Title: I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.
I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.
- Nancy Lynch, Dilsun Kirli, MIT
- University of Illinois, Urbana-Champaign, MURI Meeting, October 4, 2002
- Based on work with Roberto Segala, Frits Vaandrager
I/O Automata
- Mathematical, infinite-state automaton models.
- Describe states and transitions.
- Describe system modularity:
  - Parallel composition of interacting components.
  - Levels of abstraction.
- Example: generic distributed system.
  - The diagram represents interfaces.
  - IOA models also describe behavior.
- Abstract models for system components:
  - Channel: implemented by TCP, modeled as a reliable FIFO queue.
  - Node: implemented by a C program, modeled as an algorithm automaton.
Reliable FIFO Channel Model
- Signature
  - Inputs: send(m), m in M
  - Outputs: receive(m), m in M
- States
  - queue, a finite sequence of elements of M, initially empty
- Transitions
  - send(m)
    - Effect: add m to end of queue
  - receive(m)
    - Precondition: m is first on queue
    - Effect: remove first element of queue
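The channel above, written out as an executable basic IOA in Python. This is an added example, not code from the slides or from the IOA toolkit; the class and function names (ReliableFifoChannel, execute, is_trace) are mine. It makes explicit two things the slide leaves implicit: inputs are enabled in every state while the output is guarded by its precondition, and a sequence of actions is in traces(Channel) only if every receive is for the message at the head of the queue, which is the behavior an implementation such as TCP must stay within.

```python
"""Reliable FIFO channel from the slide, as an executable basic IOA (added example)."""
from collections import deque
from typing import Deque, Hashable, List, Sequence, Tuple

# An action is (name, message); the names form the automaton's signature.
Action = Tuple[str, Hashable]


class ReliableFifoChannel:
    """Signature: inputs send(m), outputs receive(m); state: queue."""

    INPUTS = frozenset({"send"})
    OUTPUTS = frozenset({"receive"})

    def __init__(self) -> None:
        self.queue: Deque[Hashable] = deque()  # start state: empty queue

    def enabled(self, action: Action) -> bool:
        name, m = action
        if name == "send":
            return True  # input-enabled: every input is accepted in every state
        if name == "receive":
            return bool(self.queue) and self.queue[0] == m  # precondition
        return False  # not in the signature

    def step(self, action: Action) -> None:
        """Apply the transition (s, action, s'); raise if it is not enabled."""
        if not self.enabled(action):
            raise ValueError(f"{action} not enabled in state {list(self.queue)}")
        name, m = action
        if name == "send":
            self.queue.append(m)  # effect: add m to end of queue
        else:
            self.queue.popleft()  # effect: remove first element


def execute(actions: Sequence[Action]) -> Tuple[List[Hashable], List[Action]]:
    """Run an execution s0 a1 s1 a2 s2 ... from the start state.

    Returns the final state and the trace (external actions only; here every
    action is external because the channel has no internal actions).
    The channel's key invariant is checked after every step: the queue holds
    exactly the sent messages not yet received, in sending order.
    """
    ch = ReliableFifoChannel()
    sent: List[Hashable] = []
    received: List[Hashable] = []
    trace: List[Action] = []
    for action in actions:
        ch.step(action)
        name, m = action
        (sent if name == "send" else received).append(m)
        if name in ch.INPUTS | ch.OUTPUTS:
            trace.append(action)
        # Invariant: received is a prefix of sent, and queue is the remainder.
        assert sent[: len(received)] == received
        assert list(ch.queue) == sent[len(received):]
    return list(ch.queue), trace


def is_trace(trace: Sequence[Action]) -> bool:
    """Membership in traces(Channel): does some execution have this trace?

    The channel is deterministic, so replaying the trace decides it. An
    implementation of the channel is correct iff all of its traces pass here.
    """
    try:
        execute(trace)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(execute([("send", "a"), ("send", "b"), ("receive", "a")]))
    print(is_trace([("send", "a"), ("send", "b"), ("receive", "b")]))  # reordering
```

Reordered delivery and a receive with nothing queued both fail `is_trace`, which is how a trace-inclusion check against this specification would catch a non-FIFO or lossy implementation.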
Levels of Abstraction
- Used in system development by successive refinement.
- Top level: specification for allowed behaviors.
  - Can be written in the same automaton style.
- Refine through many levels, down to a code-like, detailed description.
- Example: group communication
  - Automata represent the totally-ordered reliable broadcast (TO-Bcast) service, the group communication service (GCS), and the algorithm.
  - The composition of the algorithm and GCS automata implements the TO-Bcast automaton.
  - Continue by implementing the GCS in terms of a lower-level network.
Flavors of I/O Automaton Models
- Basic IOAs deal with:
  - What happens, in what order (not when).
  - Discrete events (not continuous behavior).
- Timed: TIOA
  - For describing timeout-based algorithms.
  - Local clocks, clock synchronization.
  - Timing/performance analysis.
- Hybrid (continuous/discrete): HIOA
  - Systems with real-world and computer components.
  - Vehicle control: ground, air, space.
  - Embedded systems.
- Probabilistic: PIOA, PTIOA, PHIOA
  - Randomized distributed algorithms.
  - Security protocols.
  - Safety-critical systems.
Talk Outline
- Brief overview of the models
- HIOA model, in more detail (Lynch)
- TIOA model (Kirli)
- PIOA model (Lynch)
- Future work on models
- Future work on applications
1. Brief Overview of the Models
I/O Automata (IOA)
- Static description
  - Actions a: input, output, internal.
  - States s, start states.
  - Transitions (s, a, s'); input actions are enabled in all states.
- Dynamic description
  - Execution: s0 a1 s1 a2 s2 ...
  - Trace: the sequence of input and output actions, i.e. the externally visible behavior.
  - A implements B: traces(A) ⊆ traces(B).
- Operations for building automata
  - Parallel composition, identifying inputs and outputs.
  - Action hiding.
- Reasoning methods
  - Invariant assertions: a property holds in all reachable states.
  - Simulation relations: imply that one automaton implements another.
  - Compositional methods.
Example Applications
- Theoretical distributed algorithms
  - Mutual exclusion, Byzantine agreement, atomic object implementation, resource allocation, data management.
- Distributed systems
  - Orca DSM system: two-layer model, following the implementation. Found and fixed a logical error. Proofs.
  - Transis group communication system: models for key layers. Proofs. Algorithmic improvements.
  - Ensemble GC system: models for key layers. Found and fixed a logical error. Proofs.
- Algorithms for dynamic networks (new)
  - RAMBO reconfigurable atomic memory algorithm.
  - Dynamic atomic broadcast algorithm.
Timed I/O Automata (TIOA)
- Add special time-passage actions, pass(t), to the IOA model.
- Example: reliable FIFO channel that always delivers messages within time d.
  - send(m)
    - Effect: add (m, now + d) to end of queue
  - receive(m)
    - Precondition: (m, u) is first on queue (for some u)
    - Effect: remove first element of queue
  - pass(t)
    - Precondition: for all (m, u) in queue, now + t ≤ u
    - Effect: now := now + t
- Can use standard automaton-based reasoning methods.
  - Invariant: for all (m, u) in queue, now ≤ u ≤ now + d.
  - Inductive proofs.
Example Applications
- Theoretical distributed algorithms
  - Mutual exclusion, consensus, ...
- Timeout-based communication protocols
  - TCP, ...
- Group communication systems
  - Using GCS to build TO-Bcast: conditional performance analysis.
  - Scalable GCS: performance analysis.
- RAMBO: performance analysis.
- Hybrid (continuous/discrete) systems
  - Railroad crossing, steam boiler controller.
  - Stretched TIOA capabilities; motivated HIOA.
Hybrid I/O Automata (HIOA)
- TIOA plus facilities for representing continuous behavior.
- Static description
  - States: input, output, internal variables; start states.
  - Actions: input, output, internal.
  - Discrete steps (s, a, s').
  - Trajectories τ, mapping time intervals to states.
- Dynamic description
  - Execution: τ0 a1 τ1 a2 τ2 ...
  - Trace: projection on external variables and external actions.
  - A implements B if traces(A) ⊆ traces(B).
- Operations: composition, hiding.
- Reasoning methods: invariants, simulation relations, compositional methods.
Example Applications
- Ground transportation
  - People-mover (Raytheon)
  - California PATH automated highway system (Berkeley)
- Aircraft control
  - TCAS (Lincoln Labs)
  - Qwanser helicopter system (MIT Aero/Astro)
Probabilistic I/O Automata [Segala]
- Adds probabilistic transitions (s, a, P), where P is a probability distribution on states.
- Includes both nondeterminism and probability.
- External behavior is represented by a set of trace distributions (one for each adversary, who resolves the nondeterminism).
- Implementation is represented by subset inclusion (of sets of trace distributions).
- Example applications
  - Randomized distributed algorithms
    - Rabin-Lehmann dining philosophers
    - Aspnes-Herlihy randomized consensus
  - Security protocols
2. Hybrid I/O Automata [Lynch, Segala, Vaandrager]
Hybrid Systems
- Hybrid systems: continuous, real-world components plus discrete, computer components.
- Examples
  - Automated transportation systems
  - Robots
  - Factory control systems
  - Embedded systems
  - Mobile systems
- Complex.
- Strong safety and performance requirements.
The HIOA Model
- States, discrete transitions, trajectories.
- Model plants, controllers, sensors, actuators, computer software, communication services, human operators.
- Support for decomposing hybrid system descriptions
  - External behavior: models the discrete and continuous interactions of a component with its environment.
  - Composition: synchronize external events and external trajectories.
  - Levels of abstraction: an implementation notion that respects external behavior.
- Incorporate methods from control theory and computer science
  - Control theory: invariant sets, stability analysis using Lyapunov functions, robust control methods.
  - Computer science: invariants, simulation relations, compositional methods.
Related Work
- Phase transition systems [Maler, Manna, Pnueli 92], [Alur, Courcoubetis, Halbwachs, ... 95], [Kesten, Manna, Pnueli 98]
- Hybrid control systems [Branicky 95, 98]
- Hybrid reactive modules [Alur, Henzinger 96, 97]
Example Hybrid Control System
Describing Hybrid Behavior
- Universal set of variables.
- Static type type(v): the set of values v may take on.
- Dynamic type dtype(v): the allowed trajectories for v.
  - A set of functions from left-closed intervals of R to type(v).
  - Closed under time shift, subinterval, and countable pasting.
  - Examples: pasting closure of constant functions, of continuous functions, of differentiable functions, of integrable functions.
Trajectories
- Model the evolution of variables over time intervals.
- Valuation for V: assigns a value in type(v) to each v in V.
- Trajectory: let J be a left-closed interval with left endpoint 0. A J-trajectory for V is a function from J to valuations for V whose restriction to each variable v is in dtype(v).
- Lemma: the set of trajectories for V, together with the prefix ordering, is an algebraic cpo.
- Concatenation: at the common point, use the value from the first trajectory.
Hybrid Sequences
- Let A be a set of actions and V a set of variables. An (A,V)-sequence is an alternating sequence τ0 a1 τ1 a2 τ2 ... of trajectories over V and actions in A.
- Models a series of discrete and continuous changes.
- Lemma: the set of (A,V)-sequences, together with the prefix ordering, is an algebraic cpo.
- Concatenation: at the common point, use the value from the first (A,V)-sequence.
Hybrid I/O Automaton
- U, Y, X: input, output, and internal (state) variables
- V = U ∪ Y ∪ X
- Q: states, a set of valuations of X
- Θ: start states
- I, O, H: input, output, and internal actions
- A = I ∪ O ∪ H
- D ⊆ Q × A × Q: discrete transitions
- T: trajectories for V in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.
Input-Enabling Axioms
- Input action enabling: for every state q and every input action a, there is some discrete transition (q, a, q'). As for ordinary I/O automata.
- Input trajectory enabling: for every state x and every input trajectory τ, there is some trajectory τ' that starts with x and either
  - spans all of τ, or
  - spans a prefix of τ, after which some locally-controlled action is enabled.
Executions and Traces
- Execution fragment of HIOA A
  - An (A,V)-sequence τ0 a1 τ1 a2 τ2 ..., where
    - each τi is a trajectory of A, and
    - each (τi.lstate, ai, τi+1.fstate) is a discrete step of A.
  - A, V are all the actions and variables of A.
  - Only states need match up.
- Execution of A
  - A fragment beginning in a start state.
- Trace of an execution fragment
  - Restrict to external actions E and external variables W.
  - An (E,W)-sequence.
- A implements B if they have the same external interface and traces(A) ⊆ traces(B).
Notation
- We specify sets of trajectories using differential and algebraic equations (or inclusions).
- Trajectory τ satisfies the algebraic equation v = e if the constraints on the variables expressed by this equation hold in every state of τ.
- Trajectory τ satisfies the differential equation d(v) = e if for every t in the domain of τ, v(t) = v(0) + ∫_0^t e(t') dt' (weak solutions).
- Algebraic/differential inclusions are handled similarly.
Example: Vehicle HIOA
- Follows a suggested acceleration to within an error of ε ≥ 0. Reports the real velocity.
- U = {acc-in}
- Y = {vel-out}
- X = {vel, acc}; Q = all valuations of X
- Θ: vel = 0, acc = 0
- I, O, H, D: empty
- Trajectories T:
  - d(vel) = acc
  - acc(t) ∈ [acc-in(t) − ε, acc-in(t) + ε], for t > 0
  - vel-out = vel
- No constraints on input variables in the initial states of trajectories.
Example: Controller HIOA
- Suggests accelerations for a vehicle, with the intention of ensuring that the velocity does not exceed a pre-specified velocity vmax.
- Monitors the velocity and computes a suggestion every time d.
- Q: valuations in which clock ≤ d.
- Θ: 0 everywhere
- H = {suggest}
- D: suggest transitions where
  - clock = d, clock' = 0,
  - vel-sensed' = vel-sensed,
  - vel-sensed + (acc-suggested' + ε)·d ≤ vmax
Controller Trajectories
- d(acc-suggested) = 0
- d(clock) = 1
- vel-sensed(t) = vel-out(t), for t > 0
- acc-in = acc-suggested
Simulation Relation
- Let A, B be HIOAs with the same external interface.
- A relation R from states of A to states of B satisfying:
  - Every start state of A is related to some start state of B.
  - If xA R xB and α is an execution fragment of A consisting of one action surrounded by two point trajectories, with α.fstate = xA, then B has a closed execution fragment β with β.fstate = xB, trace(β) = trace(α), and α.lstate R β.lstate.
  - If xA R xB and α is an execution fragment of A consisting of a single closed trajectory, with α.fstate = xA, then B has a closed execution fragment β with
Simulation Relation
- Theorem: if there is a simulation relation from A to B, then A implements B (inclusion of trace sets).
- Example
  - Vehicle(ε1) implements Vehicle(ε2), if ε1 ≤ ε2.
  - Shown using a simulation relation: the identity mapping.
Composition
- Assume A1 and A2 are compatible (no common outputs; internal actions/variables are private).
- Compose A1 and A2 by matching up external actions and variables:
  - Y = Y1 ∪ Y2, X = X1 ∪ X2, U = (U1 ∪ U2) − (Y1 ∪ Y2)
  - O = O1 ∪ O2, H = H1 ∪ H2, I = (I1 ∪ I2) − (O1 ∪ O2)
  - Start states Θ: projections in Θ1, Θ2
  - Discrete steps D: projections in D1, D2
  - Trajectories T: projections in T1, T2
- Technicality: the composition need not satisfy input flow enabling, so in general it is only a pre-HIOA. Assume strong compatibility; this holds in many interesting special cases.
Composition Theorems
- Projection and pasting: assume A = A1 ‖ A2. Then traces(A) is exactly the set of (E,W)-sequences whose restrictions to A1 and A2 are traces of A1 and A2, respectively.
- Substitutivity: if A1 implements A2 and both are compatible with B, then A1 ‖ B implements A2 ‖ B.
Example: Vehicle and Controller
- Vehicle ‖ Controller
- Invariant of Vehicle ‖ Controller: vel ≤ vmax.
- Can prove this using a standard inductive argument.
- Uses auxiliary invariants, most importantly:
  - vel + (acc-suggested + ε)·(d − clock) ≤ vmax
- [Diagram: Vehicle (state variables acc, vel) and Controller (state variables vel-sensed, acc-suggested, clock), connected by the variables vel-out (Vehicle to Controller) and acc-in (Controller to Vehicle).]
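A simulation of Vehicle ‖ Controller with both invariants checked at every sampled state. This is an added example, not the slides' own code: it discretizes the trajectories with a fixed step h (exact rational arithmetic, so the inequalities are not blurred by rounding), and the vehicle's deviation from acc-in is supplied by a caller-chosen disturbance function with values in [−ε, +ε]. The `safe_controller=False` variant is a hypothetical controller that forgets ε; it is there only to show why the slack in the suggest precondition is what makes vel ≤ vmax inductive. Function names are mine. The start state satisfies the auxiliary invariant only when ε·d ≤ vmax, which the simulation assumes.

```python
"""Vehicle || Controller from the slides, simulated step by step (added example)."""
from fractions import Fraction as F
from typing import Callable, Dict


def check_invariants(vel: F, acc_suggested: F, clock: F, vmax: F, d: F, eps: F) -> bool:
    """The slide's invariant vel <= vmax and its auxiliary invariant, at one state."""
    main = vel <= vmax
    aux = vel + (acc_suggested + eps) * (d - clock) <= vmax
    return main and aux


def suggest(vel_sensed: F, vmax: F, d: F, eps: F, safe: bool) -> F:
    """Effect of the controller's `suggest` step: the largest admissible suggestion.

    safe=True satisfies the slide's precondition vel_sensed + (acc + eps) * d <= vmax
    with equality. safe=False is a hypothetical controller that ignores the
    vehicle's error band eps; it exists here only as a contrast.
    """
    slack = eps if safe else F(0)
    return (vmax - vel_sensed) / d - slack


def simulate(vmax: F, d: F, eps: F, h: F, total_time: F,
             disturbance: Callable[[int], F],
             safe_controller: bool = True) -> Dict[str, object]:
    """Run the composed automaton for total_time with sampling step h.

    Vehicle:    d(vel) = acc with acc in [acc_in - eps, acc_in + eps], vel_out = vel.
    Controller: d(clock) = 1, acc_suggested constant between suggest steps,
                suggest enabled exactly when clock = d; acc_in = acc_suggested
                and vel_sensed = vel_out, so the controller reads vel directly.
    Returns the maximum velocity reached and whether both invariants held in
    every sampled state (including right after each discrete step).
    """
    assert (d / h).denominator == 1 and (total_time / h).denominator == 1, "h must divide d and total_time"
    vel = acc_suggested = clock = F(0)  # start states: everything 0
    max_vel = vel
    ok = check_invariants(vel, acc_suggested, clock, vmax, d, eps)  # needs eps*d <= vmax
    for k in range(int(total_time / h)):
        if clock == d:  # discrete step `suggest`
            acc_suggested = suggest(vel, vmax, d, eps, safe_controller)
            clock = F(0)
            ok = ok and check_invariants(vel, acc_suggested, clock, vmax, d, eps)
        # Trajectory piece of length h: the vehicle's acc stays within eps of acc_in.
        dist = disturbance(k)
        assert -eps <= dist <= eps, "disturbance outside the vehicle's error band"
        acc = acc_suggested + dist
        vel += acc * h        # d(vel) = acc, acc held constant over the step
        clock += h            # d(clock) = 1
        max_vel = max(max_vel, vel)
        ok = ok and check_invariants(vel, acc_suggested, clock, vmax, d, eps)
    return {"max_vel": max_vel, "invariants_held": ok}


def worst_case(_k: int) -> F:
    """Adversarial vehicle: always accelerates eps harder than suggested (eps = 1/2)."""
    return F(1, 2)


if __name__ == "__main__":
    params = dict(vmax=F(10), d=F(1), eps=F(1, 2), h=F(1, 10), total_time=F(3))
    print("safe  :", simulate(disturbance=worst_case, safe_controller=True, **params))
    print("unsafe:", simulate(disturbance=worst_case, safe_controller=False, **params))
```

With the worst-case disturbance the safe controller drives the velocity to exactly vmax and holds it there; the ε-free controller overshoots by ε·d in the second period, and the auxiliary invariant is already false immediately after its suggest step, which is the point at which an inductive proof would fail.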
Hiding
- ActHide(E, A) reclassifies the external actions in E as internal actions.
- (New) VarHide(W, A) removes the external variables in W (but retains their induced constraints on the trajectories).
- (Previously) VarHide(W, A) reclassified the external variables in W as internal (state) variables.
Example
- In the composition Vehicle ‖ Controller, we may hide the acc-in variable, which is used for communication between the components:
  - A = VarHide({acc-in}, Vehicle ‖ Controller)
- In A, the only external variable is vel-out.
- Express the correctness of A by showing that it implements an abstract specification HIOA VSpec.
  - VSpec expresses just the constraints vel ≤ vmax and vel-out = vel.
- Show correctness using a simulation relation.
Progressive HIOAs
- HIOAs should provide some response from any state, for any sequence of input actions and input trajectories.
- HIOAs should not block the passage of time: they should allow time to pass to infinity if their environment does so.
- Definition: a pre-HIOA is progressive if it has no execution fragments in which it generates infinitely many locally-controlled actions in finite time.
- Theorem: a progressive HIOA A can accommodate any input hybrid sequence, from every state. For each state x of A and each (I,U)-sequence β, there is some execution fragment α from x such that α restricted to (I, U) equals β.
- Theorem: the composition of progressive pre-HIOAs is progressive.
Receptive HIOAs
- But progressiveness isn't enough:
  - HIOAs involving only upper bounds on timing are not progressive.
  - Such specifications are common.
- Definition: a strategy for a pre-HIOA A is an HIOA A' that is the same as A except that D' ⊆ D and T' ⊆ T.
  - Nondeterministic, memoryless.
- Definition: a pre-HIOA is receptive if it has a progressive strategy.
- Theorem: a receptive pre-HIOA can accommodate any input hybrid sequence.
- Theorem: let A1 and A2 be compatible receptive HIOAs with strongly compatible progressive strategies B1 and B2. Then A1 ‖ A2 is a receptive HIOA with progressive strategy B1 ‖ B2.
Applications
- Raytheon people-mover [Lynch, Weinberg, Delisle]
- California PATH automated highway system: analysis of platoon maneuvers [Dolginova, Lygeros, Lynch]
- TCAS [Livadas, Lygeros, Lynch]
- Qwanser helicopter system [Mitra, Wang, Feron, Lynch]
TCAS Model
- [Diagram: two aircraft, each modeled with a Sensor, a Pilot, a Conflict detector and a Conflict resolver; the two sides communicate through Channels.]
3. Timed I/O Automata [Kirli, Lynch, Segala, Vaandrager]
From HIOA to TIOA
- Hybrid systems: continuous, real-world components plus discrete, computer components.
- Timed systems: continuous time plus discrete, computer components.
- Correctness depends not only on the order of events but also on their timing.
- Example: reliable FIFO channel that always delivers messages within time d.
Work in Progress
- Canonical model for timing-based systems
  - External behavior
  - Composition
  - Levels of abstraction
- Identify major ideas from related models and express them in the common framework of TIOA
  - Timed automata [Alur and Dill]
  - Timed transition systems [Maler, Manna, Pnueli]
  - Clock GTA [De Prisco]
Describing Timing Behavior
- Timing behavior is described using the same concepts as in HIOA:
  - Variables
  - Static and dynamic types
  - Trajectories
  - Hybrid sequences
Timed I/O Automata
- X: internal variables
- Q: states, a set of valuations of X
- Θ: start states
- I, O, H: input, output, internal actions
- A = I ∪ O ∪ H
- D ⊆ Q × A × Q: discrete transitions
- T: trajectories for X in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.
Executions and Traces
- Execution fragment of TIOA A
  - An (A,V)-sequence τ0 a1 τ1 a2 τ2 ..., where
    - each τi is a trajectory of A, and
    - each (τi.lstate, ai, τi+1.fstate) is a discrete step of A.
  - A, V are all the actions and variables of A.
- Execution of A: a fragment beginning in a start state.
- Trace of an execution fragment
  - Restrict to external actions E and the empty set of variables.
  - An (E,∅)-sequence.
Example: Time-Bounded Channel
- X = {clock, queue}
- Q = all valuations of X
- Θ: clock = 0, queue is empty
- I = {send(m)}
- O = {receive(m)}
- Transitions
  - send(m)
    - Effect: add (m, clock + d) to end of queue
  - receive(m)
    - Precondition: (m, u) is first on queue and clock ≤ u
    - Effect: remove the first element of queue
- Trajectories τ satisfy
  - d(clock) = 1
  - τ restricted to queue is a constant function
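The time-bounded channel, written out as an executable TIOA in Python. This is an added example, not the slides' own code, and it serves both the channel on the Timed I/O Automata overview slide and the Time-Bounded Channel slide above: it uses the overview's pass(t) formulation, in which time passage is an action whose precondition is that no queued deadline would be overtaken (the trajectory form with d(clock) = 1 describes the same behavior). Names (TimeBoundedChannel, execute, max_delay) are mine. The run checks the slide's invariant now ≤ u ≤ now + d inductively after every step, and max_delay exposes the largest pass(t) currently enabled, which is how a deadline forces a receive.

```python
"""Time-bounded reliable FIFO channel as a TIOA with pass(t) actions (added example)."""
from collections import deque
from typing import Deque, Hashable, List, Sequence, Tuple

Action = Tuple[str, object]  # ("send", m), ("receive", m) or ("pass", t)


class TimeBoundedChannel:
    """Delivers every message within time d of its send.

    State: now (the local clock) and a queue of (m, deadline) pairs, where
    deadline = time of send + d.  Inputs: send(m).  Outputs: receive(m).
    """

    def __init__(self, d: float) -> None:
        self.d = d
        self.now = 0.0
        self.queue: Deque[Tuple[Hashable, float]] = deque()

    def enabled(self, action: Action) -> bool:
        name, arg = action
        if name == "send":
            return True  # input-enabled
        if name == "receive":
            return bool(self.queue) and self.queue[0][0] == arg
        if name == "pass":
            # Time may pass only while no queued deadline would be missed.
            return arg >= 0 and all(self.now + arg <= u for _, u in self.queue)
        return False

    def step(self, action: Action) -> None:
        if not self.enabled(action):
            raise ValueError(f"{action} not enabled at now={self.now}, queue={list(self.queue)}")
        name, arg = action
        if name == "send":
            self.queue.append((arg, self.now + self.d))  # effect: (m, now + d)
        elif name == "receive":
            self.queue.popleft()
        else:
            self.now += arg  # effect: now := now + t

    def invariant(self) -> bool:
        """For all (m, u) in queue: now <= u <= now + d."""
        return all(self.now <= u <= self.now + self.d for _, u in self.queue)


def max_delay(ch: TimeBoundedChannel) -> float:
    """Largest t for which pass(t) is enabled now (unbounded if the queue is empty)."""
    if not ch.queue:
        return float("inf")
    return min(u for _, u in ch.queue) - ch.now


def execute(d: float, actions: Sequence[Action]) -> List[Tuple[float, Action]]:
    """Run an execution from the start state, checking the invariant inductively.

    Returns the timed trace: (time, action) for each external action, i.e. the
    send/receive events with the value of now at which they occurred.
    """
    ch = TimeBoundedChannel(d)
    assert ch.invariant()  # base case: the start state satisfies the invariant
    timed_trace: List[Tuple[float, Action]] = []
    for a in actions:
        ch.step(a)
        assert ch.invariant(), f"invariant broken after {a}"  # inductive step
        if a[0] != "pass":
            timed_trace.append((ch.now, a))
    return timed_trace


if __name__ == "__main__":
    # Constructed run: two sends, delivery of the first exactly at its deadline.
    run = [("send", "a"), ("pass", 3), ("send", "b"), ("pass", 2),
           ("receive", "a"), ("pass", 3), ("receive", "b")]
    print(execute(5, run))
```

Once a message is queued, pass(t) with t larger than max_delay is not enabled, so the only way for the execution to continue past the deadline is a receive; that is the mechanism behind the timeout-based protocols the slides mention, and the reason the invariant can be discharged by a simple induction over steps.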
Untiming Operation
- Transform a timed automaton A to an untimed automaton Untime(A, R).
- Define a notion of congruence.
- Let R be a congruence for A.
- States of Untime(A, R): the set of equivalence classes of R.
- Untime(A, R) has a special internal action to represent time passage.
- Theorem: if α is an execution of A, then Untime(A, R) has an execution β such that trace(β) = discrete(trace(α)), and vice versa.
- Similar to the region construction of Alur and Dill.
- Theorem: the equivalence relation used by Alur-Dill in the region construction is a congruence.
Properties for I/O Automata
- A property for A is a subset of the execution fragments of A.
- P is a liveness property provided that, for any state x of A, there is some execution fragment from x that is in P.
- We say that A is receptive for P provided that there exists a strategy A' for A such that every execution fragment of A' is in P.
- Theorem: if A1 is receptive for P1 and A2 is receptive for P2, then A1 ‖ A2 is receptive for P1 ‖ P2.
4. Probabilistic I/O Automata [Lynch, Segala, Vaandrager]
Probabilistic I/O Automata (PIOA)
- Probabilistic transitions (s, a, P), where P is a probability distribution on states.
- Includes both nondeterminism and probability.
- Scheduler (adversary): resolves all nondeterminism.
- External behavior is represented by a set of trace distributions (one for each scheduler).
- Trace distribution preorder ≤D
  - Subset (of sets of trace distributions).
  - Not preserved by composition.
- Trace distribution precongruence ≤DC
  - Coarsest precongruence included in ≤D.
  - Preserved by composition.
  - Not very informative.
Characterization Result for ≤DC [Segala, Vaandrager, Lynch 02]
- Define various kinds of simulation relations for PIOAs.
- Weak probabilistic forward simulation relation from A1 to A2
  - Relates states of A1 to distributions over states of A2.
  - Transitions preserve probabilities.
  - Weak: allows arbitrary internal actions.
- Theorem: A1 ≤DC A2 if and only if there exists a weak probabilistic forward simulation relation from A1 to A2.
Probabilistic Timed I/O Automata (PTIOA) [Segala]
- Include time-passage steps, with probability distributions on the new state: (s, pass(t), P).
- The scheduler determines the amount of time that passes (nondeterministically, not probabilistically).
- External behavior is represented by a set of distributions of timed traces (one for each scheduler).
- Timed trace distribution preorder.
- Timed trace distribution precongruence.
5. Future Work on Models
Future Work on HIOA
- Finish changing the hiding operator.
- Incorporate control theory methods
  - Invariant sets, Lyapunov stability, robust control.
- Continue testing on a variety of examples.
- Linguistic support [Mitra]
  - Language constructs for describing trajectories.
  - Algebraic and differential equations/inclusions.
  - Preconditions, invariants, stopping conditions.
  - Add to IOA.
- Analysis tools
  - Theorem-prover support, automated tools.
Future Work on TIOA
- Express key concepts from other timed models using TIOA.
  - Alur, Dill
  - Maler, Manna, Pnueli
  - Merrit, Modugno, Tuttle: MMT automata
  - De Prisco: clock automata
- Receptiveness with general liveness properties.
- Linguistic support, tool support.
- Test on many examples.
Future Work on PIOA
- Restrict the set of schedulers (adversaries) to those that can see only the external behavior of the component automata. This yields a smaller set of trace distributions.
- For this restricted set, obtain a characterization of the trace distribution precongruence. Is it the same as the trace distribution preorder?
Future Work on PTIOA, PHIOA
- PTIOA
  - Reformulate in terms of trajectories, as in TIOA and HIOA.
  - Characterize the timed trace distribution precongruence.
  - Generalize TIOA results to include probabilities.
  - Define simulation relations; show they imply timed trace distribution inclusion.
  - Receptiveness?
- PHIOA
  - Define a model that generalizes PTIOA and HIOA.
  - Define external behavior, composition, implementation; prove all the right theorems.
All the IOA Models
- [Diagram: the family of models, from IOA at the bottom, through TIOA and PIOA, then HIOA and PTIOA, up to PHIOA at the top, which generalizes both HIOA and PTIOA.]
6. Future Work on Applications
Hybrid and Embedded Systems
- Aero/astro applications
- Embedded systems
- Sensor networks, mobile systems
Security Protocols
- Recent results [Herzog 02] relating the formal and computational approaches to analyzing the correctness of security protocols.
- Not (yet) done explicitly in terms of PTIOA models.
- Formal approach
  - Interacting non-probabilistic automata.
  - Supports direct proofs, using induction.
- Computational approach
  - Interacting probabilistic poly-time Turing machines.
  - Indirect proofs: reductions of attacks to hard problems.
- How do the two approaches relate?
Formal Approach [Dolev, Yao]
- The adversary controls the network.
- Encryption and decryption are treated as abstract, idealized operations.
- The cryptographic abilities of the adversary are made explicit:
  - Encrypt, decrypt with known keys.
  - Make random choices, create new keys.
- Proof of security: the adversary's abilities do not combine to produce an unsafe operation.
Computational Approach
- The adversary controls the network.
- Encryption is instantiated with specific algorithms.
- The adversary is capable of any feasible (probabilistic poly-time) computation.
- Proof of security: if any adversary can violate the security condition, then an underlying computational problem is easy.
Relating the Two Approaches
- Would like to use the computational view as semantics for the formal view: show that a formal attack exists iff a computational attack exists.
- Known: formal attacks imply computational attacks.
- Open: when do computational attacks imply formal attacks?
- The answer requires
  - Semantics for the adversary
  - Semantics for the honest participants
  - Semantics for the composition of the previous two
- Focus of present work: the adversary.
Formal Adversary
- The formal adversary makes queries to honest participants and receives responses.
- Each query must be deducible from the initial knowledge and the responses by a sequence of
  - Encryptions/decryptions with known keys
  - Pairing/separation of values
- The formal adversary is modeled as a closure operation on messages.
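The closure operation, as an added Python example (not code from the slides or from Herzog's work). Messages form a small term algebra: atoms are strings, ("pair", a, b) is pairing, and ("enc", k, m) is encryption under an atomic key k; that representation, the assumption that keys are symmetric atoms, and the function names are all mine. Because pairing and encryption generate infinitely many messages, the closure is never materialized: analyze() closes the observed set under separation and decryption with known keys, and derivable() then checks whether a target can be synthesized from that set by pairing and encryption, which is exactly the "is this query deducible" test the slide restricts the formal adversary to.

```python
"""Dolev-Yao formal adversary as a closure on messages (added example)."""
from typing import FrozenSet, Iterable, Set, Tuple, Union

# Message terms: atoms are strings; ("pair", a, b) and ("enc", k, m) with k an atom.
Msg = Union[str, Tuple]


def pair(a: Msg, b: Msg) -> Msg:
    return ("pair", a, b)


def enc(k: str, m: Msg) -> Msg:
    return ("enc", k, m)


def analyze(knowledge: Iterable[Msg]) -> FrozenSet[Msg]:
    """Close the set under separation and decryption with known keys.

    Iterates to a fixpoint because a key learned in one round (e.g. a session
    key delivered under a key the adversary holds) unlocks ciphertexts seen
    earlier. Only finitely many subterms exist, so this terminates.
    """
    known: Set[Msg] = set(knowledge)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            if not isinstance(m, tuple):
                continue
            if m[0] == "pair":
                new = {m[1], m[2]}              # separation
            elif m[0] == "enc" and m[1] in known:
                new = {m[2]}                    # decryption with a known key
            else:
                new = set()
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)


def derivable(knowledge: Iterable[Msg], target: Msg) -> bool:
    """Is `target` in the closure of `knowledge`?

    Synthesis is checked top-down on the target: a pair is derivable if both
    halves are, a ciphertext if the adversary can derive the key and the
    plaintext, and anything is derivable if it was observed or analyzed out.
    """
    known = analyze(knowledge)

    def synth(t: Msg) -> bool:
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return synth(t[1]) and synth(t[2])
        return False

    return synth(target)


# Constructed sample: the adversary holds key ke and its own nonce n_i, and has
# observed three protocol messages on the network (all values are made up here).
OBSERVED = [
    "ke", "n_i",
    enc("ke", "kab"),       # a session key distributed under ke
    enc("kab", "secret"),   # data under that session key
    enc("kx", "secret2"),   # data under a key the adversary never learns
]

if __name__ == "__main__":
    print(sorted(map(str, analyze(OBSERVED))))
    print(derivable(OBSERVED, "secret"))                          # learned via kab
    print(derivable(OBSERVED, enc("kab", pair("secret", "n_i"))))  # forged message
    print(derivable(OBSERVED, "secret2"))                         # never derivable
```

The ideal-encryption notion on the next slide is stated in terms of this same closure: an encryption scheme is ideal when no computational adversary can produce, with non-negligible probability, a message for which `derivable` would return False.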
Ideal Encryption
- A computational encryption algorithm is ideal if no computational adversary, given any set of messages, can produce a message outside the closure of the set (with non-negligible probability).
- Theorem: this limits the computational adversary to the formal adversary.
- Theorem: this is achievable.
Future Work on Security Protocols
- Complete the work on formal vs. computational approaches
  - Define semantics for honest participants
    - How do they validate incoming messages?
    - No information should be given away in error cases.
  - Define the composition of adversary and honest participants.
  - Obtain general simulation theorems.
- Use the theorems to prove the correctness of interesting security protocols.
- Express in terms of PTIOA.