FM 2015: FORMAL METHODS 2015
PROGRAM FOR WEDNESDAY, JUNE 24TH
View: session overviewtalk overview
09:00-10:00 Session 1: Keynote
Resource Analysis: From Sequential to Concurrent and Distributed Programs
ABSTRACT. Resource analysis aims at automatically inferring upper/lower bounds on the worst/best-case cost of executing programs. Ideally, a resource analyzer should be parametric on the cost model, i.e., the type of cost that the user wants infer (e.g., number of steps, amount of memory allocated, amount of data transmitted, etc.). The inferred upper bounds have important applications in the ﬁelds of program optimization, veriﬁcation and certiﬁcation. In this talk, we will review the basic techniques used in resource analysis of sequential programs and the new extensions needed to handle concurrent and distributed systems.
10:30-12:30 Session 2A: Probabilistic and Hybrid Systems
Direct formal verification of liveness properties in continuous and hybrid dynamical systems
ABSTRACT. This paper addresses the problem of formally verifying the temporal property of
eventuality (a type of liveness) in systems given by ordinary differential
equations (ODEs) under evolution constraints.
This problem is of a more general interest to hybrid system verification, where
reasoning about temporal properties in the continuous fragment is often a
bottleneck. Much of the difficulty in handling continuous systems stems from
the fact that closed-form solutions to non-linear ODEs are rarely available.
We present a general method for proving eventuality properties that works with
the differential equations directly, without the need to explicitly compute the
Our method is intuitively simple, yet much less conservative than previously
reported approaches to solving the eventuality verification problem, making it
highly amenable to use as a sound rule of inference in a formal proof calculus
for hybrid systems.
Counterexamples for Expected Rewards
ABSTRACT. The computation of counterexamples for probabilistic systems has gained a lot of attention in research during the last few years. However, all of the proposed methods focus on the situation when the probabilities of certain events are too high. In this paper we investigate how counterexamples for properties concerning expected costs (or, equivalently, expected rewards) of events can be computed. We propose methods to extract a minimum subsystem which already leads to costs beyond the allowed
bound. Besides these exact methods, we present heuristic approaches based on path search and on best-first search, which are applicable to very large systems when deriving a minimal subsystem becomes infeasible due to the system size. Experiments show that we can compute counterexamples for systems with millions of states.
Probabilistic Bisimulation for Realistic Schedulers
ABSTRACT. Weak distribution bisimilarity is an equivalence notion on probabilistic automata, originally proposed for Markov automata. It has gained some popularity as the coarsest behavioral equivalence enjoying valuable properties like preservation of trace distribution equivalence and compositionality. This holds in the classical context of arbitrary schedulers, but it has been argued that this class of schedulers is unrealistically powerful. This paper studies a strictly coarser notion of bisimilarity, which still enjoys these properties in the context of realistic subclasses of schedulers: Trace distribution equivalence is implied for partial information schedulers, and compositionality is preserved by distributed schedulers. The intersection of the two scheduler classes thus spans a coarser and still reasonable compositional theory of behavioral semantics.
Abstraction of Elementary Hybrid Systems by Variable Transformation
ABSTRACT. Elementary hybrid systems (EHSs) are those hybrid systems (HSs) containing elementary functions such as exp, ln, sin, cos, etc. EHSs are very common in practice, especially in safety-critical domains. Due to the non-polynomial expressions which lead to undecidable arithmetic, verification of EHSs is very hard. Existing approaches based on partition of state space or over-approximation of reachable sets suffer from state explosion or inflation of numerical errors. In this paper, we propose a symbolic abstraction approach that reduces EHSs to polynomial hybrid systems (PHSs), by replacing all non-polynomial terms with newly introduced variables. Thus the verification of EHSs is reduced to the one of PHSs, enabling us to apply all the well-established verification techniques and tools for PHSs to EHSs. In this way, it is possible to avoid the limitations of many existing methods. We illustrate the abstraction approach and its application in safety verification of EHSs by several real world examples.
