Conference PaperPDF Available

Runtime Verification for Hybrid Analysis Tools

Authors:

Abstract and Figures

We present the first steps towards a runtime verification framework for monitoring hybrid and cyber-physical systems (CPS) development tools—such as hybrid systems reachability analysis tools, model-based development environments like Simulink/Stateflow (SLSF), etc.— based on randomized differential testing. First, hybrid automaton models are randomly generated. Next, these hybrid automaton models are translated to a number of different tools (currently, dReach, Flow*, HyCre-ate, SpaceEx, and the MathWorks' Simulink/Stateflow) using the HyST source transformation and translation tool. Then, the hybrid automaton models are executed in the different tools and their outputs are parsed. The final step is the differential comparison: the outputs of the different tools are compared; if the results do not agree (in the sense that an analysis or verification result from one tool does not match that of another tool, ignoring timeouts, etc.), a candidate bug is flagged and the model is saved for future analysis by the user. The process then repeats and the random differential testing approach for monitoring continues until the user terminates the process. We present preliminary results that have been useful in identifying several bugs in the analysis methods of the different development tools, and in an earlier version of HyST.
Content may be subject to copyright.
Runtime Verification for Hybrid Analysis Tools
Luan Viet Nguyen1, Christian Schilling2, Sergiy Bogomolov3, and Taylor T.
Johnson1
1University of Texas at Arlington, USA
2Albert-Ludwigs-Universit¨at Freiburg, Germany
3IST Austria, Austria
Abstract. We present the first steps towards a runtime verification
framework for monitoring hybrid and cyber-physical systems (CPS) de-
velopment tools—such as hybrid systems reachability analysis tools, model-
based development environments like Simulink/Stateflow (SLSF), etc.—
based on randomized differential testing. First, hybrid automaton models
are randomly generated. Next, these hybrid automaton models are trans-
lated to a number of different tools (currently, dReach, Flow*, HyCre-
ate, SpaceEx, and the MathWorks’ Simulink/Stateflow) using the HyST
source transformation and translation tool. Then, the hybrid automaton
models are executed in the different tools and their outputs are parsed.
The final step is the differential comparison: the outputs of the different
tools are compared; if the results do not agree (in the sense that an anal-
ysis or verification result from one tool does not match that of another
tool, ignoring timeouts, etc.), a candidate bug is flagged and the model
is saved for future analysis by the user. The process then repeats and the
random differential testing approach for monitoring continues until the
user terminates the process. We present preliminary results that have
been useful in identifying several bugs in the analysis methods of the
different development tools, and in an earlier version of HyST.
1 Introduction
Runtime verification is an approach to ensure the correctness and reliability of
a system during its execution. It can check and analyze executions of a system
under scrutiny that violate or satisfy a given correctness property by using a
decision procedure called a monitor. A monitor can also be considered as a
device that can read finite traces and outputs a truth value derived from a
truth domain [3]. Runtime verfication can be used broadly in many purposes
such as debugging, testing, verification, validation, fault protection, and online
system repair. In this paper, we describe preliminary work towards a randomized
differential testing framework [5] that may be used as a runtime monitor for
various components (from parsers to analysis algorithms) in hybrid and cyber-
physical systems (CPS) analysis tools such as SpaceEx, dReach, Flow*, and
Mathworks’ Simulink/Stateflow (SLSF). A test subject is the hybrid automaton
randomly generated in the input format for SpaceEx using a prototype tool called
2
Random Generation
(HyRG)
Model Translation
(HYST)
SpaceEx HyCreatedReachFlow*
Execute a Random Model on Different Tools
SLSF
Compare Analysis Results by Calling reachCheck
Sat
Report a Candidate Bug
Unsat
Other Tools
Fig. 1: Overview of monitoring framework for hybrid systems analysis tools with
randomized differential testing.
HyRG [4]4, which is then translated to other formats including dReach, Flow*,
and SLSF using the HyST model transformation tool [1]. Our contributions
include the first steps toward a randomized differential testing framework to
monitor CPS development and verification tools, and identifying several bugs in
existing tools, including a semantic difference between SpaceEx and SLSF that
we did not know about and a couple bugs in Flow* and dReach that have been
corrected by the tool authors (for more details, see [1]).
2 Monitoring with Randomized Differential Testing
We first describe how the hybrid systems are randomly generated in HyRG
so they have diverse continuous and discrete behaviors. We then analyze these
examples with different hybrid systems development and verification tools, and
then compare their outputs to identify possible bugs in the tools.
