Title: Model Checking and Theorem Proving: A Unified Framework
Slide 1: Model Checking and Theorem Proving: A Unified Framework
- Sergey Berezin
- Computer Science Department
- Carnegie Mellon University
Thesis Committee: Edmund Clarke (Chair), Randal Bryant, Todd Mowry, Ken McMillan (Cadence), Natarajan Shankar (SRI International)
Slide 2: Thesis Contributions
[Diagram: the tool SyMP and the MC + TP general methodology]
Slide 3: Combining Model Checking and Theorem Proving
[Diagram: the tool SyMP and the MC + TP general methodology]
Slide 4: Defining the Problem Domain
- Hardware-oriented designs
- Parameterized
- Large or infinite data types
- Non-trivial control
- First-Order Temporal Logic
- Formal verification is much harder than it seemingly needs to be
Slide 5: Memory with Cache
M0(a) = M'0(a) and Mt(a) = M't(a) → Mt+1(a) = M't+1(a)
∀a. AG M(a) = M'(a)
Slide 6: Memory with Cache
[Diagram: a plain memory M beside a memory M with a Cache in front of it]
M0(a) = M'0(a) and Mt(a) = M't(a) → Mt+1(a) = M't+1(a)
Slide 7: Problems to Solve
- Parameterized specification language
- Uninterpreted functions and types
- Expressive property language
- First-Order CTL or LTL
- Verification techniques
Slide 8: Formal Verification Options
Model Checking:
- M ⊨ F (F is true in M)
- Model and property are cleanly separated: M ⊨ F
- State reduction techniques
- Extremely complex behaviors
- State explosion
Theorem Proving:
- ⊢ F (F must be valid in general)
- Model has to be encoded as a formula: Enc(M) → Enc(F)
- Model structure lost, hard to apply similar reductions
- General, infinite-state properties
- Integrate efficient decision procedures with the high expressiveness and generality of theorem proving
- Eliminate bottlenecks in both techniques
Slide 9: MC + TP: Related Work
- Adding a model checker into an existing theorem prover as an inference rule
- PVS (N. Shankar et al.), ACL2 (J Moore et al.), ...
- Adding deductive reasoning to an existing model checker
- Cadence SMV (K. McMillan)
- Specialized theories and tools
- STeP (Z. Manna et al.), Mocha (T. Henzinger, ...)
- Predicate Abstraction (Graf & Saidi, et al., S. Das & D. Dill)
Slide 10: So, What's Missing?
- Implementations
- Adding MC or TP as an after-thought, or
- Specialized to a narrow problem domain
- There was no general framework for combining MC and TP
Slide 11: Combining MC + TP: Where Do We Start?
- Theorem Proving is more expressive
- Let's try to modify it to fit model checking in
- What to change?
- One of the main reasons for inefficiency is inadequate problem representation
- Try changing the Gentzen sequent...
Slide 12: Gentzen Sequent
A1, A2, ..., An ⊢ B1, B2, ..., Bn
Semantics: A1 ∧ A2 ∧ ... ∧ An → B1 ∨ B2 ∨ ... ∨ Bn
Inference rules: conclusion and premisses
      Γ ⊢ Δ, A1      Γ ⊢ Δ, A2
      ------------------------- (∧R)
          Γ ⊢ Δ, A1 ∧ A2
Axiom: inference rule with no premisses
      --------------- (Axiom)
        Γ ⊢ Δ, true
Slide 13: Proof Example
Proof: complete derivation tree from the initial sequent to axioms
            ------------ (Axiom)    -------------- (Axiom)
             a=2 ⊢ 2>0               a=2 ⊢ 2·2=4
            ------------ (Replace)  -------------- (Replace)
             a=2 ⊢ a>0               a=2 ⊢ a·a=4
            ---------------------------------------- (∧R)
                     a=2 ⊢ a>0 ∧ a·a=4
            ---------------------------------------- (→R)
                     ⊢ a=2 → a>0 ∧ a·a=4
            ---------------------------------------- (∀R)
                   ⊢ ∀x. x=2 → x>0 ∧ x·x=4
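As an added illustration of what a derivation tree like the one above is, here is a small propositional sequent-calculus prover in Python. It is not code from the thesis or from SyMP, whose proof engine is not shown on these slides: it implements only the propositional rules of LK (∧, ∨, →, ¬ on both sides of the sequent, plus the Axiom), so the Replace and ∀R steps of the slide's proof, which need equality and quantifier rules, are outside what this toy can do. The formulas and test sequents are constructed for the example.

```python
"""Propositional fragment of Gentzen's sequent calculus LK.  A proof is a
derivation tree whose root is the initial sequent and whose leaves are axioms
(slide 13); the rules are the two-sided ∧, ∨, →, ¬ rules in the style of slide 12."""
from typing import List, Optional, Tuple

Formula = tuple   # ('var', name) | ('not', A) | ('and', A, B) | ('or', A, B) | ('imp', A, B)
Sequent = Tuple[Tuple[Formula, ...], Tuple[Formula, ...]]   # (Γ, Δ)
Proof = Tuple[str, Sequent, List['Proof']]                  # (rule, conclusion, premisses)

def var(n): return ('var', n)
def neg(a): return ('not', a)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)

def prove(gamma, delta) -> Optional[Proof]:
    """Bottom-up search: decompose the first compound formula found, first in Δ
    (right rules) then in Γ (left rules).  All propositional LK rules are
    invertible, so no backtracking is needed: an unprovable premiss means the
    conclusion is not valid."""
    seq = (gamma, delta)
    if any(f[0] == 'var' and f in delta for f in gamma):
        return ('Axiom', seq, [])
    for i, f in enumerate(delta):                       # right rules
        d = delta[:i] + delta[i + 1:]
        if f[0] == 'and':
            rule, prems = '∧R', [prove(gamma, d + (f[1],)), prove(gamma, d + (f[2],))]
        elif f[0] == 'or':
            rule, prems = '∨R', [prove(gamma, d + (f[1], f[2]))]
        elif f[0] == 'imp':
            rule, prems = '→R', [prove(gamma + (f[1],), d + (f[2],))]
        elif f[0] == 'not':
            rule, prems = '¬R', [prove(gamma + (f[1],), d)]
        else:
            continue
        return (rule, seq, prems) if all(p is not None for p in prems) else None
    for i, f in enumerate(gamma):                       # left rules
        g = gamma[:i] + gamma[i + 1:]
        if f[0] == 'and':
            rule, prems = '∧L', [prove(g + (f[1], f[2]), delta)]
        elif f[0] == 'or':
            rule, prems = '∨L', [prove(g + (f[1],), delta), prove(g + (f[2],), delta)]
        elif f[0] == 'imp':
            rule, prems = '→L', [prove(g, delta + (f[1],)), prove(g + (f[2],), delta)]
        elif f[0] == 'not':
            rule, prems = '¬L', [prove(g, delta + (f[1],))]
        else:
            continue
        return (rule, seq, prems) if all(p is not None for p in prems) else None
    return None   # only atoms remain and none is shared: the sequent has a countermodel

def show(f: Formula) -> str:
    ops = {'and': '∧', 'or': '∨', 'imp': '→'}
    if f[0] == 'var':
        return f[1]
    if f[0] == 'not':
        return '¬' + show(f[1])
    return f'({show(f[1])} {ops[f[0]]} {show(f[2])})'

def render(proof: Proof, depth: int = 0) -> str:
    """Print the derivation tree root first, each premiss indented under its conclusion."""
    rule, (g, d), prems = proof
    line = '  ' * depth + ', '.join(map(show, g)) + ' ⊢ ' + ', '.join(map(show, d)) + f'   [{rule}]'
    return '\n'.join([line] + [render(p, depth + 1) for p in prems])

def rules_used(proof: Proof) -> List[str]:
    rule, _, prems = proof
    return [rule] + [r for p in prems for r in rules_used(p)]

if __name__ == '__main__':
    a, b = var('a'), var('b')
    print(render(prove((), (imp(conj(imp(a, b), a), b),))))   # valid: modus ponens as one formula
    print(prove((), (imp(a, b),)))                            # None: a = true, b = false refutes it
```

Because every propositional LK rule is invertible, the search never has to choose between rules, which is why the prover can return `None` as soon as one premiss fails; the quantifier rules of the full calculus do not have this property, and that is where interaction or heuristics of the kind the later slides discuss become necessary.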
Slide 14: Modifying Gentzen's Sequent
Theorem proving uses Gentzen's sequent format:
A1, A2, ... ⊢ B1, B2, ...
The model from model checking has to be translated into HOL to fit into this sequent. Instead, we can add the model as an assumption:
M | A1, A2, ... ⊢ B1, B2, ...
Also, make the logic temporal, not just HOL.
Slide 15: Adding Model Checking
Model checking becomes just another rule:
      ------------- (MC)
       M | Γ ⊢ Δ
where ModelCheck(M, Γ, Δ) = true
Other transformations from model checking are added as rules, e.g. Cone of Influence reduction:
       M↓V | Γ ⊢ Δ
      ------------- (Cone)
       M | Γ ⊢ Δ
where V = COI(M, Γ, Δ) and M↓V is M restricted to the variables in V
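The computation behind the Cone rule, as an added example in Python (not the thesis's or SyMP's own code): given, for every state variable, the set of variables its next-state function reads, the cone of influence is the dependency closure of the variables the property mentions, and M↓V keeps exactly those. The dependency table is constructed for the example and only loosely follows the cache coherence model of this thesis; the names `READS`, `cone_of_influence` and `restrict` are this example's own.

```python
"""Cone of Influence reduction, the computation behind the Cone rule: keep only
the state variables that can influence the variables the property mentions.
The dependency table is constructed for this example and is not SyMP's real
dependency analysis."""
from typing import Dict, Set

# READS[v] = the state variables that next(v) depends on  (constructed sample model,
# loosely modelled on the cache coherence example of this thesis)
READS: Dict[str, Set[str]] = {
    "cache":       {"cache", "channel"},
    "channel":     {"channel", "exclGranted", "cache"},
    "exclGranted": {"exclGranted", "channel", "cache"},
    "Shared":      {"Shared", "channel"},          # directory bookkeeping nobody reads back
    "perfCounter": {"perfCounter", "cache"},       # observation-only statistics
}

def cone_of_influence(reads: Dict[str, Set[str]], property_vars: Set[str]) -> Set[str]:
    """V = COI(M, Γ, Δ): the least set that contains the property's variables and is
    closed under 'v in V implies every variable next(v) reads is in V'."""
    cone = set(property_vars)
    todo = list(property_vars)
    while todo:
        for dep in reads.get(todo.pop(), set()):
            if dep not in cone:
                cone.add(dep)
                todo.append(dep)
    return cone

def restrict(reads: Dict[str, Set[str]], cone: Set[str]) -> Dict[str, Set[str]]:
    """M↓V: drop every variable outside the cone.  Dependency closure guarantees
    that no surviving variable reads a dropped one, so the remaining transition
    relation is exactly the projection of the original onto V."""
    reduced = {v: set(deps) for v, deps in reads.items() if v in cone}
    assert all(deps <= cone for deps in reduced.values())
    return reduced

# the mutual exclusion property AG(forall i,j. ... cache(i) ... cache(j) ...) mentions only 'cache'
COHERENCE_VARS: Set[str] = {"cache"}

if __name__ == "__main__":
    v = cone_of_influence(READS, COHERENCE_VARS)
    print("COI:", sorted(v), " dropped:", sorted(set(READS) - v))
```

The rule is sound because a dropped variable is, by construction, never read by anything that survives, so every trace of M↓V projected from a trace of M agrees on all variables the property can see; that is why the reduced sequent proves the original one.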
Slide 16: Other Types of Rules
Induction on time:
       M | Γ ⊢ Δ, A      M | A ⊢ AX A
      ------------------------------- (AG Induct)
             M | Γ ⊢ Δ, AG A
where M = (S, δ, S), i.e. every state is taken as initial for the second premiss
Abstraction:
       Abstract(M) | Γ ⊢ Δ
      --------------------- (Abstract)
          M | Γ ⊢ Δ
Slide 17: Memory with Cache: Sample Proof Sketch
(read bottom-up; the Cone premiss is discharged by the MC rule)
     M↓V | · ⊢ spec(a) = impl(a)                                    (MC)
    ------------------------------ (Cone)
     M | · ⊢ spec(a) = impl(a)          M | spec(a) = impl(a) ⊢ AX spec(a) = impl(a)
    --------------------------------------------------------------------------------- (AG Induct)
                         M | · ⊢ AG spec(a) = impl(a)
    --------------------------------------------------------------------------------- (∀R)
                         M | · ⊢ ∀a. AG spec(a) = impl(a)
Slide 18: New Methodology Features
- Adequate representation for the problem domain
- MC and TP at the same prompt
- Right level of abstraction
- Rules perform exactly the transformations we have in mind while doing verification
- Specialized rules for temporal logic
- Efficient use of model structure
- Interactive proof construction
- Full user control with possibility of automation
Slide 19: Implementation of MC + TP
[Diagram: the MC + TP general methodology and its hardware-oriented implementation in SyMP]
Slide 20: Implementation Architecture
[Diagram: specification language front end, a cache coherence model (processors P1..Pn with Cache1..Cachen, a Home Node, and the Shared / ExclGranted state), and the User Interface]
Slide 21: Verified Example: Cache Coherence Protocol
[Diagram: processors P1..Pn, each with its cache Cache1..Cachen, connected to a Home Node holding the Shared and ExclGranted state]
Slide 22: Mutual Exclusion Property
At any point in time, if any cache is Exclusive then all the other caches are Invalid:
AG ∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive → c2.state = Invalid
[Diagram: the cache coherence protocol of slide 21]
Slide 23: Reducing the Model
AG ∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive → c2.state = Invalid
becomes
∀c1,c2. AG (c1 ≠ c2 ∧ c1.state = Exclusive → c2.state = Invalid)
[Diagram: the protocol of slide 21 with the Home Node and two of the caches singled out]
Slide 24: Reducing the Model
∀c1,c2. AG (c1 ≠ c2 ∧ c1.state = Exclusive → c2.state = Invalid)
[Diagram: the reduced model: only P1 and P2 with Cache1 and Cache2, the Home Node, and the Shared / ExclGranted state remain]
Slide 25: Verifying Cache Coherence
- Property in First-Order CTL
- AG(∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive → c2.state = Invalid)
- 2 ways to prove
- Find an inductive invariant, prove like in PVS
- Strong induction on time + Abstraction (like in Cadence SMV)
- Both are done in our tool SyMP
Slide 26: Specializing TP to Other Problem Domains
[Diagram: specializing TP to different problem domains, with MC + TP as one instance of the general methodology]
Slide 27: Generalizing Further
- What made it possible to integrate Model Checking and Theorem Proving?
- Customized sequent and proof system
- Adequate representation for the problem domain
- How about other problem domains? (Security protocols, Software verification, highly specialized hardware, etc.)
- The same guidelines should work
- But do I have to code a new prover from scratch?
- There is certainly some common core that can be reused
- Meta-Framework!
Slide 28: Architecture with Shared Core
[Diagram: two front ends (Specification language-1, Specification language-2) over a shared core; the example models are the cache coherence protocol (P1..Pn, Cache1..Cachen, Home Node, Shared / ExclGranted) and Tomasulo's algorithm (Register File, Dispatch, Instructions, Reservation stations, functional units F1..Ff, Common Data Bus)]
Slide 29: SyMP Implementation
[Diagram: SyMP, built on the MC + TP general methodology]
Slide 30: SyMP: Symbolic Model Prover
- Theorem prover generator
- Common proof management core
- Common interactive user interface
- Implements the Meta-Framework
- Plug-in proof systems
- Well-defined interface to custom proof system modules
- Each proof system defines a custom sequent and a custom set of rules
Slide 31: SyMP Proof Systems
- Currently implemented proof systems
- Default: combines MC + TP
- Athena: security protocol verification
- Cprover: verification of embedded software (Kröning)
- Bitvector: prototype of a bit-vector Presburger decision procedure (in progress)
- Analytica: reimplementation of the prover in Mathematica (Edmund Clarke, in progress)
Slide 32: Athena Proof System
[Diagram: Athena as a proof system alongside the MC + TP general methodology]
Slide 33: Athena: Security Protocols
- Original idea: Dawn Song
- Based on the Strand Space Model
- Protocol runs are data flow graphs
- Rules: transformations on the graphs
- In most cases completely automatic
- Totally different from MC or TP
- Reimplemented in SyMP
Slide 34: Athena Examples
- Needham-Schroeder Authentication
- Public key (broken and fixed) and symmetric key
- New attack on Symmetric Key version
- Andrew Secure RPC Protocol
- Otway-Rees Protocol (manual guidance)
- SSH Public Key Client Authentication
- Bluetooth Authentication Protocol
- Various toy / academic protocols
Slide 35: Conclusion
- New methodology for combining model checking and theorem proving
- New framework for specializing theorem proving to various problem domains
- In particular, MC + TP is one such problem domain
- A tool SyMP that implements the framework
- Implementation of the MC + TP system in the tool
- Many existing methodologies can be expressed in the framework and implemented in SyMP
Slide 36: Future Work
- Finish the default proof system
- Ideally, it should include all basic theorem proving for FO temporal logic and most of the known model checking transformations
- Implement more proof systems for other problem domains
- Presburger arithmetic + bit-vectors (in progress)
- SAL-like system in SyMP (Stanford & SRI)
- Re-implementation of Analytica (in progress)
- Toy systems: natural deduction, CFG, etc.
- Improve proof search techniques
Slide 37: Questions?
Slide 38: Outline
- Combining Model Checking and Theorem Proving
- Motivation and existing methodologies
- Our new methodology
- Implementation in the tool
- Specializing Theorem Proving: meta-framework
- SyMP the Tool: putting it all together
- Examples: systems verified and extensions implemented
- Conclusion, Future Work
Slide 39: Common Features
- Examples are parameterized by
- Number of components
- Data width (may be infinite)
- Both synchronous and asynchronous composition
- First-Order Temporal Properties
- At any time: ∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive → c2.state = Invalid
- Need both deductive and finite-state reasoning
Slide 40: Examples: Other Proof Systems
- Reedpipe / Cprover: embedded software
- Bitvector: prototype of a decision procedure
- Demonstrate flexibility of the SyMP framework
Slide 41: Coding the Model in SyMP
  module M[type Index] begin
    datatype State = Invalid | Shared | Excl
    stateVar (cache : Index -> State),
             (channel : Index -> Message),
             (exclGranted : bool),
             (Shared : Index -> bool)
    init(cache) = fn _ => Invalid
    init(exclGranted) = false
    choose i
      channel(i) = Invalidate =>
        next(cache) = (fn x => if x = i then Invalid else cache x endif)
      !exclGranted & channel(i) = reqExcl =>
        next(channel i) = grantExcl
        next(exclGranted) = true
      ......
    endchoose
    theorem coherence = self |= AG(forall i,j. i != j & cache(i) = Excl -> cache(j) = Invalid)
  end
Slide 42: Verification Idea
- Reason about each memory cell separately
- Isolate relevant components
- Abstract away all the rest
- Verify the remaining finite-state model
Slide 43: Tomasulo's Algorithm
[Diagram: Register File, Dispatch, Instructions, Reservation stations, Common Data Bus]
Slide 44: Tomasulo's Algorithm
- Correctness: equivalent to the sequential ISA
- Parameters
- Num. of registers
- Num. of reservation stations
- Num. of functional units
- Data width
- Instruction set
- Length of reorder buffer (if present)
Slide 45: Why do designers believe it is correct?
- Each component provides some guarantees
- Assumptions: environment (other components)
- Cyclic dependency?
- Several control- and data-intensive subproblems
Slide 46: Tomasulo's Algorithm
[Diagram: Register File, Dispatch, Instructions, Reservation stations, Common Data Bus, annotated with the instance parameters 2 and 128]
Slide 47: Tomasulo's Algorithm
[Diagram: Dispatch, Instructions, Common Data Bus, annotated with the instance parameters 2 and 128]
Slide 48: Verified Example: IBM Cache Coherence
- PVS style
- Very close to the original PVS proof
- Optimizations with model check and COI rules
- SMV style
- Very close to the Cadence SMV proof
- No additional lemmas: one lemma in a cut rule
Slide 49: Compare to Other Tools
- In PVS the proof is shorter, mostly due to the powerful GRIND strategy
- Complete expansion would be much longer
- Specifications and proofs in SyMP are much easier to understand than in PVS
- In Cadence SMV the proof needs only one extra lemma (Ken McMillan's idea)
- Uses many automatic heuristics
- Need to try this in SyMP to compare
Slide 50: Model Checking
- Problem: M ⊨ F (model satisfies the formula)
- Model: M = (S, δ, I)
- S: finite set of states, I: set of initial states
- δ: transition relation
- Logic for F: CTL (Computation Tree Logic)
- propositional + temporal operators
- AG f, AX f, ...
- Approach: Automatic Decision Procedure
- State enumeration, explicit or symbolic
- Tools: SMV, Spin, Murphi, etc.
Slide 51: Model Checking Algorithms
- For M = (S, δ, I) ⊨ A, compute the set of states where A holds
- Check that A holds in all initial states I
- Use efficient data structures like BDDs
- Can handle up to 10^100 states and more
- About 300 boolean state variables...
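The following added Python example (not code from the thesis or from SyMP) ties together the MC rule of slide 15, the AG Induct rule of slide 16, the two proof strategies of slide 25, and the algorithm of slides 50 and 51. It builds a small explicit-state cache coherence model in the spirit of the SyMP module of slide 41, computes the set of states where AG coherence holds as a greatest fixpoint and checks the initial state against it (the MC rule), then runs the AG Induct check over M = (S, δ, S): the bare coherence property is not inductive and the check returns the offending step, while a strengthened invariant passes. The protocol, its message names and the invariant are constructed for this example; they are not the IBM protocol or the exact model verified in the thesis.

```python
"""Explicit-state checking of an AG property on a small parameterized
cache-coherence model, the way the MC rule discharges a sequent, plus the
AG Induct rule over M = (S, δ, S).  The protocol below is a constructed toy
with the same flavour as the SyMP module of slide 41; it is not that model."""
from itertools import product
from typing import Callable, List, Optional, Set, Tuple

I, S, E = 'Invalid', 'Shared', 'Excl'                       # cache line states
EMPTY, RS, RE, GS, GE, INV = ('empty', 'reqShared', 'reqExcl',
                              'grantShared', 'grantExcl', 'invalidate')
State = Tuple[Tuple[str, ...], Tuple[str, ...], bool]      # (cache, channel, exclGranted)
Pred = Callable[[State], bool]

def initial(n: int) -> State:
    return ((I,) * n, (EMPTY,) * n, False)

def all_states(n: int) -> List[State]:
    """S: every assignment to the state variables, reachable or not."""
    return [(c, ch, eg) for c in product((I, S, E), repeat=n)
            for ch in product((EMPTY, RS, RE, GS, GE, INV), repeat=n)
            for eg in (False, True)]

def successors(s: State) -> List[State]:
    """δ: one cache or home-node action per step (asynchronous composition)."""
    cache, chan, eg = s
    n = len(cache)
    out: List[State] = []
    def step(i, c=None, ch=None, e=None):
        c2, ch2 = list(cache), list(chan)
        if c is not None: c2[i] = c
        if ch is not None: ch2[i] = ch
        out.append((tuple(c2), tuple(ch2), eg if e is None else e))
    for i in range(n):
        others_idle = all(cache[j] == I and chan[j] not in (GS, GE)
                          for j in range(n) if j != i)
        if cache[i] == I and chan[i] == EMPTY:        # cache requests a line
            step(i, ch=RS); step(i, ch=RE)
        if chan[i] == RS and not eg:                  # home grants shared
            step(i, ch=GS)
        if chan[i] == RE and not eg and others_idle:  # home grants exclusive
            step(i, ch=GE, e=True)
        if chan[i] == EMPTY and cache[i] != I:        # home recalls the line
            step(i, ch=INV)
        if chan[i] == INV:                            # cache drops it (frees exclusive)
            step(i, c=I, ch=EMPTY, e=False if cache[i] == E else None)
        if chan[i] == GS:
            step(i, c=S, ch=EMPTY)
        if chan[i] == GE:
            step(i, c=E, ch=EMPTY)
    return out

def coherence(s: State) -> bool:
    """forall i,j. i != j & cache(i) = Excl -> cache(j) = Invalid"""
    cache = s[0]
    return all(cache[j] == I for i, ci in enumerate(cache) if ci == E
               for j in range(len(cache)) if j != i)

def ag_states(n: int, p: Pred) -> Set[State]:
    """CTL AG p as a greatest fixpoint over S: drop states that fail p or have a
    successor outside the set until nothing changes (slide 51's 'set of states
    where A holds').  Deadlocked states keep AG p vacuously."""
    succ = {s: successors(s) for s in all_states(n)}
    x = {s for s in succ if p(s)}
    while True:
        smaller = {s for s in x if all(t in x for t in succ[s])}
        if smaller == x:
            return x
        x = smaller

def model_check_ag(n: int, p: Pred) -> bool:
    """ModelCheck(M, ·, AG p): does AG p hold in the initial state?"""
    return initial(n) in ag_states(n, p)

def ag_induct(n: int, a: Pred) -> Optional[Tuple[State, State]]:
    """AG Induct premisses: A holds initially and A ⊢ AX A in M = (S, δ, S).
    Returns None on success, else an (s, s') step that leaves A."""
    if not a(initial(n)):
        return (initial(n), initial(n))
    for s in all_states(n):
        if a(s):
            for t in successors(s):
                if not a(t):
                    return (s, t)
    return None

def strengthened(s: State) -> bool:
    """Inductive strengthening of coherence (constructed for this toy protocol):
    exclGranted tracks the owner, the owner (Excl line or pending grantExcl) is
    alone, and requests/grants only sit on channels of Invalid lines."""
    cache, chan, eg = s
    n = len(cache)
    owners = [i for i in range(n) if cache[i] == E or chan[i] == GE]
    return (coherence(s) and eg == bool(owners)
            and all(cache[j] == I and chan[j] not in (GS, GE)
                    for i in owners for j in range(n) if j != i)
            and all(cache[i] == I for i in range(n) if chan[i] in (RS, RE, GS, GE)))

if __name__ == '__main__':
    n = 3
    print('MC rule: AG coherence holds in M:', model_check_ag(n, coherence))
    print('AG Induct on coherence alone fails at step:', ag_induct(n, coherence))
    print('AG Induct on strengthened invariant:', ag_induct(n, strengthened))
```

The failing step returned for the bare property is a state that is coherent but unreachable (an Excl line next to a pending grantShared), which is exactly why induction over M = (S, δ, S) needs either a strengthened invariant, the PVS-style route of slide 25, or a prior reduction of the state space, the SMV-style route; the fixpoint check, by contrast, only ever looks at what the initial state can reach.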
Slide 52: Theorem Proving
- Problem: ⊢ F (the formula must be valid in general)
- Logic for F: HOL (Higher-Order Logic)
- propositional + higher-order quantifiers
- ∀x. ∀y. x > y → f(x) > f(y)
- Working representation: Gentzen sequent or Logical Framework
- Approach: Derivation in a Proof System
- Interactive (user-guided)
- Proof tactics, in general undecidable
- Tools: PVS, Isabelle, HOL, STeP, Cadence SMV, ...