Model Checking and Theorem Proving: A Unified Framework - PowerPoint PPT Presentation

Slide footer: 11/8/09, Sergey Berezin, CSD CMU. 52 slides.

1
Model Checking and Theorem Proving: A Unified Framework
  • Sergey Berezin
  • Computer Science Department
  • Carnegie Mellon University

Thesis Committee:
  • Edmund Clarke, Chair
  • Randal Bryant
  • Todd Mowry
  • Ken McMillan, Cadence
  • Natarajan Shankar, SRI International
2
Thesis Contributions
  (diagram: SyMP; MC+TP general methodology)
3
Combining Model Checking and Theorem Proving
  (diagram: the MC+TP general methodology, implemented in SyMP)
4
Defining the Problem Domain
  • Hardware-oriented designs
  • Parameterized
  • Large or infinite data types
  • Non-trivial control
  • First-Order Temporal Logic
  • Formal verification is much harder than it seemingly needs to be

5
Memory with Cache
(M is the specification memory, M' the implementation: memory with cache)
  • M_0(a) = M'_0(a) and M_t(a) = M'_t(a) ⇒ M_{t+1}(a) = M'_{t+1}(a)
  • ∀a. AG M(a) = M'(a)
6
Memory with Cache
  (diagram: specification memory M beside the implementation, a memory M with a Cache in front of it)
  M_0(a) = M'_0(a) and M_t(a) = M'_t(a) ⇒ M_{t+1}(a) = M'_{t+1}(a)
7
Problems to Solve
  • Parameterized specification language
  • Uninterpreted functions and types
  • Expressive property language
  • First-Order CTL or LTL
  • Verification techniques

8
Formal Verification Options
Model Checking:
  • M ⊨ F (F is true in M)
  • Model and property are cleanly separated: M ⊨ F
  • State reduction techniques, extremely complex behaviors
  • State explosion
Theorem Proving:
  • ⊢ F (F must be valid in general)
  • Model has to be encoded as a formula: Enc(M) ⇒ Enc(F)
  • Model structure lost, hard to apply similar reductions
  • General, infinite-state properties
Combining the two:
  • Integrate efficient decision procedures with the high expressiveness and generality of theorem proving
  • Eliminate bottlenecks in both techniques

9
MC + TP Related Work
  • Adding a model checker into an existing theorem prover as an inference rule
  • PVS (N. Shankar et al.), ACL2 (J Moore et al.), ...
  • Adding deductive reasoning to an existing model checker
  • Cadence SMV (K. McMillan)
  • Specialized theories and tools
  • STeP (Z. Manna et al.), Mocha (T. Henzinger, ...)
  • Predicate Abstraction (Graf & Saïdi, et al., S. Das & D. Dill)

10
So, What's Missing?
  • Implementations
  • Adding MC or TP as an after-thought, or
  • Specialized to a narrow problem domain
  • There was no general framework for combining MC
    and TP

11
Combining MC + TP: Where Do We Start?
  • Theorem Proving is more expressive
  • Let's try to modify it to fit model checking in
  • What to change?
  • One of the main reasons for inefficiency is inadequate problem representation
  • Try changing the Gentzen sequent...

12
Gentzen Sequent
    A1, A2, ..., An ⊢ B1, B2, ..., Bn
Semantics: A1 ∧ A2 ∧ ... ∧ An ⇒ B1 ∨ B2 ∨ ... ∨ Bn
Inference rules: conclusion and premisses

    Γ ⊢ Δ, A1    Γ ⊢ Δ, A2
    ----------------------- ∧R
        Γ ⊢ Δ, A1 ∧ A2

Axiom: inference rule with no premisses

    ------------- Axiom
    Γ ⊢ Δ, true
13
Proof Example
Proof = complete derivation tree from the initial sequent to axioms
(read bottom-up: the initial sequent is at the bottom, the axioms at the top)

    ------------ Axiom      -------------- Axiom
     a=2 ⊢ 2>0               a=2 ⊢ 2·2=4
    ------------ Replace    -------------- Replace
     a=2 ⊢ a>0               a=2 ⊢ a·a=4
    -------------------------------------- ∧R
           a=2 ⊢ a>0 ∧ a·a=4
    -------------------------------------- ⇒R
           ⊢ a=2 ⇒ a>0 ∧ a·a=4
    -------------------------------------- ∀R
         ⊢ ∀x. x=2 ⇒ x>0 ∧ x·x=4
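As an added illustration of the sequent rules on slides 12 and 13 (example code written for this page, not SyMP code): a backward proof search for the cut-free classical propositional sequent calculus. Function names, the tuple encoding of formulas and the G3-style rule set are choices made here; the arithmetic Replace rule and the quantifier rule ∀R of the slide's example are outside this propositional fragment. Every rule below is invertible, which is why the search can commit to the first applicable rule and report a failed premiss as "unprovable" without backtracking.

```python
"""Backward proof search in a cut-free classical propositional sequent calculus
(G3-style: every rule invertible).  Example written for this page; not SyMP code."""

TRUE, FALSE = ("true",), ("false",)

def var(x):     return ("var", x)
def neg(a):     return ("not", a)
def conj(a, b): return ("and", a, b)
def disj(a, b): return ("or", a, b)
def imp(a, b):  return ("imp", a, b)

def fmt(f):
    """Render a formula with the connectives used on the slides."""
    k = f[0]
    if k == "var":
        return f[1]
    if k in ("true", "false"):
        return k
    if k == "not":
        return "¬" + fmt(f[1])
    op = {"and": " ∧ ", "or": " ∨ ", "imp": " ⇒ "}[k]
    return "(" + fmt(f[1]) + op + fmt(f[2]) + ")"

def fmt_seq(gamma, delta):
    return ", ".join(map(fmt, gamma)) + " ⊢ " + ", ".join(map(fmt, delta))

def prove(gamma, delta):
    """Return a derivation (rule, conclusion, premisses) of gamma ⊢ delta, or
    None when the sequent is not provable.  Since every rule is invertible,
    the first applicable rule may be used: if one of its premisses fails,
    the conclusion fails too (a countermodel of the premiss refutes it)."""
    concl = fmt_seq(gamma, delta)
    # Axiom: a formula on both sides, true on the right, or false on the left
    if set(gamma) & set(delta) or TRUE in delta or FALSE in gamma:
        return ("Axiom", concl, [])
    for k, f in enumerate(delta):                          # right rules
        rest = delta[:k] + delta[k + 1:]
        if f[0] == "and":
            rule, prems = "∧R", [(gamma, rest + [f[1]]), (gamma, rest + [f[2]])]
        elif f[0] == "or":
            rule, prems = "∨R", [(gamma, rest + [f[1], f[2]])]
        elif f[0] == "imp":
            rule, prems = "⇒R", [(gamma + [f[1]], rest + [f[2]])]
        elif f[0] == "not":
            rule, prems = "¬R", [(gamma + [f[1]], rest)]
        else:
            continue                                       # atom: nothing to decompose
        return _close(rule, concl, prems)
    for k, f in enumerate(gamma):                          # left rules
        rest = gamma[:k] + gamma[k + 1:]
        if f[0] == "and":
            rule, prems = "∧L", [(rest + [f[1], f[2]], delta)]
        elif f[0] == "or":
            rule, prems = "∨L", [(rest + [f[1]], delta), (rest + [f[2]], delta)]
        elif f[0] == "imp":
            rule, prems = "⇒L", [(rest, delta + [f[1]]), (rest + [f[2]], delta)]
        elif f[0] == "not":
            rule, prems = "¬L", [(rest, delta + [f[1]])]
        else:
            continue
        return _close(rule, concl, prems)
    return None            # only atoms remain and no axiom applies: unprovable

def _close(rule, concl, prems):
    """Build the derivation node once every premiss has a derivation."""
    subtrees = [prove(list(g), list(d)) for g, d in prems]
    if any(t is None for t in subtrees):
        return None
    return (rule, concl, subtrees)

def show(tree, depth=0):
    """Print the derivation tree top-down: conclusion first, premisses indented."""
    rule, concl, prems = tree
    print("  " * depth + concl + "    [" + rule + "]")
    for p in prems:
        show(p, depth + 1)

if __name__ == "__main__":
    p, q = var("p"), var("q")
    show(prove([], [imp(conj(p, q), conj(q, p))]))         # provable
    print(prove([], [imp(disj(p, q), p)]))                 # None: p=False, q=True refutes it
```

`show` prints the same shape as the slide's tree, conclusion at the root and axioms at the leaves; a `None` result means the backward search reached a sequent of atoms with no shared formula, which directly yields a countermodel.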
14
Modifying Gentzen's Sequent
Theorem proving uses Gentzen's sequent format:
    A1, A2, ... ⊢ B1, B2, ...
The model from model checking has to be translated into HOL to fit into this sequent. Instead, we can add the model as an assumption:
    M | A1, A2, ... ⊢ B1, B2, ...
Also, make the logic temporal, not just HOL.
15
Adding Model Checking
Model checking becomes just another rule:

    ----------- MC      where ModelCheck(M, Γ, Δ) = true
    M | Γ ⊢ Δ

Other transformations from model checking are added as rules, e.g. Cone of Influence reduction (M|V is M restricted to the variables in V):

    M|V | Γ ⊢ Δ
    ----------- Cone    where V = COI(M, Γ, Δ)
    M | Γ ⊢ Δ
16
Other Types of Rules
Induction on time:

    M | Γ ⊢ Δ, A      M | A ⊢ AX A
    ------------------------------ AG Induct,   where M = (S, ρ, S)
          M | Γ ⊢ Δ, AG A

(M = (S, ρ, S): every state is initial, so the step premiss A ⊢ AX A must hold from all states, not only the reachable ones)

Abstraction:

    Abstract(M) | Γ ⊢ Δ
    ------------------- Abstract
        M | Γ ⊢ Δ
17
Memory with Cache: Sample Proof Sketch

    M|V | ∅ ⊢ spec(a) = impl(a)
    --------------------------- Cone    M | spec(a) = impl(a) ⊢ AX (spec(a) = impl(a))
    M | ∅ ⊢ spec(a) = impl(a)
    ---------------------------------------------------------------------------- AG Induct
                          M | ∅ ⊢ AG (spec(a) = impl(a))
    ---------------------------------------------------------------------------- ∀R
                          M | ∅ ⊢ ∀a. AG (spec(a) = impl(a))
18
New Methodology Features
  • Adequate representation for the problem domain
  • MC and TP at the same prompt
  • Right level of abstraction
  • Rules perform exactly the transformations we have
    in mind while doing verification
  • Specialized rules for temporal logic
  • Efficient use of model structure
  • Interactive proof construction
  • Full user control with possibility of automation

19
Implementation of MC+TP
  (diagram: MC+TP general methodology, realized by the hardware-oriented SyMP implementation)
20
Implementation Architecture
  (diagram: Specification language and User Interface around the cache coherence example: processors P1..Pn with Cache1..Cachen and a Home Node holding the Shared set and the ExclGranted flag)
21
Verified Example: Cache Coherence Protocol
  (diagram: processors P1..Pn, each with its cache Cache1..Cachen, connected to a Home Node that tracks the Shared set and the ExclGranted flag)
22
Mutual Exclusion Property
At any point in time, if any cache is Exclusive then all the other caches are Invalid:
    AG ∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive ⇒ c2.state = Invalid
  (diagram: the same protocol, P1..Pn with Cache1..Cachen and the Home Node with Shared / ExclGranted)
23
Reducing the Model
Move the quantifier outside the temporal operator:
    AG ∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive ⇒ c2.state = Invalid
    ∀c1,c2. AG (c1 ≠ c2 ∧ c1.state = Exclusive ⇒ c2.state = Invalid)
  (diagram: the protocol with two caches singled out; the remaining caches and the Home Node with Shared / ExclGranted form their environment)
24
Reducing the Model
    ∀c1,c2. AG (c1 ≠ c2 ∧ c1.state = Exclusive ⇒ c2.state = Invalid)
  (diagram: the reduced model keeps only P1, P2, Cache1, Cache2 and the Home Node with Shared / ExclGranted)
25
Verifying Cache Coherence
  • Property in First-Order CTL:
    AG(∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive ⇒ c2.state = Invalid)
  • 2 ways to prove:
  • Find an inductive invariant, prove like in PVS
  • Strong induction on time + Abstraction (like in Cadence SMV)
  • Both are done in our tool SyMP
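The two proof styles of this slide, and the MC and AG Induct rules of slides 15 and 16, on a small constructed protocol (example code written for this page, not the SyMP model of slide 41 and not the IBM protocol). The protocol, the state encoding and all function names are assumptions made here: n caches in Invalid / Shared / Excl, a home node with an exclGranted flag that invalidates every sharer before granting an exclusive copy. `model_check` enumerates the reachable states of one finite instance (the MC rule); `induction_counterexample` checks the AG Induct side condition from every state, reachable or not, and shows why the mutual-exclusion property alone is not inductive and needs the home node's bookkeeping as a strengthening (the extra lemma of slides 48 and 49). The `buggy` flag models a home node that forgets to invalidate sharers, so the reader can see what a violating state looks like.

```python
"""Explicit-state model checking and inductive-invariant checking of the
mutual-exclusion property for a small constructed cache protocol.
Example code for this page; not SyMP and not the protocol verified in the thesis."""
from collections import deque
from itertools import product

INVALID, SHARED, EXCL = "Invalid", "Shared", "Excl"

def initial_state(n):
    """All n caches Invalid; the home node has granted no exclusive copy."""
    return (tuple([INVALID] * n), False)

def successors(state, buggy=False):
    """One atomic protocol step taken by some cache i: request a shared copy,
    request an exclusive copy, drop a shared copy, or give back an exclusive one.
    buggy=True: the home node grants Excl without invalidating current sharers."""
    caches, excl_granted = state
    n = len(caches)
    for i in range(n):
        if caches[i] == INVALID and not excl_granted:
            c = list(caches); c[i] = SHARED                 # reqShared -> grantShared
            yield (tuple(c), excl_granted)
        if caches[i] != EXCL and not excl_granted:
            c = list(caches) if buggy else [INVALID] * n    # Invalidate all sharers...
            c[i] = EXCL                                     # ...then grantExcl
            yield (tuple(c), True)
        if caches[i] == SHARED:
            c = list(caches); c[i] = INVALID                # silently drop shared copy
            yield (tuple(c), excl_granted)
        if caches[i] == EXCL:
            c = list(caches); c[i] = INVALID                # write back, release exclGranted
            yield (tuple(c), False)

def mutex(state):
    """The slide's property: any Exclusive cache implies all others are Invalid."""
    caches, _ = state
    return all(caches[j] == INVALID
               for i, s in enumerate(caches) if s == EXCL
               for j in range(len(caches)) if j != i)

def strengthened(state):
    """mutex plus the home node's bookkeeping: exclGranted iff some cache is Excl."""
    caches, excl_granted = state
    return mutex(state) and (excl_granted == (EXCL in caches))

def model_check(prop, n, buggy=False):
    """MC rule on a finite instance: BFS over reachable states.
    Returns None if AG prop holds, otherwise a reachable violating state."""
    init = initial_state(n)
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        if not prop(s):
            return s
        for t in successors(s, buggy):
            if t not in seen:
                seen.add(t); todo.append(t)
    return None

def induction_counterexample(prop, n):
    """AG Induct rule: prop must hold initially and be preserved by every step
    from *every* state satisfying it (the model with all states initial).
    Returns None if prop is inductive, else a (state, successor) pair."""
    init = initial_state(n)
    if not prop(init):
        return (init, init)
    for caches in product((INVALID, SHARED, EXCL), repeat=n):
        for granted in (False, True):
            s = (caches, granted)
            if not prop(s):
                continue
            for t in successors(s):
                if not prop(t):
                    return (s, t)
    return None

if __name__ == "__main__":
    print("reachable violation, correct home node:", model_check(mutex, 3))
    print("reachable violation, buggy home node:  ", model_check(mutex, 3, buggy=True))
    print("mutex inductive?        ", induction_counterexample(mutex, 3))
    print("strengthened inductive? ", induction_counterexample(strengthened, 3))
```

Model checking the correct 3-cache instance finds no violation, while the induction check rejects `mutex` on its own: an unreachable state with one Excl cache and exclGranted false lets a second cache obtain a Shared copy. Adding the exclGranted bookkeeping makes the invariant inductive for every n, which is the form a PVS-style proof needs; the finite-instance check is what the MC rule discharges once the model has been reduced.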

26
Specializing TP to Other Problem Domains
  (diagram: specializing TP to different problem domains; the MC+TP general methodology is one instance)
27
Generalizing Further
  • What made it possible to integrate Model Checking
    and Theorem Proving?
  • Customized sequent and proof system
  • Adequate representation for the problem domain
  • How about other problem domains? (Security
    protocols, Software verification, highly
    specialized hardware, etc.)
  • The same guidelines should work
  • But do I have to code a new prover from scratch?
  • There is certainly some common core that can be
    reused
  • Meta-Framework!

28
Architecture with Shared Core
  (diagram: two specification languages on top of one shared core; Specification language-1 is illustrated by the cache coherence protocol (P1..Pn, Cache1..Cachen, Home Node with Shared / ExclGranted), Specification language-2 by Tomasulo's algorithm (Register File, Dispatch, Instructions, Reservation stations, functional units F1..Ff, Common Data Bus))
29
SyMP Implementation
  (diagram: SyMP implementing the MC+TP general methodology)
30
SyMP Symbolic Model Prover
  • Theorem prover generator
  • Common proof management core
  • Common interactive user interface
  • Implements the Meta-Framework
  • Plug-in proof systems
  • well-defined interface to custom proof system
    modules
  • Each proof system defines custom sequent and
    custom set of rules

31
SyMP Proof Systems
  • Currently implemented proof systems:
  • Default: combines MC + TP
  • Athena: security protocol verification
  • Cprover: verification of embedded software (Kröning)
  • Bitvector: prototype of a bit-vector + Presburger decision procedure (in progress)
  • Analytica: reimplementation of the prover in Mathematica (Edmund Clarke, in progress)

32
Athena Proof System
  (diagram: Athena as another proof system beside the MC+TP general methodology)
33
Athena: Security Protocols
  • Original idea: Dawn Song
  • Based on the Strand Space Model
  • Protocol runs are data flow graphs
  • Rules = transformations on the graphs
  • In most cases completely automatic
  • Totally different from MC or TP
  • Reimplemented in SyMP

34
Athena Examples
  • Needham-Schroeder Authentication
  • Public key (broken and fixed) and symmetric key
  • New attack on Symmetric Key version
  • Andrew Secure RPC Protocol
  • Otway-Rees Protocol (manual guidance)
  • SSH Public Key Client Authentication
  • Bluetooth Authentication Protocol
  • Various toy / academic protocols
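The "broken and fixed" public-key Needham-Schroeder entry refers to Lowe's man-in-the-middle attack and his fix (the responder's name inside message 2). As an added example, not Athena or SyMP code, the exchange below replays both variants symbolically with both sides' messages; the nonce values, the `enc`/`dec` helpers and the result dictionary are constructions for this page. Encryption is modelled as an opaque tuple that only the addressed principal can open, which is the Dolev-Yao view that strand spaces also use.

```python
"""Symbolic replay of Lowe's man-in-the-middle attack on the Needham-Schroeder
public-key protocol, and of the fixed protocol that defeats it.  Example code
added for this page (not Athena or SyMP).  Public-key encryption is symbolic:
a ciphertext addressed to principal P can be opened by P only."""

def enc(reader, *fields):
    """{fields}_reader : encryption under reader's public key."""
    return ("enc", reader, fields)

def dec(principal, msg):
    """Open a ciphertext; fails unless it was encrypted for `principal`."""
    kind, reader, fields = msg
    if kind != "enc" or reader != principal:
        raise PermissionError(f"{principal} cannot open a message encrypted for {reader}")
    return fields

def intruder_can_open(msg):
    try:
        dec("I", msg)
        return True
    except PermissionError:
        return False

def run_protocol(fixed):
    """Interleave two sessions.  A honestly runs the protocol with I; I replays
    A's messages to B while pretending to be A.  With fixed=True, B includes its
    own name in message 2 (Lowe's fix) and A checks it against the peer she
    believes she is talking to."""
    NA, NB = "Na", "Nb"                                  # constructed nonces
    # session 1, msg 1:  A -> I : {A, Na}_I
    m1 = enc("I", "A", NA)
    claimed_initiator, na_seen = dec("I", m1)           # I reads it legitimately
    # session 2, msg 1:  I(A) -> B : {A, Na}_B          (re-encrypted for B)
    who, na_at_b = dec("B", enc("B", claimed_initiator, na_seen))
    # session 2, msg 2:  B -> I(A) : {Na, Nb}_A   or  {Na, Nb, B}_A when fixed
    m2 = enc("A", na_at_b, NB, "B") if fixed else enc("A", na_at_b, NB)
    assert not intruder_can_open(m2)                     # I cannot read Nb directly...
    # session 1, msg 2:  I -> A : m2 forwarded unchanged, as if I had produced it
    fields = dec("A", m2)
    if fixed:
        na_back, nb_recv, responder = fields
        peer_ok = responder == "I"                       # A expects her peer I, sees B
    else:
        na_back, nb_recv = fields
        peer_ok = True                                   # nothing to check
    if na_back != NA or not peer_ok:
        return {"a_aborted": True, "b_accepts_A": False, "intruder_has_nb": False}
    # session 1, msg 3:  A -> I : {Nb}_I                ...so I lets A decrypt it for him
    (nb_leaked,) = dec("I", enc("I", nb_recv))
    # session 2, msg 3:  I(A) -> B : {Nb}_B
    (nb_back,) = dec("B", enc("B", nb_leaked))
    return {"a_aborted": False,
            "b_accepts_A": who == "A" and nb_back == NB,  # B believes A completed the run
            "intruder_has_nb": nb_leaked == NB}

if __name__ == "__main__":
    print("original:", run_protocol(fixed=False))
    print("fixed:   ", run_protocol(fixed=True))
```

In the original protocol B finishes a run believing it authenticated A, and I holds Nb; with the fix A aborts at message 2 because the responder name B does not match the peer I she started the session with, so message 3 is never sent and B never completes.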

35
Conclusion
  • New methodology for combining model checking and theorem proving
  • New framework for specializing theorem proving to various problem domains
  • In particular, MC + TP is one such problem domain
  • A tool, SyMP, that implements the framework
  • Implementation of the MC + TP system in the tool
  • Many existing methodologies can be expressed in the framework and implemented in SyMP

36
Future Work
  • Finish the default proof system
  • Ideally, it should include all basic theorem proving for FO temporal logic and most of the known model checking transformations
  • Implement more proof systems for other problem domains:
  • Presburger arithmetic + bit-vectors (in progress)
  • SAL-like system in SyMP (Stanford + SRI)
  • Re-implementation of Analytica (in progress)
  • Toy systems: natural deduction, CFG, etc.
  • Improve proof search techniques

37
Questions?
38
Outline
  • Combining Model Checking and Theorem Proving
  • Motivation and existing methodologies
  • Our new methodology
  • Implementation in the tool
  • Specializing Theorem Proving meta-framework
  • SyMP the Tool putting it all together
  • Examples systems verified and extensions
    implemented
  • Conclusion Future Work

39
Common Features
  • Examples are parameterized by:
  • Number of components
  • Data width (may be infinite)
  • Both synchronous and asynchronous composition
  • First-Order Temporal Properties
  • At any time: ∀c1,c2. c1 ≠ c2 ∧ c1.state = Exclusive ⇒ c2.state = Invalid
  • Need both deductive and finite-state reasoning

40
Examples: Other Proof Systems
  • Reedpipe / Cprover: embedded software
  • Bitvector: prototype of a decision procedure
  • Demonstrate the flexibility of the SyMP framework

41
Coding the Model in SyMP
(punctuation dropped by the transcript, such as =, |, :=, &, is restored below; the exact SyMP syntax is approximate)

    module M[type Index] = begin
      datatype State = Invalid | Shared | Excl
      stateVar (cache: Index -> State),
               (channel: Index -> Message),
               (exclGranted: bool),
               (Shared: Index -> bool)
      init(cache) := fn _ => Invalid
      init(exclGranted) := false
      choose i:
          channel(i) = Invalidate =>
              next(cache) := (fn x => if x = i then Invalid else cache x endif)
        | !exclGranted & channel(i) = reqExcl =>
              next(channel i) := grantExcl;
              next(exclGranted) := true
        ......
      endchoose
      theorem coherence = self |= AG(forall i,j: i != j & cache(i) = Excl -> cache(j) = Invalid)
    end
42
Verification Idea
  • Reason about each memory cell separately
  • Isolate relevant components
  • Abstract away all the rest
  • Verify the remaining finite-state model

43
Tomasulo's Algorithm
  (diagram: Register File, Dispatch, Instructions, Reservation stations, Common Data Bus)
44
Tomasulo's Algorithm
  • Correctness: equivalent to the sequential ISA
  • Parameters:
  • Num. of registers
  • Num. of reservation stations
  • Num. of functional units
  • Data width
  • Instruction set
  • Length of reorder buffer (if present)

45
Why do designers believe it is correct?
  • Each component provides some guarantees
  • Assumptions: the environment (other components)
  • Cyclic dependency?
  • Several control- and data-intensive subproblems

46
Tomasulo's Algorithm
  (diagram: Register File, Dispatch, Instructions, Reservation stations, Common Data Bus, annotated with the parameter values 2 and 128)
47
Tomasulo's Algorithm
  (diagram: reduced to Dispatch, Instructions and the Common Data Bus, with the same annotations 2 and 128)
48
Verified Example: IBM Cache Coherence
  • PVS style
  • Very close to the original PVS proof
  • + optimizations with the model check and COI rules
  • SMV style
  • Very close to the Cadence SMV proof
  • No additional lemmas beyond one lemma introduced with a cut rule

49
Compare to Other Tools
  • In PVS the proof is shorter, mostly due to the powerful GRIND strategy
  • its complete expansion would be much longer
  • Specifications and proofs in SyMP are much easier to understand than in PVS
  • In Cadence SMV the proof needs only one extra lemma (Ken McMillan's idea)
  • Uses many automatic heuristics
  • Need to try this in SyMP to compare

50
Model Checking
  • Problem: M ⊨ F (the model satisfies the formula)
  • Model: M = (S, ρ, I)
  • S: finite set of states, I: set of initial states
  • ρ: transition relation
  • Logic for F: CTL (Computation Tree Logic)
  • propositional + temporal operators
  • AG f, AX f, ...
  • Approach: Automatic Decision Procedure
  • State enumeration, explicit or symbolic
  • Tools: SMV, Spin, Murphi, etc.

51
Model Checking Algorithms
  • For M = (S, ρ, I) ⊨ A, compute the set of states where A holds
  • Check that A holds in all initial states I
  • Use efficient data structures like BDDs
  • Can handle up to 10^100 states and more
  • About 300 boolean state variables...

52
Theorem Proving
  • Problem: ⊢ F (the formula must be valid in general)
  • Logic for F: HOL (Higher-Order Logic)
  • propositional + higher-order quantifiers
  • ∀x. ∀y. x > y ⇒ f(x) > f(y)
  • Working representation: Gentzen sequent or Logical Framework
  • Approach: Derivation in a Proof System
  • Interactive (user-guided)
  • Proof tactics, in general undecidable
  • Tools: PVS, Isabelle, HOL, STeP, Cadence SMV, ...