The Formal Verification of SPIDER


Page 1: The Formal Verification of SPIDER

1

The Formal Verification of SPIDER

Lee Pike

Department of Computer Science

Indiana University, Bloomington

[email protected]

Thanks to
● Steven Johnson, Indiana University, Bloomington
● The National Institute of Aerospace
● The NASA LaRC Formal Methods Team, especially Paul Miner

Overview
● SPIDER Overview
● Reasoning about Faults
● The Old vs. New Interactive Consistency (IC) Protocol
● SPIDER Formal Verification Goals & Future Work
● References

SPIDER Overview: Why?

● Develop a fault-tolerant architecture based on an ultra-reliable bus
  ● Scalable
  ● Handles a large number of possibly simultaneous faults, specifically transient faults from electromagnetic effects
  ● Provides reintegration services
● Case study for the FAA
  ● Developed in accordance with RTCA DO-254: Design Assurance Guidance for Airborne Electronic Hardware
  ● Provides a test-bed for techniques in the specification and verification of safety-critical electronic systems

Architectures of this sort are the foundation of tomorrow's X-by-wire safety-critical systems.

SPIDER Overview: What?

● Scalable Processor-Independent Design for Electromagnetic Resilience
● Processor Elements (PEs)
● Reliable Optical BUS (ROBUS)
  ● Time Division Multiple Access (TDMA) bus
  ● Maintains synchrony between PEs
  ● Prevents babbling idiots and PE-to-PE interference
  ● The services of the ROBUS are the focus of the verification effort

[Diagram: three PEs attached to the ROBUS]

ROBUS Overview: Topology

[Diagram: BIU1, BIU2 and BIU3, each with a link to a PE, and RMU1, RMU2 and RMU3 inside the ROBUS; every BIU is linked to every RMU]

● n Bus Interface Units (BIUs)
● m Redundancy Management Units (RMUs)
● The BIUs and RMUs are called nodes.
● Every BIU and RMU is directly connected.
● No two BIUs are directly connected. Similarly for the RMUs.

ROBUS Overview: Services (Protocols)

● Interactive Consistency. Purpose: reliably broadcast messages between PEs.
● Clock Synchronization. Purpose: maintain synchrony between all nodes and PEs.
● Distributed Diagnosis. Purpose: convict faulty nodes in the ROBUS.

The focus of this talk is Interactive Consistency.

Global Fault Classifications

● Good: not faulty. [Diagram: the node sends d to every receiver]
● Benign: broadcasts only detectably faulty messages. [Diagram: the node sends garbage to every receiver]
● Symmetric: broadcasts the same arbitrary message to all. [Diagram: the node sends d' to every receiver]
● Asymmetric (Byzantine): arbitrarily sends arbitrary messages. [Diagram: the node sends d' to one receiver, d'' to another and d to a third]

Local Fault Information: Each Node Maintains

● Accusations: a node accuses other nodes based on the messages it receives as well as indirect information.
● Convictions: periodically, the distributed diagnosis protocol is executed; nodes exchange accusations to produce convictions.
● NOTE: while a good node knows that all good nodes have the same convictions, it does not know that all good nodes have the same accusations.
● Eligible Voters (EV): for each BIU, the set of RMUs that it neither accuses nor convicts. Similarly for each RMU.

Interactive Consistency Protocol: External View

● Purpose: reliably communicate data between processing elements (PEs) over the ROBUS.
● A PE (the sender) sends its data in to the ROBUS.
● The IC Protocol is executed in the ROBUS.
● The ROBUS broadcasts the data back out to the PEs.

[Diagram: three PEs attached to the ROBUS; the sender passes "data in", the ROBUS runs the IC protocol and delivers "data out" to each PE]

Old Interactive Consistency Protocol: Internal View

[Diagram: the sender's data enters at BIU1; BIU1, BIU2 and BIU3 each connect to a PE and to RMU1, RMU2 and RMU3 inside the ROBUS]

1. A BIU broadcasts data to the RMUs. If the BIU is good, the same value is broadcast to all RMUs.
2. For each good RMU, if it receives data that isn't detectably faulty, then it passes the data received back to each BIU. Otherwise, source_error is sent. [Diagram: RMU1 is good and sends "data or source_error" to each BIU; similarly for RMUs 2 and 3.]
3. Each BIU eliminates from its EV those RMUs that sent detectably faulty messages. [Diagram: BIU1 receives d from RMU1 (good), garbage from RMU2 (benign faulty) and d from RMU3, and drops RMU2 from its EV; BIUs 2 and 3 do likewise.]
4. Each BIU takes a majority vote over the data sent by the RMUs in its EV. [Diagram: BIU1 receives d and d and votes d; BIUs 2 and 3 do likewise.]
5. If the majority of RMUs sent the same data, then it is sent to the BIU's PE. Otherwise source_error is sent to the BIU's PE. [Diagram: BIU1 passes its vote d to its PE; BIUs 2 and 3 similarly send data.]

IC Protocol Guarantees

● Validity: if the broadcasting BIU is good, not convicted, and sends data d, then the result of the vote for a good BIU is d.
● Agreement: any two good BIUs vote the same result for the broadcast value (even if the sender is asymmetric!).

Old Assumptions (to ensure the guarantees hold)

Environment Assumptions. The Maximum Fault Assumption (MFA):
1. There are more good BIUs than symmetric + asymmetric BIUs.
2. Similarly for the RMUs.
3. There are either no asymmetric BIUs or no asymmetric RMUs.

System Assumptions
● Symmetric Agreement: if a node is not asymmetric, then all good nodes assign it the same accusation.
● Good Trusting: good nodes aren't accused by good nodes.
● Conviction Agreement: all good nodes have the same convictions.

Validity: Proof Sketch

Assume the broadcasting BIU is good and sends data d. [Diagram: the good sender at BIU1 sends d to RMU1, RMU2 and RMU3.]

Thus, all good RMUs send d back to the BIUs. [Diagram: RMU1 is good and sends d to each BIU; similarly for RMUs 2 and 3.]

Each good BIU filters out the bad messages received. By the MFA, a majority of its EV then consists of good RMUs. [Diagram: BIU1 receives d, d and garbage and discards the garbage; similarly for BIUs 2 and 3.]

Since all good RMUs sent d, the result of the vote yields d. q.e.d. [Diagram: BIU1 votes d.]

Agreement: Proof Sketch

Either the broadcasting BIU is asymmetric or not. Suppose it is. [Diagram: the asymmetric sender at BIU1 sends different values (d, d', d'') to RMU1, RMU2 and RMU3.]

Then no RMU is asymmetric, by the MFA. So every RMU sends the same data to every BIU. [Diagram: BIU1 receives x, z and y from the three RMUs; BIUs 2 and 3 receive the same values.]

Since no RMU is asymmetric, by Symmetric Agreement the EV of each BIU is the same. Thus, the result of the vote for each BIU is the same.

For the other case, suppose the sending BIU is not asymmetric. [Diagram: the sender at BIU1 sends d to RMU1, RMU2 and RMU3.]

Most of the RMUs are good, by the MFA. Since all good RMUs received the same values, they send the same values. [Diagram: RMU1 and RMU3 are good and both send x; BIU1 and BIU3 are good.]

By Good Trusting, no good BIU accuses a good RMU. Since most RMUs are good, there is a majority of good RMUs in the EV of each good BIU after filtering benign RMUs. [Diagram: BIU1 and BIU3 each receive x from RMU1 and from RMU3.]

Thus, the result of the votes will be the same for all good BIUs. q.e.d.

New Assumptions (to reason about reintegration)

Environment Assumptions. The Dynamic Maximum Fault Assumption (DMFA):
1. For each good BIU, its EV consists of more good RMUs than symmetric + asymmetric RMUs.
2. Similarly for good RMUs.
3. Either no asymmetric RMU is in the EV of a good BIU or no asymmetric BIU is in the EV of a good RMU.

System Assumptions
● Symmetric Agreement: if a node is not asymmetric, then all good nodes assign it the same accusation.
● Good Trusting: good nodes aren't accused by good nodes.
● Conviction Agreement: all good nodes have the same convictions.

Agreement Breaks! Under the New Assumptions (courtesy of Wilfredo)

Suppose the sender is asymmetric but is in the EV of no good RMU. Suppose there is an asymmetric RMU in the EV of both good BIUs. This satisfies the DMFA. [Diagram: BIU2 is the asymmetric sender and sends d, d' and d'' to the three RMUs; RMU1 and RMU2 are good and accuse BIU2; RMU3 is asymmetric; BIU1 and BIU3 are good and trust all.]

The two good RMUs relay the values received, and since RMU3 can relay arbitrary data, it sends d to BIU1 and d' to the other. [Diagram: one good BIU sees a majority for d, the other a majority for d'.]

The results of the votes of the two good BIUs, BIU1 and BIU3, differ. Agreement is violated! [Diagram: vote = d at BIU1; vote = d' at BIU3.]

Revised IC Protocol

In the new IC Protocol, the RMUs relay source_error both when
● they receive bad messages and
● when they accuse the sender.

The revised IC protocol satisfies both validity and agreement (verified in PVS).
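The following simulation is an added example and not part of the talk or of the SPIDER/PVS development. It serves three passages at once: the five steps of the old IC protocol, the DMFA counterexample (BIU2 an asymmetric sender accused by the good RMUs, RMU3 asymmetric and trusted by the good BIUs), and the revised protocol. The node names follow the slides; the fault-class encoding, the `source_error` and `garbage` tokens, the per-receiver `behaviour` tables for the asymmetric nodes, and the folding of convictions into the accusation set are assumptions made for the example. Running it shows the old protocol delivering d and d' to the two good BIUs under the counterexample, while the revised rule makes both deliver source_error.

```python
"""Old and revised SPIDER IC protocol on the ROBUS, simulated in Python.
Added illustration, not the project's PVS specification: node names follow
the talk, the fault encoding and token strings are assumptions."""
from collections import Counter

SOURCE_ERROR = "source_error"
GARBAGE = "garbage"  # stands for any detectably faulty message


class Node:
    """A BIU or RMU: global fault class plus local accusations.
    kind is "good", "benign", "symmetric" or "asymmetric".  `behaviour` maps a
    receiver name ("all" for symmetric nodes) to the value really transmitted.
    Convictions are folded into `accuses` in this model (an assumption)."""

    def __init__(self, name, kind="good", accuses=(), behaviour=None):
        self.name, self.kind = name, kind
        self.accuses = set(accuses)
        self.behaviour = behaviour or {}

    def send(self, value, receiver):
        """Value reaching `receiver`, given what a good node would send."""
        if self.kind == "good":
            return value
        if self.kind == "benign":
            return GARBAGE
        if self.kind == "symmetric":
            return self.behaviour["all"]
        return self.behaviour[receiver]  # asymmetric: may differ per receiver

    def eligible_voters(self, peers):
        """EV: the peers this node neither accuses nor convicts."""
        return [p for p in peers if p.name not in self.accuses]


def run_ic(sender, bius, rmus, data, revised):
    """One IC round; returns {good BIU name: value delivered to its PE}."""
    # Step 1: the sending BIU broadcasts its data to the RMUs.
    received = {r.name: sender.send(data, r.name) for r in rmus}
    # Step 2: each RMU relays what it got, or source_error on a bad message.
    # The revised protocol also relays source_error if the RMU accuses the sender.
    relayed = {}
    for r in rmus:
        v = received[r.name]
        if v == GARBAGE or (revised and sender.name in r.accuses):
            v = SOURCE_ERROR
        relayed[r.name] = {b.name: r.send(v, b.name) for b in bius}
    results = {}
    for b in bius:
        if b.kind != "good":
            continue  # the guarantees only speak about good BIUs
        # Step 3: keep only EV members, and drop detectably faulty messages.
        ballots = [relayed[r.name][b.name] for r in b.eligible_voters(rmus)]
        ballots = [v for v in ballots if v != GARBAGE]
        # Steps 4-5: majority vote; no strict majority means source_error.
        top = Counter(ballots).most_common(1)
        value, count = top[0] if top else (SOURCE_ERROR, 0)
        results[b.name] = value if count > len(ballots) / 2 else SOURCE_ERROR
    return results


def agreement_holds(results):
    """Agreement: all good BIUs deliver the same value."""
    return len(set(results.values())) <= 1


def validity_holds(results, data):
    """Validity: every good BIU delivers the good sender's data."""
    return all(v == data for v in results.values())


def dmfa_holds(bius, rmus):
    """The Dynamic Maximum Fault Assumption, evaluated on the nodes' EVs."""
    def majority_good(node, peers):
        ev = node.eligible_voters(peers)
        good = sum(p.kind == "good" for p in ev)
        bad = sum(p.kind in ("symmetric", "asymmetric") for p in ev)
        return good > bad
    good_bius = [b for b in bius if b.kind == "good"]
    good_rmus = [r for r in rmus if r.kind == "good"]
    c1 = all(majority_good(b, rmus) for b in good_bius)
    c2 = all(majority_good(r, bius) for r in good_rmus)
    no_asym_rmu = all(r.kind != "asymmetric" for b in good_bius for r in b.eligible_voters(rmus))
    no_asym_biu = all(b.kind != "asymmetric" for r in good_rmus for b in r.eligible_voters(bius))
    return c1 and c2 and (no_asym_rmu or no_asym_biu)


def counterexample():
    """Constructed DMFA counterexample from the talk: BIU2 is the asymmetric
    sender, RMU3 is asymmetric, RMU1/RMU2 are good and accuse BIU2,
    BIU1/BIU3 are good and trust everyone."""
    biu2 = Node("BIU2", "asymmetric", behaviour={"RMU1": "d", "RMU2": "d'", "RMU3": "d''"})
    rmu3 = Node("RMU3", "asymmetric", behaviour={"BIU1": "d", "BIU2": "d", "BIU3": "d'"})
    bius = [Node("BIU1"), biu2, Node("BIU3")]
    rmus = [Node("RMU1", accuses={"BIU2"}), Node("RMU2", accuses={"BIU2"}), rmu3]
    return biu2, bius, rmus


def validity_scenario():
    """Constructed validity case: good sender at BIU1, RMU2 benign faulty."""
    bius = [Node("BIU1"), Node("BIU2"), Node("BIU3")]
    rmus = [Node("RMU1"), Node("RMU2", "benign"), Node("RMU3")]
    return bius[0], bius, rmus


if __name__ == "__main__":
    sender, bius, rmus = counterexample()
    print("DMFA holds:", dmfa_holds(bius, rmus))
    for revised in (False, True):
        res = run_ic(sender, bius, rmus, "d", revised)
        print("revised" if revised else "old", res, "agreement:", agreement_holds(res))
    sender, bius, rmus = validity_scenario()
    res = run_ic(sender, bius, rmus, "d", revised=True)
    print("validity scenario", res, "validity:", validity_holds(res, "d"))
```

The `dmfa_holds` check confirms that the counterexample really does satisfy all three DMFA conditions before the old protocol is run against it, which is the point of the slides: the assumptions were weakened to permit reintegration, and a guarantee that held under the MFA silently stopped holding.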

Formal Verification: Why Level 3 Verification?

● A math proof is proof enough, right?
● Level 3 verification can require orders of magnitude more time to complete than level 1 or level 2 verification.

[Image slide: "Using PVS"]

But...
● Proofs for fault-tolerant protocols for distributed architectures are tedious and large (there are nearly 400 lemmas & theorems in our current unfinished set of proofs).
● Proofs are not checked by a community of mathematicians like other mathematical results are.

In other words...

You don't have to be a Laurel or Hardy to make an oversight in an informal proof.

Small changes in assumptions can invalidate guarantees.

Some Goals & Current Work in verifying SPIDER

● Robust Specifications/Proofs
  ● Hold for arbitrary configurations of SPIDER
  ● Hold for all accusation & conviction policies satisfying the system requirements
● Specification/Proof “Reuse” (economic specs/proofs)
● Specification/Proof Hierarchy
  ● Property specifications
  ● Relational specifications
  ● Functional composition specifications
  ● State machine specifications

References

● SPIDER Homepage: http://shemesh.larc.nasa.gov/fm/fm-now-spider.html
● PVS Homepage: http://pvs.csl.sri.com/
● Butler, Ricky et al. NASA Langley's Research and Technology-Transfer Program in Formal Methods. 2000. Available at http://shemesh.larc.nasa.gov/fm/fm-welcome.html
● Rushby, John. Formal Methods and Digital Systems Validation for Airborne Systems. NASA Contractor Report 4551. 1993. Available at http://www.csl.sri.com/papers/csl-93-7/