557
3   98   UNSAT      Out of Mem                              153,35    9,08E+06    839,641
4    9   UNSAT       125,28    8,53E+06    833,473           9,79    1,10E+06    120,756
4   71   UNSAT      Out of Mem                              144,17    8,65E+06    836,938
5    3   UNSAT        62,44    6,75E+06    627,688           4,07      473834     47,8307
5   54   UNSAT      Out of Mem                              139,58    8,52E+06    836,518
6    1   UNSAT        46,99    5,21E+06    487,896         171,903    3,87E+06    381,539
6   48   UNSAT      Out of Mem                              157,57    8,20E+06    643,253

Out of Mem: “1GB of RAM not enough to generate clauses”

CEGAR

Execution Times for KPNT with k = 3

[Plot: CEGAR execution time (secs), 20 to 180, against verification horizon, 10 to 90]

CEGAR

Final number of Generated Clauses for KPNT with k = 3

[Plot: number of generated clauses (SAT-CEGAR), 0.0E+00 to 1.0E+07, against verification horizon, 5 to 95]

Example

Automatic Synthesis of Controllers and Supervisory Controllers

We designed and implemented symbolic (OBDD based) as well as explicit algorithms for automatic synthesis of controllers and supervisory controllers (à la Wonham) starting from closed loop specifications. Our focus here is on Finite State Discrete Event Systems (DES).

Supervisory Control

Closed loop: Controller → Supervisory Controller → Plant. The Supervisory Controller only passes to the plant those controller commands that are safe, i.e. that cannot possibly lead the plant to an undesired state. Controllers and Supervisory Controllers can be automatically synthesized from the plant description using model checking algorithms.
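How a supervisory controller is synthesized from a plant description with a model checking style fixpoint, as an added example that is not the authors' OBDD or explicit implementation: the plant is a small finite-state DES in the spirit of the KPNT slides (one tank whose sink the controller opens or closes while a pump may or may not be over it), the undesired states are overflow and underflow, and the synthesis computes the largest set of states from which the plant can be kept safe forever, treating the controller's commands as controllable events and the pump's movement as uncontrollable ones. The supervisor then passes a command exactly when its target state lies inside that set. The turn-based plant model, the tank size and the event names are constructed for this example.

```python
CONTROLLABLE = {"open", "close"}        # commands the supervisory controller can block
OVERFLOW, UNDERFLOW = "overflow", "underflow"
BAD = {OVERFLOW, UNDERFLOW}             # the undesired states (error condition of the KPNT slides)


def build_tank_plant(levels=5):
    """One tank with water level 0..levels as a turn-based DES (constructed plant).

    State = (level, sink_open, turn). On the controller's turn the command "open" or "close" sets
    the sink for the next period; on the environment's turn the uncontrollable event "pump" (a pump
    is over the tank) or "no_pump" happens: with the sink closed a pump period raises the level by
    one, with the sink open a period without pump lowers it by one (inflow and outflow cancel out
    otherwise). Returns {state: [(event, next_state), ...]}.
    """
    trans = {}
    for level in range(levels + 1):
        for sink_open in (False, True):
            trans[(level, sink_open, "ctrl")] = [
                ("open", (level, True, "env")),
                ("close", (level, False, "env")),
            ]
            rise = 0 if sink_open else 1
            fall = 1 if sink_open else 0
            trans[(level, sink_open, "env")] = [
                ("pump", _after(level + rise, sink_open, levels)),
                ("no_pump", _after(level - fall, sink_open, levels)),
            ]
    return trans


def _after(level, sink_open, levels):
    """Map a new water level to the next controller-turn state or to an error state."""
    if level > levels:
        return OVERFLOW
    if level < 0:
        return UNDERFLOW
    return (level, sink_open, "ctrl")


def synthesize(trans, controllable, bad):
    """Safety-game fixpoint: the largest set W of states from which the plant can be kept out of
    `bad` forever, plus the supervisor derived from it.

    A state leaves W when some uncontrollable successor is outside W (the environment can force an
    escape) or when it has controllable moves and none of them stays inside W (no safe command is
    left). Iterate until nothing changes. The supervisor lets a command through exactly when the
    command's target state is in W.
    """
    states = set(trans)
    for succs in trans.values():
        states.update(t for _e, t in succs)
    W = states - set(bad)
    changed = True
    while changed:
        changed = False
        for s in list(W):
            succs = trans.get(s, [])
            unc_escape = any(t not in W for e, t in succs if e not in controllable)
            ctrl_targets = [t for e, t in succs if e in controllable]
            no_safe_cmd = bool(ctrl_targets) and not any(t in W for t in ctrl_targets)
            if unc_escape or no_safe_cmd:
                W.discard(s)
                changed = True
    supervisor = {
        s: {e for e, t in trans[s] if e in controllable and t in W}
        for s in W
        if s in trans and any(e in controllable for e, _t in trans[s])
    }
    return W, supervisor


def pass_command(supervisor, state, command):
    """Run-time check of the supervisory controller: forward `command` only if it is safe here."""
    return command in supervisor.get(state, set())


if __name__ == "__main__":
    plant = build_tank_plant()
    W, supervisor = synthesize(plant, CONTROLLABLE, BAD)
    print(f"{len(W)} safe states")
    for state, allowed in sorted(supervisor.items()):
        if allowed != CONTROLLABLE:
            sink = "open" if state[1] else "closed"
            print(f"level {state[0]}, sink {sink}: allowed commands {sorted(allowed)}")
```

On this plant the fixpoint removes only two environment states, full tank with the sink closed (a pump period overflows it) and empty tank with the sink open (a period without pump underflows it), and the supervisor accordingly blocks "close" at level 5 and "open" at level 0 while letting every other command through. The same computation on the symbolic side is a greatest fixpoint over OBDD-represented state sets, which is what makes it scale to the plants on the slides.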


Thanks!