Typing correspondence assertions for communication protocols

Woo and Lam propose correspondence assertions for specifying authenticity properties of security protocols. Prior work on checking correspondence assertions depends on model-checking and is limited to finite-state systems. We propose a dependent type and effect system for checking correspondence assertions. Since it is based on type-checking, our method is not limited to finite-state systems. This paper presents our system in the simple and general setting of the π-calculus. We show how to type-check correctness properties of example communication protocols based on secure channels. In a related paper, we extend our system to the more complex and specific setting of checking cryptographic protocols based on encrypted messages sent over insecure channels.     

Learning hard concepts through constructive induction: framework and rationale

The intrinsic accuracy of an inductive problem is the accuracy achieved by exhaustive table look-up. Intrinsic accuracy is the upper bound for any inductive method. Hard concepts are concepts that have high intrinsic accuracy, but which cannot be learned effectively with traditional inductive methods. To learn hard concepts, we must use constructive induction - methods that create new features. We use measures of concept dispersion to explore (conceptually and empirically) the inherent weaknesses of traditional inductive approaches. These structural defects are buried in the design of the algorithms and prevent the learning of hard concepts. After studying some examples of successful and unsuccessful feature construction ("success" being defined here in terms of accuracy), we introduce a single measure of inductive difficulty that we call variation. We argue for a specific approach to constructive induction that reduces variation by incorporating various kinds of domain knowledge. All of these kinds of domain knowledge boil down to utility invariants, i.e., transformations that group together non-contiguous portions of feature space having similar class-membership values. Utility invariants manifest themselves in various ways: in some cases they exist in the user's stock of domain knowledge, in other cases they may be discovered via methods we describe.     

Constructing invariants for hybrid systems

We present a new method for generating algebraic invariants of hybrid systems. The method reduces the invariant generation problem to a constraint solving problem using techniques from the theory of ideals over polynomial rings. Starting with a template invariant—a polynomial equality over the system variables with unknown coefficients—constraints are generated on the coefficients guaranteeing that the solutions are inductive invariants. To control the complexity of the constraint solving, several stronger conditions that imply inductiveness are proposed, thus allowing a trade-off between the complexity of the invariant generation process and the strength of the resulting invariants. This research was supported in part by NSF grants CCR-01-21403, CCR-02-20134 and CCR-02-09237, by ARO grant DAAD19-01-1-0723, by ARPA/AF contracts F33615-00-C-1693 and F33615-99-C-3014, and by NAVY/ONR contract N00014-03-1-0939.     

Test selection based on communicating nondeterministic finite-statemachines using a generalized Wp-method

Presents a method of generating test sequences for concurrent programs and communication protocols that are modeled as communicating nondeterministic finite-state machines (CNFSMs). A conformance relation, called trace-equivalence, is defined within this model, serving as a guide to test generation. A test generation method for a single nondeterministic finite-state machine (NFSM) is developed, which is an improved and generalized version of the Wp-method that generates test sequences only for deterministic finite-state machines. It is applicable to both nondeterministic and deterministic finite-state machines. When applied to deterministic finite-state machines, it yields usually smaller test suites with full fault coverage than the existing methods that also provide full fault coverage, provided that the number of states in implementation NFSMs are bounded by a known integer. For a system of CNFSMs, the test sequences are generated in the following manner: a system of CNFSMs is first reduced into a single NFSM by reachability analysis; then the test sequences are generated from the resulting NFSM using the generalized Wp-method     

An assertion-based verification methodology for system-level design

In this paper, we integrate an assertion-based verification methodology with our object-oriented system-level synthesis methodology to address the problem of HW/SW co-verification. In this direction a system-level assertion language is defined. The system-level assertions can be used to monitor the current state of system or flow of transactions. These assertions are automatically converted to “monitor hardware” or “monitor software” during the system-level synthesis process depending on their type and also synthesis style of their corresponding functions. The synthesized assertions are functionally equivalent to their original system-level assertions, and hence, can be reused to verify the system after HW/SW synthesis and also at run-time after system manufacturing. This way, not only system-level assertions are reused in lower-levels of abstraction, but also run-time verification of system is provided. In this paper, we describe the system-level assertion language and explain the corresponding synthesis method in our object-oriented system-level synthesis methodology; however the concept can be applied to any system-level design methodology with modifications to assertion types and synthesis method.     

Induction as the Basis for Program Verification

We will consider the inductive mechanisms in five techniques for verifying iterative/recursive program structures: inductive assertion, predicate transformers, subgoal induction, computation induction, and structural induction. We will discover that all five techniques can be justified by a single theorem about inductive proof techniques. We will also show that all five techniques face the problem of finding properties that will carry an induction. Such properties are called inductive sets. We will see that the inductive sets of the five techniques are easily related to one another and that a program proof by any of the techniques can be easily converted to a proof by any of the other techniques. Our conclusion is that computer programs simply are inductive definitions of the functions they compute. Induction is the only method by which they can be proved. The problems of induction are therefore unavoidable.     

