I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.

1
I/O Automaton Models Basic, Timed, Hybrid,
Probabilistic, Etc.

• Nancy Lynch, Dilsun Kirli, MIT
• University of Illinois, Urbana-Champaign,
  MURI Meeting
• October 4, 2002
• Based on work with Roberto Segala, Frits
  Vaandrager

2
I/O Automata

• Mathematical, infinite-state, automaton models.
• Describe states, transitions.
• Describe system modularity
• Parallel composition of interacting components.
• Levels of abstraction.
• Example Generic distributed system
• Diagram represents interfaces.
• IOA models also describe behavior.
• Abstract models for system components.
• Channel Implemented by TCP, modeled as reliable
  FIFO queue.
• Node Implemented by C program, modeled as
  algorithm automaton.

3
Reliable FIFO Channel Model

• Signature
• Inputs
• send(m), m in M
• Outputs
• receive(m), m in M
• States
• queue, a finite sequence of elements of M,
  initially empty
• Transitions
• send(m)
• Effect Add m to end of queue
• receive(m)
• Precondition m is first on queue
• Effect remove first element of queue

4
Levels of Abstraction

• Used in system development by successive
  refinement.
• Top level Specification for allowed behaviors.
• Can write in same automaton style.
• Refine through many levels, to code-like,
  detailed description.
• Example Group communication
• Automata used to represent totally-ordered
  reliable broadcast service, group communication
  service, and algorithm.
• Composition of algorithm and GCS automata
  implements TO-Bcast automaton.
• Continue, implementing GCS
  
  in terms of lower-level network.

5
Flavors of I/O Automaton Models

• Basic IOAs deal with
• What happens, in what order (not when).
• Discrete events (not continuous behavior).
• Timing TIOA
• For describing timeout-based algorithms.
• Local clocks, clock synchronization.
• Timing/performance analysis.
• Hybrid (continuous/discrete) HIOA
• Systems with real world computer components
• Vehicle control ground, air, space
• Embedded systems
• Probabilistic PIOA, PTIOA, PHIOA
• Randomized distributed algorithms
• Security protocols
• Safety-critical systems

6
Talk Outline

1. Brief overview of the models
2. HIOA model, in more detail (Lynch)
3. TIOA model (Kirli)
4. PIOA model (Lynch)
5. Future work on models
6. Future work on applications

7
1. Brief Overview of the Models
8
I/O Automata (IOA)

• Static description
• Actions a (input, output, internal)
• States s, start states
• Transitions (s, a, s') input actions enabled in
  all states.
• Dynamic description
• Execution s0 a1 s1 a2 s2
• Trace Sequence of input and output actions
  externally visible behavior.
• A implements B traces(A) ? traces(B).
• Operations for building automata
• Parallel composition, identifying inputs and
  outputs.
• Action hiding.
• Reasoning methods
• Invariant assertions Property holds in all
  reachable states.
• Simulation relations Imply one automaton
  implements another.
• Compositional methods

9
Example Applications

• Theoretical distributed algorithms
• Mutual exclusion, Byzantine agreement, atomic
  object implementation, resource allocation, data
  management
• Distributed systems
• Orca DSM system Two-layer model, following the
  implementation. Found, fixed logical error.
  Proofs.
• Transis group communication system Models for
  key layers. Proofs. Algorithmic improvements.
• Ensemble GC system Models for key layers.
  Found, fixed logical error. Proofs.
• Algorithms for dynamic networks (new)
• RAMBO reconfigurable atomic memory algorithm
• Dynamic atomic broadcast algorithm

10
Timed I/O Automata (TIOA)

• Add special time-passage actions, pass(t), to IOA
  model.
• Example Reliable FIFO channel that always
  delivers messages within time d.
• send(m)
• Effect Add (m, now d) to end of queue
• receive(m)
• Precondition (m,u) is first on queue (for some
  u)
• Effect remove first element of queue
• pass(t)
• Precondition for all (m,u) in queue, now t
  ? u
• Effect now now t
• Can use standard automaton-based reasoning
  methods
• Invariant for all (m,u) in queue, now ? u ?
  now d.
• Inductive proofs.