10:30-12:30 Session 2B: Security
Certified Reasoning with Infinity
ABSTRACT. We demonstrate how infinities improve the expressivity, power, readability, conciseness, and compositionality of a program logic. We prove that adding infinities to Presburger arithmetic enables these improvements without sacrificing decidability. We develop Omega++, a Coq-certified decision procedure for Presburger arithmetic with infinity and benchmark its performance. Both the program and proof of Omega++ are paramaterized over user-selected semantics for the indeterminate terms (such as 0 * ∞).
Detection of Design Flaws in the Android Permission Protocol through Bounded Verification
ABSTRACT. The ever increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we perform an analysis of the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol, and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of hundreds of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely.
Privacy by design in practice: reasoning about privacy properties of biometric system architectures
ABSTRACT. The work presented in this paper is the result of a collaboration between academics, industry and lawyers to show the applicability of the privacy by design approach to biometric systems and the benefit of formal methods to this end.
The choice of particular techniques and the role of the components (central server, secure module, terminal, smart card, etc.) in the architecture have a strong impact on the privacy guarantees provided by a biometric system.
However, existing proposals were made on a case by case basis, which makes it difficult to compare them and to provide a rationale for the choice of specific options.
In this paper, we show that a general framework for the definition of privacy architectures can be used to specify these options and to reason about them in a formal way.
Verifying Parameterized Timed Security Protocols
ABSTRACT. Quantitative timing is often explicitly used in systems for better security, e.g., the credentials for automatic website logon often has limited lifetime. Verifying timing relevant security protocols in these systems is very challenging as timing adds another dimension of complexity compared with the untimed protocol verification. In our previous work, we proposed an approach to check the correctness of the timed authentication in security protocols with fixed timing constraints. However, a more difficult question persists, i.e., given a particular protocol design, whether the protocol has security flaws in its design or it can be configured secure with proper parameter values? In this work, we answer this question by proposing a parameterized verification framework, where the quantitative parameters in the protocols can be intuitively specified as well as automatically analyzed. Given a security protocol, our verification algorithm either produces the secure constraints of the parameters, or constructs an attack that works for any parameter values. The correctness of our algorithm is formally proved. We implement our method into a tool called PTAuth and evaluate it with several security protocols. Using PTAuth, we have successfully found a timing attack in Kerberos V which is unreported before.
14:00-15:30 Session 3A: Temporal Logic
Using Real-Time Maude to Model Check Energy Consumption Behavior
ABSTRACT. Energy consumption is one of the primary non-functional concerns, especially for application programs running on systems that have limited battery capacity. A model-based analysis of the problem is introduced at early stages of development. As rigorous formal models of this, the power consumption automaton and a variant of linear temporal logic are proposed. Detecting unexpected energy consumption is then reduced to a model checking problem, which is unfortunately undecidable in general. This paper introduces some restrictions to the logic formulas representing energy consumption properties so that an automatic analysis is possible with Real-Time Maude.
Trace-Length Independent Runtime Monitoring of Quantitative Policies in LTL
ABSTRACT. Linear temporal logic (LTL) has been widely used to specify runtime
policies. Traditionally this use of LTL is to capture the qualitative
aspects of the monitored systems, but recent developments in metric
LTL and its extensions with aggregate operators allow some
quantitative policies to be specified. Our interest in LTL-based
policy languages is driven by applications in runtime Android malware
detection, which requires the monitoring algorithm to be independent
of the length of the system event traces so that its performance does
not degrade as the traces grow. We propose a policy language based on
a past-time variant of LTL, extended with an aggregate operator called
the counting quantifier to specify a policy based on the number of
times some sub-policies are satisfied in the past. We show that a
broad class of policies, but not all policies, specified our language
can be monitored in a trace-length independent way, and provide a
concrete algorithm to do so. We implement and test our algorithm in
an existing Android monitoring framework and show that our approach
can effectively specify and enforce quantitative policies drawn from
real-world Android malware studies.
