Formal Methods for Security Functionality and for Secure Functionality
ABSTRACT. High levels of assurance for security properties are obviously desirable, so security seems like an ideal application area for formal methods. However, security properties can be tricky to characterise, even informally, so this is easier said than done. In light of this we will discuss some experiences and hopes in applying formal methods - incl. some fairly lightweight formal methods - to improve security.
How Hard is Finding Shortest Counter-Example Lassos in Model Checking?
ABSTRACT. Modern model checkers help system engineers to pinpoint the reason for the faulty behavior of a system by providing counter-example traces. For finite-state systems and omega-regular specifications, they come in the form of lassos. Lassos that are unnecessarily long should be avoided, as they make finding the cause for an error in a trace harder.
We give the first thorough characterization of the computational complexity of finding the shortest and approximately shortest counter-example lassos in model checking for the full class of omega-regular specifications. We show how to build (potentially exponentially larger) tight automata for arbitrary omega-regular specifications, which can be used to reduce finding shortest counter-example lassos for some finite-state system to finding a shortest accepting lasso in a (product) Büchi automaton. We then show that even approximating the size of the shortest counter-example lasso is an NP-hard problem for any polynomial approximation function, which demonstrates the hardness of obtaining short counter-examples in practical model checking. We also prove that minimizing only the length of the lasso cycle is possible in polynomial time for a fixed but arbitrary upper limit on the size of strongly connected components in specification automata.
From LTL to Unambiguous Büchi Automata via Disambiguation of Alternating Automata
ABSTRACT. This paper proposes a new algorithm for the generation of unambiguous Büchi automata (UBA) from LTL formulas. Unlike existing tableau-based LTL-to-UBA translations, our algorithm deals with very weak alternating automata (VWAA) as an intermediate representation. It relies on a new notion of unambiguity for VWAA and a disambiguation procedure for VWAA. We introduce optimizations on the VWAA level and new LTL simplifications targeted at generating small UBA.
We report on an implementation of the construction in our tool Duggi and discuss experimental results that compare the automata sizes and computation times of Duggi with the tableau-based LTL-to-UBA translation of the SPOT tool set. Our experiments also cover the analysis of Markov chains under LTL specifications, which is an important application of UBA.
Generic Partition Refinement and Weighted Tree Automata
ABSTRACT. Partition refinement is a method for minimizing automata and transition systems of various types. Recently, we have developed a partition refinement algorithm that is generic in the transition type of the given system and matches the runtime of the best known algorithms for many fixed types of systems, e.g. deterministic automata as well as ordinary, weighted, and probabilistic (labelled) transition systems. Gener- icity is achieved by modelling transition types as endofunctors on sets and state-based systems as coalgebras. In the present work, we extend the scope and the runtime analysis of our algorithm to cover additional instances, notably weighted automata and, more generally, weighted tree automata. For tree automata with weights in a cancellative monoid we match, and for non-cancellative monoids such as (the additive monoid of) the tropical semiring even substantially improve, the asymptotic runtime of the best known algorithms. We have implemented our algorithm in a generic tool that is easily instantiated to concrete system types by implementing a simple refinement interface. Moreover, the algorithm and the tool are modular, and partition refiners for new types of systems are obtained easily by composing pre-implemented basic functors. Experiments show that even for complex system types, the tool is able to handle systems with millions of transitions.
Equilibria-Based Probabilistic Model Checking for Concurrent Stochastic Games
ABSTRACT. Probabilistic model checking for stochastic games enables formal verification of systems where competing or collaborating entities operate in a stochastic environment. While good progress has been made in the area, existing approaches focus on zero-sum goals and cannot reason about distinct entities collaborating whilst working to different objectives. In this paper, we propose probabilistic model checking techniques for concurrent stochastic games based on Nash equilibria. We extend the temporal logic rPATL (probabilistic alternating-time temporal logic with rewards) for reasoning about players with distinct quantitative goals which relate to either the probability of an event occurring or a reward measure. We present algorithms to synthesise strategies that are subgame perfect social welfare optimal Nash equilibria, i.e., where there is no incentive for any players to unilaterally change their strategy in any state of the game, whilst the combined probabilities or rewards are maximised. We implement our techniques in an extension of the PRISM-games tool and demonstrate their application to several case studies, including network protocols and robot navigation.
ABSTRACT. We propose a new static software analysis principle called Abstract Execution, generalizing Symbolic Execution: While the latter analyzes all possible execution paths of a specific program, Abstract Execution analyzes a partially unspecified program by permitting abstract symbols representing unknown contexts. For each abstract symbol, we faithfully represent each possible concrete execution resulting from its substitution with concrete code. There is a wide range of applications of Abstract Execution, especially for verifying relational properties of schematic programs. We implemented Abstract Execution in a deductive verification framework and proved correctness of eight well-known statement-level refactoring rules, including two with loops. For each refactoring we characterize the preconditions that make it semantics-preserving. Most preconditions are not mentioned in the literature.
Static Analysis for Detecting High-Level Races in RTOS Kernels
ABSTRACT. We propose a static analysis based approach for detecting high-level races in RTOS kernels popularly used in safety-critical embedded software. High-Level races are indicators of atomicity violations and can lead to erroneous software behaviour with serious consequences. Hitherto techniques for detecting high-level races have relied on model-checking approaches, which are inefficient and apriori unsound. In contrast we propose a technique based on static analysis that is both efficient and sound. The technique is based on the notion of disjoint blocks recently introduced in Chopra et al [8]. We evaluate our technique on three popular RTOS kernels and show that it is effective in detecting races, many of them harmful, with a high rate of precision.
Parallel Composition and Modular Verification of Computer Controlled Systems in Differential Dynamic Logic
ABSTRACT. Computer-Controlled Systems (CCS) are a subclass of hybrid systems where the periodic relation of control components to time is paramount. Since they additionally are at the heart of many safety-critical devices, it is of primary importance to correctly model such systems and to ensure they function correctly according to safety requirements. Differential dynamic logic is a powerful logic to model hybrid systems and to prove their correctness. We contribute a component-based modeling and reasoning framework to differential dynamic logic that separates models into components with timing guarantees, such as reactivity of controllers and controllability of continuous dynamics. Components operate in parallel, with coarse-grained interleaving, periodic execution and communication. We present techniques to automate system safety proofs from isolated, modular, and possibly mechanized proofs of component properties parameterized with timing and scheduling characteristics.
An Axiomatic Approach to Liveness for Differential Equations
ABSTRACT. This paper presents an approach for deductive liveness verification for ordinary
differential equations (ODEs) with differential dynamic logic. Numerous
subtleties prevent the generalization of well-known discrete liveness
verification techniques, such as loop variants, to the continuous setting. For
example, ODE solutions rarely exist in closed-form, they may blow up in finite
time, or their progress towards the goal may converge to zero. Our approach
handles these subtleties by successively refining ODE liveness properties using
ODE invariance properties which have a well-understood deductive proof theory.
This approach is widely applicable: we survey several liveness arguments in the
literature and derive them as special instances of our axiomatic refinement
approach. We also correct several soundness errors in the surveyed arguments,
which further highlights the subtlety of ODE liveness reasoning and the utility
of our deductive approach. The library of common refinement steps identified
through our approach enables both the sound development and justification of new
ODE liveness proof rules from our axioms.