11
Example Applications

• Theoretical distributed algorithms
• Mutual exclusion, consensus,
• Timeout-based communication protocols
• TCP,
• Group communication systems
• Using GCS to build TO-Bcast Conditional
  performance analysis.
• Scalable GCS Performance analysis.
• RAMBO Performance analysis.
• Hybrid (continuous/discrete) systems
• RR crossing, steam boiler controller
• Stretched TIOA capabilities motivated HIOA.

12
Hybrid I/O Automata (HIOA)

• TIOA plus facilities for representing continuous
  behavior.
• Static description
• States input, output, internal variables start
  states
• Actions input, output, internal
• Discrete steps (s, a, s')
• Trajectories ?, mapping time intervals to states
• Dynamic description
• Execution ?0 a1 ?1 a2 ?2
• Trace Project on external variables, external
  actions.
• A implements B if traces(A) ? traces(B).
• Operations Composition, hiding
• Reasoning methods Invariants, simulation
  relations, compositional methods

13
Example Applications

• Ground transportation
• People-mover (Raytheon)
• California PATH automated highway system
  (Berkeley)
• Aircraft control
• TCAS (Lincoln Labs)
• Qwanser helicopter system (MIT Aero/Astro)

14
Probabilistic I/O Automata Segala

• Adds probabilistic transitions (s, a, P), where P
  is a probability distribution on states.
• Includes both nondeterminism and probability.
• External behavior represented by a set of trace
  distributions (one for each adversary, who
  resolves nondeterminism).
• Implementation represented by subset (of sets of
  trace distributions).
• Example applications
• Randomized distributed algorithms
• Rabin-Lehmann Dining Philosophers
• Aspnes-Herlihy randomized consensus
• Security protocols

15
2. Hybrid I/O AutomataLynch, Segala, Vaandrager
16
Hybrid Systems

• Hybrid systems Continuous, real-world
  components discrete, computer components
• Examples
• Automated transportation systems
• Robots
• Factory control systems
• Embedded systems
• Mobile systems
• Complex
• Strong safety, performance requirements

17
The HIOA Model

• States, discrete transitions, trajectories.
• Model plants, controllers, sensors, actuators,
  computer software, communication services, human
  operators.
• Support for decomposing hybrid system
  descriptions
• External behavior Models discrete and
  continuous interactions of component with its
  environment.
• Composition Synchronize external events,
  external trajectories.
• Levels of abstraction Implementation notion,
  respects external behavior.
• Incorporate methods from control theory, computer
  science
• Control theory Invariant sets, stability
  analysis using Lyapunov functions, robust control
  methods
• Computer science Invariants, simulation
  relations, compositional methods

18
Related Work

• Phase transition systems Maler, Manna, Pnueli
  92, Alur, Courcoubetis, Halbwachs,95,
  Kesten, Manna, Pnueli 98
• Hybrid control systems Branicky 95, 98
• Hybrid reactive modules Alur, Henzinger 96, 97

19
Example Hybrid Control System
20
Describing Hybrid Behavior

• Universal set of variables
• Static type type(v), set of values v may take
  on.
• Dynamic type dtype(v), allowed trajectories
  for v
• Set of functions from left-closed intervals of R
  to type(v).
• Closed under time shift, subinterval, countable
  pasting.
• Examples Pasting closure of constant functions,
  of continuous functions, of differentiable
  functions, of integrable functions.

21
Trajectories

• Model evolution of variables over time intervals.
• Valuation for V Assigns value in type(v) to
  each v in V.
• Trajectory Let J be a left-closed interval,
  left endpoint 0. A J-trajectory for V is a
  function from J to valuations for V whose
  restriction to each variable v is in dtype(v).
• Lemma The set of trajectories for V together
  with the prefix ordering is an algebraic cpo.
• Concatenation At common point, use value from
  first trajectory.

22
Hybrid Sequences

• Let A be a set of actions, V a set of variables.
  An (A,V)-sequence is an alternating sequence,
  ?0 a1 ?1 a2 ?2 of trajectories
  over V and actions in A.
• Models a series of discrete and continuous
  changes.
• Lemma The set of (A,V)-sequences together with
  the prefix ordering is an algebraic cpo.
• Concatenation At common point, use value from
  first (A,V)-sequence.