Figure 1shows the overview of our framework for randomized differential
testing to monitor hybrid systems development tools. First, a random hybrid
automaton randomly generated by HyRG will be translated to different formats
of other tools with HyST. Next, we analyze the automaton with different ver-
ification tools such as SpaceEx, Flow*, dReach, and HyCreate, and simulate it
with SLSF. Then we compare all analysis results by using a function reachCheck
shown in Figure 3. The reachCheck function has an input Reach, which is a list
4The tool and examples are available online: http://verivital.uta.edu/hyrg/
3
1fu n c ti o n randHA(m,n)
AR← ∅
3AR.Var ← { x1,...,xn}// ge n er a te s t a t e va r i a b l e s
{AR.Loc,AR.Trans} ← discreteStructure(m)// gen . lo c at i on s and t r an s it i o ns
5fo r eac h l o c at i on li n AR.Loc
l.flow randFlow(AR.Var)// ge n er a te fl o w s o ve r s t a t e v a r i a b l e s
7l.inv randInv(AR.Var)// ge n er a te an i n va r i a nt ov er st a t e v a r i a b l e s
AR.Flow ← AR.Flow ∪ {l.flow}
9AR.Inv ← AR.Inv ∪ {l.inv}
fo r eac h t r a ns i t io n ti n AR.Trans
11 t.grd randGrd(AR.Var)// gen . g uar d c on d i ti o n o ve r s t a t e v a r i a b l e s
t.rst randRst(AR.Var)// gen . up da te a c ti o n o ve r s t a t e v a r i a b l e s
13 AR.Trans.tt// add g uard and u pd at e t o t r a n s i t i o n
AR.Init randInit(m,AR.Var)// ge ne ra te an i n i t i a l c on di ti on
15 return AR
Fig. 2: Pseudo-code overview of HyRG method to randomly generate hybrid
automata. The output hybrid automaton ARis generated as a tuple of random
locations, flows, invariants, transitions, guards, updates, and initial conditions.
of sets of time-bounded reachable states computed by different tools (e.g., the
output of SpaceEx, Flow*, etc.). Each set of reachable states, R(t), is the set of
states that may be visited by following the model’s trajectories and transitions,
at a given time t[0, β], where βis the time bound. That is, for a given time
t,R(t) is the set of states reachable at time t(sometimes referred to as a time-
slice). The input Trace is a set of all simulation traces produced by SLSF up to
a maximum simulation time β. The reachCheck function can check whether the
reachable states or simulation traces computed by different tools at each time
have non-empty intersections. If the reachable sets computed by these tools have
a non-empty intersection (pairwise over all the tools), then reachCheck will re-
turn SAT, and the monitoring continues by generating a different random model.
Otherwise, there is possibly a bug in the HyST translation, the verification tools,
or in SLSF. For the simulation traces, if some portion of a trace is not contained
in any of the reachable states, reachCheck will return UNSAT. Obviously all
these tools have numerous parameters, so numerical issues, accuracies, etc. must
be taken into account by the user to determine whether a candidate bug is real.
We define the structure of a hybrid automaton [2] and then describe a few
details of the framework
Definition 1. A hybrid automaton His a tuple, H
=hLoc,Var,Flow,Inv,
Trans,Initi, consisting of following components: (a) Loc: a finite set of dis-
crete locations. (b) Var: a finite set of ncontinuous, real-valued variables, where
xVar,v(x)∈ R and v(x)is a valuation—a function mapping xto a
point in its type—here, R; and Q
=Loc × Rnis the state space. (c) Inv:
a finite set of invariants for each discrete location, lLoc,Inv(l)⊆ Rn.
(d) Flow: a finite set of derivatives for each continuous variable xVar, and
Flow(l, x)⊆ Rnthat describes the continuous dynamics in each location lLoc.
(e) Trans: a finite set of transitions between locations; each transition is a tuple
τ=hsrc,dst,Grd,Rsti, which can be taken from source location src to destina-
tion location dst when a guard condition Grd is satisfied, and a state is updated
by an update map Rst. (f) Init: an initial condition, Init ⊆ Q.
4
1fu n c ti o n reachCheck(Reach,Trace)
result SA T
3foreach se t of r e a ch a b le st a te s Riin Reach
foreach se t of r e a ch a b le st a te s Rjin Reach
5if i6=ja nd t[0, β ]Ri(t)∧ Rj(t)is U NS A T th e n result UNS AT
foreach ex e c ut i o n t r ac e Rki n Trace
7if t[0, β ]Rk(t)6⊂ Ri(t)is UN S AT t h en result UN S AT
return result
Fig. 3: reachCheck checks whether the set of reachable states and traces computed
by different tools overlap (have non-empty intersection) at every time instant.
We denote a hybrid automaton that has been randomly generated by AR. The
various syntactic components (Definition 1) of ARare randomly generated as
shown in Figure 2. We use the dot (.) notation to refer to different components
of tuples, e.g., AR.Loc refers to the set of locations Loc of AR.
We randomly generate each syntactic component of the automaton to gener-
ate AR. The inputs include a number of locations m, and a number of variables
n. First, we generate a set of state variables AR.Var ={x1,...,xn}(line 3). Next,
we randomly generate sets of locations AR.Loc and transitions AR.Trans based
on an arbitrary discrete structure (line 4). Rather than picking only random
matrices and vectors for the affine functions used in flows, guards, invariants,
assignments, etc., we instead partition these affine functions into interesting
classes. While we assume affine functions making up the automaton, the gen-
eral method may be extended to nonlinear functions. Next, for each location
l∈ AR.Loc (line 5), we randomly generate its flow l.flow (line 6) and invariant
l.inv (line 7) over the state variables AR.Var. Next, we iterate over each transi-
tion t∈ AR.Trans (line 10) to randomly generate a guard condition t.grd and
an update t.rst as expressions over AR.Var (lines 11 through 12). Finally, we
generate a random initial condition AR.Init for AR(line 14). We highlight that
all structural components of the automaton are selected randomly (i.e., the tran-
sitions and continuous dynamics), and are not simply parameters. For brevity,
we do not describe in detail the random generation of all structural components
here, but refer to Appendix A.
