ProPed - Umang Mathurumathur3.web.engr.illinois.edu/documents/slides/proped-presentatio… · Rohit Chadha , Umang Mathur , Stefan Schwoon { 1 of 17 ProPed Tool for Symbolic Veri

Rohit Chadha , Umang Mathur , Stefan Schwoon – 1 of 17

ProPedTool for Symbolic Verification of Probablistic Recursive Programs

Rohit Chadha 1 Umang Mathur 2 Stefan Schwoon 3

1Computer Science DepartmentUniversity of Missouri

Columbia, Missouri, USA

2Department of Computer Science and EngineeringIndian Institute of Tchnology - Bombay

Mumbai

3LSV, ENS CachanFrance

January 23, 2014


ProPed: Symbolic Verification + Probablistic + Recursion

Figure: Comparison with existing state-of-the-art tools

– Moped: Recursion and symbolic program verification but no probability

– PRISM: Symbolic program analysis and probability but no recursion

– PReMo: Recursion and probability but explicit state model checking

ProPed = Moped ∪ PRISM ∪ PReMo

ProPed is a MTBDD-based tool that analyzes probabilistic recursive programs










































Probabilistic Recursive Programs

Analysis of Probabilistic Recursive Programs:

– Modeling the program

– Reachability Analysis and Property Checking

– Calculating Information Leakage














Example program

procedure p;

p0: if ? then

p1: call s;

p2: if ? then wp 0.2 -> call p;

wp 0.8 -> skip;end if;

else

p3: call p;

end if

P4: return

procedure s;

s0: if ? thenreturn;

end if;

s1: call p;

s2: return;

procedure main ;

m0: call s;

m1: return;

S = {p0, . . . , p

4, s

0, . . . , s

2, m

0, m

1} ∗ , initial state = m

0

m0 s0 m1

m1

s1 m1 p0 s2 m1

p1 s2 m1

p3 s2 m1 p0 p4 s2 m1

s0 p2 s2 m1

ε


Example program

procedure p;

p0: if ? then

p1: call s;

p2: if ? then wp 0.2 -> call p;

wp 0.8 -> skip;end if;

else

p3: call p;

end if

P4: return

procedure s;

s0: if ? thenreturn;

end if;

s1: call p;

s2: return;

procedure main ;

m0: call s;

m1: return;

S = {p0, . . . , p

4, s

0, . . . , s

2, m

0, m

1} ∗ , initial state = m

0

m0 s0 m1

m1

s1 m1 p0 s2 m1

p1 s2 m1

p3 s2 m1 p0 p4 s2 m1

s0 p2 s2 m1

ε


Analysis of Recursive Programs is not Straightforward

– Potentially infinite state space !

– Simple unrolling/inlining is not applicable

– Cannot be analyzed by naively searching all reachable states

– Some finite representation is required




















Computation Model for Probabilistic Recursive Programs

– Control flow:– Sequential (probabilistic) program– Procedures– Mutual procedure calls (possibly recursive)

– Data:– Global Variables (finite memory)– Local Variables in each procedure (one copy per call)


Computation Model for Probabilistic Recursive Programs

– Control flow:– Sequential (probabilistic) program– Procedures– Mutual procedure calls (possibly recursive)

– Data:– Global Variables (finite memory)– Local Variables in each procedure (one copy per call)


Pushdown Systems: Syntax and Semantics

A pushdown system is a triple (P,Γ, δ), where

– P is a finite set of control locations (states)

– Γ is a finite stack alphabet

– δ ⊆ (P × Γ)× (P × Γ∗) is a finite set of rules

A configuration is a pair pα, where p ∈ P and α ∈ Γ∗

Semantics: A (possibly infinite) transition system with configurations as states andtransitions given by

If pX ↪→ qα ∈ δ, then pXβ → qαβ for every β ∈ Γ∗

Normalization |α| ≤ 2 (each transition pushes atmost 2 symbols on the stack),termination only by empty stack.






















Probabilistic Pushdown Systems: Syntax and Semantics

A probabilistic pushdown system is a tuple P = (P,Γ, δ, Prob), where

– (P,Γ, δ) is a PDS

– Prob : δ → (0, 1] such that for every pair pX, we havePpX↪→qα Prob(pX ↪→ qα) = 1

pXx↪→ qα to denote Prob(pX ↪→ qα) = x

Semantics: A (possibly infinite) Markov chain with configurations as states andtransition probabilities given by

If pXx↪→ qα ∈ δ, then pXβ

x−→ qαβ for every β ∈ Γ∗


Probabilistic Pushdown Systems: Syntax and Semantics

A probabilistic pushdown system is a tuple P = (P,Γ, δ, Prob), where

– (P,Γ, δ) is a PDS

– Prob : δ → (0, 1] such that for every pair pX, we havePpX↪→qα Prob(pX ↪→ qα) = 1

pXx↪→ qα to denote Prob(pX ↪→ qα) = x

Semantics: A (possibly infinite) Markov chain with configurations as states andtransition probabilities given by

