1 / 28

Panagiotis Katsaros katsaros@csd.auth.gr - delab.csd.auth.gr/~katsaros/

Towards a formal analysis approach based on the use of Colored Petri Nets, Timed Colored Petri Nets and the CPN Tools. Panagiotis Katsaros katsaros@csd.auth.gr - http://delab.csd.auth.gr/~katsaros/ Department of Informatics Aristotle University of Thessaloniki G R E E C E.

edith
Download Presentation

Panagiotis Katsaros katsaros@csd.auth.gr - delab.csd.auth.gr/~katsaros/

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards a formal analysis approach based on the use of Colored Petri Nets, Timed Colored Petri Nets and the CPN Tools Panagiotis Katsaros katsaros@csd.auth.gr - http://delab.csd.auth.gr/~katsaros/ Department of Informatics Aristotle University of Thessaloniki G R E E C E MdH, Västerås, Sweden, Apr 06

  2. Few words for CP-nets • Colored Petri Nets is a Petri Net (PT-net) based modeling language that as all other PT-net languages • provides an explicit representation of both states (markings) and events (transitions) • provides an easy to understand and intuitively appealing graphical representation • has a well-defined formal semantics that builds upon true concurrency, instead of interleaving • use of appropriate tools to generate interactive simulations of the modeled systems and to apply a wide range of formal analysis alternatives MdH, Västerås, Sweden, Apr 06

  3. Few words for CP-nets • CP-nets compared to simple PT-nets • provide a more compact and much more convenient modeling language, in a similar way as high-level programming languages are much more adequate for practical programming than assembly code • have been developed over the last 28 years (research team lead by Prof. K. Jensen in Aarhus Un., Denmark) and today constitute a mature modeling languagesupported by an advanced toolset (CPN Tools with about 3500 worldwide installations used in academic & industrial problems) MdH, Västerås, Sweden, Apr 06

  4. Few words for CP-nets • CP-nets compared to simple PT-nets • provide a compact description of control and synchronization, integrated with a description of data manipulation • provide support for building large system models, by relating smaller CP-nets to each other in a well-defined way (hierarchical CP-nets) • provide a CP-net variant called Timed CP-nets to analyze systems with time-dependent behavior, like for example systems with timing constraints • in CPN Tools, models are saved in an XML representation (possible to automatically generate CP-nets) MdH, Västerås, Sweden, Apr 06

  5. places (their markings, that is, their tokens collectively represent CP-net’s states) they are typed (tokens have data values) and they can have initial values transitions represent events (incoming arcs remove tokens – outgoing arcs add tokens) Few words for CP-nets (* declarations *) colset E = with e; colset INT = int; colset BOOL = bool; colset STRING = string; colset daytime = with day | night; colset sList=list STRING; var anInt:INT; var messages:sList; var aDayTime:daytime; A very simple CP-net MdH, Västerås, Sweden, Apr 06

  6. Our approach use an automaton-driven model building approach for individual CP-net components build the CP-net model hierarchy generate the state space graph and perform the standard state space analysis (standard report) check the system’s safety and liveness properties (terminal self loops, deadlocks, livelocks, fairness properties etc) model check other correctness properties by querying the state space graph or by applying a Computation Tree Temporal Logic (CTL) formula over the generated graph possible to be extended in building CP-nets for component-based software and for systems with timing constraints (Timed CP-nets) and then in model checking the required correctness properties MdH, Västerås, Sweden, Apr 06

  7. Case study: electronic payment transactions we model check the NetBill electronic payments system with respect to a range of transaction atomicity guarantees that the system should provide in all circumstances we build the state machines for each one of the three transaction parties, namely the Consumer (C), the Merchant (M) and the Trusted Third Party (TTP) we assume that the TTP fulfills a range of trust assumptions and we model check the transaction guarantees of interest in all cases of participants’ system failures (fail-stop failures), message losses and fraudulent behavior Katsaros, P. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach, Technical Report, Department of Informatics, Aristotle University of Thessaloniki, Greece, 2006 (50 pages - available in http://delab.csd.auth. gr/~katsaros/publications.htm) MdH, Västerås, Sweden, Apr 06