23
Hybrid I/O Automaton

• U, Y, X input, output, and internal (state)
  variables
• V U ? Y ? X
• Q states, a set of valuations of X
• ? start states
• I, O, H input, output, and internal actions
• A I ? O ? H
• D ? Q ? A ? Q discrete transitions
• T trajectories for V, in which the valuations
  of X are in Q. Closed under prefix, suffix, and
  countable concatenation.

24
Input-Enabling Axioms

• Input action enabling
  For every state q and every
  input action a, there is some discrete transition
  (q,a,q).
  As for ordinary I/O automata.
• Input trajectory enabling
  For every state s and every input
  trajectory ?, there is some trajectory ? that
  starts with x, and either
• Spans all of ?, or
• Spans a prefix of ?, after which some
  locally-controlled action is enabled.

25
Executions and Traces

• Execution fragment of HIOA A
• An (A,V)-sequence ?0 a1 ?1 a2 ?2 , where
• Each ?i is a trajectory of A, and
• Each (?i.lstate, ai , ?i1.fstate) is a discrete
  step of A.
• A,V are all the actions and variables of A.
• Only states need match up.
• Execution of A
• Fragment beginning in a start state.
• Trace of an execution fragment
• Restrict to external actions E, external
  variables W.
• (E,W)-sequence.
• A implements B if they have the same external
  interface and tracesA ? tracesB.

26
Notation

• We specify sets of trajectories using
  differential and algebraic equations (or
  inclusions).
• Trajectory ? satisfies algebraic equation v e
  if the constraints on the variables expressed by
  this equation hold in every state of ?.
• Trajectory ? satisfies differential equation d(v)
  e if for every t in the domain of ?
  v(t) v(0) ?0t e(t) dt
• (weak solutions)
• Algebraic/differential inclusions are handled
  similarly.

27
Example Vehicle HIOA

• Follows a suggested acceleration to within an
  error of ? ? 0. Reports real velocity.
• U acc-in
• Y vel-out
• X vel, acc Q all valuations of X
• ? vel 0, acc 0
• I, O, H, D empty
• Trajectories T
• d(vel) acc
• acc(t) ? acc-in(t) - ?, acc-in(t) ?, for t gt
  0
• vel-out vel
• No constraints on input variables in initial
  states of trajectories.

28
Example Controller HIOA

• Suggests accelerations for a vehicle with the
  intention of ensuring that the velocity does not
  exceed a pre-specified velocity, vmax.
• Monitors velocity, computes suggestion every time
  d.
• Q Valuations in which clock ? d.
• ? 0 everywhere
• H suggest
• D suggest transitions where
• clock d, clock 0,
• vel-sensed vel-sensed
• vel-sensed (acc-suggested ?) d ? vmax

29
Controller Trajectories

• d(acc-suggested) 0
• d(clock) 1
• vel-sensed(t) vel-out(t), for t gt 0
• acc-in acc-suggested

30
Simulation Relation

• Let A, B be HIOAs with the same external
  interface.
• Relation R from states of A to states of B
  satisfying
• Every start state of A is related to some start
  state of B.
• If xA R xB and ? is an execution fragment of A
  consisting of one action surrounded by two point
  trajectories, with ?.fstate xA, then B has a
  closed execution fragment ? with ?.fstate xB,
  trace(?) trace(?), and ?.lstate R ?.fstate.
• If xA R xB and ? is an execution fragment of A
  consisting of a single closed trajectory, with
  ?.fstate xA, then B has a closed execution
  fragment ? with

31
Simulation relation

• Theorem If there is a simulation relation from
  A to B then A implements B (inclusion of trace
  sets).
• Example
• Vehicle(?1) implements Vehicle(?2), if ?1 ? ?2
• Show using simulation relation identity mapping

32
Composition

• Assume A1 and A2 are compatible (no common
  outputs, internal actions/variables are private).
• Compose A1 and A2 by matching up external
  actions, variables
• Y Y1 ? Y2 X X1 ? X2 U (U1 ? U2 ) - (Y1 ?
  Y2 )
• O O1 ? O2 H H1 ? H2 I (I1 ? I2 ) - (O1 ?
  O2 )
• Start states ? Projections in ?1, ?2
• Discrete steps D Projections in D1, D2
• Trajectories T Projections in T1, T2
• Technicality Composition need not satisfy input
  flow enabling, pre-HIOA. Assume strong
  compatibility. Holds in many interesting
  special cases.