If pXx↪→ qα ∈ δ, then pXβ

x−→ qαβ for every β ∈ Γ∗


From programs to pushdown systems

State of a procedural program: (g, n, l, (n1, l1) · · · (nk, lk)), where

– g is a valuation of the global variables,

– n is the value of the program counter,

– l is a valuation of local variables of the current active procedure,

– ni is a return address, and

– li is a saved valuation of the local variables of a calling procedure

Modeled as a configuration pXY1 · · ·Yk where

p = g X = (n, l) Yi = (ni, li)


From programs to pushdown systems

The following correspondence between a program and PDS holds:

– State p corresponds to valuations of global variables

– Γ corresponds to tuples of the form (program counter, local valuations)

– Configuration pAw can be interpreted with globals in p, current procedure withlocal variables in A and suspended procedures in w

– Rule pX ↪→ qY corresponds to a sequential statement within a procedure

– Rule pX ↪→ qY Z corresponds to a call to some procedure

– Rule pX ↪→ qε corresponds to a return from some procedure


Probabilistic Verification

– Qualitative properties: Does a program property hold with probability 1?

– Quantitative properties: What is the probability with which a certain propertyhold?

– Reachability of control states– simple PCTL properties such as ♦(l1 ∨ l2 · · · lk), where li are labels in the program


Probabilistic Verification

– Qualitative properties: Does a program property hold with probability 1?

– Quantitative properties: What is the probability with which a certain propertyhold?

– Reachability of control states– simple PCTL properties such as ♦(l1 ∨ l2 · · · lk), where li are labels in the program


Quantitative Verification: Formulating system of non-linearequations

Define a variable [pXq] as the probability of starting at the configuration pX andeventually reaching the configuration qε.

Theorem (J. Esparza, A. Kucera, R. Mayr)

The [pXq]s are the least solution of the following system of equations:

[pXq] =PpX

x↪→qε

x +PpX

x↪→rY

x.[rY q] +PpX

x↪→rY Z

x.Pt∈P [rY t].[tZq]

The system is of the form x = P (x), and the sequence 0, P (0), P 2(0) · · · convergesto the least solution.






[pXq] =PpX

x↪→qε

x +PpX

x↪→rY

x.[rY q] +PpX

x↪→rY Z








[pXq] =PpX

x↪→qε

x +PpX

x↪→rY

x.[rY q] +PpX

x↪→rY Z




Fixed-point Computation

– The variables [pXq] are just relations over the initial and final valuations ofvariables

– The statements of the program are also similar relations

x

x'

0x2c

0x29 0x2b

0 1

Stmt: x = !x

Stmt

– Can be represented efficiently as MTBBDs (= BDDs + real values on theterminal nodes)

– Fixed point computation - Jacobi Iterative Method

– Use of CUDD library for MTBDD (ADD) manipulations.


Information Leakage

– Leakage measured in terms of min-entropy (G. Smith)

– For a given set of inputs S and outputs O, min-entropy leakage, LSO =

log V (S|O)V (S)

, where

– S is a random variable on S and having distribution PS– O is a random variable on O and having distribution PO– V (S) = max

s∈SPS [s]

– V (S|O) =Po∈O PO[o].max

s∈SP [s|o]

– Computing the above metric is simply basic ADD manipulation !


Technical details about the tool

– Input language: Remopla with an additional pchoice construct

define N 32

define DEFAULT_INT_BITS N

unsigned int var1;bool g;

module void f(unsigned int v, bool z){

bool k;pchoice:: 0.2 -> label2: k = g && z;:: 0.8 -> var1 = var1 + v;choicep

}

module void main(){

var1 = 53;pchoice :: 0.3 -> label1: g = true; :: 0.7 -> f(var1, !g);choicep

}

Figure: An input program for ProPed

– Parser and other libraries (CUDD, etc.,) : C

– Analysis (Fixed point computation) : C++


More about MTBDDs

0

2

3

5

6

8

main

0x1943

0x19410x1942

0x1940

0

0x193f 0x1938

0x193b 0x193e 0x1937

0x193a 0x1935 0x19360x193d

0.140.56 0.7

Figure: An MTBDD

MTBDD = MultiTerminal Binary DecisionDiagram

– CUDD : ADD (Algebraic Decision Diagram) interface

– Provides important Utilities:– Cudd addTimes– Cudd addPlus– Cudd addPermute– Cudd addMatrixMultiply– Cudd addCmpl, Cudd addXnor, · · ·– Cudd addExistAbstract, Cudd addMaxAbstract, · · ·


Possible Improvements and Extensions

– Use faster iteration methods (Jacobi is too slow) such as Newton-Raphsoniterations

– Repeated Reachability : Buchi

– Information leakage by energy characterization

Documents

ProPed - Umang Mathurumathur3.web.engr.illinois.edu/documents/slides/proped-presentatio… · Rohit Chadha , Umang Mathur , Stefan Schwoon { 1 of 17 ProPed Tool for Symbolic Veri