Language Inclusion Checking of Timed Automata Based on Property Patterns
Abstract
:1. Introduction
2. Background of Timed Automata
- Constants and variables: the constants will not be modified when the model is running, e.g., the expression #define A 10, which defines the value of a constant A to be 10; the variables can be modified, expressed as var B:{0..100} = 50, which defines the variable B, where the initial value is 50 and the range of B is 0 to 100.
- Channel events: the channel events indicate the processes sending or accepting messages. Assume c is the channel name, then represents that a message is sent and represents the acceptance of a message.
- Transitions: the complete representation is ‘Clock: <clock constraint> [transition condition] event {operations} Clockreset:{clocks}’. The event will be executed when the clock constraint and the transition condition are satisfied. Some operations can be performed at the same time, e.g., changing the values of the variables. Clockreset means to reset the clocks in {} to zero.
3. Property Patterns Based on Timed Automata
- Name of property pattern: AbsenceProblem to be solved: An event must not occur within a certain amount of time.Solution: The patterns Absence-1 and Absence-2 are shown in Figure 2. For the self-transition in Absence-1, there is a clock constraint x > k which means that event a can only occur after k time units. The difference between Absence-2 and Absence-1 is whether the clock x is reset on the self-transition, which means that the time between two occurrences of event a must be larger than k time units. Event a may occur many times and also may never occur because there is no state invariant on or .
- Name of property pattern: ExistenceProblem to be solved: An event must occur within a certain amount of time.Solution: The patterns Existence-1, Existence-2 and Existence-3 are shown in Figure 3. Due to the state invariant x ≤ k on the states and the clock constraint x ≤ k on the transitions, we can make sure that event a occurs within k time units. Existence-1 indicates that event a can occur many times and the time between two successive occurrences must be within k time units due to the resetting of the clock x. In the patterns Existence-2 and Existence-3, the first occurrence of event a must be within k time units. Event a only occurs once within k time units in Existence-2, while it can happen many time in Existence-3 after the first occurrence.
- Name of property pattern: ResponseProblem to be solved: An event must always be followed by another event within a certain amount of time.Solution: The patterns Response-1 and Response-2 are shown in Figure 4. The state invariant x ≤ k on the states and the clock constraint x ≤ k on the transitions denotes the inevitability of the situation that event b follows event a within k time units. In addition, Response-1 indicates that event b can only occur after event a, while the self-transition on in Response-2 indicates that even if the event a does not occur, event b can occur separately.
- Name of property pattern: PrecedenceProblem to be solved: An event must always be preceded by another event within a certain amount of time.Solution: The patterns Precedence-1, Precedence-2, Precedence-3 and Precedence-4 are shown in Figure 5. Precedence-1 denotes that when event a occurs, the clock x is reset to zero. After that, if event b occurs, it must not be within k clock units, during which event a may continue to happen multiple times because of the self-transition on . Precedence-2 denotes that after event a, if event b occurs, it must be within k time units, during which event a can also occur many times. Precedence-3 and Precedence-4 are similar to the above. The only difference is that the occurrence time point of event b is related to the last occurrence of event a due to the clock resetting on the self-transitions from and .
- Name of property pattern: ChainProblem to be solved: A sequence of events must occur in order within a certain amount of time.Solution: The pattern Chain is shown in Figure 6. The state invariant x ≤ k on , and and the clock constraint x ≤ k on the transitions (together with events a, b and c sequentially) ensure that the system will finally transit to within k time units. Before or after the sequence happens, events a, b and c can occur arbitrarily.
- Name of property pattern: Occurrence timesProblem to be solved: An event must occur several times in a certain amount of time.Solution: The pattern Occurrence times is shown in Figure 7. There are state invariants x ≤ k on the states and clock constraint x ≤ k on the transitions, which indicates that event a must occur three times within k clock units. After that, event a can happen arbitrarily.
4. Language Inclusion Checking of Timed Automata
4.1. The Transformation before the Verification
- Convert the transition to ;
- For any transition and any clock constraint in , if , then is conjuncted with ; otherwise, it is ignored.
4.2. Synchronous Product with Concerned Events
- (1)
- For and the transition from , if , then its successor is such that . In this case, is used to represent the successors of .
- (2)
- For and the transition from , if :
- (a)
- A set of transitions is represented by as follows. For any and any transition in , the is added into . For any , the corresponding name of the clock in is ; for any , the corresponding one in is . For any , if , then ; otherwise, . The pending R will be explained in step c.
- (b)
- Since N needs to be determinized, the clock constraints of all the transitions in should be mutually exclusive. is a set of clock constraints in which each element is a clock constraint. For every transition in , conjuncts either the transition guard or the negation. As a result, the elements in are mutually exclusive. If a clock constraint on a transition is negated, this transition is disabled; otherwise, it is enabled.