一种C程序断言的全自动静态验证方法

在软件程序中插入断言是保证软件质量的一个简单但有效的方法，人们常使用测试的方法检验程序中的断言是否满足，但测试很难保证验证的完备性。本文提出了一种可以保证完备性的全自动静态断言验证方法，其基本思想是基于程序切片符号执行程序的所有执行路径，并证明路径上的所有断言都满足。为了尽量减少符号执行的语句的数量，使用了基于反例的抽象精化方法，从一个粗略的切片标准开始迭代地符号执行一爷路径，根据验证的反例自动生成下一次迭代过程中使用的精化的切片标准。包含循环的程序可能具有无穷多条程序执行路径，提出的基于符号执行上下文不变式证明的方法可以证明由于循环导致的无穷多条路径中断言都满足，从而使得验证过程可以终止。实验表明，提出的全自动静态断言验证方法不仅可行，而且验证代价较小，具有较强的实用性。     

A prototyping environment for specifying,executing and checking communicating real-time state machines

We describe a toolset, consisting of a graphical editor, a simulator, and an assertion checker, for prototyping real-time systems that are specified as Communicating Real-Time State machines (CRSMs). CRSMs are timed state machines that communicate synchronously over unidirectional channels. The system behavior of CRSMs is characterized by a time-stamped trace of communication events. Safety and timing assertions on the trace of communication events are expressed in a notation based on Real-Time Logic. We illustrate the simulator and assertion checker by specifying a traffic-light controller and other real-time systems. There are two main contributions in this work: first, the prototyping environment serves as a validation of the model, the execution algorithm and paper design of example CRSMs, demonstrating that the ideas are realizable and potentially useful. Secondly, the paper presents a novel and useful method of specifying safety and timing properties, and checking them during simulation.     

ADI: Automatic Derivation of Invariants

Most current systems for mechanical program verification are not fully automatic, since the user himself must provide the intermediate inductive assertions. This paper describes an interactive computer program, called ADI, which automatically generates the needed inductive assertions. ADI is also able to extend partial loop assertions supplied by the user to form complete assertions. The implementation (written in QLISP and INTERLISP) is based on both the algorithmic and the heuristic approaches introduced by Katz and Manna in "Logical Analysis of Programs" [25]. For the algorithmic subsystem ADI includes: Difference Equations Constructor, Difference Equations Solver, and Invariants from Conditional Statements Generator. The heuristic subsystem includes: Exit Rules Package, Bounding Variables Component, Strengthening Executer, Weakening Executer, and a Heuristic Invariant Matcher-which is the actual implementation of two new heuristics, MATCHPQ and MATCHPT. ADI is a small step toward interactive, practical program verification.     

Nondeterministic flowchart programs with recursive procedures: Semantics and correctness II

In the second part of this work, we formulate a new inductive assertion method applying to the class of nondeterministic flowchart programs with recursive procedures studied in part 1. Using results on unfolding proved in part 1, we prove that this method is sound and complete with a finite number of assertions. We study four notions of correctness: two notions of partial correctness (existential and universal) and the corresponding notions of total correctness. We also formalize two notions of extension and equivalence (existential and universal) in the second-order predicate calculus.     

Expressing checkable properties of dynamic systems: the Bandera Specification Language

Research on how to reason about correctness properties of software systems using model checking is advancing rapidly. Work on extracting finite-state models from program source code and on abstracting those models is focused on enabling the tractable checking of program properties such as freedom from deadlock and assertion violations. For the most part, the problem of specifying more general program properties has not been considered. In this paper, we report on the support for specifying properties of dynamic multi-threaded Java programs that we have built into the Bandera system. Bandera extracts finite-state models, in the input format of several existing model checkers, from Java code based on the property to be checked. The Bandera Specification Language (BSL) provides a language for defining general assertions and pre/post conditions on methods. It also supports the definition of observations that can be made of the state of program objects and the incorporation of those observations as predicates that can be instantiated in the scope of object quantifiers and used in describing common forms of state/event sequencing properties. We illustrate how BSL can be used to formulate a variety of system correctness properties for several multi-threaded Java applications. Published online: 2 October 2002     

Simulating the behavior of software modules by trace rewriting

The trace assertion method is a module interface specification method based on the finite state machine model. To support this method, we plan to develop a specification simulation tool, a trace simulator, that symbolically interprets trace assertions of trace specifications and simulates the externally observable behavior of the modules specified. We first present the trace assertion method. Then we formally define trace rewriting systems and show how trace rewriting, a technique similar to term rewriting, can be applied to implement trace simulation     

基于流分析与归纳不变式结合的German协议验证

German缓存一致性协议是用于共享内存的并发多处理器系统中的缓存一致性协议,对German协议进行形式化验证一直是学术界和工业界的热点.我们生成German协议的流图,对流程图的各个步骤进行详细的描述,并提出了流分析与归纳不变式结合对协议验证的方法,通过辅助不变式与协议流图的对应关系,从而进一步分析和验证German协议的正确性.     

