Modeling and Analyzing Cyber-Physical Systems Using Hybrid Predicate Transition Nets

Cyber-Physical Systems (CPSs) are software controlled physical devices that are being used everywhere from utility features in household devices to safety-critical features in cars, trains, aircraft, robots, smart healthcare devices. CPSs have complex hybrid behaviors combining discrete states and continuous states capturing physical laws. Developing reliable CPSs are extremely difficult. Formal modeling methods are especially useful for abstracting and understanding complex systems and detecting and preventing early system design problems. To ensure the dependability of formal models, various analysis techniques, including simulation and reachability analysis, have been proposed in recent decades. This thesis aims to provide a unified formal modeling and analysis methodology for studying CPSs. Firstly, this thesis contributes to the modeling and analysis of discrete, continuous, and hybrid systems. This work enhances modeling of discrete systems using predicate transition nets (PrTNs) by fully realizing the underlying specification through incorporating the first-order logic with set theory, improving the type system, and providing incremental model composition. This work enhances the technique of analyzing discrete systems using PrTN by improving the simulation algorithm and its efficient implementation. This work also improves the analysis of discrete systems using SPIN by providing a more accurate and complete translation method. Secondly, this work contributes to the modeling and analysis of hybrid systems by proposing an extension of PrTNs, hybrid predicate transition nets (HPrTNs). The proposed method incorporates a novel concept of token evolution, which nicely addresses the continuous state evolution and the conflicts present in other related works. This work presents a powerful simulation capability that can handle linear, non-linear dynamics, transcendental functions through differential equations. This work also provides a complementary technique for reachability analysis through the translation of HPrTN models for analysis using SpaceEx

Towards an integrated tool support for the analysis of IOPT Nets using the Spin Model Checker

This paper presents a model translation to allow automatic simulation and verification of controller models for cyber-physical systems. The models are constructed using IOPT nets, a non-autonomous Petri nets class. Those models are then translated into Promela models to be executed by the Spin model checker, a widely used open-source software verification tool. Three illustrative examples are presented: one autonomous model and two non-autonomous models. As future work, it is foreseen the integration with the freely available IOPT-Tools framework

Symbolic Model-Checking using ITS-tools

International audienceWe present the symbolic model-checking toolset ITS-tools. The model-checking back-end engine is based on hierarchical set decision diagrams (SDD) and supports reachability, CTL and LTL model-checking, using both classical and original algorithms. As front-end input language, we promote a Guarded Action Language (GAL), a simple yet expressive language for concurrency. Transformations from popular formalisms into GAL are provided enabling fully symbolic model-checking of third party (Uppaal, Spin, Divine...) specifications. The tool design allows to easily build your own transformation, leveraging tools from the meta-modeling community. The ITS-tools additionally come with a user friendly GUI embedded in Eclipse

Applying Formal Methods to Networking: Theory, Techniques and Applications

Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet which began as a research experiment was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring for every new need a new protocol built from scratch. This led to an unwieldy ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean slate Internet design---especially, the software defined networking (SDN) paradigm---offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence in interest of applying formal methods to specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial

A Method and Tool for Finding Concurrency Bugs Involving Multiple Variables with Application to Modern Distributed Systems

Concurrency bugs are extremely hard to detect due to huge interleaving space. They are happening in the real world more often because of the prevalence of multi-threaded programs taking advantage of multi-core hardware, and microservice based distributed systems moving more and more applications to the cloud. As the most common non-deadlock concurrency bugs, atomicity violations are studied in many recent works, however, those methods are applicable only to single-variable atomicity violation, and don\u27t consider the specific challenge in distributed systems that have both pessimistic and optimistic concurrency control. This dissertation presents a tool using model checking to predict atomicity violation concurrency bugs involving two shared variables or shared resources. We developed a unique method inferring correlation between shared variables in multi-threaded programs and shared resources in microservice based distributed systems, that is based on dynamic analysis and is able to detect the correlation that would be missed by static analysis. For multi-threaded programs, we use a binary instrumentation tool to capture runtime information about shared variables and synchronization events, and for microservice based distributed systems, we use a web proxy to capture HTTP based traffic about API calls and the shared resources they access including distributed locks. Based on the detected correlation and runtime trace, the tool is powerful and can explore a vast interleaving space of a multi-threaded program or a microservice based distributed system given a small set of captured test runs. It is applicable to large real-world systems and can predict atomicity violations missed by other related works for multi-threaded programs and a couple of previous unknown atomicity violation in real world open source microservice based systems. A limitation is that redundant model checking may be performed if two recorded interleaved traces yield the same partial order model