Parameter Synthesis through Temporal Logic Specifications
ABSTRACT. Parameters are often used to tune mathematical models and capture nondeterminism and uncertainty in physical and engineering systems. This paper is concerned with parametric nonlinear dynamical systems and the problem of determining the parameter values that are consistent with some expected properties. In our previous works, we proposed a parameter synthesis algorithm limited to safety properties and demonstrated its applications for biological systems. Here we consider more general properties specified by a fragment of STL (Signal Temporal Logic), which allows us to deal with complex behavioral patterns that biological processes exhibit. We propose an algorithm for parameter synthesis w.r.t. a property specified using the considered logic. It exploits reachable set computations and forward refinements. We instantiate our algorithm in the case of polynomial dynamical systems exploiting Bernstein coefficients and we illustrate it on an epidemic model.
14:00-15:30 Session 3B: Model Checking and Runtime Verification
Verifying the Safety of a Flight-Critical System
ABSTRACT. This paper describes our work on demonstrating verification and
certification technologies on a flight critical system.
Performed in the context
of a major NASA milestone, this study required us
to tackle a system
of realistic functionality, size, and complexity.
Our work targeted a commercial aircraft control system called Transport Control Model (TCM).
The work involved several stages:
formalizing and disambiguating requirements in collaboration
with domain experts; processing models for their use by formal verification tools;
applying compositional techniques at the architectural and component
level to scale verification.
This was one of the most challenging and substantial studies
that our group has performed, and it took several person months to
complete it. In this paper, we describe the overall process and report the lesson learned.
A Specification Language for Static and Runtime Verification of Data and Control Properties
ABSTRACT. Static verification techniques can verify properties across all executions of a program, but powerful judgements are hard to achieve automatically. In contrast, runtime verification enjoys full automation, but cannot judge future and alternative runs. In this paper we present a novel approach in which data-centric and control-oriented properties may be stated in a single formalism, amenable to both static and dynamic verification techniques. We develop and formalise a specification notation, ppDATE, extending the control-flow property language used in the runtime verification tool LARVA with pre/post-conditions and show how specifications written in this notation can be analysed both using the deductive theorem prover KeY and the runtime verification tool LARVA. Verification is performed in two steps: KeY first partially proves the data-oriented part of the specification, simplifying the specification which is then passed on to LARVA to check at runtime for the remaining parts of the specification including the control-centric aspects. We apply the approach to Mondex, an electronic purse application.
Safety, Liveness and Run-time Refinement for Modular Process-Aware Information Systems with Dynamic Sub Processes
ABSTRACT. We study modularity, run-time adaptation and refinement under safety and liveness constraints in event-based process models with dynamic sub-process instantiation. The study is part of a larger programme to provide semantically well-founded technologies for modelling, implementation and verification of flexible, run-time adaptable process-aware information systems, moved into practice via the Dynamic Condition Response (DCR) Graphs notation co-developed with our industrial partner. Our key contributions are: (1) A formal theory of dynamic sub-process instantiation for declarative, event-based processes under safety and liveness constraints, given as the DCR* process language, equipped with a compositional operational semantics and conservatively extending the DCR Graphs notation; (2) an expressiveness analysis revealing that the DCR* process language is Turing-complete, while the fragment corresponding to DCR Graphs (without dynamic sub-process instantiation) characterises exactly the languages that are the union of a regular and an omega-regular language; (3) a formalisation of run-time refinement and adaptation by composition for DCR* processes and a proof that such refinement is undecidable in general; and finally (4) a decidable and practically useful sub-class of run-time refinements. Our results are illustrated by a running example inspired by a recent Electronic Case Management solution based on DCR Graphs and delivered by our industrial partner. An online prototype implementation of the DCR* language (including examples from the paper) and its visualisation as DCR Graphs can be found at http://tiger.itu.dk:8018/.