  8. The top-level CP-net (* declarations *) colset validORnValid = with v | i; colset accBalance = with gValue | lessMoney; colset State = with IDLE | WAIT | W_FAILED | ABORTED | COMMITTED| C_FAILED | COMPLETED| DISPUTED_TR | LISTEN | NO_RECORD| L_FAILED| STARTED_TR | ST_FAILED| N_FAILED; colset NetBillMSg= union gRequest:validORnValid + eGoods:validORnValid+ pORequest:validORnValid + trResult:STRING+ dKey:validORnValid + query:E; colset NetBillMQ= list NetBillMSg; var p,q,r,s: NetBillMQ;var mes,mes2: NetBillMSg; var gReq:validORnValid;var pOrder:validORnValid; var enGoods: validORnValid; var balance: accBalance;var timer,timer2: BOOL; var key: validORnValid;var st: State; MdH, Västerås, Sweden, Apr 06

  9. Consumer’s state machine and CP-net irrespective of the occurred site failures a consumer either aborts or completes a purchase transaction and the received goods are either the ordered ones or are not as expected for the ordered ones MdH, Västerås, Sweden, Apr 06

  10. Consumer’s state machine and CP-net MdH, Västerås, Sweden, Apr 06

  11. Merchant’s state machine and CP-net we abstract from candidate recovery mechanisms (which would result in loss of generality) by adopting the assumption that merchant’s site does not provide recovery with respect to the ongoing purchase transaction MdH, Västerås, Sweden, Apr 06

  12. Merchant’s state machine and CP-net MdH, Västerås, Sweden, Apr 06

  13. TTP’s state machine and CP-net trust assumptions imply that irrespective of the occurred site failures or message losses the TTP either aborts or completes the purchase transaction and delivers the transaction result as expected MdH, Västerås, Sweden, Apr 06

  14. TTP’s state machine and CP-net MdH, Västerås, Sweden, Apr 06

  15. Strongly Connected Components Graph upper and lower bounds of all token values that is possible to appear in the CP-net’s places in all reachable states (markings) Standard state space analysis Statistics ------------------------------------------------------------------------ State Space Nodes: 6439 Arcs: 18915 Secs: 30 Status: Full Scc Graph Nodes: 2678 Arcs: 11257 Secs: 2 Boundedness Properties ------------------------------------------------------------------------ Best Integers Bounds Upper Lower Consumer'decrKey 1 1 0TTP'TTP 1 1 1 Consumer'encrGoods 1 1 0TTP'amount 1 1 0 Consumer'goodsReq 1 1 1TTP'decrKey 1 1 0 Consumer'pOrderReq 1 1 0TopLevel'ConToMer 1 1 1 Merchant'Merchant 1 1 1 TopLevel'ConToTTP 1 1 1 Merchant'decrKey 1 1 0 TopLevel'Consumer 1 1 1 Merchant'pOrderReq 1 1 0 TopLevel'MerToCon 1 1 1 MdH, Västerås, Sweden, Apr 06

  16. information about how often the individual transitions occur (impartial, fair, just) markings or sets of markings to which it is always possible to return - markings with no enabled transitions - transitions not enabled in a reachable marking - transitions that always can become enabled once more Standard state space analysis Home Properties ------------------------------------------------------------------------ Home Markings: None Liveness Properties ------------------------------------------------------------------------ Dead Markings: 72 [963,665,592,5905,5890,...] Dead Transitions Instances: None Live Transitions Instances: None Fairness Properties ------------------------------------------------------------------------ MdH, Västerås, Sweden, Apr 06

  17. Model checking system’s safety & liveness properties CPN Tools provides appropriate functions for querying the generated state space graph to find the dead markings (valid termination states or deadlocks): MdH, Västerås, Sweden, Apr 06

  18. Model checking system’s safety & liveness properties to verify the absence of self-loop terminal nodes: MdH, Västerås, Sweden, Apr 06