33
Composition Theorems

• Projection and Pasting Assume A A1 A2.
  Then tracesA is exactly the set of
  (E,W)-sequences whose restrictions to A1 and A2
  are traces of A1 and A2, respectively.
• Substitutivity If A1 implements A2 and both are
  compatible with B, then A1 B implements A2
  B.

34
Example Vehicle and Controller

• Vehicle Controller
• Invariant of Vehicle Controller vel ? vmax.
• Can prove this using a standard inductive
  argument.
• Uses auxiliary invariants, most importantly
• vel (acc-suggested ?) (d clock) ?
  vmax

Vehicle
Controller
vel-out

• vel-sensed
• acc-suggested
• clock

acc-in
acc, vel
35
Hiding

• ActHide(E,A) reclassifies the external actions in
  E as internal actions.
• (New) VarHide(W,A) removes the external
  variables in W (but retains their induced
  constraints on the trajectories).
• (Previously) VarHide(W,A) reclassified external
  variables in W as internal (state) variables.

36
Example

• In the composition Vehicle Controller, we may
  hide the acc-in variable, which is used for
  communication between the components
• A VarHide(acc-in, Vehicle
  Controller)
• In A, the only external variable is vel-out.
• Express the correctness of A by showing that it
  implements an abstract specification HIOA VSpec.
• VSpec expresses just the constraints vel ? vmax,
  and vel-out vel.
• Show correctness using a simulation relation.

37
Progressive HIOAs

• HIOAs should provide some response from any
  state, for any sequence of input actions and
  input trajectories.
• HIOAs should not block the passage of time they
  should allow time to pass to infinity, if their
  environment does so.
• Definition A pre-HIOA is progressive if it has
  no execution fragments in which it generates
  infinitely many locally-controlled actions in
  finite time.
• Theorem A progressive HIOA A can accommodate any
  input hybrid sequence, from every state For
  each state x of A and each (I,U)-sequence ?,
  there is some execution fragment ? from x such
  that ? ? (I ? U) ?.
• Theorem The composition of progressive
  pre-HIOAs is progressive.

38
Receptive HIOAs

• But progressiveness isnt enough
• HIOAs involving only upper bounds on timing are
  not progressive.
• Such specifications are common.
• Definition A strategy for a pre-HIOA A is an
  HIOA A that is the same as A except that D ? D,
  and T ? T.
• Nondeterministic, memoryless.
• Definition A pre-HIOA is receptive if it has a
  progressive strategy.
• Theorem A receptive pre-HIOA can accommodate
  any input hybrid sequence.
• Theorem Let A1 and A2 be compatible receptive
  HIOAs with strongly compatible progressive
  strategies B1 and B2. Then A1 A2 is a
  receptive HIOA with progressive strategy B1
  B2.

39
Applications

• Raytheon people-mover Lynch, Weinberg, Delisle
• California PATH automated highway system
  Analysis of platoon maneuvers
  Dolginova, Lygeros, Lynch
• TCAS Livadas, Lygeros, Lynch
• Qwanser helicopter system
  Mitra, Wang, Feron, Lynch

40
TCAS model
Aircraft
Aircraft
Sensor
Sensor
Pilot
Pilot
Conflict detector
Conflict detector
Channel
Conflict resolver
Conflict resolver
Channel
41
3. Timed I/O AutomataKirli, Lynch, Segala,
Vaandrager
42
From HIOA to TIOA

• Hybrid systems continuous, real-world components
  discrete, computer components
• Timed systems continuous, time discrete,
  computer components
• Correctness depends not only on the order of
  events but also on their timing.
• Example Reliable FIFO channel that always
  delivers messages within time d.

