Static and Dynamic Analysis of Cyber-Physical Systems

Posted on 03-Oct-2020

Transcript

Dynamic Analysis of Cyber-Physical Systems

Parasara Sridhar Duggirala

Trends in Air Traffic

Air traffic is going to double in the next 20-25 years

Improving throughput of airports

Cost of adding runways ~ $15B+

Packing more planes on runways

Physical limits to packing, e.g. wake vortices

Human in the loop

Solution: Software

Safe Parallel Landing From NASA: Ensuring Safe Separation

[Figure: Intruder at $(x_i, y_i)$ with velocity $\langle v_{xi}, v_{yi}\rangle$; Ownship at $(x_0, y_0)$ with velocity $\langle v_{xo}, v_{yo}\rangle$; required separation $s_x$, $s_y$]

Ensure safety among ownship and intruder

Fail-safe alarming system ALAS by NASA (similar to TCAS)

◦ Issues an alarm 4 seconds before aircraft violate safe separation

Did they get it right?

ALAS: New Alerting Mechanism / A Typical Cyber-Physical System

Motion described by ODEs: $\frac{d}{dt}x_i = v_{xi};\ \frac{d}{dt}y_i = v_{yi};\ \dots$

Software changes the type of motion

[Figure: intruder modes approach $\dot x = f_a(x)$ and turn $\dot x = f_b(x)$, switching at $t = 3$]

Continuous behavior + software control = CPS

CPS Everywhere!

Problems in CPS

Toyota recalled 1.9 million Prius cars (total cars recalled in 2013 ~20M)

FDA report: software failure is responsible for 24% of recalls in medical devices (of 2M)

Northeast blackout of 2003 was caused by a race condition

My Research: Develop Tools, Techniques, and Algorithms for Design, Analysis, and Verification of CPS

Outline

Introduction

◦ Need for Verification of Cyber-Physical Systems and its Challenges

◦ Overview of My Research

Overview of Abstraction-Refinement

Dynamic Analysis

◦ Algorithm for Dynamic Analysis

◦ Verifying the Alerting Protocol in Parallel Landing

◦ Verifying Powertrain Control System

Future Work

Simulation/Testing Based Design Methodology

Modeling: Build a model, e.g. Simulink/Stateflow

Analysis: Simulate/Test the model with several configurations, e.g. with different initial positions and velocities of aircraft

Deployment: Prototype deployment; Industrial production

Simulation/Testing Does Not Find All Bugs

Simulations do not give coverage guarantees

Manifestation of bugs in the deployment stage is catastrophic

Are there any alternative techniques to provide guarantees in safety-critical CPS?

Formal Verification Can Give Guarantees

Formal Verification: Prove that the system does not have any bugs

Checking all possible behaviors of the system

Model Checking – industrial practice in Hardware

Reachable Set: Set of all possible states that can be reached

[Figure: reachable sets of intruder and ownship under the modes approach $\dot x = f_a(x)$ and turn $\dot x = f_b(x)$, switching at $t = 3$]

Represent the reachable set in a symbolic format. Ex: $x_i \ge 4 \wedge x_i \le 10 \wedge y_i \ge 20 \wedge y_i \le 25$

Undecidability Barrier for CPS Verification

Reachable set computation is undecidable for simple CPS

◦ Two variables $\dot x = 1$, $\dot y = 2$ with different modes [Alur, Henzinger '96]

Scalability Barrier for CPS Verification

For linear systems $\dot v = Av$, the analytical solution is given by $v(t) = e^{At} v(0)$

Matrix exponentials $e^{At}$ cannot be computed exactly

Symbolic and numerical techniques suffer the curse of dimensionality [Frehse '12]

Toyota Powertrain Control System

$\dot p = c_1\big(2\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)\big)$

$\dot\lambda = c_{26}\big(c_{15} + c_{16}c_{25}F_c + c_{17}c_{25}^2F_c^2 + c_{18}\dot m_c + c_{19}\dot m_c c_{25}F_c - \lambda\big)$

$\dot p_e = c_1\big(2c_{23}\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - (c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)\big)$

$\dot i = c_{14}(c_{24}\lambda - c_{11})$

where

$F_c = \frac{1}{c_{11}}\big(1 + i + c_{13}(c_{24}\lambda - c_{11})\big)(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)$

$\dot m_c = c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)$

No closed-form solution for nonlinear systems

My Research: Developing scalable verification techniques to handle industrial CPS

Research Overview: Verification of CPS

[Figure: research map with axes Simple Continuous Dynamics vs Complex Nonlinear Dynamics and Simple computation vs Distributed computation. Verification Tools [UPPAAL, HyTech, SpaceEx, …]; Abstraction-Refinement [ICCPS'11] [HSCC'12] [VMCAI'13] [EMSOFT'13]*; Dynamic Analysis [EMSOFT'13] [TACAS'15] [RTSS'12] [FM'14]; [CAV'15]]

*best paper award at EMSOFT 2013

Abstraction Refinement - Overview

[Figure: abstraction-refinement loop with steps Abstract, Verify, Validate, Refine and artifacts Concrete System, Abstract System, Certificate, Abstract Counterexample, Concrete Counterexample, Spurious Counterexample, New Abstraction]

$behaviors(\text{Concrete System}) \subseteq behaviors(\text{Abstract System})$

Region Stability: New techniques for proving stability of systems with unstable modes [ICCPS'11, HSCC'12]

Safety: Discovered a new decidable class of linear systems. Proved systems with 28 dimensions [VMCAI'13, EMSOFT'13*]

*won the best paper award at EMSOFT 2013

Outline

Introduction

◦ Need for Verification of Cyber-Physical Systems and its Challenges

◦ Overview of My Research

Overview of Abstraction-Refinement

Dynamic Analysis

◦ Algorithm for Dynamic Analysis

◦ Verifying the Alerting Protocol in Parallel Landing

◦ Verifying Powertrain Control System

Future Work

Dynamic Analysis

NASA's ALAS Protocol

Fail-safe alarming system ALAS by NASA

◦ Issues an alarm 4 seconds before aircraft violate safe separation

Ownship and Intruder landing on nearby parallel runways

[Figure: Intruder at $(x_i, y_i)$ with velocity $\langle v_{xi}, v_{yi}\rangle$; Ownship at $(x_0, y_0)$ with velocity $\langle v_{xo}, v_{yo}\rangle$]

Unexpected trajectory of Intruder

[Figure: intruder modes approach $\dot x = f_a(x)$ and turn $\dot x = f_b(x)$, switching at $t = 3$]

Validation of ALAS by performing several simulations – no proof

Proving that ALAS works

1. Compute all trajectories that violate safe separation (unsafe)

2. For unsafe trajectories, prove that the alarm is issued 4 seconds before safe separation is violated

Computing Unsafe Trajectories

Let us consider a simple motion of the intruder and compute all trajectories that are unsafe

Dynamic Analysis: Computing Unsafe Trajectories From Samples

Compute unsafe trajectories (overapproximation) from samples

Exploiting Continuity for Dynamic Analysis

Continuity property

◦ Trajectories starting close stay close

◦ In the limit, the distance between trajectories goes to zero

[Figure: nearby initial states $x_1$, $x_2$, $x_3$ of the intruder and their trajectories $x_1(t)$, $x_2(t)$]

Discrepancy Function

Discrepancy function $\beta$ that captures continuity

◦ $|x_1(t) - x_2(t)| \le \beta(|x_1 - x_2|, t)$

◦ $\beta(|x_1 - x_2|, t) \to 0$ as $|x_1 - x_2| \to 0$

[Figure: trajectories $x_1(t)$, $x_2(t)$ with the bound $\beta(|x_1 - x_2|, t)$ between them]

Safety Verification Algorithm

Given a discrepancy function $\beta$, how to obtain unsafe trajectories from sample simulations

Partition the initial set into $\delta$-neighborhoods

Simulate from the center of each neighborhood

Bloat the simulation by $\epsilon = \beta(\delta, t)$

Check if all trajectories are safe

If all neighborhoods are safe, return safe

If any neighborhood violates safety, return violated

Else, refine the partitioning (better overapproximation)

[Figure: partitioned initial set of the intruder, center simulations, and the bloated tubes checked against the ownship]

The algorithm can be applied to any nonlinear system with a given discrepancy function

Soundness and Completeness Results

Theorem [Soundness]: Given any HA $A$, with an initial set $\Theta$ and unsafe set $U$, if the algorithm terminates and returns safe (unsafe) then the system is indeed safe (unsafe)

Always performing a sound analysis: $|x_1(t) - x_2(t)| \le \beta(|x_1 - x_2|, t)$

Theorem [Relative Completeness]: Given any HA $A$, with an initial set $\Theta$ and unsafe set $U$, if the system is robustly safe (unsafe) then the algorithm will terminate and return the correct answer

Improving the partitioning improves the approximation: $\beta(|x_1 - x_2|, t) \to 0$ as $|x_1 - x_2| \to 0$

C2E2: A Tool For Verifying Stateflow Models

Comparison with Existing Approaches on Academic Benchmarks

Benchmark               Variables  Sims.  C2E2 (time)  Flow* (time)  Ariadne (time)
Moore-G. Jet Engine     2          36     1.56         10.54         56.57
Brusselator System      2          115    5.26         16.77         72.75
Van der Pol Oscillator  2          17     0.75         8.93          98.36
Coupled Van der Pol     4          62     1.43         90.96         270.61
Sinusoidal Tracking     6          84     3.68         48.63         763.32
Linear Adaptive         3          16     0.47         NA            NA
Nonlinear Adaptive      2          32     1.23         NA            NA
Nonlinear Disturbance   3          48     1.52         NA            NA

[Figure: reachable set plots computed by C2E2 and by Flow*]

Overview

Introduction

◦ Need for Verification of Cyber-Physical Systems and its Challenges

◦ Overview of My Research

Overview of Abstraction-Refinement

Dynamic Analysis

◦ Algorithm for Dynamic Analysis

◦ Verifying the Alerting Protocol in Parallel Landing

◦ Verifying Powertrain Control System

Future Work

Back To Parallel Landing

Fail-safe alarming system ALAS by NASA

◦ Issues an alarm 4 seconds before aircraft violate safe separation

Proving that ALAS works

1. Compute all trajectories that violate safe separation (unsafe)

2. For unsafe trajectories, prove that the alarm is issued 4 seconds before safe separation is violated

How to analyze the $Alarm$ predicate?

[Figure: intruder and ownship trajectories]

Alarm Predicate Closed Form

Implicit solution of the differential equation:

$dir = sign\big((x_o - x_i) \times v_{yi} - (y_o - y_i) \times v_{xi}\big)$

$r = \frac{\sqrt{v_{xi}^2 + v_{yi}^2}}{\omega};\quad c_x = x_i + dir \times \frac{v_{yi}}{\omega};\quad c_y = y_i + dir \times \frac{v_{xi}}{\omega}$

$if\ \ r^2 \times (v_{xo}^2 + v_{yo}^2) - \big((x_o - c_x) v_{yo} - (y_o - c_y) v_{xo}\big)^2 < 0;\ \ Alarm = 0$

Time of intersection of trajectories:

$M = (x_o - c_x) v_{xo} + (y_o - c_y) v_{yo};\quad N = \frac{1}{r^2}\big((x_o - c_x)(x_i - c_x) + (y_o - c_y)(y_i - c_y)\big)$

$t_o = \frac{1}{v_{xo}^2 + v_{yo}^2}\Big[-M + \sqrt{M^2 - (v_{xo}^2 + v_{yo}^2)\big((x_o - c_x)^2 + (y_o - c_y)^2 - r^2\big)}\Big]$

$t_i = abs\Big(\frac{r}{dir \times \sqrt{v_{xo}^2 + v_{yo}^2}} \times \arccos(N)\Big)$

Condition for issuing $Alarm$:

$if\ (t_o > t_i \wedge (t_o - t_i)^2 \times (v_{xo}^2 + v_{yo}^2) < Front^2);\ \ Alarm = 1$

$if\ (t_i > t_o \wedge (t_o - t_i)^2 \times (v_{xo}^2 + v_{yo}^2) < Back^2);\ \ Alarm = 1$

Current state-of-the-art solvers cannot handle this predicate

Alarm Predicate

$Alarm_i = \{x \mid \exists\, t \in [0, T],\ proj_i(x, t) \in Unsafe\}$, where $proj_i$ are different worst-case scenarios of the intruder

If any of the projected behaviors can violate the safety envelope of the ownship, then raise $Alarm$

[Figure: ownship and intruder with projected intruder behaviors $proj_1$, $proj_2$ and their points of intersection with the ownship's path]

A common design principle in MPC: Estimate the worst possible behavior and correct your trajectory

Analyzing Predictive Predicate Alarm

Implicit solutions → numerical solutions

Expressions for $t_o$, $t_i$ → sound numerical approximations $T_o$, $T_i$

Condition for issuing Alarm → overapproximation $Alarm'$

$Alarm_i(x) \equiv$ if $t_i > t_o$ then $\Delta t^2 \times (v_{xi}^2 + v_{yi}^2) < Back^2$ else $\Delta t^2 \times (v_{xi}^2 + v_{yi}^2) < Front^2$

$Alarm_i'(x) \equiv$ if $T_i > T_o$ then $\Delta T^2 \times (v_{xi}^2 + v_{yi}^2) < Back^2$ else $\Delta T^2 \times (v_{xi}^2 + v_{yi}^2) < Front^2$

[Figure: ownship and intruder with projections $proj_1$, $proj_2$ and their points of intersection]
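As an added, constructed example (not code from the talk, NASA, or C2E2), the Python below shows what the overapproximation $Alarm'$ of the slide above amounts to in code: the exact predicate evaluated on $t_o$, $t_i$, and the conservative version evaluated on interval enclosures $T_o$, $T_i$ that a sound numerical solver would return. The constructed containment check confirms that $Alarm$ implies $Alarm'$ on every sample and counts the extra alarms the overapproximation introduces. The speed, the $Front$/$Back$ distances, the enclosure width and the $(t_o, t_i)$ samples are all assumptions for illustration.

```python
# Constructed example (not from the talk): Alarm' as a sound over-approximation
# of the Alarm predicate when t_o and t_i are only known as enclosing intervals.


def alarm(t_o, t_i, speed2, front, back):
    """Exact predicate from the slide: Delta t = t_o - t_i, speed2 = v_xi^2 + v_yi^2."""
    dt2 = (t_o - t_i) ** 2
    if t_i > t_o:
        return dt2 * speed2 < back ** 2
    return dt2 * speed2 < front ** 2


def interval_square_of_difference(T_o, T_i):
    """Interval enclosure of (t_o - t_i)^2 for t_o in T_o and t_i in T_i."""
    lo = T_o[0] - T_i[1]
    hi = T_o[1] - T_i[0]
    if lo <= 0.0 <= hi:                     # the difference can be zero
        return 0.0, max(lo * lo, hi * hi)
    return min(lo * lo, hi * hi), max(lo * lo, hi * hi)


def alarm_over(T_o, T_i, speed2, front, back):
    """Alarm'_i(x): true whenever some (t_o, t_i) in T_o x T_i satisfies Alarm.
    When the enclosures cannot decide t_i > t_o, both branches are tried, and
    the smallest possible Delta t^2 is used, so Alarm => Alarm' always holds."""
    dt2_lo, _ = interval_square_of_difference(T_o, T_i)
    back_branch_possible = T_i[1] > T_o[0]      # some t_i > t_o exists
    front_branch_possible = T_i[0] <= T_o[1]    # some t_i <= t_o exists
    return ((back_branch_possible and dt2_lo * speed2 < back ** 2) or
            (front_branch_possible and dt2_lo * speed2 < front ** 2))


def enclose(value, err):
    """Stand-in for a sound numerical approximation: an interval of half-width err."""
    return value - err, value + err


def check_containment(samples, err, speed2, front, back):
    """Returns (Alarm implies Alarm' on every sample, number of samples where
    Alarm' fires but the exact Alarm does not)."""
    extra = 0
    for t_o, t_i in samples:
        exact = alarm(t_o, t_i, speed2, front, back)
        over = alarm_over(enclose(t_o, err), enclose(t_i, err), speed2, front, back)
        if exact and not over:
            return False, extra              # would be an unsound approximation
        if over and not exact:
            extra += 1
    return True, extra


# Constructed inputs: 60 m/s intruder speed (speed2 = 3600), Front = 100 m, Back = 200 m,
# and (t_o, t_i) pairs in seconds; (20.0, 18.2) is just outside the exact Front condition.
SPEED2, FRONT, BACK = 3600.0, 100.0, 200.0
SAMPLES = [(10.0, 12.0), (10.0, 15.0), (10.0, 10.5), (20.0, 14.0),
           (20.0, 19.0), (8.0, 8.0), (20.0, 18.2)]

if __name__ == "__main__":
    print(check_containment(SAMPLES, 0.1, SPEED2, FRONT, BACK))
```

With a 0.1 s enclosure the check reports containment and one extra alarm (the (20.0, 18.2) sample), which is the price of soundness that the next slide's results also show as false-alarm configurations.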

Verifying ALAS System

Verified the property that Alarm is raised at least 4 time units before safety violation for different configurations, in the order of minutes

Identified a False Alarm configuration and Missed Alarm configurations

Scenario  Alarm ≼4 Unsafe  Running time (mins:sec)  Alarm ≼? Unsafe
6         False            3:27                     2.16
7         True             1:13                     –
8         True             2:21                     –
6.1       False            7:18                     1.54
7.1       True             2:34                     –
8.1       True             4:55                     –
9         False            2:18                     1.8
10        False            3:04                     2.4
9.1       False            4:30                     1.8
10.1      False            6:11                     2.4

How do we get discrepancy functions?

Finding Discrepancy Functions

Sufficient conditions for finding discrepancy functions (borrowed from Control Theory)

◦ Lipschitz continuity: if $\dot x = f(x)$ has Lipschitz constant $L$, then $|x_1(t) - x_2(t)| \le |x_1 - x_2| e^{Lt}$

◦ Contraction Metric: if $J^T M + M J + b_M M \preceq 0$, then $\exists\, k, \delta > 0$ such that $|x_1(t) - x_2(t)|^2 \le k |x_1 - x_2|^2 e^{-\delta t}$

◦ Incremental Lyapunov Function: with function $V$, $|x_1(t) - x_2(t)| \le k |x_1 - x_2|$; $k = F(V)$

Finding such discrepancy functions automatically

◦ Nonlinear optimization for Lipschitz continuity

◦ For $\dot v = Av$ that are exponentially stable, compute a Lyapunov function

◦ Solving LMIs using Sum-Of-Squares tools to compute a contraction metric

For the benchmark nonlinear systems, automatic techniques could find discrepancy functions

Toyota Powertrain Control System

(Model equations as on the earlier Toyota Powertrain Control System slide)

Is it possible to find discrepancy functions automatically for this system?

SOS Tools failed to find any discrepancy functions

On-The-Fly-Discrepancy

Computing discrepancy function from simulations and static analysis [Fan et al. '15]

Sketch:

◦ Simulate from a given neighborhood

◦ Compute overestimate of behaviors – Lipschitz constant

◦ Compute better bounds by analyzing eigenvalues of the Jacobian

We apply the on-the-fly discrepancy function for verifying the Powertrain control system
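As an added, constructed example (not code from the talk or from C2E2), the Python below implements the safety verification algorithm of the "Safety Verification Algorithm" slides (partition the initial set into $\delta$-neighborhoods, simulate from each center, bloat by $\beta(\delta, t)$, check, refine) together with the two discrepancy functions this section discusses: the Lipschitz bound $|x_1 - x_2| e^{Lt}$ from "Finding Discrepancy Functions", and the tighter bound obtained from the largest eigenvalue of the symmetric part of the Jacobian, the quantity the on-the-fly sketch bounds over a neighborhood (here the Jacobian is constant, so one eigenvalue computation suffices). The 2-D linear system `A`, the initial box, the unsafe half-plane, the time horizon and the RK4 integrator are all assumptions for illustration; unlike a sound tool, the example checks the bloated tube only at sample times and does not bound the integrator's error.

```python
import math

# Constructed example (not from the talk): a 2-D linear system x' = A x standing in
# for the continuous dynamics of one mode. Eigenvalues are -1 and -2 (stable).
A = ((0.0, 1.0),
     (-2.0, -3.0))


def vector_field(x):
    """Right-hand side of x' = A x."""
    return (A[0][0] * x[0] + A[0][1] * x[1],
            A[1][0] * x[0] + A[1][1] * x[1])


def simulate(x0, horizon, dt):
    """Fixed-step RK4 simulation; returns a list of (t, state) samples."""
    trace = [(0.0, x0)]
    x, t = x0, 0.0
    for _ in range(int(round(horizon / dt))):
        k1 = vector_field(x)
        k2 = vector_field((x[0] + dt / 2 * k1[0], x[1] + dt / 2 * k1[1]))
        k3 = vector_field((x[0] + dt / 2 * k2[0], x[1] + dt / 2 * k2[1]))
        k4 = vector_field((x[0] + dt * k3[0], x[1] + dt * k3[1]))
        x = (x[0] + dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
             x[1] + dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))
        t += dt
        trace.append((t, x))
    return trace


def lipschitz_discrepancy(mat):
    """beta(delta, t) = delta * e^{L t}, L a Lipschitz constant of x' = A x.
    The Frobenius norm bounds the operator 2-norm, so it is a valid (loose) L."""
    lip = math.sqrt(sum(a * a for row in mat for a in row))
    return lambda delta, t: delta * math.exp(lip * t)


def lognorm_discrepancy(mat):
    """Tighter beta from the largest eigenvalue mu of the symmetric part (A + A^T)/2
    of the Jacobian: d/dt |x1 - x2|^2 = 2 (x1 - x2)^T A (x1 - x2) <= 2 mu |x1 - x2|^2,
    hence |x1(t) - x2(t)| <= |x1 - x2| e^{mu t}. Closed form for a 2x2 matrix."""
    a, d = mat[0][0], mat[1][1]
    b = (mat[0][1] + mat[1][0]) / 2.0
    mu = (a + d) / 2.0 + math.sqrt(((a - d) / 2.0) ** 2 + b * b)
    return lambda delta, t: delta * math.exp(mu * t)


def verify(init_box, unsafe_x, beta, horizon=2.0, dt=0.02,
           min_halfwidth=1e-3, max_sims=2000):
    """Simulation-based safety check following the talk's algorithm.
    init_box = (cx, cy, hx, hy): centre and half-widths of the initial set.
    Unsafe set (constructed): the half-plane x >= unsafe_x.
    Returns (verdict, number_of_simulations), verdict in 'safe'/'unsafe'/'unknown'."""
    worklist = [init_box]
    sims = 0
    while worklist:
        cx, cy, hx, hy = worklist.pop()
        if sims >= max_sims:
            return "unknown", sims
        trace = simulate((cx, cy), horizon, dt)
        sims += 1
        delta = math.hypot(hx, hy)          # every point of the box is within delta of the centre
        # The centre simulation is a real trajectory: if it reaches the unsafe set, the system is unsafe.
        if any(x[0] >= unsafe_x for _, x in trace):
            return "unsafe", sims
        # Bloat by beta(delta, t): if the whole tube misses the unsafe set, the neighbourhood is safe.
        if all(x[0] + beta(delta, t) < unsafe_x for t, x in trace):
            continue
        if hx / 2 < min_halfwidth:
            return "unknown", sims          # cannot refine any further
        for sx in (-1, 1):                  # refine: split the box into four sub-boxes
            for sy in (-1, 1):
                worklist.append((cx + sx * hx / 2, cy + sy * hy / 2, hx / 2, hy / 2))
    return "safe", sims


INIT = (0.75, 0.25, 0.25, 0.25)  # constructed initial set: x in [0.5, 1.0], y in [0.0, 0.5]

if __name__ == "__main__":
    for name, beta in (("lipschitz", lipschitz_discrepancy(A)),
                       ("jacobian-eigenvalue", lognorm_discrepancy(A))):
        for threshold in (1.1, 1.02):
            print(name, threshold, verify(INIT, threshold, beta))
```

With the Jacobian-eigenvalue $\beta$ the verifier proves `x >= 1.1` unreachable after one refinement (five simulations) and finds a real violating trajectory for `x >= 1.02`; with the Lipschitz $\beta$ the bloating factor $e^{Lt}$ exceeds a thousand by $t = 2$, every neighborhood has to be refined, and the verifier reaches the minimum box size and returns `unknown`. That is the practical reason the talk looks for tighter discrepancy functions than the Lipschitz bound.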

Powertrain Verification Results

Verified many key specifications for a given set of driver behaviors (First to do so!)

Property                                                                        Mode       Sat  Sim.  Time

Safety properties:

$\Box\ \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                                all modes  Yes  53    11m58s
$\Box\ \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                                startup    Yes  50    10m21s
$\Box\ \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                                normal     Yes  50    10m21s
$\Box\ \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                                power      Yes  53    11m12s
$\Box\ \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                                power      No   4     0m43s

Performance properties:

$rise \Rightarrow \Box_{(\eta,\xi)}\ \lambda \in [0.98\lambda_{ref}, 1.02\lambda_{ref}]$        normal     Yes  50    10m15s
$(l = pwr) \Rightarrow \Box_{(\eta,\xi)}\ \lambda \in [0.95\lambda_{ref}, 1.05\lambda_{ref}]$   power      Yes  53    11m35s
$(l = pwr) \Rightarrow \Box_{(\eta/2,\xi)}\ \lambda \in [0.95\lambda_{ref}, 1.05\lambda_{ref}]$ power      No   4     0m45s

Outline

Introduction

◦ Need for Verification of Cyber-Physical Systems and its Challenges

◦ Overview of My Research

Overview of Abstraction-Refinement

Dynamic Analysis

◦ Algorithm for Dynamic Analysis

◦ Verifying the Alerting Protocol in Parallel Landing

◦ Verifying Powertrain Control System

Future Work

Future Work

91


Doomsday in 10 Years!

93

With great software, comes great risks!

Avoiding The Doomsday

94


Building Certified CPS

Software Verification + Dynamic Analysis = Certified CPS

Dynamic Analysis – taming complex dynamics

Software Verification + Dynamic Analysis of Continuous Systems

96


Challenges in Bridging Software Verification and Dynamic Analysis

SOFTWARE VERIFICATION

Time-abstract notion of execution

Assertions/invariants hold at discrete places in the program

Exact computations

DYNAMIC ANALYSIS

Continuous-time notion of execution

Invariants/Lyapunov functions must be satisfied globally, at every time instant

Noisy environments

98


Solution: Software Verification Techniques + Control Theory (Dynamic Analysis) + Proof Composition Techniques

Collaborators Mahesh Viswanathan (UIUC)

Sayan Mitra (UIUC)

Ashish Tiwari (SRI)

Pavithra Prabhakar (IMDEA)

Cesar Munoz (NASA Langley)

Taylor Johnson (UT Arlington)

Le Wang (UIUC)

Matthew Potok (UIUC)

Aarti Gupta (Princeton)

Vineet Kahlon (Google)

Khalil Ghorbal (CMU)

Franjo Ivancic (Google)

100

Thank You

[Figure: research overview grid, with one axis running from simple continuous dynamics to complex nonlinear dynamics and the other from simple computation to distributed computation; the two thrusts Dynamic Analysis and Abstraction-Refinement, and the papers [RTSS'12], [ICCPS'11], [HSCC'12], [VMCAI'13], [EMSOFT'13]*, [FM'14], [TACAS'15], [CAV'15] placed on it next to existing verification tools [UPPAAL, HyTech, SpaceEx, …]. *best paper award at EMSOFT 2013.]

Backup Slides

102


Verification of Annotated Models From Executions [DMV'13]

Annotations: a conservative upper bound on the distance between trajectories.

An annotation for the ODE $\dot{x} = f(x)$ is a pair $(V, \beta)$ such that

$\forall t > 0,\ V\big(\xi(x_1, t), \xi(x_2, t)\big) \le \beta(x_1, x_2, t)$

Utility of the annotation:

$\xi(y, t) \in \mathrm{Bloat}_\epsilon(\xi(x, t))$ for every $y \in B_\delta(x)$, where $\epsilon = \sup_{y \in B_\delta(x)} \beta(x, y, t)$

Computing ReachTubes

[Figure: two trajectories $\xi(x_1, t)$ and $\xi(x_2, t)$ from initial states $x_1$ and $x_2$, with $\beta(x_1, x_2, t)$ bounding the distance between them.]


ReachTubes From Simulations And Annotations

$\xi(x_0, t)$: in general no analytical solution exists.

Validated simulation engines generate regions for time intervals:

$\rho = (R_1, [t_0, t_1]), \ldots, (R_l, [t_{l-1}, t_l])$, with $\forall t \in [t_{i-1}, t_i],\ \xi(t) \in R_i$

ReachTube $\psi = B_\epsilon(\rho)$ where $\epsilon = \sup_{y \in B_\delta(x)} \beta(x, y, t)$

The overapproximation can be made arbitrarily small.

How to infer temporal properties from such ReachTubes?

[Figure: the simulation $\xi(x_1, t)$ with the regions $R_i$ bloated by $\epsilon$ into a ReachTube, and a second trajectory $\xi(x_2, t)$ from $x_2$ staying inside it, bounded by $\beta(x_1, x_2, t)$.]
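The following is an added, runnable illustration of the on-the-fly discrepancy sketch from the main part of the talk (simulate, bound coarsely with a Lipschitz constant, tighten with the eigenvalues of the Jacobian) and of the ReachTube construction $\psi = B_\epsilon(\rho)$ on this slide. It is example code written for this page, not C2E2 and not the code of Fan et al. It uses a constructed two-dimensional damped cubic oscillator instead of the Toyota model; the Lipschitz constant and the matrix-measure bound are derived by hand for that system, and an ordinary Runge-Kutta simulation stands in for a validated simulation engine, so the enclosure error a real $R_i$ would carry is not accounted for.

```python
"""Added example: on-the-fly discrepancy and a ReachTube from one simulation.

Illustration code for this page, not C2E2 or the code of Fan et al.  The system is
a constructed damped cubic oscillator, not the Toyota model:

    x1' = x2,   x2' = -x1 - x2 - x1^3,   Jacobian J(x) = [[0, 1], [-1 - 3*x1^2, -1]]

Static analysis supplies two bounds that hold whenever |x1| <= a:
  * a Lipschitz constant  L(a)   (coarse Gronwall growth  e^{L t}),
  * a matrix-measure bound lam(a) >= lambda_max((J + J^T)/2)   (growth  e^{lam t}).
Simulation tells us which region is actually visited, so lam is taken on that small
region instead of on the whole domain.
"""
import math

X1_DOMAIN = 1.0  # L is derived for |x1| <= X1_DOMAIN; the analysis aborts if the tube leaves it


def f(x):
    x1, x2 = x
    return (x2, -x1 - x2 - x1 ** 3)


def rk4_step(x, dt):
    """Classical Runge-Kutta step: a plain numerical solver, not a validated one.
    Its local error is ignored here; a validated engine would return enclosures R_i."""
    k1 = f(x)
    k2 = f(tuple(xi + 0.5 * dt * ki for xi, ki in zip(x, k1)))
    k3 = f(tuple(xi + 0.5 * dt * ki for xi, ki in zip(x, k2)))
    k4 = f(tuple(xi + dt * ki for xi, ki in zip(x, k3)))
    return tuple(xi + dt / 6.0 * (a + 2 * b + 2 * c + d)
                 for xi, a, b, c, d in zip(x, k1, k2, k3, k4))


def simulate(x0, dt, steps):
    traj = [x0]
    for _ in range(steps):
        traj.append(rk4_step(traj[-1], dt))
    return traj


def lipschitz_bound(a):
    """||J(x)||_2 <= ||J(x)||_F = sqrt(2 + (1 + 3 x1^2)^2) <= this value for |x1| <= a."""
    return math.sqrt(2.0 + (1.0 + 3.0 * a * a) ** 2)


def matrix_measure_bound(a):
    """Gershgorin bound on lambda_max((J+J^T)/2) over |x1| <= a.
    (J+J^T)/2 = [[0, -1.5 x1^2], [-1.5 x1^2, -1]], so lambda_max <= max(0, -1) + 1.5 a^2."""
    return 1.5 * a * a


def on_the_fly_reachtube(x0, delta, horizon, dt, seg_steps):
    """Bloat the simulation from x0 into a ReachTube covering every start in B_delta(x0).

    Returns segments (box, t_start, t_end, r_coarse, r_refined): box is the axis-aligned
    hull of the simulated segment bloated by r_refined; r_coarse is the radius delta*e^{L t}
    from one global Lipschitz constant; r_refined is the piecewise radius
    delta * prod_i e^{lam_i * seg_len} from the Jacobian bound on each visited region.
    """
    L = lipschitz_bound(X1_DOMAIN)
    seg_len = seg_steps * dt
    steps = int(round(horizon / dt))
    center = simulate(x0, dt, steps)
    tube = []
    r_coarse = r_refined = delta
    for start in range(0, steps, seg_steps):
        seg = center[start:start + seg_steps + 1]
        # Coarse region S_i reachable during this segment: Gronwall growth applied to the
        # radius at the start of the segment; dt*max|f| pads the hull of the sample points
        # so that it also covers the motion between samples.
        pad = dt * max(abs(v) for p in seg for v in f(p))
        coarse_r = r_refined * math.exp(L * seg_len) + pad
        a = max(abs(p[0]) for p in seg) + coarse_r
        if a > X1_DOMAIN:
            raise ValueError("tube left the region where L was derived; shrink delta")
        # Tight exponent from the matrix measure of the Jacobian on S_i.
        lam = matrix_measure_bound(a)
        r_coarse *= math.exp(L * seg_len)
        r_refined *= math.exp(lam * seg_len)
        lo = tuple(min(p[k] for p in seg) - r_refined - pad for k in range(2))
        hi = tuple(max(p[k] for p in seg) + r_refined + pad for k in range(2))
        tube.append(((lo, hi), start * dt, (start + seg_steps) * dt, r_coarse, r_refined))
    return tube


def check_tube(x0, delta, horizon, dt, seg_steps, directions=16):
    """Empirical check: simulate from points on the boundary of B_delta(x0) and return the
    largest ratio dist/r_refined seen; <= 1 means every sampled run stayed inside the tube."""
    tube = on_the_fly_reachtube(x0, delta, horizon, dt, seg_steps)
    steps = int(round(horizon / dt))
    center = simulate(x0, dt, steps)
    worst = 0.0
    for k in range(directions):
        ang = 2 * math.pi * k / directions
        y0 = (x0[0] + delta * math.cos(ang), x0[1] + delta * math.sin(ang))
        other = simulate(y0, dt, steps)
        for n in range(1, steps + 1):
            r = tube[(n - 1) // seg_steps][4]
            worst = max(worst, math.dist(center[n], other[n]) / r)
    return worst


if __name__ == "__main__":
    for box, t0, t1, rc, rr in on_the_fly_reachtube((0.5, 0.0), 0.02, 2.0, 0.01, 10):
        print(f"[{t0:.1f},{t1:.1f}] coarse r={rc:9.3f}  refined r={rr:.4f}")
    print("worst dist/r over sampled runs:", check_tube((0.5, 0.0), 0.02, 2.0, 0.01, 10))
```

With one global Lipschitz constant the coarse radius $\delta e^{Lt}$ grows by more than three orders of magnitude over two time units, while the piecewise radius computed from the matrix measure of the Jacobian on the regions actually visited stays close to $\delta$; `check_tube` samples starts on the boundary of $B_\delta(x_0)$ and confirms that every sampled run stays inside the refined tube. The returned box list is a ReachTube in the sense of this slide and can be fed directly to a Must/May/Not classification.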

Must, Not, and May Intervals

For a predicate $P$ and a ReachTube $\psi = (O_1, [t_0, t_1]), \ldots, (O_l, [t_{l-1}, t_l])$, the interval $[t_{i-1}, t_i]$ is

◦ in $\mathit{Must}(P)$ if $O_i \subseteq P$

◦ in $\mathit{Not}(P)$ if $O_i \cap P = \emptyset$

◦ in $\mathit{May}(P)$ otherwise

[Figure: the ReachTube around $\xi(x_1, t)$ with its time intervals labelled Must, May and Not, once for $P_1 \equiv F_1 > 0$ and once for $P_2 \equiv F_2 > 0$.]

Checking Temporal Precedence

Temporal precedence $P_1 \prec_b P_2$ is satisfied by ReachTube $\psi$ if

$\forall I_2 \in \mathit{Must}(P_2) \cup \mathit{May}(P_2),\ \exists I_1 \in \mathit{Must}(P_1),\ I_1 < I_2 - b$

Temporal precedence $P_1 \prec_b P_2$ is violated by ReachTube $\psi$ if

$\exists I_2 \in \mathit{Must}(P_2),\ \forall I_1 \in \mathit{Must}(P_1) \cup \mathit{May}(P_1),\ I_1 > I_2 - b$

[Figure: the Must/May/Not intervals of $P_1 \equiv F_1 > 0$ and $P_2 \equiv F_2 > 0$ along $\xi(x_1, t)$; in this example the property $P_1 \prec_0 P_2$ is satisfied.]
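As an added example (written for this page, not the C2E2 implementation), the code below classifies the intervals of a ReachTube into Must, Not and May for a half-space predicate and then decides $P_1 \prec_b P_2$ with the two rules above. It assumes axis-aligned box regions and linear predicates $F(x) = c \cdot x + d > 0$, so the containment and disjointness tests are exact; the interval comparisons $I_1 < I_2 - b$ and $I_1 > I_2 - b$ are read conservatively as orderings of whole intervals, and a tube on which neither rule fires is reported as unknown, which is the case that calls for refinement. The ReachTube in the example is constructed by hand.

```python
"""Added example: Must/Not/May intervals and temporal-precedence checking on a ReachTube.

Illustration code for this page, not the C2E2 implementation.  Predicates are linear
half-spaces  P ≡ F(x) > 0  with  F(x) = c·x + d, and ReachTube regions are axis-aligned
boxes, so containment and disjointness tests are exact (min/max of F over a box).
"""


def f_range(c, d, box):
    """Exact (min, max) of F(x) = c·x + d over box = (lo, hi)."""
    lo, hi = box
    fmin = d + sum(ci * (li if ci >= 0 else ui) for ci, li, ui in zip(c, lo, hi))
    fmax = d + sum(ci * (ui if ci >= 0 else li) for ci, li, ui in zip(c, lo, hi))
    return fmin, fmax


def classify(tube, pred):
    """Partition a ReachTube [(box, t_start, t_end), ...] for P ≡ F > 0 into
    Must(P): box ⊆ P,  Not(P): box ∩ P = ∅,  May(P): otherwise (refinement needed)."""
    c, d = pred
    out = {"must": [], "not": [], "may": []}
    for box, t0, t1 in tube:
        fmin, fmax = f_range(c, d, box)
        if fmin > 0:
            out["must"].append((t0, t1))
        elif fmax <= 0:
            out["not"].append((t0, t1))
        else:
            out["may"].append((t0, t1))
    return out


def precedence(tube, p1, p2, b):
    """Decide P1 ≺_b P2 (every P2 is preceded by P1 at least b time units earlier) on a tube.

    Interval comparisons follow the slide and are conservative:
      I1 < I2 - b  is read as  end(I1) <= start(I2) - b   (I1 lies entirely at least b before I2)
      I1 > I2 - b  is read as  start(I1) > end(I2) - b    (no point of I1 is b before any point of I2)
    Returns 'satisfied', 'violated' or 'unknown' (the tube is too coarse to decide).
    """
    m1, m2 = classify(tube, p1), classify(tube, p2)
    possible_p2 = m2["must"] + m2["may"]
    possible_p1 = m1["must"] + m1["may"]
    if all(any(i1[1] <= i2[0] - b for i1 in m1["must"]) for i2 in possible_p2):
        return "satisfied"
    if any(all(i1[0] > i2[1] - b for i1 in possible_p1) for i2 in m2["must"]):
        return "violated"
    return "unknown"


# Constructed ReachTube: five unit-length segments of a 2-D trajectory whose x1 component
# rises above 1 around t = 2 and whose x2 component rises above 1 around t = 4.
# Boxes are ((lo1, lo2), (hi1, hi2)).
TUBE = [
    (((0.0, 0.0), (0.5, 0.2)), 0.0, 1.0),
    (((0.8, 0.2), (1.2, 0.4)), 1.0, 2.0),
    (((1.3, 0.5), (1.8, 0.8)), 2.0, 3.0),
    (((1.8, 0.9), (2.2, 1.1)), 3.0, 4.0),
    (((2.0, 1.2), (2.5, 1.5)), 4.0, 5.0),
]
P1 = ((1.0, 0.0), -1.0)   # P1 ≡ x1 - 1 > 0
P2 = ((0.0, 1.0), -1.0)   # P2 ≡ x2 - 1 > 0

if __name__ == "__main__":
    print("P1:", classify(TUBE, P1))
    print("P2:", classify(TUBE, P2))
    for b in (0.0, 1.0, 5.0):
        print(f"P1 precedes P2 by {b}:", precedence(TUBE, P1, P2, b))
```

On this tube $P_1 \prec_0 P_2$ is satisfied (the Must interval $[2,3]$ of $P_1$ ends before the first possible $P_2$ interval $[3,4]$ starts), $P_1 \prec_1 P_2$ is unknown because the May interval $[1,2]$ of $P_1$ could still precede $[3,4]$ by one time unit and only refinement can tell, and $P_1 \prec_5 P_2$ is violated because no possible $P_1$ interval lies five time units before the Must interval $[4,5]$ of $P_2$.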


Simulation Guided Synthesis

Intuition for the system designer comes from simulations.

Learning linear and nonlinear control theory:

◦ Learned the basic principles of controls

◦ Design iterations guided by simulations

[Diagram: simulation-guided synthesis loop with the boxes "incomplete model of CPS + specification", "synthesizer", "model generator", "verifier", "satisfying model" and "infeasible".]


Parameter Synthesis: Classroom Experiment

[Figure: autonomous-car track with segments labelled "slow down", "turn", "speed up", "turn".]

Homework problem: generate parameters for the autonomous car controller and verify with C2E2 that the whole specification is satisfied.

Goals of the course included

◦ Familiarize students with different tools in CPS verification (interactive demos)

◦ Push new research directions: handling a nontrivial verification problem

Results

◦ 90% of students solved it without a single office hour

◦ Students researched the literature and provided new techniques we did not anticipate

Inspiration for future research directions: simulation-guided synthesis