A WOWA-based Aggregation Technique on Trust Values Connected to Metadata

Metadata produced by members of a diverse community of peers tend to contain low-quality or even mutually inconsistent assertions. Trust values computed on the basis of users' feedback can improve metadata quality and reduce inconsistency, eliminating untrustworthy assertions.In this paper, we describe an approach to metadata creation and improvement, where community members express their opinions on the trustworthiness of each assertion. Our technique aggregates individual trustworthiness values to obtain a community-wide assessment of each assertion. We then apply a global trustworthiness threshold to eliminate some assertions to reduce the metadatabase's overall inconsistency.     

Computing differential invariants of hybrid systems as fixedpoints

We introduce a fixedpoint algorithm for verifying safety properties of hybrid systems with differential equations whose right-hand sides are polynomials in the state variables. In order to verify nontrivial systems without solving their differential equations and without numerical errors, we use a continuous generalization of induction, for which our algorithm computes the required differential invariants. As a means for combining local differential invariants into global system invariants in a sound way, our fixedpoint algorithm works with a compositional verification logic for hybrid systems. With this compositional approach we exploit locality in system designs. To improve the verification power, we further introduce a saturation procedure that refines the system dynamics successively with differential invariants until safety becomes provable. By complementing our symbolic verification algorithm with a robust version of numerical falsification, we obtain a fast and sound verification procedure. We verify roundabout maneuvers in air traffic management and collision avoidance in train control and car control.     

An automated reasoning problem associated with proving claims about programs using Floyd-Hoare inductive assertion methods

Proving claims about behavior of software is essential for the qualification of computer-based systems used in the control of nuclear reactors. For this Problem Corner, we select one of the verification conditions for a C program that initializes an array to zero. We add assertions about the initial conditions and state of the program and about the expected behavior of the program in terms of its state. The modeling and specification technique is the inductive assertion technique of Floyd-Hoare. The program with assertions is then transformed by the source-to-source program transformation system TAMPR into a set of separate verification conditions to be proven by the automated reasoning system. Our experience with this program demonstrates the typical automated reasoning problems we have encountered and illustrates how we have approached solutions to the problems.Work supported by the Civilian Reactor Development Program and the Applied Mathematical Sciences Research subprogram of the Office of Energy Research, U.S. Department of Energy, under Contract No. W-31-109-ENG-38.     

Liveness with invisible ranking

The method of invisible invariants was developed originally in order to verify safety properties of parameterized systems in a fully automatic manner. The method is based on (1) a project&generalize heuristic to generate auxiliary constructs for parameterized systems and (2) a small-model theorem, implying that it is sufficient to check the validity of logical assertions of a certain syntactic form on small instantiations of a parameterized system. The approach can be generalized to any deductive proof rule that (1) requires auxiliary constructs that can be generated by project&generalize, and (2) the premises resulting when using the constructs are of the form covered by the small-model theorem. The method of invisible ranking, presented here, generalizes the approach to liveness properties of parameterized systems. Starting with a proof rule and cases where the method can be applied almost “as is,” the paper progresses to develop deductive proof rules for liveness and extend the small-model theorem to cover many intricate families of parameterized systems.     

Improving the precision of INCA by eliminating solutions withspurious cycles

The Inequality Necessary Condition Analyzer (INCA) is a finite-state verification tool that has been able to check properties of some very large concurrent systems. INCA checks a property of a concurrent system by generating a system of inequalities that must have integer solutions if the property can be violated. There may, however, be integer solutions to the inequalities that do not correspond to an execution violating the property. INCA thus accepts the possibility of an inconclusive result in exchange for greater tractability. We describe here a method for eliminating one of the two main sources of these inconclusive results     

基于线性误差断言的推理方法

误差在系统中是普遍存在的。在安全关键系统中,对误差的定量分析是必要的,而以往的推理验证方法较少考虑误差。误差通常用区间数来刻画,从而推广了线性断言,并给出了线性误差断言的概念。此外,结合凸集的性质,提出了求解线性误差断言顶点的具体方法,并验证了该方法的正确性。通过分析相关概念及定理,将判断线性误差断言之间的蕴含关系的问题转化为前驱断言的顶点是否被包含在后驱断言的零点集的判断问题,从而给出了判断线性误差断言的蕴含关系的具体方法步骤,且该方法易于在计算机上编程实现。最后,给出该方法在火车加速状态上的应用,并且用大量随机实例测试了该方法的正确性。与不含误差语义的推理方法相比,该方法在含误差参数的系统的推理验证领域是有优势的。     

Parameterized Verification of Linear Networks using Automata as Invariants

The paper proposes an induction based approach, that employs automata as inductive invariants, for verifying safety and liveness properties of linear networks of arbitrary size. The proposed method has been shown to be complete for verifying safety properties. Automated methods that check for correcteness of such families of networks are proposed. These methods are based on generating an invariant automaton from the correctness property which is also specified by an automaton. These methods have been implemented and successfully tested on some examples. Received November 1998 / Accepted in revised form June 1999