Network Protocols
Download
Report
Transcript Network Protocols
BDDs & Theorem Proving
Binary Decision Diagrams
Dr. Eng. Amr T. Abdel-Hamid
Network Protocols
NETW 703
Lectures are based on slides by:
• K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU.
• E. Clarke, Formal Methods, to be updated by course name
•S. Tahar, E. Cerny and X. Song, “ Formal Verification of Systems”.
Winter 2012
Binary Decision Diagrams
Network Protocols
Ordered binary decision diagrams (OBDDs) are a canonical fo
rm for Boolean formulas.
OBDDs are often substantially more compact than traditional n
ormal forms.
Moreover, they can be manipulated very efficiently.
Introduced at:
R. E. Bryant. Graph-based algorithms for boolean function manip
ulation. IEEE Transactions on Computers, C-35(8), 1986.
Dr. Amr Talaat
Binary Decision Trees
Network Protocols
A Binary decision tree is a rooted, directed tree with two types
of vertices, terminal vertices and nonterminal vertices.
Each nonterminal vertex v is labeled by a variable var(v) and h
as two successors:
low (v) corresponding to the case where the variable is assign
ed 0, and high (v) corresponding to the case where the variabl
e is assigned 1.
Each terminal vertex v is labeled by value(v) which is either 0
or 1
Dr. Amr Talaat
Example
Network Protocols
BDT for a two-bit comparator, f(a1,a2,b1,b2) = (a1 b1) (a
2 b2)
Dr. Amr Talaat
Binary Decision Diagram
Network Protocols
i.e. exactly like decision TREE
Dr. Amr Talaat
Reduced Ordered BDDs
Network Protocols
In practical applications, it is desirable to have a canonical repr
esentation for Boolean functions.
This simplifies tasks like checking equivalence of two formulas
and deciding if a given formula is satisfiable or not.
Such a representation must guarantee that two Boolean functi
ons are logically equivalent if and
only if they have isomorphic representations.
Dr. Amr Talaat
Reduced Ordered BDD
Network Protocols
Dr. Amr Talaat
Canonical Form property
A canonical representation for Boolean functions is desirable:
two Boolean functions are logically equivalent iff they have isomo
rphic representations
This simplifies checking equivalence of two formulas and deciding if
a formula is satisfiable
Two BDDs are isomorphic if there exists a bijection h between the g
raphs such that
Terminals are mapped to terminals and nonterminals are mapped to
nonterminals
For every terminal vertex v, value(v) = value(h(v)), and
For every nonterminal vertex v: var(v) = var(h(v)), h(low(v)) = low(
h(v)), and h(high(v)) = high(h(v))
Canonical Form property
Network Protocols
Bryant (1986) showed that BDDs are a canonical repr
esentation for Boolean functions under two restrictions:
the variables appear in the same order along each path from th
e root to a terminal
there are no isomorphic subtrees or redundant vertices
Dr. Amr Talaat
Reduced Ordered Binary Decision D
iagrams (ROBDDs): CREATION
Network Protocols
Canonical Form Property
Requirement (1): Impose total order “<” on the variables in the for
mula: if vertex u has a nonterminal successor v, then var(u) < var(
v)
Requirement (2): repeatedly apply three transformation rules (or i
mplicitly in operations such as disjunction or conjunction)
Dr. Amr Talaat
RoBDD Creation
Network Protocols
1) Remove duplicate terminals: eliminate all but one terminal v
ertex with a given label and redirect all arcs to the eliminated v
ertices to the remaining one
Dr. Amr Talaat
Comparator Example
Network Protocols
Dr. Amr Talaat
RoBDD Creation
Network Protocols
2. Remove duplicate nonterminals: if nonterminals u and v hav
e var(u) = var(v), low(u) = low(v) and high(u) = high(v), eliminat
e one of the two vertices and redirect all incoming arcs to the o
ther vertex
Dr. Amr Talaat
Network Protocols
3. Remove redundant tests: if nonterminal vertex v has low(v) =
high(v), eliminate v and redirect all incoming arcs to low(v)
Dr. Amr Talaat
ROBDD Example
Network Protocols
Creating the ROBDD for (x⊕y⊕z)
Dr. Amr Talaat
Canonical Form Property (cont’d)
Network Protocols
