Verifying Programs with Unreliable Channels

We consider the verification of a particular class of infinite-state systems, namely systems consisting of finite-state processes that communicate via unbounded lossy FIFO channels. This class is able to model, e.g., link protocols such as the Alternating Bit Protocol and HDLC. For this class of systems, we show that several interesting verification problems are decidable by giving algorithms for verifying (1) thereachability problem—is a finite set of global states reachable from some other global state of the system ? (2)safety properties over tracesformulated as regular sets of allowed finite traces, and (3)eventuality properties—do all computations of a system eventually reach a given set of states? We have used the algorithms to verify some idealized sliding-window protocols with reasonable time and space resources. Our results should be contrasted with the well-known fact that these problems are undecidable for systems with unboundedperfectFIFO channels.     

Reachability analysis of rational eigenvalue linear systems

One of the key problems in the safety analysis of control systems is the exact computation of reachable state spaces for continuous-time systems. Issues related to the controllability and observability of these systems are well-studied in systems theory. However, there are not many results on reachability, even for general linear systems. In this study, we present a large class of linear systems with decidable reachable state spaces. This is approached by reducing the reachability analysis to real root isolation of exponential polynomials. Furthermore, we have implemented this method in a Maple package based on symbolic computation and applied to several examples successfully.     

利用有向环的性质求解可达关系

不确定规划研究的最终目标是求出规划解,但是由于缺少引导信息,直接求规划解会导致大量的无用状态和动作被搜索。获得状态间的可达关系可以避免冗余计算。目前求可达关系的方法效率较低,因此设计了一种求可达关系的新方法。将不确定状态转移系统抽象成一个图,在这个图中,查找状态之间的可达信息是否形成一个有向环。若存在一个有向环,说明环内每两个状态之间都有可达关系。将其中一个状态作为父节点,并且将这个环内所有状态的可达关系记录在父节点中,通过访问父节点的可达信息更新环内状态的可达信息,减少了许多无用的状态和动作被搜索。实验结果表明,所设计的算法不仅能得到更全面的可达关系,而且效率也高于已有的算法。     

Verifying parallel programs with dynamic communication structures

We address the verification problem of networks of communicating pushdown systems modeling communicating parallel programs with procedure calls. Processes in such networks can read the control state of the other processes according to a given communication structure (specifying the observability rights between processes). The reachability problem of such models is undecidable in general. First, we define a class of networks that effectively preserves recognizability (hence, its reachability problem is decidable). Then, we consider networks where the communication structure can change dynamically during the execution according to a phase graph. The reachability problem for these dynamic networks being undecidable in general, we define a subclass for which it becomes decidable. Then, we consider reachability when the switches in the communication structures are bounded. We show that this problem is undecidable even for one switch. We define a natural class of models for which this problem is decidable. This class can be used in the definition of an efficient semi-decision procedure for the analysis of the general model of dynamic networks. Our techniques allowed to find bugs in two versions of a Windows NT Bluetooth driver.     

Probabilistic opacity for Markov decision processes

Opacity is a generic security property, that has been defined on (non-probabilistic) transition systems and later on Markov chains with labels. For a secret predicate, given as a subset of runs, and a function describing the view of an external observer, the value of interest for opacity is a measure of the set of runs disclosing the secret. We extend this definition to the richer framework of Markov decision processes, where non-deterministic choice is combined with probabilistic transitions, and we study related decidability problems with partial or complete observation hypotheses for the schedulers. We prove that all questions are decidable with complete observation and ω-regular secrets. With partial observation, we prove that all quantitative questions are undecidable but the question whether a system is almost surely non-opaque becomes decidable for a restricted class of ω-regular secrets, as well as for all ω-regular secrets under finite-memory schedulers.     

Reachability and observability of switched linear systems with continuous-time and discrete-time subsystems

In this paper, the reachability and observability criteria of switched linear systems with continuous-time and discrete-time subsystems are obtained. These criteria show that the reachable set may not be a subspace in the state space, because of the existence of discrete-time subsystems. Therefore, the definition of span reachability is proposed. Moreover, we demonstrate that the reachable set is equivalent to subspace if the discrete-time subsystems are reversible. The subspace algorithms for span reachability and unobservability are provided. One example is introduced to illustrate the effectiveness of the proposed criteria.     

基于时序关系的系统失效可达图生成方法

针对状态事件故障树生成系统可达图过程中存在的状态空间爆炸问题,提出了一种基于时序关系的系统失效可达图生成方法。通过分析触发和被触发类型事件的时序关系,对存在时序关系的事件进行排序,根据时序关系获得系统构件间的所有不可同时到达状态对,对构件间的可同时到达状态建立笛卡尔积,获得系统的所有可同时到达状态对,根据连接表和最小割集获得系统失效的状态可达图,从而有效解决系统失效可达图生成过程中存在的状态空间爆炸问题。应用基于时序关系的系统失效可达图方法生成鱼攻系统失效可达图,实验结果 验证了该方法的可行性与稳定性; 同时也为表明其能有效地缓解状态空间爆炸问题,为状态事件故障树生成系统可达图提供了一种新的方法。     

Risk Assessment for One-Counter Threads

Threads as contained in a thread algebra are used for the modeling of sequential program behavior. A thread that may use a counter to control its execution is called a ‘one-counter thread’. In this paper the decidability of risk assessment (a certain form of action forecasting) for one-counter threads is proved. This relates to Cohen’s impossibility result on virus detection (Comput. Secur. 6(1), 22–35, 1984). Our decidability result follows from a general property of the traces of one-counter threads: if a state is reachable from some initial state, then it is also reachable along a path in which all counter values stay below a fixed bound that depends only on the initial and final counter value. A further consequence is that the reachability of a state is decidable. These properties are based on a result for ω-one counter machines by Rosier and Yen (SIAM J. Comput. 16(5), 779–807, 1987).