The Formal Verification of SPIDER
description
Transcript of The Formal Verification of SPIDER
1
The Formal Verification of SPIDER
Lee Pike
Department of Computer Science
Indiana University, Bloomington
1
Thanks to● Steven Johnson,
Indiana University, Bloomington● The National Institute of Aerospace● The NASA LaRC Formal Methods Team,
especially Paul Miner
1
Overview● SPIDER Overview● Reasoning about Faults● The Old vs. New Interactive Consistency (IC) Protocol● SPIDER Formal Verification Goals & Future Work● References
1
SPIDER OverviewWhy?
● Develop a fault-tolerant architecture based on an ultra-reliable bus ●Scalable●Handle a large number of possibly-simultaneous faults, specifically transient faults from electromagnetic effects. ●Provide reintegration services
● Case study for the FAA●Developed in accordance with RTCADO-254: Design Assurance Guidance for Airborne Electronic Hardware.●Provide a test-bed for techniques in the specification and verification of safety-critical electronic systems.
These sort of architectures are the foundation of tomorrow's X-by wire safety-critical systems.
1
SPIDER OverviewWhat?
● Scalable Processor-Independent Design for Electromagnetic Resilience
1
SPIDER OverviewWhat?
● Scalable Processor-Independent Design for Electromagnetic Resilience● Processor Elements (PEs)
PE
PE PE
1
SPIDER OverviewWhat?
● Scalable Processor-Independent Design for Electromagnetic Resilience● Processor Elements (PEs) ● Reliable Optical BUS (ROBUS)
●Time Division Multiple Access (TDMA) bus●Maintains Synchrony between PEs.●Prevents Babbling Idiots & PE-to-PE interference●The services of the ROBUS are the focus of the verification effort.
ROBUS PE
PE PE
1
ROBUS OverviewTopology
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
● n Bus Interface Units (BIUs) ● m Redundancy Management Units (RMUs)● The BIUs and RMUs are called nodes.● Every BIU and RMU is directly connected.● No two BIUs are directly connected. Similarly for the RMUs.
1
ROBUS OverviewServices (Protocols)
● Interactive Consistency Purpose: Reliably broadcast messages between PEs.
● Clock Synchronization Purpose: Maintain synchrony between all nodes and PEs.
● Distributed Diagnosis Purpose: Convict faulty nodes in the ROBUS.
The focus of this talk is Interactive Consistency.
1
Global Fault Classifications● Good Not faulty
node d
d
d
1
Global Fault Classifications● Good Not faulty● Benign Broadcasts only detectably faulty messages
node garbage
garbage
garbage
1
Global Fault Classifications● Good Not faulty● Benign Broadcasts only detectably faulty messages● Symmetric Broadcasts the same arbitrary message to all
node d'
d'
d'
1
Global Fault Classifications● Good Not faulty● Benign Broadcasts only detectably bad messages● Symmetric Broadcasts the same arbitrary message to all● Asymmetric (Byzantine) Arbitrarily sends arbitrary messages
node d'
d''
d
1
Local Fault InformationEach Node Maintains
● Accusations A node accuses other nodes based on the messages it receives as well as indirect information.
1
Local Fault InformationEach Node Maintains
● Accusations A node accuses other nodes based on the messages it receives as well as indirect information.
● Convictions Periodically, the distributed diagnosis protocol is executed; nodes exchange accusations to produce convictions.
● NOTE: While a good node knows that all good nodes have the same convictions, it does not know that all good nodes have the same accusations.
1
Local Fault InformationEach Node Maintains
● Accusations A node accuses other nodes based on the messages it receives as well as indirect information.
● Convictions Periodically, the distributed diagnosis protocol is executed; nodes exchange accusations to produce convictions.
● NOTE: While a good node knows that all good nodes have the same convictions, it does not know that all good nodes have the same accusations.
● Eligible Voters For each BIU, the set of RMUs that it neither accuses nor convicts. Similarly for each RMU.
1
Interactive Consistency ProtocolExternal View
● Purpose: Reliably communicate data between processing elements (PEs) over the ROBUS.
ROBUS
PE
PE
PE
1
Interactive Consistency ProtocolExternal View
● A PE sends its data to the ROBUS.
ROBUS
PE
PE
PE
sender
data in
1
Interactive Consistency ProtocolExternal View
● The IC Protocol is executed in the ROBUS.
ROBUS
PE
PE
PE
...IC Protocol...
1
Interactive Consistency ProtocolExternal View
● The ROBUS broadcasts data back out to the PEs.