43
Work in Progress

• Canonical model for timing-based systems
• External behavior
• Composition
• Levels of abstraction
• Identify major ideas from related models and
  express them in the common framework of TIOA
• Timed automata Alur and Dill
• Timed transition systems Maler, Manna, Pnueli
• Clock GTA DePrisco

44
Describing Timing Behavior

• Timing behavior is described by using the same
  concepts as in HIOA
• Variables
• Static and dynamic types
• Trajectories
• Hybrid sequences

45
Timed I/O Automata

• X internal variables
• Q states, a set of valuations of X
• ? start states
• I, O, H input, output, internal actions
• A I ? O ? H
• D ? Q ? A ? Q discrete transitions
• T trajectories for X, in which the valuations
  of X are in Q. Closed under prefix, suffix, and
  countable concatenation.

46
Execution and Traces

• Execution fragment of TIOA A
• An (A,V)-sequence ?0 a1 ?1 a2 ?2 , where
• Each ?i is a trajectory of A, and
• Each (?i.lstate, ai , ?i1.fstate) is a discrete
  step of A.
• A,V are all the actions and variables of A.
• Execution of A Fragment beginning in a start
  state.
• Trace of an execution fragment
• Restrict to external actions E, empty set of
  variables.
• (E,?)-sequence.

47
Example Time bounded channel

• X clock, queue
• Q all valuations of X
• ? clock0, queue is empty
• I send(m)
• O receive(m)
• Transitions
• send(m)
• Effect add (m,clock d) to end of queue
• receive(m)
• Precondition (m,u) is first on queue and clock
  ? u
• Effect remove the first element of queue
• Trajectories t satisfy
• d(clock)1
• (t ? queue) is a constant function

48
Untiming Operation

• Transform a timed automaton A to an untimed
  automaton Untime(A,R)
• Define a notion of congruence.
• Let R be a congruence for A.
• States of Untime(A,R) the set of equivalence
  classes of R.
• Untime(A,R) has a special internal action to
  represent time passage.
• Theorem If ? is an execution of A, then
  Untime(A,R) has an execution ? such that
  trace(?)discrete(trace(?)) and vice versa.
• Similar to region construction of Alur and Dill
• Theorem The equivalence relation used by
  Alur-Dill in region construction is a congruence

49
Properties for I/O Automata

• A property for A is a subset of the execution
  fragments of A.
• P is a liveness property provided that for any
  state x of A, there is some execution fragment
  from x that is in P.
• We say that A is receptive for P provided that
  there exists a strategy A for A such that every
  execution fragment of A is in P.
• Theorem If A1 is receptive for P1 and A2 is
  receptive for P2 then A1 A2 is receptive for
  P1 P2.

50
4. Probabilistic I/O AutomataLynch, Segala,
Vaandrager
51
Probabilistic I/O Automata (PIOA)

• Probabilistic transitions (s, a, P), where P is a
  probability distribution on states.
• Includes both nondeterminism and probability.
• Scheduler (adversary) Resolves all
  nondeterminism.
• External behavior represented by a set of trace
  distributions (one for each scheduler).
• Trace distribution preorder ?D
• Subset (of sets of trace distributions).
• Not preserved by composition.
• Trace distribution precongruence ?DC
  
• Coarsest precongruence included in ?D.
• Preserved by composition.
• Not very informative.

52
Characterization result for ?DC Segala,
Vaandrager, Lynch 02

• Define various kinds of simulation relations for
  PIOAs.
• Weak probabilistic forward simulation relation
  from A1 to A2
• Relates states of A1 to distributions over states
  of A2.
• Transitions preserve probabilities.
• Weak Allows arbitrary internal actions.
• Theorem A1 ?DC A2 if and only if there exists
  a weak probabilistic forward simulation
  relation from A1 to A2 .

53
Probabilistic Timed I/O Automata (PTIOA) Segala

• Include time-passage steps, with probability
  distributions on new state (s,
  pass(t), P)
• Scheduler determines amount of time that passes
  (nondeterministic, not probabilistic).
• External behavior represented by a set of
  distributions of timed traces (one for each
  scheduler).
• Timed trace distribution preorder.
• Timed trace distribution precongruence.