3 Preliminary Experimental Results
We evaluate our preliminary5monitoring framework in several scenarios to
compare differences among several hybrid systems verification tools including
SpaceEx, dReach, and Flow*, as well as SLSF simulation. Consider a randomly
generated ARwith the results shown in Figure 4(details and the model are
in Appendix A). The reachable states of x1and x2computed by the STC and
LGG algorithms in SpaceEx do not contain a simulation trace for an equiva-
lent SLSF model when ARtakes a transition. This happens because of semantic
differences in resets between SpaceEx and SLSF. In SLSF, the variables x1and
x2are updated in order, so that x1will be first updated to a new value, and
then x2will be updated using the new (updated) value of x1. However, these
5Some of the steps are currently manual, particularly the parsing of reachable states
and comparison thereof, but the generation with HyRG and translation with HyST
is fully automatic.
5
0 20 40 60 80 100
-5
0
5
10
15
20
Time (s)
x1
(a)
0 20 40 60 80 100
-10
0
10
20
30
40
Time (s)
x2
(b)
Fig. 4: SLSF simulation (blue), reachable states computed by SpaceEx’s LGG
algorithm (red), and reachable states computed by SpaceEx’s STC algorithm
(green) for ARshowing x1and x2versus time, respectively. The SLSF simu-
lation traces and the reachable states computed by SpaceEx’s LGG and STC
algorithms do not line up (i.e., have an empty intersection) at some time points
(so reachCheck returns unsat) due to a semantic difference.
variables are updated concurrently in SpaceEx, so x2will be updated by using
the previous value of x1. Based on this, we fixed this translation error in HyST.
4 Conclusion and Future Work
In this paper, we describe our preliminary results toward building a random-
ized differential testing framework to monitor hybrid and cyber-physical systems
(CPS) development tools like SLSF and verification tools like SpaceEx, dReach,
Flow*, etc. Our preliminary results include identifying semantic mismatches be-
tween tools automatically that have been integrated into subsequent versions of
HyST. Additionally, we have found several bugs in Flow* and dReach that have
been corrected by the tool authors. Based on our promising preliminary results,
we plan to fully automate every step of the framework in the future.
References
1. Bak, S., Bogomolov, S., Johnson, T.T.: HyST: A source transformation and trans-
lation tool for hybrid automaton models. In: Proc. of the 18th Intl. Conf. on Hybrid
Systems: Computation and Control (HSCC). ACM (2015)
2. Frehse, G., Le Guernic, C., Donz´e, A., Cotton, S., Ray, R., Lebeltel, O., Ripado, R.,
Girard, A., Dang, T., Maler, O.: SpaceEx: Scalable verification of hybrid systems.
In: Computer Aided Verification (CAV). LNCS, Springer (2011)
3. Leucker, M., Schallhart, C.: A brief account of runtime verification. Journal of Logic
and Algebraic Programming 78(5), 293–303 (May 2009)
4. Nguyen, L.V., Schilling, C., Bogomolov, S., Johnson, T.T.: Poster: Hyrg: A random
generation tool for affine hybrid automata. In: 18th International Conference on
Hybrid Systems: Computation and Control (HSCC 2015) (2015)
5. Yang, X., Chen, Y., Eide, E., Regehr, J.: Finding and understanding bugs in c com-
pilers. In: Proceedings of the 32Nd ACM SIGPLAN Conference on Programming
Language Design and Implementation. pp. 283–294. PLDI ’11, ACM, New York,
NY, USA (2011)
6
Loc1
t7
˙x1=0.7949x1+ 0.2722x2
˙x2= 0.2722x10.1835x2
˙
t= 1
Loc2
t9
˙x1=0.2936x10.1111x2
˙x2=0.1111x10.4496x2
˙
t= 1
Loc3
t5
˙x1=0.5679x10.1359x2
˙x2=0.1359x10.9269x2
˙
t= 1
start
t7
t:= 0 x1:= 2 x2:= 8
t9
t:= 0 x1:= x1+ 9 x2:= x2+ 15
t10
t:= 0
x1:= 7
x2:= 4
t5
t:= 0
x1:= x1+ 17
x2:= x1+ 18
Fig. 5: An example of a random time-dependent switching hybrid automaton AR
randomly generated with HyRG using negative definite matrices.
A Appendix: Additional Random Generation Details
In this appendix, we describe the case study presented in the paper and addi-
tional details on the random generation methods used in HyRG, described pre-
viously in the high-level overview of Figure 2. The empirical results presented
in Section 3are for the automaton in Figure 5. The initial state of ARis Loc3,
and the randomly initial values of its variables are respectively generated as
x1= 10, x2= 17, and t= 0. ARis nondeterministic. The continuous dynamics
of each location in system AR.Loc are randomly generated based on a negative
definite matrix A, so it is exponentially asymptotically stable.
HyRG takes as inputs the options specified in Figure 2. As output, HyRG
may produce a hybrid automaton in the input XML format of the SpaceEx
toolAdditionally, HyRG is integrated with SLSF via a hybrid automaton to
SLSF translation procedure.
Time-Dependent Switching Options ATime set includes all necessary
components for randomly generating a time-dependent switched system
Definition 2. A time-dependent switching set Time is a tuple Time
=hτ, β , θ, σ, φi,
where (a) τ: a time variable. (b) β: a first order linear equation over the time
variable, β˙τ= 1. (c) θ: an invariant randomly generated as θaτb.
