一种新的安全协议形式化验证方法

形式化方法能有效检验安全协议的安全性,BAN类逻辑的发展极大地促进了这一领域的研究,但是现有的BAN类逻辑仍然存在许多问题．在分析现有BAN类逻辑的基础上,提出一种新的安全协议形式化验证方法,实现现有BAN类逻辑的验证功能,并使安全协议验证工作简单可行,便于实现机器自动验证．为安全协议形式化验证提供了一种新的途径．     

一种针对CP-nets并发模型的验证方法

状态爆炸问题导致CP-nets并发模型的正确性验证工作十分困难。提出了基于并发属性的模型化简方法和基于功能组合的模型抽象方法,用于对模型进行处理,移去与并发属性不相关的模型元素,提升模型的抽象层次,使模型状态空间规模得到显著降低,并在并发属性相关行为上与原模型保持一致;在处理后模型中运用状态空间分析、模型检测等验证方法完成模型验证,针对验证得出的模型错误,通过处理前后模型的对照关系在原模型中进行改正。这在一定程度上避免了状态爆炸问题并实现了模型验证。通过将上述方法应用于HMIPv6协议模型,验证了其有效性。     

并发系统的模型和自动验证

时序逻辑可以很好地应用于描述和验证并发系统的动态特性。AMC(Model Checker for Asynchronous concurrent systems)代替传统的从公理出发的形式推导,将并发系统描述转换为系统状态模型,然后应用模型实现对系统时序特性的自动验证。AMC能处理一般形式的合理性问题,并能对大的并发系统进行层次结构模型验证。     

基于TLA的UML模型形式化验证

统一建模语言(UML)不能直接对所建立模型的正确性进行形式化验证。为解决上述问题,从UML模型的静态结构和动态行为 2个方面分别提出结合行为时序逻辑(TLA)的模型形式化方法,在此基础上提出将UML模型转化为TLA+的形式化描述方法,并用TLC工具形式化检测TLA+描述的正确性。通过实例分析证明了该方法的有效性。     

定义及验证UML Statechart图中的数据流语义

在传统的UML Statechart图中加入了数据流对象后;因为UML Statechart图缺乏精确的数据流语义;所以不适合应用UML Statechart图对工作流中的数据流进行建模并验证其正确性。为了解决这一问题;选择标记转换系统（LTS）作为语义域;并用结构化操作语义（SOS）分两步定义了UML Statechart图的数据流语义;为工作流中的数据流正确性验证奠定了基础。在此基础上;使用时序逻辑公式表示数据流所需满足的性质;在验证数据流的正确性之前;给出了将它的UML Statechart图模型转化为可达状态迁移图的算法;最后通过模型检测算法验证数据流的正确性。     

基于模型检查的TCP连接管理协议分析与验证

随着网络协议复杂性的增大,如何发现其自身的潜在错误变得非常重要.为了发现传统测试手段难以检测的错误,采用模型检查技术分析和验证网络协议.从TCP协议设计规范中提取了包含TCP连接管理协议重要细节的形式化模型,并采用模型检查工具SPIN验证协议模型是否满足需求,结果表明,TCP协议设计规范中同同时打开连接过程存在不一致问题,针对该问题提出了改进策略.     

基于STP方法的SCADE模型形式化验证框架

高安全性应用开发环境(SCADE)的形式化验证组件Design Verifier能够验证航空航天领域嵌入式软件系统的安全性质,但不能充分描述拥有复杂时序性质的安全需求。为解决该问题,构建一种SCADE状态机的时序性质验证框架,将SCADE模型转换成NuSMV模型,并将线性时态逻辑和计算树逻辑引入SCADE模型的需求规范中。分析结果表明,借助NuSMV模型检查器及其验证结果可检验复杂时序相关的安全性质,减少模型设计阶段的错误,提高系统的安全性和可靠性。     

安全协议的扩展Horn逻辑模型及其验证方法

分析了Bruno Blanchet和Martin Abadi提出的基于Horn逻辑的安全协议模型及其验证方法,针对它们构造不满足安全性质的安全协议反例的不足,提出了安全协议的扩展Horn逻辑模型和修改版本的安全协议验证方法,使得能够从安全协议的扩展Horn逻辑模型和修改版本的安全协议验证过程中自动构造不满足安全性质的安全协议反例．在基于函数式编程语言Objective Carol开发的安全协议验证工具SPVT中,实现了上述算法,验证了算法的正确性．     

工作流时序约束模型分析与验证方法

为了解决工作流时间建模与时序一致性验证问题,以时序逻辑和模型检查为基础,提出了一种工作流时间建模与时序一致性验证方法.该方法用一阶逻辑描述工作流模型及其时间信息,用时序逻辑描述工作流的时序约束,用模型检查算法对时序约束进行验证与分析.该方法不是针对某一种时序约束提出来的,而是能够验证任何用时序逻辑描述的工作流时序约束.该方法还能够对未通过验证的时序约束提供工作流运行实例作为反例,帮助用户定位模型的问题.以一个工作流时间建模和时序一致性验证的实例证实了所提出方法的有效性.     

操作系统汇编级形式化设计和验证方法

由于系统的巨大规模,操作系统设计和实现的正确性很难用传统的方法进行描述和验证.在汇编层形式化地对系统模块的功能语义进行建模,提出一种汇编级的系统状态模型,作为汇编语言层设计和验证的纽带.通过定义系统状态模型的合法状态和状态转换函数来建立系统状态模型的论域,并以此来描述汇编层的论域.通过验证汇编层的功能模块的正确性来保证汇编语言层设计的正确性,达到对系统功能实现的正确性验证.同时,使用定理证明工具Isabelle/HOL来形式化地描述这一系统状态模型,基于这一形式化模型,在Isabelle/HOL中验证系统模块的功能语义的正确性.以实现的安全可信OS（verified secure operating system,简称VSOS）为例,阐述了所提出的形式化设计和验证方法,说明了这一方法的可行性.     

