PRISM-games: verification and strategy synthesis for stochastic multi-player games with multiple objectives
Int J Softw Tools Technol Transfer
https://doi.org/10.1007/s10009-017-0476-z
TACAS 2016
Marta Kwiatkowska1 · David Parker2 · Clemens Wiltsche1
© The Author(s) 2017. This article is an open access publication
Abstract
PRISM-games is a tool for modelling, verification and strategy synthesis for stochastic multi-player games. These allow models to incorporate both probability, to represent uncertainty, unreliability or randomisation, and game-theoretic aspects, for systems where different entities have opposing objectives. Applications include autonomous transport, security protocols, energy management systems and many more. We provide a detailed overview of the PRISM-games tool, including its modelling and property specification formalisms, and its underlying architecture and implementation. In particular, we discuss some of its key features, which include multi-objective and compositional approaches to verification and strategy synthesis. We also discuss the scalability and efficiency of the tool and give an overview of some of the case studies to which it has been applied.
Keywords Formal verification · Quantitative verification ·
Stochastic games
1 Introduction
Automatic verification and strategy synthesis are techniques for analysing probabilistic systems. They can be used to produce formal guarantees with respect to quantitative properties such as safety, reliability and efficiency. For example, they can be employed to synthesise controllers in applications such as autonomous vehicles, network protocols and robotic systems. These often operate in uncertain and adverse environments, models of which require both stochasticity, for example, to represent noise, failures or delays, and game-theoretic aspects, to model non-cooperative agents or uncontrollable events.

Corresponding author: David Parker
1 Department of Computer Science, University of Oxford, Oxford, UK
2 School of Computer Science, University of Birmingham, Birmingham, UK
PRISM-games is a tool for verification and strategy synthesis for turn-based stochastic multi-player games, a model
in which each state is controlled by one of a set of players. That player resolves non-determinism in its states by
selecting an action to perform. The resulting behaviour, i.e.
to which state the model then evolves, is probabilistic. This
allows the model to capture both game-theoretic aspects and
stochasticity.
The crucial ingredient for reasoning about stochastic
multi-player games is strategies, which represent the choices
made by a given player, based on the execution of the
model so far. For a stochastic game comprising just one
player (in other words, a Markov decision process), we may
choose to consider the behaviour of the player to be adversarial (for example, representing the malicious environment
of a security protocol). We can then verify that the model
exhibits certain formally specified properties, regardless of
the behaviour of the adversary.
Alternatively, we could assume that we are able to control the choices of the single player in this model (imagine,
for example, it represents the navigation control system in
an autonomous vehicle). In this setting, we can instead use
strategy synthesis to generate a strategy (a controller) under
which the behaviour of the game satisfies a formally specified
property.
The general case, in which there are multiple players, allows us to model situations where there are entities
with opposing objectives, for example a controller and
a malicious environment. PRISM-games provides strategy
synthesis techniques that can generate a strategy for one
player of a stochastic game such that it is guaranteed to satisfy a property, regardless of the strategies employed by the
other players. Returning to the autonomous vehicle above,
we could generate a strategy for the vehicle controller which
guarantees that the probability of successfully completing
a journey is above a specified threshold, regardless of the
behaviour of other, uncontrollable aspects of the system such
as other road users.
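As an added illustration of the model just described (example code written for this overview, not part of PRISM-games), the following Python computes, for a small constructed turn-based stochastic game, the probability of reaching a target that player 1 can guarantee against every strategy of player 2, and extracts the player-1 strategy that achieves it. The states `s0`, `s1`, `s2`, `goal`, `fail` and the action names are constructed for this example.

```python
"""Value iteration for a constructed turn-based stochastic two-player game."""
from typing import Dict, Tuple

# Constructed toy game (not from the paper): player 1 is a controller, player 2 an
# adversarial environment. Each state is owned by one player, who picks an action;
# the successor is then chosen according to the action's probability distribution.
# state -> (owning player, {action: {successor: probability}})
Dist = Dict[str, float]
GAME: Dict[str, Tuple[int, Dict[str, Dist]]] = {
    "s0": (1, {"fast": {"s1": 1.0}, "safe": {"s2": 1.0}}),
    "s1": (2, {"clear": {"goal": 0.9, "fail": 0.1}, "block": {"goal": 0.6, "fail": 0.4}}),
    "s2": (2, {"clear": {"goal": 0.7, "fail": 0.3}, "stall": {"goal": 0.5, "s0": 0.5}}),
    "goal": (1, {}),  # absorbing target state
    "fail": (1, {}),  # absorbing failure state
}
TARGET = {"goal"}


def synthesise(game, target, eps=1e-10, max_iter=10_000):
    """Return (values, strategy): for each state, the maximal probability of reaching
    `target` that player 1 can guarantee whatever player 2 does (player 1 maximises,
    player 2 minimises), and a memoryless player-1 strategy attaining those values."""
    values = {s: (1.0 if s in target else 0.0) for s in game}
    for _ in range(max_iter):
        new = dict(values)
        for s, (player, actions) in game.items():
            if s in target or not actions:
                continue  # absorbing states keep their value
            outcomes = {a: sum(p * values[t] for t, p in dist.items())
                        for a, dist in actions.items()}
            new[s] = max(outcomes.values()) if player == 1 else min(outcomes.values())
        converged = all(abs(new[s] - values[s]) < eps for s in game)
        values = new
        if converged:
            break
    # Player 1's strategy: in each of its states, pick an action achieving the value.
    strategy = {}
    for s, (player, actions) in game.items():
        if player == 1 and actions and s not in target:
            strategy[s] = max(actions, key=lambda a: sum(p * values[t]
                                                          for t, p in actions[a].items()))
    return values, strategy


if __name__ == "__main__":
    vals, strat = synthesise(GAME, TARGET)
    print(vals, strat)
```

Here the "fast" route looks better in isolation (0.9), but the environment can reduce it to 0.6, so the synthesised controller takes "safe" and guarantees 0.7 regardless of the environment's choices.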
This paper provides an overview of PRISM-games and
the strategy synthesis techniques that it provides. These fall
into two categories. The first, single-objective case, is used
to express zero-sum properties in which two opposing sets
of players aim to minimise and maximise a single objective:
either the probability of an event or the expected reward accumulated before it occurs. The second, multi-objective case,
enables the exploration of trade-offs, such as between performance and resource requirements. The tool also performs
computation and visualisation of the Pareto sets representing
the optimal achievable trade-offs.
We also discuss the support in PRISM-games for compositional system development. This is done through assume-guarantee strategy synthesis, based on contracts over component interfaces that ensure cooperation between the components to achieve a common goal. For example, if one
component satisfies the goal B under an assumption A on
its environment (i.e. A → B), while the other component
ensures that the assumption A is satisfied, we can compose
strategies for the components into a strategy for the full system achieving B. Multi-objective strategy synthesis, e.g. for
an implication A → B, can be conveniently employed to
realise such assume-guarantee contracts. Again, Pareto set
computation can be performed to visualise the relationship
between properties and across interfaces.
The underlying verification and strategy synthesis techniques developed for PRISM-games have been published
elsewhere, in [5,7,12,14,16,44]. Existing short tool papers
focusing on the functionality added in versions 1.0 and 2.0
of PRISM-games were presented in [13] and [34], respectively. This paper provides a comprehensive overview of the
full tool, including detailed examples of the modelling and
property specification and summaries of the key theory and
algorithms. We also discuss implementation details, the scalability of the tool and the application domains to which it has
been applied.
Structure of the paper. Section 2 provides basic details
of the underlying model of stochastic multi-player games
and explains how these can be described using the PRISM-games modelling language. Section 3 covers the property
specification language, giving the formal syntax, semantics
and examples of the various classes of quantitative properties that are supported. Section 4 gives an overview of the
underlying algorithms used to perform verification and strategy synthesis, and Sect. 5 describes the architecture of the
tool and some lower-level aspects of its implementation. Section 6 presents some experimental results and discusses the
scalability and efficiency of PRISM-games. We conclude, in
Sects. 7, 8 and 9, with a discussion of case studies to which
the tool has been applied, a sur (...truncated)