(d) σ: a guard condition randomly generated as σcτd. (e) φ: an update
7
map randomly generated as φτ=e. (f) ι: a initial condition generated as
ιτ=f, where a,b,c,d,e,fare random constant numbers such that ab 0,
bc 0, and e, f 0.
Randomly Generating Discrete Structure. The discrete structure of a
hybrid automata is a set of locations and transition lines connected some pairs
of locations. It can be randomly generated using random adjacency matrices.If a
hybrid automata has a random mnumber of locations, so its transition graph is
an m×mrandom adjacency matrix adjMatrix , whose elements equal to either
0 or 1. If an element adjMatrix[i, j] is equal to 1, there is a transition from ith
location to jth location. Otherwise, there is no connection between these two
locations. An example of a discrete structure’s graph randomly generated by
a random adjacency matrix AGis shown in Figure 6. If any diagonal element
adjMatrix[i, i] is equal to 1, the ith location will be connected to itself. In other
words, it has a self-loop transition. Moreover, a number of transitions can also
be controlled by restricting the sum of rows and columns of adjacency matrix
less than some arbitrary constants.
The pseudo-code for generating a random discrete structure by creating an
arbitrary adjacency matrix shown in Figure 7—called from randHA (Figure 2,
line 4). We first call the function randAdjMatrix (line 2) to get a random adjacency
matrix adjMatrix. Next, we iterate over each row element iof an adjacency matrix
adjMatrix (line 3), and then create a corresponding location li(line 5). For each
row element iof adjMatrix , we iterate over each row element jof adjMatrix
(line 6), and then generate a corresponding transition ti,j(line 8) when the
value of adjMatrix[i, j] is equal to one.
The pseudo-code of randomly generating an arbitrary adjacency matrix shown
in Figure 8. A function randi([0,1],m) (line 6) generates an m×mrandom ma-
trix whose elements are equal to either 0 or 1. We use a boolean variable flag
to keep generating adjMatrix until we get our desired matrix (line 4), which pro-
vides at least one pair of ingoing and outgoing transitions for each location. We
can generate this desired matrix by putting constraints on the sum of each row
Loc1Loc2
Loc3
Loc4
AG=
1101
0010
0111
1000
Fig. 6: An example of the transition graph of the hybrid automaton model ran-
domly generated by the random adjacency matrix AG.
8
fu n c ti o n discreteStructure(m)
2adjMatrix randAdjMatrix(m,Opt)
foreach row element ii n adjMatrix
4// gen era te a co rr es p on di ng l o c a t ion
AR.Loc ← AR.Loc ∪ {li}
6foreach row element ji n adjMatrix
// ge ner ate a t r a nsit i o n from l oca t i o n i t o l o c a t i on j
8if adjMatrix[i, j ]=1 then AR.Trans ← AR.Trans ∪ {ti,j}
return AR.Loc, AR.Trans
Fig. 7: Randomly generated discrete structure pseudo-code. The input is a num-
ber of locations m. And, the output are random sets of locations AR.Loc and
transitions AR.Trans.
1fu n c ti o n randAdjMatrix(m,Opt)
adjMatrix ← ∅
3flag 1
wh i le flag = 1
5flag 0
adjMatrix randi([0,1],m)// Figure 6
7foreach row element ii n adjMatrix
// wi t ho ut s e l f lo op i mpl eme nt ati on , ze ro a l l di ag o na l el eme nt s
9if Opt.F=then adjMatrix[i, i]0
// ge n er at e a t le a s t one in g oi n g t r a n si t i o n
11 if PadjMatrix[i, :] = 0 then flag 1
// ge n er at e a t le a s t one ou tg o in g t r a n s it i o n
13 foreach co l um n el em e n t jin adjMatrix
if PadjMatrix[:, j ]=0 then flag 1
15 return adjMatrix
Fig. 8: Randomly generated adjacency matrix pseudo-code. The input includes
a number of locations m, and a set of options Opt. The output is an adjacency
matrix adjMatrix.
1fu n c ti o n randFlow(n,AR.Var,Opt,optFlw)
X← AR.Var // as s i g n a ve c to r of s t a t e va r i a b l e s
3if Opt.F6=t hen ra nd o m ly se l ec t ζoptFlw
// re tur n a random mat ri x f o r a co rr esp on din g random f l ow
5AΛ(n, ζ)
// ge ner ate a new c on ti nu ous f l ow
7flow ← {˙
X=AX+B}
return flow
Fig. 9: Randomly generated flow pseudo-code. The input includes the number of
variables n, a set of state variables AR.Var, a set of options Opt, and a set of
different classes of matrix’s definiteness optFlw.
and column of adjMatrix (lines 7through 14). Additionally, If we want to gener-
ate a random hybrid automaton without self-loop transition (line 9), we set all
diagonal elements of adjMatrix equal to zero.