模型检测中状态爆炸问题研究综述

模型检测已成为保证软件系统正确性和可靠性的重要手段,但随着软件功能日益强大,其规模和复杂度也越来越大,在模型检测过程中容易产生状态爆炸问题。如何解决模型检测中的状态爆炸,已成为工业界和理论界无法回避的重要课题。系统地综述模型检测领域解决状态爆炸问题的关键技术和主要方法,并提出该领域的最新研究进展与方向。     

时序逻辑程序的模型检测

时序逻辑程序的形式化验证对提高程序的正确性具有重要意义。以投影时序逻辑的可执行子集、框架投影时序逻辑语言Framed Tempura为研究对象,使用命题投影时序逻辑描述Framed Tempura程序的性质,将程序p和性质Ф统一表示在投影时序逻辑中,模型检测需要判定p→Ф是否有效,可转化为判定p∧Ф是否不可满足,这可以通过构造p∧Ф的正则图加以解决。最后,给出了Framed Tempura程序的模型检测实例。     

A state/event-based model-checking approach for the analysis of abstract system properties

We present the UMC framework for the formal analysis of concurrent systems specified by collections of UML state machines. The formal model of a system is given by a doubly labelled transition system, and the logic used to specify its properties is the state-based and event-based logic UCTL. UMC is an on-the-fly analysis framework which allows the user to interactively explore a UML model, to visualize abstract behavioural slices of it and to perform local model checking of UCTL formulae. An automotive scenario from the service-oriented computing (SOC) domain is used as case study to illustrate our approach.     

A model checker for linear time temporal logic

This report describes the design and implementation of a model checker for linear time temporal logic. The model checker uses a depth-first search algorithm that attempts to find a minimal satisfying model and uses as little space as possible during the checking procedure. The depth-first nature of the algorithm enables the model checker to be used where space is at a premium.This work was supported both by Alvey under grant PRJ/SE/054 (SERC grant GR/D/57942) and by ESPRIT under Basic Research Action 3096 (SPEC).     

Checking extended <Emphasis Type="Italic">CTL</Emphasis> properties using guarded quotient structures

We extend CTL logic to a logic called COUNT CTL (CCTL) for specifying properties of concurrent programs with large number of processes. We present a model checking algorithm for symmetric or partially symmetric systems when their correctness specification is given in CCTL. The model-checking algorithm employs Guarded Quotient Structures introduced by Sistla and Godefroid (Lecture Notes in Comput. Sci., vol. 2102, 2001). The GQS structures can be succinct representations for the reachability graphs of partially symmetric or even asymmetric systems. Our algorithm exploits state symmetries for fast evaluation. The algorithm is top down in nature, and automatically incorporates formula decomposition and sub-formula tracking. This paper is supported in part by the NSF grants CCR-9988884, CCR-0205365.     

Introductory Paper

In today’s competitive market designing of digital systems (hardware as well as software) faces tremendous challenges. In fact, notwithstanding an ever decreasing project budget, time to market and product lifetime, designers are faced with an ever increasing system complexity and customer expected quality. The above situation calls for better and better formal verification techniques at all steps of the design flow. This special issue is devoted to publishing revised versions of contributions first presented at the 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME) held 21–24 October 2003 in L’Aquila, Italy. Authors of well regarded papers from CHARME’03 were invited to submit to this special issue. All papers included here have been suitably extended and have undergone an independent round of reviewing.     

Relay Reachability Algorithm for Exploring Huge State Space

Since many desirable properties about finite-state model are expressed as a reachability problem, reachability algorithms have been extensively studied in model checking. On the other hand, reachability algorithms play an important role in game solving since reachability games are often described as a finite state model. In this sense, reachability algorithms are located in the intersection of the research areas of Model Checking and Artificial Intelligence.This paper interests in solving the reachability games called Push-Push. However, both exact and approximate reachability algorithms are not sufficient to the games since its state space is huge and requires lots of iterations such as 338 steps in the reachability computation. Thus we devise the new algorithm called relay reachability algorithm. It divides the global state space into several local ones. And exact reachability algorithm is applied on each local state space one by one. With these reachability algorithms, we solve all of the games.     

基于动态内存和状态管理的模型检测新方法

模型检测是并发系统验证的主要形式化方法之一,但其存在因状态空间爆炸而导致内存不够的问题,这也是大规模并发系统验证的瓶颈.很多研究人员尽管做了很多相关研究,但仍然没有很好地解决这个问题.在研究动态内存和状态管理的基础上,提出了一种新的模型检测方法,避免了因为内存不足而无法模型检测的问题.     

Integrating predicate transition nets with first order temporal logic in the specification and verification of concurrent systems

This paper presents some results of integrating predicate transition nets with first order temporal logic in the specification and verification of concurrent systems. The intention of this research is to use predicate transition nets as a specification method and to use first order temporal logic as a verification method so that their strengths — the easy comprehension of predicate transition nets and the reasoning power of first order temporal logic can be combined. In this paper, a theoretical relationship between the computation models of these two formalisms is presented; an algorithm for systematically translating a predicate transition net into a corresponding temporal logic system is outlined; and a special temporal refutation proof technique is proposed and illustrated in verifying various concurrent properties of the predicate transition net specification of the five dining philosophers problem.