Università degli Studi di Pisa
Dipartimento di Informatica
Dottorato di Ricerca in Informatica
Ph.D. Thesis: TD-2/03
An automaton-theoretic approach to safety and security in real-time systems
Ruggero Lanotte
March 2003
Thesis supervisor: Prof. Andrea Maggiolo-Schettini
Abstract

Hybrid Systems are automata equipped with variables. Constraints on these variables are expressed in Mathematical Logics. Hybrid Systems are used for modeling embedded systems and time-dependent processes. In these fields safety and security are among the main requirements that a system must satisfy, hence the interest in ways to express and prove these properties. The aim of the thesis is to extend the classical classes of Hybrid Systems and to study safety and security properties of real-life systems. For this purpose, we consider different subclasses of Higher Order Mathematical Logics over real variables, integer variables, arrays with infinitely many elements and parameters. We recall four classes, contained in First Order Mathematical Logics, for which the satisfiability problem of a formula is known to be decidable. We consider two new classes of Higher Order Mathematical Logics, in which arrays can be quantified, and we prove decidability of satisfiability for them. We then define the classes of Hybrid Systems whose constraints are expressed in the subclasses of Mathematical Logic mentioned above. For these systems we prove expressiveness results, and we show that reachability and invariant properties are semi-decidable. We give an algorithm based on predicate transformation to compute the predecessor and successor steps of a given set of states. As an application we study safety in a temperature control system and in a web browser. To study security properties we define a Timed Information Flow Logic. We give an algorithm, which may not terminate, for verifying whether a Hybrid System satisfies a formula of this logic. Moreover, we prove a decidability result for this problem when a special class of Hybrid Systems and a special class of Timed Information Flow Logic formulae are considered. As an example we model a problem of web privacy.
Acknowledgments

First of all I wish to thank my supervisor Andrea Maggiolo-Schettini for his help and encouragement during these three years. I also thank Adriano Peron and Simone Tini for their collaboration and friendship. Thanks to my external referees Luca de Alfaro and Radu Grosu for their careful reading of my thesis and for their comments and suggestions. Finally, let me switch to Italian ... to thank my parents Antonio and Fiorenza, and my sister Cristina, for having always supported me. A special thanks to Ilaria and to my friends.
Contents

1 Introduction
  1.1 Mathematical Logics
  1.2 Hybrid Systems
  1.3 Safety
  1.4 Security
  1.5 Motivation and results of the thesis
  1.6 Organization of the thesis

2 Quantified Formulae
  2.1 Basic Notions
    2.1.1 Vectors
    2.1.2 Identifiers
  2.2 Quantified Formulae
  2.3 Subclasses
    2.3.1 Subclasses of Φ
    2.3.2 BD-Formulae free on k
    2.3.3 S-Formulae
  2.4 Quantifier Elimination
    2.4.1 Φ_L, Φ_Par and Φ_P Formulae
    2.4.2 Φ_Int Formulae
    2.4.3 BD-Formulae free on k
    2.4.4 Quantifier Elimination on S-Formulae
  2.5 Decidability of Satisfiability
    2.5.1 Discussion

3 Hybrid Systems with Identifiers
  3.1 The Formalism
  3.2 Composition
  3.3 Subclasses
    3.3.1 Polynomial Hybrid Systems
    3.3.2 Linear Hybrid Systems
    3.3.3 Linear Hybrid Systems with Parameters
    3.3.4 Linear Hybrid Systems with Integers
    3.3.5 BD-Hybrid Systems
    3.3.6 S-Hybrid Systems
  3.4 Expressiveness

4 Reachability
  4.1 The Reachability Problem
    4.1.1 Regions and Operators on Regions
    4.1.2 Forward and Backward Analysis
  4.2 Semi-Decidability of Reachability
    4.2.1 Semi-decidability for H_Int
    4.2.2 Semi-decidability for H_Par
    4.2.3 Semi-decidability for H_BD^k
    4.2.4 Semi-decidability for H_S
  4.3 Semi-decidability of Negation of Invariants
  4.4 Some Examples
    4.4.1 The Cache of a browser
    4.4.2 Temperature Control System
  4.5 Discussion

5 Timed Information Flow Logic
  5.1 Timed sequences
  5.2 Observability Declaration
  5.3 Timed Information Flow Logic
    5.3.1 The expressions on observable timed sequences
    5.3.2 Formulae on non observable timed sequences
    5.3.3 The logic
  5.4 An Algorithm
    5.4.1 Construction of H^ψ
    5.4.2 Visit of H ⊗ H^ψ
  5.5 Applicability
    5.5.1 Subclasses
    5.5.2 Verifying Authentication Protocols

6 A Decidable Class
  6.1 Timed Systems
    6.1.1 The formalism
    6.1.2 Region of Timed Systems
  6.2 Multiplying by a constant
  6.3 Decidability
    6.3.1 Equivalence relation
    6.3.2 Clock zones
    6.3.3 The algorithm CheckPsi*
  6.4 Discussion

7 Conclusions and Future Works

Bibliography
Chapter 1
Introduction

The notion of finite automaton was developed in the fifties with neuron nets and switching circuits in mind. Later, finite automata served as a useful tool in the design of lexical analyzers ([53]). The subject of finite automata on infinite sequences and infinite trees was established in the sixties by Büchi [24], McNaughton [75] and Rabin [81]. Their work opened connections between automata theory and other fields (for example logic), and provided a theory which is fundamental for those areas of computer science where non-terminating computations are studied. Automata and related logics have been used to specify and verify systems.
Hybrid Systems are automata equipped with variables. Constraints on these variables are expressed in Mathematical Logics. Hybrid Systems are used for modeling embedded systems (see [9]) and time-dependent processes (see [55]). In these fields safety and security properties are among the main requirements that a system must satisfy, hence the interest in ways to express and prove these properties.
1.1 Mathematical Logics

Mathematical Logics are a branch of First Order Logics. They consider quantified formulae where the variables are either reals or integers, the functions are those in {+, ·} and the relations those in {<, >, ≤, ≥}. The satisfiability problem asks whether there exist values for the free variables which satisfy a given formula. Satisfiability is in general undecidable for polynomial formulae over integer variables (see [74]). Different classes are considered to avoid this difficulty. To prove decidability, usually an algorithm based on quantifier elimination is provided. Given a formula with a quantified variable, quantifier elimination is the problem of finding an equivalent formula without the quantifier. The formulae may contain either real variables or integer variables. In [37] quantifier elimination for linear formulae over real variables is studied. Tarski in [86] considers the general case of polynomial formulae over real variables. For exponential formulae, quantifier elimination exists in some cases (see [73]). In the case of integer variables, satisfiability of quantifier-free linear formulae is decidable (see [68]). For first order logic on linear formulae with integer variables (Presburger Arithmetic), [51] gives a quantifier elimination algorithm which introduces congruences modulo a natural number. When one tackles formulae with mixed integer and real variables, the quantifier elimination techniques developed for the real field still apply, whereas those developed for integer variables do not. In [93] a quantifier elimination algorithm for mixed variables is proposed; together with congruences modulo a natural number, it uses a function giving the integer part of a real value.
1.2 Hybrid Systems

Often the systems one wants to model are control systems embedded in an environment from which stimuli may come according to different laws. As an example, sensors controlling temperature or water level may have a non-linear evolution law. Hybrid Systems have been introduced to describe such situations (see [9] and [10]). A hybrid system consists of a finite number of locations, variables and transitions. In each location the variables change their values as a function of the time elapsed and satisfy, at each instant, a formula called the invariant. The system can take a transition to move from one location to another. The transition is labeled with a formula that gives the values of the variables triggering the transition and their new values after the transition has been performed.
Different variants of this model have been considered. Classes are usually distinguished by the mathematical logic used to model the system. In linear hybrid systems each formula is a linear formula on real variables, and in each location the variables change their values linearly with time; the rate at which a variable changes its value with time is called its evolution rate. Timed Automata, Multirate Automata and Integrator Automata ([11] and [9]) are subclasses of linear hybrid automata. In [58] linear hybrid systems are extended with polynomial formulae on transitions and in invariants, but linear formulae are still assumed for the evolution rates. The general case of polynomial formulae on real variables is considered in [43] and [44]. In [60] monotonic activities are studied.
The importance of real-time considerations has made Timed Systems ([11]) one of the most studied subclasses. System states and transitions are annotated with conditions on time and with resets of finitely many clocks. Various problems have been investigated (e.g. the expressiveness of the model), both under the discrete and under the dense time assumption (see also [48]). To describe more general situations and to model concurrent systems, various extensions have been proposed (see [13], [21], [28], [33], [62], [63] and [64]).
Parameters are useful to describe an abstract system in which some values are not yet available. They are also important to study for which values of the parameters a system satisfies some properties. Hybrid systems with parameters have been studied. In the linear hybrid systems of [9], parameters are variables with evolution rate zero, namely variables which do not change their values with time. Such parameters can only describe abstract constants, not an abstract evolution rate or an abstract coefficient of a variable. The motivation for this restriction is the preservation of the linear form of regions. For the subclass of timed automata (see [11]), in [20] parameters are introduced to describe abstract constants, and in [54] conditions are given under which reachability is decidable.
1.3 Safety

Among the major requirements that a system must satisfy are safety properties. Knowing whether properties such as "a certain state must not be reached" and "whenever a certain location is reached, a certain property is satisfied" hold is useful in the design of a system. Safety properties can easily be described by means of the reachability and invariant problems, but undecidability results hold for many cases with a dense time domain (see [9]). There are algorithms for the simple cases where decidability holds; they visit the graph of regions, where a region encapsulates infinitely many valuations ([11], [58] and [13]). In the undecidable cases one can partially solve the problem by symbolic verification (see [9] and [18]). Another method is to use verification rules for proving safety and response properties (see [55], [72] and [71]).
To extend Temporal and Modal logics ([34]) with control and tests on time and on the values of variables, many logics have been proposed ([59], [16], [14] and [17]). These logics extend the classical temporal operators, such as "until" or "next", with control on time, expressed either simply by an interval on the temporal operator or, more generally, by a quantification, while to check the values of variables constraints on variables suffice.
An undecidability result holds for these logics if a dense time domain is assumed ([16], [14] and [17]). There are algorithms for the simple decidable cases which visit the graph of regions, where a region encapsulates infinitely many valuations ([8], [16] and [35]). A different way to obtain decidability is to relax punctuality, i.e. to forbid singleton intervals (see [15] and [67]). Symbolic model-checking methods ([16] and [8]) have also been proposed for these logics. To make checking easier, different abstractions are considered: substitutions (see [79]), bisimulation (see [19]) and the use of a discrete time domain as an approximation of the dense time case (see [49] and [61]).
1.4 Security

Born in the seventies, security has become one of the main requirements a system must satisfy. In particular in these years, when networks, distributed systems and mobility are widely used, the role of security, and hence of the protection of private information, has become essential. Different aspects have been considered:
Secrecy. Protected information must remain confidential with respect to unauthorized agents.
Integrity. Protected information must not be modified by unauthorized agents.
Authentication. An agent cannot lie about its identity.
Denial of service. Services must be available at all times.
A successful approach is to study the information flow of a system. More precisely, one wants a non-authorized agent to be unable to deduce anything about the activities of secret agents. Several papers (see, among others, [39, 38, 42, 90, 91]) dealing with information flow consider two-level systems, where the high level (or secret) behavior is distinguished from the low level (or observable) one. In these papers a system has no information flow from the high level to the low level if the secret behavior cannot influence the observable one or, equivalently, if no information on the observable behavior permits to infer information on the secret one.
Introducing logics for specific security problems is known in the literature. As an example, [1], [2] and [3] introduce logics for analyzing cryptographic protocols in terms of belief. These logics are useful for uncovering flaws in protocols. In [85] a protocol is presented to show that these logics are not expressive enough, and a temporal formalism rich enough to reveal the flaws is proposed.
To verify security properties two ways are followed: static and dynamic verification. In static analysis, if the security properties pass the tests, then it is guaranteed that there will be no violation at run-time. Different techniques are considered. Type systems for programming languages are studied to prove security properties (see, among others, [92], [89]). Extended versions which tackle distributed systems and the discrete time case have also been studied (see [91], [88], [5] and [6]). In [22] a static technique for the pi-calculus based on Flow Logic (see [78]) is presented. This approach builds on the early studies by Denning (see [29] and [30]), and focuses on the use of channels and values. In [4] an abstract finite category is defined to build a decision procedure for secrecy correctness in security protocols.
Dynamic verification is based on the examination of all possible behaviors of a system. If a security property is not satisfied by a system under dynamic tests, then we are sure that there exists an information flow from secret information to public information. This is different from static analysis: in static analysis, if a system is rejected, it does not follow that at run-time there exists an information flow from secret to public information. Usually a dynamic test costs more in time and space than a static test. In [38], [39] and [40] dynamic verification of an extension of CCS is based on bisimulation. Different non-interference properties are studied: nondeterministic non-interference, two-level non-deducibility on inputs, restrictiveness and non-deducibility on composition. Moreover, interference properties for the analysis of protocols and channels are considered. In [42] a process algebra with discrete time and with time-dependent information flow is defined.
In many cases the probability of events may play a role in information flow. In [7] CCS is extended with operators labeled with probabilities, and the results on nondeterministic non-interference and non-deducibility on composition holding in the case without probability are extended to this model. A different approach captures confidentiality and authentication within CSP ([82]). Symbolic verification is considered in [23]. Extensions to quantify the amount of information passed, and protocol verification with Isabelle following the inductive approach, are studied in [69] and [80].
1.5 Motivation and results of the thesis

The aim of the thesis is to improve the formalism of Hybrid Systems and the related proof methods in order to model real-life systems. The ability to describe both data structures and time is necessary for this purpose. Consider as examples a temperature control system, which strongly depends on time, and programs such as an Internet browser and cryptographic systems, which manage data and therefore require the modeling of data structures. Hybrid Systems allow describing time. We consider an extension of the formalism by introducing arrays with infinitely many elements, which permits to model data structures of fixed, infinite and parametrized length. For the known classes of Hybrid Systems there exists an algorithm based on predicate transformation which yields symbolic model checking and semi-decidability of reachability (which follows from the decidability of satisfiability of the formulae used). We want the same for the subclasses we shall define. Since the arrays considered have infinitely many elements, the satisfiability problem of the new formulae is in general undecidable. Therefore we shall first define classes of formulae which use arrays and prove their decidability.
To prove safety, reachability is sufficient, but to prove security one needs more. The classical non-interference property defined for process algebras is sometimes too strong, since it considers all information flows from the secret level to the observable one. To express more specific properties, also depending on time, we need a suitable logic. We shall argue that existing logics are not sufficient to express security properties which also depend on time, and we shall define an ad hoc logic.
First, we recall four classes, contained in First Order Mathematical Logics, for which the satisfiability problem of a formula is known to be decidable. Then, we define the sets of BD-Formulae free on k and of S-Formulae, which are subsets of Higher Order Mathematical Logics. In the first set of formulae we solve the problem caused by integer variables in polynomial formulae by introducing dependent and bounded integer variables. In the set of S-Formulae we solve the problem that linear formulae pose when passing from First Order Logic to Higher Order Logic by using the form $\exists \vec{id}_1 . \forall h . \exists \vec{id}_2$. We prove that the satisfiability problem for these two classes is decidable.
We consider the classes of Hybrid Systems that have constraints expressed in the subclasses of Mathematical Logic mentioned above. We recall the known classes of Linear Hybrid Systems and Polynomial Hybrid Systems. Then we define the new classes of Hybrid Systems with integer variables, Hybrid Systems with parameters, BD-Hybrid Systems and S-Hybrid Systems. For these systems we prove expressiveness results. We show that the class of Hybrid Systems with parameters is a subset of the class of Polynomial Hybrid Systems, but extends the class of Linear Hybrid Systems. We prove that the class of Polynomial Hybrid Systems is the most expressive among the known classes, but that the new class of BD-Hybrid Systems extends it. Moreover, the new classes of S-Hybrid Systems and Hybrid Systems with integer variables extend the classical class of Linear Hybrid Systems and include cases which cannot be described by BD-Hybrid Systems, and so not by Polynomial Hybrid Systems either.
We show that reachability and invariant properties are semi-decidable. We give an algorithm based on predicate transformation to compute the predecessor and successor steps of a given set of states. Moreover, in the class of Hybrid Systems with Parameters parameters may be used as rates of real variables or as coefficients of linear formulae, which is not permitted in the class of Linear Hybrid Systems. We prove that, to compute for which rates or coefficients a Linear Hybrid System satisfies a given property, it is sufficient to compute the set of rational instances for which the corresponding Hybrid System with Parameters satisfies it. As an application, we study safety in a temperature control system and in a web browser.
To study security properties we define a Timed Information Flow Logic. There are good reasons for introducing it. The first is that specifying information flow properties in the Timed Information Flow Logic is easier, as one expects from a logic designed ad hoc for information flow. The second is that some properties expressible in the Timed Information Flow Logic can be expressed in TPTL only by formulae that are at least exponential in size with respect to the Timed Information Flow Logic formulae, and that are therefore intractable. The third is that the decidable classes of TPTL do not admit punctuality, which is useful in our setting. Moreover, we choose a dense time domain because, in the case of discrete time, one must compute the exact time step which guarantees that what is proved in discrete time holds in real life, where time is dense. Besides, the number of regions, which depends only on the size of the automaton in the case of dense time, depends also on the step in the case of discrete time.
We give an algorithm, which may not terminate, for verifying whether a Hybrid System satisfies a formula of the Timed Information Flow Logic. Moreover, we prove a decidability result for this problem when a special class of Hybrid Systems and a special class of Timed Information Flow Logic formulae are considered. As examples, we model a problem of web privacy and a problem of encryption of a key.
1.6 Organization of the thesis

In Chapter 2, we recall the definition of four subclasses of First Order Logic and we define two new classes of Higher Order Logic. We study the satisfiability of the new classes by means of quantifier elimination.
In Chapter 3, we define the class of Hybrid Systems with identifiers and we consider different subclasses. We prove some expressiveness results.
In Chapter 4, we study the reachability problem by means of symbolic verification for the classes of systems mentioned above. We prove that reachability is semi-decidable for the classes defined. As a consequence, the negation of the invariant problem is semi-decidable. We develop two examples.
In Chapter 5, we define the Timed Information Flow Logic. We give an algorithm to check whether a system satisfies a formula. We show the abilities of the logic with some examples.
In Chapter 6, we define a subclass of Hybrid Systems and a subclass of the Timed Information Flow Logic for which the problem of whether a system satisfies a formula is decidable.
In Chapter 7, we draw some conclusions.
Chapter 2
Quantified Formulae

2.1 Basic Notions

2.1.1 Vectors

Let $A$ be a set; a vector $\vec{s}$ on the set $A$ is a tuple $(s_1, \ldots, s_n)$ with $s_i \in A$, for $1 \le i \le n$. We call $n$ the size of the vector $\vec{s}$ (written $|\vec{s}|$). With $(\vec{s})_i$, for any $1 \le i \le |\vec{s}|$, we denote the $i$-th element $s_i$ of $\vec{s}$. If $|\vec{s}| = 0$ then $\vec{s}$ is the empty vector (denoted by $\vec{\emptyset}$).
Let $\vec{s}_1 = (s^1_1, \ldots, s^1_n)$ and $\vec{s}_2 = (s^2_1, \ldots, s^2_m)$ be two vectors; with $\vec{s}_1 \uplus \vec{s}_2$ we denote the vector $(s^1_1, \ldots, s^1_n, s^2_1, \ldots, s^2_m)$.
2.1.2 Identifiers

A vector of identifiers is a vector $\vec{id} = (id_1, \ldots, id_n)$ of identifiers $id_i$ such that for each $i \ne j$ it holds that $id_i \ne id_j$, i.e. identifiers are pairwise different.
Let $\vec{id}_1$ and $\vec{id}_2$ be two vectors of identifiers; we will use the following terminology:
• $id$ is in $\vec{id}_1$, written $id \in \vec{id}_1$, if and only if there exists $1 \le i \le n$ such that $id = (\vec{id}_1)_i$.
• $\vec{id}_1$ minus $\vec{id}_2$, written $\vec{id}_1 \setminus \vec{id}_2$, is the vector of identifiers such that $id \in \vec{id}_1 \setminus \vec{id}_2$ if and only if $id \in \vec{id}_1$ and $id \notin \vec{id}_2$.
• $\vec{id}_1$ is contained in $\vec{id}_2$, written $\vec{id}_1 \subseteq \vec{id}_2$, if and only if for every $1 \le j \le |\vec{id}_1|$ it holds that $(\vec{id}_1)_j \in \vec{id}_2$.
• The intersection of $\vec{id}_1$ and $\vec{id}_2$, written $\vec{id}_1 \cap \vec{id}_2$, is the vector of identifiers such that $id \in \vec{id}_1 \cap \vec{id}_2$ if and only if $id \in \vec{id}_1$ and $id \in \vec{id}_2$.
With $\vec{id}' = (id'_1, \ldots, id'_n)$ we denote the vector of identifiers marked by $'$, where $id'_i$ represents the new value of the identifier $id_i$, for $1 \le i \le n$.
We note that $\uplus$ applied to two vectors of identifiers may not return a vector of identifiers, because of the requirement that $id_i \ne id_j$. Therefore, if $\vec{id}_1$ and $\vec{id}_2$ are two vectors of identifiers, with $\vec{id}_1 \uplus \vec{id}_2$ we denote the vector $\vec{id}_1 \uplus (\vec{id}_2 \setminus \vec{id}_1)$. As an example, $(x, y) \uplus (z, x)$ becomes $(x, y) \uplus (z) = (x, y, z)$. For other types of vectors the definition of $\uplus$ is unchanged; as an example, $(4, 5) \uplus (5, 7) = (4, 5, 5, 7)$.
Identifiers can be real variables, integer variables, arrays and parameters. We suppose that the names of these classes are disjoint.
Real Variables. A vector of real variables is a vector $\vec{x} = (x_1, \ldots, x_n)$ of variables $x_i$ that assume real values.
Integer Variables. A vector of integer variables is a vector $\vec{k} = (k_1, \ldots, k_n)$ of variables $k_i$ that assume integer values.
Arrays. A vector of arrays is a vector $\vec{a} = (a_1, \ldots, a_n)$ of arrays $a_i$ whose value is a function from integers to reals. This definition avoids "index out of bounds" errors and allows arrays of parametric length.
Parameters. A vector of parameters $\vec{m}$ is a vector $(m_1, \ldots, m_n)$ of parameters $m_i$. Differently from variables, parameters do not change their values. Usually they denote an abstract evolution rate, an abstract upper bound or an abstract coefficient of a variable.
Valuation. Let $\vec{id} = (id_1, \ldots, id_n)$ be a vector of identifiers; a valuation $\vec{v} = (v_1, \ldots, v_n)$ is a vector where:
• for each $1 \le i \le n$, if $id_i$ is a real variable then $v_i \in \mathbb{R}$;
• for each $1 \le i \le n$, if $id_i$ is an integer variable then $v_i \in \mathbb{Z}$;
• for each $1 \le i \le n$, if $id_i$ is an array then $v_i : \mathbb{Z} \to \mathbb{R}$ is a function from integers to reals;
• for each $1 \le i \le n$, if $id_i$ is a parameter then $v_i \in \mathbb{R}$.
With $V(\vec{id})$ we denote the set of valuations of the vector of identifiers $\vec{id}$.
Let $\vec{m}$ be a vector of parameters; a valuation $\vec{v} \in V(\vec{m})$ is also called an instance of the vector of parameters $\vec{m}$.
Note that $V(\vec{\emptyset})$ is the set containing only the empty vector, i.e. $V(\vec{\emptyset}) = \{\vec{\emptyset}\}$.
2.2
Quantified Formulae
→ − → − Let id = (id1 , . . . , idn ) be a vector of identifiers; with P( id) we denote the set of → − → − polynomial terms on id with real coefficients; more precisely, we define τ ∈ P( id) inductively as follows: τ ::= id | a[τ1 ] | c | τ1 + τ2 | τ1 · τ2 → − → − where id ∈ id is either a variable or a parameter, a ∈ id is an array, c ∈ IR and → − → − τ1 , τ2 ∈ P( id). We note that P( ∅ ) = IR. As an example, if x and y are real variables, m is a parameter, a an array and k an integer variable, (9+k ·m·x)·( 32 ·y)+a[k]2 ·y is a term of the set P((x, y, m, a, k)). → − In the definition of P( id) we have considered that an element of an array can be referred to by a generic term τ . With this definition one may have indexes which are not integers. To avoid this problem, we consider only integer terms, i.e. terms that assume integer values. → − We say that a term τ is an integer term on a vector of integer variables k if and → − only if τ ∈ P( k ) and each constant c used in τ is an integer. As an example, the term h2 · k + 10 is an integer term on vector of integer variables (h, k). In the following we suppose that for each a[τ ] which appears in a term, τ is an integer term. We will show that this choice does not cause loss of generality. → − → − → Let τ be a term in P( id) and − v = (v1 , . . . , vn ) be a valuation in V ( id); then → → with − v (τ ) we denote the value of τ with respect to the valuation − v , more precisely: − → v (c) = c → − − → v (id) = vi , if id = ( id)i , for some i → − − → → v (id[τ ]) = vi (− v (τ )), if id = ( id)i , for some i − → → → v (τ1 · τ2 ) = − v (τ1 ) · − v (τ2 ) − → → → v (τ1 + τ2 ) = − v (τ1 ) + − v (τ2 ).
CHAPTER 2. QUANTIFIED FORMULAE
When considering terms without arrays, a term is linear if and only if it is of the form $c_1 \cdot id_1 + \ldots + c_n \cdot id_n + c_{n+1}$, where the $c_i$ are reals. On the other hand, if one considers arrays, the definition must be recursive on the term which is applied to the array. Moreover, we give a definition which considers the possibility of partial linearity, i.e. that the term is linear on a subset of identifiers and not on all of them.

Let $\tau$ be a term in $P(\vec{id}_1)$; we say that $\tau$ is linear on the vector of identifiers $\vec{id}_2 = (id_1, \ldots, id_n, a_1, \ldots, a_m)$ if and only if

• there exist $\tau'_1, \ldots, \tau'_{n+m+1} \in P(\vec{id}_1 \setminus \vec{id}_2)$ such that $\tau$ is equal to
$$\tau'_1 \cdot id_1 + \ldots + \tau'_n \cdot id_n + \tau'_{n+1} \cdot a_1[\tau_1] + \ldots + \tau'_{n+m} \cdot a_m[\tau_m] + \tau'_{n+m+1}$$
• $\tau_1, \ldots, \tau_m$ are linear on $\vec{id}_2$.

We call $\tau'_1, \ldots, \tau'_{n+m}$ the coefficients and $\tau'_{n+m+1}$ the constant of the linear term. Moreover, if $\tau \in P(\vec{id})$ and $\tau$ is linear on the whole vector $\vec{id}$, we simply say that $\tau$ is linear. As an example, the term $z^2 \cdot x - \frac{5}{9} \cdot a[k] + 7 \cdot k^2$ is a linear term on $(x, a)$. Moreover, the term $2 \cdot x - \frac{5}{9} \cdot a[k] + 7 \cdot k$ is linear.
We define the set $\Phi(\vec{id})$ of quantified formulae. We consider the existential quantifier $\exists$ and the universal quantifier $\forall$. The vector of identifiers $\vec{id}$ represents the identifiers which are not quantified.

Let $\vec{id}$ be a vector of identifiers; we define the set of quantified formulae, denoted by $\Phi(\vec{id})$, as follows:

$$\phi ::= \tau \sim 0 \mid \exists id . \phi_0 \mid \forall id . \phi_0 \mid \neg\phi_1 \mid \phi_1 \vee \phi_2 \mid \phi_1 \wedge \phi_2$$

where $\sim \in \{\ \}$, $\tau$ is in $P(\vec{id})$, $id \notin \vec{id}$, $\phi_0 \in \Phi(\vec{id} \uplus (id))$ and $\phi_1, \phi_2 \in \Phi(\vec{id})$.

Sometimes we will write $\exists \vec{id}.\phi$ to denote the existentially quantified formula $\exists id_1 \ldots \exists id_n . \phi$.

We show how to express a term $a[\tau]$, with $\tau$ a non-integer term. It is sufficient to use an integer variable $k$ with $k = \tau$. As an example, $a[x \cdot y] = 5$ can be written as the formula $\exists k . a[k] = 5 \wedge k = x \cdot y$.

Let $\phi$ be a quantified formula; we say that $id$ is quantified in $\phi$ if and only if either $\exists id.\phi_0$ or $\forall id.\phi_0$ is a subformula of $\phi$. If $\phi$ has no quantified identifiers, we say that $\phi$ is simple.

Example 2.2.1 As an example, we give some properties which can be written in $\Phi(\vec{id})$:

• Equality between arrays: $\forall h \in [1, size] . a[h] = b[h]$
• Membership of a value $x$: $\exists k . a[k] = x$
• $k$ is the index of the minimum: $\forall h \in [1, size] . a[h] \ge a[k]$
• Binary array: $\forall h \in [1, size] . a[h] = 0 \vee a[h] = 1$
• Ordering: $\forall h \in [1, size - 1] . a[h] \le a[h + 1]$.

These properties can be formulated also for arrays with an infinite number of elements; as an example, $\forall h \in [1, \infty) . a[h] = b[h]$ means that each element of $a$ at position 1 or greater is equal to the element of $b$ at the same position.

Let $\phi \in \Phi(\vec{id})$ and $\vec{v} \in V(\vec{id})$; $\vec{v}$ satisfies $\phi$, denoted by $\vec{v} \models \phi$, if and only if

$$\begin{array}{lcl}
\vec{v} \models \tau \sim 0 & \text{iff} & \vec{v}(\tau) \sim 0 \\
\vec{v} \models \exists id.\phi_0 & \text{iff} & \text{there exists } v' \in V(id) \text{ s.t. } \vec{v} \uplus (v') \models \phi_0 \\
\vec{v} \models \forall id.\phi_0 & \text{iff} & \text{for any } v' \in V(id) \text{ it holds } \vec{v} \uplus (v') \models \phi_0 \\
\vec{v} \models \neg\phi_1 & \text{iff} & \vec{v} \not\models \phi_1 \\
\vec{v} \models \phi_1 \vee \phi_2 & \text{iff} & \vec{v} \models \phi_1 \text{ or } \vec{v} \models \phi_2 \\
\vec{v} \models \phi_1 \wedge \phi_2 & \text{iff} & \vec{v} \models \phi_1 \text{ and } \vec{v} \models \phi_2.
\end{array}$$
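The term semantics and the satisfaction relation above can be executed directly when every quantifier ranges over an explicit integer interval, as the properties of Example 2.2.1 do. The following Python block is an added example, not code from the thesis: it evaluates terms under a valuation, rejects a non-integer array index (the restriction this section places on $a[\tau]$), and decides $\vec{v} \models \phi$ for formulae whose quantifiers carry a finite bound $[lo, hi]$. The tuple encoding, the bound $[1, size]$ placed on the membership quantifier, and the sample arrays are assumptions of this example.

```python
from typing import Callable, Dict

# Tuple encoding of terms and formulae used in this example (our own choice,
# not a data structure from the thesis):
#   term    ::= ("id", name) | ("arr", name, index_term) | ("const", c)
#             | ("add", t1, t2) | ("mul", t1, t2)
#   formula ::= ("cmp", term, rel)                 # term rel 0, rel in REL
#             | ("exists", name, lo, hi, phi)      # exists name in [lo, hi] . phi
#             | ("forall", name, lo, hi, phi)      # forall name in [lo, hi] . phi
#             | ("not", p) | ("or", p, q) | ("and", p, q)
# A valuation maps a variable or parameter to a number and an array name to a
# function from int to numbers (the f : Z -> R of the thesis).
Valuation = Dict[str, object]

REL: Dict[str, Callable[[object, object], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
}


def evaluate(term: tuple, v: Valuation):
    """v(tau): the value of a term under valuation v, following the five clauses."""
    kind = term[0]
    if kind == "const":
        return term[1]
    if kind == "id":
        return v[term[1]]
    if kind == "arr":
        idx = evaluate(term[2], v)
        # The thesis restricts array indexes to integer terms; enforcing it here
        # turns a non-integer index into an error instead of a silent lookup.
        if idx != int(idx):
            raise ValueError(f"non-integer index {idx} for array {term[1]}")
        return v[term[1]](int(idx))
    if kind == "add":
        return evaluate(term[1], v) + evaluate(term[2], v)
    if kind == "mul":
        return evaluate(term[1], v) * evaluate(term[2], v)
    raise ValueError(f"unknown term {term!r}")


def satisfies(phi: tuple, v: Valuation) -> bool:
    """v |= phi; quantifiers range over the finite interval [lo, hi] carried by the
    formula (an assumption of this example that makes the check terminate)."""
    kind = phi[0]
    if kind == "cmp":
        return REL[phi[2]](evaluate(phi[1], v), 0)
    if kind in ("exists", "forall"):
        _, name, lo, hi, body = phi
        lo_v, hi_v = int(evaluate(lo, v)), int(evaluate(hi, v))
        results = (satisfies(body, {**v, name: c}) for c in range(lo_v, hi_v + 1))
        return any(results) if kind == "exists" else all(results)
    if kind == "not":
        return not satisfies(phi[1], v)
    if kind == "or":
        return satisfies(phi[1], v) or satisfies(phi[2], v)
    if kind == "and":
        return satisfies(phi[1], v) and satisfies(phi[2], v)
    raise ValueError(f"unknown formula {phi!r}")


# Small constructors so the properties read close to the thesis notation.
def ID(n): return ("id", n)
def C(c): return ("const", c)
def ARR(a, t): return ("arr", a, t)
def SUB(t1, t2): return ("add", t1, ("mul", C(-1), t2))
def CMP(t1, rel, t2): return ("cmp", SUB(t1, t2), rel)   # t1 rel t2 as (t1 - t2) rel 0

H, SIZE = ID("h"), ID("size")

# The properties of Example 2.2.1 (membership is bounded to [1, size] here).
ARRAYS_EQUAL = ("forall", "h", C(1), SIZE, CMP(ARR("a", H), "=", ARR("b", H)))
MEMBER_X = ("exists", "k", C(1), SIZE, CMP(ARR("a", ID("k")), "=", ID("x")))
K_IS_MIN = ("forall", "h", C(1), SIZE, CMP(ARR("a", H), ">=", ARR("a", ID("k"))))
BINARY = ("forall", "h", C(1), SIZE,
          ("or", CMP(ARR("a", H), "=", C(0)), CMP(ARR("a", H), "=", C(1))))
ORDERED = ("forall", "h", C(1), SUB(SIZE, C(1)),
           CMP(ARR("a", H), "<=", ARR("a", ("add", H, C(1)))))


def array_of(values, default=0):
    """Turn a finite list (positions 1..n) into the infinite array the thesis uses."""
    return lambda i: values[i - 1] if 1 <= i <= len(values) else default


def check_example_properties() -> Dict[str, bool]:
    """Evaluate the five properties on constructed sample arrays."""
    v = {"size": 4, "x": 4, "k": 2,
         "a": array_of([3, 1, 4, 1]), "b": array_of([3, 1, 4, 1]),
         "c": array_of([1, 0, 1, 1])}
    return {
        "arrays_equal": satisfies(ARRAYS_EQUAL, v),       # a and b agree on [1, 4]
        "member_x": satisfies(MEMBER_X, v),               # 4 occurs in a
        "k_is_min": satisfies(K_IS_MIN, v),               # a[2] = 1 is a minimum
        "binary": satisfies(BINARY, {**v, "a": v["c"]}),  # c is 0/1-valued
        "ordered": satisfies(ORDERED, v),                 # 3,1,4,1 is not sorted
    }


def non_integer_index_is_rejected() -> bool:
    """a[0.5 * 3] has index 1.5, which the integer-term restriction forbids."""
    try:
        evaluate(ARR("a", ("mul", C(0.5), C(3))), {"a": array_of([1, 2])})
    except ValueError:
        return True
    return False
```

Unbounded quantifiers such as the membership formula $\exists k . a[k] = x$ of the example cannot be decided by enumeration; the block therefore requires every quantifier to carry an interval, which is exactly the shape of the bounded variables of section 2.3.2.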
Let $\phi$ be a formula in $\Phi(\vec{id})$; with $\llbracket \phi \rrbracket$ we denote the set of valuations which satisfy $\phi$, more precisely $\llbracket \phi \rrbracket = \{\vec{v} \in V(\vec{id}) \mid \vec{v} \models \phi\}$. Two formulae $\phi_1$ and $\phi_2$ are equivalent if and only if $\llbracket \phi_1 \rrbracket = \llbracket \phi_2 \rrbracket$.

We note that $\forall id.\phi$ is equivalent to $\neg\exists id.\neg\phi$. Moreover, we can denote with $true$ the formula $0 = 0$ and with $false$ the formula $\neg true$. So $true$ and $false$ are in $\Phi(\vec{id})$. The set $\llbracket false \rrbracket$ is equal to the empty set and $\llbracket true \rrbracket$ is equal to $V(\vec{id})$. In particular, if $\phi$ is in $\Phi(\vec{\emptyset})$, then $\phi$ is either equivalent to $true$ (i.e. $\llbracket \phi \rrbracket = V(\vec{\emptyset}) = \{\vec{\emptyset}\}$) or equivalent to $false$ (i.e. $\llbracket \phi \rrbracket = \emptyset$).

Let $\phi \in \Phi(\vec{id}_1)$ be a quantified formula, and $\vec{id}_2$ be a vector of identifiers; we say that $\phi$ is linear on $\vec{id}_2$ if and only if, for each $\tau \sim 0$ which appears in $\phi$, it holds that $\tau$ is linear on $\vec{id}_2$. We say that $\phi$ is linear if and only if, for each $\tau \sim 0$ which appears in $\phi$, it holds that $\tau$ is linear.

Let $\tau_1$ and $\tau_2$ be two terms; with $\phi[\tau_1 := \tau_2]$ we denote the substitution of each occurrence of $\tau_1$ with $\tau_2$ in $\phi$. Let $a$ and $b$ be two arrays; we will write $\phi[a := b]$ to denote the substitution $\phi[a[\tau_1] := b[\tau_1]] \ldots [a[\tau_n] := b[\tau_n]]$, where $\{a[\tau_1], \ldots, a[\tau_n]\}$ is the set of elements of $a$ which appear in $\phi$, i.e. the substitution renames the array $a$ with the array $b$.

For $\phi \in \Phi(\vec{id})$ the satisfiability problem consists in finding whether $\phi$ is not equivalent to $false$. Satisfiability of quantified formulae is in general undecidable. This negative result comes from the fact that it is undecidable for integer variables. As an example,
in [74] it is proved that checking the emptiness of the set $\{\vec{v} \in V(\vec{k}) \mid \vec{v} \models (\tau = 0)\}$ with $\tau \in P(\vec{k})$ is undecidable. Therefore the following corollary holds.

Corollary 2.2.2 Let $\phi \in \Phi(\vec{id})$; it is undecidable whether $\phi$ is satisfiable.

Satisfiability of quantified formulae on real identifiers (i.e. real variables and parameters) is decidable (see [86]). Moreover, if one considers quantified linear formulae on real and integer variables, the satisfiability problem is decidable (see [93]). This last result does not hold if one considers also arrays with infinite elements. In [32] it is proved that if one considers linear formulae with integer variables and functions from integers to integers, satisfiability is undecidable. Here we use arrays from integers to reals, but the following proposition states the undecidability result for quantified linear formulae.

Proposition 2.2.3 Let $\phi \in \Phi(\vec{id})$ such that $\phi$ is linear; it is undecidable whether $\phi$ is satisfiable.

Proof. We reduce the undecidable problem of acceptance of a 2-counter machine to the satisfiability problem. A configuration of a two-counter machine is determined by three numbers $(i, p, q)$. The values $p, q \in \mathbb{N}$ are the values of the machine's counters, and $i \in [0, m]$ is a label. A program of the machine is given by a function $map : [1, m] \to (\{+\} \times \{1, 2\} \times [0, m]) \cup (\{-\} \times \{1, 2\} \times [0, m] \times [0, m])$. If the current configuration of the machine is $(i, p, q)$, then the next configuration is:

• $(j, p + 1, q)$ if $map(i) = (+, 1, j)$ (increment first counter);
• $(j, p - 1, q)$ if $map(i) = (-, 1, j, k)$ and $p > 0$ (decrement first counter);
• $(k, p, q)$ if $map(i) = (-, 1, j, k)$ and $p = 0$ (test first counter for zero);
• $(j, p, q + 1)$ if $map(i) = (+, 2, j)$ (increment second counter);
• $(j, p, q - 1)$ if $map(i) = (-, 2, j, k)$ and $q > 0$ (decrement second counter);
• $(k, p, q)$ if $map(i) = (-, 2, j, k)$ and $q = 0$ (test second counter for zero).

The machine stops when $i = 0$. A configuration $(i, p, q)$ is accepted by the machine if, starting from $(i, p, q)$, it eventually stops on $(0, 0, 0)$. Now, for a given configuration $(i, p, q)$, we construct a linear formula $\phi$ such that $\phi$ is satisfiable if and only if the machine accepts the configuration $(i, p, q)$.

We use three arrays: $pc$, $c_1$ and $c_2$. Let $h$ be a natural; the configuration $(pc[h], c_1[h], c_2[h])$ is the configuration of the machine after $h$ steps. Let $(i, p, q)$ be a configuration of a machine; with $Conf(h, (i, p, q))$ we denote the formula $pc[h] = i \wedge c_1[h] = p \wedge c_2[h] = q$. The formula $Conf(h, (i, p, q))$ expresses the fact that at the $h$-th step the configuration of the machine is $(i, p, q)$.

Now we translate the function $map$. With $Com(h, i)$ we denote the configuration at step $h + 1$ after performing the command $i$ at step $h$. More precisely, $Com(h, i)$ is defined as follows:

• $Com(h, i) = Conf(h + 1, (j, c_1[h] + 1, c_2[h]))$ if $map(i) = (+, 1, j)$;
• $Com(h, i) = (c_1[h] > 0 \Rightarrow Conf(h + 1, (j, c_1[h] - 1, c_2[h]))) \wedge (c_1[h] = 0 \Rightarrow Conf(h + 1, (k, c_1[h], c_2[h])))$ if $map(i) = (-, 1, j, k)$;
• $Com(h, i) = Conf(h + 1, (j, c_1[h], c_2[h] + 1))$ if $map(i) = (+, 2, j)$;
• $Com(h, i) = (c_2[h] > 0 \Rightarrow Conf(h + 1, (j, c_1[h], c_2[h] - 1))) \wedge (c_2[h] = 0 \Rightarrow Conf(h + 1, (k, c_1[h], c_2[h])))$ if $map(i) = (-, 2, j, k)$.

With $\phi_{Prog}$ we denote the formula which ensures that for each $h \ge 0$ the configuration $(pc[h], c_1[h], c_2[h])$ is the configuration of the machine after $h$ steps. More precisely

$$\phi_{Prog} = \forall h \ge 0 . \bigwedge_{i \in [1, m]} pc[h] = i \Rightarrow Com(h, i).$$

So the machine accepts $(i, p, q)$ if and only if the following formula is satisfiable:

$$\phi_{Prog} \wedge Conf(0, (i, p, q)) \wedge \exists k \ge 0 . Conf(k, (0, 0, 0)).$$

In fact, $\phi_{Prog}$ ensures that $(pc[h], c_1[h], c_2[h])$ is the $h$-th configuration of the machine, $Conf(0, (i, p, q))$ ensures that the starting configuration is $(i, p, q)$ and the formula $\exists k \ge 0 . Conf(k, (0, 0, 0))$ ensures that the machine accepts $(i, p, q)$. The formula above is linear and is satisfiable if and only if the machine accepts $(i, p, q)$. $\Box$

The proposition above implies that, in order to use these formulae in Hybrid Systems, we need to define new classes of formulae for which decidability of satisfiability holds. Moreover, since we want to define an algorithm based on predicate transformation, these formulae must be closed under conjunction and existential quantification. In section 2.3, firstly, we recall the classes for which a decidability result for the satisfiability problem is known. Then we define two subclasses of quantified formulae (called BD-Formulae free on $k$ and S-Formulae), and in the formulation of the definitions we shall take into account the considerations above.
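To make the reduction concrete, the following Python block is an added example and not code from the thesis: it runs a two-counter machine according to the six transition cases above, treats the resulting trace as the arrays $(pc[h], c_1[h], c_2[h])$ of the proof, checks that the trace satisfies $\phi_{Prog}$ on its finite prefix, and looks for the witness $k$ of $\exists k \ge 0 . Conf(k, (0, 0, 0))$. The program `DRAIN` and the start configurations are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# A two-counter machine program as in the proof of proposition 2.2.3:
# label i in [1, m] maps to ("+", counter, j) or ("-", counter, j, k).
Config = Tuple[int, int, int]   # (i, p, q): label, first counter, second counter
Program = Dict[int, tuple]

# Constructed sample program: label 1 decrements the first counter while it is
# positive and jumps to the halting label 0 once it reaches zero.
DRAIN: Program = {1: ("-", 1, 1, 0)}


def step(prog: Program, conf: Config) -> Config:
    """The next configuration, following the six cases of the proof."""
    i, p, q = conf
    cmd = prog[i]
    if cmd[0] == "+":
        _, counter, j = cmd
        return (j, p + 1, q) if counter == 1 else (j, p, q + 1)
    _, counter, j, k = cmd
    if counter == 1:
        return (j, p - 1, q) if p > 0 else (k, p, q)
    return (j, p, q - 1) if q > 0 else (k, p, q)


def run(prog: Program, start: Config, max_steps: int) -> List[Config]:
    """Run until the machine stops (label 0) or the step budget is spent.
    Position h of the result is the triple (pc[h], c1[h], c2[h]) of the proof."""
    trace = [start]
    while trace[-1][0] != 0 and len(trace) <= max_steps:
        trace.append(step(prog, trace[-1]))
    return trace


def satisfies_prog_formula(prog: Program, trace: List[Config]) -> bool:
    """phi_Prog restricted to the finite prefix: whenever pc[h] = i with i >= 1,
    the triple at h + 1 is the one Com(h, i) demands."""
    return all(step(prog, trace[h]) == trace[h + 1]
               for h in range(len(trace) - 1) if trace[h][0] != 0)


def accepting_step(trace: List[Config]) -> Optional[int]:
    """The witness k of 'exists k >= 0 . Conf(k, (0, 0, 0))', or None if absent."""
    for h, conf in enumerate(trace):
        if conf == (0, 0, 0):
            return h
    return None


def demo() -> Tuple[List[Config], bool, Optional[int]]:
    """Trace of DRAIN from (1, 3, 0), its consistency with phi_Prog, and the witness."""
    trace = run(DRAIN, (1, 3, 0), 100)
    return trace, satisfies_prog_formula(DRAIN, trace), accepting_step(trace)
```

A trace that `satisfies_prog_formula` rejects is exactly a valuation of $pc$, $c_1$, $c_2$ that falsifies $\phi_{Prog}$, and a trace in which no position holds $(0, 0, 0)$ is one for which the existential conjunct has no witness; the formula of the proof is satisfiable only when both checks pass.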
2.3 Subclasses
In this section we define BD-Formulae free on $k$, S-Formulae, and other subclasses of $\Phi(\vec{id})$.
2.3.1 Subclasses of $\Phi$
Let $\vec{x}$ be a vector of real variables and $\vec{m}$ a vector of parameters; with $\Phi_L(\vec{x} \uplus \vec{m})$ and $\Phi_{Par}(\vec{x} \uplus \vec{m})$ we denote the set of linear simple formulae with rational coefficients and constants on $\vec{x} \uplus \vec{m}$, and the set of simple formulae on $\vec{x} \uplus \vec{m}$ which are linear on $\vec{x}$, respectively. As an example, $x + \frac{3}{4} y = 5m$ and $\frac{6}{7} m^2 x + 3y > 0$ are in $\Phi_L((x, y, m))$ and $\Phi_{Par}((x, y, m))$, respectively.

Let $\vec{x}$ be a vector of real variables and $\vec{m}$ a vector of parameters; with $\Phi_P(\vec{x} \uplus \vec{m})$ we denote the set of formulae on $\vec{x} \uplus \vec{m}$. As an example, $\exists z . \frac{6}{7} m^2 x + 3y \cdot z > 0$ is in $\Phi_P((x, y, m))$.

Let $\vec{x}$ be a vector of real variables, $\vec{k}$ a vector of integer variables, and $\vec{m}$ a vector of parameters; with $\Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$ we denote the set of linear formulae with rational coefficients and constants on $\vec{x} \uplus \vec{k} \uplus \vec{m}$. As an example, $\exists k . 3h + 4k + \frac{5}{2} y = m$ is in $\Phi_{Int}((y, h, m))$.
2.3.2 BD-Formulae free on k
Let $\phi$ be a formula in $\Phi(\vec{id})$ and $k \in \vec{id}$ be an integer variable; we say that $k$ is bounded in $\phi$ if and only if there exist $u, l \in \mathbb{Z}$ and $\phi_0$ such that $\phi \equiv k \in [l, u] \wedge \phi_0$.

Let $\phi$ be a formula in $\Phi(\vec{id})$, $\vec{h}$ a vector of integer variables, $k \in \vec{id} \setminus \vec{h}$ an integer variable and $\tau$ an integer term on $\vec{h}$; we say that $k$ depends on $\tau$ in $\phi$ if and only if there exists $\phi_0$ such that $\phi \equiv (k = \tau) \wedge \phi_0$.

These dependent variables are important in programming. In fact, if we have the assignment $k := \tau$ with $\tau$ an integer term, then $k$ depends on $\tau$. As an example, the assignment $k := k^2 + 1$ is translated into the formula $k' = k^2 + 1$. The term $k^2 + 1$ is an integer term, and so $k'$ depends on $k^2 + 1$.

The set of BD-Formulae free on $k$ permits to express formulae in which integer variables (with the exception of at most the non-quantified variable $k$) are either dependent or bounded. As we have said, we suppose that universal quantifiers are written as $\neg\exists id.\neg\phi$.

Let $k \in \vec{id}$ be an integer variable; the set of BD-Formulae free on $k$ (called $\Phi^k_{BD}(\vec{id})$) is the set of formulae $\phi$ such that:

• for each subformula $\exists h.\phi_0$ of $\phi$ it holds that $h$ is either dependent or bounded in $\phi_0$;
• for each $h \in \vec{id} \setminus (k)$ it holds that $h$ is either dependent or bounded in $\phi$.

As an example, $h = k^2 + 1 \wedge \exists l . l \in [1, 10] \wedge l > x$ is a quantified formula in $\Phi^k_{BD}((h, k, x))$. In fact, $h$ is dependent and $l$ is bounded.

We note that formulae in $\Phi^k_{BD}(\vec{id})$ are closed under conjunction, disjunction and existential quantification, but not under negation. In fact, if $\phi \in \Phi^k_{BD}(\vec{id})$ then $\neg\phi$ may not be in $\Phi^k_{BD}(\vec{id})$.
2.3.3 S-Formulae
The set of S-Formulae permits to express formulae which define constraints on identifiers and some kinds of invariants for arrays.

Let $\vec{id}$ be a vector of identifiers; we define the set of S-Formulae, denoted by $\Phi_S(\vec{id})$, recursively as follows:

1. if $\phi \in \Phi(\vec{id})$ is a linear simple formula with rational coefficients and constants, then $\phi \in \Phi_S(\vec{id})$;
2. if $\phi \in \Phi_S(\vec{id} \uplus (id))$, then $\exists id.\phi \in \Phi_S(\vec{id})$;
3. if $\phi \in \Phi((h) \uplus \vec{id}_2 \uplus \vec{id})$ is a linear simple formula with rational coefficients and constants, and for each $a[\tau]$ which appears in $\phi$ it holds that either $\tau = h$ or no identifier in $(h) \uplus \vec{id}_2$ appears in $\tau$, then $\forall h.\exists \vec{id}_2.\phi$ is in $\Phi_S(\vec{id})$;
4. if $\phi_1, \phi_2 \in \Phi_S(\vec{id})$ then $\phi_1 \vee \phi_2$ and $\phi_1 \wedge \phi_2$ are in $\Phi_S(\vec{id})$.

The requirements of the definition of universally quantified formulae allow us to have only universally quantified integer variables $h$. Moreover, the universally quantified formula is an existentially quantified formula where $h$ can be used to refer to an element of an array only with the term $a[h]$, and the identifiers which are existentially quantified after $h$ cannot be used to refer to an element of an array.

We note that formulae in $\Phi_S(\vec{id})$ are closed under conjunction, disjunction and existential quantification, but are not closed under negation. In fact, if $\phi \in \Phi_S(\vec{id})$ then $\neg\phi$ may not be in $\Phi_S(\vec{id})$.
Example 2.3.1 In example 2.2.1 only the ordering formula is not an S-Formula.

Example 2.3.2 The formula $\exists k.\forall h.a[h] = a[k]$ is an S-Formula and expresses the fact that all elements of the array $a$ are equal. Also the formula $\forall h.\exists k.a[h] = k$ is an S-Formula. This formula expresses the fact that $a$ is an array of integers.
Example 2.3.3 Let $k$ be an integer variable, $y$ a real variable and $a$ and $b$ two arrays;
$$\exists(k_1, y, a, b) .\ y < 10 \wedge y = 2 \cdot k_1 \wedge a[k_1] = 10 \wedge \forall h.\exists k_2 . a[h] = a[k_1] - a[1] + b[h] \wedge b[h] = k_2$$
means that $y$ is an even number less than 10, $a[k_1]$ is equal to 10, each element $h$ of $a$ is equal to $a[k_1] + a[1] - b[h]$, and $b$ is a vector of integers. We use this example as running example.
2.4 Quantifier Elimination
Let $\exists id . \phi$ be a formula in $\Phi(\vec{id})$; the problem of quantifier elimination consists in finding a formula $\phi'$ in $\Phi(\vec{id})$ equivalent to $\phi$ and in which $id$ does not appear.

Quantifier elimination is used to simplify formulae and to decide satisfiability. In fact, a formula $\phi$ is satisfiable if and only if $\exists \vec{id}.\phi$ is (where $\vec{id}$ is the vector of identifiers not quantified in $\phi$). Now in $\exists \vec{id}.\phi$ no identifier is unquantified, and therefore, by deleting each quantified identifier, we obtain a formula which must be either $true$ or $false$.

Quantifier elimination for the classes $\Phi_L(\vec{x} \uplus \vec{m})$, $\Phi_{Int}(\vec{x} \uplus \vec{h} \uplus \vec{m})$ and $\Phi_P(\vec{x} \uplus \vec{m})$ is known. Then we define and prove correctness of an algorithm for the new classes $\Phi_{Par}(\vec{x} \uplus \vec{m})$, $\Phi_S(\vec{id})$ and $\Phi^k_{BD}(\vec{id})$.

As said before, we will define quantifier elimination for formulae of the form $\exists id.\phi$. The case of $\forall id.\phi$ is reducible to $\neg\exists id.\neg\phi$.
2.4.1 $\Phi_L$, $\Phi_{Par}$ and $\Phi_P$ Formulae
In this subsection we recall the known technique of quantifier elimination of real variables for formulae in $\Phi_L(\vec{x} \uplus \vec{m})$ and $\Phi_P(\vec{x} \uplus \vec{m})$. We extend the algorithm used for these two classes to treat the new class $\Phi_{Par}(\vec{x} \uplus \vec{m})$. We define quantifier elimination for real variables; parameters can be handled analogously.

$\Phi_L$ formulae

An algorithm to solve this problem for formulae in $\Phi_L(\vec{x} \uplus \vec{m})$ is given in [37]. The algorithm takes a formula $\exists x.\phi$ in $\Phi_L(\vec{x} \uplus \vec{m})$ and returns a simple linear formula $\phi'$ in $\Phi_L(\vec{x} \uplus \vec{m})$ equivalent to $\exists x.\phi$. We explain the algorithm. We tackle the problem for formulae which are conjunctions of inequalities, as the general case can be reduced to this, since $\exists x.\phi_1 \vee \phi_2$ is equivalent to $\exists x.\phi_1 \vee \exists x.\phi_2$.
Let $\exists x.\phi$ be a formula in $\Phi_L(\vec{x} \uplus \vec{m})$ where $\phi$ is simple; the algorithm transforms $\phi$ into an equivalent formula $\bigwedge_{i=1}^{m} \tau_i + c_i \cdot x \sim_i 0$ such that:

• $\tau_i$ is a linear term in $P(\vec{x} \uplus \vec{m})$ and $\sim_i \in \{\ \}$;
• $c_i > 0$, for $1 \le i \le k$, and $c_i < 0$, for $k + 1 \le i \le m$.

Now, the formula $\exists x . (\bigwedge_{i=1}^{m} \tau_i + c_i \cdot x \sim_i 0)$ is equivalent to the formula

$$\bigwedge_{i=1}^{k} \bigwedge_{j=k+1}^{m} \frac{\tau_i}{c_i} - \frac{\tau_j}{c_j} \sim_{ij} 0$$

where $\sim_{ij}$ is $<$ if $\sim_i$ or $\sim_j$ is

$> 0$, $\tau'_j < 0$, $\tau'_i \cdot \tau_j - \tau'_j \cdot \tau_i \sim_{ij} 0$ of $D(x, \exists x.\phi)$ are linear on $\vec{id}$. $\Box$

Now by the proposition above, it is obvious that this algorithm is closed for formulae in $\Phi_{Par}(\vec{x} \uplus \vec{m})$, i.e. for a given formula in $\Phi_{Par}(\vec{x} \uplus \vec{m})$ the algorithm returns a formula in $\Phi_{Par}(\vec{x} \uplus \vec{m})$.

Corollary 2.4.3 If $\phi \in \Phi_{Par}(\vec{x} \uplus \vec{m})$, then $D(x, \phi)$ is in $\Phi_{Par}(\vec{x} \uplus \vec{m})$.

An algorithm to solve the problem of quantifier elimination of real variables for general formulae in $\Phi_P(\vec{x} \uplus \vec{m})$ is given in [86]. This is a generalization of Sturm's algorithm (see [27]). Sturm's algorithm calculates the number of sign changes (and so also the number of roots) of a polynomial in an interval. We call $D'(x, \exists x.\phi)$ the formula resulting from the algorithm defined in [86].

Let $\phi = \exists x.\phi_0$; with $Del_{\mathbb{R}}(x, \phi)$ we denote the formula $\phi''$, where $\phi''$ is the formula $D(x, \phi)$ if $\phi$ is linear on $x$ and $D'(x, \phi)$ otherwise. The following corollary summarizes the properties described above and is derived directly from the previous results.

Corollary 2.4.4 The following facts hold:

• $Del_{\mathbb{R}}(x, \phi)$ is in $\Phi_P(\vec{x} \uplus \vec{m})$ and $x$ does not appear in $Del_{\mathbb{R}}(x, \phi)$;
• $\llbracket \phi \rrbracket = \llbracket Del_{\mathbb{R}}(x, \phi) \rrbracket$;
• if $\phi$ is linear on $x \uplus \vec{id}$ then $Del_{\mathbb{R}}(x, \phi)$ is linear on $\vec{id}$.

Example 2.4.5 The formula $\exists x . z^3 + (3 - z) \cdot y - (z - 4)^2 \cdot x < 0 \wedge 3 \cdot x + z \cdot y < 0$ is linear on $(x, y)$. By applying $Del_{\mathbb{R}}$, we have the following equivalent formula, which is linear on $y$: $3 \cdot z^3 + (3 \cdot (3 - z) + (z - 4)^2 \cdot z) \cdot y < 0$.
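As an added example (not the algorithm of [37] as published, and not code from the thesis), the following Python block implements the elimination step for $\Phi_L$ formulae described above: a constraint is a rational coefficient map for $\tau_i + c_i \cdot x \sim_i 0$, the constraints are split by the sign of $c_i$, and each pair is combined into $\tau_i/c_i - \tau_j/c_j \sim_{ij} 0$. The example assumes the relations are $<$ and $\le$ (an equality is written as two $\le$ constraints beforehand, and $>$ or $\ge$ by negating the term); the sample constraints are constructed.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# A linear constraint  sum_v t[v] * v + t["1"] rel 0  with rel in {"<", "<="}.
# Assumption of this example: equalities have already been split into two "<="
# constraints and ">"/">=" rewritten by negating the term.
Linear = Dict[str, Fraction]
Constraint = Tuple[Linear, str]


def lin(const=0, **coeffs) -> Linear:
    """Build a term with rational coefficients; the constant is stored under key "1"."""
    t = {v: Fraction(c) for v, c in coeffs.items()}
    if const:
        t["1"] = Fraction(const)
    return t


def scale(t: Linear, f: Fraction) -> Linear:
    return {v: c * f for v, c in t.items()}


def add(t1: Linear, t2: Linear) -> Linear:
    out = dict(t1)
    for v, c in t2.items():
        out[v] = out.get(v, Fraction(0)) + c
    return {v: c for v, c in out.items() if c != 0}


def eliminate(x: str, phi: List[Constraint]) -> List[Constraint]:
    """D(x, exists x. phi) for a conjunction phi of linear constraints.

    Constraints without x are kept.  The others are tau_i + c_i*x rel_i 0; each
    one with c_i > 0 is paired with each one with c_j < 0 and replaced by
    tau_i/c_i - tau_j/c_j rel_ij 0, where rel_ij is "<" if either side is strict.
    """
    keep: List[Constraint] = []
    upper: List[Tuple[Linear, Fraction, str]] = []   # c_i > 0: x is bounded above
    lower: List[Tuple[Linear, Fraction, str]] = []   # c_j < 0: x is bounded below
    for t, rel in phi:
        c = Fraction(t.get(x, 0))
        tau = {v: Fraction(k) for v, k in t.items() if v != x}
        if c == 0:
            keep.append((t, rel))
        elif c > 0:
            upper.append((tau, c, rel))
        else:
            lower.append((tau, c, rel))
    out = list(keep)
    for tau_i, c_i, rel_i in upper:
        for tau_j, c_j, rel_j in lower:
            rel = "<" if "<" in (rel_i, rel_j) else "<="
            out.append((add(scale(tau_i, 1 / c_i), scale(tau_j, -1 / c_j)), rel))
    return out


def holds(phi: List[Constraint], point: Dict[str, Fraction]) -> bool:
    """Evaluate a conjunction of constraints at a point (used to check results)."""
    for t, rel in phi:
        value = sum(c * (1 if v == "1" else Fraction(point[v])) for v, c in t.items())
        if not (value < 0 if rel == "<" else value <= 0):
            return False
    return True


# Constructed sample: exists x . x <= 2  and  x > y  and  y >= 0, written as
# x - 2 <= 0,  y - x < 0,  -y <= 0.
SAMPLE: List[Constraint] = [(lin(x=1, const=-2), "<="), (lin(y=1, x=-1), "<"), (lin(y=-1), "<=")]


def eliminate_sample() -> List[Constraint]:
    """Expected: -y <= 0 (kept) and y - 2 < 0, i.e. 0 <= y < 2."""
    return eliminate("x", SAMPLE)
```

When one of the two groups is empty, no pair is formed and only the constraints without $x$ survive, which matches the fact that $x$ is then unbounded on one side and the existential is satisfied by any value beyond the other bound.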
2.4.2 $\Phi_{Int}$ Formulae
In this section we recall quantifier elimination for formulae in $\Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$. First, we recall the technique used for a particular case called Presburger Arithmetic. This is the set of quantified linear formulae with rational coefficients and constants on integer variables (no real variables are permitted). For Presburger Arithmetic there exists a quantifier elimination algorithm which uses a new relation $\equiv_n$ (see [51]). The formula $\tau \equiv_n 0$ means that $\tau$ is a multiple of the natural $n$.

When we deal with formulae on real and integer variables, the previous result cannot be used immediately. The results on real variables hold also if one considers mixed integer and real variables. On the contrary, the results for Presburger Arithmetic do not hold if one considers the mixed problem.

In [93] an algorithm is given for the class $\Phi_{Int}(\vec{x} \uplus \vec{h} \uplus \vec{m})$. To do it, also the operator $[\tau]$ is defined, which gives the maximal integer less than or equal to the value of $\tau$. The problem of mixed variables is solved as follows. The following equivalences hold:

• $c \cdot k = \tau$ is equivalent to $c \cdot k = [\tau] \wedge \tau = [\tau]$;
• $c \cdot k < \tau$ is equivalent to $c \cdot k < [\tau] \vee (c \cdot k = [\tau] \wedge [\tau] < \tau)$;
• $c \cdot k \equiv_n \tau$ is equivalent to $c \cdot k \equiv_n [\tau] \wedge \tau = [\tau]$.

Using these, in [93] it is shown that it is possible to use the quantifier elimination defined for linear formulae on integer variables to eliminate the integer variable $k$ in the case of mixed variables. Moreover, if $[\tau]$ is a term, then there exists a simple linear formula $\phi$ which implies that $[\tau] = c \cdot x + \tau'$. Therefore it is possible to use the quantifier elimination defined for linear formulae on real variables to eliminate the real variable $x$ in the case of mixed variables.
2.4.3 BD-Formulae free on k
In this section we define quantifier elimination for BD-Formulae free on $k$, and we prove the correctness of the technique defined.

Real variables

The results of corollary 2.4.4 hold also for BD-Formulae, since we have required that, for each $a[\tau]$ which appears in a formula, the term $\tau$ is an integer term. The following corollary summarizes these results for BD-Formulae.

Corollary 2.4.6 Let $\phi \in \Phi^k_{BD}(\vec{id})$; the following facts hold:

• $Del_{\mathbb{R}}(x, \phi)$ is in $\Phi^k_{BD}(\vec{id})$ and $x$ does not appear in $Del_{\mathbb{R}}(x, \phi)$;
• $\llbracket \phi \rrbracket = \llbracket Del_{\mathbb{R}}(x, \phi) \rrbracket$;
• if $\phi$ is linear on $x \uplus \vec{id}_2$ then $Del_{\mathbb{R}}(x, \phi)$ is linear on $\vec{id}_2$.

Integer variables

We give an algorithm to eliminate quantifiers on dependent and bounded integer variables in general formulae, and, afterwards, we prove that the algorithm is closed for BD-Formulae.

Let $\exists k . \phi$ be a formula in $\Phi(\vec{id})$ and $k$ be either dependent or bounded; with $Del_{\mathbb{Z}}(k, \exists k . \phi)$ we denote the formula $\phi'$ resulting from deleting the quantified variable $k$ as follows:

• if $\phi = k \in [l, u] \wedge \phi''$ then $\phi' = \bigvee_{c \in \{l, l+1, \ldots, u-1, u\}} \phi''[k := c]$;
• if $\phi = (k = \tau) \wedge \phi''$ with $k$ depending on $\tau$ then $\phi' = \phi''[k := \tau]$.

As said before, the case of $\forall k . k \in [l, u] \Rightarrow \phi''$ is reducible to $\neg\exists k . k \in [l, u] \wedge \neg\phi''$. In fact, $\neg\exists k . k \in [l, u] \wedge \neg\phi''$ becomes $\neg\bigvee_{c \in \{l, l+1, \ldots, u-1, u\}} \neg\phi''[k := c]$, which is equal to $\bigwedge_{c \in \{l, l+1, \ldots, u-1, u\}} \phi''[k := c]$.

The following proposition shows the correctness of this elimination for general formulae.

Proposition 2.4.7 Let $\exists k.\phi$ be a formula in $\Phi(\vec{id}_1)$ with $k$ either dependent or bounded; then the following facts hold:

• $Del_{\mathbb{Z}}(k, \exists k.\phi)$ is in $\Phi(\vec{id}_1)$ and $k$ does not appear in $Del_{\mathbb{Z}}(k, \exists k.\phi)$;
• $\llbracket \exists k.\phi \rrbracket = \llbracket Del_{\mathbb{Z}}(k, \exists k.\phi) \rrbracket$;
• if $\exists k.\phi$ is linear on $k \uplus \vec{id}_2$ then $Del_{\mathbb{Z}}(k, \exists k.\phi)$ is linear on $\vec{id}_2$.
Proof. The first statement is obvious. For bounded variables the second statement too is obvious. For dependent variables the fact $\llbracket \exists k.\phi \rrbracket \subseteq \llbracket \phi[k := \tau] \rrbracket$ is obvious. On the other hand, to prove that $\llbracket \exists k.\phi \rrbracket \supseteq \llbracket \phi[k := \tau] \rrbracket$, it is sufficient to prove that if $\vec{v}$ satisfies $\phi[k := \tau]$ then $\vec{v}(\tau)$ is an integer value. Since $\tau$ is composed of integer values and variables, the second statement holds.

The third statement is obvious from the fact that $\phi$ is linear on $k$; therefore if we substitute for $k$ a constant $c$ or a term $\tau$, which is obviously linear on $\vec{id}_2$, then we have a formula linear on $\vec{id}_2$. $\Box$

Now we prove that $Del_{\mathbb{Z}}$ is closed for BD-Formulae, i.e. when applied to a BD-Formula it returns a BD-Formula.

Proposition 2.4.8 Let $\phi$ be a formula in $\Phi^k_{BD}(\vec{id})$; it holds that $Del_{\mathbb{Z}}(h, \phi)$ is in $\Phi^k_{BD}(\vec{id})$ and $h$ does not appear in $Del_{\mathbb{Z}}(h, \phi)$.

Proof. We must prove that the substitutions $[h := c]$ and $[h := \tau]$ preserve dependence and boundedness of the other integer variables. For bounded variables this is obvious. For dependent variables, each other integer variable $h'$ has its bounds or its dependences outside $\phi$, so boundedness and dependence are preserved. $\Box$
Arrays

We give an algorithm to eliminate quantifiers on arrays in general formulae, and, afterwards, we prove that the algorithm is closed for BD-Formulae. The algorithm uses $Del_{\mathbb{R}}$ to solve this case. This is possible thanks to the fact that array elements can assume real values. The algorithm substitutes the elements used in the formula with new real variables. If an element used has the same index as another, then the identifiers used for the two elements must be equal. This technique is defined in [83] for functions from integers to integers; here we prove that it can be used also for arrays (which are functions from integers to reals).

Let $\exists a.\phi$ be in $\Phi(\vec{id})$ where $\phi$ is simple, $\{a[\tau_1], \ldots, a[\tau_n]\}$ be the set of elements of the array $a$ which appear in $\phi$ and $\vec{x} = (x_1, \ldots, x_n)$ be a vector of new real variables, namely, for each $1 \le i \le n$, it holds that $x_i \notin \vec{id}$. With $Del_{arr}(a, \exists a.\phi)$ we denote the formula

$$Del_{\mathbb{R}}\left(\vec{x},\ \exists \vec{x} .\ \phi[a[\tau_1] := x_1] \ldots [a[\tau_n] := x_n] \wedge \bigwedge_{i=1}^{n-1} \bigwedge_{j=i+1}^{n} \tau_i = \tau_j \Rightarrow x_i = x_j\right).$$

Theorem 2.4.9 Let $\exists a.\phi$ be a formula in $\Phi(\vec{id})$, where $\phi$ is simple; then the following facts hold:

• $Del_{arr}(a, \exists a.\phi)$ is in $\Phi(\vec{id})$ and $a$ does not appear in $Del_{arr}(a, \exists a.\phi)$;
• $\llbracket \exists a.\phi \rrbracket = \llbracket Del_{arr}(a, \exists a.\phi) \rrbracket$;
• if $\exists a.\phi$ is linear on $a \uplus \vec{id}_2$ then $Del_{arr}(a, \exists a.\phi)$ is linear on $\vec{id}_2$.

Proof. The first and the third statements hold by corollary 2.4.4. Let $\{a[\tau_1], \ldots, a[\tau_n]\}$ be the set of elements of the array $a$ which appear in $\phi$ and $\vec{x} = (x_1, \ldots, x_n)$ be a vector of real variables which do not appear in $\phi$.

If $\vec{v} \in \llbracket \exists a.\phi \rrbracket$, then there exists $f \in V((a))$ such that $\vec{v} \uplus (f) \models \phi$. Let $\vec{v}'$ be the valuation $(f(\vec{v}(\tau_1)), \ldots, f(\vec{v}(\tau_n)))$ in $V(\vec{x})$. It is obvious that $\vec{v} \uplus \vec{v}' \models \phi[a[\tau_1] := x_1] \ldots [a[\tau_n] := x_n]$ and $\vec{v} \uplus \vec{v}' \models \bigwedge_{i=1}^{n-1} \bigwedge_{j=i+1}^{n} \tau_i = \tau_j \Rightarrow x_i = x_j$. So, $\vec{v} \models Del_{arr}(a, \exists a.\phi)$.

Vice versa, let $\vec{v} \models Del_{arr}(a, \exists a.\phi)$; then there exists $\vec{v}' \in V(\vec{x})$ such that $\vec{v} \uplus \vec{v}' \models \phi[a[\tau_1] := x_1] \ldots [a[\tau_n] := x_n]$ and $\vec{v} \uplus \vec{v}' \models \bigwedge_{i=1}^{n-1} \bigwedge_{j=i+1}^{n} \tau_i = \tau_j \Rightarrow x_i = x_j$. We can construct $f \in V((a))$ such that $f(\vec{v}(\tau_i)) = \vec{v}'(x_i)$. This construction is possible due to the fact that $\vec{v} \uplus \vec{v}' \models \bigwedge_{i=1}^{n-1} \bigwedge_{j=i+1}^{n} \tau_i = \tau_j \Rightarrow x_i = x_j$. It is obvious that $\vec{v} \uplus f \models \phi$, and therefore $\vec{v} \models \exists a.\phi$. $\Box$

Since array elements do not appear in integer terms (so dependences are preserved by quantifier elimination), the results of theorem 2.4.9 can be proved also for $\Phi^k_{BD}(\vec{id})$.

Corollary 2.4.10 Let $\phi$ be a formula in $\Phi^k_{BD}(\vec{id})$; then the following facts hold:

• $Del_{arr}(a, \phi)$ is in $\Phi^k_{BD}(\vec{id})$ and $a$ does not appear in $Del_{arr}(a, \phi)$;
• $\llbracket \phi \rrbracket = \llbracket Del_{arr}(a, \phi) \rrbracket$;
• if $\phi$ is linear on $a \uplus \vec{id}_2$ then $Del_{arr}(a, \phi)$ is linear on $\vec{id}_2$.
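The integer-variable elimination $Del_{\mathbb{Z}}$ defined earlier in this subsection and the array elimination $Del_{arr}$ defined just above are both substitutions on the formula. The following Python block is an added example (not code from the thesis) that carries them out on a tuple-encoded formula: a bounded $k$ is expanded into the disjunction over $[l, u]$, a dependent $k$ is replaced by its term, and each $a[\tau_i]$ is replaced by a fresh real variable $x_i$ together with the consistency constraints $\tau_i = \tau_j \Rightarrow x_i = x_j$. The final $Del_{\mathbb{R}}$ step of $Del_{arr}$ is not implemented; the function returns the existentially quantified formula that step would take as input. The encoding, the `("in", k, l, u)` atom standing for $k \in [l, u]$ and the sample formulae are assumptions of this example.

```python
from typing import List

# Tuple encoding of terms and formulae (our own, not a structure from the thesis):
#   term    ::= ("id", n) | ("arr", a, t) | ("const", c) | ("add", t1, t2) | ("mul", t1, t2)
#   formula ::= ("cmp", term, rel) | ("exists", n, phi) | ("not", p) | ("or", p, q) | ("and", p, q)
#             | ("in", k, l, u)          # the bound k in [l, u] of a bounded variable
# A dependent variable is written as the equality k = tau built with CMP below.


def ID(n): return ("id", n)
def C(c): return ("const", c)
def ARR(a, t): return ("arr", a, t)
def SUB(t1, t2): return ("add", t1, ("mul", C(-1), t2))
def CMP(t1, rel, t2): return ("cmp", SUB(t1, t2), rel)   # t1 rel t2 as (t1 - t2) rel 0


def subst(node, old, new):
    """phi[old := new]: replace every occurrence of the term `old` in a term or formula."""
    if node == old:
        return new
    if isinstance(node, tuple):
        return tuple(subst(child, old, new) for child in node)
    return node


def dependency_term(head, k):
    """If `head` is the atom k = tau (as produced by CMP), return tau, else None."""
    if head[0] == "cmp" and head[2] == "=" and head[1][0] == "add" and head[1][1] == ID(k):
        neg = head[1][2]
        if neg[0] == "mul" and neg[1] == C(-1):
            return neg[2]
    return None


def del_int(phi):
    """Del_Z(k, exists k. phi) for a bounded or dependent k (section 2.4.3)."""
    if phi[0] != "exists" or phi[2][0] != "and":
        raise ValueError("expected exists k . (bound or dependency) and phi''")
    _, k, (_, head, rest) = phi
    if head[0] == "in" and head[1] == k:                       # k in [l, u]
        _, _, lo, hi = head
        cases = [subst(rest, ID(k), C(c)) for c in range(lo, hi + 1)]
        out = cases[0]
        for case in cases[1:]:                                  # disjunction over [l, u]
            out = ("or", out, case)
        return out
    tau = dependency_term(head, k)
    if tau is not None:                                        # k = tau
        return subst(rest, ID(k), tau)
    raise ValueError(f"{k} is neither bounded nor dependent")


def array_elements(node, a) -> List[tuple]:
    """{a[tau_1], ..., a[tau_n]}: the elements of array a in a formula, first occurrence first."""
    found: List[tuple] = []

    def walk(n):
        if isinstance(n, tuple):
            if n[0] == "arr" and n[1] == a and n not in found:
                found.append(n)
            for child in n:
                walk(child)
    walk(node)
    return found


def del_array(phi, fresh="x"):
    """Del_arr(a, exists a. phi) up to the final Del_R step: replace each a[tau_i] by a
    fresh real variable x_i and add tau_i = tau_j => x_i = x_j for i < j.  The result
    is exists x_1 ... x_n . (...), the input that Del_R would then eliminate."""
    if phi[0] != "exists":
        raise ValueError("expected exists a . phi")
    _, a, body = phi
    elems = array_elements(body, a)
    names = [f"{fresh}{i + 1}" for i in range(len(elems))]
    out = body
    for elem, name in zip(elems, names):
        out = subst(out, elem, ID(name))
    for i in range(len(elems)):
        for j in range(i + 1, len(elems)):
            tau_i, tau_j = elems[i][2], elems[j][2]
            implies = ("or", ("not", CMP(tau_i, "=", tau_j)), CMP(ID(names[i]), "=", ID(names[j])))
            out = ("and", out, implies)
    for name in reversed(names):
        out = ("exists", name, out)
    return out
```

The implication $\tau_i = \tau_j \Rightarrow x_i = x_j$ is encoded as $\neg(\tau_i = \tau_j) \vee x_i = x_j$, which stays inside the grammar of $\Phi(\vec{id})$; it is the constraint that lets the proof of theorem 2.4.9 rebuild a single function $f$ from the values chosen for the $x_i$.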
2.4.4 Quantifier Elimination on S-Formulae
In this section we study the quantifier elimination problem on S-Formulae. Moreover, we give a technique to check satisfiability of the new class of S-Formulae.

Real and Integer Variables

Since for each $a[\tau]$ appearing in a formula we have required that $\tau$ is an integer term, the results on real variables and proposition 2.4.7 hold also if one considers mixed integer variables, real variables and arrays. The results for mixed integer and real variables do not hold if one considers also arrays. As an example, $\forall k \in [0, size] . a[k] = 0$ is not expressible with a simple formula.
Proposition 2.4.11 There is no simple formula in $\Phi((a, size))$ equivalent to the formula $\forall k \in [0, size] . a[k] = 0$.

Proof. The set $\llbracket \forall k \in [0, size] . a[k] = 0 \rrbracket$ is equal to the set

$$V((a, size)) \setminus \{(f, c) \mid c \in \mathbb{N} \wedge f(i) \neq 0, \text{ for some } i \in [0, c]\}.$$

Let us suppose, by contradiction, that there exists a simple formula $\phi \in \Phi((a, size))$ equivalent to the formula $\forall k \in [0, size] . a[k] = 0$. Let $a[\tau_1], \ldots, a[\tau_n]$ be the occurrences of the elements of $a$ in $\phi$. Let $m > n$; the valuation $\vec{v} = (m, f)$ with $f(i) = 0$, for any $i \in [0, m]$, is in $\llbracket \forall k \in [0, size] . a[k] = 0 \rrbracket$, and then it is also in $\llbracket \phi \rrbracket$.

Let $A$ be the set of indexes $\{\vec{v}(\tau_1), \ldots, \vec{v}(\tau_n)\}$; since $m > n$, there exists $l \in [0, m] \setminus A$. Let $\vec{v}'$ be the valuation $(m, f')$ such that $f'(l) \neq 0$ and $f'(i) = f(i)$, for any $i \neq l$. It is obvious that $\vec{v}' \notin \llbracket \forall k \in [0, size] . a[k] = 0 \rrbracket$. But, since $\vec{v} \models \phi$ and $l$ is not in the set $A$ of indexes, then $\vec{v}' \models \phi$. Therefore $\vec{v}' \in \llbracket \phi \rrbracket$ and $\vec{v}' \notin \llbracket \forall k \in [0, size] . a[k] = 0 \rrbracket$, which contradicts the hypothesis. $\Box$

The proposition above implies that a quantifier elimination algorithm cannot be defined for S-Formulae. In fact, let $\phi$ be an S-Formula; for each subformula $\forall h.\phi_0$ of $\phi$ we must delete $h$, but, as proved in proposition 2.4.11, this is not possible. In the next subsection, we will show how to delete the quantified arrays appearing in $\phi$ by substituting them with a set of identifiers. We prove also the correctness of the new method proposed. If we delete each array appearing in $\phi$, the resulting formula is a formula on mixed real and integer variables. Due to this, we can use the results shown in [93] to delete real and integer variables.

We note that, before deleting arrays and because of the results of corollary 2.4.4 and proposition 2.4.7, we can simplify the given formulae by using quantifier elimination on real variables and on dependent or bounded integer variables that either are out of the scope of $\forall h$ or are existentially quantified inside the scope of $\forall h$.

Example 2.4.12 In the formula of example 2.3.3, the real variable $y$ does not appear in the scope of $\forall h$. Therefore, by deleting $y$, we have the equivalent formula
$$\exists(k_1, a, b) .\ 2 \cdot k_1 < 10 \wedge a[k_1] = 10 \wedge \forall h.\exists k_2 . a[h] = a[k_1] - a[1] + b[h] \wedge b[h] = k_2.$$
Arrays

We give an algorithm to eliminate quantifiers on arrays even when the quantified formula contains a universal quantification on an integer variable. The algorithm uses $Del_{\mathbb{R}}$ to solve this case.
The following lemma shows that each S-Formula is equivalent to one such that in the universally quantified formula elements of arrays are referred to only by $h$.

Lemma 2.4.13 Let $\phi$ be in $\Phi_S(\vec{id})$; there exists an equivalent formula $\phi'$ in $\Phi_S(\vec{id})$ where $\phi'$ is a disjunction of formulae of the form
$$\exists \vec{id}_1 .\ \phi_1 \wedge \forall h.\exists \vec{id}_2 .\phi_2$$
such that $\phi_1$ is simple and, for each $a[\tau]$ which appears in $\phi_2$, it holds that $\tau = h$.

Proof. Since $\exists \vec{id}.\phi_1 \vee \phi_2$ is equivalent to $\exists \vec{id}.\phi_1 \vee \exists \vec{id}.\phi_2$ and by using distributivity, the formula $\phi$ is equivalent to a formula which is a disjunction of formulae of the form $\exists \vec{id} . \bigwedge_{i=1}^{n} \phi_i$, where each $\phi_i$ is either a simple formula or is of the form $\forall h.\exists \vec{id}_2 .\phi''$. Since $\forall h.\phi_1 \wedge \forall h.\phi_2$ is equivalent to $\forall h.\phi_1 \wedge \phi_2$, the formula $\exists \vec{id} . \bigwedge_{i=1}^{n} \phi_i$ is equivalent to a formula of the form $\exists \vec{id}_1 .\ \phi_1 \wedge \forall h.\exists \vec{id}_2 .\phi_2$ where $\phi_1$ is simple. By using $Del_{arr}$, and since we have proved that it preserves linearity, we can suppose that in $\vec{id}_2$ no array appears.

Now we must modify this formula to satisfy the requirement that for each $a[\tau]$ which appears in $\phi_2$ it holds that $\tau = h$. Let $\{a_1[\tau_1], \ldots, a_n[\tau_n]\}$ be the set $\{a[\tau] \mid a[\tau] \text{ appears in } \phi_2 \text{ and } h \neq \tau\}$, and $\{x_1, \ldots, x_n\}$ be a set of new variables which do not appear in $\phi$. Since $\tau_i \neq h$ and by definition of S-Formulae, in each $\tau_i$ the identifiers in $h \uplus \vec{id}_2$ do not appear. Therefore, since we have deleted each array in $\vec{id}_2$, in the formula $\bigwedge_{i=1}^{n} x_i = a_i[\tau_i]$ the identifiers in $h \uplus \vec{id}_2$ do not appear. Then we can define the following formula:

$$\phi' = \exists(x_1, \ldots, x_n) .\ \bigwedge_{i=1}^{n} x_i = a_i[\tau_i] \wedge \forall h.\exists \vec{id}_2 .\phi_2[a_1[\tau_1] := x_1] \ldots [a_n[\tau_n] := x_n].$$

We prove now that $\phi'$ is equivalent to $\forall h.\exists \vec{id}_2 .\phi_2$. Let $\vec{v} \in \llbracket \forall h.\exists \vec{id}_2 .\phi_2 \rrbracket$; we must prove that $\vec{v} \in \llbracket \phi' \rrbracket$. Let $\vec{v}'$ be the valuation $(\vec{v}(a_1[\tau_1]), \ldots, \vec{v}(a_n[\tau_n]))$; it is obvious that

$$\vec{v} \uplus \vec{v}' \models \bigwedge_{i=1}^{n} x_i = a_i[\tau_i] \wedge \forall h.\exists \vec{id}_2 .\phi_2[a_1[\tau_1] := x_1] \ldots [a_n[\tau_n] := x_n]$$

and so $\vec{v} \in \llbracket \phi' \rrbracket$.

Vice versa, let $\vec{v} \uplus \vec{v}'$ be a valuation which satisfies

$$\bigwedge_{i=1}^{n} x_i = a_i[\tau_i] \wedge \forall h.\exists \vec{id}_2 .\phi_2[a_1[\tau_1] := x_1] \ldots [a_n[\tau_n] := x_n].$$

Since $\vec{v} \uplus \vec{v}' \models \bigwedge_{i=1}^{n} x_i = a_i[\tau_i]$, it holds that $\vec{v}(a_i[\tau_i]) = \vec{v}'(x_i)$, and then $\vec{v} \models \forall h.\exists \vec{id}_2 .\phi_2$.
Therefore the formula $\phi$ is equivalent to the formula
$$\exists \vec{id}_1.\exists (x_1, \ldots, x_n).\ \phi_1 \wedge \bigwedge_{i=1}^{n} x_i = a_i[\tau_i] \wedge \forall h.\exists \vec{id}_2.\phi_2[a_1[\tau_1] := x_1]\ldots[a_n[\tau_n] := x_n]$$
and, since for each $a[\tau]$ which appears in $\phi_2[a_1[\tau_1] := x_1]\ldots[a_n[\tau_n] := x_n]$ it holds that $\tau = h$, it is of the form requested. $\Box$

Example 2.4.14 The formula
$$\exists (k_1, a, b).\ 2 \cdot k_1 < 10 \wedge a[k_1] = 10 \wedge \forall h.\exists k_2.\ a[h] = a[k_1] - a[1] + b[h] \wedge b[h] = k_2$$
is equivalent to
$$\exists (k_1, a, b, x_1, x_2).\ 2 \cdot k_1 < 10 \wedge a[k_1] = 10 \wedge x_1 = a[k_1] \wedge x_2 = a[1] \wedge \forall h.\exists k_2.\ a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2.$$

Lemma 2.4.15 Let $\phi$ be in $\Phi_S(\vec{id})$; then there exists an equivalent formula $\phi_0$ in $\Phi_S(\vec{id})$ which is a disjunction of formulae of the form
$$\exists \vec{id}_1.\ \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$$
where

1. $\phi_2$ is a simple formula in $\Phi_S(\vec{id} \uplus \vec{id}_1 \uplus (h))$;
2. for each $a[\tau]$ which appears in $\phi_2 \Rightarrow \phi_3$, it holds that $\tau = h$;
3. let $\vec{v} \in V(\vec{id} \uplus \vec{id}_1)$; then for each $a[\tau]$ which appears in $\phi_1$ and $c \in \mathbb{Z}$ such that $\vec{v} \uplus (c) \in \llbracket \phi_2 \rrbracket$, it holds that $\vec{v}(\tau) \neq c$.

Proof. By lemma 2.4.13 $\phi$ is equivalent to a formula $\phi_0$ which is a disjunction of formulae of the form
$$\exists \vec{id}_1.\ \phi'_1 \wedge \forall h.\exists \vec{id}_2.\phi'_2$$
where for each $a[\tau]$ which appears in $\phi'_2$ it holds that $\tau = h$. So we must modify this formula to satisfy requirements 1 and 3. Let $\{a_1[\tau_1], \ldots, a_n[\tau_n]\}$ be the elements of arrays which appear in $\phi'_1$. The formula
$$\exists \vec{id}_1.\ \phi'_1 \wedge \left( \bigwedge_{i=1}^{n} \exists \vec{id}_2.\phi'_2[a_i[h] := a_i[\tau_i]] \right) \wedge \forall h.\exists \vec{id}_2.\left( \bigwedge_{i=1}^{n} h \neq \tau_i \right) \Rightarrow \phi'_2$$
CHAPTER 2. QUANTIFIED FORMULAE
satisfies requirement 1 and requirement 3. In fact $\bigwedge_{i=1}^{n} h \neq \tau_i$ is a simple formula in $\Phi_S(\vec{id} \uplus \vec{id}_1 \uplus (h))$, and if $\vec{v} \in V(\vec{id} \uplus \vec{id}_1)$ and $c \in \mathbb{Z}$ are such that $\vec{v} \uplus (c) \models \bigwedge_{i=1}^{n} h \neq \tau_i$, then it is obvious that $\vec{v}(\tau_i) \neq c$. Since $\forall h.\phi$ is equivalent to $\phi[h := \tau] \wedge \forall h \neq \tau.\phi$, this formula is equivalent to
$$\exists \vec{id}_1.\ \phi'_1 \wedge \forall h.\exists \vec{id}_2.\phi'_2.$$
Then the thesis holds. $\Box$

In the lemma above the first requirement means that in $\phi_2$ the free variables are $\vec{id} \uplus \vec{id}_1 \uplus (h)$, i.e. the existentially quantified identifiers $\vec{id}_2$ do not appear in $\phi_2$. The second requirement says that in $\phi_2 \Rightarrow \phi_3$ elements of an array are referred to only by means of $h$. The third requirement means that the elements of an array referred to in $\phi_1$ are disjoint from those referred to in $\phi_2 \Rightarrow \phi_3$. From now on we suppose that S-Formulae are of this form.

Example 2.4.16 The formula
$$\exists (k_1, a, b, x_1, x_2).\ 2 \cdot k_1 < 10 \wedge a[k_1] = 10 \wedge x_1 = a[k_1] \wedge x_2 = a[1] \wedge \forall h.\exists k_2.\ a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2$$
is equivalent to
$$\begin{array}{l}
\exists (k_1, a, b, x_1, x_2, k_3, k_4).\ 2 \cdot k_1 < 10 \wedge a[k_1] = 10 \wedge x_1 = a[k_1] \wedge x_2 = a[1] \wedge {}\\
\quad a[k_1] = x_1 - x_2 + b[k_1] \wedge b[k_1] = k_3 \wedge a[1] = x_1 - x_2 + b[1] \wedge b[1] = k_4 \wedge {}\\
\quad \forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow (a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2).
\end{array}$$

Lemma 2.4.17 Let $\phi = \exists \vec{id}_1.\ \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$ be an S-Formula and $a \in \vec{id}_1$ be an array; $\phi$ is equivalent to
$$\exists \vec{id}_1 \setminus (a).\ \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$

Proof. Let $\vec{v}$ be in $\llbracket \phi \rrbracket$; then there exists $\vec{v}_0$ such that
$$\vec{v} \uplus \vec{v}_0 \models \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
By definition of $\wedge$ it holds that $\vec{v} \uplus \vec{v}_0 \models \phi_1$ and $\vec{v} \uplus \vec{v}_0 \models \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$. Therefore, if $f$ is the function associated with $a$, then it holds that
$$\vec{v} \uplus \vec{v}_0 \setminus (f) \models \exists a.\phi_1 \quad\text{and}\quad \vec{v} \uplus \vec{v}_0 \setminus (f) \models \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3,$$
which implies
$$\vec{v} \models \exists \vec{id}_1 \setminus (a).\ \exists a.\phi_1 \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
And so, by theorem 2.4.9, it holds that
$$\vec{v} \models \exists \vec{id}_1 \setminus (a).\ \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$

Vice versa, let $\vec{v}$ be a valuation such that
$$\vec{v} \models \exists \vec{id}_1 \setminus (a).\ \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
Then there exists $\vec{v}_0$ such that
$$\vec{v} \uplus \vec{v}_0 \models \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
By theorem 2.4.9, it holds that
$$\vec{v} \uplus \vec{v}_0 \models \exists a.\phi_1 \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
Then there exist $f_1$ and $f_2$ such that
$$\vec{v} \uplus \vec{v}_0 \uplus (f_1) \models \phi_1 \quad\text{and}\quad \vec{v} \uplus \vec{v}_0 \uplus (f_2) \models \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
Let $A$ be the set $\{(\vec{v} \uplus \vec{v}_0)(\tau_1), \ldots, (\vec{v} \uplus \vec{v}_0)(\tau_n)\}$, where $\{a[\tau_1], \ldots, a[\tau_n]\}$ is the set of elements of the array $a$ which appear in $\phi_1$. Let $f_3$ be the valuation of the array $a$ such that
$$f_3(c) = \begin{cases} f_1(c) & \text{if } c \in A \\ f_2(c) & \text{if } c \notin A. \end{cases}$$
We prove that
$$\vec{v} \uplus \vec{v}_0 \uplus (f_3) \models \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
It is sufficient to prove that $\vec{v} \uplus \vec{v}_0 \uplus (f_3) \models \phi_1$ and $\vec{v} \uplus \vec{v}_0 \uplus (f_3) \models \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$. Since $f_3(c) = f_1(c)$ for any $c \in A$, it holds that $\vec{v} \uplus \vec{v}_0 \uplus (f_3) \models \phi_1$. Now we must prove that $\vec{v} \uplus \vec{v}_0 \uplus (f_3) \models \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$. From lemma 2.4.15, if $c \in A$ then $\vec{v} \uplus \vec{v}_0 \uplus (f_3, c) \not\models \phi_2$. So if $c \in A$, then it holds that $\vec{v} \uplus \vec{v}_0 \uplus (f_3, c) \models \exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$. Moreover, if $c \notin A$ then $f_3(c) = f_2(c)$ and so $\vec{v} \uplus \vec{v}_0 \uplus (f_3, c) \models \exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$. Therefore
$$\vec{v} \uplus \vec{v}_0 \uplus (f_3) \models \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3.$$
This implies that
$$\vec{v} \uplus \vec{v}_0 \models \exists a.\ \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3,$$
and hence the thesis holds. $\Box$
Example 2.4.18 The formula
$$\begin{array}{l}
\exists (k_1, a, b, x_1, x_2, k_3, k_4).\ 2 \cdot k_1 < 10 \wedge a[k_1] = 10 \wedge x_1 = a[k_1] \wedge x_2 = a[1] \wedge {}\\
\quad a[k_1] = x_1 - x_2 + b[k_1] \wedge b[k_1] = k_3 \wedge a[1] = x_1 - x_2 + b[1] \wedge b[1] = k_4 \wedge {}\\
\quad \forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow (a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2)
\end{array}$$
is equivalent to
$$\begin{array}{l}
\exists (k_1, b, x_1, x_2, k_3, k_4).\ 2 \cdot k_1 < 10 \wedge {}\\
\quad \mathit{Del}_{arr}(a, \exists a.\ a[k_1] = 10 \wedge x_1 = a[k_1] \wedge x_2 = a[1] \wedge a[k_1] = x_1 - x_2 + b[k_1] \wedge b[k_1] = k_3 \wedge a[1] = x_1 - x_2 + b[1] \wedge b[1] = k_4) \wedge {}\\
\quad \exists a.\forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow (a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2).
\end{array}$$
Now the formula
$$\mathit{Del}_{arr}(a, \exists a.\ a[k_1] = 10 \wedge x_1 = a[k_1] \wedge x_2 = a[1] \wedge a[k_1] = x_1 - x_2 + b[k_1] \wedge b[k_1] = k_3 \wedge a[1] = x_1 - x_2 + b[1] \wedge b[1] = k_4)$$
is equivalent to
$$\mathit{Del}_{\mathbb{R}}((x_3, x_4), \exists (x_3, x_4).\ x_3 = 10 \wedge x_1 = x_3 \wedge x_2 = x_4 \wedge x_3 = x_1 - x_2 + b[k_1] \wedge x_4 = x_1 - x_2 + b[1] \wedge b[1] = k_4 \wedge (k_1 = 1) \Rightarrow x_3 = x_4)$$
which is equivalent to
$$x_1 = 10 \wedge x_2 = b[k_1] \wedge 2 \cdot x_2 = x_1 + b[1] \wedge b[1] = k_4 \wedge (x_2 = 10 \wedge b[k_1] = b[1] \vee k_1 \neq 1).$$
The resulting formula is
$$\begin{array}{l}
\exists (k_1, b, x_1, x_2, k_3, k_4).\ 2 \cdot k_1 < 10 \wedge x_1 = 10 \wedge x_2 = b[k_1] \wedge 2 \cdot x_2 = x_1 + b[1] \wedge b[1] = k_4 \wedge (x_2 = 10 \wedge b[k_1] = b[1] \vee k_1 \neq 1) \wedge {}\\
\quad \exists a.\forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow (a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2).
\end{array}$$

Now we must solve the problem of $\exists a.\forall h.\exists \vec{id}.\phi$ where for each $a[\tau]$ which appears in $\phi$ it holds that $\tau = h$. The following lemma gives the solution.

Lemma 2.4.19 Let $\phi = \exists a.\forall h.\exists \vec{id}.\phi'$ be such that for each $a[\tau]$ which appears in $\phi$ it holds that $\tau = h$. Then $\phi$ is equivalent to $\forall h.\exists \vec{id}.\mathit{Del}_{\mathbb{R}}(x, \exists x.\phi'[a[h] := x])$, for some $x$ which does not appear in $\phi$.

Proof. Let $\vec{v} \in \llbracket \phi \rrbracket$; then there exists $f \in V((a))$ such that $\vec{v} \uplus (f) \models \forall h.\exists \vec{id}.\phi'$. But, for each $c$, it holds that $\vec{v} \uplus (f, c) \models \exists \vec{id}.\phi'$. By definition of $\exists$ and by theorem 2.4.9 this implies that $\vec{v} \uplus (c) \models \exists \vec{id}.\mathit{Del}_{arr}(a, \exists a.\phi')$. Since in $\phi'$ only $a[h]$ appears, $\mathit{Del}_{arr}(a, \exists a.\phi')$ and $\mathit{Del}_{\mathbb{R}}(x, \exists x.\phi'[a[h] := x])$ coincide, and so we have proved that
$$\vec{v} \models \forall h.\exists \vec{id}.\mathit{Del}_{\mathbb{R}}(x, \exists x.\phi'[a[h] := x]).$$

Vice versa, let $\vec{v}$ be a valuation such that $\vec{v} \models \forall h.\exists \vec{id}.\mathit{Del}_{\mathbb{R}}(x, \exists x.\phi'[a[h] := x])$. Then, by corollary 2.4.4, we have that $\vec{v} \models \forall h.\exists \vec{id}.\exists x.\phi'[a[h] := x]$. Now for each $c \in \mathbb{Z}$ there exists a value $v_c \in V((x))$ such that $\vec{v} \uplus (c, v_c) \models \exists \vec{id}.\phi'[a[h] := x]$. We construct a function $f'$ such that $f'(c) = v_c$ for any $c \in \mathbb{Z}$. Now we prove that for each $c \in \mathbb{Z}$ it holds that $\vec{v} \uplus (c, f') \models \exists \vec{id}.\phi'$. In fact, for each $c$ it holds that
$$(\vec{v} \uplus (c, v_c))(x) = v_c = f'(c) = (\vec{v} \uplus (c, f'))(a[h]).$$
But, since in $\phi'$ only $a[h]$ appears, we have proved that for each $c \in \mathbb{Z}$ it holds that $\vec{v} \uplus (c, f') \models \exists \vec{id}.\phi'$, and so
$$\vec{v} \uplus (f') \models \forall h.\exists \vec{id}.\phi'$$
which implies
$$\vec{v} \models \exists a.\forall h.\exists \vec{id}.\phi'. \qquad \Box$$
Example 2.4.20 The formula
$$\exists a.\forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow (a[h] = x_1 - x_2 + b[h] \wedge b[h] = k_2)$$
is equivalent to
$$\forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow \mathit{Del}_{\mathbb{R}}(x, \exists x.\ x = x_1 - x_2 + b[h] \wedge b[h] = k_2)$$
which is equivalent to
$$\forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow b[h] = k_2.$$
Let $\phi = \exists \vec{id}_1.\ \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$ be an S-Formula and $a \in \vec{id}_1$ be an array. With $\mathit{Del}^S_{arr}(a, \phi)$ we denote the formula
$$\exists \vec{id}_1 \setminus (a).\ \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \forall h.\exists \vec{id}_2.\mathit{Del}_{\mathbb{R}}(x, \exists x.\ \phi_2 \Rightarrow \phi_3[a[h] := x])$$
where $x$ does not appear in $\phi_2 \Rightarrow \phi_3$.

Theorem 2.4.21 Let $\phi \in \Phi_S(\vec{id})$; then it holds that
- $\llbracket \phi \rrbracket = \llbracket \mathit{Del}^S_{arr}(a, \phi) \rrbracket$;
- $\mathit{Del}^S_{arr}(a, \phi)$ is in $\Phi_S(\vec{id})$ and $a$ does not appear in $\mathit{Del}^S_{arr}(a, \phi)$;
- if $\phi$ is linear on $\vec{id}_2 \uplus (a)$ then $\mathit{Del}^S_{arr}(a, \phi)$ is linear on $\vec{id}_2$.

Proof. Let $\phi$ be an S-Formula; by lemma 2.4.15, $\phi$ is equivalent to a disjunction of formulae of the form $\exists \vec{id}_1.\ \phi_1 \wedge \forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$. By lemma 2.4.17 it is equivalent to
$$\exists \vec{id}_1 \setminus (a).\ \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \exists a.\forall h.\exists \vec{id}_2.\ \phi_2 \Rightarrow \phi_3$$
and hence, by lemma 2.4.19, we have the following equivalent formula
$$\exists \vec{id}_1 \setminus (a).\ \mathit{Del}_{arr}(a, \exists a.\phi_1) \wedge \forall h.\exists \vec{id}_2.\mathit{Del}_{\mathbb{R}}(x, \exists x.\ \phi_2 \Rightarrow \phi_3[a[h] := x])$$
where $x$ does not appear in $\phi_2 \Rightarrow \phi_3$. By theorem 2.4.9 and corollary 2.4.4 this formula is equivalent to $\phi$. So we have proved the first statement. Moreover, since $\phi_1$, $\phi_2$ and $\phi_3$ are linear on $a$, by theorem 2.4.9 and corollary 2.4.4 the formulae $\mathit{Del}_{arr}(a, \exists a.\phi_1)$ and $\mathit{Del}_{\mathbb{R}}(x, \exists x.\ \phi_2 \Rightarrow \phi_3[a[h] := x])$ preserve linearity, and so we have proved the second and the third statements. $\Box$

Example 2.4.22 The resulting formula
$$\begin{array}{l}
\exists (k_1, b, x_1, x_2, k_3, k_4).\ 2 \cdot k_1 < 10 \wedge x_1 = 10 \wedge x_2 = b[k_1] \wedge 2 \cdot x_2 = x_1 + b[1] \wedge b[1] = k_4 \wedge (x_2 = 10 \wedge b[k_1] = b[1] \vee k_1 \neq 1) \wedge {}\\
\quad \forall h.\exists k_2.\ (h \neq k_1 \wedge h \neq 1) \Rightarrow b[h] = k_2
\end{array}$$
is an S-Formula. Moreover, each formula resulting from a step which deletes the existential quantifier on $a$ is a linear formula; this follows from the fact that the initial quantified formula is linear.
Another interesting result is that, if we delete from a quantified formula each array, then the result is an existentially quantified formula.

Theorem 2.4.23 Let $\phi \in \Phi_S(\vec{id})$ be such that there is no array $b$ in $\vec{id}$; then there exists $\exists \vec{k}.\phi' \in \Phi_S(\vec{id})$ equivalent to $\phi$, where $\vec{k}$ is a vector of integer variables and $\phi'$ is simple.

Proof. Let $\vec{a}$ be the vector of arrays quantified in $\phi$. By theorem 2.4.21, the formula $\phi$ is equivalent to $\mathit{Del}^S_{arr}(\vec{a}, \phi)$. This formula has no arrays. By results in [93], we can transform the subformulae $\forall h.\exists \vec{id}.\phi$ into a formula without quantifiers which uses the relation $\equiv_n$ and the operator $[\tau]$. We can delete these by using the following equivalences:
- $\neg(\tau \equiv_n 0)$ is equivalent to $\bigvee_{i=1}^{n-1} \tau + i \equiv_n 0$ (see [51]);
- $\tau \equiv_n 0$ is equivalent to $\exists k.\ \tau = n \cdot k$;
- $\tau_1 + c \cdot [\tau_2] \sim 0$ is equivalent to $\exists k.\ \tau_1 + c \cdot k \sim 0 \wedge k \in (\tau_2 - 1, \tau_2]$.

Therefore, each subformula $\forall h.\exists \vec{id}.\phi$ has an equivalent formula of the form $\exists \vec{k}.\phi'$, where $\vec{k}$ is a vector of integers. By deleting the real existentially quantified variables we have the thesis. $\Box$
2.5 Decidability of Satisfiability

The importance of the decidability of satisfiability will become clear when we study Hybrid Systems with identifiers. The idea is that formulae which are equivalent to false can be deleted. Moreover, this is useful to study reachability of a given Hybrid System, where one wants to know whether $\llbracket \phi_1 \wedge \phi_2 \rrbracket \neq \emptyset$.

As proved in proposition 2.2.3, satisfiability is undecidable for a generic linear quantified formula. On the other hand, satisfiability is decidable for formulae in $\Phi_L(\vec{x} \uplus \vec{m})$, $\Phi_P(\vec{x} \uplus \vec{m})$, $\Phi_{Par}(\vec{x} \uplus \vec{m})$ and $\Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$. The following theorems prove that satisfiability is decidable for formulae in $\Phi_S(\vec{id})$ and in $\Phi^k_{BD}(\vec{id})$.

Theorem 2.5.1 Let $\phi \in \Phi_S(\vec{id})$; it is decidable whether $\phi$ is satisfiable.

Proof. Let $\vec{id}_1 \uplus \vec{id}_2 = \vec{x} \uplus \vec{a} \uplus \vec{k} \uplus \vec{m}$. Let $\phi$ be in $\Phi_S(\vec{id}_1)$ and $\vec{id}_2$ be the vector of quantified identifiers of $\phi$; $\phi$ is satisfiable if and only if $\llbracket \exists \vec{id}_2.\phi \rrbracket \neq \emptyset$. By theorem 2.4.21, this holds if and only if $\llbracket \mathit{Del}^S_{arr}(\vec{a}, \exists \vec{id}_2.\phi) \rrbracket \neq \emptyset$. But, by theorem 2.4.23, $\mathit{Del}^S_{arr}(\vec{a}, \exists \vec{id}_2.\phi)$ is equivalent to an existentially quantified formula $\exists \vec{k}.\phi'$ in $\Phi_S(\vec{\emptyset})$, where $\phi'$ is simple.
But, for any $\exists \vec{k}.\phi' \in \Phi_S(\vec{\emptyset})$ where $\phi'$ is simple, it is decidable whether $\llbracket \exists \vec{k}.\phi' \rrbracket$ is the empty set. More precisely, the problem is in NP. In [68] it is proved that there exists an algorithm exponential in the number of integer variables, but polynomial in the number of equations. $\Box$

Theorem 2.5.2 Let $\phi \in \Phi^k_{BD}(\vec{id})$; it is decidable whether $\phi$ is satisfiable.

Proof. Let $\phi$ be in $\Phi^k_{BD}(\vec{id}_1)$ and $\vec{id}_2$ be the vector of quantified identifiers of $\phi$; $\phi$ is satisfiable if and only if $\llbracket \exists \vec{id}_2.\phi \rrbracket \neq \emptyset$. By using corollary 2.4.6, corollary 2.4.10 and proposition 2.4.8, $\exists \vec{id}_2.\phi$ is equivalent to a formula $\exists k.\phi'$ in $\Phi(\vec{\emptyset})$, where $\phi'$ is simple.

It is decidable whether a formula $\exists k.\phi'$ in $\Phi(\vec{\emptyset})$, where $\phi'$ is simple, is satisfiable. This derives from the fact that if $a_n k^n + \ldots + a_1 k + a_0$ is a polynomial, then its roots are in the interval $[-M, M]$ where
$$M = \frac{\max(|a_n|,\ |a_{n-1}| + \ldots + |a_0|)}{|a_n|}$$
(see [27]). $\Box$
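As an added illustration of the bound used in the proof of Theorem 2.5.2 (example code written for this page, not part of the thesis): `integer_roots` computes $M = \max(|a_n|, |a_{n-1}| + \ldots + |a_0|)/|a_n|$ and tests the finitely many integers in $[-M, M]$, which is exactly why $\exists k.\ p(k) = 0$ is decidable for one integer variable $k$. The coefficient lists are constructed inputs, given as $[a_n, \ldots, a_0]$; exact rational arithmetic keeps the bound from being rounded.

```python
from fractions import Fraction
from math import ceil, floor


def root_bound(coeffs):
    """Return M = max(|a_n|, |a_{n-1}| + ... + |a_0|) / |a_n| for the
    polynomial a_n k^n + ... + a_0, given as coeffs = [a_n, ..., a_0].
    Every real root r satisfies |r| <= M, so integer roots lie in [-M, M]."""
    a_n = coeffs[0]
    if a_n == 0:
        raise ValueError("leading coefficient must be non-zero")
    tail = sum(abs(c) for c in coeffs[1:])
    return Fraction(max(abs(a_n), tail), abs(a_n))


def eval_poly(coeffs, k):
    """Horner evaluation of the polynomial at k, in exact integer arithmetic."""
    acc = 0
    for c in coeffs:
        acc = acc * k + c
    return acc


def integer_roots(coeffs):
    """All k in Z with p(k) = 0, found by testing every integer in [-M, M].
    This finite enumeration is the decision procedure behind Theorem 2.5.2
    for a single bounded integer variable."""
    m = root_bound(coeffs)
    lo, hi = ceil(-m), floor(m)
    return [k for k in range(lo, hi + 1) if eval_poly(coeffs, k) == 0]


def satisfiable_over_integers(coeffs):
    """Decide whether the formula  exists k in Z . p(k) = 0  is satisfiable."""
    return len(integer_roots(coeffs)) > 0
```

For $k^2 - 5k + 6$ the bound is $M = 11$ and the enumeration finds the roots $2$ and $3$; for $2k^2 - 1$ the bound is $M = 1$ and no integer in $[-1, 1]$ is a root, so the existential formula is unsatisfiable.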
2.5.1 Discussion

Due to the presence of arrays (which are functions from integers to reals) the logic $\Phi(\vec{id})$ is a High Order Mathematical Logic. The satisfiability problem for High Order Mathematical Logics is undecidable (due to the mentioned undecidability result holding for polynomial formulae on integer variables). However, if one considers only linear formulae, the satisfiability problem is decidable for the class of First Order Mathematical Logic. In proposition 2.2.3 we prove that if one considers only linear formulae in the framework of High Order Mathematical Logic, one does not obtain decidability. Then, we have defined the sets of BD-Formulae free on $k$ and of S-Formulae, which are subsets of High Order Mathematical Logics. In the first set of formulae we have solved the problem caused by integer variables in polynomial formulae by introducing dependent and bounded integer variables. In the set of S-Formulae we have solved the problem caused for linear formulae when passing from First Order Mathematical Logic to High Order Mathematical Logic by using the form $\exists \vec{id}_1.\forall h.\exists \vec{id}_2$. We have proved that the satisfiability problem is decidable for these two new classes.

For the scope of the thesis we have limited ourselves to arrays from integers to reals and from integers to integers. But we note that the results of theorems 2.5.1 and 2.5.2 can be extended to other High Order Logics that consider other types of functions, such as $f : \mathbb{Z} \times \mathbb{Z} \rightarrow \mathbb{R}$ (which can represent infinite matrices) or $f : \mathbb{R} \rightarrow \mathbb{R}$.
Chapter 3 Hybrid Systems with Identifiers

3.1 The Formalism

A Hybrid System with Identifiers is a tuple $\langle \Sigma, Loc, \vec{id}, Tr, Act, Init \rangle$, where:
- $\Sigma$ is a finite set of synchronization symbols.
- $Loc$ is a finite set of locations. A state is a pair $(l, \vec{v})$ where $l$ is a location and $\vec{v}$ is a valuation in $V(\vec{id})$.
- $\vec{id}$ is a vector containing variables, arrays and parameters. With $\vec{m}$ we denote the vector of parameters which appear in $\vec{id}$.
- $Tr$ is a finite set of transitions. Each transition is of the form $\langle l, a, \phi, l' \rangle$, where $l$ and $l'$ are the source and the target location, respectively. The symbol $a \in \Sigma$ is the synchronization label of the transition. The formula $\phi$ is a quantified formula in $\Phi(\vec{id} \uplus (\vec{id} \setminus \vec{m})')$, where $\vec{id}$ represents the valuations which enable the transition and $(\vec{id} \setminus \vec{m})'$ represents the new values which are assigned to variables and arrays in $\vec{id} \setminus \vec{m}$ after performing the transition.
- $Act$ is a function which assigns to each location a quantified formula in $\Phi(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec{m})')$. This formula represents the values of the identifiers $\vec{id}$ when the location is entered and the new values $(\vec{id} \setminus \vec{m})'$ of variables and arrays when the location is left at a time $t$.
- $Init = (l_0, \phi_0)$ is a pair with $l_0 \in Loc$ and $\phi_0 \in \Phi(\vec{id})$, which represents the initial location $l_0$ and the condition $\phi_0$ that must be satisfied by the system at the beginning.

The set of Hybrid Systems with Identifiers is called $H_{id}$.

Example 3.1.1 We model the cache of a browser by a Hybrid System with Identifiers. A request $r_c$ to the cache to obtain a file $f$ of a web page has a positive answer $a_c$ if
the file is in the cache. Otherwise, the cache gives a negative answer $n_c$ and, when the file $f$ is downloaded, it is cached with the date $d$ of its download (action $s_c$). The file which is overwritten is the oldest. In Fig. 3.1 we have modeled the cache. The real variable $d$ represents the date, the real variable $x$ is used to quantify the answer time of the cache to a request. The variable $f$ represents the information of the file requested (name, location and contents). The array $file$ represents the files $file[i]$ that are in the cache. The array $date$ represents the date $date[i]$ of the last request to file $file[i]$. The initial location is $Wait$, which represents the fact that the cache is waiting for a request of a file. The initial condition says that the date $d$ is positive, $x$ is equal to zero, and the dates and the file information are positive reals. After a request $r_c$, in $f'$ we have the information of the file requested. We have omitted, for legibility, the fact that identifiers not specified do not change their values with the firing of the transition; more precisely, $d' = d \wedge x' = x \wedge \forall h \in [1, size].\ file'[h] = file[h] \wedge date'[h] = date[h]$. Analogously for the other transitions and also for activities. Now in the location $Check$ the cache looks for the file $f$. The cache gives a positive answer $a_c$ in a time in $[2, 5]$ if the file is in the cache ($file[k] = f$). The cache updates the date with the current date ($date'[k] = d$). On the other hand, if the file is not in the cache ($\forall h \in [1, size].\ file[h] \neq f$), a negative answer $n_c$ is given in a time in $[2, 5]$, and the cache is ready to download the file. When the page is downloaded ($s_c$), the file $f$ is written ($file'[k] = f$) in the position $k$ of the oldest referred page (i.e. in the position which has the minimum date).

Figure 3.1: The cache of a browser. [Figure; recovered content:]
- Initial location $Wait$, initial condition $d \geq 0 \wedge x = 0 \wedge \forall h \in [1, size].\ date[h] \geq 0 \wedge file[h] \geq 0$.
- Locations: $Wait$ with activity $d' = d + t$; $Check$ with activity $d' = d + t \wedge x' = x + t$; $Write$ with activity $d' = d + t$.
- Transitions: $Wait \xrightarrow{r_c} Check$ with $f' \geq 0$; $Check \xrightarrow{a_c} Wait$ with $x \in [2, 5] \wedge x' = 0 \wedge \exists k \in [1, size].\ file[k] = f \wedge date'[k] = d$; $Check \xrightarrow{n_c} Write$ with $x \in [2, 5] \wedge x' = 0 \wedge \forall h \in [1, size].\ file[h] \neq f$; $Write \xrightarrow{s_c} Wait$ with $\exists k \in [1, size].\ file'[k] = f \wedge date'[k] = d \wedge \forall h \in [1, size].\ date[h] \geq date[k]$.

Let $\langle \Sigma, Loc, \vec{id}, Tr, Act, Init \rangle$ be a Hybrid System with Identifiers where $\vec{m}$ is the vector of parameters in $\vec{id}$. Let $l$ be a location in $Loc$, $\vec{v}$ a valuation in $V(\vec{id} \setminus \vec{m})$ and $\vec{u}$ an instance in $V(\vec{m})$. The system can evolve from a state $(l, \vec{v} \uplus \vec{u})$ to another state by performing either an activity step or a transition step. Activity and transition steps are defined as follows:
- the activity step describes the evolution of the system due to being in a location and the passing of time. The quantified formula $Act(l)$ must be satisfied by the valuation $\vec{v} \uplus \vec{u}$, and the activity in the location takes the system to a new valuation $\vec{v}'$ in a time $c$ by means of $Act(l)$. Parameters do not change their values. More precisely
$$\frac{c \geq 0 \qquad \vec{v} \uplus \vec{u} \uplus (c) \uplus \vec{v}' \in \llbracket Act(l) \rrbracket}{(l, \vec{v} \uplus \vec{u}) \rightarrow_c (l, \vec{v}' \uplus \vec{u})}$$
- the transition step describes the change due to performing a transition. The quantified formula $\phi$ of the transition must be satisfied by the valuation $\vec{v} \uplus \vec{u}$, and the transition takes the system to a new location $l'$ and to a new valuation $\vec{v}'$ by means of $\phi$. Parameters do not change their values. More precisely
$$\frac{\langle l, a, \phi, l' \rangle \in Tr \qquad \vec{v} \uplus \vec{u} \uplus \vec{v}' \in \llbracket \phi \rrbracket}{(l, \vec{v} \uplus \vec{u}) \rightarrow_e (l', \vec{v}' \uplus \vec{u})}$$

A run $r$ of a Hybrid System with Identifiers is a sequence of steps
$$(l_0, \vec{v}^1_0) \rightarrow_{t_0} (l_0, \vec{v}^2_0) \rightarrow_{e_0} (l_1, \vec{v}^1_1) \rightarrow_{t_1} (l_1, \vec{v}^2_1) \ \ldots\ (l_n, \vec{v}^2_n) \rightarrow_{e_n} (l_{n+1}, \vec{v}^1_{n+1})$$
where $\vec{v}^1_0$ satisfies the initial condition, $t_i$ is a time and $e_i = \langle l_i, a_i, \phi_i, l_{i+1} \rangle$ is a transition, for any $0 \leq i \leq n$.
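To make the run semantics concrete, the following added example (written for this page; it is not code from the thesis) simulates the cache of Example 3.1.1 as a Hybrid System with Identifiers: a run alternates an activity step of duration $t$ with a transition step, each transition checks its guard against the current valuation and produces the primed valuation, and the sequence of pairs (time, label) of the run is returned. The cache size, the requested file identifiers and the scenario `SCENARIO` are constructed inputs; unspecified identifiers keep their value, as the text states.

```python
import copy

SIZE = 4  # constructed: the cache has size = 4 slots, indexed 1..SIZE as in Fig. 3.1


def initial_state():
    """Init: location Wait with d >= 0, x = 0 and all dates and files >= 0 (constructed values)."""
    v = {"d": 0.0, "x": 0.0, "f": 0.0,
         "file": [0.0] * (SIZE + 1),   # index 0 is unused
         "date": [0.0] * (SIZE + 1)}
    return "Wait", v


def activity(loc, v, t):
    """Activity step: Act(Wait) = Act(Write) = (d' = d + t); Act(Check) also has x' = x + t."""
    if t < 0:
        raise ValueError("time must be non-negative")
    w = copy.deepcopy(v)
    w["d"] += t
    if loc == "Check":
        w["x"] += t
    return w


def transition(loc, label, v, f=None):
    """Transition step: return (l', v') if <loc, label, phi, l'> is enabled by v, else None."""
    w = copy.deepcopy(v)
    slots = range(1, SIZE + 1)
    if loc == "Wait" and label == "rc":            # guard f' >= 0
        if f is None or f < 0:
            return None
        w["f"] = f
        return "Check", w
    if loc == "Check" and label in ("ac", "nc"):   # x in [2, 5] and x' = 0
        if not 2 <= v["x"] <= 5:
            return None
        hits = [k for k in slots if v["file"][k] == v["f"]]
        w["x"] = 0.0
        if label == "ac" and hits:                 # exists k. file[k] = f and date'[k] = d
            w["date"][hits[0]] = v["d"]
            return "Wait", w
        if label == "nc" and not hits:             # forall h. file[h] != f
            return "Write", w
        return None
    if loc == "Write" and label == "sc":           # overwrite the slot with the minimum date
        k = min(slots, key=lambda i: v["date"][i])
        w["file"][k] = v["f"]
        w["date"][k] = v["d"]
        return "Wait", w
    return None


def run(steps):
    """steps = [(t, label, f), ...]; each step is ->_t followed by ->_e.
    Returns (final location, final valuation, timed word) or None if a step is not enabled."""
    loc, v = initial_state()
    timed_word = []
    for t, label, f in steps:
        v = activity(loc, v, t)
        nxt = transition(loc, label, v, f)
        if nxt is None:
            return None
        loc, v = nxt
        timed_word.append((t, label))
    return loc, v, timed_word


# Constructed scenario: a miss on file 7 (download, then store), then a hit on the same file.
SCENARIO = [(0.0, "rc", 7.0), (3.0, "nc", None), (150.0, "sc", None),
            (1.0, "rc", 7.0), (2.5, "ac", None)]
```

Running `run(SCENARIO)` ends in $Wait$ with file 7 stored in slot 1 and its date equal to the value of $d$ at the hit; a step such as an $a_c$ answer after only one time unit in $Check$ is rejected because $x \in [2, 5]$ does not hold, so `run` returns `None` for a sequence that is not a run of the system.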
3.2 Composition

Let $H_1, H_2 \in H_{id}$, where $H_i$ is the tuple $\langle \Sigma_i, Loc_i, \vec{id}_i, Tr_i, Act_i, Init_i \rangle$, for $i = 1, 2$. The composition of $H_1$ with $H_2$ (denoted with $H_1 \otimes H_2$) is the Hybrid System with Identifiers $\langle \Sigma_1 \cup \Sigma_2, Loc_1 \times Loc_2, \vec{id}_1 \uplus \vec{id}_2, Tr_3, Act_3, Init_3 \rangle$ where:
- $\langle (l_1, l_2), a, \phi, (l'_1, l'_2) \rangle \in Tr_3$ if and only if
  - $a \in \Sigma_1 \setminus \Sigma_2$ and there exists $\langle l_1, a, \phi, l'_1 \rangle \in Tr_1$ and $l'_2 = l_2$, or
  - $a \in \Sigma_2 \setminus \Sigma_1$ and there exists $\langle l_2, a, \phi, l'_2 \rangle \in Tr_2$ and $l'_1 = l_1$, or
  - $a \in \Sigma_1 \cap \Sigma_2$ and there exist $\langle l_1, a, \phi_1, l'_1 \rangle \in Tr_1$ and $\langle l_2, a, \phi_2, l'_2 \rangle \in Tr_2$ and $\phi = \phi_1 \wedge \phi_2$;
- $Act_3(l_1, l_2) = Act_1(l_1) \wedge Act_2(l_2)$;
- $Init_3 = ((l^1_0, l^2_0), \phi^1_0 \wedge \phi^2_0)$ where $Init_1 = (l^1_0, \phi^1_0)$ and $Init_2 = (l^2_0, \phi^2_0)$.
Example 3.2.1 Let us assume a user’s browser that interacts with its cache and with other sites. In Fig. 3.2 we model the user’s browser and a generic site. The Hybrid System Hu represents the behavior of the browser. It can perform a request rc to the cache to obtain a web page. If the requested page is in the cache, then the cache gives a positive answer ac . Otherwise, the cache gives a negative answer nc , the browser downloads the page (actions rw and aw ) and, then, the page is cached (action sc ). The Hybrid System Hw represents a generic site. The time elapsed between a request rw (which resets clock y) and an answer aw is in the interval [100, 250]. The overall system is described by the composition of the Hybrid Systems with identifiers shown in figures 3.1 and 3.2.
Figure 3.2: The web system. [Figure; recovered content:] The browser $H_u$ has the locations Ready, Req, Search, No in, Ans, Reqw and Copy, each with activity $y' = y + t$, and transitions labelled $r_c$, $a_c$, $n_c$ (with $y' = 0$), $r_w$ (with $y \in [0, 1]$), $a_w$ (with $y' = 0$) and $s_c$ (with $y \in [2, 5]$). The site $H_w$ has two locations and the transitions $r_w$ (with $z' = 0$) and $a_w$ (with $z \in [100, 250]$).

3.3 Subclasses

In this section we consider different classes of $H_{id}$. Firstly, we consider the known classes of Polynomial Hybrid Systems (see [43] and [44]) and Linear Hybrid Systems (see [9] and [18]). Afterwards we consider new subclasses of Hybrid Systems, namely Linear Hybrid Systems with Parameters, Linear Hybrid Systems with Integers, BD-Hybrid Systems (where formulae are BD-Formulae) and S-Hybrid Systems (where formulae are S-Formulae).

3.3.1 Polynomial Hybrid Systems

A Polynomial Hybrid System is a tuple $\langle \Sigma, Loc, \vec{x} \uplus \vec{m}, Tr, Act, Init \rangle$ in $H_{id}$ where $\vec{x}$ is a vector of variables and $\vec{m}$ is a vector of parameters (i.e. no arrays and integer variables are used). With $H_P$ we denote the set of Polynomial Hybrid Systems.

Example 3.3.1 Players A and B want to catch the ball, which is at position $(x_p, y_p)$ of the playground. Player A starts from position $(x_A, y_A)$ and runs towards the ball at speed $v_A$. Player B starts from position $(x_B, y_B)$ and runs towards the ball at speed $v_B$. With the variables $P_A$ and $P_B$ we denote the distances run by players A and B, respectively. The identifiers $x_p, y_p, x_A, y_A, x_B, y_B, v_A$ and $v_B$ are parameters. With $D_A$ and $D_B$ we denote the terms $(x_p - x_A)^2 + (y_p - y_A)^2$ and $(x_p - x_B)^2 + (y_p - y_B)^2$
giving the square of the distances of player A and player B from the ball, respectively. In Fig. 3.3 we describe the problem.

Figure 3.3: The players problem. [Figure; recovered content:] Initial location $Start$ with initial condition $P_A = 0 \wedge P_B = 0 \wedge v_A, v_B > 0 \wedge x_A, y_A \geq 0 \wedge x_B, y_B \geq 0 \wedge x_p, y_p \geq 0$ and activity $P'_A = P_A + v_A t \wedge P'_B = P_B + v_B t$; transition $Start \rightarrow$ Player A wins with guard $(P_A)^2 = D_A \wedge (P_B)^2 < D_B$; transition $Start \rightarrow$ Player B wins with guard $(P_B)^2 = D_B \wedge (P_A)^2 < D_A$.
3.3.2 Linear Hybrid Systems

A Linear Hybrid System is a Polynomial Hybrid System where formulae are linear. More precisely, it is a tuple $\langle \Sigma, Loc, \vec{x} \uplus \vec{m}, Tr, Act, Init \rangle$ in $H_{id}$ where
- $\vec{x}$ is a vector of variables and $\vec{m}$ is a vector of parameters (i.e. no arrays and integer variables are used);
- for each $l \in Loc$ it holds that $Act(l) \in \Phi_L(\vec{x} \uplus \vec{m} \uplus (t) \uplus \vec{x}')$;
- for each $\langle l, a, \phi, l' \rangle \in Tr$ it holds that $\phi \in \Phi_L(\vec{x} \uplus \vec{m} \uplus \vec{x}')$;
- if $Init = (l_0, \phi_0)$, then $\phi_0 \in \Phi_L(\vec{x} \uplus \vec{m})$.

With $H_L$ we denote the set of Linear Hybrid Systems.

Example 3.3.2 From [9] we take an automaton describing the system that controls the temperature of the coolant in a reactor tank by moving independent rods. The goal is to maintain the coolant between temperatures 0 and 10. When the temperature reaches its maximum value 10, the tank must be refrigerated with one of the rods. The temperature rises at rate 10 and decreases at rates $-5$ and $-7$ depending on which rod is being used. A rod can be moved again only if one time unit has elapsed since the end of its previous movement. If the temperature of the coolant cannot decrease because there is no available rod, a complete shutdown is required. In Fig. 3.4 we show the hybrid automaton for the temperature control system; the values of the clocks $x$ and $y$ represent the time elapsed since the last use of rod 1 and rod 2 respectively, and the variable $z$ measures the temperature.

The definition of $H_L$ in [9] uses a rate $r_x \in \mathbb{Q}$ for each real variable $x$ and an invariant for each location. The rate $r_x$ means that in the activity step the real variable $x$ changes its value as $r_x \cdot t$. Invariants are a function from locations to linear simple formulae. The condition associated with a given location must be satisfied in each instant in which the system is in that location; more precisely, if $\phi_1$ and $\phi_2$ are the activity and the invariant of a location, respectively, then the reachable valuations are those which satisfy the formula
$$\exists \vec{x}.\exists t.\ \phi_1 \wedge \forall t'.\ \phi_2[x_1 := x_1 + r_{x_1} t'] \ldots [x_n := x_n + r_{x_n} t'].$$
Rates are permitted in our definition. Invariants can be easily deleted. In fact we transform $\forall t'.\ \phi_2[x_1 := x_1 + r_{x_1} t'] \ldots [x_n := x_n + r_{x_n} t']$ into $\neg \exists t'.\ \neg \phi_2[x_1 := x_1 + r_{x_1} t'] \ldots [x_n := x_n + r_{x_n} t']$. So we use as activity formula the formula
$$\phi_1 \wedge \neg \mathit{Del}_{\mathbb{R}}(t', \neg \phi_2[x_1 := x_1 + r_{x_1} t'] \ldots [x_n := x_n + r_{x_n} t']).$$
This is correct by corollary 2.4.4. In the definition of [18] the rate of $x$ is a real variable $\dot{x}$. Also this version of $H_L$ can be simulated.
3.3.3 Linear Hybrid Systems with Parameters

A Linear Hybrid System with Parameters is a Polynomial Hybrid System where formulae are linear only on variables and not on parameters. More precisely, it is a tuple $\langle \Sigma, Loc, \vec{x} \uplus \vec{m}, Tr, Act, Init \rangle$ in $H_{id}$ where
- $\vec{x}$ is a vector of variables and $\vec{m}$ is a vector of parameters (i.e. no arrays and integer variables are used);
- for each $l \in Loc$ it holds that $Act(l) \in \Phi_{Par}(\vec{x} \uplus \vec{m} \uplus (t) \uplus \vec{x}')$;
- for each $\langle l, a, \phi, l' \rangle \in Tr$ it holds that $\phi \in \Phi_{Par}(\vec{x} \uplus \vec{m} \uplus \vec{x}')$;
- if $Init = (l_0, \phi_0)$, then $\phi_0 \in \Phi_{Par}(\vec{x} \uplus \vec{m})$.

With $H_{Par}$ we denote the set of Linear Hybrid Systems with Parameters.

Example 3.3.3 In Fig. 3.5 we consider a parametric version of the Linear Hybrid System of Fig. 3.4.
Figure 3.4: Temperature control system. [Figure; recovered content:] Initial location $HOT$ with initial condition $x = 1 \wedge y = 1$. Locations: $HOT$ with activity $z' = z + 10t \wedge x' = x + t \wedge y' = y + t \wedge z' \in [0, 10]$; $ROD1$ with activity $z' = z - 5t \wedge x' = x + t \wedge y' = y + t \wedge z' \in [0, 10]$; $ROD2$ with activity $z' = z - 7t \wedge x' = x + t \wedge y' = y + t \wedge z' \in [0, 10]$; $Shutdown$. Transitions: $HOT \rightarrow ROD1$ with $z = 10 \wedge x \geq 1$; $ROD1 \rightarrow HOT$ with $z = 0 \wedge x' = 0$; $HOT \rightarrow ROD2$ with $z = 10 \wedge y \geq 1$; $ROD2 \rightarrow HOT$ with $z = 0 \wedge y' = 0$; $HOT \rightarrow Shutdown$ with $z = 10 \wedge x < 1 \wedge y < 1$.

Figure 3.5: Parametric temperature control system. [Figure; recovered content:] As Fig. 3.4, with the rates replaced by the parameters $v_r > 0$, $v_1 < 0$ and $v_2 < 0$: $HOT$ has activity $z' = z + v_r t$, $ROD1$ has activity $z' = z + v_1 t$ and $ROD2$ has activity $z' = z + v_2 t$ (each together with $x' = x + t \wedge y' = y + t \wedge z' \in [0, 10]$); the initial condition is $x = 1 \wedge y = 1 \wedge v_r > 0 \wedge v_1 < 0 \wedge v_2 < 0$.
3.3.4 Linear Hybrid Systems with Integers

A Linear Hybrid System with Integers is a tuple $\langle \Sigma, Loc, \vec{x} \uplus \vec{k} \uplus \vec{m}, Tr, Act, Init \rangle$ in $H_{id}$ where
- $\vec{x}$ is a vector of variables, $\vec{k}$ is a vector of integers and $\vec{m}$ is a vector of parameters (i.e. no arrays are used);
- for each $l \in Loc$ it holds that $Act(l) \in \Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m} \uplus (t) \uplus \vec{x}' \uplus \vec{k}')$;
- for each $\langle l, a, \phi, l' \rangle \in Tr$ it holds that $\phi \in \Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m} \uplus \vec{x}' \uplus \vec{k}')$;
- if $Init = (l_0, \phi_0)$, then $\phi_0 \in \Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$.

With $H_{Int}$ we denote the set of Linear Hybrid Systems with Integers.
3.3.5 BD-Hybrid Systems

A BD-Hybrid System free on $k$ is a Hybrid System with Identifiers such that formulae are BD-Formulae free on $k$, for some integer variable $k$. More precisely, it is a tuple $\langle \Sigma, Loc, \vec{id}, Tr, Act, Init \rangle$ in $H_{id}$ where $\vec{m}$ is the vector of parameters in $\vec{id}$ and
- for each $l \in Loc$ it holds that $Act(l) \in \Phi^k_{BD}(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec{m})')$;
- for each $\langle l, a, \phi, l' \rangle \in Tr$ it holds that $\phi \in \Phi^k_{BD}(\vec{id} \uplus (\vec{id} \setminus \vec{m})')$;
- if $Init = (l_0, \phi_0)$, then $\phi_0 \in \Phi^k_{BD}(\vec{id})$.

With $H^k_{BD}$ we denote the set of BD-Hybrid Systems free on $k$.

We note that $k$ is in either $\vec{id}$ or $\vec{id}'$. So let $H$ be in $H^k_{BD}$ with $k$ in $\vec{id}$; then $H$ is free on the values of $k$ before a step. Moreover, let $H$ be in $H^{k'}_{BD}$ with $k'$ in $\vec{id}'$; then $H$ is free on the values of $k$ after a step.

The following proposition states that the set $H^k_{BD}$ is closed under composition.

Proposition 3.3.4 Let $H_1, H_2$ be in $H^k_{BD}$; then $H_1 \otimes H_2$ is in $H^k_{BD}$.

Proof. It is obvious from the fact that the set $\Phi^k_{BD}(\vec{id})$ is closed under conjunction. $\Box$

We note that the proposition does not hold if we consider BD-Hybrid Systems free on different integer variables, i.e. if $H_1 \in H^{k_1}_{BD}$ and $H_2 \in H^{k_2}_{BD}$ with $k_1 \neq k_2$, then $H_1 \otimes H_2$ may not be a BD-Hybrid System.
Example 3.3.5 In Fig. 3.6 we model the cryptographic algorithm RSA for smart cards (see [25]) with a system in $H^n_{BD}$. The array $a$ represents the 128 bits of a key. The real variables $x$ and $y$ and the integer variable $h$ are auxiliary variables. Private-key operations are the operations $m^k \bmod n$, where $m$ is the message, $k$ is the secret key and $n$ is public. The algorithm is the following square-and-multiply loop, which scans the key from its most significant bit $a[0]$ and multiplies by $m$ exactly when the current bit is 1 (the transitions $eq1$ and $eq0$ of Fig. 3.6):

    x = 1
    for h = 0 to 127 {
        x = (x * x) mod n
        if a[h] = 1 then x = (x * m) mod n
    }
    return x

We suppose that we use Montgomery multiplication, for which a time in $[4, 5]$ that does not depend on the input is spent. Note that the system in Fig. 3.6 is free on the integer variable $n$.
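The following added example (written for this page; it is neither the thesis' code nor the implementation of [25]) runs the square-and-multiply loop above on a 128-entry bit array $a$ with $a[0]$ the most significant bit, checks the result against Python's `pow`, and counts the modular multiplications performed, each of which is charged a time in $[4, 5]$ in the model: 128 squarings plus one multiplication per 1-bit of the key, so the number of steps of a run, and with it the interval of time it can take, depends on the Hamming weight of $k$ even though each single multiplication is input-independent. The key width and the sample values are constructed inputs.

```python
def key_bits(k, width=128):
    """Bits of k as the array a of Fig. 3.6: a[0] is the most significant bit."""
    if not 0 <= k < (1 << width):
        raise ValueError("key does not fit in the given width")
    return [(k >> (width - 1 - h)) & 1 for h in range(width)]


def rsa_private_op(m, k, n, width=128):
    """Left-to-right square-and-multiply computing m^k mod n.
    Returns (result, number of modular multiplications); in the model of
    Fig. 3.6 each multiplication takes a time in [4, 5]."""
    a = key_bits(k, width)
    x = 1
    ops = 0
    for h in range(width):
        x = (x * x) % n           # squaring: performed for every bit
        ops += 1
        if a[h] == 1:
            x = (x * m) % n       # multiplication: only for the 1-bits of the key
            ops += 1
    return x, ops


def timing_window(ops):
    """Interval [4*ops, 5*ops] of the total time spent in the multiplications of a run."""
    return 4 * ops, 5 * ops
```

For the constructed key $k = 13$ (binary 1101, three 1-bits) the loop performs $128 + 3 = 131$ multiplications, for the all-ones key $2^{128} - 1$ it performs $256$; the result agrees with `pow(m, k, n)` in both cases.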
3.3.6 S-Hybrid Systems

An S-Hybrid System is a Hybrid System with Identifiers such that formulae are S-Formulae. More precisely, it is a tuple $\langle \Sigma, Loc, \vec{id}, Tr, Act, Init \rangle$ in $H_{id}$ where $\vec{m}$ is the vector of parameters in $\vec{id}$ and
- for each $l \in Loc$ it holds that $Act(l) \in \Phi_S(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec{m})')$;
- for each $\langle l, a, \phi, l' \rangle \in Tr$ it holds that $\phi \in \Phi_S(\vec{id} \uplus (\vec{id} \setminus \vec{m})')$;
- if $Init = (l_0, \phi_0)$, then $\phi_0 \in \Phi_S(\vec{id})$.

With $H_S$ we denote the set of S-Hybrid Systems. The following proposition states that the set $H_S$ is closed under composition.

Proposition 3.3.6 Let $H_1, H_2$ be in $H_S$; then $H_1 \otimes H_2$ is in $H_S$.

Proof. It is obvious from the fact that the set $\Phi_S(\vec{id})$ is closed under conjunction. $\Box$

Example 3.3.7 The system of Example 3.2.1 is in $H_S$.
Figure 3.6: RSA algorithm. [Figure; recovered content:] Initial location $l_1$, initial condition $h = 0 \wedge \forall l \in [0, 127].\ a[l] = 1 \vee a[l] = 0$. Locations $l_1$ and $l_7$ have activity $true$; $l_2$, $l_3$, $l_4$, $l_5$ and $l_6$ have activity $t \in [4, 5]$. Transitions: $l_1 \xrightarrow{input} l_2$ with $x' = 1$; $l_2 \xrightarrow{mul} l_2$ with $y' = y + n \wedge y' \leq x^2$; $l_2 \xrightarrow{mul} l_3$ with $x' = x^2 - y \wedge y + n > x^2$; $l_3 \xrightarrow{eq1} l_4$ with $a[h] = 1$; $l_3 \xrightarrow{eq0} l_5$ with $a[h] = 0$; $l_4 \xrightarrow{mul} l_4$ with $y' = y + n \wedge y' \leq x \cdot m$; $l_4 \xrightarrow{mul} l_5$ with $x' = x \cdot m - y \wedge y + n > x \cdot m$; $l_5 \xrightarrow{succ} l_6$ with $h' = h + 1$; $l_6 \xrightarrow{check} l_2$ with $h \leq 127$; $l_6 \xrightarrow{output} l_7$.
3.4 Expressiveness

In this section we study the expressive power of Hybrid Systems with respect to the language accepted. We show that arrays, integer variables and polynomial formulae give different expressiveness. Beforehand, we define the notion of language accepted by a Hybrid System with Identifiers with respect to a set of final states. Let $r$ be a run
$$(l_0, \vec{v}^1_0) \rightarrow_{t_0} (l_0, \vec{v}^2_0) \rightarrow_{e_0} (l_1, \vec{v}^1_1) \rightarrow_{t_1} (l_1, \vec{v}^2_1) \ \ldots\ (l_n, \vec{v}^2_n) \rightarrow_{e_n} (l_{n+1}, \vec{v}^1_{n+1})$$
where $t_i$ is a time and $e_i = \langle l_i, a_i, \phi_i, l_{i+1} \rangle$ is a transition, for any $0 \leq i \leq n$. With $tw(r)$ we denote the sequence $(t_0, a_0)(t_1, a_1) \ldots (t_n, a_n)$. Let $F$ be a subset of the set of locations; we say that the locations in $F$ are final locations. Moreover we say that $r$ terminates with a final location if $l_{n+1}$ is a final location. The language accepted by $H$ (denoted by $L(H)$) is the set $\{tw(r) \mid r \text{ is a run of } H \text{ which terminates with a final location}\}$.

First of all, in the following proposition, we summarize syntactic containments.

Proposition 3.4.1 The following relations hold:
- $L(H_{id}) \supseteq L(H')$, where $H'$ is one of the subclasses mentioned above;
- $L(H^k_{BD}) \supseteq L(H_P) \supseteq L(H_{Par}) \supseteq L(H_L)$;
- $L(H_S) \supseteq L(H_{Int}) \supseteq L(H_L)$.

Proof. The only non-immediate containment is $L(H_S) \supseteq L(H_{Int})$. But, by results in [93], we can transform a formula in $\Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$ into a formula without quantifiers which uses the relation $\equiv_n$ and the operator $[\tau]$. We can delete these by using the following equivalences:
- $\neg(\tau \equiv_n 0)$ is equivalent to $\bigvee_{i=1}^{n-1} \tau + i \equiv_n 0$ (see [51]);
- $\tau \equiv_n 0$ is equivalent to $\exists k.\ \tau = n \cdot k$;
- $\tau_1 + c \cdot [\tau_2] \sim 0$ is equivalent to $\exists k.\ \tau_1 + c \cdot k \sim 0 \wedge k \in (\tau_2 - 1, \tau_2]$.

Therefore, each formula in $\Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$ is equivalent to a formula of the form $\exists \vec{k}.\phi'$, where $\vec{k}$ is a vector of integers and $\phi'$ is simple. But this formula is also an S-Formula. $\Box$
Figure 3.7: The Hybrid System $H_1$. (Figure residue; recoverable content: locations $l_1$, $l_2$, $l_3$, initial condition $x = 0$, activity $x' = x + t$ in every location, transitions $l_1 \to l_2$ and $l_2 \to l_3$ both labelled $a$ with guard $\exists h.\ x = h \wedge x' = 0$.)
Figure 3.8: The Hybrid System $H_2$. (Figure residue; recoverable content: locations $l_1$, $l_2$, initial condition $x = 0$, activity $x' = x + t$ in both locations, transition $l_1 \to l_2$ labelled $a$ with guard $x = 2h + 1$.)
Why do we gain power by using integer variables? The idea is that with a step we cannot simulate an infinite set of natural numbers. In the following proposition we prove that integer variables give more expressiveness to $H_{Int}$ with respect to $H_L$. Moreover, since $H^k_{BD}$ may have only one free variable, which is not sufficient to model two or more integer variables, we prove that there exists a language recognized by an S-Hybrid System and not by a BD-Hybrid System.

Proposition 3.4.2 The following relations hold:
• $L(H_{Int}) \not\subseteq L(H_L)$;
• $L(H_S) \not\subseteq L(H^k_{BD})$.
Proof. Let $H_1$ be the Hybrid System in figure 3.7 with $l_3$ as final location. We note that $H_1$ is both in $H_{Int}$ and in $H_S$. The language $L(H_1)$ is equal to the set $\{(a,c_1)(a,c_2) \mid c_1, c_2 \in \mathbb N\}$. We prove that $L(H_1)$ is not accepted by any $H_L$ and $H^k_{BD}$.

Let us suppose, by contradiction, that there exists an $H'_1$ in $H_L$ such that $L(H'_1) = L(H_1)$. Let $(l'_1,\phi_0)$ be its initial condition. So, for each $(a,c_1)(a,c_2) \in L(H_1)$ there exists a run
$$(l'_1,\vec v_1) \to_{c_1} (l'_1,\vec v_2) \to_{e_1} (l'_2,\vec v_3) \to_{c_2} (l'_2,\vec v_4) \to_{e_2} (l'_3,\vec v_5).$$
The times $c_1$ and the values $\vec v_2$ of the real variables which are admissible after the first activity step are the valuations which satisfy the formula $\exists \vec x.\ \phi_0 \wedge \mathit{Act}(l'_1)$. By using $\mathit{Del}_{\mathbb R}$ we have an equivalent simple linear formula $\phi'_0$ such that, by renaming the variables $\vec x'$ with $\vec x$, we have that $\phi'_0[\vec x' := \vec x] \in \Phi((t) \uplus \vec x)$.

Now, the times $c_1$ and the values $\vec v_3$ of the real variables which are admissible after the transition step are the valuations which satisfy the formula $\exists \vec x.\ \phi'_0[\vec x' := \vec x] \wedge \phi$, where $\phi$ is the formula which labels the transition taken to perform the first transition step. Therefore the set of the first admissible times is the set of valuations which satisfy $\exists \vec x'.\exists \vec x.\ \phi'_0[\vec x' := \vec x] \wedge \phi$. By using $\mathit{Del}_{\mathbb R}$ we have an equivalent linear simple formula on $t$. So the admissible times $c_1$ lie in a finite union of intervals on the reals. It is obvious that with a finite set of intervals on the reals we cannot express the set of naturals. So we have proved that $L(H_{Int}) \not\subseteq L(H_L)$.

Now we must prove that $L(H_1)$ is not recognized by any $H^k_{BD}$. This proof can be done by contradiction. By mimicking the proof done for $H_L$ and by using $\mathit{Del}_{\mathbb R}$, $\mathit{Del}_{arr}$ and $\mathit{Del}_{\mathbb Z}$, we have that the times $t_1$ and $t_2$ of the two activity steps which can be taken by an $H^k_{BD}$ are the valuations which satisfy a formula $\phi$ of the form $\exists k.\phi'$, where $\phi'$ is a simple formula on $(t_1,t_2,k)$. Now $\llbracket\phi\rrbracket$ is equal to the set $\mathbb N \times \mathbb N$. The set $\llbracket\exists k.\exists t_2.\phi'\rrbracket$ gives the times taken in the first activity step. By using $\mathit{Del}_{\mathbb R}$ we have an equivalent formula $\exists k.\phi''$. The set $\llbracket\exists k.\phi''\rrbracket$ is equal to $\bigcup_{n \in \mathbb N} \llbracket\phi''[k := n]\rrbracket$. By using Sturm's algorithm we can transform $\phi''[k := n]$ into a finite union of intervals on the reals. Let $p_1$ be the maximum degree of $t_1$ in $\phi''$ and $p_2$ be the size of $\phi''$. Sturm's algorithm transforms $\phi''[k := n]$ into a number of intervals less than or equal to $p_1^{p_2}$. In fact each $\tau \sim 0$ becomes a union of at most $p_1$ intervals. The union and the intersection of $p_1$ repeated $p_2$ times generate at most $p_1^{p_2}$ intervals. Let $p_1 = p_1^{p_2}$; since the times must be naturals, it means that the integers expressed by the formula $\phi''[k := n]$ are at most $p_1$.

But $p_1$ does not depend on $n$, and so we can conclude that for each $n$ the integers expressed by the formula $\phi''[k := n]$ are at most $p_1$. We call $I^1_n$ the set of intervals expressed by $\phi''[k := n]$. It is obvious that for each $n$ the set $I^1_n$ has at most $p_1$ elements. Let $\exists k.\exists t_1.\phi'$ be the formula which expresses the times of the second activity step. In the same manner we can find $p_2$ such that the times expressed by $\exists t_1.\phi'[k := n]$ are at most $p_2$, for any $n$. Moreover we call $I^2_n$ the set of intervals expressed by $\exists t_1.\phi'[k := n]$. It is obvious that for each $n$ the set $I^2_n$ has at most $p_2$ elements.

Now let $A_n = I^1_n \times I^2_n$. Since $I^1_n$ and $I^2_n$ have natural elements, $\bigcup_{n \in \mathbb N} A_n$ is contained in $\mathbb N \times \mathbb N$. Moreover, it is obvious that the pairs of times contained in $\llbracket\phi'[k := n]\rrbracket$ are contained in $I^1_n \times I^2_n$. In fact $I^1_n$ is the set of times of the first activity step and $I^2_n$ is the set of times of the second activity step expressed by $\phi'[k := n]$. So it holds that
$$\llbracket\exists k.\phi'\rrbracket = \bigcup_{n \in \mathbb N} \llbracket\phi'[k := n]\rrbracket \subseteq \bigcup_{n \in \mathbb N} A_n \subseteq \mathbb N \times \mathbb N.$$
Since $\llbracket\exists k.\phi'\rrbracket$ is equal to $\mathbb N \times \mathbb N$, it holds that
$$\llbracket\exists k.\phi'\rrbracket = \bigcup_{n \in \mathbb N} A_n.$$
Moreover, for each $n$ it holds that $A_n$ has at most $p_1 \cdot p_2$ elements. Let $p = p_1 \cdot p_2$; we can construct a function $f_1 : \mathbb N \times [0,p-1] \to \mathbb N \times \mathbb N$ such that for any $n \in \mathbb N$ it holds that $\{f_1(n,0),\ldots,f_1(n,p-1)\} = A_n$. Since it holds that $\bigcup_{n \in \mathbb N} A_n = \llbracket\exists k.\phi'\rrbracket = \mathbb N \times \mathbb N$, the function $f_1$ is surjective. Let $f_2 : \mathbb N \to \mathbb N \times [0,p-1]$ be a function such that for any natural $n$ it holds that $f_2(n) = (q,r)$ if and only if $n = q \cdot p + r$. By the division theorem the function $f_2$ is well defined. Moreover the function $f_2$ is surjective. In fact, for each $(q,r)$, it holds that $f_2(q \cdot p + r) = (q,r)$. Let $f : \mathbb N \to \mathbb N \times \mathbb N$ be the composition of the functions $f_1$ and $f_2$. Since $f_1$ and $f_2$ are surjective, also $f$ is surjective. So we have proved that there exists a function $f : \mathbb N \to \mathbb N \times \mathbb N$ which is surjective, but this is impossible. □

Moreover, in the following proposition, we prove that the intersection of $L(H_{Int})$ and $L(H^k_{BD})$ is a set greater than $L(H_L)$. It means that $H_L$ is not able to simulate one integer variable.

Proposition 3.4.3 $L(H_{Int}) \cap L(H^k_{BD}) \supset L(H_L)$.

Proof. It is obvious that $L(H_{Int}) \cap L(H^k_{BD}) \supseteq L(H_L)$. This is verified directly by considering the syntax of the three classes. Now, we must prove that there exists a language recognized by an $H_{Int}$ and an $H^k_{BD}$ and not by an $H_L$. Let $H_2$ be the Hybrid System of figure 3.8 with $l_2$ as final location. We note that $H_2$ is both an $H_{Int}$ and an $H^k_{BD}$. The language $L(H_2)$ is equal to the set $\{(a,t) \mid t \text{ is an odd integer}\}$. We prove by contradiction that there is no Hybrid System in $H_L$ accepting $L(H_2)$. Similarly to the proof of proposition 3.4.2, the times expressible by an $H_L$ form a finite set of intervals, and so we cannot express the set $\{t \mid \exists h.\ t = 2h + 1\}$. □
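The definition of $L(H)$ at the start of this section, and the languages $L(H_1)$ and $L(H_2)$ used in propositions 3.4.2 and 3.4.3, can be checked mechanically on concrete timed words. The following Python program is an added example and is not code from the thesis: it models systems with one real variable $x$ and activity $x' = x + t$ in every location, and decides membership of a timed word $(t_0,a_0)\ldots(t_n,a_n)$ by searching over runs that end in a final location. The class and function names (`HybridSystem`, `Transition`, `accepts`, `h3_instance`) are my own; `h3_instance` fixes the parameter $m$ of $H_3$ (figure 3.9) to a chosen rational, so it recognizes only the corresponding instance of $L(H_3)$. Times are kept as exact fractions so that guards such as "$x$ is a natural" are decided exactly rather than by floating-point comparison.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Sequence, Set, Tuple


@dataclass(frozen=True)
class Transition:
    source: str
    action: str
    guard: Callable[[Fraction], bool]      # constraint on the value of x before the step
    reset: Callable[[Fraction], Fraction]  # value x' of x after the step
    target: str


@dataclass
class HybridSystem:
    """One real variable x; every location has activity x' = x + t with t >= 0."""
    initial_location: str
    initial_x: Fraction
    transitions: Sequence[Transition]
    final_locations: Set[str]


def accepts(h: HybridSystem, word: Sequence[Tuple[object, str]]) -> bool:
    """Decide whether the timed word (t0,a0)...(tn,an) belongs to L(h).

    A run alternates an activity step of duration t_i (x becomes x + t_i) with a
    transition step labelled a_i whose guard holds on the new value of x; the
    word is accepted when some run ends in a final location.  Nondeterministic
    choices between transitions are resolved by depth-first search.
    """
    def search(loc: str, x: Fraction, i: int) -> bool:
        if i == len(word):
            return loc in h.final_locations
        t, a = Fraction(word[i][0]), word[i][1]
        if t < 0:                              # a time must be non-negative
            return False
        x_after = x + t                        # activity step: x' = x + t
        for e in h.transitions:
            if e.source == loc and e.action == a and e.guard(x_after):
                if search(e.target, e.reset(x_after), i + 1):
                    return True
        return False
    return search(h.initial_location, h.initial_x, 0)


def is_natural(x: Fraction) -> bool:       # the guard  exists h . x = h  with h in N
    return x.denominator == 1 and x >= 0


def is_odd_integer(x: Fraction) -> bool:   # the guard  x = 2h + 1
    return x.denominator == 1 and x.numerator % 2 == 1


ZERO = Fraction(0)
reset0 = lambda x: ZERO                    # the conjunct x' = 0

# H1 of figure 3.7: L(H1) = {(a,c1)(a,c2) | c1, c2 natural}
H1 = HybridSystem("l1", ZERO,
                  [Transition("l1", "a", is_natural, reset0, "l2"),
                   Transition("l2", "a", is_natural, reset0, "l3")], {"l3"})

# H2 of figure 3.8: L(H2) = {(a,t) | t odd integer}
H2 = HybridSystem("l1", ZERO, [Transition("l1", "a", is_odd_integer, reset0, "l2")], {"l2"})


def h3_instance(m: Fraction) -> HybridSystem:
    """H3 of figure 3.9 with its parameter m fixed to a rational (assumption of this example)."""
    return HybridSystem("l1", ZERO,
                        [Transition("l1", "a", lambda x: x == m, reset0, "l2"),
                         Transition("l2", "b", lambda x: x == m * m, lambda x: x, "l3")],
                        {"l3"})


if __name__ == "__main__":
    print(accepts(H1, [(3, "a"), (5, "a")]), accepts(H1, [(Fraction(1, 2), "a"), (2, "a")]))
    print(accepts(H2, [(3, "a")]), accepts(H2, [(2, "a")]))
```

With the parameter fixed, `h3_instance(Fraction(3, 2))` accepts exactly the word $(a, 3/2)(b, 9/4)$; the full $L(H_3)$ is the union of these instances over all values of $m$, which is why no single choice of rational constants (the linear formulae of $H_{Int}$ and $H_S$ in the proof of proposition 3.4.4) can replace the parameter.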
We consider now the expressive power of polynomial formulae. In the following proposition we prove that polynomial formulae give more expressiveness to Hybrid Systems. So, the parameters of $H_{Par}$ permit to express languages not accepted by Hybrid Systems in $H_L$. But, since parameters do not change their value, there exists a language recognized by $H_P$ and not by $H_{Par}$. Moreover, the polynomial formulae used in $H^k_{BD}$ cannot be simulated by the linear formulae of $H_S$.

Proposition 3.4.4 The following relations hold:
• $L(H_P) \not\subseteq L(H_{Par})$;
• $L(H_{Par}) \not\subseteq L(H_{Int})$;
• $L(H^k_{BD}) \not\subseteq L(H_S)$.

Figure 3.9: The Hybrid System $H_3$. (Figure residue; recoverable content: locations $l_1$, $l_2$, $l_3$, initial condition $x = 0$, activity $x' = x + t$ in every location, transition $l_1 \to l_2$ labelled $a$ with guard $x = m \wedge x' = 0$, transition $l_2 \to l_3$ labelled $b$ with guard $x = m^2$.)
Proof. Let $H_3$ be the Hybrid System of figure 3.9 with $l_3$ as final location. We note that $H_3$ is both in $H_{Par}$ and in $H^k_{BD}$. The language $L(H_3)$ is equal to the set $\{(a,t)(b,t') \mid t' = t^2\}$. We prove, by contradiction, that there exist no $H_{Int}$ and $H_S$ which recognize $L(H_3)$. As done in the proof of proposition 3.4.2, the admissible times of a run composed of two activity steps and two transition steps are the valuations which satisfy a linear formula in $\Phi((t_1,t_2))$, where $t_1$ represents the time of the first activity step and $t_2$ the time of the second activity step. It means that there exists a linear formula $\phi$ such that $\llbracket\phi\rrbracket = \{(c,c^2) \mid c \in \mathbb R\}$. But this is impossible. In fact, by the proof of proposition 3.4.1, we can suppose that $\phi$ is of the form $\exists \vec k.\phi'$. Therefore, $\llbracket\phi\rrbracket$ can be written as
$$\bigcup_{\vec v \in V(\vec k)} \{(c,c') \mid (c,c') \uplus \vec v \models \phi'\}.$$
Now, $(c,c') \uplus \vec v \models \phi'$ if and only if $(c,c') \models \phi'[\vec k := \vec v]$. But $\phi'[\vec k := \vec v]$ is a linear simple formula on $(t_1,t_2)$ with rational coefficients and constants. So the formula describes a finite union of convex spaces. More precisely, if $\phi' = \phi_1 \vee \ldots \vee \phi_l$, with $\phi_i$ a conjunction of inequalities, for $1 \le i \le l$, then $\phi_i[\vec k := \vec v]$ is a convex space. The pair $(\sqrt 2, 2)$ is a valuation which satisfies $\phi$. We note that $\sqrt 2 \notin \mathbb Q$. So there exist $i$ and $\vec v$ such that the convex space $S = \phi_i[\vec k := \vec v]$ contains the pair $(\sqrt 2, 2)$.

If $S = \{(\sqrt 2, 2)\}$ then it means that $S$ can be written as $t_1 = \sqrt 2$ and $t_2 = 2$, but this contradicts the fact that coefficients and constants are rational, since $\sqrt 2 \notin \mathbb Q$.

If $S \supset \{(\sqrt 2, 2)\}$ then it means that $S$ has infinitely many solutions. Let $(c,c^2)$ in $S$ be such that $c \ne \sqrt 2$; then, since $S$ is convex, the pair $\left(\frac{\sqrt 2 + c}{2}, \frac{2 + c^2}{2}\right)$, which is the midpoint of $(c,c^2)$ and $(\sqrt 2, 2)$, is in $S$, and so it is also in $\llbracket\phi\rrbracket$. But this means that the square of $\frac{\sqrt 2 + c}{2}$ is equal to $\frac{2 + c^2}{2}$. This holds if and only if $(\sqrt 2 + c)^2 = 2(2 + c^2)$. But the only $c$ which satisfies the equation is $c = \sqrt 2$, which contradicts the hypothesis. So we have proved that $L(H_{Par}) \not\subseteq L(H_{Int})$ and $L(H^k_{BD}) \not\subseteq L(H_S)$.

Figure 3.10: The Hybrid System $H_4$. (Figure residue; recoverable content: locations $l_1$, $l_2$, initial condition $x = 0$, activity $x' = x + t \wedge y' = y + t$ in $l_1$ and $x' = x \wedge y' = y + t$ in $l_2$, a transition labelled $a$ with guard $x' = x \wedge y' = 0$ and a transition labelled $b$ with guard $y = x^2 \wedge x' = 0$.)

Now, we must prove that $L(H_P) \not\subseteq L(H_{Par})$. Let $H_4$ be the Hybrid System of figure 3.10 with $l_2$ as final location. The language $L(H_4)$ is equal to the set $\{(a,t_1)(b,t'_1)\ldots(a,t_n)(b,t'_n) \mid t'_i = t_i^2,\ 1 \le i \le n\}$. We prove, by contradiction, that there exists no $H_{Par}$ which recognizes $L(H_4)$. If an $H_{Par}$ with $l$ parameters which recognizes $L(H_4)$ exists, then the admissible times of a run composed of $2 \cdot n$ activity steps and $2 \cdot n$ transition steps, with $n > l$, are given by a formula $\phi$ in $\Phi((t_1,t'_1,\ldots,t_n,t'_n,m_1,\ldots,m_l))$. Now, we want to express the fact that $t'_i = (t_i)^2$, but we have proved that this is impossible with linear formulae. Therefore we must use parameters. Since in $\mathit{Act}(l)$ only the time of the current activity step appears, it means that in $\phi$, to have $t'_i = (t_i)^2$, we must use a parameter $m_j$ and a formula $t'_i = (m_j)^2 \wedge t_i = m_j$. Since parameters cannot change their values, we need $n$ parameters. But this contradicts the hypothesis $l < n$. □

Finally, we consider the power gained with arrays. In the following proposition we prove that arrays give memory to Hybrid Systems, which therefore gain in expressive power. This gain of expressivity is obvious since we have considered arrays with infinite length, but, in the proposition, we prove that to gain expressive power it is sufficient to have arrays with finite parametric length. Therefore the class $H_S$ is more expressive than the class $H_{Int}$. Moreover, if we consider the intersection of $L(H_S)$ with $L(H^k_{BD})$, the power of arrays permits to prove that there exists a language in the intersection but not in $L(H_{Int})$.

Proposition 3.4.5 The following relations hold:
• $L(H^k_{BD}) \cap L(H_S) \not\subseteq L(H_{Int})$;
• $L(H^k_{BD}) \cap L(H_S) \not\subseteq L(H_P)$.

Proof. Let $H_5$ be the Hybrid System in figure 3.11 with $l_3$ as final location. The language $L(H_5)$ is the set $\{(a,t_1)(a,t_2)\ldots(a,t_n)(b,t'_1)\ldots(b,t'_n) \mid t_i = t'_i,\ 1 \le i \le n\}$. We note that $H_5$ is in $H^k_{BD}$ and in $H_S$. We prove, by contradiction, that there exist no $H_{Int}$ and $H_P$ which recognize $L(H_5)$. If an $H_{Int}$ or an $H_P$ with $l$ variables exists, as done in proposition 3.4.4, then the admissible times of a run with $2 \cdot n$ activity steps and $2 \cdot n$ transition steps, with $n > l$, are given by a formula in which
Figure 3.11: The Hybrid System $H_5$. (Figure residue; recoverable content: locations $l_1$, $l_2$, $l_3$, initial condition $size \ge 0 \wedge x = 0 \wedge k = 0$, activity $x' = x + t$ in every location; transitions labelled $a$ leaving $l_1$ with guards $k < size \wedge a'[k] = x \wedge x' = 0$ and $k = size \wedge a'[k] = x \wedge x' = 0 \wedge k' = 0$, transitions labelled $b$ leaving $l_2$ with guards $k < size \wedge x = a[k] \wedge x' = 0$ and $k = size \wedge x = a[k]$.)

Figure 3.12: The Hybrid System $H_6$. (Figure residue; same structure as figure 3.11, with the guards of the transitions labelled $b$ reading $x = (a[k])^2$ in place of $x = a[k]$.)
we must use a variable $id$ to express $t_i = id \wedge id = t'_i$. It means that we need $n$ variables, but this contradicts the hypothesis $n > l$. □

In the following proposition we prove that the polynomial formulae on arrays of the class $H^k_{BD}$ permit to express languages not recognized by both $H_P$ and $H_S$. Moreover, the formulae with integer variables and arrays of $H_S$ permit to show that there exists a language accepted by $H_S$ but not accepted by both $H^k_{BD}$ and $H_{Int}$.

Proposition 3.4.6 The following facts hold:
• $L(H^k_{BD}) \not\subseteq L(H_P) \cup L(H_S)$;
• $L(H_S) \not\subseteq L(H_{Int}) \cup L(H^k_{BD})$.
Figure 3.13: The Hybrid System $H_7$. (Figure residue; recoverable content: locations $l_1$, $l_2$, $l_3$, initial condition $size \ge 0 \wedge x = 0 \wedge k = 0$, activity $x' = x + t$ in every location; transitions labelled $a$ leaving $l_1$ with guards $k < size \wedge a'[k] = x \wedge x' = 0$ and $k = size \wedge a'[k] = x \wedge x' = 0 \wedge k' = 0$, transitions labelled $b$ leaving $l_2$ with guards $k < size \wedge x = a[k] \wedge \exists h.\ x = h \wedge x' = 0$ and $k = size \wedge x = a[k] \wedge \exists h.\ x = h$.)

Figure 3.14: The Hybrid System $H_8$. (Figure residue; recoverable content: locations $l_1$, $l_2$, $l_3$, initial condition $x = 0$, activity $x' = x + t$ in every location, a transition labelled $a$ with guard $x = m \wedge x' = 0$, a transition labelled $b$ with guard $x = m^2 \wedge x' = 0$, and a transition labelled $c$ with guard $\exists h.\ x = h$.)
Proof. Let $H_6$ be the Hybrid System in figure 3.12 with $l_3$ as final location; $H_6$ is in $H^k_{BD}$. The language $L(H_6)$ is the set $\{(a,t_1)(a,t_2)\ldots(a,t_n)(b,t'_1)\ldots(b,t'_n) \mid t'_i = (t_i)^2,\ 1 \le i \le n\}$. We prove, by contradiction, that there are no $H_P$ and $H_S$ which recognize $L(H_6)$. If there exists an $H_P$ which recognizes $L(H_6)$, then this contradicts the proof of proposition 3.4.5. Furthermore, if there exists an $H_S$ which recognizes $L(H_6)$, then this contradicts the proof of proposition 3.4.4. So we have proved that $L(H^k_{BD}) \not\subseteq L(H_P) \cup L(H_S)$.

Now we prove that $L(H_S) \not\subseteq L(H_{Int}) \cup L(H^k_{BD})$. Let $H_7$ be the Hybrid System in figure 3.13 with $l_3$ as final location. The language $L(H_7)$ is equal to the set $\{(a,t_1)(a,t_2)\ldots(a,t_n)(b,t'_1)\ldots(b,t'_n) \mid \forall i \in [1,n].\ \exists h \in \mathbb N.\ t'_i = t_i = h\}$. We note that $H_7$ is in $H_S$, and we prove, by contradiction, that there are no $H_{Int}$ and $H^k_{BD}$ which recognize $L(H_7)$. If there exists an $H_{Int}$ which recognizes $L(H_7)$, then this contradicts the proof of proposition 3.4.5. Furthermore, if there exists an $H^k_{BD}$ which recognizes $L(H_7)$, then this contradicts the proof of proposition 3.4.2. □

Finally we prove that the class $H_{id}$ is the most expressive of those considered. We prove more. In fact we show that there exists a language recognized by $H_{id}$ and not recognized by both $H^k_{BD}$ and $H_S$.

Proposition 3.4.7 $L(H_{id}) \supset L(H^k_{BD}) \cup L(H_S)$.

Proof. Let $H_8$ be the Hybrid System in figure 3.14 with $l_4$ as final location. The language $L(H_8)$ is equal to the set $\{(a,t)(b,t^2)(c,t_1)\ldots(c,t_n) \mid t_1,\ldots,t_n \in \mathbb N\}$. We prove, by contradiction, that there is no $H_S$ and $H^k_{BD}$ which recognize $L(H_8)$. If there exists an $H_S$ which recognizes $L(H_8)$, then this contradicts the proof of proposition 3.4.4. Moreover, if there exists an $H^k_{BD}$ which recognizes $L(H_8)$, then this contradicts the proof of proposition 3.4.2. □

The previous results imply the following theorem.

Theorem 3.4.8 The classification of expressiveness of languages and the Hybrid Systems memberships described in figure 3.15 hold.

Theorem 3.4.8 gives a first idea of the importance of the new classes defined in this chapter. We have proved that the class $H_P$ is the most expressive among the known classes. But the new class $H^k_{BD}$ extends it. Moreover, the new classes $H_S$ and $H_{Int}$ extend the classical class $H_L$ and consider cases which cannot be recognized by $H^k_{BD}$ and so by $H_P$. In the next chapter we shall prove that reachability is semi-decidable for the class (as it is for the known ones) and we shall give an algorithm to compute reachability, which is based on predicate transformation.
Figure 3.15: The classes. (Figure residue; the diagram places the languages $L(H_{id})$, $L(H^k_{BD})$, $L(H_S)$, $L(H_P)$, $L(H_{Par})$, $L(H_L)$ and $L(H_{Int})$ as nested and overlapping regions, and marks the example systems $H_1, \ldots, H_8$ in the regions that separate the classes.)
The class $H_{Par}$ contains $H_L$ and is contained in $H_P$. The relevance of this class will appear in the next chapter, where we will prove an interesting closure result for reachability.
Chapter 4 Reachability

4.1 The Reachability Problem
Let $H = \langle \Sigma, \mathit{Loc}, \vec{id}, \mathit{Tr}, \mathit{Act}, \mathit{Init}\rangle$ be such that $H \in H_{id}$; a region of $H$ is a pair $(l,\phi)$, where $l$ is a location and $\phi$ is in $\Phi(\vec{id})$. A region represents the set of states $(l,\vec v)$ such that $\vec v \in \llbracket\phi\rrbracket$.

Let $(l,\phi)$ be a region; the reachability problem $\Diamond(l,\phi)$ for a Hybrid System with Identifiers consists in determining whether there exists a run $(l_0,\vec v_0) \to \ldots \to (l_n,\vec v_n)$ such that $l_n$ is the location $l$ and $\vec v_n \in \llbracket\phi\rrbracket$, namely $\vec v_n$ satisfies $\phi$. It means that a state can be reached with location $l$ and a valuation which satisfies $\phi$. The problem is, in general, undecidable for linear hybrid systems (see [9] and [19]). Anyhow, there exists an algorithm based on predicate transformation to compute predecessor steps and successor steps of a given set of states for $H_L$ and $H_P$ (see [9], [10], [43] and [44]). In this chapter we extend this algorithm to the new classes defined.
4.1.1 Regions and Operators on Regions
We define now the successor operators $[\phi]_l$ and $\mathit{post}_e$ which, applied to a formula $\phi$, give the formula holding after an activity step and after a transition step, respectively.

Let $l$ be a location and $\phi$ be a formula in $\Phi(\vec{id})$, where $\vec m$ is the vector of parameters in $\vec{id}$; the operator $[\phi]_l$ returns a new formula that represents the valuations reachable by an activity step from location $l$. More precisely,
$$[\phi]_l \equiv \exists(\vec{id} \setminus \vec m).\ \exists t \ge 0.\ (\phi \wedge \mathit{Act}(l))\,[(\vec{id} \setminus \vec m)' := (\vec{id} \setminus \vec m)].$$
Since the new values of the identifiers are those expressed by $(\vec{id} \setminus \vec m)'$, the substitution $[(\vec{id} \setminus \vec m)' := (\vec{id} \setminus \vec m)]$ permits to have a formula where the non-quantified identifiers are the identifiers of the Hybrid System.
The following proposition proves the correctness of the operator $[\ ]_l$ for Hybrid Systems with Identifiers.

Proposition 4.1.1 If $\phi \in \Phi(\vec{id})$, then the following facts hold:
• $[\phi]_l \in \Phi(\vec{id})$;
• Let $\vec v'$ be a valuation; then there exist $\vec v \in \llbracket\phi\rrbracket$ and $c \in \mathbb R_{\ge 0}$ such that $(l,\vec v) \to_c (l,\vec v')$ if and only if $\vec v' \in \llbracket[\phi]_l\rrbracket$.

Proof. Since $\phi \wedge \mathit{Act}(l)$ is in $\Phi(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec m)')$, then $\exists(\vec{id} \setminus \vec m).\ \exists t \ge 0.\ (\phi \wedge \mathit{Act}(l))$ is in $\Phi((\vec{id} \setminus \vec m)' \uplus \vec m)$. Therefore $[\phi]_l \in \Phi(\vec{id})$.

We prove now the second statement. By definition of activity step there exist $\vec v \in \llbracket\phi\rrbracket$ and $c \in \mathbb R_{\ge 0}$ such that $(l,\vec v) \to_c (l,\vec v')$ if and only if $\vec v \uplus (c) \uplus \vec v''$ satisfies $\mathit{Act}(l)$, where $\vec v''$ is the valuation $\vec v'$ restricted to the identifiers in $(\vec{id} \setminus \vec m)'$.

Since $t$ and $(\vec{id} \setminus \vec m)'$ do not appear in $\phi$, $\vec v \uplus (c) \uplus \vec v''$ satisfies also $\phi$, and therefore $\phi \wedge \mathit{Act}(l)$.

By definition of $\exists(\vec{id} \setminus \vec m).$ and $\exists t \ge 0.$, and since $(\vec{id} \setminus \vec m)$ and $(\vec{id} \setminus \vec m)'$ are of the same type, $\vec v \uplus (c) \uplus \vec v''$ satisfies $\phi \wedge \mathit{Act}(l)$ if and only if $\vec v' \in \llbracket[\phi]_l\rrbracket$. □

Let $\phi$ be a formula in $\Phi(\vec{id})$, where $\vec m$ is the vector of parameters in $\vec{id}$, and let $e = \langle l, a, \phi', l'\rangle \in \mathit{Tr}$ be a transition; the operator $\mathit{post}_e\,\phi$ returns a new formula that gives the valuations reachable by performing the transition $e$. More precisely,
$$\mathit{post}_e\,\phi \equiv \exists(\vec{id} \setminus \vec m).\ (\phi \wedge \phi')\,[(\vec{id} \setminus \vec m)' := (\vec{id} \setminus \vec m)].$$
Since the new values of the identifiers are those expressed by $(\vec{id} \setminus \vec m)'$, the substitution $[(\vec{id} \setminus \vec m)' := (\vec{id} \setminus \vec m)]$ permits to have a formula where the non-quantified identifiers are the identifiers of the Hybrid System.

Similarly to what was proved for $[\ ]_l$, the following proposition proves the correctness of the operator $\mathit{post}_e$ for Hybrid Systems with Identifiers.

Proposition 4.1.2 Let $\phi \in \Phi(\vec{id})$ and $e = \langle l, a, \phi', l'\rangle$; then the following facts hold:
• $\mathit{post}_e\,\phi \in \Phi(\vec{id})$;
• Let $\vec v'$ be a valuation; then there exists $\vec v \in \llbracket\phi\rrbracket$ such that $(l,\vec v) \to_e (l',\vec v')$ if and only if $\vec v' \in \llbracket\mathit{post}_e\,\phi\rrbracket$.

Proof. Since $\phi \wedge \phi'$ is in $\Phi(\vec{id} \uplus (\vec{id} \setminus \vec m)')$, then $\exists(\vec{id} \setminus \vec m).\ (\phi \wedge \phi')$ is in $\Phi((\vec{id} \setminus \vec m)' \uplus \vec m)$. Therefore $\mathit{post}_e\,\phi \in \Phi(\vec{id})$.
We prove now the second statement. By definition of transition step there exists $\vec v \in \llbracket\phi\rrbracket$ such that $(l,\vec v) \to_e (l',\vec v')$ if and only if $\vec v \uplus \vec v''$ satisfies $\phi'$, where $\vec v''$ is the valuation $\vec v'$ restricted to the identifiers in $(\vec{id} \setminus \vec m)'$.

Since the elements of $(\vec{id} \setminus \vec m)'$ do not appear in $\phi$, $\vec v \uplus \vec v''$ satisfies also $\phi$ and therefore $\phi \wedge \phi'$.

By definition of $\exists(\vec{id} \setminus \vec m).$ and since $(\vec{id} \setminus \vec m)'$ and $\vec{id} \setminus \vec m$ are of the same type, $\vec v \uplus \vec v''$ satisfies $\phi \wedge \phi'$ if and only if $\vec v' \in \llbracket\mathit{post}_e\,\phi\rrbracket$. □

Similarly, we can define the predecessor operators $[\phi]_l$ and $\mathit{pre}_e\,\phi$ as follows:
$$[\phi]_l \equiv \exists(\vec{id} \setminus \vec m)'.\ \exists t \ge 0.\ (\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)'] \wedge \mathit{Act}(l))$$
$$\mathit{pre}_e\,\phi \equiv \exists(\vec{id} \setminus \vec m)'.\ (\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)'] \wedge \phi').$$
The results shown for the successor operators hold also for the predecessor operators.

Proposition 4.1.3 Let $\phi \in \Phi(\vec{id})$ and $e = \langle l, a, \phi', l'\rangle$; then the following facts hold:
• $[\phi]_l$ and $\mathit{pre}_e\,\phi$ are in $\Phi(\vec{id})$;
• Let $\vec v$ be a valuation; then there exist $\vec v' \in \llbracket\phi\rrbracket$ and $c \in \mathbb R_{\ge 0}$ such that $(l,\vec v) \to_c (l,\vec v')$ if and only if $\vec v \in \llbracket[\phi]_l\rrbracket$;
• Let $\vec v$ be a valuation; then there exists $\vec v' \in \llbracket\phi\rrbracket$ such that $(l,\vec v) \to_e (l',\vec v')$ if and only if $\vec v \in \llbracket\mathit{pre}_e\,\phi\rrbracket$.

Proof. Since $\phi \in \Phi(\vec{id})$, then $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)'] \wedge \mathit{Act}(l)$ and $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)'] \wedge \phi'$ are in $\Phi(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec m)')$ and $\Phi(\vec{id} \uplus (\vec{id} \setminus \vec m)')$, respectively. Therefore $[\phi]_l$ and $\mathit{pre}_e\,\phi$ are in $\Phi(\vec{id})$.

We prove now the second statement. By definition of activity step, there exist $\vec v' \in \llbracket\phi\rrbracket$ and $c \in \mathbb R_{\ge 0}$ such that $(l,\vec v) \to_c (l,\vec v')$ if and only if $\vec v \uplus (c) \uplus \vec v''$ satisfies $\mathit{Act}(l)$, where $\vec v''$ is the valuation $\vec v'$ restricted to the identifiers in $(\vec{id} \setminus \vec m)'$.

Now, $\vec{id} \setminus \vec m$ and $(\vec{id} \setminus \vec m)'$ are of the same type, and so a valuation satisfies $\phi$ if and only if the corresponding primed valuation satisfies $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)']$.

Since $t$ and $(\vec{id} \setminus \vec m)$ do not appear in $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)']$, $\vec v \uplus (c) \uplus \vec v''$ satisfies also $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)']$ and therefore $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)'] \wedge \mathit{Act}(l)$.

By definition of $\exists(\vec{id} \setminus \vec m)'.$ and $\exists t \ge 0.$, $\vec v \uplus (c) \uplus \vec v''$ satisfies $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)'] \wedge \mathit{Act}(l)$ if and only if $\vec v \in \llbracket[\phi]_l\rrbracket$.

The third statement can be proved similarly to the second one. □
Let $(l,\phi)$ be a region; with $\mathit{Reach}_{post}(l,\phi)$ we denote the set of regions reachable by successor operators from $(l,\phi)$. More precisely, the regions $(l,\phi)$ and $(l,[\phi]_l)$ are in $\mathit{Reach}_{post}(l,\phi)$, and, if $(l',\phi')$ is in $\mathit{Reach}_{post}(l,\phi)$, then for each transition $e$ with source $l'$ and target $l''$ it holds that $(l'',\mathit{post}_e\,\phi')$ and $(l'',[\mathit{post}_e\,\phi']_{l''})$ are in $\mathit{Reach}_{post}(l,\phi)$.

By propositions 4.1.1 and 4.1.2, it is obvious that $(l',\phi')$ is in $\mathit{Reach}_{post}(l,\phi)$ if and only if there exists a sequence of steps from $(l,\vec v)$ to $(l',\vec v')$ for some $\vec v \in \llbracket\phi\rrbracket$ and $\vec v' \in \llbracket\phi'\rrbracket$.

Let $(l,\phi)$ be a region; with $\mathit{Reach}_{pre}(l,\phi)$ we denote the set of regions reachable by predecessor operators from $(l,\phi)$. More precisely, $(l,\phi)$ and $(l,[\phi]_l)$ are in $\mathit{Reach}_{pre}(l,\phi)$, and, if $(l',\phi')$ is in $\mathit{Reach}_{pre}(l,\phi)$, then for each transition $e$ with source $l''$ and target $l'$ it holds that $(l'',\mathit{pre}_e\,\phi')$ and $(l'',[\mathit{pre}_e\,\phi']_{l''})$ are in $\mathit{Reach}_{pre}(l,\phi)$.

By proposition 4.1.3, it is obvious that $(l',\phi')$ is in $\mathit{Reach}_{pre}(l,\phi)$ if and only if there exists a sequence of steps from $(l',\vec v')$ to $(l,\vec v)$ for some $\vec v \in \llbracket\phi\rrbracket$ and $\vec v' \in \llbracket\phi'\rrbracket$.

Let $H \in H_L$ with real variables in $\vec x$ and parameters in $\vec m$; a linear region of $H$ is a pair $(l,\phi)$ where $l$ is a location of $H$ and $\phi$ is in $\Phi_L(\vec x \uplus \vec m)$.

Let $H \in H_P$ with real variables in $\vec x$ and parameters in $\vec m$; a polynomial region of $H$ is a pair $(l,\phi)$ where $l$ is a location of $H$ and $\phi$ is in $\Phi_P(\vec x \uplus \vec m)$.

As we have said, reachability is semi-decidable for the classes $H_L$ and $H_P$.
4.1.2 Forward and Backward Analysis
Propositions 4.1.1, 4.1.2 and 4.1.3 allow us to use the successor and predecessor operators to calculate whether a state is reachable. Therefore, for the reachability problem $\Diamond(l,\phi)$, we can use two techniques:
1. Forward Analysis: we try to reach $(l,\phi)$ from the initial state by applying the successor operators repeatedly.
2. Backward Analysis: we try to reach the initial state from the region $(l,\phi)$ by applying the predecessor operators repeatedly.
We note that if the state is reachable each of the two techniques terminates. If the state is not reachable, then the forward analysis terminates if and only if the regions reachable from the initial region are finitely many. Similarly, the backward analysis terminates if and only if the regions reachable backwards from $(l,\phi)$ are finitely many. Due to this consideration, if the forward analysis does not terminate this does not imply that the backward analysis does not terminate, and vice versa.
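As an added illustration (not code from the thesis) of the operators $[\phi]_l$ and $\mathit{post}_e$ of section 4.1.1, their predecessor versions, and the forward and backward analyses just described, the following Python program specialises them to systems with a single real variable $x$, activity $x' = x + t$ bounded by a per-location constant (the conjunct $x' \le b_l$ in $\mathit{Act}(l)$), and transitions with interval guards and either a constant reset $x' = c$ or a shift $x' = x + c$. In that fragment every region $(l,\phi)$ is an interval, so the existential quantifiers in the operator definitions reduce to interval arithmetic; $\mathit{Reach}_{post}$ and $\mathit{Reach}_{pre}$ are computed as worklist fixpoints. The two systems `H` and `H_DIVERGE`, and all function names, are constructed for this example. The second system has infinitely many forward-reachable regions, so forward analysis of an unreachable target never reaches a fixpoint (the program gives up after a bound and answers "unknown"), while backward analysis from the same target terminates, which is the asymmetry noted at the end of the section.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Interval = Tuple[float, float]   # closed interval [lo, hi] over the single real variable x
Region = Tuple[str, Interval]    # (location, interval): the pair (l, phi) of the text


def meet(a: Optional[Interval], b: Optional[Interval]) -> Optional[Interval]:
    """Intersection of two closed intervals; None stands for the empty set."""
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


@dataclass(frozen=True)
class Transition:
    source: str
    guard: Interval                # constraint on x before the step
    target: str
    reset: Optional[float] = None  # x' = reset, or x' = x + shift when reset is None
    shift: float = 0.0


@dataclass
class LinearSystem:
    """Act(l) is  x' = x + t, t >= 0, x' <= bound[l]  (constructed fragment of H_L)."""
    bound: Dict[str, float]
    transitions: List[Transition]


def post_act(h, l, phi):
    """[phi]_l: values x' = x + t with x in phi, t >= 0 and x' <= bound[l]."""
    return meet((phi[0], INF), (-INF, h.bound[l]))


def post_e(e, phi):
    """post_e phi: take e from a value in phi that satisfies its guard."""
    g = meet(phi, e.guard)
    if g is None:
        return None
    return (e.reset, e.reset) if e.reset is not None else (g[0] + e.shift, g[1] + e.shift)


def pre_act(h, l, phi):
    """Predecessor [phi]_l: values x such that some x + t (t >= 0, x + t <= bound[l]) is in phi."""
    return None if phi[0] > h.bound[l] else (-INF, min(phi[1], h.bound[l]))


def pre_e(e, phi):
    """pre_e phi: values satisfying e's guard from which e lands in phi."""
    if e.reset is not None:
        return e.guard if phi[0] <= e.reset <= phi[1] else None
    return meet((phi[0] - e.shift, phi[1] - e.shift), e.guard)


def _explore(h, start, act_op, trans_op, edges, limit):
    """Reach_post / Reach_pre as a worklist fixpoint: (regions, terminated)."""
    seen, work = set(), [start]
    while work:
        l, phi = work.pop()
        if phi is None or (l, phi) in seen:
            continue
        if len(seen) >= limit:
            return seen, False            # still producing new regions: may never terminate
        seen.add((l, phi))
        work.append((l, act_op(h, l, phi)))
        for e, l2 in edges(h, l):
            work.append((l2, trans_op(e, phi)))
    return seen, True


def _out(h, l): return [(e, e.target) for e in h.transitions if e.source == l]
def _in(h, l):  return [(e, e.source) for e in h.transitions if e.target == l]


def _hits(regions, l, phi):
    return any(l2 == l and meet(phi2, phi) is not None for l2, phi2 in regions)


def forward_analysis(h, init, target, limit=200):
    """Successor operators from init: True (reachable), False (fixpoint, unreachable), None (gave up)."""
    regions, done = _explore(h, init, post_act, post_e, _out, limit)
    return True if _hits(regions, *target) else (False if done else None)


def backward_analysis(h, init, target, limit=200):
    """Predecessor operators from target: True, False or None with the same meaning."""
    regions, done = _explore(h, target, pre_act, pre_e, _in, limit)
    return True if _hits(regions, *init) else (False if done else None)


# Constructed system: in l0 x may grow to 10; at x >= 5 a transition resets x to 0 in l1,
# where x may grow to 3; at x = 3 a transition resets x to 0 back in l0.
H = LinearSystem(bound={"l0": 10.0, "l1": 3.0},
                 transitions=[Transition("l0", (5.0, INF), "l1", reset=0.0),
                              Transition("l1", (3.0, 3.0), "l0", reset=0.0)])
INIT = ("l0", (0.0, 0.0))

# Constructed diverging system: x is unbounded in l0 and a self-loop x' = x + 1 guarded by
# x >= 1 yields the regions [0,0], [0,inf), [2,inf), [3,inf), ... without a fixpoint.
H_DIVERGE = LinearSystem(bound={"l0": INF},
                         transitions=[Transition("l0", (1.0, INF), "l0", shift=1.0)])
INIT_D = ("l0", (0.0, 0.0))

if __name__ == "__main__":
    print(forward_analysis(H, INIT, ("l1", (4.0, INF))), backward_analysis(H, INIT, ("l1", (4.0, INF))))
    print(forward_analysis(H_DIVERGE, INIT_D, ("l0", (-1.0, -1.0))),
          backward_analysis(H_DIVERGE, INIT_D, ("l0", (-1.0, -1.0))))
```

For `H` both analyses answer that $(l_1, x \ge 4)$ is unreachable and $(l_0, x \ge 7)$ is reachable, matching the regions $(l_0,[0,0])$, $(l_0,[0,10])$, $(l_1,[0,0])$, $(l_1,[0,3])$ of $\mathit{Reach}_{post}$. For `H_DIVERGE` and the target $(l_0, x = -1)$, forward analysis returns `None` after the bound on regions, whereas backward analysis closes after two predecessor regions and returns `False`.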
4.2 Semi-Decidability of Reachability
For $H_P$ and $H_L$ it is known that reachability is semi-decidable. For $H_{id}$ we are confronted with the undecidability of satisfiability of general quantified formulae. Now we examine the other subclasses defined previously.
4.2.1 Semi-decidability for $H_{Int}$
We define now the form of the regions of an $H_{Int}$.

Let $H$ be in $H_{Int}$ with real variables in $\vec x$, integer variables in $\vec h$ and parameters in $\vec m$; an integer region of $H$ is a pair $(l,\phi)$ where $l$ is a location of $H$ and $\phi$ is in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$.

The following proposition states that the successor and predecessor operators are closed for formulae in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$, and so reachability is semi-decidable for $H_{Int}$.

Proposition 4.2.1 If $\phi \in \Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$, then $[\phi]_l$, $\mathit{post}_e\,\phi$, the predecessor operator $[\phi]_l$ and $\mathit{pre}_e\,\phi$ are in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$.

Proof. If $\phi \in \Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$, by definition of $H_{Int}$ for each location $l$ it holds that $\mathit{Act}(l)$ is in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m \uplus (t) \uplus \vec x' \uplus \vec h')$. So both versions of $[\phi]_l$ are in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$. Moreover, by definition of $H_{Int}$, in each transition $e = \langle l, a, \phi', l'\rangle$ we have that $\phi'$ is in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m \uplus \vec x' \uplus \vec h')$. Therefore, $\mathit{post}_e\,\phi$ and $\mathit{pre}_e\,\phi$ are in $\Phi_{Int}(\vec x \uplus \vec h \uplus \vec m)$. So the thesis holds. □

By induction and by the results in [93], we can prove the following corollary.

Corollary 4.2.2 Let $(l,\phi)$ be an integer region of $H \in H_{Int}$; the following facts hold:
• For each $(l',\phi') \in \mathit{Reach}_{post}(l,\phi)$, $(l',\phi')$ is an integer region of $H$;
• For each $(l',\phi') \in \mathit{Reach}_{pre}(l,\phi)$, $(l',\phi')$ is an integer region of $H$;
• The reachability problem $\Diamond(l,\phi)$ for $H$ is semi-decidable.
4.2.2 Semi-decidability for $H_{Par}$
We define now the form of the regions of an $H \in H_{Par}$.

Let $H$ be in $H_{Par}$ with real variables in $\vec x$ and parameters in $\vec m$; a parametric region is a pair $(l,\phi)$ where $l$ is a location of $H$ and $\phi$ is in $\Phi_{Par}(\vec x \uplus \vec m)$.

The following corollary states that the successor and predecessor operators are closed for formulae in $\Phi_{Par}(\vec x \uplus \vec m)$, and so reachability is semi-decidable for $H_{Par}$.
Corollary 4.2.3 The following facts hold:
• If $\phi \in \Phi_{Par}(\vec x \uplus \vec m)$ then $[\phi]_l$, $\mathit{post}_e\,\phi$, the predecessor operator $[\phi]_l$ and $\mathit{pre}_e\,\phi$ are in $\Phi_{Par}(\vec x \uplus \vec m)$;
• If $(l,\phi)$ is a parametric region of $H \in H_{Par}$, then for each region $(l',\phi')$ in $\mathit{Reach}_{post}(l,\phi)$, $(l',\phi')$ is a parametric region of $H$;
• If $(l,\phi)$ is a parametric region of $H \in H_{Par}$, then for each region $(l',\phi')$ in $\mathit{Reach}_{pre}(l,\phi)$, $(l',\phi')$ is a parametric region of $H$;
• If $(l,\phi)$ is a parametric region of $H \in H_{Par}$, then the reachability problem $\Diamond(l,\phi)$ for $H$ is semi-decidable.

An interesting result is that if a region $(l,\phi)$ is reachable by an $H \in H_{Par}$ with parameters in $\vec m$, and $\vec u$ is a rational instance in $V(\vec m)$, then, if we instantiate the parameters in $\vec m$ with the values in $\vec u$ in both $H$ and $(l,\phi)$, we have that $(l,\phi[\vec m := \vec u])$ is a reachable region of the Linear Hybrid System $H[\vec m := \vec u]$.

Theorem 4.2.4 Let $H \in H_{Par}$ and let $\vec m$ be the vector of parameters of $H$; if $\vec u$ is a rational instance in $V(\vec m)$, then the following facts hold:
• $H[\vec m := \vec u]$ is in $H_L$;
• If $(l',\phi') \in \mathit{Reach}_{post}(l,\phi)$ is a reachable region of $H \in H_{Par}$, then $(l',\phi'[\vec m := \vec u]) \in \mathit{Reach}_{post}(l,\phi[\vec m := \vec u])$ is a reachable region of $H[\vec m := \vec u]$;
• If $(l',\phi') \in \mathit{Reach}_{pre}(l,\phi)$ is a reachable region of $H \in H_{Par}$, then $(l',\phi'[\vec m := \vec u]) \in \mathit{Reach}_{pre}(l,\phi[\vec m := \vec u])$ is a reachable region of $H[\vec m := \vec u]$.

Proof. Let $\tau \in P(\vec{id})$ be a term in which only rational values appear, and let $\vec v$ be a valuation in $V(\vec{id})$; if $\vec v$ is composed of rational values, then, by structural induction on $\tau$, $\vec v(\tau)$ is a rational value. In fact, since we have required that the values which appear in $\tau$ are rationals, if $\tau \equiv c$ then $c \in \mathbb Q$. Moreover, if $\vec v(\tau_1)$ and $\vec v(\tau_2)$ are rationals then $\vec v(\tau_1 + \tau_2)$ and $\vec v(\tau_1 \cdot \tau_2)$ are rationals.

From this fact we have that the formulae which appear in $H[\vec m := \vec u]$ are linear formulae, and so we have proved that $H[\vec m := \vec u]$ is in $H_L$.

We prove now the second statement. We have proved that if $\vec u$ is composed of rational values, then $\vec u(\tau)$ is a rational value. So it holds that for each formula $\phi \in \Phi_{Par}(\vec x \uplus \vec m)$, if $\vec u$ is a rational instance of $\vec m$ then $\phi[\vec m := \vec u]$ is in $\Phi_L(\vec x)$. Now, we prove that $[\phi]_l[\vec m := \vec u]$ is equal to $[\phi[\vec m := \vec u]]_l$. Since the formulae are linear on the real variables, the algorithm which is applied to delete a real variable $x$ is $D(x,\phi)$. So it is sufficient to prove that $D(x,\phi)[\vec m := \vec u]$ is equal to $D(x,\phi[\vec m := \vec u])$. But this is obvious since $(\phi_1 \vee \phi_2)[\vec m := \vec u]$ and $(\phi_1 \wedge \phi_2)[\vec m := \vec u]$ are equal to $\phi_1[\vec m := \vec u] \vee \phi_2[\vec m := \vec u]$ and $\phi_1[\vec m := \vec u] \wedge \phi_2[\vec m := \vec u]$, respectively.
The fact that $(\mathit{post}_e\,\phi)[\vec m := \vec u]$ is equal to $\mathit{post}_e(\phi[\vec m := \vec u])$ can be proved as in the previous case. So, by induction on the number of steps, we have that if $(l',\phi')$ in $\mathit{Reach}_{post}(l,\phi)$ is a reachable region of $H \in H_{Par}$ then $(l',\phi'[\vec m := \vec u])$ in $\mathit{Reach}_{post}(l,\phi[\vec m := \vec u])$ is a reachable region of $H[\vec m := \vec u] \in H_L$.

The third statement can be proved similarly to the second one. □

In the class $H_{Par}$ it is allowed to use parameters as rates of real variables or as coefficients of linear formulae. This is not allowed in the class $H_L$. By the result proved, if one wants to calculate for which rates or coefficients a Linear Hybrid System satisfies a given property, it is sufficient to calculate the set of rational instances for which the Hybrid System with Parameters satisfies it.
4.2.3 Semi-decidability for $H^k_{BD}$
We define now the form of the regions of an $H \in H^k_{BD}$.

Let $k$ be an integer variable in $\vec{id} \uplus \vec{id}'$; with $\mathit{Un}(k)$ we denote the integer variable $h$ such that $h = k$ if $k \in \vec{id}$ and $h' = k$ if $k \in \vec{id}'$. The variable $\mathit{Un}(k)$ is the variable $k$ without the prime, if a prime appears in $k$. As an example, $\mathit{Un}(l) = l$ and $\mathit{Un}(l') = l$. So we write $k = \mathit{Un}(k)$ if no prime appears in $k$ and $k = \mathit{Un}(k)'$ if a prime appears in $k$.

Let $H \in H^k_{BD}$ with $\vec{id}$ as identifiers. A BD region free on $k$ of $H$ is a pair $(l,\phi)$, where $l$ is a location of $H$ and $\phi$ is in $\Phi^{\mathit{Un}(k)}_{BD}(\vec{id})$.

So the region of an $H \in H^k_{BD}$ is a pair $(l,\phi)$ where $\phi$ is free on the integer variable resulting from deleting the prime in $k$, if a prime appears in $k$.

The following theorem proves that the successor and predecessor operators are closed for formulae in $\Phi^k_{BD}(\vec{id})$. More precisely, let $H \in H^k_{BD}$; if $k = \mathit{Un}(k)$ (i.e. $H$ is free on the values of $k$ before a step), then the successor operators are closed. Moreover, if $k = \mathit{Un}(k)'$ (i.e. $H$ is free on the values of $k$ after a step), then the predecessor operators are closed. Therefore reachability is semi-decidable for $H^k_{BD}$.

Theorem 4.2.5 Let $(l,\phi)$ be a BD region free on $k$ of $H \in H^k_{BD}$; the following facts hold:
• If $k = \mathit{Un}(k)$, then the predecessor operator $[\phi]_l$ and $\mathit{pre}_e\,\phi$ are in $\Phi^{\mathit{Un}(k)}_{BD}(\vec{id})$;
• If $k = \mathit{Un}(k)'$, then $[\phi]_l$ and $\mathit{post}_e\,\phi$ are in $\Phi^{\mathit{Un}(k)}_{BD}(\vec{id})$.

Proof. We prove the first statement. By hypothesis $k = \mathit{Un}(k)$; therefore, if $\phi \in \Phi^{\mathit{Un}(k)}_{BD}(\vec{id})$, then the only non-bounded and non-dependent integer variable in $\phi[(\vec{id} \setminus \vec m) := (\vec{id} \setminus \vec m)']$ is $k'$.
66
CHAPTER 4. REACHABILITY
By definition of $H_{BD}^k$, for each location $l$ it holds that $Act(l)$ is in $\Phi_{BD}^k(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec{m})')$. Therefore in $Act(l)$ the variable $k'$ is either bounded or dependent, and so in $\phi[(\vec{id} \setminus \vec{m}) := (\vec{id} \setminus \vec{m})'] \wedge Act(l)$ the only non-bounded and non-dependent integer variable is $k$. Since $k = Un(k)$, $\overline{[\phi]}_l$ is in $\Phi_{BD}^{Un(k)}(\vec{id})$.

By definition of $H_{BD}^k$ each transition $e$ is of the form $\langle l, a, \phi', l' \rangle$ where $\phi'$ is in $\Phi_{BD}^k(\vec{id} \uplus (\vec{id} \setminus \vec{m})')$. Therefore in $\phi'$ the variable $k'$ is either bounded or dependent, and so in $\phi[(\vec{id} \setminus \vec{m}) := (\vec{id} \setminus \vec{m})'] \wedge \phi'$ the only non-bounded and non-dependent integer variable is $k$. Since $k = Un(k)$, $pre_e\,\phi$ is in $\Phi_{BD}^{Un(k)}(\vec{id})$.

We prove now the second statement. By hypothesis $k = Un(k)'$; therefore, if $\phi \in \Phi_{BD}^{Un(k)}(\vec{id})$, then the only non-bounded and non-dependent integer variable in $\phi$ is $Un(k)$.

By definition of $H_{BD}^k$, for each location $l$ it holds that $Act(l)$ is in $\Phi_{BD}^k(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec{m})')$. Therefore in $Act(l)$ the variable $Un(k)$ is either bounded or dependent, and so in $\phi \wedge Act(l)$ the only non-bounded and non-dependent integer variable is $k$. This implies that in $[\phi]_l$ the only non-bounded and non-dependent integer variable is $Un(k)$. Then $[\phi]_l$ is in $\Phi_{BD}^{Un(k)}(\vec{id})$.

By definition of $H_{BD}^k$, each transition $e$ is of the form $\langle l, a, \phi', l' \rangle$, where $\phi'$ is in $\Phi_{BD}^k(\vec{id} \uplus (\vec{id} \setminus \vec{m})')$. Therefore in $\phi'$ the variable $Un(k)$ is either bounded or dependent, and so in $\phi \wedge \phi'$ the only non-bounded and non-dependent integer variable is $k$. This implies that in $post_e\,\phi$ the only non-bounded and non-dependent integer variable is $Un(k)$. Then $post_e\,\phi$ is in $\Phi_{BD}^{Un(k)}(\vec{id})$. $\Box$

The previous theorem states that if a BD-Hybrid System is free on $k$ we must use the predecessor operators to compute reachability, and if it is free on $k'$ we must use the successor operators.
Now, by induction and by theorem 2.5.2, we can prove the following corollary.

Corollary 4.2.6 Let $(l, \phi)$ be a BD-region free on $k$ of $H \in H_{BD}^k$; then the following facts hold:

• if $k = Un(k)$, then, for each $(l', \phi') \in Reach_{pre}(l, \phi)$, it holds that $(l', \phi')$ is a BD-region free on $k$ of $H$;
• if $k = Un(k)'$, then, for each $(l', \phi') \in Reach_{post}(l, \phi)$, it holds that $(l', \phi')$ is a BD-region free on $k$ of $H$;
• the reachability problem $\Diamond(l, \phi)$ for $H$ is semi-decidable.
4.2.4 Semi-decidability for $H_S$
We define now the form of the regions of a $H \in H_S$.

Let $H \in H_S$ with identifiers in $\vec{id}$; an S-region of $H$ is a pair $(l, \phi)$ where $l$ is a location of $H$ and $\phi$ is in $\Phi_S(\vec{id})$.

The following theorem states that successor and predecessor operators are closed for formulae in $\Phi_S(\vec{id})$, and so reachability is semi-decidable for $H_S$.

Theorem 4.2.7 If $\phi \in \Phi_S(\vec{id})$ then $[\phi]_l$, $post_e\,\phi$, $\overline{[\phi]}_l$ and $pre_e\,\phi$ are in $\Phi_S(\vec{id})$.

Proof. By definition of $H_S$, for each location $l$ it holds that $Act(l)$ is in $\Phi_S(\vec{id})$; then $\phi \wedge Act(l)$ and $\phi[(\vec{id} \setminus \vec{m}) := (\vec{id} \setminus \vec{m})'] \wedge Act(l)$ are in $\Phi_S(\vec{id} \uplus (t) \uplus (\vec{id} \setminus \vec{m})')$. Therefore $[\phi]_l$ and $\overline{[\phi]}_l$ are in $\Phi_S(\vec{id})$. By definition of $H_S$ each transition $e$ is of the form $\langle l, a, \phi', l' \rangle$ where $\phi'$ is in $\Phi_S(\vec{id})$; then $\phi \wedge \phi'$ and $\phi[(\vec{id} \setminus \vec{m}) := (\vec{id} \setminus \vec{m})'] \wedge \phi'$ are in $\Phi_S(\vec{id} \uplus (\vec{id} \setminus \vec{m})')$. Therefore $post_e\,\phi$ and $pre_e\,\phi$ are in $\Phi_S(\vec{id})$. $\Box$

Now, by induction and by theorem 2.5.1, we can prove the following corollary.

Corollary 4.2.8 Let $(l, \phi)$ be an S-region of $H \in H_S$; then the following facts hold:

• for each $(l', \phi') \in Reach_{post}(l, \phi)$, $(l', \phi')$ is an S-region of $H$;
• for each $(l', \phi') \in Reach_{pre}(l, \phi)$, $(l', \phi')$ is an S-region of $H$;
• the reachability problem $\Diamond(l, \phi)$ for $H$ is semi-decidable.
4.3 Semi-decidability of Negation of Invariants
Let $(l, \phi)$ be a region of $H$; the invariant problem $\Box(l, \phi)$ consists in verifying that, for each state $(l, \vec{v})$ reachable by a run of $H$, it holds that $\vec{v} \in \llbracket\phi\rrbracket$. The negation of this problem is known to be semi-decidable for the classes $H_L$ and $H_P$, and hence, by the reduction to $H_L$ proved above, also for $H_{Par}$. Now we consider the other subclasses. The problem can be reduced to the reachability of the region $(l, \neg\phi)$: in fact, $\Box(l, \phi)$ holds if and only if no state in $(l, \neg\phi)$ can be reached. Since we have proved that reachability is semi-decidable for all the classes except $H_{id}$, and since for $H_S$ and $H_{BD}^k$ the negation of $\phi$ must again be a formula of the class, the following propositions hold.

Proposition 4.3.1 Let $H \in H_{Int}$ and $(l, \phi)$ be a region of $H$; it is semi-decidable whether $H$ does not satisfy $\Box(l, \phi)$.
Proposition 4.3.2 Let $H \in H_{BD}^k$ and $(l, \phi)$ be a region of $H$; if $\phi$ is closed on negation, then it is semi-decidable whether $H$ does not satisfy $\Box(l, \phi)$.

Proposition 4.3.3 Let $H \in H_S$ and $(l, \phi)$ be a region of $H$; if $\phi$ is closed on negation, then it is semi-decidable whether $H$ does not satisfy $\Box(l, \phi)$.

We note that closure on negation is required only for the formula which appears in the invariant one wants to prove; for the formulae which appear in the Hybrid System $H$ it is not required.

Corollary 4.3.4 Let $H \in H_{Par}$ and $(l, \phi)$ be a region of $H$; it is semi-decidable whether $H$ does not satisfy $\Box(l, \phi)$.
4.4 Some Examples

In this section we study two properties of the Hybrid Systems of figures 3.1 and 3.5.
4.4.1 The Cache of a Browser

With reference to the system of figure 3.1, we want to prove that if one starts from the region $(Check, true)$ and reaches the location $Wait$, then the formula $\forall h \in [1, size] .\ file[h] \neq f$ does not hold, i.e. the file $f$ is in the cache.

For simplicity, we denote with $\langle l_1, l_2 \rangle$ the transition with source location $l_1$ and target location $l_2$. Moreover, with $\overline{id}$ we represent the old value of the variable $id \in \vec{id}$.

By the operator $[true]_{Check}$ we reach the region $(Check, true)$. Now we have two cases.

Case 1: by the operator $post_{\langle Check, Wait \rangle}$ the region
$$(Wait,\ \exists k \in [1, size] .\ x = 0 \wedge file[k] = f \wedge date[k] = d)$$
is reached. Now by the operator $[\ ]_{Wait}$ the region
$$(Wait,\ \exists k \in [1, size] .\ \exists \overline{d} .\ \exists t \geq 0 .\ x = 0 \wedge d = \overline{d} + t \wedge file[k] = f \wedge date[k] = \overline{d})$$
is reached. By deleting $\overline{d}$ and $t$ we have the region $(Wait,\ \exists k \in [1, size] .\ x = 0 \wedge file[k] = f)$. Now we must prove that the formulae reached in $Wait$ are disjoint from the formula $\forall h \in [1, size] .\ file[h] \neq f$. More precisely, we must prove that
$$\llbracket \exists k \in [1, size] .\ x = 0 \wedge file[k] = f \wedge date[k] = d \wedge \forall h \in [1, size] .\ file[h] \neq f \rrbracket$$
and
$$\llbracket \exists k \in [1, size] .\ x = 0 \wedge file[k] = f \wedge \forall h \in [1, size] .\ file[h] \neq f \rrbracket$$
are empty. We prove the first emptiness; the second one is similar. The set
$$\llbracket \exists k \in [1, size] .\ x = 0 \wedge file[k] = f \wedge date[k] = d \wedge \forall h \in [1, size] .\ file[h] \neq f \rrbracket$$
is empty if and only if the set
$$\llbracket \exists size . \exists x . \exists file . \exists f . \exists date . \exists d . \exists k \in [1, size] .\ x = 0 \wedge file[k] = f \wedge date[k] = d \wedge \forall h \in [1, size] .\ file[h] \neq f \rrbracket$$
is empty. By deleting $x$, $date$ and $d$ (the conjuncts $x = 0$ and $date[k] = d$ can be satisfied whatever the values of the other variables are) we must prove that
$$\llbracket \exists size . \exists file . \exists f . \exists k \in [1, size] .\ file[k] = f \wedge \forall h \in [1, size] .\ file[h] \neq f \rrbracket$$
is empty. Now we transform this formula to satisfy the requirements of lemma 2.4.15, by separating the index $k$ from the universal quantification. The resulting formula is
$$\exists size . \exists file . \exists f . \exists k \in [1, size] .\ file[k] = f \wedge file[k] \neq f \wedge \forall h .\ (h \in [1, size] \wedge h \neq k) \Rightarrow file[h] \neq f.$$
By deleting the array $file$ we have the formula $\exists size . \exists f . \exists k \in [1, size] .\ f \neq f \wedge \forall h .\ (h \in [1, size] \wedge h \neq k) \Rightarrow true$. By deleting $f$ the formula is equivalent to $false$. Therefore, we have proved that by taking the transition $\langle Check, Wait \rangle$ the region $(Wait,\ \forall h \in [1, size] .\ file[h] \neq f)$ cannot be reached.

Case 2: by the operator $post_{\langle Check, Write \rangle}$ the region $(Write,\ x = 0 \wedge \forall h \in [1, size] .\ file[h] \neq f)$ is reached. By the operator $[\ ]_{Write}$ the same region $(Write,\ x = 0 \wedge \forall h \in [1, size] .\ file[h] \neq f)$ is reached. By the operator $post_{\langle Write, Wait \rangle}$ the region
$$(Wait,\ \exists k \in [1, size] .\ \exists \overline{file} .\ \exists \overline{date} .\ x = 0 \wedge file[k] = f \wedge date[k] = d \wedge$$
$$\forall h \in [1, size] .\ \overline{date}[h] \geq \overline{date}[k] \wedge \forall h \in [1, k) .\ file[h] \neq f \wedge date[h] = \overline{date}[h] \wedge \forall h \in (k, size] .\ file[h] \neq f \wedge date[h] = \overline{date}[h])$$
is reached (the entry $k$ that is overwritten is one with the oldest date). Now, as done in case 1, we can prove that a state in the region $(Wait,\ \forall h \in [1, size] .\ file[h] \neq f)$ cannot be reached. So we have proved that from a state in $(Check, true)$ a state in which $f$ is not in the cache cannot be reached.
4.4.2 Temperature Control System

With reference to the system of figure 3.5, we want to prove the invariant $\Box(Shutdown, \neg\phi_0)$, where $\phi_0$ is the following formula:
$$\phi_0 \equiv v_r > 0 \wedge v_1 < 0 \wedge v_2 < 0 \wedge (20 \cdot v_1 - 10 \cdot v_r \leq v_r \cdot v_1) \wedge (20 \cdot v_2 - 10 \cdot v_r \leq v_r \cdot v_2).$$
By Theorem 4.2.4, this means that each $H$ in $H_L$ which is derived from the Hybrid System of figure 3.5 by a rational instance of $(v_r, v_1, v_2)$ satisfying $\phi_0$ does not reach $Shutdown$.

We start from the location $Shutdown$ with the formula $\phi_0$ and, by applying the predecessor operators, we want to arrive at a contradiction. If this is the case, the location $Shutdown$ cannot be reached; otherwise, if the initial location can be reached with a formula that is consistent with the initial condition, then the location $Shutdown$ can be reached. For simplicity, since we proceed backwards, we denote with $\langle l_1, l_2 \rangle$ the transition crossed by a backward step from $l_1$ to $l_2$, i.e. the transition with source location $l_2$ and target location $l_1$.

By the operator $pre_{\langle Shutdown, HOT \rangle}$ the location $HOT$ with the formula $t = 10 \wedge x < 1 \wedge y < 1 \wedge \phi_0$ is reached. By the operator $\overline{[\ ]}_{HOT}$ the location $HOT$ satisfies the formula
$$t - v_r \cdot x - 10 + v_r > 0 \wedge t - v_r \cdot y - 10 + v_r > 0 \wedge t \leq 10 \wedge t \geq 0 \wedge \phi_0.$$
Now we have three cases.

Case 1: the initial condition $x = 1 \wedge y = 1 \wedge v_r > 0 \wedge v_1 < 0 \wedge v_2 < 0$ together with the condition $t - v_r \cdot x - 10 + v_r > 0 \wedge t - v_r \cdot y - 10 + v_r > 0 \wedge t \leq 10 \wedge t \geq 0 \wedge \phi_0$ is false. In fact, if $x = 1$ and $t - v_r \cdot x - 10 + v_r > 0$, then $t - 10 > 0$, i.e. $t > 10$, which contradicts $t \leq 10$.

Case 2: by the operator $pre_{\langle HOT, ROD1 \rangle}$ the location $ROD1$ with the formula
$$t > 10 - v_r \wedge t - v_r \cdot y > 10 - v_r \wedge t = 0 \wedge \phi_0$$
is reached. By the operator $\overline{[\ ]}_{ROD1}$ the location $ROD1$ satisfies the formula
$$v_r \cdot t < 10 \cdot v_1 - v_r \cdot v_1 + v_r \cdot v_1 \cdot y \wedge t \leq 10 \wedge t \geq 0 \wedge v_r > 10 \wedge \phi_0.$$
By the operator $pre_{\langle ROD1, HOT \rangle}$ the location $HOT$ with the formula
$$v_r \cdot t < 10 \cdot v_1 - v_r \cdot v_1 + v_r \cdot v_1 \cdot y \wedge x \geq 1 \wedge t = 10 \wedge v_r > 10 \wedge \phi_0$$
is reached. By the operator $\overline{[\ ]}_{HOT}$ the location $HOT$ satisfies the formula
$$10 - t \geq v_r - v_r \cdot x \wedge v_1 \cdot t + 10 \cdot v_r - 20 \cdot v_1 < v_r \cdot v_1 \cdot y - v_r \cdot v_1 \wedge v_r^2 - v_r^2 \cdot x + v_r \cdot v_1 \cdot x < 10 \cdot v_1 + v_r \cdot v_1 \cdot y - v_r \cdot t \wedge t \leq 10 \wedge t \geq 0 \wedge v_r > 10 \wedge \phi_0.$$
Now we have three cases.

Case 2.a: the initial condition gives a contradiction. In fact, if $x = 1 \wedge y = 1$ and $v_r^2 - v_r^2 \cdot x + v_r \cdot v_1 \cdot x < 10 \cdot v_1 + v_r \cdot v_1 \cdot y - v_r \cdot t$, then $v_r \cdot t < 10 \cdot v_1$. But, since $t \geq 0$ and $v_r > 0$, this gives $10 \cdot v_1 > 0$; since $v_1 < 0$, we have $false$.

Case 2.b: by the operator $pre_{\langle HOT, ROD1 \rangle}$ we have a contradiction. In fact, if $x' = 0$ and $10 - t \geq v_r - v_r \cdot x$, then $10 - t \geq v_r$ is implied. Since $t = 0$, $10 \geq v_r$ is implied, which contradicts $v_r > 10$.

Case 2.c: by the operator $pre_{\langle HOT, ROD2 \rangle}$ we have a contradiction. In fact, if $y' = 0$ and $v_1 \cdot t + 10 \cdot v_r - 20 \cdot v_1 < v_r \cdot v_1 \cdot y - v_r \cdot v_1$, then $v_1 \cdot t + 10 \cdot v_r - 20 \cdot v_1 < -v_r \cdot v_1$ is implied. Since $t = 0$, $20 \cdot v_1 - 10 \cdot v_r > v_r \cdot v_1$ is implied, which contradicts the conjunct $20 \cdot v_1 - 10 \cdot v_r \leq v_r \cdot v_1$ of $\phi_0$.

Case 3: the case in which we use the operator $pre_{\langle HOT, ROD2 \rangle}$ is symmetric to Case 2.

So we have proved that if $v_r > 0 \wedge v_1 < 0 \wedge v_2 < 0 \wedge (20 \cdot v_1 - 10 \cdot v_r \leq v_r \cdot v_1) \wedge (20 \cdot v_2 - 10 \cdot v_r \leq v_r \cdot v_2)$ holds, the location $Shutdown$ cannot be reached. So also the Hybrid System of figure 3.4 cannot reach $Shutdown$.
4.5 Discussion

In this chapter we have studied the reachability problem for the classes discussed in the previous chapter. Theorem 3.4.8, proved in the previous chapter, gives an expressiveness motivation for the new classes. We have proved that we cannot simulate a parametric size of arrays: in the Hybrid System $H_5$ of figure 3.11, the array $a$ has a size equal to the integer variable $size$, so $a$ has a finite number of elements, but this number is not known a priori, since it is non-deterministically
Figure 4.1: The Hybrid System $H_2'$ (the diagram is not reproduced; it shows the locations $l_1$, $Check$ and $l_2$ and carries the labels $y' = y + 2 \vee y' = y - 2$, $x = 0$, $y' = 1$, $x = y$, $t = 0$, $x' = x$, $y' = y$ and $x' = x + t$).
assigned at the start of the computation. Moreover, if we use an array with infinitely many elements, then obviously we cannot simulate it with a finite number of real variables. For integer variables the problem is different. If we are not interested in the language of a Hybrid System, we can simulate integer variables with transitions labelled with the assignments $x' = x + c$ and $x' = x - c$. As an example, in figure 4.1 we represent the Hybrid System $H_2'$ obtained in this way from the Hybrid System $H_2$ of figure 3.8. We introduce a location $Check$ in which we test the condition $x = 2h + 1$. The requirement $t = 0$ means that in the location $Check$ no time may elapse. But this transformation has a problem: the reachable regions of $H_2'$ are infinitely many, whereas those of $H_2$ are finitely many. This means that the reachability and invariant problems terminate on $H_2$ but may not terminate on $H_2'$. Moreover, let us suppose we have a Hybrid System which is $H_2$ with $Act(l_1) = x' = x + t \wedge x' = 2h + 1$. In this case we require that in the location $l_1$, when the activity step is performed, the variable $x$ has an odd integer value. This cannot be simulated in $H_2'$: if $x$ is equal to $3.1$, the computation stops in the location $Check$, so in the locations $l_1$ and $Check$, at the end of an activity step, $x$ can assume real values. This means that the transformed Hybrid System does not satisfy the same reachability and invariant problems as the original one.

For invariants we have proved that formulae must be closed on negation; more precisely, in $\Box(l, \phi)$ the formula $\phi$ must be closed on negation. The known classes $H_L$ and $H_P$, and the classes $H_{Par}$ and $H_{Int}$, have the formulae of regions closed on negation.

Now, it is obvious that a simple formula in $\Phi_S(\vec{id})$ is closed on negation. Moreover in $\Phi_S(\vec{id})$ we have quantified formulae which are closed on negation; as an example:

• $\forall k \in [1, size] .\ a[k] = x$ is closed on negation; in fact $\exists k .\ k \in [1, size] \wedge a[k] \neq x$ is an S-formula.
• $\exists k .\ a[k] = b[k]$ is closed on negation; in fact $\forall k .\ a[k] \neq b[k]$ is an S-formula.

For the class of BD-formulae free on $k$, simple formulae cannot be closed on negation. The formulae closed on negation are those in which the only non-quantified integer variable is $k$. As an example, $\forall h \in [1, 10] .\ a[h] = k^2 - x$ is closed on negation. In fact negation preserves the dependences and the boundedness of the quantified integer variables.

From these considerations, and since closure on negation is required only for the formula of the invariant and not for the formulae which appear in the Hybrid System, the closure requirement is not so restrictive.
Chapter 5 Timed Information Flow Logic

In [41], [45], [65] and [66] a first study of security properties in the framework of Timed Systems was carried out. In this chapter we define a logic suitable to express security properties. With the logic we want to be able to capture untimed and timed attacks and to certify the security of a system. The logic expresses properties of the set of timed sequences which a system recognizes. A timed sequence is a sequence of triples composed of a time $t$, the symbol performed by the system at time $t$ and the values of the identifiers at time $t$. Some symbols can be observed by an external agent and others cannot. To model this situation we define an observability declaration which states, for each symbol, under which conditions the symbol and a set of related identifiers are visible to an external agent. As an example, the request of the browser is visible to a site if the address requested is in its domain, whereas other internal symbols, such as the request to the cache, are never visible to external agents. Hence, given a timed sequence and an observability declaration, one can infer the sequence which an external agent observes. The logic selects sets of timed sequences by using two operators: one which describes the timed sequence observed by an external agent with respect to an observability declaration, and one which describes properties of the part which is not observed by external agents. Therefore, in the next sections, we first give the definitions of the timed sequences recognized by a system and of observability declaration; afterwards, we define formulae describing sets of timed sequences observed by external agents and sets of sequences of non-observable triples.
5.1 Timed sequences

Let $H$ be the Hybrid System with Identifiers $\langle \Sigma, Loc, \vec{id}, Tr, Act, Init \rangle$; we consider timed sequences of $H$ of the form $(t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$, with $t_i$ a time, $a_i \in \Sigma$ and $\vec{v}_i \in V(\vec{id})$, describing the temporal behavior of a system that performs action
$a_i$ with valuation $\vec{v}_i$ at time $\sum_{j=1}^{i} t_j$ (each $t_i$ is the delay elapsed since the previous action). Let $r$ be a run of $H$ as follows:
$$(l_0, \vec{v}^1_0) \rightarrow^{t_0} (l_0, \vec{v}^2_0) \rightarrow^{e_0} (l_1, \vec{v}^1_1) \rightarrow^{t_1} (l_1, \vec{v}^2_1) \ldots (l_n, \vec{v}^2_n) \rightarrow^{e_n} (l_{n+1}, \vec{v}^1_{n+1})$$
where $t_i$ is a time and $e_i = \langle l_i, a_i, \phi_i, l_{i+1} \rangle$ is a transition, for any $0 \leq i \leq n$. With $\omega_r$ we denote the timed sequence $(t_0, a_0, \vec{v}^1_1)(t_1, a_1, \vec{v}^1_2) \ldots (t_n, a_n, \vec{v}^1_{n+1})$. The set of timed sequences of $H$ (denoted with $R(H)$) is the set $\{\omega_r \mid r \text{ is a run of } H\}$.

Given a finite timed sequence $\omega_1 = (t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$ and a timed sequence $\omega_2 = (t'_1, a'_1, \vec{v}'_1) \ldots (t'_m, a'_m, \vec{v}'_m)$, let $\omega_1 \omega_2$ denote their concatenation $(t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)(t'_1, a'_1, \vec{v}'_1) \ldots (t'_m, a'_m, \vec{v}'_m)$.

Let $\mathcal{R}$ be a set of regions and $R$ be a set of timed sequences. We say that $R$ is generated by $\mathcal{R}$ (or that $\mathcal{R}$ is the set of starting regions of $R$) if and only if the following holds: $\omega$ is in $R$ if and only if there exist a run $r$ and a region $(l, \phi) \in \mathcal{R}$ such that $r$ starts from a state $(l, \vec{v})$ with $\vec{v} \in \llbracket\phi\rrbracket$ and $\omega = \omega_r$.
5.2 Observability Declaration

Let $H = \langle \Sigma, Loc, \vec{id}, Tr, Act, Init \rangle$ be a Hybrid System with Identifiers; an observability declaration of $H$ is a set of tuples
$$\gamma = \{(\phi_1, a_1, \vec{id}_1), \ldots, (\phi_n, a_n, \vec{id}_n)\}$$
such that $\phi_i \in \Phi(\vec{id})$, $\Sigma = \{a_1, \ldots, a_n\}$ and $\vec{id}_i \subseteq \vec{id}$. With $\Gamma(H)$ we denote the set of observability declarations of $H$.

The meaning of a tuple $(\phi_i, a_i, \vec{id}_i)$ is that when a transition step performs $a_i$, then $a_i$ and the values of $\vec{id}_i$ are observable if and only if $\phi_i$ is satisfied.

Example 5.2.1 In example 3.2.1 a site is able to see $f$ and $r_w$ if and only if the address $f$ requested by the user is in its domain. Let us assume a site whose domain addresses are in $[40, 50]$. Then the site is able to see $r_w$ and the address $f$ if and only if $f$ is in $[40, 50]$. The corresponding declaration is $(f \in [40, 50], r_w, (f))$, i.e. if $f$ is between 40 and 50 then $r_w$ and the value of $f$ are observable.

Example 5.2.2 Different formalisms use an alphabet $(Low, High)$ to describe the set $Low$ of observable actions and the set $High$ of hidden actions. This is expressible by the observability declaration $\gamma$ such that $(true, a, \vec{\emptyset}) \in \gamma$ if $a \in Low$ and $(false, a, \vec{\emptyset}) \in \gamma$ if $a \in High$.
Let $\gamma$ be an observability declaration of $H$ and $\omega = (t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$ be a timed sequence of $H$. With $\omega_i$ we denote the tuple $(t_i, a_i, \vec{v}_i)$. Moreover, we say that the tuple $\omega_i$ is observable with respect to $\gamma$ if and only if there exists $(\phi, a, \vec{id}) \in \gamma$ such that $a = a_i$ and $\vec{v}_i \in \llbracket\phi\rrbracket$.

Let $\gamma$ be an observability declaration of $H$; for a timed sequence of $H$
$$\omega = (t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$$
we denote with $\omega_\gamma$ the observable part of $\omega$ with respect to $\gamma$,
$$(t'_1, a_{i_1}, \vec{v}'_1) \ldots (t'_m, a_{i_m}, \vec{v}'_m)$$
such that:

• for any $j$, the tuple $\omega_{i_j}$ is observable with respect to $\gamma$ and, for each $k$ in $[1, i_1)$ or in $(i_j, i_{j+1})$, the tuple $\omega_k$ is not observable with respect to $\gamma$;
• for each $j$, if $(\phi, a, \vec{id}) \in \gamma$ with $a = a_{i_j}$, then $\vec{v}'_j$ is the valuation $\vec{v}_{i_j}$ restricted to the observable identifiers in $\vec{id}$;
• $t'_1 = \sum_{h=1}^{i_1} t_h$ and, for each $j > 1$, $t'_j = \sum_{h=i_{j-1}+1}^{i_j} t_h$ (the delays of the hidden tuples are charged to the next observable one).
5.3 Timed Information Flow Logic

Now we define TIFL. TIFL uses two operators to define security properties: one operator to define the observable part of a set of timed sequences, and one to describe the property of a sequence of non-observable triples. Therefore we first define the set of expressions on observable timed sequences and the set of formulae on non-observable timed sequences.
5.3.1 The expressions on observable timed sequences

We consider finite timed sequences $(t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$ describing finite observable behaviors, where $t_1, \ldots, t_n$ are time values and $\vec{v}_1, \ldots, \vec{v}_n$ are valuations of the identifiers observable when the symbols $a_1, \ldots, a_n$ are observable.

We consider regular expressions on pairs $(a, \phi)$. If $(\phi', a, \vec{id}_2) \in \gamma$, then the expression $(a, \phi)$ denotes the set of sequences $(t, a, \vec{v})$ such that $\vec{v} \uplus (t) \in \llbracket \phi \wedge \phi' \rrbracket$. The meaning is that at time $t$ one observes both the symbol $a$ and the identifiers in $\vec{id}_2$ (namely $\vec{v} \models \phi'$), and the values of the time and of the identifiers in $\vec{id}_2$ are constrained by the formula $\phi$ (namely $\vec{v} \uplus (t) \models \phi$).

Let $\gamma \in \Gamma(H)$ be an observability declaration; the expressions on observable timed sequences with respect to $\gamma$ are generated by the following grammar:
$$D ::= (a, \phi) \mid D_1 + D_2 \mid D_1 D_2 \mid D_1^+$$
where $a$ is a symbol and $\phi$ is a formula in $\Phi(\vec{id} \uplus (time))$. The identifier $time$ expresses the time at which $a$ is performed.

We require that if $(\phi', a, \vec{id}_2) \in \gamma$ and $D$ is an expression on observable timed sequences on $\gamma$, then for each $(a, \phi)$ which appears in $D$ it holds that $\phi$ is a formula in $\Phi(\vec{id}_2 \uplus (time))$, i.e. the formula $\phi$ observed with the symbol $a$ ranges over the identifiers observable when $a$ is performed. The regular expressions $D_1 + D_2$, $D_1 D_2$ and $D_1^+$ denote union, concatenation and iteration, respectively. Therefore an expression on observable timed sequences gives a set of sequences of triples observable by an external agent.

Example 5.3.1 In example 5.2.1 we have defined the tuple $(f \in [40, 50], r_w, (f))$, which means that $r_w$ and the identifier $f$ are observable if and only if $f$ has a value between 40 and 50. With the expression $(r_w, f = 45 \wedge time \in [10, 20])$ we describe the fact that the site has received a request for the file with address 45 at a time in $[10, 20]$.

Let $\gamma \in \Gamma(H)$ be an observability declaration; the function $\mathcal{D}_\gamma$ defined below associates a set of finite timed sequences with each regular expression:
$$\mathcal{D}_\gamma[(a, \phi)] = \{(t, a, \vec{v}) \mid (\phi', a, \vec{id}) \in \gamma \text{ and } \vec{v} \uplus (t) \in \llbracket \phi \wedge \phi' \rrbracket\}$$
$$\mathcal{D}_\gamma[D_1 + D_2] = \mathcal{D}_\gamma[D_1] \cup \mathcal{D}_\gamma[D_2]$$
$$\mathcal{D}_\gamma[D_1 D_2] = \{d_1 d_2 \mid d_1 \in \mathcal{D}_\gamma[D_1] \text{ and } d_2 \in \mathcal{D}_\gamma[D_2]\}$$
$$\mathcal{D}_\gamma[D_1^+] = \{d_1 \ldots d_k \mid k \geq 1 \text{ and } d_i \in \mathcal{D}_\gamma[D_1] \text{ for each } 1 \leq i \leq k\}.$$
5.3.2 Formulae on non-observable timed sequences

Let $\omega$ and $\omega'$ be two timed sequences and $\gamma \in \Gamma(H)$ be an observability declaration; we say that $\omega$ and $\omega'$ have indistinguishable observable start with respect to $\gamma$, written $\omega \equiv_\gamma \omega'$, if and only if $\omega_\gamma = (t, a, \vec{v}) \ldots$ and $\omega'_\gamma = (t', a', \vec{v}') \ldots$ implies $t = t'$, $a = a'$ and $\vec{v} = \vec{v}'$. So, $\omega \equiv_\gamma \omega'$ iff one cannot distinguish the two timed sequences by observing their first observable symbol and identifiers.

Let us consider the set of formulae on non-observable timed sequences with respect to an observability declaration $\gamma$, generated by the following grammar:
$$\pi ::= a \mid \phi \mid \pi^\forall \mid \neg\pi_1 \mid \pi_1 \wedge \pi_2 \mid \pi_1 \vee \pi_2$$
Let $\omega$ be a timed sequence, $R$ a set of timed sequences with $\omega \in R$ and $\gamma \in \Gamma(H)$ an observability declaration;
• $(\omega, R, \gamma)$ satisfies the property $a$, written $(\omega, R, \gamma) \models a$, iff $\omega$ reads $a$ before reading its first observable tuple with respect to $\gamma$;
• $(\omega, R, \gamma)$ satisfies the property $\phi$, written $(\omega, R, \gamma) \models \phi$, iff $\omega$ satisfies $\phi$ at each step before reading its first observable tuple with respect to $\gamma$;
• $(\omega, R, \gamma)$ satisfies the property $\pi^\forall$, written $(\omega, R, \gamma) \models \pi^\forall$, iff for each timed sequence $\omega' \in R$ such that $\omega' \equiv_\gamma \omega$, it holds that $(\omega', R, \gamma) \models \pi$.

Therefore a formula on non-observable timed sequences gives a property of a sequence of non-observable triples.

Let $\omega = (t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$, $R$ be a set of timed sequences such that $\omega \in R$ and $\gamma$ an observability declaration. The relation $\models$ is inductively defined as follows:

$(\omega, R, \gamma) \models a$ iff the first observable tuple of $\omega$ w.r.t. $\gamma$ is $\omega_i$ implies $a \in \{a_1, \ldots, a_{i-1}\}$;
$(\omega, R, \gamma) \models \phi$ iff the first observable tuple of $\omega$ w.r.t. $\gamma$ is $\omega_i$ implies $\vec{v}_j \in \llbracket\phi\rrbracket$ for any $1 \leq j < i$;
$(\omega, R, \gamma) \models \pi^\forall$ iff for each timed sequence $\omega' \equiv_\gamma \omega$ in $R$ it holds that $(\omega', R, \gamma) \models \pi$;
$(\omega, R, \gamma) \models \neg\pi_1$ iff $(\omega, R, \gamma) \not\models \pi_1$;
$(\omega, R, \gamma) \models \pi_1 \wedge \pi_2$ iff both $(\omega, R, \gamma) \models \pi_1$ and $(\omega, R, \gamma) \models \pi_2$;
$(\omega, R, \gamma) \models \pi_1 \vee \pi_2$ iff either $(\omega, R, \gamma) \models \pi_1$ or $(\omega, R, \gamma) \models \pi_2$.

The relation $(\omega, R, \gamma) \models \pi$ may reveal an information flow in the initial part of the timed sequences of $R$. As an example, $(\omega, R, \gamma) \models a^\forall$, for some timed sequence $\omega$ with $\omega_\gamma = (t_1, a_1, \vec{v}_1) \ldots$, implies that if we consider any timed sequence $\omega'$ in $R$ and we observe the first observable symbol $a_1$ and identifier values $\vec{v}_1$ at time $t_1$, then we can infer that the non-observable symbol $a$ has been read before.
5.3.3 The logic

Let us introduce Timed Information Flow Logic ($\Psi(\gamma)$), whose formulae describe properties of sets of timed sequences and can reveal information flows arising in any part of the timed sequences. As seen above, we can express the observable part of a set of timed sequences by means of expressions $D$ and properties of a sequence of non-observable symbols by means of formulae $\pi$. Now we use these two operators to describe security properties.
Let $\gamma \in \Gamma(H)$ be an observability declaration. The formulae in $\Psi(\gamma)$ are generated by the following grammar:
$$\psi ::= \varepsilon \mid \pi.\psi \mid D.\psi \mid \neg\psi \mid \psi_1 \wedge \psi_2 \mid \psi_1 \vee \psi_2$$
where $\varepsilon$ is the empty formula, $D$ is an expression on observable timed sequences with respect to $\gamma$ and $\pi$ is a formula on non-observable timed sequences with respect to $\gamma$.

A set of timed sequences $R$ satisfies $\varepsilon$ iff $R$ is not empty. A set of timed sequences $R$ satisfies the property $\pi.\psi$ iff $\psi$ is satisfied by the set of timed sequences $\omega$ in $R$ such that $(\omega, R, \gamma)$ satisfies $\pi$. The operator $\pi.$ permits to select the timed sequences in $R$ whose non-observable initial behavior satisfies the property expressed by $\pi$. A set of timed sequences $R$ satisfies the property $D.\psi$ iff $\psi$ is satisfied by the set of timed sequences $\omega$ such that $\omega'\omega \in R$, $\omega'_\gamma \in \mathcal{D}_\gamma[D]$ and $\omega'$ terminates with an observable tuple. Given a set of timed sequences $R$, the operator $D.$ applied to $R$ returns the set of the timed sequences $\omega$ that the Hybrid System $H$ may perform after a sequence $\omega'$ whose observable part is in $\mathcal{D}_\gamma[D]$ and such that $\omega'$ followed by $\omega$ is a timed sequence in $R$.

Formally, we say that a set of timed sequences $R$ and an observability declaration $\gamma$ satisfy a property $\psi$, written $R \models_\gamma \psi$, iff the following requirements are fulfilled:

$R \models_\gamma \varepsilon$ iff $R \neq \emptyset$;
$R \models_\gamma \pi.\psi$ iff $\{\omega \in R \mid (\omega, R, \gamma) \models \pi\} \models_\gamma \psi$;
$R \models_\gamma D.\psi$ iff $\{\omega \mid \omega'\omega \in R,\ \omega'_\gamma \in \mathcal{D}_\gamma[D] \text{ and } \omega' \text{ terminates with an observable tuple}\} \models_\gamma \psi$;
$R \models_\gamma \neg\psi$ iff $R \not\models_\gamma \psi$;
$R \models_\gamma \psi_1 \wedge \psi_2$ iff both $R \models_\gamma \psi_1$ and $R \models_\gamma \psi_2$;
$R \models_\gamma \psi_1 \vee \psi_2$ iff either $R \models_\gamma \psi_1$ or $R \models_\gamma \psi_2$.

A Hybrid System with Identifiers $H$ satisfies a property $\psi$ in $\Psi(\gamma)$, where $\gamma \in \Gamma(H)$, written $H \models_\gamma \psi$, iff $R(H) \models_\gamma \psi$.

Formulae of Timed Information Flow Logic permit to describe behaviors giving rise to information flow. As an example, let us assume that the timed sequences $R(H)$ of a given Hybrid System with Identifiers $H$ satisfy
$$(a_1, time \in I_1).\neg b_1.(a_2, time \in I_2).\neg b_2.(a_3, time \in I_3).\neg\varepsilon,$$
for intervals $I_1, I_2, I_3$ and symbols $a_1, a_2, a_3, b_1, b_2$. In such a case there is an information flow, since whenever we observe action $a_i$ in interval $I_i$, for $1 \leq i \leq 3$, we are
sure that either $b_1$ has been read between $a_1$ and $a_2$, or $b_2$ has been read between $a_2$ and $a_3$. In fact, let us consider all the timed sequences whose observable part begins with $(t_1, a_1, \vec{v}_1)(t_2, a_2, \vec{v}_2)(t_3, a_3, \vec{v}_3)$, with $t_i \in I_i$ for $1 \leq i \leq 3$. If we reject the timed sequences that do not read $b_1$ between $a_1$ and $a_2$ and, subsequently, we reject the timed sequences that do not read $b_2$ between $a_2$ and $a_3$, then we obtain the empty set of timed sequences.

Timed Information Flow Logic permits to describe behaviors giving rise to information flow depending also on time. As an example, let us assume that the timed sequences $R(H)$ of a given Hybrid System $H$ satisfy $(a_1, time \in I_1).b^\forall.(a_2, time \in I_2).\varepsilon$. This means that there exists a time $t \in I_2$ such that each timed sequence which reads $(t_1, a_1, \vec{v}_1)(t_2, a_2, \vec{v}_2)$ with $t_1 \in I_1$ and $t_2 = t$ performs $b$. It means that we have an information flow due to the time at which an observable symbol is performed.

Besides describing behaviors giving rise to information flow, formulae of $\Psi(\gamma)$ permit also to certify that suspect behaviors do not give rise to information flow. Both uses of $\Psi(\gamma)$ are shown below.

Example 5.3.2 Let $\gamma$ be the observability declaration
$$\{(true, a_1, \vec{\emptyset}), (true, a_2, \vec{\emptyset}), (false, b_1, \vec{\emptyset}), (false, b_2, \vec{\emptyset})\}.$$
The observability declaration $\gamma$ means that the only observable symbols are $a_1$ and $a_2$. Let $\omega_1$, $\omega_2$, $\omega_3$ and $\omega_4$ be the following four timed sequences, where for readability each tuple carries the absolute instant at which it occurs rather than the delay $t_i$ of section 5.1 (in delay form, $\omega_1$ reads $(5, b_1, \vec{v}_{11})(3, b_2, \vec{v}_{12})(2, a_1, \vec{v}_{13}) \ldots$):
$$\omega_1 = (5, b_1, \vec{v}_{11})(8, b_2, \vec{v}_{12})(10, a_1, \vec{v}_{13}) \ldots$$
$$\omega_2 = (2, b_1, \vec{v}_{21})(4, b_2, \vec{v}_{22})(10, a_1, \vec{v}_{23}) \ldots$$
$$\omega_3 = (1, b_1, \vec{v}_{31})(20, a_1, \vec{v}_{32}) \ldots$$
$$\omega_4 = (20, a_2, \vec{v}_{41}) \ldots$$
Let $R$ be the set $\{\omega_1, \omega_2, \omega_3, \omega_4\}$. We prove now that $R$ satisfies $\neg b_1.(a_1, true).\neg\varepsilon$. The property means that before the symbol $a_1$ the non-observable symbol $b_1$ is surely performed.

Therefore $R \models_\gamma \neg b_1.(a_1, true).\neg\varepsilon$ iff $\{\omega_i \mid (\omega_i, R, \gamma) \models \neg b_1\} \models_\gamma (a_1, true).\neg\varepsilon$. Since $(\omega_1, R, \gamma) \models b_1$, $(\omega_2, R, \gamma) \models b_1$, $(\omega_3, R, \gamma) \models b_1$ and $(\omega_4, R, \gamma) \models \neg b_1$, we have that $\{\omega_i \mid (\omega_i, R, \gamma) \models \neg b_1\} \models_\gamma (a_1, true).\neg\varepsilon$ iff $\{\omega_4\} \models_\gamma (a_1, true).\neg\varepsilon$.
But $(\omega_4)_\gamma = (20, a_2, \vec{\emptyset}) \ldots$, and so $\{\omega_4\} \models_\gamma (a_1, true).\neg\varepsilon$ iff $\emptyset \models_\gamma \neg\varepsilon$. Therefore $R \models_\gamma \neg b_1.(a_1, true).\neg\varepsilon$.

Similarly, we can prove that $R$ satisfies $(b_2.(a_1, true).\varepsilon) \wedge (\neg b_2.(a_1, true).\varepsilon)$. The property means that before the symbol $a_1$ the symbol $b_2$ is not necessarily performed. So, if one does not consider time information, there is no way to know whether $b_2$ has been performed. If one considers time information, then an attack can be found. In fact $R$ satisfies $b_2^\forall.(a_1, true).\varepsilon$. The property means that there exists a time $t$ such that each timed sequence with observable part equal to $(t, a_1, \vec{\emptyset}) \ldots$ performs $b_2$. This means that there exists a time $t$ such that if $(t, a_1, \vec{\emptyset}) \ldots$ is observed, then the symbol $b_2$ has surely been performed.

Therefore $R \models_\gamma b_2^\forall.(a_1, true).\varepsilon$ iff $\{\omega_i \mid (\omega_i, R, \gamma) \models b_2^\forall\} \models_\gamma (a_1, true).\varepsilon$. But we have that
$$(\omega_1)_\gamma = (10, a_1, \vec{\emptyset}) \ldots \qquad (\omega_2)_\gamma = (10, a_1, \vec{\emptyset}) \ldots \qquad (\omega_3)_\gamma = (20, a_1, \vec{\emptyset}) \ldots \qquad (\omega_4)_\gamma = (20, a_2, \vec{\emptyset}) \ldots$$
Therefore $\omega_1 \equiv_\gamma \omega_1$, $\omega_1 \equiv_\gamma \omega_2$, $\omega_2 \equiv_\gamma \omega_2$, $\omega_2 \equiv_\gamma \omega_1$, $\omega_3 \equiv_\gamma \omega_3$ and $\omega_4 \equiv_\gamma \omega_4$, and no other pair is related. So $(\omega_1, R, \gamma) \models b_2^\forall$, $(\omega_2, R, \gamma) \models b_2^\forall$, $(\omega_3, R, \gamma) \not\models b_2^\forall$ and $(\omega_4, R, \gamma) \not\models b_2^\forall$. Then $\{\omega_i \mid (\omega_i, R, \gamma) \models b_2^\forall\} \models_\gamma (a_1, true).\varepsilon$ iff $\{\omega_1, \omega_2\} \models_\gamma (a_1, true).\varepsilon$. Since $(\omega_1)_\gamma = (10, a_1, \vec{\emptyset}) \ldots$ and $(\omega_2)_\gamma = (10, a_1, \vec{\emptyset}) \ldots$, the operator $(a_1, true).$ applied to $\{\omega_1, \omega_2\}$ returns the non-empty set of the continuations of $\omega_1$ and $\omega_2$ after $a_1$, which satisfies $\varepsilon$. Therefore $R \models_\gamma b_2^\forall.(a_1, true).\varepsilon$.

Example 5.3.3 Let us consider the web system of example 3.2.1 with the observability declaration
$$\{(f \in [40, 50], r_w, (f)),\ (f \in [40, 50], a_w, \vec{\emptyset}),\ (false, a_c, \vec{\emptyset}),\ (false, r_c, \vec{\emptyset}),\ (false, n_c, \vec{\emptyset}),\ (false, s_c, \vec{\emptyset})\}.$$
This observability declaration means that the site with addresses in $[40, 50]$ is able to observe a request $r_w$ with address $f$ sent to it, and its answer $a_w$, if and only if the address requested is between 40 and 50 (i.e. $f \in [40, 50]$). The symbols in $\{a_c, r_c, n_c, s_c\}$ are never observable. We call this site $e$.
The following property holds: (rw, true)(aw, true).rw.(rw, time ∈ [0, 100)).¬ The operator (rw, true)(aw, true). creates a set of timed sequences R from the timed sequences of the Hybrid System which can be performed after a communication with the site e. The operator rw. selects the set R′ of timed sequences in R such that the non observable action rw (i.e. a request to a site different from e) appears before an observable symbol. So we require that the Hybrid System, after performing a number of steps, performs rw with f ∉ [40, 50]. Now, in the timed sequences in R′ the first observable symbol following rw appears at least 100 units of time after the observable symbols that appear before rw, since the non observable rw can happen only at least 100 units of time after the observable answer aw. Therefore, the operator (rw, time ∈ [0, 100)). applied to R′ gives the empty set of timed sequences, which satisfies ¬. The property means that if the time elapsed between two communications with the web site e is in the interval [0, 100), then there has not been any communication with a different site in the meantime. This information can be exploited by e to violate the privacy of the user. In [36] it is shown that, when the user visits the site e, e can attack the browser and infer whether it has recently visited some different web page or not, thus violating the privacy of the user. In fact, assume that e contains an applet that, when executed, causes a request of a page not in e and, then, a request to e itself. When the user's browser downloads the page of e, it executes the applet. Therefore, if e receives the original request and the request caused by the applet within 100 units of time, it infers that no communication between the user and a site different from e has happened in the meantime, i.e. that the page was in the cache of the user. In fact, the browser takes at least 100 units of time to download a page from a site.
The property above shows that we are able to detect behaviors violating privacy. We can also show that we are able to certify that privacy is not violated by a suspect behavior of a system described by a given automaton. To this purpose, in example 3.2.1 let us suppose we have x ∈ [102, 256] instead of x ∈ [2, 5] in the transition with label ac of the system in figure 3.1. We can enforce the property (rw, true)(aw, true).rc.($a_c^\forall$ ∨ $a_w^\forall$).(rw, true).¬ The operator (rw, true)(aw, true). creates a set of timed sequences R from the timed sequences of the Hybrid System which can be performed after a communication with the site e. The operator rc. selects the timed sequences R′ in R which perform rc before an observable symbol (i.e. the user has requested a page and so the browser checks in the cache). So in R′, we have a set of timed sequences performable after reading
a communication with e and in which before the first observable symbol an rc is performed. The operator ($a_c^\forall$ ∨ $a_w^\forall$). takes the timed sequences in R′ such that if the first observable symbol is performed at a time t, then we are sure that ac (resp. aw) is performed. But we consider that x ∈ [102, 256] so, if we fix a time, the non observable symbol ac (resp. aw) both can and cannot be performed. Therefore this set is empty. This property means that whenever we fix a time t ∈ [0, ∞) separating two communications with e, if there is a request rc in the meantime then it holds neither that all timed sequences perform a communication with the cache nor that all timed sequences perform a communication with a site different from e. So, e is not able to infer, by observing its interaction with the user, whether the user has accessed the cache or a different site.

Example 5.3.4 Let us consider example 3.3.5 with the observability declaration {(true, input, $\vec{\emptyset}$), (true, output, $\vec{\emptyset}$), (false, {sq, eq1, eq2, mul, succ, check}, $\vec{\emptyset}$)}. It means that an observer is able to see only the time needed to encrypt a key. We can enforce the property

$$(\mathit{input}, \mathit{true}).\Big(\sum_{i=0}^{127} a[i] \ge 2\Big).(\mathit{output}, \mathit{time} \in [2048, 2565]).\neg$$

This means that if the time elapsed to encrypt the message m is in [2048, 2550], then the key has fewer than 2 bits set to one. This attack permits checking only 129 combinations to find the key (see [56]). This idea was developed in [31], where a timing attack against a smart card implementation of RSA was conducted. Other similar attacks can be described. As an example, in [47], a timing attack on the RC5 block encryption algorithm is described. The analysis is motivated by the possibility that some implementations of RC5 could result in the data-dependent rotations taking a time that is a function of the data. In [52], the vulnerability of two implementations of the Data Encryption Standard (DES) cryptosystem under a timing attack is studied. It is shown that a timing attack yields the Hamming weight of the key used by both DES implementations. Moreover, the attack is computationally inexpensive. A timing attack against an implementation of the AES candidate Rijndael is described in [57], and one against the popular SSH protocol in [84]. Let B ⊆ {1, . . . , 127}; the set B identifies a key if one considers the indexes in B equal to 1 and those not in B equal to 0. With φB we denote the formula $\bigvee_{i \in B} a[i] \ne 1 \ \vee\ \bigvee_{i \notin B} a[i] \ne 0$. The formula φB represents the fact that the current key is different from that expressed by B. A property which guarantees security is the following:

$$(\mathit{input}, \mathit{true}).\bigvee_{B \subseteq \{0,\ldots,127\}} (\varphi_B)^\forall.(\mathit{output}, \mathit{true}).\neg$$
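An added example (not code from the thesis) of the leak the formula above describes, for a right-to-left square-and-multiply exponentiation under a constructed cost model: the per-operation costs, the modulus and the function names are assumptions, chosen so that the window [2048, 2565] contains exactly the times of keys with fewer than 2 bits set; the constant-time variant shows the mitigation, where the same observation leaves all 2^128 keys possible.

```python
"""Timing channel of Example 5.3.4 under a constructed cost model.

Added example, not code from the thesis: the costs SQ_COST and MUL_COST, the
modulus MOD and the function names are assumptions. The observer sees only the
time between input and output; that time depends on the key a[0..127] only
through the number of bits set, so one observation narrows the key space.
"""
from math import comb

KEY_BITS = 128                 # the key is the array a[0..127]
SQ_COST, MUL_COST = 16, 300    # constructed cost of one squaring / one multiplication
MOD = (1 << 127) - 1           # constructed odd modulus


def key_bits(key: int) -> list:
    """a[i] for i = 0..127, least significant bit first."""
    return [(key >> i) & 1 for i in range(KEY_BITS)]


def naive_modexp(base: int, key: int, mod: int) -> tuple:
    """Right-to-left square-and-multiply. The multiplication is done only when
    a[i] = 1, so the time is 128*SQ_COST + MUL_COST*(bits set). Returns (result, time)."""
    result, acc, time = 1, base % mod, 0
    for bit in key_bits(key):
        if bit:
            result = result * acc % mod
            time += MUL_COST
        acc = acc * acc % mod
        time += SQ_COST
    return result, time


def constant_time_modexp(base: int, key: int, mod: int) -> tuple:
    """Same arithmetic, but the multiplication is always performed and its result
    is discarded on a zero bit, so the time is the same for every key. (The Python
    conditional below stands in for a constant-time select in real code.)"""
    result, acc, time = 1, base % mod, 0
    for bit in key_bits(key):
        candidate = result * acc % mod
        time += MUL_COST
        result = candidate if bit else result
        acc = acc * acc % mod
        time += SQ_COST
    return result, time


def time_of_weight(w: int, schedule) -> int:
    """Encryption time of a key with w bits set (representative key: low w bits)."""
    return schedule(2, (1 << w) - 1, MOD)[1]


def keys_consistent_with_time(lo: int, hi: int, schedule) -> int:
    """Number of the 2^128 keys whose time lies in [lo, hi]: the keys of weight w
    contribute C(128, w), since time depends on the key only via w."""
    return sum(comb(KEY_BITS, w) for w in range(KEY_BITS + 1)
               if lo <= time_of_weight(w, schedule) <= hi)


def consistent_weights(observed_time: int, schedule) -> set:
    """Hamming weights the key may have, given a single observed time."""
    return {w for w in range(KEY_BITS + 1)
            if time_of_weight(w, schedule) == observed_time}


if __name__ == "__main__":
    # Under the naive schedule a time in [2048, 2565] leaves 129 candidate keys
    # (weight 0 or 1), as the formula above states; under the constant-time
    # schedule every key yields the same time and nothing is learned.
    print(keys_consistent_with_time(2048, 2565, naive_modexp))
    t_const = constant_time_modexp(2, 5, MOD)[1]
    print(keys_consistent_with_time(t_const, t_const, constant_time_modexp) == 2 ** 128)
```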
Now, let us give a notion of normal form for Information Flow formulae, and let us prove that arbitrary formulae can be reduced to equivalent normal forms. First, we need to introduce some notions. Let us define the set Π of the Pi-formulae as the least set containing every formula π.ψ, every formula ¬ψ with ψ ∈ Π, every formula ψ1 ∧ ψ2 with either ψ1 ∈ Π or ψ2 ∈ Π, and every formula ψ1 ∨ ψ2 with either ψ1 ∈ Π or ψ2 ∈ Π. A formula ψ is a normal form iff no subformula π.ψ′ appearing in ψ is such that ψ′ ∈ Π.

Proposition 5.3.5 Each formula ψ has an equivalent normal form.

Proof. We can transform ψ into a formula satisfying the condition of normal form by exploiting the following equivalences:
• π1.π2.ψ ≡ (π1 ∧ π2).ψ
• π.(ψ1 ∨ ψ2) ≡ (π.ψ1) ∨ (π.ψ2)
• π.(ψ1 ∧ ψ2) ≡ (π.ψ1) ∧ (π.ψ2)
• π.¬(ψ) ≡ ¬(π.ψ). □

We conclude this section by giving the following result, which follows directly from the definition of the relation ⊨γ.

Proposition 5.3.6 Let H and H′ be two Hybrid Systems such that R(H) = R(H′). For each formula ψ it holds that H ⊨γ ψ iff H′ ⊨γ ψ.
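The rewriting of Proposition 5.3.5, as an added example in Python (not code from the thesis): formulae are nested tuples, the four equivalences are applied until no prefix π.ψ′ has ψ′ ∈ Π, and is_normal_form checks the result. The constructor names and the name BASE for the atomic end formula of the logic are assumptions of this example.

```python
"""Normal-form rewriting for Timed Information Flow formulae (Proposition 5.3.5).

Added example, not code from the thesis. Formulae are nested tuples:
  ("pi", pi, psi)   the prefix formula pi.psi (pi is a string or ("and", pi1, pi2))
  ("D", d, psi)     the formula D.psi (d is an opaque label)
  ("not", psi), ("or", psi1, psi2), ("and", psi1, psi2)
  BASE              the atomic end formula of the logic (name assumed here)
"""

BASE = "base"


def is_pi_formula(psi) -> bool:
    """Membership in the set Pi of Pi-formulae, as defined in the text."""
    if psi == BASE:
        return False
    tag = psi[0]
    if tag == "pi":
        return True
    if tag == "not":
        return is_pi_formula(psi[1])
    if tag in ("or", "and"):
        return is_pi_formula(psi[1]) or is_pi_formula(psi[2])
    return False  # D.psi is never a Pi-formula


def is_normal_form(psi) -> bool:
    """No subformula pi.psi' has psi' in Pi."""
    if psi == BASE:
        return True
    tag = psi[0]
    if tag == "pi":
        return not is_pi_formula(psi[2]) and is_normal_form(psi[2])
    if tag in ("D", "not"):
        return is_normal_form(psi[-1])
    return is_normal_form(psi[1]) and is_normal_form(psi[2])


def normal_form(psi):
    """Rewrite psi into an equivalent normal form with the four equivalences:
    pi1.pi2.psi == (pi1 and pi2).psi,  pi.(a or b) == pi.a or pi.b,
    pi.(a and b) == pi.a and pi.b,       pi.(not a) == not (pi.a)."""
    if psi == BASE:
        return psi
    tag = psi[0]
    if tag == "D":
        return ("D", psi[1], normal_form(psi[2]))
    if tag == "not":
        return ("not", normal_form(psi[1]))
    if tag in ("or", "and"):
        return (tag, normal_form(psi[1]), normal_form(psi[2]))
    # tag == "pi": normalise the body first, then push the prefix through Pi-formulae
    pi, body = psi[1], normal_form(psi[2])
    if not is_pi_formula(body):
        return ("pi", pi, body)
    inner = body[0]
    if inner == "pi":                      # pi1.pi2.psi -> (pi1 and pi2).psi
        return normal_form(("pi", ("and", pi, body[1]), body[2]))
    if inner == "not":                     # pi.(not a) -> not (pi.a)
        return ("not", normal_form(("pi", pi, body[1])))
    # inner in ("or", "and"): distribute the prefix over both operands
    return (inner, normal_form(("pi", pi, body[1])), normal_form(("pi", pi, body[2])))


def show_pi(pi) -> str:
    """Render a pi-formula; conjunctions of prefixes come from the first equivalence."""
    return pi if isinstance(pi, str) else f"({show_pi(pi[1])} & {show_pi(pi[2])})"


def show(psi) -> str:
    """Readable rendering of a formula, e.g. '(p1 & p2).base'."""
    if psi == BASE:
        return BASE
    tag = psi[0]
    if tag == "pi":
        return f"{show_pi(psi[1])}.{show(psi[2])}"
    if tag == "D":
        return f"{psi[1]}.{show(psi[2])}"
    if tag == "not":
        return f"~{show(psi[1])}"
    op = " | " if tag == "or" else " & "
    return f"({show(psi[1])}{op}{show(psi[2])})"


if __name__ == "__main__":
    # The privacy property of Example 5.3.3: the two prefixes rw. and (rw, time in [0,100)).
    # are merged into one conjunction by the first equivalence.
    web = ("D", "(rw,true)(aw,true)",
           ("pi", "rw", ("pi", "(rw, time in [0,100))", ("not", BASE))))
    print(show(web), "->", show(normal_form(web)))
```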
5.4 An Algorithm
In this section we give an algorithm to verify whether a Hybrid System with Identifiers satisfies a given formula ψ. We say that the formula argues on all observable sequences. Formula D.ψ argues on the observable sequences ω′ω, with ω′ ∈ Dγ[D] and ω argued on by ψ. Moreover, ¬ψ and π.ψ argue on the same observable sequences as ψ. Finally, ψ1 ∨ ψ2 and ψ1 ∧ ψ2 argue on the observable sequences that are argued on by both ψ1 and ψ2. Intuitively, a formula ψ argues on an observable sequence ω iff ψ considers ω′ whose observable part ω′γ coincides with ω. First of all, we construct an automaton $H^\psi$ that recognizes precisely the timed sequences ω whose observable part ωγ is argued on by ψ. Then, we consider the composition of H and $H^\psi$, which recognizes the intersection of the languages R(H) and R($H^\psi$), i.e. the timed sequences in R(H) whose observable part is argued on by ψ. Therefore, R(H) satisfies ψ if and only if R(H ⊗ $H^\psi$) does. Finally, we visit the regions of H ⊗ $H^\psi$ to check whether ψ holds.
Figure 5.1: The Hybrid System $H^{(a,\varphi)}$. [Figure: three locations l0, l and la, each with activity x′ = x + t; the initial condition is x = 0; transitions labelled {aj, ¬φj}j∈[1,n] lead from l0 to l and loop on l; transitions labelled a, φi ∧ φ[time := x] ∧ T′ = x ∧ x′ = 0 lead from l0 and from l to la.]
5.4.1 Construction of $H^\psi$
First of all we construct the Hybrid System with Identifiers $H^D$ and the set of locations $E^D$ that recognize precisely the finite timed sequences ω such that, if there exists a run for ω ending with a location in $E^D$, then ωγ ∈ Dγ[D] and ω terminates with an observable tuple. Let γ = {(φ1, a1, $\vec{id}_1$), . . . , (φn, an, $\vec{id}_n$)}; the automaton $H^{(a,\varphi)}$ with a = ai is in Fig. 5.1. The set of ending locations is $E^{(a,\varphi)}$ = {la}. $H^{(a,\varphi)}$ recognizes a possibly empty sequence of non observable symbols followed by the observable symbol a and by a time and valuation in ⟦φ⟧. The identifier x calculates the time elapsed before reading the first observable tuple. This time is stored in the identifier T and the variable x is reset to calculate the time of the next observable tuple. The Hybrid System has no transition entering the initial location l0 and no transition departing from the ending location la. This property is satisfied by any $H^D$ and permits a construction inductive w.r.t. D. Note that the location la of $H^{(a,\varphi)}$ is marked by the observable symbol a. Given a set of transitions Tr and locations l and l′, let Tr[l′/l] denote the set of transitions in Tr modified by replacing the starting (resp. target) location with l′, if the starting (resp. target) location is l. Moreover, given a set of locations L, let Tr[L/l] denote the set {Tr[l′/l] | l′ ∈ L}. Let L be a set of locations; with ActL we denote the activity function on locations of L such that for each location l ∈ L it holds that ActL(l) = (x′ = x + t). Given Hybrid Systems $H^{D_1}$ = ⟨Σ, Loc1, (x, T), Tr1, Act1, (l01, x = 0)⟩ with ending locations $E^{D_1}$ and $H^{D_2}$ = ⟨Σ, Loc2, (x, T), Tr2, Act2, (l02, x = 0)⟩ with ending
locations $E^{D_2}$, then we define:

$$\begin{aligned}
H^{D_1+D_2} &= \langle \Sigma,\ Loc_1 \cup Loc_2 \cup \{l_0\},\ (x,T),\ Tr_1[l_0/l_{0_1}] \cup Tr_2[l_0/l_{0_2}],\ Act_{Loc_1 \cup Loc_2 \cup \{l_0\}},\ (l_0, x = 0)\rangle \\
E^{D_1+D_2} &= E^{D_1} \cup E^{D_2} \\
H^{D_1 D_2} &= \langle \Sigma,\ Loc_1 \cup Loc_2,\ (x,T),\ Tr_1 \cup Tr_2[E^{D_1}/l_{0_2}],\ Act_{Loc_1 \cup Loc_2},\ (l_{0_1}, x = 0)\rangle \\
E^{D_1 D_2} &= E^{D_2} \\
H^{D_1^+} &= \langle \Sigma,\ Loc_1 \cup \{l_0\},\ (x,T),\ Tr_1 \cup \{\langle l_0, a, \varphi, l\rangle \mid \langle l_{0_1}, a, \varphi, l\rangle \in Tr_1\} \cup \{\langle l, a, \varphi, l_0\rangle \mid \langle l, a, \varphi, l''\rangle \in Tr_1 \wedge l'' \in E^{D_1}\},\ Act_{Loc_1 \cup \{l_0\}},\ (l_{0_1}, x = 0)\rangle \\
E^{D_1^+} &= E^{D_1}
\end{aligned}$$

The Hybrid System $H^{D_1+D_2}$ chooses between performing a run of $H^{D_1}$ and performing a run of $H^{D_2}$. The Hybrid System $H^{D_1 D_2}$ performs a run of $H^{D_1}$ followed by a run of $H^{D_2}$. Finally, the automaton $H^{D_1^+}$ performs a finite sequence of runs of $H^{D_1}$. We can define now $H^\psi$. The Hybrid System H is defined as follows: ⟨Σ, {l}, (x, T), {⟨l, a, true, l⟩ | a ∈ Σ}, Act{l}, (l, true)⟩. Let $H^{\psi_1}$ be the Hybrid System ⟨Σ, Loc1, (x, T), Tr1, Act1, (l01, x = 0)⟩, $H^{\psi_2}$ be the Hybrid System ⟨Σ, Loc2, (x, T), Tr2, Act2, (l02, x = 0)⟩ and $H^D$ be the Hybrid System ⟨Σ, Loc3, (x, T), Tr3, Act3, (l03, x = 0)⟩ with ending locations $E^D$; then we define:

$$\begin{aligned}
H^{\pi.\psi_1} &= H^{\neg\psi_1} = H^{\psi_1} \\
H^{D.\psi_1} &= \langle \Sigma,\ Loc_3 \cup Loc_1,\ (x,T),\ Tr_3 \cup Tr_1[\textstyle\bigcup_{l \in E^D} l^{D.\psi_1}/l_{0_1}],\ Act_{Loc_3 \cup Loc_1},\ (l_{0_3}, x = 0)\rangle \\
H^{\psi_1 \vee \psi_2} &= H^{\psi_1 \wedge \psi_2} = \langle \Sigma,\ Loc_1 \cup Loc_2 \cup \{l_0\},\ (x,T),\ Tr_1[l_0/l_{0_1}] \cup Tr_2[l_0/l_{0_2}],\ Act_{Loc_1 \cup Loc_2 \cup \{l_0\}},\ (l_0, x = 0)\rangle
\end{aligned}$$
The Hybrid System H recognizes all timed sequences. The Hybrid Systems $H^{\pi.\psi_1}$ and $H^{\neg\psi_1}$ coincide with $H^{\psi_1}$, since both π.ψ1 and ¬ψ1 argue on the same sequences that are argued on by ψ1. The automaton $H^{D.\psi_1}$ performs a run of $H^D$ followed by a run of $H^{\psi_1}$. Note that the locations of $H^D$ are marked by D.ψ1. Both $H^{\psi_1 \vee \psi_2}$ and $H^{\psi_1 \wedge \psi_2}$ choose between performing runs of $H^{\psi_1}$ and performing runs of $H^{\psi_2}$.

Theorem 5.4.1 Let γ ∈ Γ(H) and γ′ be the observability declaration such that (φ, a, $\vec{id} \uplus (T)$) ∈ γ′ if and only if (φ, a, $\vec{id}$) ∈ γ. It holds that H ⊨γ ψ ⇔ H ⊗ $H^\psi$ ⊨γ′ ψ.

Proof. The thesis is immediate by induction on the structure of ψ. □
5.4.2 Visit of H ⊗ $H^\psi$
Before visiting the regions of the Hybrid System H ⊗ $H^\psi$ we need the following lemma, which states that a timed sequence ω, an observability declaration γ and a set of timed sequences R satisfy a formula π if and only if ω and each subset of R containing the set of timed sequences which have indistinguishable start with respect to ω and γ do.

Lemma 5.4.2 Let ω be a timed sequence, γ an observability declaration and R a set of timed sequences. For each R′ such that R ⊇ R′ ⊇ {ω′ ∈ R | ω ≡γ ω′}, it holds that (ω, R, γ) ⊨ π ⇔ (ω, R′, γ) ⊨ π.

Proof. We prove the thesis by induction on π:
• π = a: (ω, R, γ) ⊨ a if and only if a is read before the first observable tuple of ω. Therefore for each R′ such that R ⊇ R′ ⊇ {ω′ ∈ R | ω ≡γ ω′}, it holds that (ω, R′, γ) ⊨ a. Then the thesis holds.
• π = φ: (ω, R, γ) ⊨ φ if and only if φ is satisfied in each step before reading the first observable symbol of ω. Therefore for each R′ such that R ⊇ R′ ⊇ {ω′ ∈ R | ω ≡γ ω′}, it holds that (ω, R′, γ) ⊨ φ. Then the thesis holds.
• π = $\pi_1^\forall$: (ω, R, γ) ⊨ $\pi_1^\forall$ if and only if for each ω′ ∈ R such that ω′ ≡γ ω it holds that (ω′, R, γ) ⊨ π1. By induction it holds that for each R′ such that R ⊇ R′ ⊇ {ω″ ∈ R | ω′ ≡γ ω″}, it holds that (ω′, R′, γ) ⊨ π1. Since the sets of all the timed sequences with indistinguishable start with respect to ω′ and ω are equal, we have that for each ω′ such that ω′ ≡γ ω and for each R′ such that R ⊇ R′ ⊇ {ω′ ∈ R | ω ≡γ ω′}, it holds that (ω′, R′, γ) ⊨ π1. Therefore (ω, R′, γ) ⊨ $\pi_1^\forall$. Then the thesis holds.
• π ≡ ¬π1: The thesis follows immediately by the semantics of ¬ and by the inductive hypothesis.
• π ≡ π1 ∨ π2: The thesis follows immediately by the semantics of ∨ and by the inductive hypothesis.
• π ≡ π1 ∧ π2: The thesis follows immediately by the semantics of ∧ and by the inductive hypothesis.
□

We say that a region is marked by a symbol a or by a formula ψ iff the location of the region is. Given an expression D, a formula ψ, a Hybrid System H and a set of regions R, let Reach(D, ψ, R, H) denote the set of regions that are marked by D.ψ and are reachable from R. The set Reach(D, ψ, R, H) can be computed immediately by using the operators [ ]l and post_e. Let π be a formula; with F(π) we denote the set of formulae {φ1, . . . , φn} which appear in π. Let us define now the algorithm CheckPi (figure 5.2). It takes a set of regions R of a Hybrid System H, an observable symbol a, a formula π and an observability declaration γ. Let R be the set of timed sequences performable from regions in R. The algorithm returns the set of regions R′ such that a region (l, φ) is in R′ if and only if there is a timed sequence ω ∈ R such that ω reads a as its first observable symbol with respect to γ, (ω, R, γ) ⊨ π, and there exists a corresponding run r of H (namely ω = ωr) departing from a region in R and crossing (l, φ) when reading a. The algorithm uses tuples of the form ((l, φ), B1, B2), with (l, φ) a region, B1 a set of non observable symbols, and B2 a set of formulae contained in F(π), meaning that (l, φ) is reachable from some region in R by reading precisely the non observable symbols in B1 and satisfying in each step the formulae in B2. In fact, the algorithm starts by considering the tuples ((l, φ), ∅, F(π)) such that (l, φ) ∈ R (see line 1), and, for each tuple ((l, φ), B1, B2) such that there exists a transition e with source l and target l″, and for each set C of formulae not satisfied in this step, the tuple ((l′, φ″), B1 ∪ {a}, B2 \ C) is generated (see lines 10–13). The set A contains all tuples ((l, φ), B1, B2) such that the states in (l, φ) can be reached by reading a sequence of non observable symbols in B1 followed by the low symbol a, and satisfying the formulae in B2.
In fact, at lines 7–8, for each tuple ((l, φ), B1, B2), if l is marked by a, then ((l, φ), B1, B2) is added to A. Now, following lemma 5.4.2, we consider the states with the same time and observable valuations (lines 16–18). In the set final we add the regions which satisfy π. To calculate this set we use the function Val (figure 5.3). For each tuple ((l, φ), B1, B2) in $A_C$, Val(((l, φ), B1, B2), $A_C$, π) is true if and only if the states in (l, φ) are reached by a timed sequence satisfying π. In fact, if π ≡ true then Val(((l, φ), B1, B2), $A_C$, π) is true. If π ≡ a then Val(((l, φ), B1, B2), $A_C$, π) returns true if and only if a ∈ B1, i.e. if and only if a is read to reach states in (l, φ). If π ≡ φ then Val(((l, φ), B1, B2), $A_C$, π) returns true if and only if φ ∈ B2, i.e. if and only if φ is satisfied in each step to reach states in (l, φ). If π ≡ (π1)∀ then Val(((l, φ), B1, B2), $A_C$, π) returns true if and only if Val(((l′, φ′), B1′, B2′), $A_C$, π1) returns true for each tuple ((l′, φ′), B1′, B2′) ∈ $A_C$, i.e. iff all timed sequences reaching regions (l′, φ′) with ((l′, φ′), B1′, B2′) ∈ $A_C$ satisfy π1. Note that we do not
CheckPi(R: set of regions, H: Hybrid System, a: symbol, π: formula, γ: obs declaration): set of regions
1.  to_be_visited := {((l, φ), ∅, F(π)) | (l, φ) ∈ R};
2.  visited := ∅;
3.  A := ∅;
4.  While to_be_visited ≠ ∅ do
5.    ((l, φ), B1, B2) := extract(to_be_visited);
6.    Add(((l, φ), B1, B2), visited);
7.    If l is marked by a
8.    Then Add(((l, φ), B1, B2), A);
9.    else
10.     For each C ⊆ B2 AND transition e with source l and target l″ do
11.       φ″ := post_e([φ ∧ ⋀_{φ′∈C} ¬φ′ ∧ ⋀_{φ′∈B2\C} φ′]_l);
12.       If ((l′, φ″), B1 ∪ {a}, B2 \ C) ∉ visited AND ⟦φ″⟧ ≠ ∅
13.       Then Add(((l′, φ″), B1 ∪ {a}, B2 \ C), to_be_visited);
14. final := ∅;
15. Let id⃗ be the vector of non observable identifiers of H w.r.t. (φ, a, id⃗1) ∈ γ AND A = {((l1, φ1), B1^1, B2^1), . . . , ((lm, φm), B1^m, B2^m)};
16. For each C ⊆ {1, . . . , m} do
17.   φ_C := ⋀_{j∈C} ∃id⃗.φj ∧ ⋀_{j∉C} ¬∃id⃗.φj;
18.   A_C := {((li, φi ∧ φ_C), B1^i, B2^i) | i ∈ C ∧ ⟦φi ∧ φ_C⟧ ≠ ∅};
19.   final := final ∪ {(l, φ) | ((l, φ), B1, B2) ∈ A_C ∧ Val(((l, φ), B1, B2), A_C, π)};
20. Return final;

Figure 5.2: The algorithm CheckPi.
Val(((l, φ), B1, B2): (region, symbols, formulae), A: set of (region, symbols, formulae), π: formula): boolean
1.  Case π of
2.    true Then
3.      Return true;
4.    a Then
5.      Return (a ∈ B1);
6.    φ Then
7.      Return (φ ∈ B2);
8.    (π1)∀ Then
9.      Return ⋀_{((l′,φ′),B1′,B2′)∈A} Val(((l′, φ′), B1′, B2′), A, π1);
10.   ¬π1 Then
11.     Return (NOT Val(((l, φ), B1, B2), A, π1));
12.   π1 ∨ π2 Then
13.     Return (Val(((l, φ), B1, B2), A, π1) OR Val(((l, φ), B1, B2), A, π2));
14.   π1 ∧ π2 Then
15.     Return (Val(((l, φ), B1, B2), A, π1) AND Val(((l, φ), B1, B2), A, π2))

Figure 5.3: The function Val.
CheckPsi(ψ: formula, R: set of regions, γ: obs declaration, H: Hybrid System): boolean
1.  Case ψ of
2.     Then
3.      Return {(l, φ) ∈ R | ⟦φ⟧ ≠ ∅} ≠ ∅;
4.    D.ψ′ Then
5.      Return CheckPsi(ψ′, Reach(D, ψ′, R, H), γ, H);
6.    π.ψ′ Then
7.      R′ := ⋃_{a∈Σ} CheckPi(R, H, a, π, γ);
8.      Return CheckPsi(ψ′, R′, γ, H);
9.    ¬ψ1 Then
10.     Return NOT (CheckPsi(ψ1, R, γ, H));
11.   ψ1 ∨ ψ2 Then
12.     Return (CheckPsi(ψ1, R, γ, H) OR CheckPsi(ψ2, R, γ, H));
13.   ψ1 ∧ ψ2 Then
14.     Return (CheckPsi(ψ1, R, γ, H) AND CheckPsi(ψ2, R, γ, H)).

Figure 5.4: The algorithm CheckPsi.
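The function Val of figure 5.3 together with the grouping and selection of lines 16–19 of CheckPi (figure 5.2), as an added example in Python (not the thesis's code). Computing φC needs a solver for the region formulae, so each tuple here carries its first observable tuple directly, a constructed stand-in for the observable start that φC isolates; the class Tup and the sample set A are assumptions of this example.

```python
"""Val (figure 5.3) and the grouping step of CheckPi (figure 5.2, lines 16-19).

Added example, not the thesis's code. pi-formulae are tuples:
  "true", ("sym", a), ("phi", f), ("all", pi1), ("not", pi1),
  ("or", pi1, pi2), ("and", pi1, pi2).
A tuple ((l, phi), B1, B2) of the algorithm is a Tup below. Instead of the
formula phi_C, each Tup carries `obs_start`, a constructed stand-in for the
observable start (time and symbol of the first observable tuple).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tup:
    loc: str                     # location l, assumed marked by the observable symbol a
    phi: str                     # name of the region formula phi
    obs_start: tuple             # (time, observable symbol) of the first observable tuple
    B1: frozenset = frozenset()  # non observable symbols read before it
    B2: frozenset = frozenset()  # formulae of F(pi) satisfied in every step before it

    @property
    def region(self) -> tuple:
        return (self.loc, self.phi)


def val(tup: Tup, A_C, pi) -> bool:
    """Figure 5.3. A_C is the set of tuples sharing tup's observable start."""
    if pi == "true":
        return True
    tag = pi[0]
    if tag == "sym":                       # line 5: a was read before the observable step
        return pi[1] in tup.B1
    if tag == "phi":                       # line 7: phi held at every step before it
        return pi[1] in tup.B2
    if tag == "all":                       # line 9: pi1 holds on every indistinguishable tuple
        return all(val(other, A_C, pi[1]) for other in A_C)
    if tag == "not":
        return not val(tup, A_C, pi[1])
    if tag == "or":
        return val(tup, A_C, pi[1]) or val(tup, A_C, pi[2])
    if tag == "and":
        return val(tup, A_C, pi[1]) and val(tup, A_C, pi[2])
    raise ValueError(f"unknown pi-formula {pi!r}")


def group_by_observable_start(A) -> list:
    """Lines 16-18 of CheckPi: split A into the sets A_C of tuples whose first
    observable tuple coincides (the constructed stand-in for phi_C)."""
    groups = {}
    for t in A:
        groups.setdefault(t.obs_start, []).append(t)
    return list(groups.values())


def check_pi_final(A, pi) -> set:
    """Line 19 of CheckPi: the regions reached by a timed sequence satisfying pi."""
    final = set()
    for A_C in group_by_observable_start(A):
        final |= {t.region for t in A_C if val(t, A_C, pi)}
    return final


# Constructed set A, loosely following omega_1..omega_4 of example 5.3.2:
# omega_1 and omega_2 share the observable start (10, a1) and both read b2, while
# omega_3 and omega_4 have starts of their own. Two extra sequences with start
# (30, a1) differ on b2, so b2 and b2^forall give different answers there.
SAMPLE_A = [
    Tup("l1", "phi1", (10, "a1"), frozenset({"b1", "b2"})),
    Tup("l2", "phi2", (10, "a1"), frozenset({"b1", "b2"})),
    Tup("l3", "phi3", (20, "a1"), frozenset({"b1"}), frozenset({"x<5"})),
    Tup("l4", "phi4", (20, "a2"), frozenset()),
    Tup("l5", "phi5", (30, "a1"), frozenset({"b2"})),
    Tup("l6", "phi6", (30, "a1"), frozenset({"b1"})),
]

if __name__ == "__main__":
    # b2 holds wherever b2 was read; b2^forall only where every sequence with the
    # same observable start read it, i.e. where the observer is sure of b2.
    print(sorted(check_pi_final(SAMPLE_A, ("sym", "b2"))))
    print(sorted(check_pi_final(SAMPLE_A, ("all", ("sym", "b2")))))
```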
distinguish time and identifier values. The reason is that, since the condition φC is added (see lines 17–18 of figure 5.2), we group the reachable states with the same observable start. By propositions 4.1.1 and 4.1.2, each state in ⟦φi ∧ φC⟧ is reachable. The cases π ≡ ¬π1, π ≡ π1 ∨ π2 and π ≡ π1 ∧ π2 are immediate. The algorithm CheckPsi(ψ, R, γ, H), defined in figure 5.4, checks whether the timed sequences originating from the regions R of the Hybrid System H satisfy the formula ψ with respect to γ. If ψ ≡ then the algorithm returns true iff there exists a region with formula not equal to false. If ψ ≡ D.ψ′ then we consider the regions R′ = Reach(D, ψ′, R, H) that can be reached from R by reading an observable sequence in Dγ[D], and from which the timed sequences that must satisfy ψ′ must be performed (this last requirement coincides with asking that the regions are marked by D.ψ′). Then, we apply CheckPsi to ψ′, R′, γ and H.
If ψ ≡ π.ψ′ then we consider the regions R′ that are reached by timed sequences satisfying π. These runs are grouped by the observable symbols that are read to reach them. Then, we apply CheckPsi to ψ′, R′, γ and H. So, given any timed sequence ω′ω″ from R such that after performing ω′ the region (l, φ) ∈ R′ is reached, we forget the portion ω′, notwithstanding that we should check that the complete timed sequence satisfies ψ′. Our choice is correct since ψ is a normal form and, therefore, the forgotten part of the timed sequence does not play any rôle in the satisfiability of ψ′. The cases ψ ≡ ¬ψ′, ψ ≡ ψ1 ∧ ψ2 and ψ ≡ ψ1 ∨ ψ2 are immediate. Now, to check whether a Hybrid System H satisfies a formula ψ, it suffices to apply CheckPsi to ψ, the initial region of H ⊗ $H^\psi$, and H ⊗ $H^\psi$.

Theorem 5.4.3 Let H be a Hybrid System, γ an observability declaration and ψ a formula. Let γ′ be the observability declaration such that (φ, a, $\vec{id} \uplus (T)$) ∈ γ′ if and only if (φ, a, $\vec{id}$) ∈ γ. If CheckPsi(ψ, {(l0, φ0)}, γ′, H ⊗ $H^\psi$) terminates, then it holds that: CheckPsi(ψ, {(l0, φ0)}, γ′, H ⊗ $H^\psi$) returns True iff H ⊨γ ψ.

Proof. Since the set of timed sequences originating from the region (l0, φ0) coincides with R(H), it suffices to prove that if R is the set of timed sequences generated by the regions in a set R, then it holds that: CheckPsi(ψ, R, γ, H ⊗ $H^\psi$) returns True iff R ⊨γ ψ. The proof is by induction over ψ:
• ψ ≡ : Since R is empty if and only if the set of starting regions R has no region (l, φ) with ⟦φ⟧ ≠ ∅ (see propositions 4.1.1 and 4.1.2), the thesis holds.
• ψ ≡ D.ψ′: Let RD be the set of timed sequences
{ω | ω′ω ∈ R, ω′γ ∈ Dγ[D] and ω′ terminates with an observable tuple}. The semantics of D.ψ′ implies that R ⊨γ D.ψ′ if and only if RD ⊨γ ψ′. By definition of CheckPsi, it holds that CheckPsi(D.ψ′, R, γ, H ⊗ $H^\psi$) returns True if and only if CheckPsi(ψ′, Reach(D, ψ′, R, H ⊗ $H^\psi$), γ, H ⊗ $H^\psi$) returns True. So, we have to prove that RD ⊨γ ψ′ iff CheckPsi(ψ′, Reach(D, ψ′, R, H ⊗ $H^\psi$), γ, H ⊗ $H^\psi$) returns True.
Now, by definition of Reach, the construction of $H^{D.\psi'}$ and propositions 4.1.1 and 4.1.2, the set of starting regions of RD is equal to the set Reach(D, ψ′, R, H ⊗ $H^\psi$). So, RD ⊨ ψ′ iff CheckPsi(ψ′, Reach(D, ψ′, R, H ⊗ $H^\psi$), γ, H ⊗ $H^\psi$) returns True holds by the inductive hypothesis.
• ψ ≡ π.ψ′: Let Rπ be the set of timed sequences {ω ∈ R | (ω, R, γ) ⊨ π}. The semantics of π.ψ′ implies that R ⊨ π.ψ′ iff Rπ ⊨ ψ′. Let $R^\pi_a$ be the set of timed sequences {ω | ω′ω ∈ Rπ, ω′γ = (t, a, $\vec{v}$) and ω′ terminates with an observable tuple}. We prove now that $R'^\pi = \bigcup_{a \in \Sigma} R^\pi_a$ is equal to the set of timed sequences starting from regions in R′, where R′ = $\bigcup_{a \in \Sigma}$ CheckPi(R, H ⊗ $H^\psi$, a, π, γ).
By lemma 5.4.2, it is sufficient to prove that the set $R^\pi_a$ is equal to the set of timed sequences starting from regions in CheckPi(R, H ⊗ $H^\psi$, a, π, γ). Let Ra be the set {ω ∈ R | ωγ = (t, a, $\vec{v}$) . . .}. CheckPi constructs the set of tuples ((l, φ), B1, B2) such that l is marked by a, B1 is the set of non observable symbols read to reach l and B2 is the set of formulae in F(π) which are satisfied in each step to reach l. So, ((l, φ), B1, B2) ∈ A if and only if there exists ω′ω in Ra with ω′γ = (t, a, $\vec{v}$) and ω′ terminates with an observable symbol. Moreover ω′ reads the non observable symbols in B1 and satisfies in each step the formulae in B2. Now CheckPi splits the set A into the sets $A_C$ considering the formulae

$$\varphi_C = \bigwedge_{j \in C} \exists \vec{id}.\varphi_j \ \wedge\ \bigwedge_{j \notin C} \neg\exists \vec{id}.\varphi_j$$

where C ⊆ {1, . . . , m} and m is the size of A. It is obvious that A is equivalent to $\bigcup_{C \subseteq \{1,\ldots,m\}} A_C$. So ((l, φ ∧ $\varphi_C$), B1, B2) ∈ $A_C$ and $\vec{v}$ ∈ ⟦φ ∧ $\varphi_C$⟧ if and only if there exists ω′ω in Ra with ω′γ = (t, a, $\vec{v}$), $\vec{v}$ ∈ ⟦φ ∧ $\varphi_C$⟧ and ω′ terminates with an observable tuple. Moreover ω′ reads the non observable symbols in B1 and satisfies in each step the formulae in B2. Now, CheckPi calls the function Val(((l, φ ∧ $\varphi_C$), B1, B2), $A_C$, π). We prove by induction on π that (ω′ω, Ra, γ) ⊨ π if and only if Val(((l, φ ∧ $\varphi_C$), B1, B2), $A_C$, π) returns true. It holds:
– π = a: (ω′ω, R, γ) ⊨ a if and only if a ∈ B1. Then the thesis holds.
– π = φ: (ω′ω, R, γ) ⊨ φ if and only if φ ∈ B2. Then the thesis holds.
– π = $\pi_1^\forall$: Firstly, we note that, by lemma 5.4.2, each ω″ ∈ Ra with indistinguishable start with respect to ω′ω, when performing the first observable step, crosses only regions in $A_C$. In fact, let A = {((l1, φ1), $B_1^1$, $B_2^1$), . . . , ((lm, φm), $B_1^m$, $B_2^m$)}; then for each $A_C$ and $A_{C'}$ with C ≠ C′ it holds that there exists i ∈ C and i ∉ C′. So
the regions in $A_C$ satisfy $\exists \vec{id}.\varphi_i$ and those in $A_{C'}$ satisfy $\neg\exists \vec{id}.\varphi_i$. If ω″ is indistinguishable from ω′ω then the first observable values of identifiers satisfy $\exists \vec{id}.\varphi_i$. Moreover if ω″ crosses a region in $A_{C'}$ the first observable values satisfy $\neg\exists \vec{id}.\varphi_i$. So if ω″, when performing the first observable step, crosses a region in $A_{C'}$, then there exists a valuation which satisfies $\exists \vec{id}.\varphi_i \wedge \neg\exists \vec{id}.\varphi_i$, but this is impossible. Therefore no tuple in $A_{C'}$ with C′ ≠ C must be considered. Now, for each ((l′, φ′), B1′, B2′) in $A_C$ and $\vec{v} \in [\![\exists \vec{id}.\varphi']\!]$, by propositions 4.1.1 and 4.1.2, there exists a run and so a timed sequence which reaches $\vec{v}$. Moreover, let ω′γ = (t, a, $\vec{v}$); for each ((l′, φ′), B1′, B2′), by construction of $A_C$, $\vec{v} \in [\![\exists \vec{id}.\varphi']\!]$. So for each ((l′, φ′), B1′, B2′) in $A_C$ there exists a timed sequence ω″ with indistinguishable start with respect to ω′ω and which, when performing the first observable step, reaches l′ satisfying the formula φ′, reads the non observable symbols in B1 and satisfies in each step the formulae in B2. By induction, it is obvious that (ω″, R, γ) ⊨ π1 if and only if Val(((l′, φ′), B1′, B2′), $A_C$, π1) returns true. So (ω′ω, R, γ) ⊨ $\pi_1^\forall$ if and only if $\bigwedge_{((l',\varphi'),B_1',B_2') \in A_C} Val(((l',\varphi'),B_1',B_2'),A_C,\pi_1)$ is true.
– π ≡ ¬π1: The thesis follows immediately by the semantics of ¬ and by the inductive hypothesis.
– π ≡ π1 ∨ π2: The thesis follows immediately by the semantics of ∨ and by the inductive hypothesis.
– π ≡ π1 ∧ π2: The thesis follows immediately by the semantics of ∧ and by the inductive hypothesis.
So, we have proved that (ω′ω, Ra, γ) ⊨ π iff Val(((l, φ), B1, B2), $A_C$, π) returns true. Then ω ∈ $R^\pi_a$ if and only if (l, φ) ∈ CheckPi(R, H ⊗ $H^\psi$, a, π, γ), where ω is in the set of timed sequences generated by (l, φ). Therefore $R'^\pi$ is equal to the set of timed sequences starting from regions in R′ where R′ = $\bigcup_{a \in \Sigma}$ CheckPi(R, H ⊗ $H^\psi$, a, π, γ). So, we have to prove that Rπ ⊨ ψ′ iff CheckPsi(ψ′, R′, γ, H ⊗ $H^\psi$) returns True, where R′ is the set of starting regions of $R'^\pi$. We reason by induction over ψ′. Note that, by Prop. 5.3.5, we can assume that π.ψ′ is in normal form.
– ψ′ ≡ : Since Rπ is empty if and only if $R'^\pi$ is empty if and only if the set of starting regions R′ has no region (l, φ) with ⟦φ⟧ ≠ ∅, the thesis holds.
– ψ′ ≡ D.ψ″: Let Rπ.D be the set {ω | ω′ω ∈ Rπ, ω′γ ∈ Dγ[D] and ω′ terminates with an observable tuple}. The semantics of D.ψ″ implies that Rπ ⊨ D.ψ″ if and only if Rπ.D ⊨ ψ″. By the definition of CheckPsi, it holds that CheckPsi(D.ψ″, R′, γ, H ⊗ $H^\psi$) returns True iff CheckPsi(ψ″, Reach(D, ψ″, R′, H ⊗ $H^\psi$), γ, H ⊗ $H^\psi$) returns True. By definition of Reach, the set of starting regions of Rπ.D is equal to the set Reach(D, ψ″, R′, H ⊗ $H^\psi$). In fact, Reach uses marks to reach the regions by means of D, but the marks do not appear before the starting states of $R'^\pi$.
– ψ′ ≡ ¬ψ1: The thesis follows immediately by the semantics of ¬ and by the inductive hypothesis.
– ψ′ ≡ ψ1 ∨ ψ2: The thesis follows immediately by the semantics of ∨ and by the inductive hypothesis.
– ψ′ ≡ ψ1 ∧ ψ2: The thesis follows immediately by the semantics of ∧ and by the inductive hypothesis.
• ψ ≡ ¬ψ1: The thesis follows immediately by the semantics of ¬, by the inductive hypothesis, and by the definition of CheckPsi(¬ψ1).
• ψ ≡ ψ1 ∨ ψ2: The thesis follows immediately by the semantics of ∨, by the inductive hypothesis, and by the definition of CheckPsi(ψ1 ∨ ψ2).
• ψ ≡ ψ1 ∧ ψ2: The thesis follows immediately by the semantics of ∧, by the inductive hypothesis, and by the definition of CheckPsi(ψ1 ∧ ψ2). □
5.5 Applicability
We note that to use the algorithm CheckPsi some requirements must be satisfied. In the algorithm CheckPi we use the formulae $\exists \vec{id}.\varphi$ and $\neg\exists \vec{id}.\varphi$, where φ is a formula of a region and $\vec{id}$ are the non observable identifiers. It means that the formulae of a region must be closed on existential quantification and the existentially quantified
formula must be closed on negation. Moreover, we use the negation of the formulae φ which appear in ψ, and in both CheckPsi and CheckPi we must be able to decide whether a formula is satisfiable. As a consequence we need a notion of applicability of the algorithm. Let H be a Hybrid System, γ ∈ Γ(H) an observability declaration and ψ a formula. With Gen(H, γ, ψ) we denote the set of formulae such that φ ∈ Gen(H, γ, ψ) if and only if
• φ is the initial condition of H ⊗ $H^\psi$, or
• there exist π, a ∈ Σ and a set of regions R with formulae in Gen(H, γ, ψ) such that (l, φ) ∈ CheckPi(R, H ⊗ $H^\psi$, a, π, γ), or
• there exist D and a set of regions R with formulae in Gen(H, γ, ψ) such that (l, φ) ∈ Reach(D, ψ, R, H ⊗ $H^\psi$).
In the set Gen(H, γ, ψ) there are all the formulae which can be tested for emptiness when running the algorithm CheckPsi. Let H be a Hybrid System, γ ∈ Γ(H) an observability declaration and ψ a formula. The algorithm CheckPsi is applicable to H, γ and ψ if and only if for each φ in Gen(H, γ, ψ) it is decidable whether ⟦φ⟧ = ∅.
5.5.1 Subclasses
Let $\vec{x}$ be a vector of real variables, $\vec{k}$ a vector of integer variables and $\vec{m}$ a vector of parameters. With ΨL(γ), ΨPar(γ), ΨP(γ) and ΨInt(γ) we denote the sets of formulae ψ such that each φ appearing in ψ is in $\Phi_L(\vec{x} \uplus \vec{m})$, $\Phi_{Par}(\vec{x} \uplus \vec{m})$, $\Phi_P(\vec{x} \uplus \vec{m})$ and $\Phi_{Int}(\vec{x} \uplus \vec{k} \uplus \vec{m})$, respectively.

Proposition 5.5.1 Let β ∈ {L, Par, P, Int}. Let H ∈ Hβ, γ ∈ Γ(H) and ψ ∈ Ψβ(γ). Then CheckPsi is applicable to H, γ and ψ.

Proof. Since each formula in $\Phi_\beta(\vec{id})$ is closed on negation and since γ is an observability declaration of H ∈ Hβ, $H^\psi$ is in Hβ and so also H ⊗ $H^\psi$. We prove by induction that Gen(H, γ, ψ) ⊆ $\Phi_\beta(\vec{id} \uplus (x, T))$. The initial condition of H ⊗ $H^\psi$ is in $\Phi_\beta(\vec{id} \uplus (x, T))$. By closure results, for each region (l, φ) in Reach(D, ψ, R, H ⊗ $H^\psi$), it holds that φ ∈ $\Phi_\beta(\vec{id} \uplus (x, T))$. Moreover, since each formula φ in $\Phi_\beta(\vec{id} \uplus (x, T))$ is closed on negation and existential quantification, the formulae $\exists \vec{id}.\varphi$, $\neg\exists \vec{id}.\varphi$ and ¬φ are in $\Phi_\beta(\vec{id} \uplus (x, T))$. So if (l, φ) is in CheckPi then φ is in $\Phi_\beta(\vec{id} \uplus (x, T))$. Therefore, for each formula φ in Gen(H, γ, ψ), it holds that φ ∈ $\Phi_\beta(\vec{id} \uplus (x, T))$. So, it is decidable whether ⟦φ⟧ = ∅.
□

Let $\vec{id}$ be a vector of identifiers. With ΨS(γ) we denote the set of formulae ψ such that each φ appearing in ψ is in $\Phi_S(\vec{id})$. Let H ∈ HS be a Hybrid System with identifiers; with ΓS(H) we denote the set of observability declarations γ such that (φ, a, $\vec{id}_1$) is in γ if and only if φ ∈ $\Phi_S(\vec{id}_1 \uplus (time))$.

Theorem 5.5.2 Let H ∈ HS, γ ∈ ΓS(H) and ψ ∈ ΨS(γ). If for each (φ1, a, $\vec{id}_1$) in γ there is no array in $\vec{id}_1$, and for each φ2 appearing in ψ the formula ¬φ2 is in $\Phi_S(\vec{id} \uplus (time))$, then CheckPsi is applicable to H, γ and ψ.

Proof. Since γ is an observability declaration of H ∈ HS and no array is observable, each formula which appears in γ is equivalent to an integer formula and so is closed on negation (see the proof of theorem 2.4.23). Therefore $H^\psi$ is in HS, and so, by proposition 3.3.6, also H ⊗ $H^\psi$. We prove by induction that Gen(H, γ, ψ) ⊆ $\Phi_S(\vec{id} \uplus (x, T))$. The initial condition of H ⊗ $H^\psi$ is in $\Phi_S(\vec{id} \uplus (x, T))$. By closure results of successor operators, for each region (l, φ) in Reach(D, ψ, R, H ⊗ $H^\psi$), it holds that φ ∈ $\Phi_S(\vec{id} \uplus (x, T))$. Moreover, since no array is observable then, by theorem 2.4.23, the formula φC is equivalent to an integer formula, and so is closed on negation (see the proof of theorem 2.4.23). Therefore, since each formula φ which appears in ψ is closed on negation, if (l, φ) is in CheckPi then φ is in $\Phi_S(\vec{id} \uplus (x, T))$. So, for each formula φ in Gen(H, γ, ψ), it holds that φ ∈ $\Phi_S(\vec{id} \uplus (x, T))$. By theorem 2.5.1, it is decidable whether ⟦φ⟧ = ∅. □

Let $\vec{id}$ be a vector of identifiers. With $\Psi^k_{BD}(\gamma)$ we denote the set of formulae ψ such that each φ appearing in ψ is in $\Phi^{Un(k)}_{BD}(\vec{id})$. Let H ∈ $H^k_{BD}$ be a Hybrid System; with $\Gamma^k_{BD}(H)$ we denote the set of observability declarations γ such that (φ, a, $\vec{id}_1$) is in γ if and only if φ ∈ $\Phi^{Un(k)}_{BD}(\vec{id}_1 \uplus (time))$.

Theorem 5.5.3 Let H ∈ $H^k_{BD}$ with k = Un(k)′, γ ∈ $\Gamma^k_{BD}(H)$ and ψ ∈ $\Psi^k_{BD}(\gamma)$.
If for each $(\phi_1, a, \vec{id}_1)$ in $\gamma$ there is no integer variable $h \neq Un(k)$ in $\vec{id}_1$, and for each $\phi_2$ appearing in $\psi$ the formula $\neg\phi_2$ is in $\Phi^{Un(k)}_{BD}(\vec{id} \uplus (time))$, then CheckPsi is applicable to $H$, $\gamma$ and $\psi$.

Proof. Since $\gamma$ is an observability declaration of $H \in H^k_{BD}$ and there is no observable integer variable $h \neq Un(k)$, $H \otimes H^\psi$ is in $H^k_{BD}$. We prove by induction that $Gen(H, \gamma, \psi) \subseteq \Phi^{Un(k)}_{BD}(\vec{id} \uplus (x, T))$. The initial condition of $H \otimes H^\psi$ is in $\Phi^{Un(k)}_{BD}(\vec{id} \uplus (x, T))$. By the closure results for successor operators,
5.5. APPLICABILITY
for each region $(l, \phi)$ in $Reach(D, \psi, R, H \otimes H^\psi)$ it holds that $\phi \in \Phi^{Un(k)}_{BD}(\vec{id} \uplus (x, T))$. Moreover, since no integer variable different from $Un(k)$ is observable, the formula $\phi_C$ is closed under negation. Therefore, since each formula $\phi$ which appears in $\psi$ is closed under negation, if $(l, \phi)$ is in CheckPi then $\phi$ is in $\Phi^{Un(k)}_{BD}(\vec{id} \uplus (x, T))$. So, for each formula $\phi$ in $Gen(H, \gamma, \psi)$, it holds that $\phi \in \Phi^{Un(k)}_{BD}(\vec{id} \uplus (x, T))$. By theorem 2.5.2, it is decidable whether $\llbracket \phi \rrbracket = \emptyset$. □

Now we must consider the last case, in which $H \in H^k_{BD}$ with $k = Un(k)$. By theorem 4.2.5 it is obvious that CheckPsi cannot be used to deal with the case $k = Un(k)$. But we can easily define an algorithm CheckPsi based on predecessor operators. Therefore the theorem above can be proved also for the case $H \in H^k_{BD}$ with $k = Un(k)$.
5.5.2 Verifying Authentication Protocols
In Authentication Protocols agents communicate to establish secret session keys. Most formal approaches are based on a set of assumptions commonly referred to as the "Dolev-Yao model". In the Dolev-Yao-based model, the protocol adversary has the following capabilities:
• read any message and block further transmission;
• remember messages;
• generate fresh data as needed;
• compose a new message from known data and send it;
• lie about his identity.
Each agent $A$ has a key $K_A$ and only the agent $A$ can encrypt a message with the key $K_A$. We have not described any protocol with our formalisms, but we discuss how to do it. Messages can be exchanged by means of variables. The behaviours of agents and intruders can be easily described with Hybrid Systems in either $H^k_{BD}$ or $H_S$. Since the intruder does not break keys, the algorithm to encrypt/decrypt a message need not be strong: it is sufficient that the encrypted message is not equal to the non-encrypted one. So, to encrypt/decrypt a message it is sufficient to use an array. As an example, if we take the array such that $\forall h\; a[h] = h + key$, we can use $a[M]$ and $M - key$ to encrypt and decrypt a message. Nonces can be easily simulated by the time elapsed from the initial state. Therefore, security properties can be easily written by requiring that at the end of each session of the protocol each variable of the intruder is visible.
Moreover, in our formalism we can express hypotheses on the time elapsed. As an example, we can extend the Dolev-Yao model by supposing that the intruder can break a key once a certain time has elapsed.
Chapter 6 A Decidable Class

6.1 Timed Systems

6.1.1 The formalism
Let $\vec{x}$ be a vector of real variables; with $\Phi_{TS}(\vec{x})$ we denote the set of linear simple formulae composed of the formulae $x \sim c$ and $x - y \sim c$, where $c$ is a positive rational and $x$ and $y$ are in $\vec{x}$. We define now the class of Timed Systems. Timed Systems are Hybrid Systems where activities increase each real variable by the amount of time elapsed. Each transition is labeled with a condition in $\Phi_{TS}(\vec{x})$ which must be satisfied by the values of the real variables before performing the step, and the new value of a real variable is either a positive rational or the old value of a real variable in $\vec{x}$.

A Timed System is a tuple $\langle \Sigma, Loc, \vec{x}, Tr, Act, Init \rangle$ in $H_{id}$ where:
• $\vec{x} = (x_1, \ldots, x_n)$ is a vector of real variables, i.e. no arrays, integer variables or parameters are used;
• for each $l \in Loc$ it holds that $Act(l) = \bigwedge_{i \in [1, n]} x'_i = x_i + t$;
• for each $\langle l, a, \phi, l' \rangle \in Tr$ it holds that $\phi = \phi' \wedge \bigwedge_{i \in [1, n]} x'_i = \tau_i$, where $\phi' \in \Phi_{TS}(\vec{x})$ and $\tau_i$ is either a positive rational or a real variable in $\vec{x}$;
• if $Init = (l_0, \phi_0)$, then $\phi_0 \in \Phi_{TS}(\vec{x})$.

With $H_{TS}$ we denote the set of Timed Systems. The real variables of a Timed System are also called clocks. To express that a clock does not change its value with a transition step it is sufficient to use the formula $x'_i = x_i$.
Figure 6.1: The web system (automata $A^i_u$, $A^i_c$ and $A^i_w$; $K = 10000$, $T_1 = [2, 5]$, $T_2 = [100, 250]$)

Example 6.1.1 We model the privacy problem of example 3.2.1 in the framework of Timed Systems. Let us assume a user's browser that interacts with its cache and with a finite set of sites $\{w_1, \ldots, w_n\}$. In Fig. 6.1 we model this system by Timed Systems. The system $A^i_u$ represents the behaviour of the user who requests the page $w_i$. He can perform a request $r^i_c$ to the cache to obtain a web page in $w_i$. If the requested page is in the cache, then the cache gives a positive answer $a^i_c$. Otherwise, the cache gives a negative answer $n^i_c$, the browser downloads the page from $w_i$ (actions $r^i_w$ and $a^i_w$) and then the page is cached (action $s^i_c$). The whole browser $A_u$ is the system $A^1_u \otimes A^2_u \otimes \ldots \otimes A^n_u$. System $A^i_w$ represents the site $w_i$. The time elapsed between a request $r^i_w$ (which resets clock $y^i$) and an answer $a^i_w$ is in the interval $T_2 = [100, 250]$. System $A^i_c$ represents the behaviour of the cache for page $w_i$. When a page in $w_i$ is requested by the user (action $r^i_c$) and the page is not yet in the cache (state $c_1$), the cache gives a negative answer (action $n^i_c$). In this case the user downloads the page, which is cached (action $s^i_c$, which resets clock $u^i$). Now, if the page is not requested for a time greater than $10000$, the page is removed from the cache (such a deadline is checked by clock $u^i$), and the next request $r^i_c$ causes $A^i_c$ to reach state $c_1$. When the page is in the cache (state $c_2$ is active and $u^i \leq K$ holds), the time elapsed between a request $r^i_c$ and an answer $a^i_c$ is in the interval $T_1 = [2, 5]$. The whole cache $A_c$ is the system $A^1_c \otimes A^2_c \otimes \ldots \otimes A^n_c$. Now, the only observable actions for $w_i$ are $r^i_w$ and $a^i_w$, since $w_i$ cannot observe interactions between the browser and the cache, nor between the browser and $w_j$ with $j \neq i$. The whole system is $A_u \otimes A_c \otimes A^1_w \otimes A^2_w \otimes \ldots \otimes A^n_w$.
With $\Psi_{TS}(\gamma)$ we denote the set of formulae $\psi$ in $\Psi(\gamma)$ such that each $\phi$ appearing in $\psi$ is in $\Phi_{TS}(\vec{x})$ and each formula which appears in an expression $D$ is of the form $\bigvee_{j \in [1, n]} time \in I_j$, where each $I_j$ has an upper bound. Let $H \in H_{TS}$; with $\Gamma_{TS}(H)$ we denote the observability declarations $\gamma$ such that for each $(\phi, a, \vec{id}) \in \gamma$ it holds that $\phi$ is either $true$ or $false$ and $\vec{id}$ is equal to $\vec{\emptyset}$, i.e. $\gamma$ is a partition into observable and non-observable symbols.
6.1.2 Regions of Timed Systems
Let $H \in H_{TS}$ with clocks in $\vec{x}$; a region of $H$ is a pair $(l, \phi)$, where $l$ is a location of $H$ and $\phi$ is in $\Phi_{TS}(\vec{x})$. The closure of the successor operators is proved in [50]. Moreover, if the formula of the region has only natural values, then so does the formula computed by the successor operator. So the following theorem is proved in [50].

Theorem 6.1.2 Let $H \in H_{TS}$ and $(l, \phi)$ be a region of $H$. Then the following facts hold:
• $[\phi]_l$ and $post_e \phi$ are formulae in $\Phi_{TS}(\vec{x})$;
• if in $\phi$ only natural values appear, then in $[\phi]_l$ and $post_e \phi$ only natural values appear.
6.2 Multiplying by a constant
Let $\vec{v} \in V(\vec{x})$ be a valuation and $c$ a positive rational; with $\vec{v} \cdot c$ we denote the valuation such that for each $x \in \vec{x}$ it holds that $(\vec{v} \cdot c)(x) = \vec{v}(x) \cdot c$. Let $\omega = (t_1, a_1, \vec{v}_1) \ldots (t_n, a_n, \vec{v}_n)$ be a timed sequence and $c$ a positive rational; with $\omega \cdot c$ we denote the timed sequence $(t_1 \cdot c, a_1, \vec{v}_1 \cdot c) \ldots (t_n \cdot c, a_n, \vec{v}_n \cdot c)$. This definition can be easily extended to sets of timed sequences $R$ by defining the set $R \cdot c = \{\omega \cdot c \mid \omega \in R\}$. Let $\phi \in \Phi_{TS}(\vec{x})$ be a formula; with $\phi \cdot c$ we denote the formula $\phi$ where each formula $x \sim c'$ and $x - y \sim c'$ is replaced with $x \sim c' \cdot c$ and $x - y \sim c' \cdot c$, respectively. Let $H \in H_{TS}$; with $H \cdot c$ we denote the Hybrid System $H$ where each formula $\phi$ is substituted with $\phi \cdot c$. In [11] it is proved that $H \cdot c$ recognizes the sequences recognized by $H$ with time multiplied by $c$. Nothing is said about the valuations of clocks. So we extend this result by proving that the timed sequences recognized by a Timed System $H$ multiplied by $c$ are those recognized by the Timed System $H \cdot c$.

Lemma 6.2.1 If $H \in H_{TS}$ and $c$ is a positive rational, then it holds that $R(H \cdot c) = R(H) \cdot c$.

Proof. Let $\phi$ be a formula. Firstly, we prove by induction on $\phi$ that $\vec{v} \in \llbracket \phi \rrbracket$ if and only if $\vec{v} \cdot c \in \llbracket \phi \cdot c \rrbracket$:
• $\phi = x \sim c'$: it is obvious that $\vec{v}(x) \sim c'$ if and only if $\vec{v}(x) \cdot c \sim c' \cdot c$.
• $\phi = x - y \sim c'$: it is obvious that $\vec{v}(x) - \vec{v}(y) \sim c'$ if and only if $\vec{v}(x) \cdot c - \vec{v}(y) \cdot c \sim c' \cdot c$.
• $\phi \equiv \phi_1 \vee \phi_2$: immediate by the semantics of $\vee$ and by the inductive hypothesis.
• $\phi \equiv \phi_1 \wedge \phi_2$: immediate by the semantics of $\wedge$ and by the inductive hypothesis.

Now it is obvious that $(l, \vec{v}) \to_e (l, \vec{v}')$ is a transition step of $H$ if and only if $(l, \vec{v} \cdot c) \to_{e \cdot c} (l, \vec{v}' \cdot c)$ is a transition step of $H \cdot c$, where $e \cdot c$ is the transition $e$ with its formula multiplied by $c$. Moreover, $(l, \vec{v}) \to_t (l, \vec{v}')$ is a continuous step of $H$ if and only if $(l, \vec{v} \cdot c) \to_{t \cdot c} (l, \vec{v}' \cdot c)$ is a continuous step of $H \cdot c$. Then the thesis holds by induction on the length of $\omega \in R(H)$: in fact it is easy to show that $\omega \in R(H)$ if and only if $\omega \cdot c \in R(H \cdot c)$. □

Let $\psi \in \Psi_{TS}(\gamma)$ and $c$ be a positive rational; with $\psi \cdot c$ we denote the formula $\psi$ where each formula $\phi$ and each interval $I$ appearing in $\psi$ are multiplied by $c$. Let $H \in H_{TS}$ and $\gamma \in \Gamma_{TS}(H)$. We prove now that $H$ and $\gamma$ satisfy $\psi$ if and only if the Timed System $H \cdot c$ and $\gamma$ satisfy $\psi \cdot c$.

Theorem 6.2.2 Let $H \in H_{TS}$, $\gamma \in \Gamma_{TS}(H)$, $\psi \in \Psi_{TS}(\gamma)$ and $c$ a positive rational; it holds that $H \models_\gamma \psi$ if and only if $H \cdot c \models_\gamma \psi \cdot c$.

Proof. By lemma 6.2.1 it holds that $H \cdot c \models_\gamma \psi \cdot c$ if and only if $R(H) \cdot c \models_\gamma \psi \cdot c$. We prove by induction on $\psi$ that $R \models_\gamma \psi$ if and only if $R \cdot c \models_\gamma \psi \cdot c$:
• $\psi =$ (base case): it is obvious that $R$ is empty if and only if $R \cdot c$ is.
• $\psi = D.\psi_1$: let $R_D$ be the set of timed sequences $\{\omega \mid \omega'\omega \in R,\ \omega'_\gamma \in D_\gamma[D]$ and $\omega'$ terminates with an observable tuple$\}$. The semantics of $D.\psi_1$ implies that $R \models D.\psi_1$ iff $R_D \models \psi_1$. Firstly, we note that $\omega_\gamma \cdot c$ is equal to $(\omega \cdot c)_\gamma$: in fact an observable tuple $(t \cdot c, a, \vec{v} \cdot c)$ of $\omega_\gamma \cdot c$, where $t$ is the sum of the non-observable times $\{t_1, \ldots, t_n\}$, is equal to the corresponding tuple $(t_1 \cdot c + \ldots + t_n \cdot c, a, \vec{v} \cdot c)$ of $(\omega \cdot c)_\gamma$. From this fact, and by mimicking the proof of lemma 6.2.1, we have that $(R_D) \cdot c$ is equal to $(R \cdot c)_{D \cdot c}$. Now, by the induction hypothesis, $R_D \models_\gamma \psi_1$ if and only if $(R_D) \cdot c \models_\gamma \psi_1 \cdot c$. Since we have proved that $(R_D) \cdot c$ is equal to $(R \cdot c)_{D \cdot c}$, it holds that $(R \cdot c)_{D \cdot c} \models_\gamma \psi_1 \cdot c$. Therefore $(R \cdot c) \models_\gamma (D \cdot c).(\psi_1 \cdot c)$, which implies $R \cdot c \models_\gamma (D.\psi_1) \cdot c$.
• $\psi = \pi.\psi_1$: let $R_\pi$ be the set of timed sequences $\{\omega \in R \mid (\omega, R, \gamma) \models \pi\}$. The semantics of $\pi.\psi_1$ implies that $R \models \pi.\psi_1$ iff $R_\pi \models \psi_1$. As proved for the case $D.\psi_1$, $\omega_\gamma \cdot c$ is equal to $(\omega \cdot c)_\gamma$. From this fact, since $\omega \equiv_\gamma \omega'$ if and only if $\omega \cdot c \equiv_\gamma \omega' \cdot c$, and by mimicking the proof of lemma 6.2.1, we have that $(R_\pi) \cdot c$ is equal to $(R \cdot c)_{\pi \cdot c}$. Now, by the induction hypothesis, $R_\pi \models_\gamma \psi_1$ if and only if $(R_\pi) \cdot c \models_\gamma \psi_1 \cdot c$. Since we have proved that $(R_\pi) \cdot c$ is equal to $(R \cdot c)_{\pi \cdot c}$, it holds that $(R \cdot c)_{\pi \cdot c} \models_\gamma \psi_1 \cdot c$. Therefore $(R \cdot c) \models_\gamma (\pi \cdot c).(\psi_1 \cdot c)$, which implies $R \cdot c \models_\gamma (\pi.\psi_1) \cdot c$.
• $\psi \equiv \neg\psi_1$: immediate by the semantics of $\neg$ and by the inductive hypothesis.
• $\psi \equiv \psi_1 \vee \psi_2$: immediate by the semantics of $\vee$ and by the inductive hypothesis.
• $\psi \equiv \psi_1 \wedge \psi_2$: immediate by the semantics of $\wedge$ and by the inductive hypothesis. □

From now on, by applying theorem 6.2.2, we suppose that in the formula $\psi$ and in the Timed System $H$ only natural values appear. Moreover, we consider regions with only natural values.
6.3 Decidability
It is obvious that the set $\Phi_{TS}(\vec{x})$ is not finite; therefore the algorithm CheckPsi may not terminate. For Timed Systems, the reachability problem and the emptiness of the accepted language are decidable. This results from the fact that if a variable of a Timed System becomes greater than the maximum constant $C$ which appears in the given Timed System, then, as long as it is not reset by a transition, it remains greater than that constant. So in [11] the authors propose to approximate each value of a variable greater than $C$ with the formula $x > C$. Now we use this approximation to prove the decidability of satisfiability for the case of Timed Systems. In [11] a kind of region is defined where it is possible to express formulae on the fractional part of a variable. In this thesis, for uniformity, we will use a non-classical definition based on clock zones (see [12] and [50]).
6.3.1 Equivalence relation
We recall the definition of clock equivalence. Let $H \in H_{TS}$; with $C_H$ we denote the greatest constant which appears in $H$. Let us consider the equivalence relation $\approx$ over clock valuations containing precisely the pairs $(\vec{v}, \vec{v}')$ such that:
• for each clock $x$, either $\lfloor \vec{v}(x) \rfloor = \lfloor \vec{v}'(x) \rfloor$, or both $\vec{v}(x)$ and $\vec{v}'(x)$ are greater than $C_H$, with $C_H$ the largest integer appearing in clock constraints over $x$;
• for each pair of clocks $x$ and $y$ with $\vec{v}(x) \leq C_H$ and $\vec{v}(y) \leq C_H$, it holds that $fract(\vec{v}(x)) \leq fract(\vec{v}(y))$ iff $fract(\vec{v}'(x)) \leq fract(\vec{v}'(y))$ ($fract(\ )$ is the fractional part);
• for each clock $x$ with $\vec{v}(x) \leq C_H$, $fract(\vec{v}(x)) = 0$ iff $fract(\vec{v}'(x)) = 0$.

As proved in [11], $\vec{v} \approx \vec{v}'$ implies that, for any $\phi \in \Phi_{TS}(\vec{x})$ with constants less than or equal to $C_H$, $\vec{v} \models \phi$ iff $\vec{v}' \models \phi$. With $[\vec{v}]$ we denote the equivalence class $\{\vec{v}' \mid \vec{v} \approx \vec{v}'\}$. The equivalence classes are finitely many.
6.3.2 Clock zones
We recall the definition of clock zone and its properties proved in [11], [12] and [50]. Let $H \in H_{TS}$ with clocks in $\vec{x}$ and $\phi$ be a formula in $\Phi_{TS}(\vec{x})$. The formula $\phi$ is a clock zone of $H$ if and only if each constant $c$ which appears in $\phi$ is a natural in $[0, C_H]$. A clock zone is a finite union of equivalence classes $[\vec{v}]$ (see [12]). Therefore the following proposition holds.

Proposition 6.3.1 A formula $\phi$ is a clock zone of $H$ if and only if there exist $\vec{v}_1, \ldots, \vec{v}_n$ such that $\llbracket \phi \rrbracket = [\vec{v}_1] \cup \ldots \cup [\vec{v}_n]$.

In [50] it is proved that, if $\phi$ is a formula in $\Phi_{TS}(\vec{x})$ with constants in $[0, C_H]$, then the successor operator $[\phi]_l$ returns a formula whose constants are still in $[0, C_H]$. So the following theorem holds.

Theorem 6.3.2 If a formula $\phi$ is a clock zone of $H$, then $[\phi]_l$ is a clock zone of $H$.

This result does not hold if one considers the operator $post_e$. In fact, let us suppose we have a transition $e$ labeled with the condition $x = 2 \wedge x' = 0 \wedge y' = y$ of a Timed System $H$ with $C_H = 2$. If we apply $post_e$ to the formula $y - x = 2$ we obtain the formula $x = 0 \wedge y = 4$. But $4$ is not in $[0, 2]$. To solve this problem, [11] proposes to approximate the formula $x = 0 \wedge y = 4$ with the formula $x = 0 \wedge y > 2$. This approximation guarantees a finite number of reachable regions and permits decidability results for the emptiness problem.
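As an added example (not code from the thesis), the following Python checks the relation $\approx$ of section 6.3.1 on constructed valuations and replays the $post_e$ case above: the successor valuation $x = 0, y = 4$ obtained from $y - x = 2$ under $x = 2 \wedge x' = 0 \wedge y' = y$ with $C_H = 2$, and which constructed candidates fall into its equivalence class, i.e. into the approximation $x = 0 \wedge y > 2$. The names `clock_equiv`, `holds`, `agree_on`, `fire` and `approx_example` are this example's own; valuations are dictionaries from clock names to rationals.

```python
from fractions import Fraction
from math import floor
import operator

# Comparison operators allowed in x ~ c and x - y ~ c (section 6.1.1).
OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}


def as_q(value):
    """Exact rational for an int/float/Fraction (floats go through str, so 1.3 is 13/10)."""
    return value if isinstance(value, Fraction) else Fraction(str(value))


def fract(q):
    """Fractional part of a rational."""
    return q - floor(q)


def clock_equiv(v1, v2, C):
    """Region equivalence v1 ≈ v2 of section 6.3.1 with respect to the largest constant C.

    A clock is 'bounded' when its value is at most C.  The three conditions are:
      1. each clock has the same integer part in v1 and v2, or is above C in both
         (a clock above C on one side only is distinguished by the constraint x > C);
      2. bounded clocks x, y have fract(x) <= fract(y) in v1 iff they do in v2;
      3. a bounded clock has fractional part 0 in v1 iff it has in v2.
    """
    if set(v1) != set(v2):
        raise ValueError("valuations must range over the same clocks")
    C = as_q(C)
    w1 = {x: as_q(q) for x, q in v1.items()}
    w2 = {x: as_q(q) for x, q in v2.items()}
    bounded = []
    for x in w1:
        a, b = w1[x], w2[x]
        if a > C and b > C:
            continue                                   # condition 1, second alternative
        if a > C or b > C or floor(a) != floor(b):
            return False                               # condition 1 violated
        if (fract(a) == 0) != (fract(b) == 0):
            return False                               # condition 3 violated
        bounded.append(x)
    for x in bounded:                                  # condition 2
        for y in bounded:
            if (fract(w1[x]) <= fract(w1[y])) != (fract(w2[x]) <= fract(w2[y])):
                return False
    return True


def holds(v, atom):
    """Truth of an atomic constraint: (x, op, c) means x ~ c, (x, y, op, c) means x - y ~ c."""
    if len(atom) == 3:
        x, op, c = atom
        return OPS[op](as_q(v[x]), as_q(c))
    x, y, op, c = atom
    return OPS[op](as_q(v[x]) - as_q(v[y]), as_q(c))


def agree_on(v1, v2, atoms):
    """True iff v1 and v2 give every constraint in `atoms` the same truth value."""
    return all(holds(v1, a) == holds(v2, a) for a in atoms)


def fire(v, guard, resets):
    """One transition step: check the guard atoms, then apply the resets x' = value.
    Clocks not mentioned in `resets` keep their value (x' = x).  Returns None if
    the guard does not hold."""
    if not all(holds(v, a) for a in guard):
        return None
    return {x: as_q(resets.get(x, q)) for x, q in v.items()}


def approx_example():
    """The case of section 6.3.2: C_H = 2, transition x = 2 /\\ x' = 0 /\\ y' = y,
    started from a valuation of y - x = 2.  Returns the successor valuation and,
    for some constructed candidates, whether they lie in its equivalence class."""
    start = {"x": 2, "y": 4}                                       # satisfies y - x = 2
    succ = fire(start, guard=[("x", "=", 2)], resets={"x": 0})     # gives x = 0, y = 4
    candidates = {"y=3": {"x": 0, "y": 3}, "y=2.5": {"x": 0, "y": 2.5},
                  "y=2": {"x": 0, "y": 2}, "x=0.5,y=4": {"x": 0.5, "y": 4}}
    same_class = {name: clock_equiv(succ, w, 2) for name, w in candidates.items()}
    return succ, same_class


if __name__ == "__main__":
    succ, same_class = approx_example()
    print("successor valuation:", succ)
    for name, inside in same_class.items():
        print(f"  {name}: {'in' if inside else 'not in'} the class, i.e. x = 0 /\\ y > 2")
```

Every candidate reported as being in the class also satisfies $x = 0 \wedge y > 2$, which is what $Approx$ of the successor formula asserts.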
Let $\phi \in \Phi_{TS}(\vec{x})$; with $Approx(\phi)$ we denote the formula such that $\vec{v} \in \llbracket Approx(\phi) \rrbracket$ if and only if there exists $\vec{v}' \in [\vec{v}]$ such that $\vec{v}' \in \llbracket \phi \rrbracket$. It is obvious that $Approx(\phi)$ is a clock zone and can be easily computed. Let $\phi \in \Phi_{TS}(\vec{x})$; with $post^*_e \phi$ we denote the clock zone $Approx(post_e \phi)$. Moreover, let $(l, \phi)$ be a region; with $Reach^*_{post}(l, \phi)$ we denote the set of regions reachable from $(l, \phi)$ by the operators $[\ ]_l$ and $post^*_e$. More precisely, the regions $(l, \phi)$ and $(l, [\phi]_l)$ are in $Reach^*_{post}(l, \phi)$, and, if $(l', \phi')$ is in $Reach^*_{post}(l, \phi)$, then for each transition $e$ with source $l'$ and target $l''$ it holds that $(l'', post^*_e \phi')$ and $(l'', [post^*_e(\phi')]_{l''})$ are in $Reach^*_{post}(l, \phi)$. The following proposition is obvious, since all possible clock zones of $H$ are finitely many.

Proposition 6.3.3 The set $Reach^*_{post}(l, \phi)$ is finite.

The following theorem summarizes the properties proved in [11] and [50].

Theorem 6.3.4 Let $(l', \phi') \in Reach^*_{post}(l, \phi)$. There exist $\vec{v} \in \llbracket \phi \rrbracket$, $\vec{v}' \in \llbracket \phi' \rrbracket$ and a sequence of steps from $(l, \vec{v})$ to $(l', \vec{v}')$.

As an immediate consequence, we have the following corollary.

Corollary 6.3.5 Let $\mathcal{R}$ be a set of regions and $\mathcal{R}' = \{(l, Approx(\phi)) \mid (l, \phi) \in \mathcal{R}\}$. Let $R$ and $R'$ be the sets of timed sequences generated by $\mathcal{R}$ and $\mathcal{R}'$, respectively. The following facts hold:
• $R$ is empty if and only if $R'$ is empty;
• $R \subseteq R'$.
6.3.3 The algorithm CheckPsi$^*$
As a consequence of proposition 6.3.3 and theorem 6.3.4, the reachability problem is decidable for Timed Systems. Moreover, we note that theorem 6.3.4 proves a result which is weaker than the results of propositions 4.1.1 and 4.1.2. In fact, by these propositions we can assert that each state expressed by a region is reachable, and not just some of them. This is obvious, since we have approximated the valuations expressed by means of regions. As an example, if one uses the formula $y > 2$ instead of $y = 4$, it is obvious that there exists a reachable valuation but not all valuations are reachable. This implies that if in the algorithm CheckPsi one substitutes the operator $post_e$ with $post^*_e$, then correctness can be lost. We prove that the definitions we have given of $\Gamma_{TS}(H)$ and $\Psi_{TS}(\gamma)$ are sufficient to have correctness of the algorithm. Before that, we prove that the algorithm CheckPsi in which $post_e$ is substituted with $post^*_e$ always terminates.
With CheckPi$^*$ and Reach$^*$ we denote the algorithms CheckPi and Reach, respectively, where each occurrence of the operator $post_e$ is substituted with $post^*_e$. With CheckPsi$^*$ we denote the algorithm CheckPsi where each occurrence of CheckPi and Reach is substituted with CheckPi$^*$ and Reach$^*$, respectively. Theorem 5.4.1 holds also for Timed Systems $H$ if one considers an observability declaration $\gamma \in \Gamma_{TS}(H)$. Moreover, since $\psi \in \Psi_{TS}(\gamma)$, $H^\psi$ can be easily transformed into a Timed System by considering $T$ as a clock. Therefore also $H \otimes H^\psi$ is a Timed System.

Theorem 6.3.6 Let $H \in H_{TS}$, $\gamma \in \Gamma_{TS}(H)$ and $\psi \in \Psi_{TS}(\gamma)$. If $(l_0, \phi_0)$ is the initial condition of $H \otimes H^\psi$, then the algorithm CheckPsi$^*(\psi, \{(l_0, \phi_0)\}, \gamma, H \otimes H^\psi)$ terminates.

Proof. It is obvious that the function Reach terminates, since the clock zones are finitely many. Now we must prove that CheckPi$^*$ terminates. In line 11, $\phi''$ is a clock zone, so the possible tuples $((l, \phi), B_1, B_2)$ are finitely many. Moreover, since the only observable clock is $T$, and since we have required that each interval which appears in $\psi$ has an upper bound, each formula $\phi_C$ of line 17, by using $Del_{IR}$, is a clock zone. In fact $\exists \vec{id}.\phi_j$ is equivalent to a formula with natural values on $T$ and, since $T$ is bounded, the possible intervals in which $T$ ranges are finitely many. □

Now we can prove the main theorem.

Theorem 6.3.7 Let $H$ be a Timed System, $\gamma \in \Gamma_{TS}(H)$ and $\psi \in \Psi_{TS}(\gamma)$. Let $\gamma'$ be the observability declaration such that $(\phi, a, (T)) \in \gamma'$ if and only if $(\phi, a, \vec{\emptyset}) \in \gamma$. Then it holds that CheckPsi$^*(\psi, \{(l_0, \phi_0)\}, \gamma', H \otimes H^\psi)$ returns $True$ iff $H \models_\gamma \psi$.

Proof. The proof is similar to that of theorem 5.4.3. It suffices to show that if $R$ is the set of timed sequences generated by the regions in a set $\mathcal{R}$, possibly infinite, and $Approx(\mathcal{R})$ is the finite set $\{(l, Approx(\phi)) \mid (l, \phi) \in \mathcal{R}\}$, then it holds that CheckPsi$^*(\psi, Approx(\mathcal{R}), \gamma, H \otimes H^\psi)$ returns $True$ iff $R \models_\gamma \psi$.
The proof is by induction over $\psi$.
• $\psi \equiv$ (base case): it is obvious that $R$ is empty if and only if the set of starting regions $\mathcal{R}$ has no region $(l, \phi)$ with $\llbracket \phi \rrbracket \neq \emptyset$. By corollary 6.3.5, it is sufficient to check the finite set of regions $Approx(\mathcal{R})$ instead of $\mathcal{R}$. Therefore the thesis holds.
• $\psi \equiv D.\psi'$: this case can be proved as done in theorem 5.4.3, by using the results of corollary 6.3.5.
• $\psi \equiv \pi.\psi'$: let $R_\pi$ be the set of timed sequences $\{\omega \in R \mid (\omega, R, \gamma) \models \pi\}$. The semantics of $\pi.\psi'$ implies that $R \models \pi.\psi'$ iff $R_\pi \models \psi'$. Let $R'_\pi$ be the set of timed sequences $\{\omega \mid \omega'\omega \in R_\pi,\ \omega'_\gamma = (t, a, \vec{v})$ and $\omega'$ terminates with an observable tuple$\}$. As proved in theorem 5.4.3, $R'_\pi$ is equal to the set of timed sequences starting from the regions in $\mathcal{R}'$, where
$$Approx(\mathcal{R}') = \bigcup_{a \in \Sigma} CheckPi^*(Approx(\mathcal{R}), H \otimes H^\psi, a, \pi, \gamma).$$
In fact, by mimicking the proof of theorem 5.4.3, it is sufficient to prove that $(\omega'\omega, R, \gamma) \models \pi$ if and only if $Val(((l, \phi \wedge \phi_C), B_1, B_2), A_C, \pi)$ returns true. The proof is by induction on $\pi$:
– $\pi = a$: $(\omega'\omega, R, \gamma) \models a$ if and only if $a \in B_1$. Then the thesis holds.
– $\pi = \phi$: $(\omega'\omega, R, \gamma) \models \phi$ if and only if $\phi \in B_2$. Then the thesis holds.
– $\pi = \pi_1^\forall$: as proved for theorem 5.4.3, each $\omega'' \in R$ with indistinguishable start with respect to $\omega'\omega$, when performing the first observable step, crosses only regions in $A_C$. Now, for each $((l', \phi'), B'_1, B'_2)$ in $A_C$ and $\vec{v} \in \llbracket \exists \vec{id}.\phi' \rrbracket$, there exists a run, and so a timed sequence, which reaches $\vec{v}$. In fact, if $\omega'_\gamma = (t, a, \vec{v})$, then $\vec{v} = (t)$, since the only observable clock is $T$. Therefore, by the definition of $[\ ]_l$ and $post^*_e$, there exists $\vec{v}' \approx \vec{v}$ which can be reached. By the definition of $Reach_{post}$, there exists $(l, \phi) \in Reach_{post}(l_0, \phi_0)$ such that $\vec{v}' \models \exists \vec{id}.\phi$. Since in $\phi$ only natural constants appear, the set $\llbracket \exists \vec{id}.\phi \rrbracket$ is a finite set of intervals with natural bounds. By the definition of $\psi$, $T$ is bounded and so, by the definition of $\approx$, if $fract(t)$ is equal to zero then $\vec{v}' = \vec{v}$, and otherwise $\vec{v}'(T) \in (\lfloor t \rfloor, \lceil t \rceil)$. Therefore, since $\llbracket \exists \vec{id}.\phi \rrbracket$ is a finite set of intervals with natural bounds, $\vec{v} \in \llbracket \exists \vec{id}.\phi \rrbracket$. By propositions 4.1.1 and 4.1.2, there exists a run, and so a timed sequence, which reaches the valuation $\vec{v}$.
Moreover, let $\omega'_\gamma = (t, a, \vec{v})$; for each $((l', \phi'), B'_1, B'_2)$, by construction of $A_C$, $\vec{v} \in \llbracket \exists \vec{id}.\phi' \rrbracket$. So for each $((l', \phi'), B'_1, B'_2)$ in $A_C$ there exists a timed sequence $\omega''$ with indistinguishable start with respect to $\omega'\omega$ which, when performing the first observable step, reaches $l'$ satisfying the formula $\phi'$, reads the non-observable symbols in $B_1$ and satisfies in each step the formulae in $B_2$. By induction it is obvious that $(\omega'', R, \gamma) \models \pi_1$ if and only if $Val(((l', \phi'), B'_1, B'_2), A_C, \pi_1)$ returns true. So $(\omega'\omega, R, \gamma) \models \pi_1^\forall$ if and only if
$$\bigwedge_{((l', \phi'), B'_1, B'_2) \in A_C} Val(((l', \phi'), B'_1, B'_2), A_C, \pi_1)$$
is true.
– $\pi \equiv \neg\pi_1$: immediate by the semantics of $\neg$ and by the inductive hypothesis.
– $\pi \equiv \pi_1 \vee \pi_2$: immediate by the semantics of $\vee$ and by the inductive hypothesis.
– $\pi \equiv \pi_1 \wedge \pi_2$: immediate by the semantics of $\wedge$ and by the inductive hypothesis.
Now we have proved that $R'_\pi$ is equal to the set of timed sequences starting from the regions in $\mathcal{R}'$, where $Approx(\mathcal{R}') = \bigcup_{a \in \Sigma} CheckPi^*(\mathcal{R}, H \otimes H^\psi, a, \pi, \gamma)$. So, we have to prove that $R_\pi \models \psi'$ iff CheckPsi$^*(\psi', Approx(\mathcal{R}'), \gamma, H \otimes H^\psi)$ returns $True$. This can be proved, by induction, as done in the proof of theorem 5.4.3.
• $\psi \equiv \neg\psi_1$: immediate by the semantics of $\neg$, by the inductive hypothesis, and by the definition of CheckPsi$^*(\neg\psi_1)$.
• $\psi \equiv \psi_1 \vee \psi_2$: immediate by the semantics of $\vee$, by the inductive hypothesis, and by the definition of CheckPsi$^*(\psi_1 \vee \psi_2)$.
• $\psi \equiv \psi_1 \wedge \psi_2$: immediate by the semantics of $\wedge$, by the inductive hypothesis, and by the definition of CheckPsi$^*(\psi_1 \wedge \psi_2)$. □
Example 6.3.8 Let us consider the web system of example 6.1.1 with $n \geq 3$. Let $\gamma$ be the observability declaration such that the only observable symbols are in $\{a^1_w, a^2_w, r^1_w, r^3_w\}$. The observability declaration $\gamma$ means that the sites $w_1$ and $w_2$ are allied to attack the privacy of the user. Let us take an arbitrary constant $C$. The following property holds:
$$(a^1_w, time \in [0, C]) + (r^1_w, time \in [0, C])^+ \,.\, \bigvee_{j \in [3, n]} a^j_w \,.\, (r^2_w, time \in [0, 100)) \,.\, \neg$$
This property means that if the time elapsed between a communication with the web site $w_1$ and a communication with the web site $w_2$ is in the interval $[0, 100)$, then there has not been any communication with another web site $w_j$ in the meantime. This information can be exploited by $w_1$ and $w_2$ to violate the privacy of the user. We can also show that we are able to certify that privacy is not violated by a suspected behaviour of a system described by a given automaton. To this purpose, in figure 6.1 let us take $T_1 = T_2$. Let $D = ((r^1_w, time \in [0, C])(r^1_w, time \in [0, C]) + (r^2_w, time \in [0, C])(r^2_w, time \in [0, C]))^+$; we can enforce the property
$$D \,.\, \bigvee_{j \in [3, n]} r^j_c \,.\, ((a^j_c)^\forall \vee (a^j_w)^\forall) \,.\, D.$$
This property means that whenever we fix a time $t \in [0, C]$ separating two communications with either $w_1$ or $w_2$, if there is a request $r^j_c$ in the meantime, then it holds neither that all runs perform a communication with the cache nor that all runs perform a communication with $w_j$. So, $w_1$ and $w_2$ are not able to infer whether the user has accessed either the cache or the site $w_j$ by observing their interaction with the user.
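As an added example (not code from the thesis), the following Python makes the first property of this example concrete on constructed runs of the web system: it computes the projection $\omega_\gamma$ seen by the allied sites, groups the runs that are indistinguishable to them, and reports the observations whose $w_1$-to-$w_2$ gap is below 100 and whose whole indistinguishability class contains no direct communication $a^j_w$ with a third site, which is exactly what the two sites can then infer. The observable set is assumed to be the symbols of the formula, $\{a^1_w, r^1_w, a^2_w, r^2_w\}$; the run encoding (delay since the previous action, action name such as `r1w`) and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed action naming: kind (r = request, a = answer, n = negative answer,
# s = store in cache) + site index + party (w = web site, c = cache), e.g. "r1w", "a3c".
ACTION = re.compile(r"([rans])(\d+)([wc])")


def parse(action):
    """Split an action name into (kind, site index, party)."""
    m = ACTION.fullmatch(action)
    if not m:
        raise ValueError(f"unknown action {action!r}")
    return m.group(1), int(m.group(2)), m.group(3)


def project(run, observable):
    """omega_gamma: keep the observable actions only; the delays of the dropped
    actions are added to the delay of the next observable one."""
    out, carried = [], 0
    for delay, action in run:
        carried += delay
        if action in observable:
            out.append((carried, action))
            carried = 0
    return tuple(out)


def w1_to_w2_gap(obs):
    """Time from the last w1 action to the first w2 action after it, or None."""
    last_w1 = None
    for i, (_, action) in enumerate(obs):
        _, site, party = parse(action)
        if party != "w":
            continue
        if site == 1:
            last_w1 = i
        elif site == 2 and last_w1 is not None:
            return sum(delay for delay, _ in obs[last_w1 + 1:i + 1])
    return None


def contacts_third_site(run):
    """True iff the run contains a direct answer a^j_w from a site w_j with j >= 3."""
    for _, action in run:
        kind, site, party = parse(action)
        if kind == "a" and party == "w" and site >= 3:
            return True
    return False


def timing_leaks(runs, observable, window=100):
    """Observations from which w1 and w2 can conclude that no third site was contacted
    directly: the gap is below `window` and no run with that same observation contains
    an a^j_w, j >= 3.  Runs sharing an observation are the indistinguishable runs
    (omega ≡_gamma omega') of the logic."""
    classes = defaultdict(list)
    for run in runs:
        classes[project(run, observable)].append(run)
    leaks = []
    for obs, members in classes.items():
        gap = w1_to_w2_gap(obs)
        if gap is not None and gap < window and not any(contacts_third_site(r) for r in members):
            leaks.append(obs)
    return leaks


# Constructed runs of the web system: (delay since previous action, action).
OBSERVABLE = {"a1w", "r1w", "a2w", "r2w"}       # assumed: the symbols of the property
RUNS = [
    # w1 fetched from the site, then w2 fetched from the site; nothing in between
    [(0, "r1c"), (1, "n1c"), (0, "r1w"), (150, "a1w"), (0, "s1c"),
     (10, "r2c"), (1, "n2c"), (0, "r2w"), (120, "a2w"), (0, "s2c")],
    # same, but w3 is served from the cache in between (a cache hit takes 2..5 units)
    [(0, "r1c"), (1, "n1c"), (0, "r1w"), (150, "a1w"), (0, "s1c"),
     (5, "r3c"), (3, "a3c"), (2, "r2c"), (1, "n2c"), (0, "r2w"), (120, "a2w"), (0, "s2c")],
    # w3 fetched directly from the site in between (takes 100..250 units)
    [(0, "r1c"), (1, "n1c"), (0, "r1w"), (150, "a1w"), (0, "s1c"),
     (5, "r3c"), (1, "n3c"), (0, "r3w"), (110, "a3w"), (0, "s3c"),
     (2, "r2c"), (1, "n2c"), (0, "r2w"), (120, "a2w"), (0, "s2c")],
]

if __name__ == "__main__":
    for obs in timing_leaks(RUNS, OBSERVABLE):
        print("gap", w1_to_w2_gap(obs), "-> w1 and w2 learn no third site was contacted:", obs)
```

The first two runs project to the same observation (a cache hit on $w_3$ is invisible to the sites), so the leak is about direct site contact only, as in the formula's $a^j_w$; the third run has a gap of 119 and is outside the window.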
6.4 Discussion
In this section we discuss three choices: 1) the choice of introducing the Timed Information Flow Logic instead of exploiting existing timed temporal logics, like TPTL [14], to express information flow properties; 2) the choice of solving the problem $H \models_\gamma \psi$ without exploiting the well known technique of emptiness; 3) the choice of using dense time domains. There are three good reasons for introducing the Timed Information Flow Logic. The first is that specifying information flow properties with the Timed Information Flow Logic is easier, as one expects, since the Timed Information Flow Logic is an ad hoc logic for information flow. The second and more important reason is that some properties that can be expressed by Timed Information Flow Logic formulae can be expressed by TPTL formulae that are at least exponential in size w.r.t. the size of the Timed Information Flow Logic formulae, and that, therefore, are intractable. An example is given by the Timed Information Flow Logic formula $(a_1, time \in I_1).(b_1 \wedge \ldots \wedge b_n).(a_2, time \in I_2).$, which requires that there are runs where $b_1, \ldots, b_n$ appear, in any order, between $a_1$ and $a_2$. To express this formula in TPTL, one must enumerate each possible sequence of $b_1, \ldots, b_n$, thus obtaining a formula exponential w.r.t. $n$.
Figure 6.2: The rôle of punctuality (automaton with transitions $a_1, x' = 0$; $b, x' = x$; $x = 1, a_2$; $x \neq 1, a_2$)

Figure 6.3: The automaton $H_{\neg((a_1, I_1).(h).(a_2, I_2).\neg)}$ (transitions $a_1, x \in I_1, x' = 0$; $b, x' = x$; $a_2, x \in I_2, x' = x$; loops labeled $High$)

The third reason is that the decidable classes of TPTL do not admit punctuality (see [67] and [15]), which is useful in our setting. As an example, let $H$ be the automaton in Fig. 6.2. We note that $H \models_\gamma (a_1, time \in I_1).(\neg b).(a_2, time \in [1, 1]).\neg$, which means that if $a_2$ is performed exactly one time unit after $a_1$, then $b$ has been performed in the meantime. This is an information flow which cannot be expressed without considering the interval $[1, 1]$, i.e. without considering punctuality. Let us denote with $High$ the set of symbols such that $a \in High$ if and only if $(false, a, \vec{\emptyset}) \in \gamma$. The set $High$ represents the set of non-observable symbols. The idea of emptiness is to express the negation of a formula $\psi$ with an automaton $H_{\neg\psi}$, so that $H \models_\gamma \psi$ iff $R(H) \cap R(H_{\neg\psi}) = \emptyset$. As an example, if $\psi = (a_1, time \in I_1).(b).(a_2, time \in I_2).\neg$, which requires that $b$ does not appear between $a_1$ and $a_2$, then $H_{\neg\psi}$ is the system in Fig. 6.3, whose timed sequences can be combined with the timed sequences in $H$ where $b$ appears between $a_1$ and $a_2$. Let us take now $\psi = (\neg(\neg b)^\forall).$ We have that $H \models_\gamma \psi$ iff $\{\omega \in R(H) \mid \text{there exists } \omega' \equiv_\gamma \omega \text{ s.t. } (\omega', R(H)) \models_\gamma b\} \neq \emptyset$. In this case we cannot apply emptiness, since we are not able to construct $H_{\neg\psi}$. The reason is that $H_{\neg\psi}$ cannot accept a run $\omega$ depending on whether $b$ appears or not, as in the case above, since a run $\omega$ satisfying $\psi$ may read $b$ or not. Here $H_{\neg\psi}$ should select $\omega$ depending on what a different run $\omega'$ does, which is not possible. So, we have not applied emptiness since, in general, it does not work in our setting. Finally, let us discuss the choice of dense time. A time domain $\mathbb{T}$ is discrete if there is a rational $k \in \mathbb{Q}$ such that $\mathbb{T} = \{k \cdot c \mid c \in \mathbb{N}\}$. If one assumes discrete time domains for security there is a problem due to determining the value of $k$.
In fact, if we consider dense time domains we are sure that the system respects the real world, which obviously ranges over dense time. In the case of discrete time we must calculate the exact $k$ which gives this certitude. As an example, if we assume dense time then the automaton in Fig. 6.4 satisfies $(a_1, time \in [0, 0]).b_1 \wedge b_2.(a_2, time \in [1, 1]).$, which requires that there is a run where both $b_1$ and $b_2$ appear between $a_1$ and $a_2$. If we assume discrete time, then the property is satisfied only if we choose a $k$ less than $1/3$, since $(a_1, time \in [0, 0]).b_1 \wedge b_2.(a_2, time \in [1, 1]).$ can be satisfied by a run having three actions in three different instants and in a total time $1$. This example shows that the value $k$ that must be chosen depends not only on the automaton, but also on the formula. Moreover, the number of regions, which depends only on the size of the automaton in the case of dense time, depends also on $1/k$ in the case of discrete time.

Figure 6.4: The importance of $k$ with discrete time (automaton with transitions $a_1, x' = y' = 0$; $High, y > 0 \wedge x' = x \wedge y' = 0$; $a_2, x = 1 \wedge y > 0$)
Chapter 7 Conclusions and Future Works

The aim of the thesis is to extend the classical classes of Hybrid Systems to study safety and security properties of real life systems. For this purpose, we have considered different classes of Hybrid Systems. Due to the presence of arrays, the logics expressing the conditions of the systems become High Order. The satisfiability problem for High Order Mathematical Logics is undecidable. We have proved that, if one considers only linear formulae in the framework of High Order Mathematical Logic, one does not obtain decidability. Therefore we have defined two subsets of High Order Mathematical Logics: the set of BD-Formulae free on $k$ (which solves the undecidability problem for polynomial integer formulae) and the set of S-Formulae (which solves the undecidability problem for linear formulae). We have proved that the satisfiability problem for these two classes is decidable. Therefore, to design real life systems, we have considered the classes of Hybrid Systems that have constraints expressed by known subclasses of First Order Mathematical Logic and by the classes mentioned above. For these Hybrid Systems we have proved expressiveness results and we have shown that reachability and invariant properties are semi-decidable. We have given an algorithm based on predicate transformation to compute predecessor steps and successor steps of a given set of states. To study security properties we have defined a Timed Information Flow Logic. We have given an algorithm, which may not terminate, for verifying whether a Hybrid System satisfies a formula expressed in Timed Information Flow Logic. Moreover, we have proved a decidability result for this problem if a special class of Hybrid Systems and formulas expressed in Timed Information Flow Logic are considered. We have discussed the reasons for introducing this logic.
In the future, we will study extensions of the Mathematical Logics introduced by considering not only functions from integers to either reals or integers, but also more general functions. As an example, we can study functions from reals to integers, or functions from the Cartesian product of integers by integers to reals. We can study the impact of these logics on the expressiveness results. Moreover, we can study succinctness results, i.e. the descriptive power of a System, in terms of its size, needed to recognize a certain language. Finally, we can consider a more efficient algorithm for checking the Timed Information Flow Logic, in particular for the decidable case.
Bibliography

[1] Abadi, M.: On SDSI's Linked Local Name Spaces. Journal of Computer Security 6 (1998), 3–21.
[2] Abadi, M., Burrows, M., Needham, R.: A Logic of Authentication. ACM Transactions on Computer Systems 8 (1990), 18–36.
[3] Abadi, M., Tuttle, M. R.: A Semantics for a Logic of Authentication. 10th ACM Symposium on Principles of Distributed Computing, ACM Press, 1991, 201–216.
[4] Adi, K., Debbabi, M.: Abstract Interpretation for Proving Secrecy Properties in Security Protocols. Workshop on Logical Aspects of Cryptographics '01, Electronic Notes in Theoretical Computer Science 55 (2001).
[5] Agat, J.: Transforming out Timing Leaks. 27th Annual ACM Symposium on Principles of Programming Languages, 2000, 40–53.
[6] Agat, J.: Transforming out Timing Leaks in Practice. POPL 2000, ACM Press, 2000, 40–53.
[7] Aldini, A.: Probabilistic Information Flow in a Process Algebra. CONCUR'01, Lecture Notes in Computer Science 2154, 2001, 152–168.
[8] Alur, R., Courcoubetis, C., Dill, D.: Model-Checking in Dense Real-time. Information and Computation 104 (1993), 2–34.
[9] Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T.A., Ho, P.H., Nicollin, X., Olivero, A., Sifakis, J., Yovine, S.: The Algorithmic Analysis of Hybrid Systems. Theoretical Computer Science 138 (1995), 3–34.
[10] Alur, R., Courcoubetis, C., Henzinger, T.A., Ho, P.H.: Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems. Hybrid Systems, Lecture Notes in Computer Science 736, Springer, Berlin, 1993, 209–229.
[11] Alur, R., Dill, D.L.: A Theory of Timed Automata. Theoretical Computer Science 126 (1994), 183–235.
[12] Alur, R., Dill, D.: Automata-theoretic Verification of Real-time Systems. Formal Methods for Real-Time Computing, Trends in Software Series, John Wiley & Sons Publishers, 1996, 55–82.
[13] Alur, R., Fix, L., Henzinger, T.A.: Event-Clock Automata: A Determinizable Class of Timed Automata. Theoretical Computer Science 211 (1999), 253–273.
[14] Alur, R., Henzinger, T. A.: Logics and Models of Real time: A Survey. Real Time: Theory in Practice, Lecture Notes in Computer Science 600, Springer, Berlin, 1992, 74–106.
[15] Alur, R., Henzinger, T. A.: The benefits of relaxing punctuality. The Journal of the ACM 43 (1996), 116–146.
[16] Alur, R., Henzinger, T.A.: A really Temporal Logic. The Journal of the ACM 41 (1994), 181–204.
[17] Alur, R., Henzinger, T.A.: Real-time Logics: Complexity and Expressiveness. Information and Computation 104 (1993), 35–77.
[18] Alur, R., Henzinger, T.A., Ho, P. H.: Automatic Symbolic Verification of Embedded Systems. IEEE Trans. on Software Engineering 22 (1996), 181–201.
[19] Alur, R., Henzinger, T., Lafferriere, G., Pappas, G.: Discrete Abstractions of Hybrid Systems. Proc. of the IEEE, 2000.
[20] Alur, R., Henzinger, T.A., Vardi, M.Y.: Parametric Real-time Reasoning. Proc. 25th Annual Symp. on Theory of Computing, ACM Press, 1993, 592–601.
[21] Berard, B., Petit, A., Diekert, V., Gastin, P.: Characterization of the Expressive Power of Silent Transitions in Timed Automata. Fundamenta Informaticae 36 (1998), 145–182.
[22] Bodei, C., Degano, P., Nielson, F., Nielson, H.R.: Static Analysis for the Pi-Calculus with Applications to Security. Information and Computation 168 (2001), 68–92.
[23] Boreale, M.: Symbolic trace analysis of cryptographic protocols. ICALP'01, Lecture Notes in Computer Science 2076, 2001.
[24] Büchi, J. R.: On a Decision Method in Restricted Second Order Arithmetic. Proc. Internat. Congr. on Logic, Methodology and Philosophy of Science, 1960, 1–11.
[25] CASCADE: Chip Architecture for Smart Cards and portable intelligent devices. http://www.dice.ucl.ac.be/crypto/cascade
[26] Chandru, V., Rao, M.R.: Integer Programming. Algorithms and Theory of Computation Handbook, CRC Press, 1999.
[27] Childs, L. N.: A Concrete Introduction to Higher Algebra. Springer, 1979.
[28] Choffrut, C., Goldwurm, M.: Timed Automata with Periodic Clock Constraints. Rapport L.I.A.F.A. n. 99/28, Université Paris VII, 1999.
[29] Denning, D. E.: A Lattice Model of Secure Information Flow. Communications of the ACM (1976), 236–243.
[30] Denning, D. E., Denning, P. J.: Certification of Programs for Secure Information Flow. Communications of the ACM (1977), 504–513.
[31] Dhem, J. F., Koeune, F., Leroux, P. A., Mestré, P., Quisquater, J. J., Willems, J. L.: A Practical Implementation of the Timing Attack. CARDIS, 1998, 167–182.
[32] Downey, P.: Undecidability of Presburger arithmetic with a single monadic predicate letter. Technical Report 18-72, Center for Research in Computing Technology, Harvard Univ., 1972.
[33] D'Souza, D., Thiagarajan, P.S.: Product Interval Automata: a Subclass of Timed Automata. Proc. FSTTCS'99, Lecture Notes in Computer Science 1738, Springer, Berlin, 1999, 60–71.
[34] Emerson, E. A.: Temporal and Modal Logic. Handbook of Theoretical Computer Science, Elsevier Science Publishers, Amsterdam, 1990, 996–1072.
[35] Emerson, E. A., Mok, A. K., Sistla, A. P., Srinivasan, J.: Quantitative Temporal Reasoning. Lecture Notes in Computer Science 531, Springer, Berlin, 1995, 136–145.
[36] Felten, E.W., Schneider, M.A.: Timing attacks on Web privacy. Proc. 7th ACM Conference on Computer and Communications Security, 2000, 25–32.
[37] Ferrante, J., Rackoff, C.: A Decision Procedure for First-order Theory of Real Addition with Order. SIAM Journal on Computing 4 (1975), 69–76.
[38] Focardi, R., Gorrieri, R.: A Classification of Security Properties for Process Algebras. Journal of Computer Security 3 (1995), 5–33.
[39] Focardi, R., Gorrieri, R.: Automatic Compositional Verification of Some Security Properties. Proc. 2nd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science 1055, Springer, Berlin, 1996, 167–186.
[40] Focardi, R., Gorrieri, R.: The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties. IEEE Transactions on Software Engineering 9 (1997), 550–571.
[41] Focardi, R., Gorrieri, R., Lanotte, R., Maggiolo-Schettini, A., Martinelli, F., Tini, S., Tronci, E.: Formal Models of Timing Attacks on Web Privacy. TOSCA 2001, Electronic Notes in Theoretical Computer Science 62, 2001.
[42] Focardi, R., Gorrieri, R., Martinelli, F.: Information flow analysis in a discrete-time process algebra. Proc. 13th Computer Security Foundations Workshop, IEEE Press, 2000.
[43] Fränzle, M.: Analysis of Hybrid Systems: An ounce of realism can save an infinity of states. CSL '99, Lecture Notes in Computer Science 1683, Springer, Berlin, 1999, 126–140.
[44] Fränzle, M.: What Will Be Eventually True of Polynomial Hybrid Automata. TACS, Lecture Notes in Computer Science 2215, Springer, Berlin, 2001.
[45] Gruska, D.P., Lanotte, R., Maggiolo-Schettini, A.: A Contribution to a Classification of Timing Attacks on Privacy. MTCS 2002.
[46] Hachez, G., Koeune, F., Quisquater, J. J.: Timing Attack: What Can Be Achieved by a Powerful Adversary. 20th Symposium on Information Theory in the Benelux, 1999.
[47] Handschuh, H., Heys, H. M.: A Timing Attack on RC5. Proc. Selected Areas in Cryptography, Lecture Notes in Computer Science 1556, Springer, Berlin, 1999, 306–318.
[48] Henzinger, T. A., Kopke, P.W., Wong-Toi, H.: The Expressive Power of Clocks. Automata, Languages, and Programming, Lecture Notes in Computer Science 944, Springer, Berlin, 1995, 335–346.
[49] Henzinger, T. A., Manna, Z., Pnueli, A.: What Good are Digital Clocks? Automata, Languages, and Programming, Lecture Notes in Computer Science 623, 1992, 545–558.
[50] Henzinger, T. A., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic Model Checking for Real-time Systems. Information and Computation 111 (1994), 193–244.
[51] Herbert, B. E.: Mathematical Introduction to Logic. Academic Press, 1972.
[52] Hevia, A., Kiwi, M.: Strength of two data encryption standard implementations under timing attacks. ACM Transactions on Information and System Security (TISSEC) 2 (1999), 416–437.
[53] Hopcroft, J. E., Ullman, J.: Introduction to Automata Theory, Languages and Computation. Addison Wesley, Reading, Mass., 1979.
[54] Hune, T., Romijn, J., Stoelinga, M., Vaandrager, F.W.: Linear Parametric Model Checking of Timed Automata. Tools and Algorithms for Construction and Analysis of Systems, 2001, 189–203.
[55] Kesten, Y., Manna, Z., Pnueli, A.: Verifying Clocked Transition Systems. Lecture Notes in Computer Science 1066, Springer, Berlin, 1996, 13–40.
[56] Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems. CRYPTO'96, Lecture Notes in Computer Science 1109, Springer, Berlin, 1996, 104–113.
[57] Koeune, F., Quisquater, J.J.: A timing attack against Rijndael. Tech. Report CG-1999/1, UCL Crypto Group, Louvain-la-Neuve, 1999.
[58] Lafferriere, G., Pappas, G.J., Yovine, S.: A New Class of Decidable Hybrid Systems. Hybrid Systems: Computation and Control, Lecture Notes in Computer Science 1569, Springer, Berlin, 1999, 137–151.
[59] Lakhneche, Y., Hooman, J.: Metrical Temporal Logic with Durations. Theoretical Computer Science 138 (1995), 169–200.
[60] Lanotte, R., Maggiolo-Schettini, A.: Timed Automata with Monotonic Activities. MFCS 2000, Bratislava, Lecture Notes in Computer Science 1893, Springer, Berlin, 2000, 518–527.
[61] Lanotte, R., Maggiolo-Schettini, A.: Model Checking for Timed Automata with Monotonic Activities. Technical Report.
[62] Lanotte, R., Maggiolo-Schettini, A., Peron, A.: Timed Cooperating Automata. Fundamenta Informaticae 43 (2000), 153–173.
[63] Lanotte, R., Maggiolo-Schettini, A., Peron, A., Tini, S.: Transformations of Timed Cooperating Automata. Fundamenta Informaticae 47 (2001), 271–282.
[64] Lanotte, R., Maggiolo-Schettini, A., Tini, S.: Concurrency in Timed Automata. FCT 2001, Lecture Notes in Computer Science 2138, Springer, Berlin, 2001, 240–251.
[65] Lanotte, R., Maggiolo-Schettini, A., Tini, S.: Privacy in Real-Time Systems. MTCS 2001, Electronic Notes in Theoretical Computer Science 52 (2002).
[66] Lanotte, R., Maggiolo-Schettini, A., Tini, S.: Timed Information Flow Logic for Timed Automata. Technical Report.
[67] La Torre, S., Napoli, M.: A Decidable Dense Branching-time Temporal Logic. FSTTCS 2000, Lecture Notes in Computer Science 1974, Springer, Berlin, 2000, 139–150.
[68] Lenstra, H.W.: Integer Programming with a Fixed Number of Variables. Mathematics of Operations Research 8 (1983), 538–548.
[69] Lowe, G.: Quantifying Information Flow. Proceedings of the 15th IEEE Computer Security Foundations Workshop, 2002.
[70] Lynch, N.: I/O Automaton Models and Proofs for Shared-Key Communication Systems. Proc. 12th Computer Security Foundations Workshop, IEEE Press, 1999, 14–29.
[71] Maler, O., Manna, Z., Pnueli, A.: From Timed to Hybrid Systems. Lecture Notes in Computer Science 1600, Springer, Berlin, 1992, 447–483.
[72] Manna, Z., Pnueli, A.: Clocked Transition Systems. Logic and Software Workshop, 1995.
[73] Marker, D.: Model theory and exponentiation. Notices AMS 43 (1996), 753–759.
[74] Matijasevic, J. V.: Enumerable sets are Diophantine. Soviet Mathematics 11 (1970), 354–357.
[75] McNaughton, R.: Testing and Generating Infinite Sequences by a Finite Automaton. Information and Control 9 (1996), 521–530.
[76] Moskowitz, I. S., Costich, O. L.: A Classical Automata Approach to Noninterference Type Problems. Proc. 5th Computer Security Foundations Workshop, IEEE Press, 1992, 2–8.
[77] Nicollin, X., Olivero, A., Sifakis, J., Yovine, S.: An Approach to Description and Analysis of Hybrid Systems. Real Time: Theory in Practice, Lecture Notes in Computer Science 736, Springer, Berlin, 1993, 149–178.
[78] Nielson, F., Nielson, H. R.: Flow Logics and Operational Semantics. Electronic Notes in Theoretical Computer Science 10 (1998).
[79] Pappas, J. G., Simić, S.: Consistent Abstraction of Affine Control Systems. IEEE Transactions on Automatic Control 5 (2002), 745–756.
[80] Paulson, L. C.: Mechanized proofs for a recursive authentication protocol. 10th Computer Security Foundations Workshop, 1997, 84–95.
[81] Rabin, M. O.: Decidability of Second-order Theories and Automata on Infinite Trees. Trans. Amer. Math. Soc. 141 (1969), 1–35.
[82] Schneider, S.: Security Properties and CSP. IEEE Computer Society Symposium on Security and Privacy, 1996.
[83] Shostak, R.E.: A practical decision procedure for arithmetic with function symbols. Journal of the ACM 26 (1979), 351–360.
[84] Song, D. X., Wagner, D., Tian, X.: Timing Analysis of Keystrokes and Timing Attacks on SSH. 10th USENIX Security Symposium, 2001.
[85] Syverson, P. F.: Adding Time To a Logic of Authentication. 1st ACM Conference on Computer and Communications Security, 1993, 97–101.
[86] Tarski, A.: A Decision Method for Elementary Algebra and Geometry. University of California Press, Second Edition, 1951.
[87] Thomas, W.: Automata on Infinite Objects. Handbook of Theoretical Computer Science, Elsevier Science Publishers, Amsterdam, 1990, 134–191.
[88] Volpano, D.: Secrecy by typing in Security Protocols. Theoretical Aspects of Computer Software, Lecture Notes in Computer Science 1281, Springer, Berlin, 1997, 611–638.
[89] Volpano, D., Irvine, C., Smith, G.: A Sound Type System For Secure Flow Analysis. Journal of Computer Security 4 (1996), 1–21.
[90] Volpano, D., Smith, G.: Confinement properties for programming languages. SIGACT News 29 (1998), 33–42.
[91] Volpano, D., Smith, G.: Secure information flow in a multi-threaded imperative language. Proc. ACM Symposium on Principles of Programming Languages, 1998, 355–364.
[92] Volpano, D., Smith, G.: Verifying Secrets and Relative Secrecy. POPL 2000, 2000, 268–276.
[93] Weispfenning, V.: Mixed Real-Integer Linear Quantifier Elimination. Proceedings of the ACM International Symposium on Symbolic and Algebraic Computation, 1999.