Models and Theory of Computation (MTC) EPFL - PowerPoint PPT Presentation

1
Models and Theory of Computation (MTC), EPFL
Dirk Beyer, Jasmin Fisher, Nir Piterman
  • Simon Kramer: Logic for cryptography
  • Marc Schaub: Models for biological systems
  • Vasu Singh: Software interface derivation
  • Gregory Theoduloz: Combining model checking and program analysis
  • Arindam Chakrabarti: Web service interfaces
  • Krishnendu Chatterjee: Stochastic games
  • Slobodan Matic: Time-triggered programming
  • Vinayak Prabhu: Robust hybrid systems

2
Model Checking
From Graphs to Games
Tom Henzinger
EPFL
3
Graph Models of Systems
  • vertices = states
  • edges = transitions
  • paths = behaviors
4
Game Models of Systems
  • vertices = states
  • edges = transitions
  • paths = behaviors
  • players = components
5
Game Models of Systems
[Diagram labels: graph; FAIRNESS → ω-automaton; INDEPENDENT COMPONENTS → game; PROBABILITIES → Markov decision process; combinations: ω-regular game, stochastic game]
6
Graphs vs. Games
[Diagram: a graph and a game over the same states, with edges labelled a and b]
7
Game Models enable
  • synthesis (Church, Rabin, Ramadge/Wonham, Pnueli/Rosner et al.)
  • receptiveness (Dill, Abadi/Lamport)
  • semantics of interaction (Abramsky)
  • reasoning about adversarial behavior
  • interface-based design
  • modular reasoning (Kupferman/Vardi et al.)
  • early error detection (de Alfaro/H/Mang)
  • model-based testing (Gurevich et al.)
  • scheduling (Sifakis et al.)
  • reasoning about security (Raskin et al.)
  • etc.
8
Game Models
  • Always about open systems:
    players = processes / components / agents;
    input vs. output;
    demonic vs. angelic nondeterminism.
9
Game Models
  • Always about open systems:
    players = processes / components / agents;
    input vs. output;
    demonic vs. angelic nondeterminism.
  • Output games: input is demonic (adversarial)
  • Input games: output is demonic

10
Output Games
P1: init x := 0; loop choice x := x+1 mod 2 or x := 0 end choice end loop
    S1: ?(x = y)
P2: init y := 0; loop choice y := x or y := x+1 mod 2 end choice end loop
    S2: ? even(y)
11
Graph Questions
∀?(x = y)    ∃?(x = y)
12
Graph Questions
∀?(x = y)    ∃?(x = y)
[Diagram: state graph over the states 00, 01, 10, 11; one of the two questions is marked X]
13
Zero-Sum Game Questions
⟨⟨P1⟩⟩?(x = y)    ⟨⟨P2⟩⟩? even(y)
14
Zero-Sum Game Questions
⟨⟨P1⟩⟩?(x = y)    ⟨⟨P2⟩⟩? even(y)
[Diagram: game graph over the states 00, 01, 10, 11; one of the two questions is marked X]
ATL (Alur/H/Kupferman)
15
Nonzero-Sum Game Questions
⟨⟨P1⟩⟩?(x = y) ? ⟨⟨P2⟩⟩? even(y)
[Diagram: game graph over the states 00, 01, 10, 11]
16
Nonzero-Sum Game Questions
⟨⟨P1⟩⟩?(x = y) ? ⟨⟨P2⟩⟩? even(y)
[Diagram: game graph over the states 00, 01, 10, 11]
Secure equilibrium (Chatterjee/H/Jurdzinski)
17
Classical Notion of Rationality
  • Nash equilibrium: none of the players gains by deviation.

Payoff matrix, entries are (row, column):
  3,1   1,0
  4,2   3,2
18
Refined Notion of Rationality
  • Nash equilibrium: none of the players gains by deviation.
  • Secure equilibrium: none hurts the opponent by deviation.

Payoff matrix, entries are (row, column):
  3,1   1,0
  4,2   3,2
19
Secure Equilibrium
  • Natural notion of rationality for multi-component systems.
  • First, a component tries to meet its specification.
  • Second, a component may obstruct the other components.
  • A secure equilibrium is a contract: if one player deviates to lower the
    other player's payoff, then her own payoff decreases as well, and vice
    versa.
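An added example (not from the talk) that checks both notions of rationality on the 2x2 game of the preceding slides: payoffs are (row, column), and I assume the picture is laid out row-major, with (3,1) and (1,0) in the first row and (4,2) and (3,2) in the second.

```python
# Nash vs. secure equilibria of the 2x2 game on the slides (added example).
# Payoffs are (row player, column player); the row-major layout of the four
# cells is my reading of the slide picture.
GAME = {
    ("R1", "C1"): (3, 1), ("R1", "C2"): (1, 0),
    ("R2", "C1"): (4, 2), ("R2", "C2"): (3, 2),
}

def deviations(game, profile, player):
    """Profiles reachable when `player` (0 = row, 1 = column) changes only its own move."""
    rows = sorted({r for r, _ in game})
    cols = sorted({c for _, c in game})
    r, c = profile
    if player == 0:
        return [(r2, c) for r2 in rows if r2 != r]
    return [(r, c2) for c2 in cols if c2 != c]

def is_nash(game, profile):
    """Classical rationality: no player gains by a unilateral deviation."""
    return all(game[d][pl] <= game[profile][pl]
               for pl in (0, 1) for d in deviations(game, profile, pl))

def is_secure(game, profile):
    """Refined rationality: Nash, and no player can lower the opponent's payoff
    by a deviation that does not also lower its own payoff."""
    if not is_nash(game, profile):
        return False
    for pl in (0, 1):
        own, opp = game[profile][pl], game[profile][1 - pl]
        for d in deviations(game, profile, pl):
            if game[d][1 - pl] < opp and game[d][pl] >= own:
                return False  # the deviator hurts the opponent at no cost to itself
    return True

def equilibria(game):
    """(Nash equilibria, secure equilibria), listed in the game's own cell order."""
    nash = [p for p in game if is_nash(game, p)]
    return nash, [p for p in nash if is_secure(game, p)]
```

Under this layout the game has two Nash equilibria, (4,2) and (3,2), and only (3,2) is secure: at (4,2) the column player can switch columns and keep 2 while pushing the row player from 4 to 3.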

20
Theorem
[Diagram: the state space partitioned into four regions]
W00
W01 = ⟨⟨P2⟩⟩(S2 ∧ S1)
W11
W10 = ⟨⟨P1⟩⟩(S1 ∧ S2)
⟨⟨P1⟩⟩S1 ? ⟨⟨P2⟩⟩S2
21
Generalization of Determinacy
Zero-sum games: S1, S2 complementary
Nonzero-sum games: S1, S2 arbitrary
[Diagram: in the zero-sum case the states split into W1 = ⟨⟨P1⟩⟩S1 and W2 = ⟨⟨P2⟩⟩S2; in the nonzero-sum case into W00, W01, W10, W11]
22
Game Models
  • Always about open systems:
    players = processes / components / agents;
    input vs. output;
    demonic vs. angelic nondeterminism.
  • Output games: input is demonic (adversarial)
  • Input games: output is demonic

23
Input Games
Control objective: ? z
[Diagram: process with outputs x!, y!, z! and inputs a?, b?]
26
Input Games
Controller
[Diagram: the process (outputs x!, y!, z!; inputs a?, b?) composed with a controller that reads x?, y? and emits a!, b!]
Ramadge/Wonham et al.
27
Input Games
Not input enabling
[Diagram: process with outputs x!, y!, z! and inputs a?, b?; some state does not accept every input]
28
Input Games
Environment avoids deadlock = Input assumption
[Diagram: process with outputs x!, y!, z! and inputs a?, b?]
Interface automata (de Alfaro/H)
29
Input Games
[Diagram: the process (outputs x!, y!, z!; inputs a?, b?) composed with an environment that reads x,y? and emits a!]
Legal environment
30
Input Games
[Diagram: the process (outputs x!, y!, z!; inputs a?, b?) composed with an environment that reads x,y? and emits b!]
Illegal environment
31
Interface Compatibility
[Diagram: file server interface with inputs open?, close?, read? and output data!]
32
Interface Compatibility
Good client
[Diagram: the file server (inputs open?, close?, read?; output data!) composed with a client that emits open!, read!, close! and accepts data?]
33
Interface Compatibility
Bad client
[Diagram: the file server (inputs open?, close?, read?; output data!) composed with a client that emits open! and then open! again]
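An added example (not the talk's code, nor that of the interface-automata papers) that runs the compatibility check of the three file-server slides: the automata are my transcription of the pictures, and compatibility is computed as in de Alfaro/Henzinger, where player Input wins by steering the composite away from illegal states, which it can do exactly when no illegal state is reachable by output steps alone, since the environment may withhold inputs but cannot block outputs.

```python
# Interface-automata compatibility for the file-server slides (added example;
# the automata are my transcription of the pictures). An interface is (initial
# state, inputs, outputs, transitions), transitions = {state: {action: next}}.
from collections import namedtuple
Interface = namedtuple("Interface", "init inputs outputs trans")

def step(iface, state, action):
    return iface.trans.get(state, {}).get(action)

def illegal(p, q, s, t):
    """(s, t) is illegal if one side can emit a shared action the other cannot receive there."""
    shared = (p.inputs & q.outputs) | (p.outputs & q.inputs)
    for a in p.trans.get(s, {}):
        if a in p.outputs and a in shared and step(q, t, a) is None:
            return True
    for a in q.trans.get(t, {}):
        if a in q.outputs and a in shared and step(p, s, a) is None:
            return True
    return False

def compatible(p, q):
    """Player Input wins iff no illegal product state is reachable by output steps
    alone (de Alfaro/Henzinger): the environment may withhold inputs, not block outputs."""
    shared = (p.inputs & q.outputs) | (p.outputs & q.inputs)
    seen, todo = {(p.init, q.init)}, [(p.init, q.init)]
    while todo:
        s, t = todo.pop()
        if illegal(p, q, s, t):
            return False
        nxt = [(s2, step(q, t, a) if a in shared else t)
               for a, s2 in p.trans.get(s, {}).items() if a in p.outputs]
        nxt += [(step(p, s, a) if a in shared else s, t2)
                for a, t2 in q.trans.get(t, {}).items() if a in q.outputs]
        for state in nxt:
            if state not in seen:
                seen.add(state)
                todo.append(state)
    return True

# File server of the slides: open?, then read? or close?; read? is answered by data!
SERVER = Interface("closed", {"open", "close", "read"}, {"data"},
                   {"closed": {"open": "opened"},
                    "opened": {"read": "reading", "close": "closed"},
                    "reading": {"data": "opened"}})
GOOD_CLIENT = Interface("c0", {"data"}, {"open", "read", "close"},
                        {"c0": {"open": "c1"}, "c1": {"read": "c2"},
                         "c2": {"data": "c3"}, "c3": {"close": "c0"}})
BAD_CLIENT = Interface("b0", {"data"}, {"open", "read", "close"},
                       {"b0": {"open": "b1"}, "b1": {"open": "b2"}})  # opens the file twice
```

The bad client reaches the product state (opened, b1), where it emits open! that the server cannot accept, so no environment can make the pair work; the good client never does.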
34
Incremental Design
37
Incremental Design
[Diagram: two components, each labelled with its input assumption]
38
Incremental Design
Propagated weakest input assumption
39
Input Assumption Propagation
[Diagram: two interfaces over actions a, b (inputs a?, b?) and x, y (outputs x!, y!)]
40
Input Assumption Propagation
[Diagram: two interfaces over actions a, b (inputs a?, b?) and x, y (outputs x!, y!), with the propagated input assumptions x,y?, a,b? and y?]
42
Two interfaces are compatible if they can be used together in some environment.
[Diagram: two interfaces over actions a, b (inputs a?, b?) and x, y (outputs x!, y!), with the propagated input assumptions x,y?, a,b? and y?]
43
The Composite Interface
[Diagram: composite interface over actions a, b, x, y with inputs a?, b? and outputs x!, y!]
44
Refinement
[Diagram: a process (outputs x!, y!, z!; inputs a?, b?), its refinement, and an environment that reads x,y?, x,z?, y? and emits a!]
Every legal environment should be a legal environment of the refined process.
46
Refinement
[Diagram: as before, with the refined process additionally accepting b?]
Every legal environment should be a legal environment of the refined process.
48
Refinement
[Diagram: as before, with the refined process additionally emitting z!]
Every legal environment should be a legal environment of the refined process.
49
Interface Refinement
I/O Alternating Simulation
A' ≤ A iff
  1. for all inputs i, if A -i?-> B, then there exists B' such that A' -i?-> B' and B' ≤ B, and
  2. for all outputs o, if A' -o!-> B', then there exists B such that A -o!-> B and B' ≤ B.
51
Interface Refinement
I/O Alternating Simulation
A' ≤ A iff
  1. for all inputs i, if A -i?-> B, then there exists B' such that A' -i?-> B' and B' ≤ B, and
  2. for all outputs o, if A' -o!-> B', then there exists B such that A -o!-> B and B' ≤ B.
Every environment (i.e., input strategy that avoids deadlock) for A is an environment for A' (Alur/H/Kupferman/Vardi).
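An added example (not the talk's code) of the I/O alternating simulation defined on this slide, computed as a greatest fixpoint over pairs of states: the automata SPEC, IMPL_GOOD and IMPL_BAD are constructed for illustration rather than transcribed from the pictures, actions carry their ?/! tag, and each action has at most one successor per state.

```python
# I/O alternating simulation (added example). An automaton is {state: {action: next}},
# actions tagged "?" (input) or "!" (output), deterministic per action; every state
# appears as a key even if it has no transitions. The automata below are constructed
# for illustration, not transcribed from the slides.
def alt_sim(impl, spec):
    """Largest relation R with (p, q) in R meaning state p of impl refines state q of spec:
    (1) every input spec accepts at q, impl accepts at p, with related successors;
    (2) every output impl emits at p, spec can emit at q, with related successors."""
    rel = {(p, q) for p in impl for q in spec}
    changed = True
    while changed:                      # delete violating pairs until stable
        changed = False
        for p, q in list(rel):
            inputs_ok = all(a in impl[p] and (impl[p][a], q2) in rel
                            for a, q2 in spec[q].items() if a.endswith("?"))
            outputs_ok = all(a in spec[q] and (p2, spec[q][a]) in rel
                             for a, p2 in impl[p].items() if a.endswith("!"))
            if not (inputs_ok and outputs_ok):
                rel.discard((p, q))
                changed = True
    return rel

def refines(impl, impl_init, spec, spec_init):
    """impl <= spec in the slide's sense: the initial states are related."""
    return (impl_init, spec_init) in alt_sim(impl, spec)

SPEC = {"s0": {"a?": "s1"}, "s1": {"x!": "s0", "z!": "s0"}}
# accepts one extra input (b?) and drops one output (z!): still a refinement
IMPL_GOOD = {"i0": {"a?": "i1", "b?": "i1"}, "i1": {"x!": "i0"}}
# emits an output (y!) the specification never allows: not a refinement
IMPL_BAD = {"i0": {"a?": "i1"}, "i1": {"x!": "i0", "y!": "i0"}}
```

This is the direction the slide's "every environment for A is an environment for A'" needs: an implementation may accept more inputs and emit fewer outputs than its specification, never the reverse.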
52
The Principle of Independent Implementability
If A and B are compatible and A' ≤ A and B' ≤ B, then A' and B' are compatible and A'B' ≤ AB.
A' ≤ A: A' refines / implements A
53
The Principle of Independent Implementability
If A and B are compatible and A' ≤ A and B' ≤ B, then A' and B' are compatible and A'B' ≤ AB.
A' ≤ A: A' refines / implements A
  • This is a theorem if
  • A, B, A', B' are two-player games (Input vs. Output), and
  • two games are compatible if player Input has a winning strategy in the
    composite game.

54
Interface-based Design
60
Summary
There are many models of computation (e.g. pushdown, timed, stochastic) and
many models of interaction (e.g. synchronous). Similarly, there are many
variants of games (e.g. concurrent vs. turn-based moves, pure vs. randomized
strategies). The technical details are different, but to ask and answer the
kind of questions we discussed, the only important feature of a model is the
presence of multiple players.
61
References
Interface Automata: de Alfaro, H, FSE 2001
Secure Equilibria: Chatterjee, H, Jurdzinski, LICS 2004