The TIOA Language and Toolset for System Design
- Slides: 14
The TIOA Language and Toolset for System Design and Analysis
Nancy Lynch, Massachusetts Institute of Technology, CSAIL
Workshop on Critical Research Areas in Aerospace Software, MIT, August 9, 2005
A Long-Term Theme
- We use interacting automaton models:
  - I/O Automata (IOA)
  - Timed I/O Automata (TIOA)
  - Hybrid I/O Automata (HIOA)
  - Probabilistic I/O Automata (PIOA)
- To represent, analyze, simulate, ... various kinds of complex systems, for example:
  - Distributed algorithms
  - Communication systems, traditional and wireless
  - Robots, vehicles, aircraft
  - Security protocols
I/O Automata [Lynch, Tuttle]
- A mathematical modeling framework, based on interacting discrete, asynchronous state machines.
- Supports parallel composition, levels of abstraction.
- Supports correctness proofs, using invariant assertions and simulation relations.
- Used extensively for describing and verifying complicated distributed algorithms [see my book].
- Also, practical communication systems:
  - Group communication systems
  - Air Force fault-tolerant chat system [Khazan] [Lincoln Labs]
IOA [Garland, Lynch]
- A formal language for describing I/O automata.
- A set of tools:
  - Connection to the Larch theorem-prover [Bogdanov, Garland].
  - Home-grown simulator [Ramirez].
  - Automatic code-generator for distributed code [Tauber, Mavrommatis, Tsai].
    - Generates Java code for machines in a LAN.
    - Have generated implementations of complex distributed algorithms, e.g., Gallager et al. Minimum Spanning Tree.
- We can write a distributed algorithm in IOA, test it with the simulator, verify it completely using the theorem-prover, and generate a runnable version automatically using the code-generator.
- Student projects.
Example: Model for FIFO Channel
- Channel(M, i, j)
  - Signature:
    - Input send(m), m in M
    - Output receive(m), m in M
  - State:
    - queue, finite sequence of M
  - Transitions:
    - send(m)
      - Effect: add m to queue
    - receive(m)
      - Precondition: m = head(queue)
      - Effect: remove head(queue)
Timed I/O Automata [Kaynar, Lynch, Segala, Vaandrager]
- Math modeling framework, extension of I/O Automata.
- Adds "trajectories", which describe how the state evolves between discrete events.
- Timed I/O Automata interact via discrete events (only).
- Parallel composition, levels of abstraction.
- Proofs, same methods: invariant assertions, simulation relations.
- Major monograph just completed: Theory of Timed I/O Automata.
- Used for modeling:
  - Communication protocols
  - Other timing-sensitive distributed algorithms
  - Algorithms for mobile networks
  - Some hybrid systems
    - Toy examples, like railroad crossing, steam-boiler controller.
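The FIFO channel model and the trajectory extension on the two slides above, as an added example written for this page in Python (it is not code from the slides or from the IOA/TIOA toolset). The discrete send/receive transitions, with their preconditions and effects, are the slide's; everything timed is an assumption of the example: a clock `now` that advances at rate 1 along a trajectory, a per-message delivery bound `D` enforced as a stopping condition on how long time may pass, a `Receiver` automaton composed with the channel on the shared action `receive(m)`, and a random schedule generator used as constructed input. Dropping `now`, the deadlines and `elapse` gives back the untimed I/O automaton of the FIFO slide.

```python
import random
from collections import deque


class TimedChannel:
    """Channel(M, i, j) from the slide, made timed (example assumption).

    Discrete actions: input send(m), always enabled; output receive(m) with
    precondition m = head(queue).  Trajectory: 'now' advances at rate 1 and
    may not pass the earliest deadline, so each message is delivered within D."""

    def __init__(self, D):
        self.D = D                    # assumed delivery bound
        self.now = 0.0
        self.queue = deque()          # FIFO of (message, deadline)

    def send(self, m):                # input: precondition True
        self.queue.append((m, self.now + self.D))

    def receive_enabled(self, m):     # precondition of output receive(m)
        return bool(self.queue) and self.queue[0][0] == m

    def receive(self, m):
        if not self.receive_enabled(m):
            raise RuntimeError("receive(%r) is not enabled" % (m,))
        self.queue.popleft()          # effect: remove head(queue)

    def max_elapse(self):
        """Longest trajectory allowed from this state (stopping condition)."""
        if not self.queue:
            return float("inf")
        return min(dl for _, dl in self.queue) - self.now

    def elapse(self, t):              # follow the trajectory for t time units
        if not 0.0 <= t <= self.max_elapse():
            raise RuntimeError("trajectory of length %g would pass a deadline" % t)
        self.now += t

    def invariant(self):
        """No queued message is past its deadline."""
        return all(self.now <= dl for _, dl in self.queue)


class Receiver:
    """Composed with the channel; receive(m) is its input action."""

    def __init__(self):
        self.log = []                 # (message, delivery time)

    def receive(self, m, now):
        self.log.append((m, now))


def run(schedule, D):
    """Execute a schedule of discrete steps and trajectories on
    Channel || Receiver, checking the invariant after every step.
    Entries: ("send", m), ("recv", m) or ("time", t).
    Returns True iff every delivered message arrived within D of its send."""
    ch, rc = TimedChannel(D), Receiver()
    sent_at = {}
    for kind, arg in schedule:
        if kind == "send":
            ch.send(arg)
            sent_at[arg] = ch.now
        elif kind == "recv":
            ch.receive(arg)           # shared action: channel output and
            rc.receive(arg, ch.now)   # receiver input fire together
        else:
            ch.elapse(arg)
        if not ch.invariant():
            raise AssertionError("invariant violated at time %g" % ch.now)
    return all(t - sent_at[m] <= D for m, t in rc.log)


def random_execution(n_msgs, D, seed=0):
    """Constructed input: a random legal schedule, built by simulating the
    channel so every step respects preconditions and the stopping condition."""
    rng = random.Random(seed)
    ch, schedule, next_m = TimedChannel(D), [], 0
    while next_m < n_msgs or ch.queue:
        choice = rng.choice(["send", "recv", "time"])
        if choice == "send" and next_m < n_msgs:
            ch.send(next_m)
            schedule.append(("send", next_m))
            next_m += 1
        elif choice == "recv" and ch.queue:
            m = ch.queue[0][0]
            ch.receive(m)
            schedule.append(("recv", m))
        elif choice == "time":
            t = rng.uniform(0.0, 0.9 * min(ch.max_elapse(), D))
            ch.elapse(t)
            schedule.append(("time", t))
    return schedule


if __name__ == "__main__":
    print(run(random_execution(20, 3.0, seed=1), 3.0))      # True
    try:
        run([("send", "a"), ("time", 5.0)], 3.0)            # 5 > D: rejected
    except RuntimeError as e:
        print("rejected:", e)
```

The stopping condition is what turns "time passes" into a proof obligation: a schedule that lets 5 time units elapse while a message with bound 3 is queued is not an execution of the automaton at all, which is exactly how a TIOA expresses an upper bound without a separate timer process.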
TIOA [Garland, Kaynar, Lynch, Mitra]
- A formal language for describing Timed I/O Automata
  - Extension of IOA language.
  - Adds trajectory descriptions, using differential equations, differential inclusions.
- A set of tools, based on the IOA tools:
  - Connection to PVS theorem-prover [Lim]
  - Extension of simulator [Mavrommatis]
- Examples:
  - Many small verification examples
  - DHCPv6 communication protocol, other Internet protocols [Griffeth]
  - NASA SATS-HVO [Umeno]
- Started VeroModo, to engineer the tools for wider use.
Planned TIOA tools, applications
- Engineer the TIOA language, theorem-prover, and simulator for wider use.
- Add new tools:
  - Monte-Carlo model checker MC2 [Grosu, Smolka]
  - Other automated checking tools [Alur, Lee]
  - Automatic code generator?
- Initial target applications/customers:
  - Educational: distributed algorithms, networking courses.
  - Communications standards community
    - Specifications from RFCs [Griffeth, Lynch, Droms] [CISCO]
    - Protocol conformance testing [Griffeth]
  - Air-traffic management, other safety-critical systems [NASA, DOD]
Hybrid I/O Automata [Lynch, Segala, Vaandrager]
- Math framework, extension of Timed I/O Automata.
- Hybrid I/O Automata interact via discrete events and/or continuous signals.
- Parallel composition, levels of abstraction.
- Proofs, using invariant assertions and simulation relations.
Hybrid I/O Automata used to analyze:
- Automated vehicle control systems:
  - People movers [Livadas, Lynch] [Raytheon]
  - Platoons of cars [Branicky, Dolginova, Lygeros, Lynch]
- Aero/Astro systems:
  - Quanser helicopter [Feron, Lynch, Mitra]
  - TCAS collision-avoidance system [Livadas, Lygeros, Lynch]
  - Guidance systems [Lynch, Ha] [Draper]
- Algorithms for mobile networks:
  - Implementing Virtual Stationary Nodes [Gilbert, Nolte, ...]
  - Motion coordination for mobile robots [Lynch, Mitra, Nolte]
- Control-theory examples:
  - Stability analysis for hybrid systems [Mitra, Liberzon]
    - Mode switches, lower bound on average dwell time.
HIOA
- Current/planned work:
  - Define HIOA modeling language, by extending TIOA language.
  - Extend TIOA tools to hybrid systems:
    - Theorem-prover, simulator, model-checker, ...
  - Integrate with control theory methods (stability, robustness).
  - Integrate with U. Penn. Charon language and tools.
Probabilistic I/O Automata [Lynch, Segala, Vaandrager]
- Math framework.
- Extension of I/O Automata; transitions allow probabilistic choice of new state.
- Composition: tricky
  - Special case: switched automata [Lynch, Cheung, Segala, Vaandrager]
  - General case: harder, have weaker results.
- Levels of abstraction:
  - New kinds of simulation relations to prove implementation relationships between PIOAs [Kaynar, Lynch, Segala]
  - Time-bound restrictions, approximate knowledge [Canetti, Lynch, Pereira]
- Applications: security protocols
  - Oblivious Transfer protocol [Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala]
    - Complete proof of correctness and secrecy.
    - Weak adversary model (eavesdropper).
    - Uses cryptographic primitive: trap-door function.
Probabilistic I/O Automata: Future work
- More applications:
  - More security protocols
    - Stronger adversary models
    - Other cryptographic primitives
    - Zero knowledge protocols
  - Randomized distributed algorithms
- Formal PIOA language and tools?
- Combine PIOA with TIOA and HIOA: PTIOA, PHIOA
- Use PTIOA, PHIOA to prove probabilistic safety guarantees for safety-critical hybrid systems.
  - E.g.: "With probability 1 - p, the airplanes remain at least distance d apart."
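The probabilistic transitions of the PIOA slide and the "with probability 1 - p" guarantees of the future-work slide, as an added example written for this page in Python (not code from the slides, the PIOA work, or the MC2 checker mentioned earlier). The model is an assumption of the example: a channel whose `send(m)` transition chooses probabilistically between a "delivered" and a "lost" next state, composed with a deterministic sender that retries at most `K` extra times. The property checked is "every message is eventually delivered"; its probability is estimated by sampling executions, the way a Monte-Carlo model checker does, and compared against the closed form, with a Hoeffding bound on the estimation error.

```python
import math
import random


class LossyChannel:
    """PIOA fragment (assumed model): the transition for input send(m) picks
    the next state probabilistically, delivered with probability 1 - p_loss."""

    def __init__(self, p_loss, rng):
        self.p_loss = p_loss      # assumed loss probability
        self.rng = rng
        self.delivered = []       # messages that reached the far side

    def send(self, m):
        if self.rng.random() < self.p_loss:
            return False          # probabilistic branch: message lost
        self.delivered.append(m)
        return True


class RetrySender:
    """Deterministic automaton composed with the channel: on loss it resends
    the same message, at most K extra times (assumed bound)."""

    def __init__(self, channel, K):
        self.channel, self.K = channel, K

    def deliver(self, m):
        for _ in range(self.K + 1):
            if self.channel.send(m):
                return True
        return False              # gave up: property violated


def run_once(p_loss, K, n_msgs, rng):
    """One execution of Sender || Channel; True iff every message got through."""
    ch = LossyChannel(p_loss, rng)
    snd = RetrySender(ch, K)
    return all(snd.deliver(i) for i in range(n_msgs))


def exact_probability(p_loss, K, n_msgs):
    """Closed form for comparison: a message is lost only if all K+1 attempts
    are lost, and messages are independent."""
    return (1.0 - p_loss ** (K + 1)) ** n_msgs


def estimate(p_loss, K, n_msgs, trials, seed=0):
    """Monte-Carlo estimate of Pr[all delivered] over 'trials' sampled executions."""
    rng = random.Random(seed)
    hits = sum(run_once(p_loss, K, n_msgs, rng) for _ in range(trials))
    return hits / trials


def hoeffding_eps(trials, delta):
    """Half-width eps such that |estimate - truth| <= eps with probability
    at least 1 - delta (Hoeffding's inequality for a mean of [0,1] samples)."""
    return math.sqrt(math.log(2.0 / delta) / (2.0 * trials))


if __name__ == "__main__":
    p, K, n, N = 0.3, 2, 10, 4000
    print("exact %.4f  estimate %.4f  +/- %.3f (delta 1e-6)"
          % (exact_probability(p, K, n), estimate(p, K, n, N, seed=7),
             hoeffding_eps(N, 1e-6)))
```

The point of the Hoeffding step is that a sampled "probability 1 - p" claim is only meaningful with its confidence attached: `trials` fixes how tight the bound is, and `delta` how often the bound itself may be wrong. The closed form is available here only because the example has no nondeterminism left after composition; in the general PIOA setting the slide calls "tricky", a scheduler must first resolve the nondeterministic choices before any probability can be assigned.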
Relevance to Aero/Astro?
- Use existing tools/techniques for TIOA and HIOA to model and analyze aircraft control systems:
  - Model all components: physical world, computer software, communication services, pilots and other humans.
  - Use invariants, simulation relations, differential equations/inclusions.
- Extend the methods to be more useful for Aero/Astro:
  - Automated methods.
  - Better integration with control theory methods.
  - Probabilistic safety guarantees.
- Use the models to help in system design.
  - Testing, validation of models.
  - Automatic code generation for aircraft control software.