1 / 13

Symbolic Model Checking of Network Protocols: A Temporal Logic Approach

This presentation explores symbolic model checking techniques for analyzing network protocols using temporal logic. Based on foundational slides by Jim Kurose and Keith Ross, it delves into the use of temporal operators as functions, fixpoint characterization, and computation methods. The presentation outlines examples and properties of temporal logic operators, such as AG and AF, detailing their practical application in checking protocol correctness. Essential concepts are illustrated with finite state machines (FSMs) and examples of failed properties to demonstrate the verification process and provide counterexamples.

blenda
Télécharger la présentation

Symbolic Model Checking of Network Protocols: A Temporal Logic Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NETW 703 Network Protocols Symbolic Model Checking Revision Slides Dr. Eng. Amr T. Abdel-Hamid • Slides based on slides of: • Jim Kurose, Keith Ross, “Computer Networking: A Top Down Approach Featuring the Internet”, 2nd edition, Addison-Wesley, July 2002. • Jiangchuan (JC) Liu , Assistant Professor, SFU & others Winter 2012

  2. Functionals • Now, we can think of all temporal operators also as functions from sets of states to sets of states • For example: or if we use the set notation AX p = (S - EX(S - p)) • Logic Set • p  q p  q • p  q p  q • p S – p False  True S

  3. Fixpoint Characterization Equivalences AG p =  y . p  AX y AG p = p  AX AG p EG p =  y . p  EX y EG p = p  EX EG p AF p =  y . p  AX y AF p = p  AX AF p EF p =  y . p  EX y EF p = p  EX EF p A(pUq) =  y . q  A (p  X (y)) A(pUq)=q  (p  AX (p AU q)) E(pUq) =  y . q  E (p  X (y)) E(pUq) = q  (p  EX (p EU q)) Fixpoint Characterizations

  4. EF Fixpoint Computation EF p =  y . p  EX y is the limit of the sequence: , pEX , pEX(pEX ) , pEX(pEX(p EX )) , ... which is equivalent to , p, p  EX p , p  EX (p  EX (p) ) , ...

  5. EF Fixpoint Computation p s1 s2 s3 s4 p Start  1st iteration pEX  = {s1,s4} EX()= {s1,s4}   ={s1,s4} 2nd iteration pEX(pEX ) = {s1,s4} EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4} 3rd iteration pEX(pEX(p EX )) = {s1,s4} EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4} 4th iteration pEX(pEX(pEX(p EX ))) = {s1,s4} EX({s1,s2,s3,s4})= {s1,s4}  {s1,s2,s3,s4} = {s1,s2,s3,s4}

  6. EF Fixpoint Computation EF(p)states that can reach p  p EX(p)  EX(EX(p))  ... p • • • EF(p)

  7. Greatest Fixpoint Given a monotonic function F, its greatest fixpoint is the least upper bound (lub) of all the extensive elements:  y. F y =  { y | F y  y } The greatest fixpoint  y . F y is the limit of the following sequence (assuming F is -continuous): S, F S, F2 S, F3 S, ... If S is finite, then we can compute the greatest fixpoint using the above sequence

  8. EG Fixpoint Computation Similarly, EG p =  y . p  EX y is the limit of the sequence: S, pEX S, pEX(p  EX S) , pEX(p  EX (p  EX S)) , ... which is equivalent to S, p, p  EX p , p  EX (p  EX (p) ) , ...

  9. EG Fixpoint Computation p p s1 s2 s3 s4 p Start S = {s1,s2,s3,s4} 1st iteration pEX S = {s1,s3,s4}EX({s1,s2,s3,s4})= {s1,s3,s4}{s1,s2,s3,s4}={s1,s3,s4} 2nd iteration pEX(pEX S) = {s1,s3,s4}EX({s1,s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4} 3rd iteration pEX(pEX(pEX S)) = {s1,s3,s4}EX({s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}

  10. EG Fixpoint Computation EG(p)  states that can avoid reaching pp EX(p)  EX(EX(p))  ... • • • EG(p)

  11. Example • For the FSM below, formally check the following properties, using Fixpoint Theorm: • AG(a ∨c ∨b) • AF(ab) • If failed show the subset of the design the property holds for as well as the counter example 1 2 4 3 c a a,b b,c d c 6 S = {1,2,3,4,5,6}, AP = {a,b,c,d}, R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)} L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d} 5

  12. Example (cont.) • Remember that: • H(a∪b) = H(a) ∪ H(b) ∪ H(c) ={1,4} ∪ {2,3,5} ∪ {1,3} = {1,2,3,4,5} • AG(a ∨c ∨b) = AG p =  y . p  AX y =  y . p  AX y • AX p = EX(p) • I0  S = {1,2,3,4,5,6} • I1  {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} • I2  {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5} • This is because that : AX(1,2,3,4,5) =  EX((1,2,3,4,5)) =  EX(6) =  (2) = S- {2 } = {1,3,4,5,6} • I3  {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} • This is because that : AX(1,3,4,5) =  EX((1,3,4,5)) = **** • I3 = I2  H(AG(a∨b ∨ c)) = {1,3,4,5} • The property does not hold, except for the above states, and it is clear that states {2,6} can be considered as counter examples. • state 6 does not contain neither a,c,b and state 2 does not have a proceeding one on one of its pathes path (2,6)

  13. Example (AF(ab))

More Related