- (c)
- For each , the successors of are generated as follows: (i) For any and any transition , if is true, then . (ii) Two clock sets are used here: and . For any and any clock , if and hold, add c into ; if and hold, add c into . (iii) For any clock c in , a clock in satisfying is chosen. For any , if holds, then is modified to . (iv) Let , with which .
4.3. Timed Automata Language Inclusion Checking Algorithm with Concerned Events
Algorithm 1 Timed Automata Language Inclusion Checking Algorithm with Concerned Events |
Input: timed automata M and N Output: verification result ( or )
|
5. Case Study
5.1. Modeling of the Water Disposal System
5.2. Models and Verification of System Properties
- The verification results of the assertions #assert System deadlockfree and #assert SystemWithAttacker deadlockfree are both true (through 184 states and 230 transitions and 91,146 states and 178,546 transitions, respectively), indicating that the deadlocks never occur in System and SystemWithAttacker.
- The verification result of the assertion #assert System ∣=[](WLToSen-WLToCtrl) is true (through 184 states and 230 transitions), indicating that the event WLToCtrl always happens after WLToSen, which means that the occurrence of WLToCtrl is inevitable after the event WLToSen.
- If an attack with the event FalseHL happens, the values of H or L will exceed the warning water levels. Then the event CorrectHL in the Configuration will recover the H and L. The verification result of the assertion #assert SystemWithAttacker∣=[](FalseHL- CorrectHL) is true (through 81,544 states and 206,839 transitions). This indicates that the event CorrectHL always happens after the event FalseHL, which means that the values of H and L can be recovered after an attack.
- If the attacks always happen, the CtrlWithCon will often send a message to the Configuration with the event ObtainHL to obtain the correct values of H and L. The verification result of the assertion #assert SystemWithAttacker ∣=[]ObtainHL is true (through 81,770 states and 183,929 transitions). This indicates that the event ObtainHL can always happen, which means that CtrlWithCon can detect the attacks.
- The property Resp is modeled by using the property pattern Resp-1, which detects whether the Sensor can send the messages to the Controller in time. The assertion in the PAT is: #assert System refines<T> Resp. The verification result is true (through 184 states and 230 transitions), indicating that when the Sensor receives the message WLToSen sent from the Heater, it can send the message WLToCtrl to the Controller in one time unit. If the clock constraint is changed to , the verification result is false. The above verification with LTL (#assert System ∣=[](WLToSen-WLToCtrl)) gives the result that the event WLToCtrl always happens after WLToSen. This verification further shows that the event WLToCtrl always happens after WLToSen in one time unit.
- The property Pre is modeled based on the property pattern Precedence-2. In Figure 9, we set the attack interval to be at least five time units and the detecting interval of the CtrlWithCon to be six time units. As the CtrlWithCon shown in Figure 9, if the conditions H > SH or L < SL are met, the Configuration will receive a message from CtrlWithCon to obtain the correct values of H and L and reply with the event CorrectHL. The property Pre verifies whether the controller could receive the messages with correct values of H and L, after the Attacker sends error messages, i.e., the event FalseHL. FalseHL can occur many times before CtrlWithCon notices it (i.e., the event ObtainHL), because the attacker can launch the attacks continuously (see the self-transition on the state Recover). The clock x is ticking after the first occurrence of FalseHL. The assertion is: #assert SystemWithAttacker refines<T> Pre. The verification result is true (through 36,094 states and 71,836). If the number in the clock constraint is changed to a smaller one, then the verification result is false. This means that the system is able to recover within seven time units after being attacked. The above verification with LTL (#assert SystemWithAttacker∣=[](FalseHL- CorrectHL)) gives the result that the event CorrectHL always happens after the event FalseHL. This verification further shows that the event CorrectHL always happens after the event FalseHL in seven time units.
- The property Existence is modeled based on the property pattern Existence-1. The assertion is: #assert SystemWithAttacker refines<T> Existence. The verification result of the property Existence is true (through 33,889 states and 67,375 transitions). This means that the system is able to examine whether the system is under attack within six time units, which shows that the system can automatically recover after being attacked. The above verification with LTL (#assert SystemWithAttacker ∣=[]ObtainHL) gives the result that the event ObtainHL can always happen if the attacker exists. This verification further shows that the time between two successive occurrences of the event ObtainHL is at most six time units.