54
5. Future Work on Models
55
Future work on HIOA

• Finish changing the hiding operator.
• Incorporate control theory methods
• Invariant sets, Lyapunov stability, robust
  control.
• Continue testing on a variety of examples.
• Linguistic support Mitra
• Language constructs for describing trajectories.
• Algebraic and differential equations/inclusions.
• Preconditions, invariants, stopping conditions.
• Add to IOA.
• Analysis tools
• Theorem-prover support, automated tools.

56
Future work on TIOA

• Express key concepts from other timed models
  using TIOA.
• Alur, Dill
• Maler, Manna, Pnueli
• Merrit, Modugno, Tuttle MMT automata
• De Prisco clock automata
• Receptiveness with general liveness properties.
• Linguistic support, tool support.
• Test on many examples.

57
Future work on PIOA

• Restrict the set of schedulers (adversaries) to
  those that can see only external behavior of the
  component automata. Yields a smaller set of
  trace distributions.
• For this restricted set, obtain a
  characterization of the trace distribution
  precongruence. Is it the same as the trace
  distribution preorder?

58
Future work on PTIOA, PHIOA

• PTIOA
• Reformulate in terms of trajectories, as in TIOA,
  HIOA.
• Characterize the timed trace distribution
  precongruence.
• Generalize TIOA results to include probabilities.
• Define simulation relations, show they imply
  timed trace distribution inclusion.
• Receptiveness?
• PHIOA
• Define a model that generalizes PTIOA and HIOA
• Define external behavior, composition,
  implementation,prove all the right theorems.

59
All the IOA models
PHIOA
HIOA
PTIOA
TIOA
PIOA
IOA
60
6. Future work on applications
61
Hybrid and Embedded Systems

• Aero/astro applications
• Embedded systems
• Sensor networks, mobile systems

62
Security Protocols

• Recent results Herzog 02 relating formal vs.
  computational approaches to analyzing correctness
  of security protocols.
• Not (yet) done explicitly in terms of PTIOA
  models.
• Formal approach
• Interacting non-probabilistic automata.
• Supports direct proofs, using induction.
• Computational approach
• Interacting probabilistic poly time Turing
  machines.
• Indirect proofs reductions of attacks to hard
  problems.
• How do the two approaches relate?

63
Formal Approach Dolev, Yao

• Adversary controls the network.
• Encryption, decryption treated as abstract,
  idealized operations.
• Cryptographic abilities of adversary made
  explicit
• Encrypt, decrypt with known keys
• Make random choices, create new keys
• Proof of security Adversary abilities do not
  combine to produce an unsafe operation.

64
Computational Approach

• Adversary controls the network
• Encryption instantiated with specific algorithms
• Adversary capable of any feasible (probabilistic
  poly time) computation.
• Proof of security If any adversary can violate
  security condition, an underlying computational
  problem is easy.

65
Relating the Two Approaches

• Would like to use computational view as semantics
  for formal view Show formal attack exists iff
  computational attack exists.
• Known Formal attacks imply computational
  attacks
• Open When do computational attacks imply
  formal attacks?
• Answer requires
• Semantics for adversary
• Semantics for honest participants
• Semantics for composition of previous two
• Focus of present work The adversary.

66
Formal Adversary

• Formal adversary makes queries to honest
  participants, receives responses
• Each query must be deducible from initial
  knowledge, responses, by sequence of
• Encryptions/decryptions with known key
• Pairing/separation of values
• Formal adversary modeled as closure operation on
  messages.

67
Ideal Encryption

• Computational encryption algorithm is ideal if
• no computational adversary, given any set of
  messages, can produce a message outside the
  closure of the set (with non-negligible
  probability)
• Theorem This limits computational adversary to
  formal adversary.
• Theorem This is achievable.

68
Future Work on Security Protocols

• Complete the work on formal vs. computational
  approaches
• Define semantics for honest participants
• How do they validate incoming messages?
• No information should be given away in error
  cases
• Define composition of adversary, honest
  participants
• Obtain general simulation theorems.
• Use the theorems to prove correctness of
  interesting security protocols.
• Express in terms of PTIOA.