Yoriyuki Yamagata

On Accelerating SMT-based Bounded Model Checking of HSTM Designs

Hierarchical State Transition Matrix (HSTM) is a table-based modeling language for developing designs of software systems. We have proposed a Satisfiability Modulo Theory (SMT) based Bounded Model Checking (BMC) approach in [1] to provide formal verification supports for conducting rigorous and automatic analysis to improve reliability of HSTM designs. In this paper, we continue that work by developing and evaluating approaches to accelerating BMC of HSTM designs. The approaches center around an unrolled Bounded Reach ability Tree (BRT) of a HSTM design that is built with stateless explicit state exploration. Specifically, reach ability of invalid cells (representing undesired states) of a HSTM design, which occurs within the bound concerned, could be discovered during construction of the BRT, and furthermore, if no such occurrence, the constructed BRT could be utilized to rule out unnecessary subformulas of a BMC instance for verification of LTL properties. We have implemented these approaches in a tool called Garakabu2 with the state-of-the-art SMT solver CVC3 as its back-ended solver. Our preliminary experiments show that verification could be accelerated substantially.

A sequent calculus for limit computable mathematics

Abstract We introduce an implication-free fragment PA inf + - Exch of ω -arithmetic, having Exchange rule for sequents dropped. Exchange rule for formulas is, instead, an admissible rule in PA inf + - Exch . Our main result is that cut-free proofs of PA inf + - Exch are isomorphic with recursive winning strategies of a set of games called “1-backtracking games” in [S. Berardi, Th. Coquand, S. Hayashi, Games with 1-backtracking, Games for Logic and Programming Languages, Edinburgh, April 2005]. We also show that PA inf + - Exch is a sound and complete formal system for the implication-free fragment of LCM (Limit Computable Mathematics, see [S. Hayashi, Mathematics based on Learning, Algorithmic Learning Theory, in: LNAI, vol. 2533, Springer, pp. 7–21; S. Hayashi, Can proofs be animated by games? in: P. Urzyczyn (Ed.), Seventh International Conference on Typed Lambda Calculi and Applications, in: Lecture Notes in Computer Science, vol. 3461, 2005, pp. 11–22. Invited paper]). A simple syntactical description of this fragment was still missing. No sound and complete formal system is known for LCM itself.

Domain-Specific Languages with Scala

Domain-Specific Languages (DSLs) are often classified into external and internal DSLs. An external DSL is a stand-alone language with its own parser. An internal DSL is an extension of an existing programming language, the host language, offering the user of the DSL domain-specific constructs as well as the constructs of the host language, thus providing a richer language than the DSL itself. In this paper we report on experiences implementing external as well as internal formal modeling DSLs with the Scala programming language, known in particular for its support for defining DSLs. The modeling languages include monitoring logics, a testing language, and a general purpose SysML inspired modeling language. We present a systematic overview of advantages and disadvantages of each option.

A formal semantics of extended hierarchical state transition matrices using CSP

The extended hierarchical state transition matrices (EHSTMs) are a table-based modelling language frequently used in industry for specifying behaviours of systems. However, assuring correctness, i.e., having a design satisfy certain desired properties, is a non-trivial task. To address this problem, a model checker dedicated to EHSTMs called Garakabu2 has been developed. However, there is no formal justification for Garakabu2, since its semantics has never been fully formalised. In this paper, we give a formal semantics to EHSTMs by translating them into CSP, Communicating Sequential Processes. Among the variants of CSP, we use CSP#, which is the modelling language used by PAT model checker, as a target of translation. Our semantics covers most of the features supported by Garakabu2. We manually translate the small examples of EHSTMs to CSP#, and verify them by PAT. We also verify the examples directly using Garakabu2 and show that the results are same. The experiments also indicate that verification using our translation and PAT is much faster than that of Garakabu2 in some cases.