5.3. Evaluation of the Algorithm
6. Related Work
7. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Alur, R.; Dill, D.L. A theory of timed automata. Theor. Comput. Sci. 1994, 126, 183–235. [Google Scholar] [CrossRef] [Green Version]
- Wang, T.; Sun, J.; Liu, Y.; Wang, X.Y.; Li, S.P. Are timed automata bad for a specification language? language inclusion checking for timed automata. Notes Comput. Sci. 2014, 156, 310–325. [Google Scholar]
- Jiang, K.; Guan, C.; Wang, J. Model checking coordination of CPS using timed automata. In Proceedings of the IEEE Computer Software and Applications Conference, Tokyo, Japan, 23–27 July 2018. [Google Scholar]
- Chen, G.; Jiang, Z. Environment Modeling During Model Checking of Cyber-Physical Systems. J. Comput. 2021, 54, 49–58. [Google Scholar]
- Kunz, G.; Machado, J.; Perondi, E. Using timed automata for modeling, simulating and verifying networked systems controllers specifications. Neural Comput. Appl. 2017, 28, 1031–1041. [Google Scholar] [CrossRef]
- Arcile, J.; André, É. Timed automata as a formalism for expressing security: A survey on theory and practice. ACM Comput. Surv. 2022, accepted. [Google Scholar] [CrossRef]
- Krichen, M.; Alroobaea, R. A new model-based framework for testing security of IOT systems in smart cities using attack trees and price timed automata. In Proceedings of the International Conference on Evaluation of Novel Approaches to Software Engineering, Heraklion, Greece, 4–5 May 2019. [Google Scholar]
- Christoph, C.; Uwe, Z. On the understandability of temporal properties formalized in linear temporal logic, property specification patterns and event processing language. IEEE Trans. Softw. Eng. 2020, 46, 100–112. [Google Scholar]
- Tripakis, S. Verifying progress in timed systems. In Proceedings of the International Amast Workshop on Formal Methods for Real-Time and Probabilistic Systems, Bamberg, Germany, 26–28 May 1999. [Google Scholar]
- Sun, J.; Yang, L.; Dong, J.S. Model checking CSP revisited: Introducing a process analysis toolkit. In Proceedings of the Leveraging Applications of Formal Methods, Verification and Validation, Porto Sani, Greece, 13–15 October 2008. [Google Scholar]
- Larsen, K.G.; Pettersson, P.; Wang, Y. Uppaal in a nutshell. Int. J. Softw. Tools Technol. Transf. 1997, 1, 134–152. [Google Scholar] [CrossRef]
- Huang, S.; Zhou, C.J.; Yang, S.H.; Qin, Y.Q. Cyber-physical system security for networked industrial processes. Int. J. Autom. Comput. 2015, 12, 567–578. [Google Scholar] [CrossRef] [Green Version]
- Lin, S.W.; Liu, Y.; Sun, J.; Dong, J.S. Automatic compositional verification of timed systems. In Proceedings of the International Symposium on Formal Methods, Heraklion, Greece, 15–18 October 2012. [Google Scholar]
- Alur, R.; Fix, L.; Henzinger, T.A. Event-clock automata: A determinizable class of timed automata. Theor. Comput. Sci. 1999, 211, 253–273. [Google Scholar] [CrossRef] [Green Version]
- Geeraerts, G.; Raskin, J.F.; Sznajder, N. On regions and zones for event-clock automata. Form. Methods Syst. Des. 2014, 34, 330–380. [Google Scholar] [CrossRef] [Green Version]
- Ouaknine, J.; Worrell, J. On the language inclusion problem for timed automata: Closing a decidability gap. In Proceedings of the Symposium on Logic in Computer Science, Turku, Finland, 17 July 2004. [Google Scholar]
- Clemente, L.; Lasota, S.; Piórkowski, R. Determinisability of one-clock timed automata. In Proceedings of the International Conference on Concurrency Theory, Dagstuhl, Germany, 1–4 September 2020. [Google Scholar]
- An, J.; Chen, M.; Zhan, B.; Zhan, N.; Zhang, M. Learning one-clock timed automata. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Dublin, Ireland, 25–30 April 2020. [Google Scholar]
- Suman, P.V.; Pandya, P.K.; Krishna, S.N.; Manasa, L. Timed automata with integer resets: Language inclusion and expressiveness. In Proceedings of the Formal Modeling and Analysis of Timed Systems, Saint Malo, France, 5 September 2008. [Google Scholar]
- Bouyer, P.; Fahrenberg, U.; Larsen, K.G.; Markey, N.; Quaknine, J.; Worrell, J. Model checking real-Time systems. In Handbook of Model Checking; Springer: Berlin/Heidelberg, Germany, 2018; pp. 1001–1046. [Google Scholar]
