Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap
0 likes265 views
This document presents a method for trace-checking cyber-physical system (CPS) properties using Hybrid Logic of Signals (HLS) and a tool called ThEodorE. HLS allows expressing complex CPS requirements involving both software and physical behaviors. ThEodorE reduces trace-checking to a satisfiability modulo theories problem solvable by SMT solvers. The method was evaluated on requirements from a satellite system and shown to check more requirements than existing approaches within practical time limits.
![exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
!16 Hybrid Logic of Signals
Expressing CPS requirements](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-16-320.jpg)
![exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
!17 Hybrid Logic of Signals
Expressing CPS requirements HLS allows using existential and universal
quantifiers with](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-17-320.jpg)
![exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
!18 Hybrid Logic of Signals
Expressing CPS requirements HLS allows using existential and universal
quantifiers with
• timestamp variables](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-18-320.jpg)
![exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
!19 Hybrid Logic of Signals
Expressing CPS requirements HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-19-320.jpg)
![exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
!20 Hybrid Logic of Signals
Expressing CPS requirements HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables
• real-valued variables](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-20-320.jpg)
![exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
!21 Hybrid Logic of Signals
Expressing CPS requirements HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables
• real-valued variables
HLS supports specifications that use](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-21-320.jpg)
![!22 Hybrid Logic of Signals
Expressing CPS requirements
exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables
• real-valued variables
HLS supports specifications that use
• a signal at a certain timestamp](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-22-320.jpg)
![!23 Hybrid Logic of Signals
Expressing CPS requirements
exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables
• real-valued variables
HLS supports specifications that use
• a signal at a certain timestamp
• a signal at a certain index](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-23-320.jpg)
![!24 Hybrid Logic of Signals
Expressing CPS requirements
exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables
• real-valued variables
HLS supports specifications that use
• a signal at a certain timestamp
• a signal at a certain index
• the timestamp of an index (and vice versa)](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-24-320.jpg)
![HLS allows using existential and universal
quantifiers with
• timestamp variables
• index variables
• real-valued variables
HLS supports specifications that use
• a signal at a certain timestamp
• a signal at a certain index
• the timestamp of an index (and vice versa)
• expressions combining timestamps,
indices, and real-valued variables
!25 Hybrid Logic of Signals
exists 𝜌 such that (𝜌<1.5 and
forall σ0 in [0;5] such that
((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3)
implies
exists τ0 in [0s;10s] such that
(ang-rate @t (τ0 + i2t(σ0 )) < 𝜌)))
Expressing CPS requirements](https://image.slidesharecdn.com/claudio-icse2021pres-210525221916/85/Trace-Checking-CPS-Properties-Bridging-the-Cyber-Physical-Gap-25-320.jpg)
Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap
- 1. Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap Claudio Menghi University of Luxembourg Enrico Viganò University of Luxembourg Domenico Bianculli University of Luxembourg Lionel C. Briand University of Luxembourg, University of Ottawa
- 2. Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap Claudio Menghi University of Luxembourg Enrico Viganò University of Luxembourg Domenico Bianculli University of Luxembourg Lionel C. Briand University of Luxembourg, University of Ottawa
- 3. !3 Introduction LuxSpace: a space systems integrator based in Luxembourg Preamble ESAIL: a satellite that collects tracking information from vessels
- 4. !4 Introduction Objective Support engineers in verifying and validating CPS
- 5. !5 Introduction Requirements Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s.
- 6. !6 Introduction Traces A fragment of an execution trace of our case study
- 7. !7 Introduction Trace Checking Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5 °/s.
- 8. !8 Introduction Trace Checking Goal: automate the trace checking activity Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5 °/s.
- 9. !9 Introduction Goals Goal 1: Support a language that can express complex CPS requirements Requirements that involve software and physical components Goal 2: Applicable on industrial execution traces Provides results within practical time limits
- 10. !10 Introduction Contributions Hybrid Logic of Signals (HLS) ThEodorE Goal 1: Support a language that can express complex CPS requirements Requirements that involve software and physical components Goal 2: Applicable on industrial execution traces Provides results within practical time limits
- 12. !12 Hybrid Logic of Signals Requirements Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s.
- 13. !13 Hybrid Logic of Signals Requirements Indices - Software behaviour Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s.