ROBUS
PE
PE
PE
sender
data out
...IC Protocol...
data out
data out
1
Old Interactive Consistency ProtocolInternal View
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
senderdata in
ROBUS
RMU3
1
1. A BIU broadcasts data to the RMUs.If the BIU is good, the same value is broadcast to all RMUs.
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
senderdata in
ROBUS
data
data RMU3
data
1
2. For each good RMU, if it receives data that isn't detectably faulty, then it passes the data received back to each BIU. Otherwise, source_error is sent.
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
similarly for RMUs 2 and 3
data orsource_error
data orsource_error
data orsource_error
RMU1 good
1
3. Each BIU eliminates from its EV those RMUs that sent detectably faulty messages.
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
21
3
BIUs 2 and 3 do likewise
d
d
garbage
RMU1 good
RMU2benign faulty
1
4. For each BIU, it votes on the majority data sent from each RMU in its EV.
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
21
3
BIUs 2 and 3 do likewise
vote = d
d
d
1
5. IF the majority of RMUs sent the same data, then it is sent to the BIU's PE. ELSE source_error is sent to the BIU's PE.
BIU1
to PE
to PE
to PE
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
BIUs 2 and 3 similarly send data
vote = d
d
1
IC Protocol Guarantees
●Validity If the broadcasting BIU is good, not convicted, and sends data d, then the result of the vote for a good BIU is be d.●Agreement Any two good BIUs vote the same result for the broadcasted value (even if the sender is asymmetric!).
1
Old Assumptionsto ensure guarantees hold
Environment AssumptionsThe Maximum Fault Assumption (MFA):
1. There are more good BIUs than symmetric + asymmetric BIUs.2. Similarly for the RMUs.3. There are either no asymmetric BIUs or no asymmetric RMUs.
1
Old Assumptionsto ensure guarantees hold
Environment AssumptionsThe Maximum Fault Assumption (MFA):
1. There are more good BIUs than symmetric + asymmetric BIUs.2. Similarly for the RMUs.3. There are either no asymmetric BIUs or no asymmetric RMUs.
System Assumptions●Symmetric Agreement If a node is not asymmetric, then all good nodes assign it the same accusation.●Good Trusting Good nodes aren't accused by good nodes.●Conviction Agreement All good nodes have the same convictions.
1ValidityProof Sketch
Assume the broadcasting BIU is good and sends data d.
BIU1
BIU2
BIU3
RMU1
RMU2
sender good
ROBUS
d
d RMU3
d
1ValidityProof Sketch
BIU1
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
similarly for RMUs 2 and 3
d
d
d
Thus, all good RMUs send d back to the BIUs.
RMU1 good
1ValidityProof Sketch
BIU1
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
21
3
d
d
Each good BIU filters out the bad messages received. By the MFA, most of its EV then contains good RMUs.
garbage
similarly for BIUs 2 and 3
1ValidityProof Sketch
BIU1
BIU2
BIU3
RMU1
RMU2
ROBUS
RMU3
21
3vote = d
d
d
Since all good RMUs sent d, the result of the vote yields d. q.e.d.
1Agreement
Proof Sketch
BIU1
BIU2
BIU3
RMU1
RMU2
sender asym
ROBUS
d
d'' RMU3
d'
Either the broadcasting BIU is asymmetric or not. Suppose it is.
1Agreement
Proof Sketch
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
Then no RMU is asymmetric, by the MFA. So every RMU sends the same data to every BIU.
21
3
x
z
y
BIUs 2 and 3 receive the same values
1Agreement
Proof Sketch
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
Since no RMU is asymmetric, by symmetric trusting, the EV of each BIU is the same. Thus, the result of the vote for each BIU is the same.
21
3
x
z
y
BIUs 2 and 3 receive the same values
1Agreement
Proof Sketch
BIU1
BIU2
BIU3
RMU1
RMU2
sender not asym
ROBUS
d
d RMU3
d
For the other case, suppose the sending BIU is not asymmetric.
1Agreement
Proof Sketch
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
Most of the RMUs are good, by the MFA. Since all good RMUs received the same values, they send the same values.
RMU1 good
RMU3 good
BIU1 good
BIU3 good
x
x
1Agreement
Proof Sketch
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
By good trusting, no good BIU accuses a good RMU. Since most RMUs are good, there are a majority of good RMUs in the EV of each good BIU, after filtering benign RMUs.
RMU1 good
RMU3 good
21
3 x
21
3 x
x
x
BIU1 good
BIU3 good
1Agreement
Proof Sketch
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
Thus, the result of the votes will be the same for all good BIUs. q.e.d.
