3808007eb32db4e18e90fb6d7919b512.ppt
- Number of slides: 28
Towards a formal analysis approach based on the use of Colored Petri Nets, Timed Colored Petri Nets and the CPN Tools
Panagiotis Katsaros, katsaros@csd.auth.gr, http://delab.csd.auth.gr/~katsaros/
Department of Informatics, Aristotle University of Thessaloniki, GREECE
MdH, Västerås, Sweden, Apr 06
Formal analysis based on the use of CP-nets, slide 1
Few words for CP-nets
- Colored Petri Nets (CP-nets) is a modeling language based on Petri Nets (PT-nets) that, like all other PT-net languages:
  - provides an explicit representation of both states (markings) and events (transitions)
  - provides an easy to understand, intuitively appealing graphical representation
  - has a well-defined formal semantics that builds upon true concurrency instead of interleaving
  - allows the use of appropriate tools to generate interactive simulations of the modeled systems and to apply a wide range of formal analysis alternatives
Few words for CP-nets
- CP-nets compared to simple PT-nets:
  - provide a more compact and much more convenient modeling language, in a similar way as high-level programming languages are much more adequate for practical programming than assembly code
  - have been developed over the last 28 years (research team led by Prof. K. Jensen at Aarhus University, Denmark) and today constitute a mature modeling language supported by an advanced toolset (CPN Tools, with about 3500 worldwide installations used in academic and industrial problems)
Few words for CP-nets
- CP-nets compared to simple PT-nets:
  - provide a compact description of control and synchronization, integrated with a description of data manipulation
  - provide support for building large system models by relating smaller CP-nets to each other in a well-defined way (hierarchical CP-nets)
  - provide a CP-net variant called Timed CP-nets to analyze systems with time-dependent behavior, for example systems with timing constraints
  - in CPN Tools, models are saved in an XML representation (so it is possible to automatically generate CP-nets)
Few words for CP-nets
A very simple CP-net:
- places: their markings, that is, their tokens, collectively represent the CP-net's states; places are typed (tokens carry data values) and they can have initial values
- transitions: represent events (incoming arcs remove tokens, outgoing arcs add tokens)
Declarations of the example net (CPN ML):
  (* declarations *)
  colset E = with e;
  colset INT = int;
  colset BOOL = bool;
  colset STRING = string;
  colset daytime = with day | night;
  colset sList = list STRING;
  var anInt: INT;
  var messages: sList;
  var aDayTime: daytime;
Our approach
- use an automaton-driven model building approach for the individual CP-net components
- build the CP-net model hierarchy
- generate the state space graph and perform the standard state space analysis (standard report)
- check the system's safety and liveness properties (terminal self-loops, deadlocks, livelocks, fairness properties, etc.)
- model check other correctness properties by querying the state space graph or by applying a Computation Tree Temporal Logic (CTL) formula over the generated graph
- the approach can be extended to building CP-nets for component-based software and for systems with timing constraints (Timed CP-nets), and then to model checking the required correctness properties
Case study: electronic payment transactions
- we model check the NetBill electronic payment system with respect to a range of transaction atomicity guarantees that the system should provide in all circumstances
- we build the state machines for each one of the three transaction parties, namely the Consumer (C), the Merchant (M) and the Trusted Third Party (TTP)
- we assume that the TTP fulfills a range of trust assumptions, and we model check the transaction guarantees of interest in all cases of participants' system failures (fail-stop failures), message losses and fraudulent behavior
Reference: Katsaros, P. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach, Technical Report, Department of Informatics, Aristotle University of Thessaloniki, Greece, 2006 (50 pages, available at http://delab.csd.auth.gr/~katsaros/publications.htm)
The top-level CP-net
Declarations (CPN ML):
  (* declarations *)
  colset validORnValid = with v | i;
  colset accBalance = with gValue | lessMoney;
  colset State = with IDLE | WAIT | W_FAILED | ABORTED | COMMITTED | C_FAILED | COMPLETED | DISPUTED_TR | LISTEN | NO_RECORD | L_FAILED | STARTED_TR | ST_FAILED | N_FAILED;
  colset NetBillMSg = union gRequest: validORnValid + eGoods: validORnValid + pORequest: validORnValid + trResult: STRING + dKey: validORnValid + query: E;
  colset NetBillMQ = list NetBillMSg;
  var p, q, r, s: NetBillMQ;
  var mes, mes2: NetBillMSg;
  var gReq: validORnValid;
  var pOrder: validORnValid;
  var enGoods: validORnValid;
  var balance: accBalance;
  var timer, timer2: BOOL;
  var key: validORnValid;
  var st: State;
Consumer's state machine and CP-net
- irrespective of the site failures that occur, a consumer either aborts or completes a purchase transaction, and the received goods are either the ordered ones or are not as expected for the ordered ones
Consumer's state machine and CP-net
Merchant's state machine and CP-net
- we abstract from candidate recovery mechanisms (which would result in loss of generality) by adopting the assumption that the merchant's site does not provide recovery with respect to the ongoing purchase transaction
Merchant's state machine and CP-net
TTP's state machine and CP-net
- the trust assumptions imply that, irrespective of the site failures or message losses that occur, the TTP either aborts or completes the purchase transaction and delivers the transaction result as expected
TTP's state machine and CP-net
Standard state space analysis
Annotations on the report: the Scc Graph entries refer to the strongly connected components; the boundedness properties give the upper and lower bounds of all token values that can possibly appear in the CP-net's places in all reachable states (markings).

  Statistics
  ------------------------------------
  State Space Graph
    Nodes:  6439
    Arcs:   18915
    Secs:   30
    Status: Full
  Scc Graph
    Nodes:  2678
    Arcs:   11257
    Secs:   2

  Boundedness Properties
  ------------------------------------
  Best Integer Bounds       Upper  Lower (blank where missing in the slide text)
  Consumer'decrKey 1          1      0
  Consumer'encrGoods 1        1      0
  Consumer'goodsReq 1         1
  Consumer'pOrderReq 1        1      0
  Merchant'Merchant 1         1
  Merchant'decrKey 1          1      0
  Merchant'pOrderReq 1        1      0
  TTP'TTP 1                   1
  TTP'amount 1                1      0
  TTP'decrKey 1               1      0
  TopLevel'ConToMer 1         1
  TopLevel'ConToTTP 1         1
  TopLevel'Consumer 1         1
  TopLevel'MerToCon 1         1      1
Standard state space analysis
Annotations on the report: home markings are markings (or sets of markings) to which it is always possible to return; dead markings are markings with no enabled transitions; dead transition instances are transitions not enabled in any reachable marking; live transition instances are transitions that can always become enabled once more; the fairness properties give information about how often the individual transitions occur (impartial, fair, just).

  Home Properties
  ------------------------------------
  Home Markings: None

  Liveness Properties
  ------------------------------------
  Dead Markings: 72 [963, 665, 592, 5905, 5890, ...]
  Dead Transition Instances: None
  Live Transition Instances: None

  Fairness Properties
  ------------------------------------
  Consumer'C1 1     No Fairness
  Consumer'C10 1    No Fairness
  Consumer'C11 1    Fair
  Consumer'C12 1    Fair
  Consumer'C13 1    Fair
  Consumer'C14 1    Just
  Consumer'C15 1    Just
  Consumer'C16 1    Just
  Consumer'C17 1    No Fairness
  Consumer'C18 1    Fair
  Consumer'C19 1    Fair
  Consumer'C2 1     No Fairness
  Consumer'C3 1     No Fairness
  Merchant'M13 1    No Fairness
  Merchant'M2 1     No Fairness
  Merchant'M3 1     No Fairness
  TTP'TTP1 1        No Fairness
  TTP'TTP10 1       No Fairness
Model checking the system's safety and liveness properties
- CPN Tools provides appropriate functions for querying the generated state space graph
- to find the dead markings (valid termination states or deadlocks):
Model checking the system's safety and liveness properties
- to verify the absence of self-loop terminal nodes:
Model checking the system's safety and liveness properties
- to verify the absence of unexpected dead markings (deadlocks):
Model checking the system's safety and liveness properties
- to verify the absence of livelocks (reachable cycles with no exit):
  - if the state space and its SCC graph are isomorphic and there are also no self-loops, then the protocol model is free of livelocks
  - if the state space contains self-loops, or if there is at least one strongly connected component that consists of more than one node, then we need to show that all terminal components are trivial, that is, they consist of a single node and no arcs
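The livelock criterion above, worked through as an added Python example (not CPN Tools code and not the presentation's own queries): the SCCs of a reachability graph are computed with Tarjan's algorithm, and a graph is accepted only if it has no self-loops and every SCC is a single node, or else if every terminal SCC is trivial. The three reachability graphs are constructed for illustration and are not the NetBill state space.

```python
def tarjan_scc(graph):
    """Strongly connected components of {node: [successors]} (Tarjan)."""
    index, low, on_stack, stack, sccs, counter = {}, {}, set(), [], [], [0]
    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))
    for v in graph:
        if v not in index:
            visit(v)
    return sccs

def dead_markings(graph):
    return sorted(v for v in graph if not graph[v])  # no enabled transitions

def terminal_sccs(graph):
    """Components that no arc leaves."""
    sccs = tarjan_scc(graph)
    comp_of = {v: c for c in sccs for v in c}
    return [c for c in sccs if all(comp_of[w] == c for v in c for w in graph[v])]

def livelock_free(graph):
    """Slide criterion: no self-loops and SCC graph isomorphic to the state space,
    otherwise every terminal SCC must be trivial (one node, no arcs)."""
    if not any(v in graph[v] for v in graph) and len(tarjan_scc(graph)) == len(graph):
        return True
    return all(len(c) == 1 and not any(v in graph[v] for v in c)
               for c in terminal_sccs(graph))

# Constructed abstract reachability graphs (marking id -> successors), not the NetBill state space.
ACYCLIC = {0: [1], 1: [2, 3], 2: [4], 3: [4, 6], 4: [5], 5: [], 6: []}
RETRY_CYCLE = {0: [1], 1: [2], 2: [7, 4], 7: [2], 4: [5], 5: []}  # loop with an exit
LIVELOCK = {0: [1], 1: [2, 8], 2: [5], 5: [], 8: [9], 9: [8]}  # terminal cycle
```

The retry cycle is accepted because the component {2, 7} is not terminal, while {8, 9} is a terminal non-trivial component and is reported as a livelock.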
Model validation
- model validation is performed by model checking the system's model assumptions (e.g. the trust assumptions for the shown payment system)
- for system properties that imply certain temporal dependencies between the occurrences of certain events, we use the ASK-CTL library to express them as Computation Tree Temporal Logic formulae
Computation Tree Temporal Logic Formulae
- money atomicity: there is no possibility of creation or destruction of money while electronic cash is being transferred
  - we model check that there is no reachable path where in every state neither M nor C has the money, and also that there is no reachable path where in every state both M and C have the money
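The money atomicity check, as an added Python example rather than the presentation's ASK-CTL formula: "no reachable path on which the condition holds in every state" is read as no reachable marking satisfying EG(condition), and EG is computed as a greatest fixpoint over an explicit state space. The state spaces and the money labels are constructed for illustration (a TTP that loses the payment for good, which the trust assumptions exclude, and a replayed payment); they are not the NetBill model's markings.

```python
def eg(graph, holds):
    """CTL EG as a greatest fixpoint: markings from which some maximal path
    satisfies `holds` in every marking. Assumption: a dead marking stutters
    (loops on itself), so a path ending in a dead marking counts."""
    sat = {s for s in graph if holds(s)}
    changed = True
    while changed:
        changed = False
        for s in list(sat):
            successors = graph[s] or [s]  # stuttering in a dead marking
            if not any(t in sat for t in successors):
                sat.discard(s)
                changed = True
    return sat

def money_atomicity_violations(graph, money):
    """Reachable markings that start a path on which money stays lost
    (neither C nor M holds it) or duplicated (both hold it)."""
    lost = eg(graph, lambda s: not money[s]["C"] and not money[s]["M"])
    duplicated = eg(graph, lambda s: money[s]["C"] and money[s]["M"])
    return {"lost": sorted(lost), "duplicated": sorted(duplicated)}

# Constructed abstract state spaces (marking id -> successors) with who holds the
# money in each marking; illustrations only, not the NetBill model's markings.
HONEST = {0: [1], 1: [2, 3], 2: [], 3: []}
HONEST_MONEY = {0: {"C": True, "M": False},   # consumer holds the money
                1: {"C": False, "M": False},  # in transit through the TTP
                2: {"C": False, "M": True},   # committed: merchant credited
                3: {"C": True, "M": False}}   # aborted: consumer refunded
TTP_LOSES = {0: [1], 1: [2, 3, 4], 2: [], 3: [], 4: []}
TTP_LOSES_MONEY = {**HONEST_MONEY, 4: {"C": False, "M": False}}  # TTP fails for good
DOUBLE_SPEND = {0: [1, 5], 1: [2, 3], 2: [], 3: [], 5: []}
DOUBLE_SPEND_MONEY = {**HONEST_MONEY, 5: {"C": True, "M": True}}  # replayed payment
```

The markings returned for a violation are the witness states from which a counterexample path can be replayed, in the spirit of the counterexample generation described later in the presentation.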
Computation Tree Temporal Logic Formulae
Other transaction guarantees verified as CTL formulae:
- goods atomicity or fairness: includes money atomicity and also ensures that there is no possibility of paying without having received the goods, or vice versa
- certified delivery: includes money atomicity and goods atomicity and also allows C and M to prove the details of the transaction (not proved before in related work)
- protection of the participants' interests:
  - C's protection guarantee: if M is entitled to a payment, then C actually receives the goods, or C can claim them in an offline dispute handling
  - M's protection guarantee: . . . (not proved before in related work)
Additional model checking tasks
- to generate a property violation scenario (counterexample), if any: in the NetBill payment system we generated a replay attack scenario (double spending) by the use of appropriate state space querying functions (countermeasures had already been proposed by the system's inventors)
- model checking concurrent payment transactions and intruder attack scenarios
  - main problem: an inappropriate model structure easily results in a computationally expensive state space
  - solution alternatives:
    - to generate the state space only partially, according to specific search criteria
    - to apply clever state space reduction techniques
CP-net analysis alternatives
- place invariant or transition invariant analysis
  - place invariant analysis aims to formulate equations that we postulate to be satisfied independently of the steps that occur
  - transition invariants are similar to place invariants, but they are used to determine transition occurrence sequences that have no total effect, i.e. they have the same start and end markings
  - they make it possible to prove general system properties without fixing system parameters
  - it is possible to check invariants without considering the set of all reachable markings (no need to generate the state space)
  - formulating appropriate equations for a system property is not an easy task in all cases
  - very limited tool support
Timed CP-nets
- each token, in addition to its data value, carries a time stamp; the time stamp tells us when the token is ready to be used by a transition
- we specify how the different activities and states "consume" time; it is possible to specify all kinds of delays (constant, interval, or probability distribution)
- the nodes in the generated state space graph contain a time value and a timed marking
Timed CP-nets
- possible analyses:
  - to prove properties like, for example: "for each instance of a given transition firing (activity start) there exists an instance of the corresponding transition firing (activity end) such that the deadline of execution is less than a fixed time value"
  - to calculate the maximal time used for the execution of certain activities (worst-case execution time analysis)
  - simulation-based performance evaluation
Conclusion
- CP-nets seem to be a modeling language suitable for many different types of analysis
- there is a need to invest in a systematic (and possibly automated) model building approach, which should possibly employ specialized state space reduction techniques
Future research prospects:
- possibilities to exploit Timed CP-net model analysis for the schedulability analysis of systems with timing constraints
- possibilities to exploit existing know-how in order to systematically generate CP-nets for component-based software
- to investigate the effectiveness of existing or new state space reduction techniques in different component software cases