Rohit Chadha , Umang Mathur , Stefan Schwoon – 1 of 17
ProPed: Tool for Symbolic Verification of Probabilistic Recursive Programs
Rohit Chadha 1, Umang Mathur 2, Stefan Schwoon 3
1 Computer Science Department, University of Missouri
Columbia, Missouri, USA
2 Department of Computer Science and Engineering, Indian Institute of Technology - Bombay
Mumbai
3 LSV, ENS Cachan, France
January 23, 2014
Rohit Chadha , Umang Mathur , Stefan Schwoon – 2 of 17
ProPed: Symbolic Verification + Probabilistic + Recursion
Figure: Comparison with existing state-of-the-art tools
– Moped: Recursion and symbolic program verification but no probability
– PRISM: Symbolic program analysis and probability but no recursion
– PReMo: Recursion and probability but explicit state model checking
ProPed = Moped ∪ PRISM ∪ PReMo
ProPed is a MTBDD-based tool that analyzes probabilistic recursive programs
Rohit Chadha , Umang Mathur , Stefan Schwoon – 3 of 17
Probabilistic Recursive Programs
Analysis of Probabilistic Recursive Programs:
– Modeling the program
– Reachability Analysis and Property Checking
– Calculating Information Leakage
Rohit Chadha , Umang Mathur , Stefan Schwoon – 4 of 17
Example program
procedure p;
  p0: if ? then
  p1:   call s;
  p2:   if ? then wp 0.2 -> call p;
                  wp 0.8 -> skip;
        end if;
      else
  p3:   call p;
      end if
  p4: return

procedure s;
  s0: if ? then return;
      end if;
  s1: call p;
  s2: return;

procedure main;
  m0: call s;
  m1: return;

S = {p0, ..., p4, s0, ..., s2, m0, m1}*, initial state = m0

Figure: Prefix of the (infinite) configuration graph rooted at m0; each configuration is the current program point followed by the stack of return addresses:
m0 → s0 m1
s0 m1 → m1 → ε (s returns at s0)
s0 m1 → s1 m1 → p0 s2 m1 (s calls p)
p0 s2 m1 → p1 s2 m1 → s0 p2 s2 m1 (p calls s)
p0 s2 m1 → p3 s2 m1 → p0 p4 s2 m1 (p calls itself)
Rohit Chadha , Umang Mathur , Stefan Schwoon – 5 of 17
Analysis of Recursive Programs is not Straightforward
– Potentially infinite state space!
– Simple unrolling/inlining is not applicable
– Cannot be analyzed by naively searching all reachable states
– Some finite representation is required
Rohit Chadha , Umang Mathur , Stefan Schwoon – 6 of 17
Computation Model for Probabilistic Recursive Programs
– Control flow:
  – Sequential (probabilistic) program
  – Procedures
  – Mutual procedure calls (possibly recursive)
– Data:
  – Global Variables (finite memory)
  – Local Variables in each procedure (one copy per call)
Rohit Chadha , Umang Mathur , Stefan Schwoon – 7 of 17
Pushdown Systems: Syntax and Semantics
A pushdown system is a triple (P,Γ, δ), where
– P is a finite set of control locations (states)
– Γ is a finite stack alphabet
– δ ⊆ (P × Γ)× (P × Γ∗) is a finite set of rules
A configuration is a pair pα, where p ∈ P and α ∈ Γ∗
Semantics: A (possibly infinite) transition system with configurations as states and transitions given by
If pX ↪→ qα ∈ δ, then pXβ → qαβ for every β ∈ Γ∗
Normalization: |α| ≤ 2 (each transition pushes at most 2 symbols on the stack), termination only by empty stack.
Rohit Chadha , Umang Mathur , Stefan Schwoon – 8 of 17
Probabilistic Pushdown Systems: Syntax and Semantics
A probabilistic pushdown system is a tuple P = (P,Γ, δ, Prob), where
– (P,Γ, δ) is a PDS
– Prob : δ → (0, 1] such that for every pair pX we have $\sum_{pX \hookrightarrow q\alpha \in \delta} \mathrm{Prob}(pX \hookrightarrow q\alpha) = 1$
– We write $pX \overset{x}{\hookrightarrow} q\alpha$ to denote Prob(pX ↪→ qα) = x
Semantics: A (possibly infinite) Markov chain with configurations as states and transition probabilities given by
If $pX \overset{x}{\hookrightarrow} q\alpha \in \delta$, then $pX\beta \xrightarrow{x} q\alpha\beta$ for every β ∈ Γ∗
Rohit Chadha , Umang Mathur , Stefan Schwoon – 9 of 17
From programs to pushdown systems
State of a procedural program: (g, n, l, (n_1, l_1) ··· (n_k, l_k)), where
– g is a valuation of the global variables,
– n is the value of the program counter,
– l is a valuation of local variables of the current active procedure,
– n_i is a return address, and
– l_i is a saved valuation of the local variables of a calling procedure
Modeled as a configuration pXY_1 ··· Y_k where
p = g, X = (n, l), Y_i = (n_i, l_i)
Rohit Chadha , Umang Mathur , Stefan Schwoon – 10 of 17
From programs to pushdown systems
The following correspondence between a program and PDS holds:
– State p corresponds to valuations of global variables
– Γ corresponds to tuples of the form (program counter, local valuations)
– Configuration pAw can be interpreted with globals in p, current procedure with local variables in A and suspended procedures in w
– Rule pX ↪→ qY corresponds to a sequential statement within a procedure
– Rule pX ↪→ qY Z corresponds to a call to some procedure
– Rule pX ↪→ qε corresponds to a return from some procedure
Rohit Chadha , Umang Mathur , Stefan Schwoon – 11 of 17
Probabilistic Verification
– Qualitative properties: Does a program property hold with probability 1?
– Quantitative properties: What is the probability with which a certain property holds?
– Reachability of control states
  – simple PCTL properties such as ♦(l1 ∨ l2 ∨ ··· ∨ lk), where the li are labels in the program
Rohit Chadha , Umang Mathur , Stefan Schwoon – 12 of 17
Quantitative Verification: Formulating a system of non-linear equations
Define a variable [pXq] as the probability of starting at the configuration pX and eventually reaching the configuration qε.
Theorem (J. Esparza, A. Kucera, R. Mayr)
The [pXq]s are the least solution of the following system of equations:
$$[pXq] \;=\; \sum_{pX \overset{x}{\hookrightarrow} q\varepsilon} x \;+\; \sum_{pX \overset{x}{\hookrightarrow} rY} x \cdot [rYq] \;+\; \sum_{pX \overset{x}{\hookrightarrow} rYZ} x \cdot \sum_{t \in P} [rYt] \cdot [tZq]$$
The system is of the form x = P(x), and the sequence 0, P(0), P²(0), ... converges to the least solution.
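As an added illustration (this is not ProPed's code), the following Python runs the 0, P(0), P²(0), ... iteration on a constructed two-state pPDS; the self-recursive rule g0 X → g0 XX makes the equation for [g0 X g0] quadratic with roots 1 ± √0.4, and starting from 0 the iteration settles on the least one, 1 − √0.4, not on the spurious root above 1.

```python
from itertools import product

# Constructed toy pPDS (not from the slides). Each head (control state,
# stack symbol) maps to rules (probability, new control state, pushed word),
# with |word| <= 2 as in the normalized form used by ProPed.
RULES = {
    ("g0", "X"): [(0.3, "g0", ""),     # return, globals unchanged
                  (0.5, "g0", "XX"),   # call X, then continue with X
                  (0.2, "g1", "")],    # return, flipping the global bit
    ("g1", "X"): [(1.0, "g1", "")],    # return
}

def kleene(rules, tol=1e-12, max_iter=10_000):
    """Least solution of the Esparza-Kucera-Mayr equations for [pXq],
    computed Jacobi-style: every variable in round n+1 uses round-n values."""
    states = sorted({p for p, _ in rules} | {q for rs in rules.values() for _, q, _ in rs})
    symbols = sorted({x for _, x in rules} | {c for rs in rules.values() for _, _, w in rs for c in w})
    v = {(p, x, q): 0.0 for p, x, q in product(states, symbols, states)}  # start at 0
    for _ in range(max_iter):
        nxt = {}
        for p, x, q in v:
            total = 0.0
            for prob, r, w in rules.get((p, x), []):
                if w == "":                  # pX -> r eps: reaches q eps iff r == q
                    total += prob if r == q else 0.0
                elif len(w) == 1:            # pX -> rY: continue from rY
                    total += prob * v[(r, w, q)]
                else:                        # pX -> rYZ: pop Y into some t, then Z from t
                    y, z = w
                    total += prob * sum(v[(r, y, t)] * v[(t, z, q)] for t in states)
            nxt[(p, x, q)] = total
        delta = max(abs(nxt[k] - v[k]) for k in v)
        v = nxt
        if delta < tol:
            break
    return v

def termination_probability(rules, p, x):
    """Probability that the configuration pX eventually empties its stack."""
    v = kleene(rules)
    return sum(val for (pp, xx, _), val in v.items() if (pp, xx) == (p, x))
```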
Rohit Chadha , Umang Mathur , Stefan Schwoon – 13 of 17
Fixed-point Computation
– The variables [pXq] are just relations over the initial and final valuations of variables
– The statements of the program are also similar relations
Figure: MTBDD encoding the relation between x and x' for the statement x = !x
– Can be represented efficiently as MTBDDs (= BDDs + real values on the terminal nodes)
– Fixed point computation - Jacobi Iterative Method
– Use of CUDD library for MTBDD (ADD) manipulations.
Rohit Chadha , Umang Mathur , Stefan Schwoon – 14 of 17
Information Leakage
– Leakage measured in terms of min-entropy (G. Smith)
– For a given set of inputs S and outputs O, the min-entropy leakage is
$$L_{S,O} = \log \frac{V(S \mid O)}{V(S)},$$
where
  – S is a random variable on S with distribution P_S
  – O is a random variable on O with distribution P_O
  – $V(S) = \max_{s \in S} P_S[s]$
  – $V(S \mid O) = \sum_{o \in O} P_O[o] \cdot \max_{s \in S} P[s \mid o]$
– Computing the above metric is simply basic ADD manipulation!
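Added example (not ProPed's code): the min-entropy leakage above computed over plain dictionaries where ProPed would use ADDs. The channel is constructed for the example: a 2-bit secret whose low bit is observed, optionally flipped with some probability; with a noiseless observation exactly one bit leaks.

```python
import math

def min_entropy_leakage(prior, channel):
    """Smith's min-entropy leakage L = log2( V(S|O) / V(S) ), in bits.
    prior:   dict secret -> P_S[s]
    channel: dict secret -> dict output -> P[o | s]  (each row sums to 1)"""
    # V(S) = max_s P_S[s]: the best one-guess success rate before observing
    v_s = max(prior.values())
    # V(S|O) = sum_o P_O[o] * max_s P[s|o] = sum_o max_s P_S[s] * P[o|s]
    outputs = {o for row in channel.values() for o in row}
    v_s_given_o = sum(max(prior[s] * channel[s].get(o, 0.0) for s in prior)
                      for o in outputs)
    return math.log2(v_s_given_o / v_s)

def parity_channel(flip=0.0):
    """Constructed channel: the low bit of a 2-bit secret is observed,
    but reported flipped with probability `flip`."""
    return {s: {s % 2: 1.0 - flip, 1 - s % 2: flip} for s in range(4)}

UNIFORM = {s: 0.25 for s in range(4)}   # uniform prior on the 2-bit secret
```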
Rohit Chadha , Umang Mathur , Stefan Schwoon – 15 of 17
Technical details about the tool
– Input language: Remopla with an additional pchoice construct

define N 32
define DEFAULT_INT_BITS N
unsigned int var1;
bool g;
module void f(unsigned int v, bool z) {
  bool k;
  pchoice
    :: 0.2 -> label2: k = g && z;
    :: 0.8 -> var1 = var1 + v;
  choicep
}
module void main() {
  var1 = 53;
  pchoice
    :: 0.3 -> label1: g = true;
    :: 0.7 -> f(var1, !g);
  choicep
}
Figure: An input program for ProPed
– Parser and other libraries (CUDD, etc.,) : C
– Analysis (Fixed point computation) : C++
Rohit Chadha , Umang Mathur , Stefan Schwoon – 16 of 17
More about MTBDDs
Figure: An MTBDD (decision nodes labelled by variable indices; terminal nodes carry the real values 0, 0.14, 0.56 and 0.7)
MTBDD = Multi-Terminal Binary Decision Diagram
– CUDD : ADD (Algebraic Decision Diagram) interface
– Provides important utilities:
  – Cudd_addTimes
  – Cudd_addPlus
  – Cudd_addPermute
  – Cudd_addMatrixMultiply
  – Cudd_addCmpl, Cudd_addXnor, ...
  – Cudd_addExistAbstract, Cudd_addMaxAbstract, ...
Rohit Chadha , Umang Mathur , Stefan Schwoon – 17 of 17
Possible Improvements and Extensions
– Use faster iteration methods (Jacobi is too slow) such as Newton-Raphson iterations
– Repeated Reachability: Büchi
– Information leakage by energy characterization