- Lorber, F.; Rosenmann, A.; Nickovia, D.; Aichernig, B.K. Bounded determinization of timed automata with silent transitions. In Proceedings of the Formal Modeling and Analysis of Timed Systems, Madrid, Spain, 2–4 September 2015. [Google Scholar]
- Aichernig, B.K.; Lorber, F. On-the-Fly determinization of bounded networks of timed automata. In Proceedings of the International Symposium on Theoretical Aspects of Software Engineering, Shanghai, China, 17–19 July 2016. [Google Scholar]
- André, É. What’s decidable about parametric timed automata? Int. J. Softw. Tools Technol. Transf. 2019, 21, 203–219. [Google Scholar] [CrossRef] [Green Version]
- André, É.; Kryukov, A. Parametric non-interference in timed automata. In Proceedings of the International Conference on Engineering of Complex Computer Systems, Singapore, 28–31 October 2020. [Google Scholar]
- Bezdek, P.; Benes, N.; Cerna, I.; Barnat, J. On clock-aware LTL parameter synthesis of timed automata. J. Log. Algebr. Methods Program. 2018, 99, 114–142. [Google Scholar] [CrossRef]
- Bouyer, P.; Markey, N.; Sankur, O. Robustness in timed automata. In Proceedings of the 7th International Workshop on Reachability Problems, Uppsala, Sweden, 24–26 September 2013. [Google Scholar]
- Bendik, J.; Sencan, A.; Gol, E.A.; Cerna, I. Timed Automata Robustness Analysis via Model Checking. arXiv 2021, arXiv:2108.08018. [Google Scholar] [CrossRef] [PubMed]
- Kolbl, M.; Leue, S.; Wies, T. Clock bound repair for timed systems. In Proceedings of the International Conference on Computer Aided Verification, New York, NY, USA, 15–18 July 2019. [Google Scholar]
- Ergurtuna, M.; Yalcinkaya, B.; Gol, E.A. An automated system repair framework with signal temporal logic. Acta Inform. 2022, 59, 183–209. [Google Scholar] [CrossRef]
- Dwyer, M.B.; Avrunin, G.S.; Corbett, J.C. Patterns in property specifications for finite-state verification. In Proceedings of the International Conference on Software Engineering, Los Angeles, CA, USA, 16–22 May 1999. [Google Scholar]
- Gruhn, V.; Laue, R. Patterns for timed property specifications. Electron. Notes Theor. Comput. Sci. 2006, 153, 117–133. [Google Scholar] [CrossRef] [Green Version]
- Konrad, S.; Cheng, B.H.C. Real-time specification patterns. In Proceedings of the International Conference on Software Engineering, St. Louis, MI, USA, 15–21 May 2005. [Google Scholar]
- Dong, J.S.; Hao, P.; Qin, S.; Sun, J.; Wang, Y. Timed automata patterns. IEEE Trans. Softw. Eng. 2008, 34, 844–859. [Google Scholar] [CrossRef]
- Abid, N.; Zilio, S.D.; Botlan, D.L. Real-Time specification patterns and tools. In Proceedings of the International Workshop on Formal Methods for Industrial Critical Systems, Paris, France, 27–28 August 2012. [Google Scholar]
- Ge, N.; Pantel, M.; Zilio, S.D. Formal verification of user-level real-time property patterns. In Proceedings of the International Symposium on Theoretical Aspects of Software Engineering, Guangzhou, China, 29–31 August 2018. [Google Scholar]
System | Time (in s) (A1) | Visited States (A1) | Time (in s) (A2) | Visited States (A2) |
---|---|---|---|---|
FIS×7(1) | 3.7 | 20.0 K | 3.3 | 20.0 K |
FIS×8(1) | 23.8 | 91.6 K | 20.5 | 91.6 K |
RW×6(6) | 5.6 | 23.3 K | 4.9 | 23.3 K |
RW×7(1) | 10.3 | 99.5 K | 9.1 | 99.5 K |
LYN×5(2) | 1.8 | 8.1 K | 1.7 | 8.1 K |
LYN×6(1) | 3.2 | 16.8 K | 2.8 | 16.8 K |
FDDI×7(7) | 6.3 | 1.2 K | 5.7 | 1.2 K |
CSMA×5(1) | 0.2 | 0.9 K | 0.2 | 0.9 K |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Wang, T.; Shen, Y.; Chen, T.; Ji, B.; Zhu, T.; Lv, M. Language Inclusion Checking of Timed Automata Based on Property Patterns. Appl. Sci. 2022, 12, 12946. https://doi.org/10.3390/app122412946
Wang T, Shen Y, Chen T, Ji B, Zhu T, Lv M. Language Inclusion Checking of Timed Automata Based on Property Patterns. Applied Sciences. 2022; 12(24):12946. https://doi.org/10.3390/app122412946
Chicago/Turabian StyleWang, Ting, Yan Shen, Tieming Chen, Baiyang Ji, Tiantian Zhu, and Mingqi Lv. 2022. "Language Inclusion Checking of Timed Automata Based on Property Patterns" Applied Sciences 12, no. 24: 12946. https://doi.org/10.3390/app122412946
APA StyleWang, T., Shen, Y., Chen, T., Ji, B., Zhu, T., & Lv, M. (2022). Language Inclusion Checking of Timed Automata Based on Property Patterns. Applied Sciences, 12(24), 12946. https://doi.org/10.3390/app122412946