- 14. !14 Hybrid Logic of Signals Requirements Timestamps - Physical behaviour 10s Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s. Indices - Software behaviour
- 15. Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”, the angular rate shall reach a value lower than 1.5°/s within 10s. Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s. !15 Hybrid Logic of Signals Requirements Real-valued variables Requirements Timestamps - Physical behaviour stabilizes around c Indices - Software behaviour
- 16. exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) !16 Hybrid Logic of Signals Expressing CPS requirements
- 17. exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) !17 Hybrid Logic of Signals Expressing CPS requirements HLS allows using existential and universal quantifiers with
- 18. exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) !18 Hybrid Logic of Signals Expressing CPS requirements HLS allows using existential and universal quantifiers with • timestamp variables
- 19. exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) !19 Hybrid Logic of Signals Expressing CPS requirements HLS allows using existential and universal quantifiers with • timestamp variables • index variables
- 20. exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) !20 Hybrid Logic of Signals Expressing CPS requirements HLS allows using existential and universal quantifiers with • timestamp variables • index variables • real-valued variables
- 21. exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) !21 Hybrid Logic of Signals Expressing CPS requirements HLS allows using existential and universal quantifiers with • timestamp variables • index variables • real-valued variables HLS supports specifications that use
- 22. !22 Hybrid Logic of Signals Expressing CPS requirements exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) HLS allows using existential and universal quantifiers with • timestamp variables • index variables • real-valued variables HLS supports specifications that use • a signal at a certain timestamp
- 23. !23 Hybrid Logic of Signals Expressing CPS requirements exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) HLS allows using existential and universal quantifiers with • timestamp variables • index variables • real-valued variables HLS supports specifications that use • a signal at a certain timestamp • a signal at a certain index
- 24. !24 Hybrid Logic of Signals Expressing CPS requirements exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) HLS allows using existential and universal quantifiers with • timestamp variables • index variables • real-valued variables HLS supports specifications that use • a signal at a certain timestamp • a signal at a certain index • the timestamp of an index (and vice versa)
- 25. HLS allows using existential and universal quantifiers with • timestamp variables • index variables • real-valued variables HLS supports specifications that use • a signal at a certain timestamp • a signal at a certain index • the timestamp of an index (and vice versa) • expressions combining timestamps, indices, and real-valued variables !25 Hybrid Logic of Signals exists 𝜌 such that (𝜌<1.5 and forall σ0 in [0;5] such that ((mode @i σ0 ) = 0 and (mode @i (σ0 + 1)) = 3) implies exists τ0 in [0s;10s] such that (ang-rate @t (τ0 + i2t(σ0 )) < 𝜌))) Expressing CPS requirements
- 26. Section title Text Title in Arial Bold 24 pt Optional: subtitle in Arial 14 !26 ThEodorE
- 27. !27 ThEodorE Logic-based TracE checkEr for HLS ThEodorE: • Reduces trace-checking problem to a SMT problem • Allows the use of efficient off-the-shelf SMT solvers
- 28. !28 ThEodorE Logic-based TracE checkEr for HLS
- 29. !29 Optional: subtitle in Arial 14 Evaluation
- 30. !30 Evaluation • RQ1 (Expressiveness): To which extent can Hybrid Logic of Signals express requirements from industrial CPS applications? • RQ2 (Applicability): Can ThEodorE verify CPS requirements on industrial execution traces? Research questions
- 31. !31 Evaluation RQ1 (Expressiveness) • We considered 212 industrial requirements from ESAIL • We compared the expressiveness of the Hybrid Logic of Signals (HLS) with SB-TempPsy-DSL and STL
- 32. !32 Evaluation RQ1 (Expressiveness) The answer to RQ1 is that HLS could express all the requirements of our case study, many more than SB-TemPsy-DSL (+31%) and STL (+51%).
- 33. !33 Evaluation RQ2 (Applicability) • We considered 747 trace-requirement combinations • We compared the applicability of ThEodorE with SB-Tempsy-Check and Breach
- 34. !34 Evaluation RQ2 (Applicability) The answer to RQ2 is that ThEodorE computed a verdict for 74.5% trace-requirement combinations. ThEodorE produced a verdict for 67.9% of the 337 trace-requirement combinations that could not be checked by the other tools.
- 35. !35 Optional: subtitle in Arial 14 Conclusions
- 36. !36 Conclusions Conclusions • The goal of this work is to support engineers in verifying and validating CPS • We proposed • Hybrid Logic of Signals: a language to express complex industrial CPS requirements • ThEodorE: an efficient trace-checking tool that can analyse requirements expressed using the Hybrid Logic of Signals
- 37. !37 Conclusions Conclusions • HLS was able to express all the CPS requirements • HLS supported a much wider set of properties than other languages • ThEodorE checked most of the requirements within practical time limits
- 38. Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap Claudio Menghi University of Luxembourg [email protected] Enrico Viganò University of Luxembourg [email protected] Domenico Bianculli University of Luxembourg [email protected] Lionel C. Briand University of Luxembourg, University of Ottawa [email protected]