1 / 65

Time-Critical Systems with Timed Automata Approach

Explore the importance of time in critical systems using timed automata theory, covering Timed Automata, ω-automata, TLS Handshake Protocol, and more.

keisha
Télécharger la présentation

Time-Critical Systems with Timed Automata Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TLS: A TIMED AUTOMATA APPROACHGiuliana CarulloUniversità degli Studi di Salerno

  2. DID YOU KNOW

  3. that for a train crossing it is essential that on detecting the approach of a train, the gate is closed within a certain time bound in order to halt car and pedestrian traffic before the train reaches the crossing

  4. DID YOU KNOW

  5. that for a radiation machine the time period during which a cancer patient is subjected to a high dose of radiation is extremely important: a small extension of this period is dangerous and can cause the patient's death.

  6. Timeisimportantevenfor a toaster

  7. To put it in a nutshell: Correctness in time-critical systems not only depends on the logical result of the computation but also on the time at which the results are produced.

  8. Whatwillthatmean in termsofautomatatheory? TimedAutomata

  9. Talk outline The central theme of this discussion is timed automata, basically an extension of classical finite-state automata with clock variables. Topics include: • ω-automatarecap • Timedautomata • TLS Handshakeprotocol • Conclusions

  10. ωAutomata

  11. ω-automata in short Definition 2.1 A transition tableA is a tuple (∑, S, S0,E) where: • ∑ is an alphabet • S is a finite set of automaton states • S0 ⊆ S is a set of start states • E ⊆ S × S ×∑ is a set of edges The automaton starts in an initial state s ⊆ S0 and if (s, s’, a)∈ E, then the automaton can change its state from s to s’ reading the input symbol a.

  12. ω-automata in short Definition 2.2 Let be σ= σ1σ2… a word over the alphabet ∑ a run r of A over σ is r : s0σ1 s1σ2 … with s0 ⊆ S0 and (si-1, si, σi) ∈E for all i ≥ 1. For such a run r, the set inf(r) consists of the states s ⊆ Sfor each s= si for infinitely many i ≥ 0. Different types of ω-automata are defined by adding an acceptance condition to the definition of the transition table.

  13. Büchi and MullerAutomata A Büchi automatonA is a transition table (∑, S, S0,E) with additional set F ⊆ S of acceptance states. A run r is accepting iff some state s ⊆ F repeats infinitely often along r. In other words, a run r is an accepting run iffinf( r ) ∩ F ≠∅. A Muller automatonA is a transition table (∑, S, S0,E) with an acceptance family F ⊆ 2S. A run r is accepting iff the set of state repeating infinitely often along r equals some set in F. In other words, a run r is an accepting run iffinf(r) ⊆ F.

  14. Büchi AutomataProperties The class of regular ω-languages overagivenalphabetis closed under the Boolean operations and under projection. The emptiness problem (and the equivalence problem) for Büchi automataisdecidable. Deterministic Büchi automata are strictly weakerthannondeterministicones.

  15. TimedAutomata

  16. TA: intro A timed automaton is an automaton equipped with a clock structure. They can capture interesting aspects of real-time systems: qualitative features- liveness, fairness, nondeterminism. quantitative features - periodicity, bounded response, timing delays.

  17. TimedLanguages • Definition 3.1 • A timed sequenceτ = τ1 ,τ2,… is an infinite sequence of time values τi ∈ R with τi>0. • Following constraints are satisfied: • Monotonicity: τ increases strictly monotonically; that is τi < τi+1 for all i≥1; • Progress: For every t ∈ R, there is some i ≥1 such that τi>t.

  18. TimedLanguages Definition 3.2 A timed word over an alphabet ∑ is a pair (σ, τ) where σ = σ1σ2… is an infinite word over ∑ and τ is a time sequence. If a timed word (σ, τ) is viewed as an input to the automaton, it presents the symbol σi at time τi.

  19. TimedLanguages A simple example of timed language is: Let the alphabet be ∑={a, b}. Define a timed language L to consist of all timed words (σ, τ) where there is no b after time 5. Thus, the language L is given by: L = { (σ, τ) | ∀ ((τi> 5) (σi= a))}

  20. TimedLanguages • Definition 3.3 • Given a set C of clocks, the set of clock constraints, denoted by guard(C); is the set of formulas inductively defined by: • true, false, c ~ n where c ∈ C, n ∈Nand ~ ∈ {>, <, =}, • f1 Λ f2, f1 V f2 where f1 and f2 are formulas in guard(C). • A clock interpretation v for a set of clocks C, assigns a real value to each clock and we say that it satisfies a clock constraint guard(C) iffguard(C) evaluates to true using the value given by v.

  21. TimedAutomaton • Definition 3.4 • A timed automatonover an alphabet ∑ is a tuple A = (L; C; λ; μ; l0; F; E) where: • L is a finite set of locations, • C is a finite set of clocks, • λ: S→∑ is an output function, • μ: S→guard(C), assigns to each location a guard called invariantof the location, • l0∈ L is the initial location, • F ⊆ L is a set of final locations, • E ⊆L ×L × guard(C) × 2Cgives the set of edges between locations labeled by sets of clocks and formulas.