Formal semantics of extended hierarchical state transition matrix by CSP

The Extended Hierarchical State Transition Matrix (EHSTM) is a table-based modeling language frequently used in industry for specifying behaviors of a system. However, assuring correctness, i.e., having a design satisfy certain desired properties, is a non-trivial task. To address this problem, a model checker dedicated to EHSTMs called Garakabu2 is developed. However, there is no formal justification of Garakabu2, since its semantics has never been fully formalized. In this paper, we give a formal semantics to EHSTM by translating it into CSP, Communicating Sequential Processes. Our semantics covers most of the features supported by Garakabu2. We manually translate the small examples of EHSTM to CSP, and verify them by PAT, a CSP based model checker. We also verify the examples directly using Garakabu2 and show the result are same. The experiments also show that verification using our translation and PAT is much faster than that of Garakabu2 for checking message type EHSTM.

Log-Based Anomaly Detection of CPS Using a Statistical Method

Detecting anomalies of a cyber physical system (CPS), which is a complex system consisting of both physical and software parts, is important because a CPS often operates autonomously in an unpredictable environment. However, because of the ever-changing nature and lack of a precise model for a CPS, detecting anomalies is still a challenging task. To address this problem, we propose applying an outlier detection method to a CPS log. By using a log obtained from an actual aquarium management system, we evaluated the effectiveness of our proposed method by analyzing outliers that it detected. By investigating the outliers with the developer of the system, we confirmed that some outliers indicate actual faults in the system. For example, our method detected failures of mutual exclusion in the control system that were unknown to the developer. Our method also detected transient losses of functionalities and unexpected reboots. On the other hand, our method did not detect anomalies that were too many and similar. In addition, our method reported rare but unproblematic concurrent combinations of operations as anomalies. Thus, our approach is effective at finding anomalies, but there is still room for improvement.

Java Pathfinder on Android Devices

Because Android apps are written in Java and executed on a virtual machine (VM), there is an opportunity to employ Java Pathfinder (JPF) for their verification. There already exist two JPF extensions, jpf-android and jpf-pathdroid. The former executes Java bytecode on the Java VM, while the latter executes Android applications in their original format. Both do not support native methods, and thus depend on a model of the Android environment. This paper introduces an alternative approach: we run JPF as an Android application that executes Java bytecode, which gives us direct access to the Android environment. This approach allows us to verify rich Android apps that rely on native calls

Model-Based Testing of Stateful APIs with Modbat

Modbat makes testing easier by providing a user-friendly modeling language to describe the behavior of systems, from such a model, test cases are generated and executed. Modbats domain-specific language is based on Scala, its features include probabilistic and non-deterministic transitions, component models with inheritance, and exceptions. We demonstrate the versatility of Modbat by finding a confirmed defect in the currently latest version of Java, and by testing SAT solvers.

With an Open Mind: How to Write Good Models

Writing effective models for systems and their environment is a challenge. The task involves both mastering the modeling tool and its notation, and faithfully translating all requirements and specifications into a complete model. The former ability can be learned, while the latter one is a continuous challenge requiring experience and tools supporting the visualization and understanding of models. This paper describes our experience with incomplete models, the types of changes that were made later, and the defects that were found with the improved models.

Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

In this paper, we propose and evaluate the application of unsupervised machine learning to anomaly detection for a Cyber-Physical System (CPS). We compare two methods: Deep Neural Networks (DNN) adapted to time series data generated by a CPS, and one-class Support Vector Machines (SVM). These methods are evaluated against data from the Secure Water Treatment (SWaT) testbed, a scaled-down but fully operational raw water purification plant. For both methods, we first train detectors using a log generated by SWaT operating under normal conditions. Then, we evaluate the performance of both methods using a log generated by SWaT operating under 36 different attack scenarios. We find that our DNN generates fewer false positives than our one-class SVM while our SVM detects slightly more anomalies. Overall, our DNN has a slightly better F measure than our SVM. We discuss the characteristics of the DNN and one-class SVM used in this experiment, and compare the advantages and disadvantages of the two methods.