A canonical form is obtained by applying the transformation rul
es until no further application is possible
Bryant showed how this can be done by a procedure called Re
duce in linear time
Applications:
checking equivalence: verify isomorphism between ROBDDs
non-satisfiability: verify if ROBDD has only one terminal node, lab
eled by 0
tautology: verify if ROBDD has only one terminal node, labeled by
1
Dr. Amr Talaat
Variable Ordering Problem
Network Protocols
Dr. Amr Talaat
Variable Ordering Problem
Network Protocols
The problem of finding the optimal variable order is NP-complete
Some Boolean functions have exponential size ROBDDs for any order (e.g., multiplier)
Heuristics for Variable Ordering
Heuristics developed for finding a good variable order (if it exists)
Intuition for these heuristics comes from the observation that ROBDDs tend to be
smaller when related variables are close together in the order
Variables appearing in a subcircuit are related: they determine the subcircuit’s out
put should usually be close together in the order
Dynamic Variable Ordering
Useful if no obvious static ordering heuristic applies
During verification operations (e.g., reachability analysis) functions change, hence
initial order is not good later on
Good ROBDD packages periodically internally reorder variables to reduce ROBD
D size
Dr. Amr Talaat
Basic approach based on neighboring variable exchange
Among a number of trials the best is taken, and the exchange is repeated
Model Checking
Network Protocols
The Good:
If it works, model checking (unlike theorem proving) is a pus
h-button tool.
The Bad:
If the system is too large, model checking cannot be applied
because of state explosion.
& The Ugly
The system (and/or property) then needs to be suitably “abst
racted” in order to use model checking.
Dr. Amr Talaat
Approximate Model Checking
Network Protocols
Representing exact state sets may involve large BDDs
Compute approximations to reachable states
Potentially smaller representation
Over-approximation :
No bugs found Circuit verified correct
Bugs found may be real or false
Under-approximation :
Bug found Real bug
No bugs found Circuit may still contain bugs
Dr. Amr Talaat
Reachable states
Buggy states
Theorem Proving
Network Protocols
Prove that an implementation satisfies a specification by mathematical re
asoning
Implementation and specification expressed as formulas in a formal logic
Required relationship (logical equivalence/logical implication) described as a
theorem to be proven within the context of a proof calculus
A proof system:
Dr. Amr Talaat
A set of axioms and inference rules (simplification, rewriting, induction, etc.)
Theorem Proving Idea
Network Protocols
Properties specified in a Logical Language (SPEC)
System behavior also in the same language (DES)
Establish (DES -> SPEC) as a theorem.
A logical System:
A language defining constants, functions and predicates
A no. of axioms expressing properties of the constants, function, types, e
tc.
Inference Rules
A Theorem
`follows' from axioms by application of inference rules has a proof
Dr. Amr Talaat
First-Order Logic
Network Protocols
Dr. Amr Talaat
Propositional logic: reasoning about complete sentences.
First-order logic: also reasoning about individual objects and rel
ationships between them.
Syntax
Objects (in FOL) are denoted by expressions called terms:
Constants a, b, c,... ; Variables u, v, w,... ;
f(t1, t2,..., tn) where t1, t2,..., tn are terms and f a function symbol
of n arguments
Predicates:
true (T) and false (F)
p(t1, t2,..., tn) where t1, t2,..., tn are terms and p a predicate symb
ol of n arguments
First-Order Logic (cont.)
Network Protocols
Formulas:
Predicates:
P and Q formulas, then P, P Q, P Q, P Q,
P Q are formulas
x a variable, P a formula, then x.P, x.Q are formulas
(x is not free in P, Q)
Dr. Amr Talaat
First-Order Logic (cont’d)
Network Protocols
Dr. Amr Talaat
The Validity Problem of FOL
To decide the validity for formulas of FOL, the truth table method
does not work!
