For successful software verification, model checkers must be capable of handling a large number of program variables. Traditional, BDD-based model checking is deficient in this regard, but SAT-based model checking, i.e. bounded model checking (BMC), shows some promise. However, unlike traditional model checking, for which timed systems have been thoroughly researched, BMC is less capable of modeling timing behavior, an essential task for verifying many types of software. Here we propose a new SAT-based model checker, named xBMC, to solve the reachability problem of real-time systems. In xBMC, we encode the behavior of region automata as Boolean formulas, and efficiently represent the region graph via discrete interpretations. In an experiment using well-developed model checkers to detect collisions in Fischer's protocol, xBMC outperformed both traditional (Kronos [12], Uppaal [22], and RED [35]) and bounded (SAL [27]) model checkers by being able to verify up to 22 processes, followed by RED with 15 processes. Moreover, to support both property refutation and verification, we also implement a complete inductive algorithm in xBMC that removes the requirement of reaching an intrinsic threshold, i.e. the number of regions. In another experiment, verifying the client authentication protocol of Cornell Single Sign-on Services, xBMC proves the protocol correct efficiently, since a proof is constructed in a rather small number of inductive steps. We conclude that by combining efficient Boolean encoding, inductive methods, and the SAT solver's capability, xBMC provides an effective and practical method for timing behavior verification.
Introduction
Verification of real-world software systems mandates the ability to handle a large number of system variables. In symbolic model checking, the relations among system variables are encoded as binary decision diagrams (BDDs). A lot of system behavior can be explored by one BDD computation. The technique is known to be useful in many case studies. But since the size of BDDs may grow significantly as the number of variables increases, verification of systems with a large number of variables remains a difficult problem for conventional BDD-based model checking algorithms. On the other hand, satisfiability (SAT) solvers are less sensitive to the number of variables. SAT-based techniques, such as bounded model checking, have shown some promise in recent years [10, 13]. A recent comparison [7] of the two techniques suggests that BDD-based algorithms require more space, but SAT-based algorithms take more time. Since various heuristics have been proposed to improve the efficiency of SAT solvers [23, 26], the performance of SAT-based algorithms has improved as well. Consequently, the SAT-based bounded model checking technique has been applied in more application domains [14, 18].
However, the advantages of SAT-based algorithms are less clear in the analysis of timing behavior, which is essential in embedded systems and protocol implementations. A difficulty in applying SAT-based techniques is the modeling of timing behavior. Göllü et al. [16] proposed discretizations of dense-time automata and showed that a discretized trajectory traverses the same sequence of time regions as its original dense-time trajectory. Our contributions in this paper are threefold. Firstly, we encode the implicit simulation of the region exploration algorithm in Boolean formulae and apply bounded model checking techniques to the analysis of timed automata. We not only characterize regions as combinations of discrete interpretations, but also precisely encode these interpretations' settings as Boolean formulas. To eliminate discretization side effects such as those mentioned by Göllü et al. [16], we suggest using an exceptional successor formula that prevents timing behavior distortions. We prove that the satisfiability of these Boolean formulae is equivalent to solving the forward reachability problem of dense-time systems.
Secondly, we incorporate an inductive method in our bounded model checking algorithm. Since bounded model checking is not efficient in proving the correctness of systems, heuristics such as induction have been proposed to circumvent this drawback. The basic idea of the inductive method is to prove safety properties for all steps by assuming them in the previous steps. The induction technique has been known in the literature [10, 15, 28, 33], but none of these works considers timing behavior.
By applying a loop-free inductive method, we enhance our bounded reachability analysis algorithm of region automata with induction. When the inductive method is effective, it guarantees the given safety property and terminates the algorithm immediately. Compared with other encodings of timing behavior [7, 27, 29, 31, 32], the discretization of region automata allows us to deploy the inductive method rather straightforwardly. Unlike conventional model checking algorithms for real-time systems [12, 22, 35], we leverage the SAT solver's capability and the inductive method's effectiveness in the analysis of timing behavior. Consequently, we believe that our combined algorithm provides a plausible solution to alleviate state explosion, especially for systems with many state variables.
Lastly, we implement our new algorithm in a verification tool and report experimental results. Our experimental results suggest that our tool, xBMC, is more scalable for bug hunting than both conventional (Kronos [12], Uppaal [22], and RED [35]) and bounded (SAL [27]) model checkers, being able to verify Fischer's protocol with up to 22 processes. In another experiment, we verify the correctness of the client authentication protocol of Cornell Single Sign-on Services (CorSSO) [19]. Our results show that xBMC can construct a proof in a handful of inductive steps. Hence, it offers a practical solution to both correctness guarantee and bug hunting in our experiments. The rest of this paper is organized as follows. In Section 2 we briefly describe timed automata having both discrete and clock variables. In Section 3 we describe how to encode the behavior of region automata as Boolean formulas. An inductive algorithm is given in Section 4. Inductive reachability analysis is given in Section 5, and experimental results are summarized in Section 6. After discussing related work in Section 7, we present our conclusions in Section 8.
Timed Automata
Let us first review what a real-time system is. Real-time systems are those that contain not only discrete variables but also dense-time clocks, where all clocks have a real domain and continuously increase at a uniform rate. Clocks are usually set to zero at the beginning and can be reset at any time. Such an action, i.e. resetting clocks, can happen at any time and induces no time cost. In other words, there is always room between any two actions for some other action to happen. Such a real-time system can usually be modelled as a timed automaton, as proposed by Alur et al. [3]. Formally speaking, a timed automaton is a tuple ⟨D, X, A, I, E⟩, where:
1. D is a finite set of discrete variables, with each d ∈ D having a predefined finite domain denoted by dom(d),
2. X is a finite set of clock variables,
3. A is an action set, with each τ ∈ A consisting of a finite series of discrete variable assignments,
4. I specifies an initial condition, and
5. E is a finite set of edges. An edge e : ⟨ϕ, τ, λ⟩ ∈ E represents a transition consisting of ϕ ∈ Φ(D, X), a triggering condition which specifies when the transition can be fired, τ ∈ A, the action that changes the current discrete interpretation into the next one, and λ ⊆ X, the set of clocks to reset.
For a set D of discrete variables and a set X of clock variables, the set Φ(D, X) of constraints ϕ is defined by ϕ := ff | d = q | x c | ¬ϕ | ϕ_1 ∨ ϕ_2, where d ∈ D and q ∈ dom(d), x ∈ X, ∈ {<, =, ≤}, and c ∈ N is a non-negative integer. Typical short forms are:
A discrete interpretation s assigns each discrete variable a non-negative integer that represents one value from its predefined domain, i.e. s : D → N. A clock interpretation ν assigns a non-negative real value to each clock, i.e. ν : X → R_{≥0}. We say that an interpretation pair (s, ν) satisfies constraint ϕ if and only if ϕ evaluates to true according to the values given by (s, ν).
For an action τ ∈ A, s[τ] denotes the discrete interpretation after applying τ to s. For δ ∈ R^+, ν + δ denotes the clock interpretation that maps each clock x to the value ν(x) + δ. For λ ⊆ X, ν[λ] denotes the clock interpretation that assigns 0 to each x ∈ λ and agrees with ν over the rest of the clocks. The essence of a timed automaton is a transition system ⟨Q, →⟩, where Q is the set of states and → is the transition relation. A state of a timed automaton is a pair (s, ν) such that s is a discrete interpretation of D and ν is a clock interpretation of X. We say (s, ν) is an initial state if s maps discrete variables to values that satisfy I and ν(x) = 0 for all x ∈ X. There are two types of →, i.e.
For a state (s, ν) and ∃e
A run r : (s_0, ν_0) → (s_1, ν_1) → ··· of a timed automaton is an infinite sequence of states and transitions, where for all i ∈ N, (s_i, ν_i) ∈ Q. An arbitrary interleaving of the two transition types is permissible. A state (s', ν') is reachable from (s, ν) if it belongs to a run starting at (s, ν). Let Run(s, ν) denote the set of runs starting at (s, ν). We define Reach(s, ν) = {(s', ν') | ∃r ∈ Run(s, ν) and i ∈ N, (s_i, ν_i) = (s', ν')} as the set of states reachable from (s, ν).
Boolean Encoding of Region Automata

Region
System states change as time progresses, but some of the changed states are not distinguishable by constraints. Based on this observation, Alur et al. [3, 6] defined the equivalence of clock interpretations and proposed region graphs for the verification of timed automata. To be self-contained, we give the formal definition of the equivalence class in Definition 1. For each x ∈ X, let c_x be the largest constant that x is compared to within any triggering condition. For t ∈ R_{≥0}, let ⌊t⌋ denote t's integral part, and frac(t) = t − ⌊t⌋ denote t's fractional part. Definition 1 For clock interpretations ν and ν' in a timed automaton, we say ν ≅ ν' if and only if the following conditions hold.
It can be shown that ≅ defines an equivalence relation over clock interpretations. We use [ν] to denote the equivalence class that ν belongs to. To discretize timed automata correctly and efficiently, in this paper we represent the set of clock assignments of an equivalence class as (ν_d, ν_γ), a pair of discrete interpretations mapping the integral parts and the fraction ordering of the clock assignments respectively. Given an equivalence class [ν], the integral parts of the clock assignments determine the discrete interpretation ν_d in (1), which maps each clock x ∈ X, assuming ν(x) = t, into an integer representing an interval from
We also define three predicates, E, O and M, to determine whether the discrete value of a clock is even, odd or its maximum. Definition 2 Given a discrete interpretation ν_d, for some clock x ∈ X:
We then use ν_γ, defined in equation (2), to indicate the fraction ordering of the equivalence class [ν]. This discrete interpretation maps an ordered clock pair, e.g. (x_1, x_2), into a relation from {≺, , ≈}, where •
To prove the second condition of definition 3, it is crucial to note that for any pair (
. The first condition of definition 1 holds. Since
, it follows that frac(ν(x)) = 0 iff frac(ν'(x)) = 0. Finally, as we mentioned, for any pair (x_1, x_2) ∈ ν_γ, each value of ν_γ(x_1, x_2) exactly specifies the fraction relation between x_1 and x_2. It follows that ν_γ(
, while ν_d and ν_γ are defined in (1) and (2) respectively. For example, the equivalence class 1 < x_1 < x_2 < 2 ∧ x_3 = 1 is represented by the pair (ν_d, ν_γ), where
Successor
Following the work of Alur et al. [3] , we give the definition of successor, which captures how system states move from one region into its subsequent region due to time passage.
Definition 4 Let α, β be two distinct regions of a timed automaton. β is the successor of α, written succ(α), if and only if for each
Before answering how to encode the successor relation for general interpretation states, we first focus on 2-clock systems. Suppose X = {x_1, x_2}; regions can then be classified into eleven classes according to their shapes: point (1), vertical segment (2), vertical line (3), horizontal segment (4), back triangle (5), slash (6), triangle (7), vertical rectangle (8), horizontal line (9), horizontal rectangle (10) and square (11). We illustrate them in Figure 3.2. The respective discrete interpretation conditions of current and next states are shown in Table 1.
Accordingly, it is possible to define a 2-clock formula φ for the successor relation of a 2-clock system using the conditions of current and succeeding discrete interpretations (see Table 1). Let ν_d, ν_γ ⊨ φ denote that φ evaluates to true according to the values given by ν_d, ν_γ. Lemma 3 shows the correctness.
Lemma 2 Given a 2-clock timed automata with
Proof. The proof is trivial since in a 2-clock system, the successor of a region is exactly the first region it encounters following the 45 degree arrow.
be two regions of a 2-clock timed automata with
Proof. The correctness of this insight is shown by the following assertions of table 1.
• All cases are considered, i.e., i=1∼11 ψ
• Each case presents a unique type, i.e., i =j ψ
• According to Lemma 2, the condition of the current equivalence class and its successor in the i-th case is exactly specified by ψ
. □ We derive a general formula for n-clock systems by intersecting 2-clock formulas, instead of inspecting all clock values at one time. Our initial attempt intersected φ_2 of each distinct clock pair, i.e.,
. Apparently such an intuitive conjunction easily raises contradictions. Returning to the previous example, where a region
) = 3 makes the predicate evaluate to false. This is because we require x_2 to increase when compared to x_1, but require it to keep the same value (stutter) when compared to x_3. We call clocks that raise contradictions contradictory clocks. Two important observations help us prevent these contradictions.
1. All contradictory clocks belong to the set {x | O(ν_d(x))}.
2. Contradictions should be resolved by either a) enforcing the clocks in {x | E(ν_d(x))} to increase, or b) if no clock has an even value, enforcing the clocks having the largest fractional part to increase.
Instead of enforcing clocks to increase, our solution is to add an auxiliary case that allows contradictory clocks to stutter.
By disjoining the stuttering conditions defined in Table 2, we define the (i,j)-clock formula for n-clock systems as equation (4).
Returning to the previous example, the conjunction of all (i,j)-clock formulas implies
The predicate is equal to
This is the precise discrete interpretation of 1 < x_3 < x_1 < x_2 < 2, which is exactly the successor of 1 < x_1 < x_2 < 2 ∧ x_3 = 1.
Adding auxiliary stuttering cases helps us prevent contradictions, but it may induce distorted behavior, such as all clocks stuttering. This can happen only when ∀x ∈ X, O(ν_d(x)) holds. We prevent all pairs from stuttering by adding the formula φ_nzeno as equation (5). Finally, φ_time, the general successor formula for n-clock systems, is given in equation (6).
Proof. (⇒) It is easy to see that β = succ(α) implies that, for each pair of clocks (x_i, x_j), φ_n^(i,j) evaluates to true (according to Lemma 3), and not all stuttering cases are allowed, i.e.
We prove that all cases satisfy definition 4.
11, from which it follows that
We assert that χ = {x | x ∈ X, E(ν_d(x))}. This can be seen as follows. We first prove that ∀x ∈ χ, E(ν_d(x)). Assume that there exists x_i ∈ χ with O(ν_d(x_i)). Then we can find some x_j such that E(x_j) and ψ
is violated. This raises a contradiction. We then prove that ∀x ∈ X with E(ν_d(x)), x ∈ χ. Assume that there exists x_i such that E(ν_d(x_i)) and x_i ∉ χ. Then we can find some x_j such that a) if E(x_j), ψ
is violated. In any case, the assumption raises a contradiction. Since only the clocks in {x | x ∈ X, E(ν_d(x))} progress, for any ν ∈ α and ν' ∈ β, we can choose a δ such that 0 < δ < 1 − max_{x∈X} frac(ν(x)), and ∀ 0 ≤ δ' < δ,
In other words, we assert
, and x has the largest fraction}. Again, we first prove that ∀x ∈ χ, x has the largest fraction. Assume that there exists x_i ∈ χ and x_j having a larger fraction than 5 is violated and a contradiction arises. We then prove that all clocks having the largest fraction are in χ. Assume that there exists x_i having the largest fraction and x_i ∉ χ. Then we can find some x_j such that a) if O(x_j) and ν_γ = ≈, ψ
is violated. In any case, the assumption raises a contradiction. Finally, since all and only the clocks having the largest fraction progress, for any ν ∈ α and ν' ∈ β, we can choose a δ such that δ = 1 − frac(ν(x)), x ∈ χ, and for all 0 < δ' < δ, ν
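The representation (ν_d, ν_γ) of Section 3.1 and the two successor cases just proved (clocks with even ν_d advance; otherwise the clocks with the largest fraction advance) can be exercised directly on the paper's running example. The following is an added illustration written for this text, not code from xBMC; the interval numbering 0, 1, ..., 2c_x + 1 it uses for ν_d is an assumption consistent with the E/O/M predicates.

```python
"""Region representation (nu_d, nu_gamma) and its time successor.

Added example written for this text, not code from xBMC.  It follows the
discretisation of Section 3.1 and the two successor cases of Section 3.2:
clocks with an even nu_d advance; otherwise the clocks with the largest
fraction advance.  The index scheme 0, 1, ..., 2*c_x + 1 (even = integer
point, odd = open unit interval, 2*c_x + 1 = beyond c_x) is an assumption
consistent with the E/O/M predicates and the 2*c_x + 2 values per clock.
"""
from fractions import Fraction
from itertools import combinations
from math import floor

LT, GT, EQ = "<", ">", "="        # stand-ins for the paper's relations on fractions


def nu_d_of(t, c):
    """Interval index of clock value t under largest constant c."""
    t = Fraction(str(t))              # exact arithmetic: fraction comparisons are exact
    if t > c:
        return 2 * c + 1              # the unbounded interval (c, inf): M holds
    k = floor(t)
    return 2 * k if t == k else 2 * k + 1   # even: t == k, odd: k < t < k + 1


def E(v): return v % 2 == 0          # clock sits on an integer point
def O(v): return v % 2 == 1          # clock sits in an open unit interval
def M(v, c): return v == 2 * c + 1   # clock is beyond its largest constant


def region_of(nu, consts):
    """Abstract a concrete valuation nu (clock -> value) into (nu_d, nu_gamma).
    Pairs involving a clock beyond its constant are discarded: its fraction
    can no longer influence any triggering condition."""
    nu_d = {x: nu_d_of(nu[x], consts[x]) for x in nu}
    nu_g = {}
    for x1, x2 in combinations(sorted(nu), 2):
        if M(nu_d[x1], consts[x1]) or M(nu_d[x2], consts[x2]):
            continue
        f1, f2 = Fraction(str(nu[x1])) % 1, Fraction(str(nu[x2])) % 1
        nu_g[(x1, x2)] = LT if f1 < f2 else GT if f1 > f2 else EQ
    return nu_d, nu_g


def rel(nu_g, x, y):
    """Relation between frac(x) and frac(y), reading the stored pair either way."""
    if (x, y) in nu_g:
        return nu_g[(x, y)]
    return {LT: GT, GT: LT, EQ: EQ}[nu_g[(y, x)]]


def successor(region, consts):
    """Time successor succ(alpha) of a region, or None when no clock can move."""
    nu_d, nu_g = dict(region[0]), dict(region[1])
    live = [x for x in nu_d if not M(nu_d[x], consts[x])]
    if not live:
        return None
    # case a): integer-valued clocks (even nu_d) enter the open interval above
    # them; their fraction goes from 0 to a tiny positive value and remains the
    # smallest of all, so nu_gamma is unchanged.
    chi = [x for x in live if E(nu_d[x])]
    if not chi:
        # case b): the clocks with the largest fraction reach the next integer;
        # their fraction becomes 0, hence the smallest, and the rest keep order.
        chi = [x for x in live
               if all(rel(nu_g, x, y) != LT for y in live if y != x)]
        for x1, x2 in nu_g:
            in1, in2 = x1 in chi, x2 in chi
            if in1 and in2:
                nu_g[(x1, x2)] = EQ
            elif in1:
                nu_g[(x1, x2)] = LT
            elif in2:
                nu_g[(x1, x2)] = GT
    for x in chi:
        nu_d[x] += 1
        if M(nu_d[x], consts[x]):         # x passed c_x: its pairs are dropped
            for pair in [p for p in nu_g if x in p]:
                del nu_g[pair]
    return nu_d, nu_g


def successor_chain(region, consts):
    """Every region reached from `region` by time passage alone."""
    chain = []
    while (region := successor(region, consts)) is not None:
        chain.append(region)
    return chain


# The paper's example 1 < x1 < x2 < 2 and x3 = 1; the constants c_x = 2 are constructed.
CONSTS = {"x1": 2, "x2": 2, "x3": 2}
ALPHA = region_of({"x1": "1.2", "x2": "1.5", "x3": "1"}, CONSTS)
BETA = successor(ALPHA, CONSTS)        # represents 1 < x3 < x1 < x2 < 2
```

Running successor_chain on ALPHA walks the region through x_2 = 2, x_2 > 2, x_1 = 2 and so on until every clock is beyond its constant.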
Discrete Transition
In this subsection, we describe how to trigger an edge using discrete interpretations. Since we use discrete intervals to represent clock values, the first step is to transform the triggering condition ))}, and b) discards other pairs. Given an edge e : ⟨ϕ, τ, λ⟩, we can define ψ(e), the conditions over discrete interpretations that trigger this edge, as equation (7). Then, given a TA, we define its discrete transition formula φ_tran as equation (8). 1 < 2c, and c) if ¡ is ≤, this can be proved via a) and b). The proof of (⇐) is similar. □ The proof follows Lemma 5 and the correctness of the discrete assignment encodings. □
Interpretation Graph
A TA's transition system is represented by a finite discrete interpretation graph. φ_time defines the successor relation formula, capturing a region moving into its subsequent region due to time passage, while φ_tran defines the discrete transition formula for triggering some edge using discrete interpretations. Let
Corollary 1 Given a TA, (s, ν) −δ→ (s', ν') if and only if [ν] is represented by (ν_d, ν_γ), [ν'] is represented by (ν'_d, ν'_γ), and (s, ν_d, ν_γ) −δ*≅→ (s', ν'_d, ν'_γ).
Corollary 2 Given a TA, (s, ν) −e→ (s', ν') if and only if (s, ν_d, ν_γ) −e≅→ (s', ν'_d, ν'_γ).
Boolean Encoding
The set of our state variables B is defined in equation (9), in which a set of Boolean variables is used to encode interpretation states. Given each discrete variable's domain and each clock's largest constraint value, the number of state variables, i.e. |B|, equals lg|dom(d)| + lg(2c_x + 2) + |X|(|X| − 1). For example, given a timed automaton with one discrete variable q : {Q_1, Q_2} and two clocks x_1 : c_x1 = 1, x_2 : c_x2 = 1, the region q = Q_1 ∧ 0 < x_1 < x_2 < 1 would be encoded as b
To perform BMC, we add a copy of B to the set of state variables at each iteration. Finally, we build a circuit representation to translate the bit-vector logic (used to build the equation for a concrete transition relation) into conjunctive normal form (CNF).
Induction
Although SAT-based model checking is very useful for bug hunting [9, 13, 39], its ability to prove properties is often criticized. The inductive method offers SAT-based model checking an opportunity to prove safety properties efficiently. The basic idea, like mathematical induction, is to prove the safety property for all steps by assuming the property on previous steps. Here, we briefly illustrate the technique; interested readers are referred to [10, 15, 28, 33] for further discussion. Let q_0 ∈ Q be the initial state and P(•) a predicate over states in Q. We would like to prove by induction that for any state q reachable from q_0, P(q) holds. Firstly, we verify whether P(q_0) holds. If not, an error is reported for q_0. If P(q_0) holds, we check whether P(q) ∧ (q → q') ∧ ¬P(q') can be satisfied, i.e. whether it is possible to reach a state q' that does not satisfy P(•) from any state q satisfying P(•). If it is impossible, we know that P(•) must hold for any state in Reach(q_0). To see this, recall that P(q_0) holds. We argue that all successors of q_0 must satisfy P(•). If not, P(q) ∧ (q → q') ∧ ¬P(q') must be satisfiable for some successor q', which is a contradiction. Similarly, we can prove that all states reachable from q_0 in two steps must satisfy P(•), and so on. Hence we conclude that all reachable states must satisfy P(•).
In the example, the depth of the inductive step is one. We call it simple induction. However, the capability of simple induction is very limited. Just like mathematical induction, it may be necessary to assume several previous steps in order to prove the property. In the literature, induction with arbitrary depths has been proposed. Unfortunately, the inductive technique cannot prove all safety properties, even with arbitrary depths. In [10, 15, 28, 33], various mechanisms are proposed to make induction complete. Here, we use loop-free induction.
) return "success"; if (i=MaxBound) return "fail within MaxBound steps"; i:=i+1; end.
Figure 2: Flow of Inductive Method
In loop-free induction, additional constraints are applied to prevent loops. Consider a self-loop transition, followed by a state that does not satisfy P(•). The problematic state can always be reached by an inductive step of arbitrary depth. It suffices to consider a short path leading to the problematic state and still prove the soundness and completeness of the induction. By requiring all previous states to be distinct, loop-free induction eliminates such insubstantial paths. Based on the discretization scheme in Section 3, we can deploy loop-free induction to speed up the verification of safety properties. In Figure 2, which shows the flow of the inductive method, B_i represents the state variables of the i-th step and P(B) is true when the valuation of B satisfies the predicate P(•).
The flow tries to establish the loop-free inductive step within a given bound. The inductive step essentially checks whether it is possible to reach any bad state following several safe states. If it is impossible, we stop; otherwise, the length is increased and the algorithm repeats the loop.
Reachability Analysis
In this section, we describe how we deal with the reachability problem by solving the satisfiability problem of an expanding Boolean formula iteratively. Moreover, we show how to apply loop-free induction in BMC efficiently.
Bounded Reachability Analysis
Given an initial condition, a risk condition, a transition condition and an integer bound, we solve the bounded reachability problem by iteratively calling the SAT solver. We unfold the interpretation transition relation until the SAT solver returns a truth assignment or the bound is reached. Let I(B_i) and R(B_i) respectively denote the CNF formulas of the given initial and risk conditions over B_i. The implementation of BoundedFwdReach() is given in Figure 2. By conjoining the formula with the negated clause of the risk condition, each intermediate result is saved for use in later iterations to speed up the decision procedure of the SAT solver. In the next section, we also show that this conjunction can be used directly to apply the inductive method. If the risk state is reachable, the formula will be satisfied at the i-th step, and a truth assignment will be returned by the SAT solver. The procedure then terminates and generates a counterexample. The formula keeps expanding if no risk state is reached. Therefore, if the risk state is unreachable, the procedure terminates when either MaxBound is reached or memory is exhausted. Given a TA having n regions, the final formula will contain
Inductive Reachability Analysis
Since the number of regions is exponential in the number of clocks, as well as in each clock's largest constant, the threshold is usually prohibitively high. In IndFwdReach(), we combine loop-free induction with BoundedFwdReach() and obtain a complete inductive algorithm for forward reachability analysis. Note that, in Figure 2, we denote the released formula as F \ I, i.e. removing the clauses of I from F. Two extra checks, for the loop-free requirement and for the induction, are used to help determine completeness in early steps. If the loop-free requirement is not satisfied, which means that no new states can be reached in the next step, the procedure can terminate and the risk state is unreachable. For the induction, we regard P(•) as ¬R(•), i.e. the negation of the risk condition. Once the induction succeeds, we can conclude that all reachable states must satisfy ¬R(•), which implies that the risk state is unreachable.
One limitation of this inductive method is that we cannot predict in which step it will terminate with "success" returned. Although regions are finite and we can guarantee success once MaxBound exceeds the number of regions, in the worst case the inductive method cannot determine termination ahead of time and only induces overhead. However, when the inductive method is effective, it can verify the given safety property within a handful of steps, regardless of the diameter of the reachability graph. Moreover, since the loop-free constraints force the SAT solver to search for distinct states, removing MaxBound retains the ability to guarantee termination and correctness. If we are concerned with complete verification, there is no need to determine the bound ahead of time. In Section 6, we conduct an experiment to show the effectiveness of induction.
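The three checks that IndFwdReach() makes at each step (bounded reachability, the loop-free requirement, and the inductive step over the released formula F \ I) can be made explicit on a small finite system. The following is an added example written for this text, not the xBMC implementation: exhaustive path search stands in for the SAT solver, and the toy transition systems at the bottom are constructed for the illustration.

```python
"""Loop-free inductive forward reachability (IndFwdReach) on a finite system.

Added example written for this text, not the xBMC implementation.  Exhaustive
path search stands in for the SAT solver, so the three questions asked at
each step i are explicit:
  1. I(B_0) /\ T /\ ... /\ R(B_i)            : a counterexample of length i?
  2. a loop-free path of length i from I?     : if none, no new states exist;
  3. ~R(B_0) /\ ... /\ ~R(B_i) /\ T /\ R(B_{i+1}) with all states distinct and
     B_0 unconstrained (the released formula F \ I): the inductive step.
The toy transition systems at the bottom are constructed for the illustration.
"""


def find_path(states, trans, length, start_ok, mid_ok, end_ok, loop_free):
    """A path of `length` transitions meeting the predicates, or None."""
    def dfs(path):
        if len(path) == length + 1:
            return path if end_ok(path[-1]) else None
        for nxt in trans(path[-1]):
            if loop_free and nxt in path:
                continue                       # B_0 .. B_k must be distinct
            if len(path) < length and not mid_ok(nxt):
                continue                       # intermediate state constraint
            found = dfs(path + [nxt])
            if found:
                return found
        return None
    for s in states:
        if start_ok(s):
            found = dfs([s])
            if found:
                return found
    return None


def ind_fwd_reach(states, init, trans, risk, max_bound):
    """Return (verdict, step, counterexample-or-None)."""
    def safe(s):
        return not risk(s)

    def any_state(s):
        return True

    for i in range(max_bound + 1):
        # 1) BoundedFwdReach: a risk state reachable from I in exactly i steps?
        cex = find_path(states, trans, i, init, any_state, risk, loop_free=False)
        if cex:
            return ("counterexample", i, cex)
        # 2) loop-free requirement: any path of i distinct states from I?
        if not find_path(states, trans, i, init, any_state, any_state, loop_free=True):
            return ("unreachable: no loop-free path of this length", i, None)
        # 3) inductive step on F \ I: i+1 distinct safe states, then a risk state?
        if not find_path(states, trans, i + 1, safe, safe, risk, loop_free=True):
            return ("success: proved by induction", i, None)
    return ("fail within MaxBound steps", max_bound, None)


# Constructed toy: 0..3 is the reachable cycle, 4 the risk state, 5 and 6 are
# unreachable; 6's self-loop into 4 is the pattern that defeats plain induction.
EDGES = {0: [1], 1: [2], 2: [3], 3: [0], 4: [4], 5: [4], 6: [6, 4]}
BUGGY = {**EDGES, 3: [0, 5]}                  # implanted bug: 3 -> 5 reaches 4
# A long unreachable chain into 4: the loop-free check stops before induction would.
RISK_FAR = {0: [1], 1: [0], 4: [4], 5: [4], 6: [5], 7: [6]}


def verify(edges):
    return ind_fwd_reach(sorted(edges), lambda s: s == 0, lambda s: edges[s],
                         lambda s: s == 4, max_bound=10)


if __name__ == "__main__":
    for name, edges in (("safe", EDGES), ("buggy", BUGGY), ("far", RISK_FAR)):
        print(name, verify(edges))
```

On the safe system the depth-1 (simple) inductive step fails because of the unreachable edge 5 -> 4, and the depth-2 loop-free step succeeds; on the buggy variant the counterexample 0, 1, 2, 3, 5, 4 is found at step 5.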
Experiments
We realize all our ideas in xBMC 2.0, which is written in C and makes use of zChaff [10] . Experiments were run against Fischer's mutual exclusion protocol and Cornell Single Sign-On Services (CorSSO) [19] .
Fischer's Mutual Exclusion
We first verify Fischer's mutual exclusion protocol, which consists of n timed automata, each automaton modeling an individual process (Figure 6.1). The mutual exclusion property was considered violated when A < B. The largest constraint for the local clock of each process was adjusted by increasing the value of B while keeping A = 1. We compare our model checker with Kronos [12], RED [35], Uppaal [22] and SAL 2 (infBMC) [29]. Uppaal provides a friendly interface and safety and bounded liveness verification, and is widely used in timed behavior verification. Kronos and RED 4.0 support full TCTL verification of real-time systems, but use different data structures for system state representation. Kronos and Uppaal use DBMs (Difference Bounded Matrices) [21], while RED uses CRDs (Clock Restriction Diagrams) [35]. In contrast to these conventional model checkers, infBMC is a bounded model checker included in SAL 2, a suite of tools developed by SRI's Symbolic Analysis Laboratory for analyzing state machines. infBMC supports verification of infinite-state systems using a special decision procedure [27] that solves the satisfiability of combinations of real and integer linear arithmetic.
All verification processes that did not crash reached a violated state. When B = 2 (Table 3), Kronos failed to construct the product automaton of the system while verifying 6 processes. Uppaal ran efficiently until the number of processes reached 14. RED demonstrated an exceptional data sharing capability, outperformed the other tools in terms of memory utilization, and successfully checked 15 processes. infBMC reported all counterexamples at the 10th iteration, but its internal decision procedure crashed while verifying 6 processes. xBMC was capable of reporting all
Fig. 5. Each process in Fischer's protocol has one local clock x and can access the global pointer lock (e.g., lock := P to assign itself to the pointer). Initially, all processes are in idle and lock = nil.
(Table 4), the increased number of variables limited xBMC to handling up to 13 processes. On the other hand, performance among the other tools was not significantly affected by increasing values of the constraint constants.
Cornell Single Sign-On Service
Cornell Single Sign-On (CorSSO) [19] is a distributed service for network authentication. It delegates client identity checking to multiple servers by threshold cryptography. In CorSSO, there are three kinds of principals, namely authentication servers, application servers and clients. For a client to access the services provided by an application server, he has to identify himself according to the authentication policy specified by the application server. The authentication policy consists of a list of sub-policies, each specifying a set of authentication servers. A client is allowed to access the application server if he has complied with any sub-policy, i.e. obtained sufficient certificates from the specified authentication servers within a specified time.
Unlike monolithic authentication schemes where the server is usually overloaded with authentication requests, the authentication policies in CorSSO allow a client to prove her identity by different criteria. With threshold cryptography, each criterion is divided into requests to multiple authentication servers. The authentication process is therefore distributed, so the load of each authentication server is more balanced.
In our experiments, we model client behavior. In the simplified client model shown in Figure 4, a client has only two locations: Authentication and Access. In Authentication, he first chooses one of the two policies by setting the value of p non-deterministically. If the first policy is chosen, i.e. p = 1, he needs to collect more than TH_1 certificates from the authentication servers. Similarly, more than TH_2 certificates are needed if the second policy is chosen. Then he starts to collect certificates. If he has obtained sufficient certificates within the time limit, he can then move to Access. Finally, he can discard the certificates, reset the policy, i.e. p := 0, and then return to Authentication.
To model timing constraints, we use two clock variables x and y. Let us suppose that acquiring a certificate takes at least TA. Then a new certificate cannot be added until x exceeds TA, and once it is collected, x is reset for the next certificate. Furthermore, all certificates for a sub-policy must be collected within TE, which is modeled by y. Note that y is reset each time the client chooses a new sub-policy.
We compare the performance of our model checker with RED. We first verify the safety property that all clients in Access have acquired the sufficient certificates required by the chosen policy. Then we implant a bug by mistyping TH_2 for TH_1 in transition 3 in Figure 6.2. This may raise a violation of the safety property once TH_1 < TH_2. Systems with two to eleven clients are checked by both xBMC and RED. Note that we did not turn on the symmetry reduction option in RED, even though the systems under test are highly symmetric (b). Since the present technique does not take symmetry into consideration, we think it would be unfair to compare it with other heuristics. Both RED and xBMC report that the safety property is satisfied for the normal cases, and the manually inserted bugs are detected by both tools as expected. The performance results (c) are shown in Table 5. Instead of exploring all regions in the system, xBMC guarantees correctness by induction at the third step. On the other hand, the traditional reachability analysis in RED has to explore all representatives of equivalent states. Consequently, the time spent by xBMC is only a fraction of that required by RED. For all bug-inserted cases, xBMC reports that the property is falsified at the 12th step. Since SAT-based BMC is efficient at finding defects in designs, the performance of xBMC is in accord with our expectations. Compared to RED, xBMC spends only 3.33% of the time to find a counterexample in the system with 11 clients. Note that xBMC stops once a bug is detected, which means that the performance in bug hunting does not necessarily depend on system size.
(b) Symmetry reduction is not activated by default.
Related Work and Discussion
Due to the success of hardware verification by SAT-based techniques, SAT-based model checking has recently gained considerable attention among software verification researchers. Clarke et al. [14] developed a SAT-based bounded model checker for ANSI C, and the present authors used xBMC to verify Web application code security in an earlier project [18]. Although both projects focused on software verification, neither supported timing behavior analysis.
The verification of timed automata by checking satisfiability has been the topic of several research projects. Most of them encode the evaluation of atomic constraints into variants of predicate calculus with real variables. Niebert et al. [30] represented the bounded reachability problem in Boolean variables and numerical constraints of Pratt's difference logic, while Audemard et al. [5] took a clock as a real [...] [32] proposed an unbounded, fully symbolic model checking technique by translating Quantified Separation Logic into an equivalent quantified Boolean formula. Based on their method, both SAT and BDD techniques can be applied to verify real-time systems. They used the CUDD package to implement their tool TMV. It would be interesting to compare zone and region algorithms in SAT-based model checking, but their SAT-based model checker is unavailable. The closest research to ours is Penczek et al.'s project. They also target region automata but encode them by slicing each time unit into more segments. Loop-free termination is applied, but induction is not incorporated. In table 6 [d], we compare their encodings and ours on the verification of Fischer's protocol. Obviously, xBMC induces fewer variables and clauses, whether or not their enhancement, i.e. forward projection (BBMC-ARG), is applied. Some researchers have tried to determine whether iterative satisfiability analysis can terminate early if more restrictive formulas are generated based on satisfiability results from previous iterations. Moura et al. [28] achieved this by using induction rules to prove the safety properties of infinite systems. Although they were able to detect cases where early termination was possible, they could not guarantee termination. In [34], Sorea checked full LTL formulas based on predicate abstraction to extend BMC capabilities. Compared to encoding abstract predicates, encoding regions themselves provides at least two advantages: simplicity and an intrinsic bound for termination.
[c] All experiments were performed on a Pentium IV 1.7 GHz computer with 256MB of RAM running the Linux operating system. T/O: time out (>60000s), O/M: out of memory, N/A: not available.
[d] BBMC's data are directly taken from their paper [36].
McMillan [24] uses interpolation as an over-approximation of the reachable states. His technique not only verifies the correctness of safety properties but also guarantees termination. However, it has yet to support timing analysis. Compared to interpolation, which requires access to the internal information of the SAT solver, the inductive method can be implemented by treating the SAT solver as a black box. We would like to investigate merging interpolation with our approach in the future.
Unlike other reachability analysis techniques for timed automata, discretization allows us to deploy the inductive method rather straightforwardly. However, it is unclear how to apply the same technique to BDD [8], DBM [21] or CRD [35] representations. It would also be interesting to develop a corresponding inductive method for them and compare their performance with our discretization approach.
Conclusion and Future Work
BMC is more efficient at identifying bugs, especially for systems with a large number of program variables; however, its performance at guaranteeing correctness can be disappointing. With induction, it is now possible to prove safety properties efficiently by BMC in some cases. With the help of discretization, we are able to carry the success of discrete-system verification over to timing-behavior analysis. We applied induction algorithms to our previous research on the discretization of region automata, and thereby reduced the reachability analysis of dense-time systems to satisfiability. The results of our preliminary experiments indicate that even without enhancements (e.g. symmetry reduction, forward projection, and abstraction), our approach is more efficient than RED in guaranteeing correctness as well as in bug hunting. However, one limitation of our approach is that its performance depends on whether and when the induction succeeds.