Randomly Generating Continuous Flow Dynamics. A randomly gen-
erated affine hybrid automaton ARhas continuous dynamics defined as ˙x=
Ax+B, x∈ Rn, where nis a random number of state variables, xis an n-vector
of state variables, and ˙xis an n-vector of the derivatives of these variables w.r.t.
time. Furthermore, Ais an n×n-matrix of real coefficients and Bis an n-vector
of real constants. We denote Ψ(t) as a fundamental matrix of a linear system
of differential equations ˙x=Ax, where tdenotes time. Moreover, Ψ(t) = eAt
9
can be considered as one fundamental matrix of the system. By using the eigen-
decomposition theorem, a matrix Acan be written as A=vDv1, where D
is an n×ndiagonal matrix whose diagonal elements correspond to neigen-
values λiof the matrix A, and vis an n×n-matrix where each column viis
a corresponding eigenvector of A. Note that v1is an n×nconstant matrix
and its determinant is non-zero. If Ψ(t) = eAt is a fundamental matrix, so
Ψ(t) = eAtv=evDv1tv=ve Dt v1v=veDt is also a fundamental matrix.
Therefore, the general solution of a system of differential equations ˙x=Axis
x(t) = veDtC, where Cis an n-vector of real values determined by the initial con-
ditions of x(t). If x(t0) = x0is a vector of initial conditions, then C=Ψ(t0)1x0.
For linear systems, the continuous dynamics may be described as an exponen-
tial function of eigenvalues, and the eigen-decomposition theorem allows us to
generate a random matrix Afrom sets of arbitrarily given eigenvalues and eigen-
vectors.
Suppose that Ais a symmetric real matrix with all of its eigenvalues are
real numbers. If Ais considered as: (a) positive definite (pd), then all of its
eigenvalues are positive, (b) negative definite (nd), then all of its eigenvalues are
negative, (c) semipositive definite(psd), then all of its eigenvalues are non-nega-
tive, (d) seminegative definite(nsd), then all of its eigenvalues are non-positive,
(e) and indefinite (ind), then its eigenvalues have both positive and negative
values. More generally, if Ais equal to its self-adjoin. Then Ais a Hermitian
matrix, and its definiteness is considered based on the real part of its eigenvalues
Definition 3. Let A Cn×nbe an Hermitian matrix, and U,UCnbe
a complex vector and its conjugate transpose vector respectively. (a) For every
nonzero vector U (i) if U AU>0, then A is pd (ii) if U AU<0, then A is
nd (b) For every vector U (i) if U AU0, then A is psd (ii) if UAU0,
then A is nsd
According to Definition 3, suppose that (λ, v) is an eigenpair of A, so vAv=
λvv=λ. Thus a sign of λdepends on a definiteness of A. For example, if
Ais negative define, then λ=vAv<0 for all eigenpairs (λ, v) of A. In
other words, a Hermitian matrix Ais considered negative define. This type of
Hermitian matrix is also considered as a Hurwitz matrix that has all negative
real part eigenvaluesCorrespondingly, the continuous dynamic of each location
in system ARgenerated based this matrix will be exponentially asymptotically
stableOtherwise, if Ais randomly generated as a skew-Hamiltonian matrix, then
all eigenvalues of Ahave only imaginary parts.
The pseudo-code of a randomly generated flow dynamic for each location
l∈ AR.Loc shown in Figure 9—called from randHA(Figure 2, line 6). The inputs
include a set of different classes of matrix’s definiteness optFlw that includes all
possible classes of flows for every location in AR. We define optFlw as a tuple
optFlw
=hpd,nd ,psd ,nsd,indi. For each definiteness ζoptFlw,Λ(n, ζ) is a
function that returns an n×nrandom matrix corresponding ζ. For randomly
generating a flow of location l, we first generate the vector of state variable X
(line 2). Next, we randomly select a different classes of definiteness in optFlw
10
fu n c ti o n randInv(d,AR.Var,Opt,optInv)
2if Opt.I6=t hen ra nd o m ly se l ec t ρoptInv
// re t ur n s a se t of random li n e a r in e q u a l i t i e s
4inv Γ(d,AR.Var, ρ)
return inv
Fig. 10: Randomly generated invariant pseudo-code. The input includes a dimen-
sion dof a invariant polytope, a set of variable x, a set of option choices Opt,
and a set of different ddimensional polytopes optInv.
1fu n c ti o n randGrd(inv,AR.Var,Opt)
Opt.G6=then grd (inv,AR.Var)
3return grd
Fig. 11: Randomly generated guard condition pseudo-code. The input are an
invariant polytope inv , a set of option choices Opt and a set of variable AR.Var.
(line 3), and then assign a random matrix corresponding to this class of defi-
niteness (line 5). The continuous dynamics flow is generated by the first order
differential equation {˙
X=AX+B}(line 7), where ˙
Xis an n×1 vector of the
first derivatives of state variables X, and Bis an n×1 arbitrary constant vector.