Reason: must deal with structures not just truth assignments.
Structures need not be finite ...
Semi-decidable (partially solvable)
There is an algorithm which starts with an input, and
1. if the input is valid then it terminates after a finite number of
steps, and outputs the correct value (Yes or No)
2. if the input is not valid then it reaches a reject halt or loops fo
rever
Theorem (Church-Turing, 1936)
The validity problem for formulas of FOL is undecidable, but semi-de
cidable.
Some subsets of FOL are decidable.
Higher-Order Logic
Network Protocols
Dr. Amr Talaat
First-order logic: only domain variables can be quantified.
Second-order logic: quantification over subsets of variables (i.e., over
predicates).
Higher-order logics: quantification over arbitrary predicates and functi
ons.
Higher-Order Logic:
Variables can be functions and predicates,
Functions and predicates can take functions as arguments a
nd return functions as values,
Quantification over functions and predicates.
Since arguments and results of predicates and functions can the
mselves be predicates or functions, this imparts a first-class stat
us to functions, and allows them to be manipulated just like or
dinary values
HOL
Network Protocols
Example 1: (mathematical induction)
P. [P(0) (n. P(n) P(n+1))] n.P(n)
(Impossible to express it in FOL)
Example 2: Function Rise defined as
Rise (c, t) = c(t) c(t+1)
Rise expresses the notion that a signal c rises at time t.
Dr. Amr Talaat
Higher-Order Logic
Network Protocols
Dr. Amr Talaat
Advantage:
high expressive power!
Disadvantages:
Incompleteness of a sound proof system for most higher-order log
ics
Theorem (Gödel, 1931)
“There is no complete deduction system for the second-order logi
c”
Inconsistencies can arise in higher-order systems if semantics not ca
refully defined
“Russell Paradox”:
Let P be defined by P(Q) = ¬Q(Q).
By substituting P for Q, leads to P(P) = ¬P(P),
Theorem Proving Systems
Network Protocols
Some theorem proving systems:
Boyer-Moore (first-order logic)
HOL (higher-order logic)
PVS (higher-order logic)
Lambda (higher-order logic)
From PVS website:
Dr. Amr Talaat
“PVS is a large and complex system and it takes a l
ong while to learn to use it effectively. You should b
e prepared to invest six months to become a modera
tely skilled user”
HOL
Network Protocols
HOL (Higher-Order Logic) developed at University of Cambridge
Interactive environment (in ML, Meta Language) for machine assiste
d theorem proving in higherorder logic (a proof assistant)
Steps of a proof are implemented by applying inference rules chosen
by the user; HOL checks that the steps are safe
All inferences rules are built on top of eight primitive inference rules
Mechanism to carry out backward proofs by applying built-in ML func
tions called tactics and tacticals
By building complex tactics, the user can customize proof strategies
Numerous applications in software and hardware verification
Dr. Amr Talaat
HOL
Network Protocols
HOL provides considerable built-in theorem-proving infrastructure:
a powerful rewriting subsystems
library facility containing useful theories and tools for general use
Decision procedures for tautologies and semi-decision
procedure for linear arithmetic provided as libraries
The approach to mechanizing formal proof used in HOL is due to Ro
bin Milner.
