SOSP19. I4: Incremental Inference of Inductive Invariants for Verification of Distributed Protocols

This paper is by Haojun Ma (University of Michigan), Aman Goel (University of Michigan), Jean-Baptiste Jeannin (University of Michigan), Manos Kapritsos (University of Michigan), Baris Kasikci (University of Michigan), Karem A. Sakallah (University of Michigan).

This paper is about formal verification of distributed systems. Writing proofs manually is cumbersome, and the existing tools for formal verification all require the human to find the inductive invariant.

I4 combines the power of Ivy (a tool for interactive verification of infinite-state systems) with model checking in order to find an inductive invariant without relying on human intuition. Ivy takes as input a protocol description and a safety property, and guides the user interactively to find an inductive invariant. The goal of finding an inductive invariant is to prove that the safety property always holds. An inductive proof has a base case, which proves that the initial state is safe, and an inductive step, which proves that if state k is safe then state k+1 is safe. Once that inductive invariant is found, Ivy automatically verifies that it is indeed inductive.

The insight in I4 is that the safety/correctness behavior of a distributed system does not fundamentally change as the size increases. I see this regularly in my use of TLA+ for model checking protocols. TLA+ is able to identify any problem (sometimes requiring up to 40 steps) by finding a counterexample involving 3 nodes. Three nodes is often what it takes. One node initiates a coordination operation, and the other 2 nodes see a different perspective of the ongoing computation, possibly due to exchanging messages with each other (i.e. doing stale reads) at inopportune times, and arrive at conflicting decisions that violate the goal of the coordination operation.

I4 takes inductive invariants found on small instances, applies/generalizes them to large instances, and automates this with model checking. More specifically, I4 first creates a finite instance of the protocol; uses a model checking tool to automatically derive the inductive invariant for this finite instance; and generalizes this invariant to an inductive invariant for the infinite protocol. This improves on the Ivy approach in that it automates the inductive invariant finding process. It improves on the model checking approach as well: while model checking is fully automated, it doesn't scale to distributed systems. I4 applies model checking to small, finite instances and then generalizes the result to all instances.


The figure above shows an overview of the I4 flow for invariant generation on a finite instance.
Given a protocol description--written in Ivy--and an initial size, I4 first generates a finite instance of that protocol with the given initial size. For example, ... I4 will generate a finite instance of the protocol with one server and two clients. It then uses the Averroes model checker to either generate an inductive invariant that proves the correctness of the protocol for that particular instance, or produce a counterexample demonstrating how the protocol can be violated, which can be used to debug the protocol. If the protocol is too complex, the model checker may fail to produce an answer within a reasonable amount of time, or it may run out of memory. If this occurs, the finite encoding is simplified--using a concretization technique--to constrain it further and make it easier for the model checker to run to completion. This step is currently done manually but is easily automatable. Once an inductive invariant has been identified, I4 generalizes it to apply not only to the finite instance that produced it, but to all instances of the protocol.
It is important to note that if the safety invariant does not hold, Averroes produces a counterexample and the human has to work on the protocol to come up with a safety invariant that does hold. I4 is automatic in the sense that if the protocol's safety invariant holds, then the inductive invariant is generated automatically by the Averroes tool. But, wait, what is the difference between a safety invariant and an inductive invariant? Isn't a safety invariant already inductive?

A safety property P may be an invariant but not an inductive one. "The verification proof requires the derivation of additional invariants that are used to constrain P until it becomes inductive. These additional invariants are viewed as strengthening assertions that remove those parts of P that are not closed under the system's transition relation." In other words, while the safety property holds on all reachable states, it may not be closed under the program actions when applied to states outside the reachable set. This makes the safety property by itself unsuitable for verification, since a proof is not constrained to the reachable states (it is hard to enumerate/identify the reachable states inside a proof). So the inductive invariant is a strengthened version of the safety property that is closed under the program actions. The figure below illustrates this relationship. I think this concept is explored further in the Ivy paper.


If the safety property holds, then Averroes generates an inductive invariant for the finite instance; minimizes the invariant by removing redundant clauses; and then passes it on to the next step to be generalized. However, occasionally the finite instance may still be too large for the Averroes model checker, and it may run out of memory. This is where human involvement is needed again. The human helps concretize the small finite version of the protocol further to avoid state space explosion. Symmetry plays a big role here. FIRST is the keyword that denotes the node that sends the first message. The model checker would otherwise try instances in which each of the 3 nodes in the finite instance is the one that sends the first message. The human can notice the symmetry and set "FIRST = Node1" to help reduce the state space. (The team is working on automating this step as well.)
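The following is an added example, not code from the I4 paper or its repository, that makes the two preceding points concrete on a toy lock-server protocol (one server, n clients; the protocol, state encoding and all function names are my own construction). It shows a safety property P that holds on every reachable state of the finite instance yet is not inductive (the check returns a counterexample-to-induction: a state satisfying P with a successor that violates it), the strengthening clause that makes P closed under the transition relation, and how exploiting the symmetry between clients (the analogue of pinning FIRST to one node) shrinks the number of states the model checker has to examine.

```python
"""Toy lock-server protocol (one server, n clients) as an explicit-state
transition system. Constructed example: not I4's or Ivy's code.

A state is (sem, holds): sem is True when the server's semaphore is free,
holds[i] is True when client i believes it holds the lock.
"""
from itertools import product


def initial(n):
    return (True, tuple([False] * n))


def all_states(n):
    """Every syntactically possible state, reachable or not."""
    for sem in (False, True):
        for holds in product((False, True), repeat=n):
            yield (sem, holds)


def successors(state):
    """Yield (action, next_state) pairs of the protocol's transition relation."""
    sem, holds = state
    for i in range(len(holds)):
        if sem:                        # server grants the lock to client i
            h = list(holds)
            h[i] = True
            yield (("grant", i), (False, tuple(h)))
        if holds[i]:                   # client i hands the lock back
            h = list(holds)
            h[i] = False
            yield (("release", i), (True, tuple(h)))


def safety(state):
    """P: no two clients hold the lock at the same time."""
    return sum(state[1]) <= 1


def strengthening(state):
    """Extra clause: while the semaphore is free, nobody holds the lock."""
    sem, holds = state
    return (not sem) or sum(holds) == 0


def inductive_candidate(state):
    """P strengthened until it is closed under the transition relation."""
    return safety(state) and strengthening(state)


def canonical(state):
    """Clients are interchangeable, so keep one representative per symmetry
    class by sorting their local state."""
    sem, holds = state
    return (sem, tuple(sorted(holds)))


def reachable(n, symmetry_reduce=False):
    """Explicit-state reachability from the initial state (the model-checking view)."""
    norm = canonical if symmetry_reduce else (lambda s: s)
    start = norm(initial(n))
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        for _, t in successors(s):
            t = norm(t)
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def holds_on_reachable(inv, n):
    """Is inv an invariant of the size-n instance? True for P, which is not
    the same as P being inductive."""
    return all(inv(s) for s in reachable(n))


def candidate_states(n, symmetry_reduce=False):
    """States the inductiveness check must examine: all of them, or only the
    canonical representative of each symmetry class."""
    for s in all_states(n):
        if not symmetry_reduce or s == canonical(s):
            yield s


def is_inductive(inv, n, symmetry_reduce=False):
    """Return None if inv is inductive on the size-n instance, otherwise a
    counterexample-to-induction (state, action, bad successor). Symmetry
    reduction is sound only for invariants that are themselves symmetric in
    the clients, as both invariants above are."""
    if not inv(initial(n)):
        return ("init", None, initial(n))      # base case fails
    for s in candidate_states(n, symmetry_reduce):
        if not inv(s):
            continue
        for action, t in successors(s):
            if not inv(t):
                return (s, action, t)          # inductive step fails here
    return None


if __name__ == "__main__":
    print("P holds on reachable states:", holds_on_reachable(safety, 2))
    print("CTI for P:", is_inductive(safety, 2))
    print("CTI for strengthened P:", is_inductive(inductive_candidate, 2))
    print("states examined for 3 clients:", len(list(candidate_states(3))),
          "->", len(list(candidate_states(3, symmetry_reduce=True))))
```

For two clients the counterexample-to-induction is the unreachable state "semaphore free and client 1 holds the lock", from which a grant to client 0 produces two holders; adding the clause that a free semaphore implies no holder removes exactly that part of P. Note that enumerating states only establishes the invariant for the finite instance; the strengthened invariant is written parametrically in n here, but proving it for unbounded n is the job I4 hands to Ivy.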

Then I4 uses Ivy for the proof generation as shown below, and the verification is complete.


I4 is available as open source at https://github.com/GLaDOS-Michigan/I4. They applied I4 to several examples as shown in the table.


I4 improves on both manual verification using Coq and interactive verification using Ivy.


A limitation of I4 is that it applies to the verification of safety properties, and not to liveness properties.

I am happy to see so many verification papers at SOSP. This paper appeared in the distributed systems session in the afternoon of Day 2, together with "Scaling Symbolic Evaluation for Automated Verification of Systems Code with Serval" and "Verifying Concurrent, Crash-safe Systems with Perennial". It looks like the verification community at SOSP is quick to take results from the more general and theoretical verification conferences, integrate those tools and improve upon them, and put them to use for the verification of practical systems.