Randomly Generating Invariants. An invariant for each location of AR
is randomly generated based on the concept of convex polytopes. Let xRnis
a vector of state variables of AR, then a convex polytope is defined as a solution
set of a finite system of linear inequalities CxDwhere Cis an k×nconstant
matrix, kis a number of linear inequalities, Dis either an k×1 vector of constants
or symbolic expression algebra of state variables. Each linear inequality divides
the whole space in two separately halves called a half-space.Suppose that we have
an knumber of half-spaces generated by an krandom linear inequalities. An
invariant Inv Rdof a hybrid system ARis an ddimensional convex polytope
randomly generated as an intersection of khalf-spaces. We investigate a polytope
generated from system of linear inequalities, which is not full-dimensional. Then,
there exists at least one state variable missing from all linear inequalities. Thus,
this polytope contains a ray, and is unboundedAn unbounded polytope (upo) can
be randomly generated as a slab between two arbitrary parallel hyperplanes, an
arbitrary infinite prism, or an arbitrary infinite cone. On the other hand, we
also investigate several bounded polytopes including: (a) ddimensional simplex
polytope (spo): the convex hull of d+ 1 affinely independent points in Rd, or an
intersection of d+ 1 half-spaces. (b) ddimensional cubical polytope (opo): the
family of polytopes that analogues to a cube, and is defined as an intersection of
2dhalf-spaces. (c) ddimensional cross polytope (cpo): the family of polytopes
that analogues to a octahedron, and is defined as an intersection of 2d+ 2
half-spaces The pseudo-code of randomly generated invariant polytope for each
location in ARshown in Figure 10. If a location in ARhas an invariant, we
randomly select one type of ddimensional polytope in optInv (line 2), and then
assign a corresponding set of random linear inequalities to generate an arbitrary
invariant inv (line 4).
11
1fu n c ti o n randRst(n,AR.Var,Opt)
X← AR.Var
3Opt.R6=th e n r a ndo m ly se l ec t ψoptRst
rst ← {X=(n,AR.Var, ψ)}
5return rst
Fig. 12: Randomly generated update map pseudo-code. The input are a number
variables n, a set of option choices Opt and a set of variable AR.Var.
1fu n c ti o n randInit(n,AR.Var,Opt)
X← AR.Var
3init ← {X=rand(n,1)}
return init
Fig. 13: Randomly generated initial condition pseudo-code. The input are a num-
ber variables n, a set of option choices Opt and a set of variable AR.Var.
Randomly Generating Guard Conditions. For each location l∈ AR.Loc,
its invariant inv is randomly generated as a ddimensional convex polytope Pby
the pseudo-code shown in Figure 10. If Sis a random convex hull of any set of ver-
tices of P, so Sis considered as a ddimensional sub-polytope of PThen, a random
outgoing guard condition of location lis a set of linear inequalities represented
the complement between a vector space Rdand S. A function (inv,AR.Var)
whose inputs are an invariant inv and a set of state variables AR.Var returns a
set of random linear inequalities JxK, where J, K are defined similar to C,
and Drespectively. The pseudo-code of randomly generated a guard condition
for an outgoing transition of each location lshown in Figure 11. If there exists
an outgoing transition from location l, then we will assign a corresponding set
of random linear inequalities for its arbitrary guard condition grd by calling the
function (line 2).
Randomly Generating Update Map. A update map can be randomly
generated by assigning either a random constant or an arbitrary symbolic ex-
pression algebra of state variables to each state variable in AR.Var. Suppose that
a set of update map optRst is a tuple optRst
=hconst,symboi. For each type of
an update ψoptRst,Φ(n,AR.Var, ψ) is a function that returns an n×1 vector
of random constants or symbolic expression algebra of state variables. Figure 12
shows the pseudo-code for randomly generating a update map. If any transition
of system ARhas an update action, we first randomly select whether to update
state variables to constants or assign them to any symbolic expression algebra
of state variables (line 3). And then, we set an equality between a vector of state
variables Xand a random vector returned by calling Φfunction to be an update
action rst (line 4).
Randomly Generating Initial Conditions. The pseudo-code for gener-
ating a random initial condition init is shown in Figure 13. We use a random
function rand(n,1) (line 3) to generate an n×1 vector of constants, and then
assign it to a vector of state variables X.
... Flow* [23] on behalf of a typical Prover can computes Taylor model flow pipes for non-linear ODEs described hybrid systems. Finally, Convertor (HyST) which is only referred in S50 [66]. HyST is a source-to-source translation tool, currently taking input in the SpaceEx model format, and translating to the formats of HyCreate, Flow*, or dReach. ...
... For this target, this section tries to extract application scenarios mentioned in primary studies and classified these application scenarios into 12 types, in Figure 10, including 'vehicles', 'circuit", 'robots', 'Wireless Sensor Network', 'smart grid', 'financial server', 'smarter healthcare', 'database' and 'others' which is referred only once. The following part will give VOLUME X, 2018 13 and engine design [66]). When comeing to train controls system, European Train Control (ETC) System are widely used as verification scenarios [40][45] [76]. ...
... In such a situation, the propagation of the input and output signals is not negligible and may affect the interbank bidding processes [19]. Medhat et al. applied their verification technique in a bluetooth mobile payment system to make sure of trade security [66]. • Database: Two primary studies paid attention to applications in database, such as, data timeliness in real-time database management systems (RTDBMS) [30] and invasion attack on database server [68]. ...
Article
Full-text available
Cyber-Physical System (CPS) is a kind of complex real-time hybrid system which involves deep interactions between computation processors, communication network and physical environments are deemed as key enablers of next generation computer applications. However, how to verify CPS effectively is always a great challenge. Based on current scientific works about CPS verification, this paper aims at identifying the gap of current researches and suggesting promising areas for future works. For this purpose, we conduct a systematic mapping study over the topic on verification of cyber-physical system. We carry out a widely search of publications from 2006 to April of 2018 in 11 electronic databases. After the step of study selection, 80 papers are selected as primary studies for answering proposed research questions, focused questions, and statistical questions. According to these questions and their answers, this paper not only presents a quantitative and comprehensive analysis of verification challenges, abstraction methods, verification techniques, assistance tools and verification scenarios that represent each step of verification works, but also summarizes CPS systematic natures, main routine of verification and future research directions. We believe that this survey can identify gaps in current research works and reveal new insights for the future works.