Dr. Amr Talaat
Proof Styles in HOL
Network Protocols
Forward proof style:
Goal-directed (or Backward) proof style:
Dr. Amr Talaat
Backward Proofs
Network Protocols
Dr. Amr Talaat
Example 1: Logic AND
Network Protocols
AND Specification:
AND_SPEC (i1,i2,out) := out = i1 ∧ i2
NAND specification:
NAND (i1,i2,out) := out = ¬(i1 ∧ i2)
NOT specification:
NOT (i, out) := out = ¬ I
AND Implementation:
AND_IMPL (i1,i2,out) := ∃x. NAND (i1,i2,x) ∧ NOT (x,
out)
Dr. Amr Talaat
Example 1: Logic AND
Network Protocols
Dr. Amr Talaat
Proof Goal:
∀ i1, i2, out. AND_IMPL(i1,i2,out) ⇒ ANDSPEC(i1,i2,out)
Proof (forward)
AND_IMP(i1,i2,out) {from above circuit diagram}
∃ x. NAND (i1,i2,x) ∧ NOT (x,out) {by def. of AND impl}
NAND (i1,i2,x) ∧ NOT(x,out) {strip off “∃ x.”}
NAND (i1,i2,x) {left conjunct of line 3}
x =¬ (i1 ∧ i2) {by def. of NAND}
NOT (x,out) {right conjunct of line 3}
out = ¬ x {by def. of NOT}
out = ¬(¬(i1 ∧ i2) {substitution, line 5 into 7}
out =(i1 ∧ i2) {simplify, ¬¬ t=t}
AND (i1,i2,out) {by def. of AND spec}
AND_IMPL (i1,i2,out) ⇒ AND_SPEC (i1,i2,out)
Q.E.D.
Inductive Proofs
Network Protocols
Inductive Proofs Must Have:
Base Case (value):
where you prove it is true about the base case
Inductive Hypothesis (value):
where you state what will be assume in this proof
Inductive Step (value)
show:
where you state what will be proven below
proof:
Dr. Amr Talaat
where you prove what is stated in the show portion
this proof must use the Inductive Hypothesis sometime during th
e proof
Example 2
Network Protocols
Prove this statement:
Base Case (n=1):
Inductive Hypothesis (n=p):
Inductive Step (n=p+1):
Show:
Dr. Amr Talaat
Example 3 N-Bit Adder
Network Protocols
Verification of Generic Circuits
used in datapath design and verification
idea: verify n-bit circuit then specialize proof for specific value of
n, (i.e., once proven for n, a simple instantiation of the theorem fo
r any concrete value, e.g. 32, gets a proven theorem for that insta
nce).
use of induction proof
Specification
N-ADDER_SPEC (n,in1,in2,cin,sum,cout):=
(in1 + in2 + cin = 2n+1 * cout + sum)
Dr. Amr Talaat
Example 3 N-Bit Adder
Implementation
Network Protocols
Dr. Amr Talaat
38/8
Example 3 N-Bit Adder
Network Protocols
Recursive Definition:
N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout):=
∃ w. N-ADDER_IMP(n-1,in1[0..n-2],in2[0..n-2],cin,sum[0..n-2],w) ∧ N-AD
DER_IMP(1,in1[n-1],in2[n-1],w,sum[n-1],cout)
Notes:
N-ADDER_IMP(1,in1[i],in2[i],cin,sum[i],cout) = ADDER_IMP(in1[i],in2
[i],cin,sum[i],cout)
Dr. Amr Talaat
Data abstraction function (vn: bitvec → nat) to relate bit vectors to
natural numbers:
vn(x[0]):= bn(x[0])
vn(x[0,n]):= 2n * bn(x[n]) + vn(x[0,n-1]
39/8
Example 3 N-Bit Adder
Network Protocols
Proof goal:
∀ n, in1, in2, cin, sum, cout. N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],ci
n,sum[0..n-1],cout) ⇒ N-ADDER_SPEC(n, vn(in1[0..n-1]), vn(in2[
0..n-1]), vn(cin), vn(sum[0..n-1]), vn(cout))
As an example can be instantiated with n = 32:
∀ in1, in2, cin, sum, cout. N-ADDER_IMP(in1[0..31],in2[0..31],cin,sum[0.
