1 I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc. Nancy Lynch, Dilsun Kirli, MIT University of Illinois, Urbana-Champaign, MURI Meeting.


1 I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.
Nancy Lynch, Dilsun Kirli (MIT; University of Illinois, Urbana-Champaign)
MURI Meeting, October 4, 2002
Based on work with Roberto Segala, Frits Vaandrager

2 I/O Automata
Mathematical, infinite-state, automaton models. Describe states, transitions.
Describe system modularity:
–Parallel composition of interacting components.
–Levels of abstraction.
Example: Generic distributed system
–Diagram represents interfaces.
–IOA models also describe behavior.
–Abstract models for system components.
–Channel: Implemented by TCP, modeled as reliable FIFO queue.
–Node: Implemented by C++ program, modeled as algorithm automaton.

3 Reliable FIFO Channel Model
Signature:
–Inputs: send(m), m in M
–Outputs: receive(m), m in M
States:
–queue, a finite sequence of elements of M, initially empty
Transitions:
–send(m)
 Effect: Add m to end of queue
–receive(m)
 Precondition: m is first on queue
 Effect: remove first element of queue
[Figure: Channel(M), with input send(m) and output receive(m)]

4 Levels of Abstraction
Used in system development by successive refinement.
Top level: Specification for allowed behaviors. Can write in same automaton style.
Refine through many levels, to code-like, detailed description.
Example: Group communication:
–Automata used to represent totally-ordered reliable broadcast service, group communication service, and algorithm.
–Composition of algorithm and GCS automata implements TO-Bcast automaton.
–Continue, implementing GCS in terms of lower-level network.
[Figure: TO-Bcast layered over GCS]

5 Flavors of I/O Automaton Models
Basic IOAs deal with:
–What happens, in what order (not when).
–Discrete events (not continuous behavior).
Timing: TIOA
–For describing timeout-based algorithms.
–Local clocks, clock synchronization.
–Timing/performance analysis.
Hybrid (continuous/discrete): HIOA
–Systems with real world + computer components
–Vehicle control: ground, air, space
–Embedded systems
Probabilistic: PIOA, PTIOA, PHIOA
–Randomized distributed algorithms
–Security protocols
–Safety-critical systems

6 Talk Outline
1. Brief overview of the models
2. HIOA model, in more detail (Lynch)
3. TIOA model (Kirli)
4. PIOA model (Lynch)
5. Future work on models
6. Future work on applications

7 1. Brief Overview of the Models

8 I/O Automata (IOA)
Static description:
–Actions a (input, output, internal)
–States s, start states
–Transitions (s, a, s'); input actions enabled in all states.
Dynamic description:
–Execution: s0 a1 s1 a2 s2 …
–Trace: Sequence of input and output actions; externally visible behavior.
–A implements B: traces(A) ⊆ traces(B).
Operations for building automata:
–Parallel composition, identifying inputs and outputs.
–Action hiding.
Reasoning methods:
–Invariant assertions: Property holds in all reachable states.
–Simulation relations: Imply one automaton implements another.
–Compositional methods

9 Example Applications
Theoretical distributed algorithms:
–Mutual exclusion, Byzantine agreement, atomic object implementation, resource allocation, data management…
Distributed systems:
–Orca DSM system: Two-layer model, following the implementation. Found, fixed logical error. Proofs.
–Transis group communication system: Models for key layers. Proofs. Algorithmic improvements.
–Ensemble GC system: Models for key layers. Found, fixed logical error. Proofs.
Algorithms for dynamic networks (new):
–RAMBO reconfigurable atomic memory algorithm
–Dynamic atomic broadcast algorithm

10 Timed I/O Automata (TIOA)
Add special time-passage actions, pass(t), to the IOA model.
Example: Reliable FIFO channel that always delivers messages within time d.
–send(m)
 Effect: Add (m, now + d) to end of queue
–receive(m)
 Precondition: (m,u) is first on queue (for some u)
 Effect: remove first element of queue
–pass(t)
 Precondition: for all (m,u) in queue, now + t ≤ u
 Effect: now := now + t
Can use standard automaton-based reasoning methods:
–Invariant: for all (m,u) in queue, now ≤ u ≤ now + d.
–Inductive proofs.

11 Example Applications
Theoretical distributed algorithms:
–Mutual exclusion, consensus, …
Timeout-based communication protocols:
–TCP, …
Group communication systems:
–Using GCS to build TO-Bcast: Conditional performance analysis.
–Scalable GCS: Performance analysis.
RAMBO: Performance analysis.
Hybrid (continuous/discrete) systems:
–RR crossing, steam boiler controller
–Stretched TIOA capabilities; motivated HIOA.

12 Hybrid I/O Automata (HIOA)
TIOA plus facilities for representing continuous behavior.
Static description:
–States: input, output, internal variables; start states
–Actions: input, output, internal
–Discrete steps (s, a, s')
–Trajectories τ, mapping time intervals to states
Dynamic description:
–Execution τ0 a1 τ1 a2 τ2 …
–Trace: Project on external variables, external actions.
–A implements B if traces(A) ⊆ traces(B).
Operations: Composition, hiding
Reasoning methods: Invariants, simulation relations, compositional methods

13 Example Applications
Ground transportation:
–People-mover (Raytheon)
–California PATH automated highway system (Berkeley)
Aircraft control:
–TCAS (Lincoln Labs)
–Quanser helicopter system (MIT Aero/Astro)

14 Probabilistic I/O Automata [Segala]
Adds probabilistic transitions (s, a, P), where P is a probability distribution on states.
Includes both nondeterminism and probability.
External behavior represented by a set of trace distributions (one for each “adversary”, who resolves nondeterminism).
Implementation represented by subset (of sets of trace distributions).
Example applications:
–Randomized distributed algorithms:
 Rabin-Lehmann Dining Philosophers
 Aspnes-Herlihy randomized consensus
–Security protocols

15 2. Hybrid I/O Automata [Lynch, Segala, Vaandrager]

16 Hybrid Systems
Hybrid systems: Continuous, real-world components + discrete, computer components
Examples:
–Automated transportation systems
–Robots
–Factory control systems
–Embedded systems
–Mobile systems
Complex
Strong safety, performance requirements

17 The HIOA Model
States, discrete transitions, trajectories.
Model plants, controllers, sensors, actuators, computer software, communication services, human operators.
Support for decomposing hybrid system descriptions:
–External behavior: Models discrete and continuous interactions of component with its environment.
–Composition: Synchronize external events, external trajectories.
–Levels of abstraction: Implementation notion, respects external behavior.
Incorporate methods from control theory, computer science:
–Control theory: Invariant sets, stability analysis using Lyapunov functions, robust control methods
–Computer science: Invariants, simulation relations, compositional methods

18 Related Work
Phase transition systems [Maler, Manna, Pnueli 92], [Alur, Courcoubetis, Halbwachs, … 95], [Kesten, Manna, Pnueli 98]
Hybrid control systems [Branicky 95, 98]
Hybrid reactive modules [Alur, Henzinger 96, 97]

19 Example: Hybrid Control System
[Figure: control loop of Plant, Sensor, Controller, Actuator]

20 Describing Hybrid Behavior
Universal set of variables
Static type: type(v), set of values v may take on.
Dynamic type: dtype(v), allowed “trajectories” for v:
–Set of functions from left-closed intervals of R to type(v).
–Closed under time shift, subinterval, countable pasting.
Examples: Pasting closure of constant functions, of continuous functions, of differentiable functions, of integrable functions.

21 Trajectories
Model evolution of variables over time intervals.
Valuation for V: Assigns value in type(v) to each v in V.
Trajectory: Let J be a left-closed interval, left endpoint 0. A J-trajectory for V is a function from J to valuations for V whose restriction to each variable v is in dtype(v).
Lemma: The set of trajectories for V together with the prefix ordering is an algebraic cpo.
Concatenation: At common point, use value from first trajectory.

22 Hybrid Sequences
Let A be a set of actions, V a set of variables.
An (A,V)-sequence is an alternating sequence τ0 a1 τ1 a2 τ2 … of trajectories over V and actions in A.
Models a series of discrete and continuous changes.
Lemma: The set of (A,V)-sequences together with the prefix ordering is an algebraic cpo.
Concatenation: At common point, use value from first (A,V)-sequence.

23 Hybrid I/O Automaton
U, Y, X: input, output, and internal (state) variables
–V = U ∪ Y ∪ X
Q: states, a set of valuations of X
Θ: start states
I, O, H: input, output, and internal actions
–A = I ∪ O ∪ H
D ⊆ Q × A × Q: discrete transitions
T: trajectories for V, in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.

24 Input-Enabling Axioms
Input action enabling: For every state q and every input action a, there is some discrete transition (q, a, q'). As for ordinary I/O automata.
Input trajectory enabling: For every state x and every input trajectory υ, there is some trajectory τ that starts with x, and either:
–Spans all of υ, or
–Spans a prefix of υ, after which some locally-controlled action is enabled.

25 Executions and Traces
Execution fragment of HIOA A:
–An (A,V)-sequence τ0 a1 τ1 a2 τ2 …, where:
 Each τi is a trajectory of A, and
 Each (τi.lstate, ai, τi+1.fstate) is a discrete step of A.
–A, V are all the actions and variables of A.
–Only states need match up.
Execution of A:
–Fragment beginning in a start state.
Trace of an execution fragment:
–Restrict to external actions E, external variables W.
–(E,W)-sequence.
A implements B if they have the same external interface and traces(A) ⊆ traces(B).

26 Notation
We specify sets of trajectories using differential and algebraic equations (or inclusions).
Trajectory τ satisfies algebraic equation v = e if the constraints on the variables expressed by this equation hold in every state of τ.
Trajectory τ satisfies differential equation d(v) = e if for every t in the domain of τ:
 v(t) = v(0) + ∫₀ᵗ e(t') dt' (“weak solutions”)
Algebraic/differential inclusions are handled similarly.

27 Example: Vehicle HIOA
Follows a suggested acceleration to within an error of ε ≥ 0. Reports real velocity.
U: acc-in
Y: vel-out
X: vel, acc; Q: all valuations of X
Θ: vel = 0, acc = 0
I, O, H, D: empty
Trajectories T:
–d(vel) = acc
–acc(t) ∈ [acc-in(t) − ε, acc-in(t) + ε], for t > 0
–vel-out = vel
–No constraints on input variables in initial states of trajectories.
[Figure: Vehicle automaton with state variables acc, vel; input acc-in; output vel-out]

28 Example: Controller HIOA
Suggests accelerations for a vehicle with the intention of ensuring that the velocity does not exceed a pre-specified velocity, vmax. Monitors velocity, computes suggestion every time d.
Q: Valuations in which clock ≤ d.
Θ: 0 everywhere
H: suggest
D: suggest transitions where
–clock = d, clock' = 0,
–vel-sensed' = vel-sensed
–vel-sensed + (acc-suggested' + ε) d ≤ vmax
[Figure: Controller automaton with state variables vel-sensed, acc-suggested, clock; input vel-out; output acc-in]

29 Controller Trajectories
d(acc-suggested) = 0
d(clock) = 1
vel-sensed(t) = vel-out(t), for t > 0
acc-in = acc-suggested

30 Simulation Relation
Let A, B be HIOAs with the same external interface. Relation R from states of A to states of B satisfying:
–Every start state of A is related to some start state of B.
–If xA R xB and α is an execution fragment of A consisting of one action surrounded by two point trajectories, with α.fstate = xA, then B has a closed execution fragment β with β.fstate = xB, trace(β) = trace(α), and α.lstate R β.lstate.
–If xA R xB and α is an execution fragment of A consisting of a single closed trajectory, with α.fstate = xA, then B has a closed execution fragment β with …

31 Simulation relation
Theorem: If there is a simulation relation from A to B then A implements B (inclusion of trace sets).
Example:
–Vehicle(ε1) implements Vehicle(ε2), if ε1 ≤ ε2
–Show using simulation relation: identity mapping

32 Composition
Assume A1 and A2 are compatible (no common outputs; internal actions/variables are private).
Compose A1 and A2 by matching up external actions, variables:
–Y = Y1 ∪ Y2; X = X1 ∪ X2; U = (U1 ∪ U2) − (Y1 ∪ Y2)
–O = O1 ∪ O2; H = H1 ∪ H2; I = (I1 ∪ I2) − (O1 ∪ O2)
Start states Θ: Projections in Θ1, Θ2
Discrete steps D: Projections in D1, D2
Trajectories T: Projections in T1, T2
Technicality: Composition need not satisfy input flow enabling, pre-HIOA. Assume “strong compatibility”. Holds in many interesting special cases.

33 Composition Theorems
Projection and Pasting: Assume A = A1 || A2. Then traces(A) is exactly the set of (E,W)-sequences whose restrictions to A1 and A2 are traces of A1 and A2, respectively.
Substitutivity: If A1 implements A2 and both are compatible with B, then A1 || B implements A2 || B.

34 Example: Vehicle and Controller
Vehicle || Controller:
Invariant of Vehicle || Controller: vel ≤ vmax.
Can prove this using a standard inductive argument.
Uses auxiliary invariants, most importantly:
 vel + (acc-suggested + ε)(d − clock) ≤ vmax
[Figure: Vehicle (acc, vel) and Controller (vel-sensed, acc-suggested, clock) connected through vel-out and acc-in]
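The composition of slides 27-29 and 34 as an executable model, added here as an example and not taken from the original slides. Trajectories are sampled at a fixed step; the plant's real acceleration is chosen anywhere in the error band by a constructed `bias` function, and both the safety invariant vel ≤ vmax and the auxiliary invariant are checked at every sample. The `honest=False` variant (an assumption for contrast) drops the ε term from the controller's guard to show why the auxiliary invariant is needed.

```python
"""Vehicle || Controller (slides 27-29, 34) as an executable HIOA composition.

Added example, not from the original slides.  Parameter values, the sampling
scheme and the 'bias' function are constructed for illustration.
"""


class Vehicle:
    """Slide 27: follows acc-in to within eps, reports vel-out = vel."""

    def __init__(self, eps):
        self.eps, self.vel, self.acc = eps, 0.0, 0.0

    def evolve(self, acc_in, dt, bias):
        # bias in [-1, 1] selects acc(t) inside [acc_in - eps, acc_in + eps]
        self.acc = acc_in + bias * self.eps
        self.vel += self.acc * dt          # d(vel) = acc, one sample step
        return self.vel                    # output variable vel-out


class Controller:
    """Slides 28-29: every d time units, suggest an acceleration such that even
    the worst-case plant (acc = acc-suggested + eps) cannot exceed vmax."""

    def __init__(self, d, eps, vmax, honest=True):
        self.d, self.eps, self.vmax = d, eps, vmax
        self.honest = honest               # False: guard ignores eps (buggy variant)
        self.clock, self.vel_sensed, self.acc_suggested = 0.0, 0.0, 0.0

    def suggest_enabled(self, tol=1e-9):
        return abs(self.clock - self.d) < tol      # precondition clock = d

    def suggest(self):
        # Largest acc-suggested' satisfying the slide-28 guard
        #   vel-sensed + (acc-suggested' + eps) * d <= vmax
        slack = self.eps if self.honest else 0.0
        self.acc_suggested = (self.vmax - self.vel_sensed) / self.d - slack
        self.clock = 0.0

    def evolve(self, vel_out, dt):
        self.clock += dt                   # d(clock) = 1
        self.vel_sensed = vel_out          # vel-sensed = vel-out
        return self.acc_suggested          # output variable acc-in = acc-suggested


def auxiliary_invariant(v, c, tol=1e-9):
    """Slide 34: vel + (acc-suggested + eps)(d - clock) <= vmax."""
    return v.vel + (c.acc_suggested + c.eps) * (c.d - c.clock) <= c.vmax + tol


def simulate(eps, d, vmax, periods, substeps, bias, honest=True, tol=1e-9):
    """Run the composition for `periods` controller periods of length d.

    bias(t) in [-1, 1] is the environment's choice of where in the error band
    the plant runs at controller-clock time t (bias = 1 is the worst case).
    Returns (max_vel, safety_invariant_ok, auxiliary_invariant_ok)."""
    v, c = Vehicle(eps), Controller(d, eps, vmax, honest)
    dt = d / substeps
    max_vel, inv_ok, aux_ok = v.vel, True, auxiliary_invariant(v, c, tol)
    acc_in = c.acc_suggested
    for _ in range(periods):
        for _ in range(substeps):          # one trajectory of duration d
            vel_out = v.evolve(acc_in, dt, bias(c.clock))
            acc_in = c.evolve(vel_out, dt)
            max_vel = max(max_vel, v.vel)
            inv_ok &= v.vel <= vmax + tol
            aux_ok &= auxiliary_invariant(v, c, tol)
        # clock = d here, so the discrete step 'suggest' is enabled and fires
        assert c.suggest_enabled()
        c.suggest()
        acc_in = c.acc_suggested
        aux_ok &= auxiliary_invariant(v, c, tol)
    return max_vel, inv_ok, aux_ok


if __name__ == "__main__":
    worst = lambda t: 1.0                  # plant always at the top of the band
    print("honest controller:", simulate(0.5, 1.0, 30.0, 5, 10, worst))
    print("guard without eps:", simulate(0.5, 1.0, 30.0, 5, 10, worst, honest=False))
```

With the honest guard the worst-case plant reaches exactly vmax and stops there; with the ε term dropped it overshoots by ε·d in the second period, which is the step the inductive proof on slide 34 would fail on.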

35 Hiding
ActHide(E, A) reclassifies the external actions in E as internal actions.
(New) VarHide(W, A) removes the external variables in W (but retains their induced constraints on the trajectories).
(Previously) VarHide(W, A) reclassified external variables in W as internal (state) variables.

36 Example
In the composition Vehicle || Controller, we may hide the acc-in variable, which is used for communication between the components:
 A = VarHide({acc-in}, Vehicle || Controller)
In A, the only external variable is vel-out.
Express the correctness of A by showing that it implements an abstract specification HIOA VSpec.
VSpec expresses just the constraints vel ≤ vmax, and vel-out = vel.
Show correctness using a simulation relation.

37 Progressive HIOAs
HIOAs should provide some response from any state, for any sequence of input actions and input trajectories.
HIOAs should not block the passage of time: they should allow time to pass to infinity, if their environment does so.
Definition: A pre-HIOA is progressive if it has no execution fragments in which it generates infinitely many locally-controlled actions in finite time.
Theorem: A progressive HIOA A can accommodate any input hybrid sequence, from every state: For each state x of A and each (I,U)-sequence β, there is some execution fragment α from x whose restriction to the input actions I and input variables U is β.
Theorem: The composition of progressive pre-HIOAs is progressive.

38 Receptive HIOAs
But progressiveness isn't enough:
–HIOAs involving only upper bounds on timing are not progressive.
–Such specifications are common.
Definition: A strategy for a pre-HIOA A is an HIOA A' that is the same as A except that D' ⊆ D, and T' ⊆ T.
–Nondeterministic, memoryless.
Definition: A pre-HIOA is receptive if it has a progressive strategy.
Theorem: A receptive pre-HIOA can accommodate any input hybrid sequence.
Theorem: Let A1 and A2 be compatible receptive HIOAs with strongly compatible progressive strategies B1 and B2. Then A1 || A2 is a receptive HIOA with progressive strategy B1 || B2.

39 Applications
Raytheon people-mover [Lynch, Weinberg, Delisle]
California PATH automated highway system: Analysis of platoon maneuvers [Dolginova, Lygeros, Lynch]
TCAS [Livadas, Lygeros, Lynch]
Quanser helicopter system [Mitra, Wang, Feron, Lynch]

40 TCAS model
[Figure: two Aircraft, each with Sensor, Conflict detector, Conflict resolver and Pilot, communicating over a Channel]

41 3. Timed I/O Automata [Kirli, Lynch, Segala, Vaandrager]

42 From HIOA to TIOA
Hybrid systems: continuous, real-world components + discrete, computer components
Timed systems: continuous time + discrete, computer components
–Correctness depends not only on the order of events but also on their timing.
Example: Reliable FIFO channel that always delivers messages within time d.

43 Work in Progress
Canonical model for timing-based systems
–External behavior
–Composition
–Levels of abstraction
Identify major ideas from related models and express them in the common framework of TIOA
–Timed automata [Alur and Dill]
–Timed transition systems [Maler, Manna, Pnueli]
–Clock GTA [DePrisco]

44 Describing Timing Behavior
Timing behavior is described by using the same concepts as in HIOA:
–Variables
–Static and dynamic types
–Trajectories
–Hybrid sequences

45 Timed I/O Automata
X: internal variables
Q: states, a set of valuations of X
Θ: start states
I, O, H: input, output, internal actions
–A = I ∪ O ∪ H
D ⊆ Q × A × Q: discrete transitions
T: trajectories for X, in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.

46 Execution and Traces
Execution fragment of TIOA A:
–An (A,V)-sequence τ0 a1 τ1 a2 τ2 …, where:
 Each τi is a trajectory of A, and
 Each (τi.lstate, ai, τi+1.fstate) is a discrete step of A.
–A, V are all the actions and variables of A.
Execution of A: Fragment beginning in a start state.
Trace of an execution fragment:
–Restrict to external actions E, empty set of variables.
–(E, ∅)-sequence.

47 Example: Time bounded channel
X: clock, queue
Q: all valuations of X
Θ: clock = 0, queue is empty
I: send(m)
O: receive(m)
Transitions:
–send(m)
 Effect: add (m, clock + d) to end of queue
–receive(m)
 Precondition: (m,u) is first on queue and clock ≤ u
 Effect: remove the first element of queue
Trajectories τ satisfy:
–d(clock) = 1
–(τ ↓ queue) is a constant function
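The time-bounded channel of slides 10 and 47 as an executable TIOA-style model, added here as an example and not taken from the original slides. It uses the slide-10 formulation with an explicit pass(t) action (the slide-47 trajectories with d(clock) = 1 advance the clock the same way), and checks the invariant for all (m,u) in queue, now ≤ u ≤ now + d after every step. Class and function names and the step format are assumptions.

```python
"""Time-bounded FIFO channel (slides 10 and 47) with its invariant checked.

Added example, not from the original slides.  A schedule is a list of steps;
a step whose precondition fails is recorded as disabled and skipped, which
models a scheduler that may only choose enabled locally controlled actions.
"""
from collections import deque


class TimeBoundedChannel:
    """Reliable FIFO channel that must deliver every message within time d."""

    def __init__(self, d):
        self.d = d            # maximum delivery delay
        self.now = 0.0        # current time ('now' on slide 10, 'clock' on slide 47)
        self.queue = deque()  # entries (m, u): u is the delivery deadline

    # send(m): input action, so it is enabled in every state.
    def send(self, m):
        self.queue.append((m, self.now + self.d))

    # receive(m): output action, enabled when (m, u) is first on the queue.
    def can_receive(self, m):
        return bool(self.queue) and self.queue[0][0] == m and self.now <= self.queue[0][1]

    def receive(self, m):
        if not self.can_receive(m):
            raise ValueError(f"receive({m!r}) is not enabled")
        return self.queue.popleft()

    # pass(t): time may advance only if no queued deadline would be missed.
    def can_pass(self, t):
        return t >= 0 and all(self.now + t <= u for _, u in self.queue)

    def pass_time(self, t):
        if not self.can_pass(t):
            raise ValueError(f"pass({t}) would miss a delivery deadline")
        self.now += t

    def max_pass(self):
        """Largest t for which pass(t) is enabled (infinite when the queue is empty)."""
        return min((u - self.now for _, u in self.queue), default=float("inf"))

    def invariant(self):
        """Slide 10 invariant: for all (m, u) in queue, now <= u <= now + d."""
        return all(self.now <= u <= self.now + self.d for _, u in self.queue)


def run(channel, steps):
    """Apply steps of the form ('send', m), ('receive', m) or ('pass', t).

    Returns a list of (step, enabled) pairs and asserts the invariant after
    every step that was applied."""
    log = []
    for kind, arg in steps:
        if kind == "send":
            channel.send(arg)
            enabled = True
        elif kind == "receive":
            enabled = channel.can_receive(arg)
            if enabled:
                channel.receive(arg)
        elif kind == "pass":
            enabled = channel.can_pass(arg)
            if enabled:
                channel.pass_time(arg)
        else:
            raise ValueError(f"unknown step {kind!r}")
        assert channel.invariant(), (kind, arg, channel.now, list(channel.queue))
        log.append(((kind, arg), enabled))
    return log


def demo():
    """Constructed schedule with d = 5: one message, time pushed to its deadline."""
    ch = TimeBoundedChannel(d=5.0)
    log = run(ch, [
        ("send", "a"),      # deadline for 'a' is now + 5 = 5
        ("pass", 3.0),      # enabled: 0 + 3 <= 5
        ("pass", 3.0),      # disabled: 3 + 3 > 5, time cannot pass until 'a' is delivered
        ("receive", "b"),   # disabled: 'b' is not first on the queue
        ("receive", "a"),   # delivered at time 3, within the bound
        ("pass", 3.0),      # enabled again: the queue is empty
    ])
    return ch, log
```

The blocked second pass(t) is exactly the point where a channel that does not model time could not express the bound: the precondition on pass(t) is what forces receive(m) to happen by time u.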

48 Untiming Operation
Transform a timed automaton A to an untimed automaton Untime(A, R)
–Define a notion of congruence.
–Let R be a congruence for A.
States of Untime(A, R): the set of equivalence classes of R.
Untime(A, R) has a special internal action to represent time passage.
–Theorem: If α is an execution of A, then Untime(A, R) has an execution α' such that trace(α') = discrete(trace(α)), and vice versa.
Similar to region construction of Alur and Dill
–Theorem: The equivalence relation used by Alur-Dill in region construction is a congruence

49 Properties for I/O Automata
A property for A is a subset of the execution fragments of A.
P is a liveness property provided that for any state x of A, there is some execution fragment from x that is in P.
We say that A is receptive for P provided that there exists a strategy A' for A such that every execution fragment of A' is in P.
Theorem: If A1 is receptive for P1 and A2 is receptive for P2 then A1 || A2 is receptive for P1 || P2.

50 4. Probabilistic I/O Automata [Lynch, Segala, Vaandrager]

51 Probabilistic I/O Automata (PIOA)
Probabilistic transitions (s, a, P), where P is a probability distribution on states.
Includes both nondeterminism and probability.
Scheduler (adversary): Resolves all nondeterminism.
External behavior represented by a set of trace distributions (one for each scheduler).
Trace distribution preorder ≤D:
–Subset (of sets of trace distributions).
–Not preserved by composition.
Trace distribution precongruence ≤DC:
–Coarsest precongruence included in ≤D.
–Preserved by composition.
–Not very informative.

52 Characterization result for ≤DC [Segala, Vaandrager, Lynch 02]
Define various kinds of simulation relations for PIOAs.
Weak probabilistic forward simulation relation from A1 to A2:
–Relates states of A1 to distributions over states of A2.
–Transitions preserve probabilities.
–Weak: Allows arbitrary internal actions.
Theorem: A1 ≤DC A2 if and only if there exists a “weak probabilistic forward simulation relation” from A1 to A2.

53 Probabilistic Timed I/O Automata (PTIOA) [Segala]
Include time-passage steps, with probability distributions on new state: (s, pass(t), P)
Scheduler determines amount of time that passes (nondeterministic, not probabilistic).
External behavior represented by a set of distributions of timed traces (one for each scheduler).
Timed trace distribution preorder.
Timed trace distribution precongruence.

54 5. Future Work on Models

55 Future work on HIOA
Finish changing the hiding operator.
Incorporate control theory methods
–Invariant sets, Lyapunov stability, robust control.
Continue testing on a variety of examples.
Linguistic support [Mitra]
–Language constructs for describing trajectories.
–Algebraic and differential equations/inclusions.
–Preconditions, invariants, stopping conditions.
–Add to IOA.
Analysis tools
–Theorem-prover support, automated tools.

56 Future work on TIOA
Express key concepts from other timed models using TIOA.
–Alur, Dill
–Maler, Manna, Pnueli
–Merritt, Modugno, Tuttle MMT automata
–De Prisco clock automata
Receptiveness with general liveness properties.
Linguistic support, tool support.
Test on many examples.

57 Future work on PIOA
Restrict the set of schedulers (adversaries) to those that can see only external behavior of the component automata.
Yields a smaller set of trace distributions.
For this restricted set, obtain a characterization of the trace distribution precongruence.
Is it the same as the trace distribution preorder?

58 Future work on PTIOA, PHIOA
PTIOA:
–Reformulate in terms of trajectories, as in TIOA, HIOA.
–Characterize the timed trace distribution precongruence.
–Generalize TIOA results to include probabilities. Define simulation relations, show they imply timed trace distribution inclusion. Receptiveness?
PHIOA:
–Define a model that generalizes PTIOA and HIOA
–Define external behavior, composition, implementation, … prove all the right theorems.

59 All the IOA models
[Figure: IOA, TIOA, HIOA, PIOA, PTIOA, PHIOA]

60 6. Future work on applications

61 Hybrid and Embedded Systems
Aero/astro applications
Embedded systems
Sensor networks, mobile systems

62 Security Protocols
Recent results [Herzog 02] relating formal vs. computational approaches to analyzing correctness of security protocols. Not (yet) done explicitly in terms of PTIOA models.
Formal approach:
–Interacting non-probabilistic automata.
–Supports direct proofs, using induction.
Computational approach:
–Interacting probabilistic poly-time Turing machines.
–Indirect proofs: reductions of attacks to hard problems.
How do the two approaches relate?

63 Formal Approach [Dolev, Yao]
Adversary controls the network.
Encryption, decryption treated as abstract, idealized operations.
Cryptographic abilities of adversary made explicit:
–Encrypt, decrypt with known keys
–Make random choices, create new keys
Proof of security: Adversary abilities do not combine to produce an unsafe operation.

64 Computational Approach
Adversary controls the network.
Encryption instantiated with specific algorithms.
Adversary capable of any feasible (probabilistic poly-time) computation.
Proof of security: If any adversary can violate the security condition, an underlying computational problem is easy.

65 Relating the Two Approaches
Would like to use computational view as semantics for formal view: Show formal attack exists iff computational attack exists.
Known: Formal attacks imply computational attacks.
Open: When do computational attacks imply formal attacks?
Answer requires:
–Semantics for adversary
–Semantics for honest participants
–Semantics for composition of previous two
Focus of present work: The adversary.

66 Formal Adversary
Formal adversary makes queries to honest participants, receives responses.
Each query must be deducible from initial knowledge, responses, by sequence of:
–Encryptions/decryptions with known key
–Pairing/separation of values
Formal adversary modeled as closure operation on messages.

67 Ideal Encryption
Computational encryption algorithm is ideal if: no computational adversary, given any set of messages, can produce a message outside the closure of the set (with non-negligible probability).
Theorem: This limits the computational adversary to the formal adversary.
Theorem: This is achievable.
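The closure operation of slides 63, 66 and 67, written out as a decision procedure, added here as an example and not taken from the original slides or [Herzog 02]. Messages are a constructed term algebra with atoms, pairing and symmetric encryption under atomic keys (an assumption that keeps the closure decidable by the usual two-phase method: saturate under separation/decryption, then check whether the target can be built by pairing/encryption). The membership test `in_closure` is exactly the question slide 67's ideal-encryption definition asks of a candidate message.

```python
"""Dolev-Yao message closure (slides 63, 66, 67): what a formal adversary can deduce.

Added example, not from the original slides.  Term shapes (constructed):
    ("atom", name)        key, nonce or plaintext
    ("pair", t1, t2)      pairing of two terms
    ("enc", key, body)    symmetric encryption of body under an atomic key
"""
from typing import FrozenSet, Tuple

Term = Tuple


def atom(name):
    return ("atom", name)


def pair(t1, t2):
    return ("pair", t1, t2)


def enc(key, body):
    assert key[0] == "atom", "keys are atoms in this model (assumption)"
    return ("enc", key, body)


def analyze(known: FrozenSet[Term]) -> FrozenSet[Term]:
    """Saturate under the destructor rules of slide 66: separate pairs and
    decrypt with known keys.  Only subterms of the input can appear, so the
    fixpoint iteration terminates."""
    s = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(s):
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "enc" and t[1] in s:      # key known: decrypt
                new = {t[2]}
            else:
                continue
            if not new <= s:
                s |= new
                changed = True
    return frozenset(s)


def derivable(t: Term, analyzed: FrozenSet[Term]) -> bool:
    """Constructor rules: t is in the closure iff it was analyzed out of the
    observed messages or can be built by pairing/encrypting derivable terms."""
    if t in analyzed:
        return True
    if t[0] in ("pair", "enc"):
        return derivable(t[1], analyzed) and derivable(t[2], analyzed)
    return False                                   # an unknown atom cannot be guessed


def in_closure(t: Term, known) -> bool:
    """Membership in the Dolev-Yao closure of the set `known`."""
    return derivable(t, analyze(frozenset(known)))


def demo():
    """Constructed run: a session key k_ab distributed under long-term key k_as,
    and a secret sent under k_ab.  The adversary sees both ciphertexts."""
    k_ab, k_as, secret, nonce = atom("k_ab"), atom("k_as"), atom("secret"), atom("n")
    observed = {enc(k_ab, secret), enc(k_as, pair(k_ab, nonce))}
    return {
        # without k_as neither ciphertext can be opened, so secret stays outside the closure
        "secret_without_k_as": in_closure(secret, observed),
        # with k_as the adversary separates out k_ab, then decrypts the secret
        "secret_with_k_as": in_closure(secret, observed | {k_as}),
        # a fresh pair containing the secret is outside the closure as well
        "forged_pair_without_k_as": in_closure(pair(secret, nonce), observed),
        # replaying an observed ciphertext is always in the closure
        "replay_of_observed": in_closure(enc(k_ab, secret), observed),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question}: {answer}")
```

A protocol proof in the formal model amounts to showing that the adversary's closure never contains a message that would let it complete a protocol step it should not be able to take (slide 63), and slide 67's theorem says an ideal computational encryption scheme cannot enlarge that closure.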

68 Future Work on Security Protocols
Complete the work on formal vs. computational approaches:
–Define semantics for honest participants
 How do they validate incoming messages?
 No information should be given away in error cases
–Define composition of adversary, honest participants
–Obtain general simulation theorems.
–Use the theorems to prove correctness of interesting security protocols.
Express in terms of PTIOA.