... With the root access the applications can access APIs without any restrictions. It can also perform more operations by acquiring access to those resources which are normally protected from the application (Nguyen et al., 2015). Malware then steal information, download more malware and can also target other devices. ...
Article
Full-text available
Abstract: Mobile devices have become widespread computing technology, people prefer to use than desktop devices. These connected devices and their features like an exchange of data, video calling etc have made our lives simple but, this has also increased data security concerns. At present, Google’s Android is dominating the market share of mobile devices; as a result, it has become a big target for malware writers. Android users can download applications from official or third-party stores. Google implements various security policies to ensure secure distribution of applications but third-party application stores have less efficient or no such policies. This makes such markets more attractive for malware writers. This paper investigates Android application security by analysing 1,946 free most downloaded Android applications in the year 2016: 1,300 from Google Play store and 646 from third-party Android applications. 100 samples from 33 different malware families (with variants) prominent in the Android market during January 2016 to April 2016 were also collected that acted as a template for malware detection. Further, based on detected malware samples, an evaluation-based study on ten anti-malware applications is performed to identify how well they protect users from malware. Keywords: Android; malware; applications; permission; anti-malware software.
... With the root access the applications can access APIs without any restrictions. It can also perform more operations by acquiring access to those resources which are normally protected from the application (Nguyen et al., 2015). Malware then steal information, download more malware and can also target other devices. ...
Article
Full-text available
Mobile devices have become widespread computing technology, people prefer to use than desktop devices. These connected devices and their features like an exchange of data, video calling etc. have made our lives simple but, this has also increased data security concerns. At present, Google's Android is dominating the market share of mobile devices; as a result, it has become a big target for malware writers. Android users can download applications from official or third-party stores. Google implements various security policies to ensure secure distribution of applications but third-party application stores have less efficient or no such policies. This makes such markets more attractive for malware writers. This paper investigates Android application security by analysing 1,946 free most downloaded Android applications in the year 2016: 1,300 from Google Play Store and 646 from third-party Android applications. 100 samples from 33 different malware families (with variants) prominent in the Android market during January 2016 to April 2016 were also collected that acted as a template for malware detection. Further, based on detected malware samples, an evaluation-based study on ten anti-malware applications is performed to identify how well they protect users from malware.
... Besides CDL, hybrid automata [26,2] are another widely adopted formalism for precise modelling of the real world. They do not solve the question of whether the model accurately captures the environment, and although RV of cyber-physical systems modelled with hybrid automata is a lively and promising research field [31,36], we are not aware of proposals where the same hybrid automaton model undergoes both a model checking and a RV process, to both formally prove system properties and validate the correctness of the environment model. ...
Chapter
When applying formal verification to a system that interacts with the real world we must use a model of the environment. This model represents an abstraction of the actual environment, but is necessarily incomplete and hence presents an issue for system verification. If the actual environment matches the model, then the verification is correct; however, if the environment falls outside the abstraction captured by the model, then we cannot guarantee that the system is well-behaved. A solution to this problem consists in exploiting the model of the environment for statically verifying the system’s behaviour and, if the verification succeeds, using it also for validating the model against the real environment via runtime verification. The paper discusses this approach and demonstrates its feasibility by presenting its implementation on top of a framework integrating the Agent Java PathFinder model checker. Trace expressions are used to model the environment for both static formal verification and runtime verification.
Chapter
Full-text available
Safety-critical chemical processes are well-studied in the formal methods literature, including hybrid systems models which combine discrete and continuous dynamics. This paper is the first to use a theorem-prover to verify hybrid chemical models: the KeYmaera X prover for differential dynamic logic. KeYmaera X provides parametric results that hold for a whole range of parameter values, non-linear physical dynamics, and a small trusted computing base.We tell a general story about KeYmaera X: recent advances in automated reasoning about safety and liveness for differential equations have enabled elegant proofs about reaction dynamics.KeywordsHybrid SystemsTheorem ProvingChemical Reactor
Article
When applying formal verification to a system that interacts with the real world, we must use a model of the environment. This model represents an abstraction of the actual environment, so it is necessarily incomplete and hence presents an issue for system verification. If the actual environment matches the model, then the verification is correct; however, if the environment falls outside the abstraction captured by the model, then we cannot guarantee that the system is well behaved. A solution to this problem consists in exploiting the model of the environment used for statically verifying the system’s behaviour and, if the verification succeeds, using it also for validating the model against the real environment via runtime verification. The article discusses this approach and demonstrates its feasibility by presenting its implementation on top of a framework integrating the Agent Java PathFinder model checker. A high-level Domain Specific Language is used to model the environment in a user-friendly way; the latter is then compiled to trace expressions for both static formal verification and runtime verification. To evaluate our approach, we apply it to two different case studies: an autonomous cruise control system and a simulation of the Mars Curiosity rover.