  22. Timedtransitiontable • Definition 3.5 • A timed transition tableA is a tuple (∑, S, S0, C, E) where: • ∑is a finite alphabet, • S is a finite set of states • S0 ⊆ S is a set of start states • C is a finite set of clocks, • E ⊆S × S × ∑ × guard(C) × 2C. • An edge (s, s’, a, c, guard(C)) represents a transition from state s to state s’ on input symbol a. The set λ ⊆ C gives the clocks to be reset with this transition, and guard(C) is a clock constraints over C.

  23. Howitworks Model Event lifetime Event sequence eventi event.setLifetime(int x) event.resetLifetime()

  24. Howitworks The triggering event at a given state is the one with the smallest clock value among all events that are active at that state. When the triggering event occurs, all other event clocks are reduced by the amount of time elapsed since the previous event occurrence, unless an event is deactivated. The age of a currently active event is the time elapsed since its most recent activation. Its residual lifetime is the time remaining until its next occurrence. The clock value of an active event is always its residual lifetime

  25. Howitworks • In order to properly capture the semantics of a timed model, it is required to represent a the set of timed transitions of the automaton as a set of triples in the following form: • ( guard(C), event, reset ) • Where: • guard(C) component is a pre-condition: it specifies the timing condition that need to be satisfied on some of the clocks for transition to occur; • event∈ E component denotes the event executed by the system upon a certain transition; • reset⊆ C component is a set that lists which clocks are reset to 0 upon completion of a given transition.

  26. Simpleexample

  27. Anotherexample

  28. Crossingtrain scenario • Required steps: • Train comes along the tracks towards an intersection • Gate comes down, train comes in • Train exits the gate area • Gate raises back up Central Controller

  29. Crossingtrain scenario • Two conditions need to be met: • Safety : The train never enters unless the gate is down and the gate never go up until the train l eaves. • Real time liveness: The gate never stays closed for more than 10 minutes.

  30. Crossingtrain scenario • Büchi automata are closed under union, intersection and complement. C2 C1 S C3

  31. Trainmodel Event set Communicationwith CC Train’s events Safety Liveness

  32. Gatemodel Communicationwith CC Gate’s events Timing Event set

  33. Controller model Event set Messageexchange

  34. Model safety

  35. Modeling real-time liveness

  36. TimedAutomataProperties • Undecidability:The language inclusion checking problem i.e. to check L(A) µ L(B) is undecidable. • Closure properties: NTA are closed under union and intersection but, surprisingly, not under complementation. The deterministic classes are closed under all Boolean operations. Expressiveness Properties Every DTBAs can be expressed as a DTMA simply by rewriting its acceptance condition. However the converse does not hold

  37. TimedAutomataImplementability Implementation Digitalclocks Delayedsynchronization Reactiontime = ε Model Perfectcontinuousclocks Instantaneoussynchronization Reactiontime = 0 ? CorrectmodelCorrectimplementation

  38. Transport Layer Security

  39. Cryptology Cryptography Cryptoanalysis

  40. Whatif I don’t knowanythingaboutcrypto?

  41. Confusion

  42. Diffusion

  43. Secret key

  44. Transport Layer Security • Transport Layer Security (TLS) and itspredecessor, SecureSockets Layer (SSL), are cryptographicprotocolsthatprovidecommunication security over the Internet. • The encrypt the segmentsof network connectionsabove the Transport Layer, using: • asymmetriccryptographyfor key exchange, • symmetricencryptionfor privacy, • and messageauthenticationcodesformessageintegrity. • The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping.

  45. TLS handshakeprotocol

  46. UPPAAL UPPAAL is an integrated suite for modeling, validation and automatic verification of safety and bounded liveness properties of real-time systems modeled as networks of timed automata.

  47. UPPAAL-Atomic clock constraint Definition 1. Let C be a set of real valued clocks an I a set of integer valued variables. An atomic clock constraint over C is a constraint of the form: x ~ n, for x ∈ C, ~ ∈ { ≤ , ≥ , = } and n ∈ N. An atomic integer constraint over I is a constraint of the form: i~ n, for i ∈ I, ~ ∈ { ≤ , ≥ , =} and n ∈ Z. By Cc(C) we denote the set of all clock constraints over C, and Ci(I) denotes the set of all integer constraints over I.

  48. UPPAAL-guard Definition 2. Let C be a set of real valued clocks and I a set of integer valued variables. A guard g over C and I is a formula generated by the following syntax: g ::= c|g ∧ g, where c ∈ (Cc(C) U Ci(I)). B(C, I) stands for the set of all guards over C and I.

  49. UPPAAL-clockassignment Definition 3. Let C be a set of real valued clocks and I a set of integer valued variables. A clock assignment over C is a tuple (v, c), where v ∈ C and c ∈ N. An integer assignment over I is a tuple (v, c1, c2) representing the assignment v = C1· v + c2, where v ∈ I and C1, c2 ∈ Z. We will use A(C, I) to denote the power-set of all assignments over I and C.

  50. UPPAAL-timedautomaton Definition 4. A timed automaton A over a finite set of actions Act, clocks C, and integer variables I is a tuple (L, l0,E) , where L is a finite set of nodes (control-nodes), l0 is the initial node, and E ⊆ L×B(C, I)×Act×A(C, I)×L is the set of edges. We will write: to denote

More Related