Validation of UML Models for Interactive Systems with CPN and SPIN

Unified Modelling Language (UML) is considered to be the standard language for object-oriented modeling and analysis. However, UML cannot be used for automatic analysis and simulation. The system model developed on the basis of UML tool is not executable in nature. So, behavior of the model cannot be validated until it is implemented. In this thesis, an approach for transforming UML Interaction Overview Diagram (IOD) to Colored Petri Net (CPN) models is proposed. This transformation is used to bridge the gap between informal notation (UML diagrams) and more formal notation (CPN models) for analysis purpose. CPN model is validated by CPN tool. CPN tool is executable, and it is possible to inspect the behavior of the system by simulating CPN model. An interaction overview diagram has been designed for the different operation of an Automatic Teller Machine (ATM) using Magic Draw. Later, this diagram is transformed to CPN model. The specification of the proposed system has been analyzed by simulating the CPN model on CPN tool. Model checking is an important technique for ensuring the correctness of any system. This thesis presents a case study for model checking through an example of verifying ATM with Simple PROMELA Interpreter (SPIN). The ATM system was modeled in Process or Protocol Meta Language (PROMELA) for business flow of an ATM system. It is then checked for deadlock and unreachable code with SPIN model checker. Here the SPIN model checker is used to apply Linear Temporal Logic (LTL) formula on the ATM system and check for liveness and safety properties. The results showed that the ATM model did not have deadlock and unreachable code, and also satisfied the liveness and safety properties

Modeling and formal verification of gaming storylines

Video games are becoming more and more interactive with increasingly complex plots. These plots typically involve multiple parallel storylines that may converge and diverge based on player actions. This may lead to situations that are inconsistent or impassable. Current techniques for planning and testing game plots involve naive means such as text documents, spreadsheets, and critical path testing. Recent academic research [1] [2] [3] examines the design planning problems, but neglect testing and verification of the possible plot lines. These complex plots have thus until now been handled inadequately due to a lack of a formal methodology and tools to support them. In this dissertation, we describe how we develop methods to 1) characterize storylines (SChar), 2) define a storyline description language (SDL), and 3) create a storyline verification tool based in formal verification techniques (StoCk) that use our SDL as input. SChar (Storyline Characterization) help game developers characterize the category of story line they are working on (e.g. linear, branching and plot) through a tool that give a set of guided questions. Our SDL allows its users to describe storylines in a consistent format similar to how they reason about storylines, but in such a way that it can be used for formal verification. StoCk accepts storylines, described in SDL, to be formally verified using SPIN for errors. StoCk is also examined in three common use cases found in the gaming industry used as a tool 1) during storyline creation 2) during quality assurance and 3) during storyline implementation. The combination of SChar, SDL, and StoCk provides designers, writers, and developers a novel methodology and tools to verify consistency in large and complex game plots.Electrical and Computer Engineerin

Leveraging formal verification tools for DSML users: a process modeling case study

15 pagesIn the last decade, Model Driven Engineering (MDE) has been used to improve the development of safety critical systems by providing early Validation and Verification (V&V) tools for Domain Specific Modeling Languages (DSML). Verification of behavioral models is mainly addressed by translating domain specific models to formal verification dedicated languages in order to use the sophisticated associated tools such as model-checkers. This approach has been successfully applied in many different contexts, but it has a major draw- back: the user has to interact with the formal tools. In this paper, we present an illustrated approach that allows the designer to formally express the expected behavioral properties using a user oriented language -- a temporal extension of OCL --, that is automatically translated into the formal language; and then to get feedback from the assessment of these properties using its domain language without having to deal with the formal verification language nor with the under- lying translational semantics. This work is based on the metamodeling pattern for executable DSML that extends the DSML metamodel to integrate concerns related to execution and behavior