Article
Unlike standalone embedded devices, behaviors of a Cyber-Physical System (CPS) are highly dynamic. Many parameter values (e.g. those related to nature environment and third party black box functions) are unknown offline. Furthermore, distributed sub-CPSs may exchange data online. In this paper, we first propose the concept of parametric hybrid automata (PHA) to describe such complex CPSs. As some PHA parameter values are unknown until runtime, conventional offline model checking is infeasible. Instead, we propose to carry out PHA model checking online, as a fault prediction mechanism. However, this usage is challenged by the high time cost of state reachability verification, which is the conventional focus of model checking. To address this challenge, we propose that the model checking shall focus on online scenario reachability validation instead. Furthermore, we propose a mechanism to compose/decompose scenarios. Our scenario reachability validation can exploit linear programming to achieve polynomial time cost. Evaluations on a state-of-the-art train control system show that our approach can cut online model checking time cost from over 1 hour to within 200 milliseconds.
Article
Full-text available
A number of powerful and scalable hybrid systems model checkers have recently emerged. Although all of them honor roughly the same hybrid systems semantics, they have drastically different model description languages. This situation (a) makes it difficult to quickly evaluate a specific hybrid automaton model using the different tools, (b) obstructs comparisons of reachability approaches, and (c) impedes the widespread application of research results that perform model modification and could benefit many of the tools. In this paper, we present Hyst, a Hybrid Source Transformer. Hyst is a source-to-source translation tool, currently taking input in the SpaceEx model format, and translating to the formats of HyCreate, Flow∗, or dReach. Internally, the tool supports generic model-to-model transformation passes that serve to both ease the translation and potentially improve reachability results for the supported tools. Although these model transformation passes could be implemented within each tool, the Hyst approach provides a single place for model modification, generating modified input sources for the unmodified target tools. Our evaluation demonstrates Hyst is capable of automatically translating benchmarks in several classes (including affine and nonlinear hybrid automata) to the input formats of several tools. Additionally, we illustrate a general model transformation pass based on pseudo-invariants implemented in Hyst that illustrates the reachability improvement.
Article
Full-text available
In this poster, we present methods for randomly generating hybrid automata with affine differential equations, invariants, guards, and assignments. Selecting an arbitrary affine function from the set of all affine functions results in a low likelihood of generating hybrid automata with diverse and interesting behaviors, as there are an uncountable number of elements in the set of all affine functions. Instead, we partition the set of all affine functions into potentially interesting classes and randomly select elements from these classes. For example, we partition the set of all affine differential equations by using restrictions on eigenvalues such as those that yield stable, unstable, etc. equilibrium points. We partition the components describing discrete behavior (guards, assignments, and invariants) to allow either time-dependent or state-dependent switching, and in particular provide the ability to generate subclasses of piecewise-affine hybrid automata. Our preliminary experimental results with a prototype tool called HyRG (Hybrid Random Generator) illustrate the feasibility of this generation method to automatically create standard hybrid automaton examples like the bouncing ball and thermostat.
Data
Full-text available
We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an over-approximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local error bound. In addition, we propose an improved approximation model, which drastically improves the accuracy of the algorithm. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrate the scalability of the approach. 1
Conference Paper
Full-text available
We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an over-approximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local error bound. In addition, we propose an improved approximation model, which drastically improves the accuracy of the algorithm. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrate the scalability of the approach.
Article
In this paper, a brief account of the field of runtime verification is given. Starting with a definition of runtime verification, a comparison to well-known verification techniques like model checking and testing is provided, and applications in which runtime verification brings out its distinguishing features are pointed out. Moreover, extensions of runtime verification such as monitor-oriented programming, and monitor-based runtime reflection are sketched and their similarities and differences are discussed. Finally, the use of runtime verification for contract enforcement is briefly pointed out.
Conference Paper
Compilers should be correct. To improve the quality of C compilers, we created Csmith, a randomized test-case generation tool, and spent three years using it to find compiler bugs. During this period we reported more than 325 previously unknown bugs to compiler developers. Every compiler we tested was found to crash and also to silently generate wrong code when presented with valid input. In this paper we present our compiler-testing tool and the results of our bug-hunting study. Our first contribution is to advance the state of the art in compiler testing. Unlike previous tools, Csmith generates programs that cover a large subset of C while avoiding the undefined and unspecified behaviors that would destroy its ability to automatically find wrong-code bugs. Our second contribution is a collection of qualitative and quantitative results about the bugs we have found in open-source C compilers.
SpaceEx: Scalable verification of hybrid systems
  • G Frehse
  • C Le Guernic
  • A Donzé
  • S Cotton
  • R Ray
  • O Lebeltel
  • R Ripado
  • A Girard
  • T Dang
  • O Maler
Frehse, G., Le Guernic, C., Donzé, A., Cotton, S., Ray, R., Lebeltel, O., Ripado, R., Girard, A., Dang, T., Maler, O.: SpaceEx: Scalable verification of hybrid systems. In: Computer Aided Verification (CAV). LNCS, Springer (2011)
Poster: Hyrg: A random generation tool for affine hybrid automata
  • L V Nguyen
  • C Schilling
  • S Bogomolov
  • T T Johnson
Nguyen, L.V., Schilling, C., Bogomolov, S., Johnson, T.T.: Poster: Hyrg: A random generation tool for affine hybrid automata. In: 18th International Conference on Hybrid Systems: Computation and Control (HSCC 2015) (2015)