  19. Model checking system’s safety & liveness properties to verify the absence of unexpected dead markings (deadlocks): MdH, Västerås, Sweden, Apr 06

  20. Model checking system’s safety & liveness properties • to verify the absence of livelocks (reachable cycles with no exit): • if the state space and its Scc graph are isomorphic and also there are no self-loops, then the protocol model is free of livelocks • if the state space contains self-loops or if there is at least one strongly connected component that consists of more than one node, then we need to show that all terminal components are trivial that is, they consist of a single node and no arcs. MdH, Västerås, Sweden, Apr 06

  21. Model validation model validation is performed by model checking the system’s model assumptions (e.g. trust assumptions for the shown payment system) for system properties that imply certain temporal dependencies for the occurrence of certain events we use the ASK-CTL library to express them as Computation Tree Temporal Logic formulae MdH, Västerås, Sweden, Apr 06

  22. Computation Tree Temporal Logic Formulae • money atomicity: there is no possibility of creation or destruction of money, while electronic cash is being transferred we model check that there is no reachable path, where for every state neither M nor C has the money and there is also no reachable path, where for every state both M and C have the money MdH, Västerås, Sweden, Apr 06

  23. Computation Tree Temporal Logic Formulae Other transaction guarantees verified as CTL formulae: • goods atomicity or fairness: includes money atomicity and also ensures that there is no possibility of paying without having received goods or vice versa • certified delivery: includes money atomicity and goods atomicity and also allows C and M to prove the details of the transaction (not proved before in related work) • protection of participants’ interests: C’s protection guarantee: if M is entitled to a payment, then C actually receives the goods, or C can claim them in an offline dispute handling M’s protection guarantee: . . . (not proved before in related work) MdH, Västerås, Sweden, Apr 06

  24. Additional model checking tasks • to generate a property violation scenario (counterexample), if any: in the NetBill payment system we generated a replay attack scenario (double spending) by the use of appropriate state space querying functions (countermeasures had already been proposed by the system’s inventors) • model checking concurrent payment transactions and intruder attack scenarios main problem: inappropriate model structure is easy to result in a computationally expensive state space solution alternatives: - to generate the state space only partially, according to specific search criteria - to apply clever state space reduction techniques MdH, Västerås, Sweden, Apr 06

  25. CP-net analysis alternatives • place invariant or transition invariant analysis place invariant analysis aims to formulate some equations which we postulate to be satisfied independently of the steps that occur transition invariants are similar to place invariants, but they are use to determine transition occurrence sequences that have no total effect, i.e. they have the same start and end markings • make possible to prove general system properties without fixing system parameters • it is possible to check invariants without considering the set of all reachable markings (no need to generate the state space) • formulating appropriate equations for a system property is not a easy task in all cases • very limited tool support MdH, Västerås, Sweden, Apr 06

  26. Timed CP-nets • Each token, in addition to its data value carries a time stamp. The time stamp tells us when the token is ready to be used by a transition. • We specify how the different activities and states “consume” time. It is possible to specify al kinds of delays (constant, interval, or probability distribution). • The nodes in the generated state space graph contain a time value and a timed marking. MdH, Västerås, Sweden, Apr 06

  27. Timed CP-nets • Possible analyses: - to prove properties like for example: “for each instance of a given transition firing (activity start) exists an instance of the corresponding transition firing (activity end) such that the deadline of execution is less than a fixed time value” - to calculate the maximal time used for the execution of certain activities (worst execution time analysis) - simulation based performance evaluation MdH, Västerås, Sweden, Apr 06

  28. Conclusion • CP-nets seem to be a modeling language for many different types of analysis • need to invest on a systematic (and possibly automated) model building approach which should possibly employ specialized state space reduction techniques Future research prospects: • possibilities to exploit Timed CP-net model analysis for the schedulability analysis of systems with timing constraints • possibilities to exploit existing know-how in order to systematically generate CP-nets for component-based software • to investigate the effectiveness of existing or new state space reduction techniques in different component software cases MdH, Västerås, Sweden, Apr 06

More Related