.31],cout) ⇒ N-ADDER_SPEC(vn(in1[0..31]), vn(in2[0..31]), vn(cin)
, vn(sum[0..31]), vn(cout))
Dr. Amr Talaat
40/8
Example 3 N-Bit Adder
Network Protocols
Proof by induction over n:
basis step:
N-ADDER_IMP(1,in1[0],in2[0],cin,sum[0],cout) ⇒ N-ADDER_SPEC(
1,vn(in1[0]),vn(in2[0]),vn(cin),vn(sum[0]),vn(cout))
Induction Step:
Dr. Amr Talaat
[N-ADDER_IMP(n,in1[0..n-1],in2[0..n-1],cin,sum[0..n-1],cout) ⇒ N-A
DDER_SPEC(n,vn(in1[0..n-1]),vn(in2[0..n-1]),vn(cin),vn(sum[0..n-1]),
vn(cout)) ] ⇒ [N-ADDER_IMP(n+1,in1[0..n],in2[0..n],cin,sum[0..n],co
ut) ⇒ N-ADDER_SPEC(n+1,vn(in1[0..n]),vn(in2[0..n]),vn(cin),vn(sum
[0..n]),vn(cout))]
41/8
Conclusions
Network Protocols
Dr. Amr Talaat
Advantages of Theorem Proving
High abstraction and expressive notation
Powerful logic and reasoning, e.g., induction
Can exploit hierarchy and regularity, puts user in control
Can be customized with tactics (programs that build larger proofs steps from ba
sic ones)
Useful for specifying and verifying parameterized (generic) datapath-dominated
designs
Unrestricted applications (at least theoretically)
Limitations of Theorem Proving:
Interactive (under user guidance): use many lemmas, large numbers of comma
nds
Large human investment to prove small theorems
Usable only by experts: difficult to prove large / hard theorems
Requires deep understanding of the both the design and HOL (while-box verific
ation)
must develop proficiency in proving by working on simple but similar problems.
We are not alone
Network Protocols
Theorem
proving
Dr. Amr Talaat
Model che
cking
Testin
g
Hybrid Verification
Network Protocols
Formal Verification using
Theorem Proving + Model Checking
Theorem
Proving
Model
Checking
Dr. Amr Talaat
Hybrid Verification
Network Protocols
|-Goal Imp. Spec.
|-Goal Imp.(x y ….) Spec.((y= ..) (…..))
G1
G1’
G1’’ G2’
G2
G2’’ G3’
G3
…….
G3’’
Gn
Gn’
Dr. Amr Talaat
Use model checking to verify Sub-Goals
Gn’’
Different Verification Methods
Network Protocols
Testing (Simulation/Emulation)
Theorem Proving
Model checking (automatic verification)
Testing
Dr. Amr Talaat
Theorem
Proving
Model
Checking
Semi-formal Verification
Network Protocols
Simulation
Driver
Simulation
Engine
Simulation
Monitor
Symbolic
Simulation
Guided vector
generation
Diagnosis of
Unverified
Portions
Conventional
Coverage
Analysis
Dr. Amr Talaat
Devadas and Keutzer’s proposal:
A pragmatic suggestion for SOC verification
Extension
Semi-formal Verification
Network Protocols
Smart simulation:
Use properties to generate directed test vectors.
Maximize chances of detecting bugs at small cost
Coverage metrics crucial?
Use metrics to determine
Unexercised parts of design: Guide vector generation
Adequacy of verification: When to stop?
Dr. Amr Talaat
Did you find the BUG yet?
Network Protocols
Verification and testing problem is an open question with multi-Billion
$ Research per year.
A great Masters Research Topic
Dr. Amr Talaat
A Final Proof
Network Protocols
Software engineers want to be real engineers.
Real engineers use mathematics.
Formal methods are the mathematics of software engineering.
Therefore, software engineers should use formal methods.
Mike Holloway,
NASA
Dr. Amr Talaat
Scientists Quotes
Network Protocols
“Teaching to unsuspecting youngsters the effective
use of formal methods is one of the joys of life be
cause it is so extremely rewarding”
“A formula is worth a thousand pictures”
Edsger Wybe Dijkstra
(1930–2002)
Dr. Amr Talaat