RMU1 good
RMU3 good
21
3 x
21
3 x
x
x
BIU1 good
BIU3 good
1
New Assumptionsto reason about reintegration
Environment AssumptionsThe Dynamic Maximum Fault Assumption (DMFA):
1. For each good BIU, its EV consists of more good RMUs than symmetric + asymmetric RMUs.
2. Similarly for good RMUs.3. Either no asymmetric RMU is in the EV of a good BIU or no
asymmetric BIU is in the EV of a good RMU.
1
New Assumptionsto reason about reintegration
Environment AssumptionsThe Dynamic Maximum Fault Assumption (DMFA):
1. For each good BIU, its EV consists of more good RMUs than symmetric + asymmetric RMUs.
2. Similarly for good RMUs.3. Either no asymmetric RMU is in the EV of a good BIU or no
asymmetric BIU is in the EV of a good RMU.
System Assumptions●Symmetric Agreement If a node is not asymmetric, then all good nodes assign it the same accusation.●Good Trusting Good nodes aren't accused by good nodes.●Conviction Agreement All good nodes have the same convictions.
1Agreement Breaks!
Under the New Assumptions (courtesy of Wilfredo)
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
Suppose the sender is asymmetric, but is in no EV of all good RMUs. Suppose there is an asymmetric RMU in the EV of both good BIUs. This satisfies the DMFA.
asym
good &accuses BIU2
good &accuses BIU2
sender asym
d
d'
d''
good & trusts all
good & trusts all
1Agreement Breaks!
Under the New Assumptions
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
The two good RMUs relay the values received, and since RMU3 can relay arbitrary data, it sends d to BIU1 and d' to the other.
asym
good &accuses BIU2
good &accuses BIU2
sender asym
21
3
d
d
21
3
d
d'good &
trusts all
good & trusts all
d'
d'
1Agreement Breaks!
Under the New Assumptions
ROBUS
BIU1
BIU2
BIU3
RMU1
RMU2
RMU3
The result of the votes of BIU1 and BIU2 differ. Agreement is violated!
asym
good &accuses BIU2
good &accuses BIU2
sender asym
21
3
d
d
21
3
d
d'good &
trusts all
good & trusts all
d'
d'
vote = d
vote = d'
1
Revised IC ProtocolIn the new IC Protocol, the RMUs relay source_error when●They receive bad messages and●They accuse the sender.
1
Revised IC ProtocolIn the new IC Protocol, the RMUs relay source_error when●They receive bad messages and●They accuse the sender.
The revised IC protocol satisfies both validity and agreement (verified in PVS).
1
Formal VerificationWhy Level 3 Verification?
●A math proof is proof enough, right?
●Level 3 verification can require significant time to complete.
In other words...
1
Using PVS
1
Formal VerificationWhy Level 3 Verification?
●A math proof is proof enough, right?
●Level 3 verification can require orders of magnitude more time to complete than level 1 or level 2 verification.
But...●Proofs for fault-tolerant protocols for distributed architectures are tedious and large (there are nearly 400 lemmas & theorems in our current unfinished set of proofs).●Proofs are not checked by a community of mathematicians like other mathematical results are.
In other words...
1You don't have to be a Laurel or Hardy to make an
oversight in an informal proof.
Small changes in assumptions can obviate guarantees.
1
Some Goals & Current Workin verifying SPIDER
● Robust Specifications/Proofs●Hold for arbitrary configurations of SPIDER●Hold for all accusation & conviction policies satisfying the system requirements
1
Some Goals & Current Workin verifying SPIDER
● Robust Specifications/Proofs●Hold for arbitrary configurations of SPIDER●Hold for all accusation & conviction policies satisfying the system requirements
● Specification/Proof “Reuse” (Economic specs/proofs)
1
Some Goals & Current Workin verifying SPIDER
● Robust Specifications/Proofs●Hold for arbitrary configurations of SPIDER●Hold for all accusation & conviction policies satisfying the system requirements
● Specification/Proof “Reuse” (Economic specs/proofs)● Specification/Proof Hierarchy
●Property specifications●Relational specifications●Functional composition specifications●State machine specifications
1
References● SPIDER Homepage:
http://shemesh.larc.nasa.gov/fm/fm-now-spider.html.● PVS Homepage:
http://pvs.csl.sri.com/.● Butler, Ricky et al. NASA Langley's Research and Technology-
Transfer Program in Formal Methods. 2000. Available athttp://shemesh.larc.nasa.gov/fm/fm-welcome.html.
● Rushby, John. Formal Methods and Digital Systems Validation for Airborne Systems. NASA Contractor Report 4551. 1993. Available at: http://www.csl.sri.com/papers/csl-93-7/.