
    All-Path Reachability Logic

    This paper presents a language-independent proof system for reachability properties of programs written in non-deterministic (e.g., concurrent) languages, referred to as all-path reachability logic. It derives partial-correctness properties with all-path semantics (a state satisfying a given precondition reaches states satisfying a given postcondition on all terminating execution paths). The proof system takes as axioms any unconditional operational semantics, and is sound (partially correct) and (relatively) complete, independent of the object language. The soundness has also been mechanized in Coq. This approach is implemented in a tool for semantics-based verification as part of the K framework (http://kframework.org).

    Formally Verified Compositional Algorithms for Factored Transition Systems

    Artificial Intelligence (AI) planning and model checking are two disciplines that found wide practical applications. It is often the case that a problem in those two fields concerns a transition system whose behaviour can be encoded in a digraph that models the system's state space. However, due to the very large size of state spaces of realistic systems, they are compactly represented as propositionally factored transition systems. These representations have the advantage of being exponentially smaller than the state space of the represented system. Many problems in AI planning and model checking involve questions about state spaces, which correspond to graph theoretic questions on digraphs modelling the state spaces. However, existing techniques to answer those graph theoretic questions effectively require, in the worst case, constructing the digraph that models the state space, by expanding the propositionally factored representation of the system. This is not practical, if not impossible, in many cases because of the state space size compared to the factored representation. One common approach that is used to avoid constructing the state space is the compositional approach, where only smaller abstractions of the system at hand are processed and the given problem (e.g. reachability) is solved for them. Then, a solution for the problem on the concrete system is derived from the solutions of the problem on the abstract systems. The motivation of this approach is that, in the worst case, one need only construct the state spaces of the abstractions which can be exponentially smaller than the state space of the concrete system. We study the application of the compositional approach to two fundamental problems on transition systems: upper-bounding the topological properties (e.g. the largest distance between any two states, i.e. the diameter) of the state space, and computing reachability between states.
We provide new compositional algorithms to solve both problems by exploiting different structures of the given system. In addition to the use of an existing abstraction (usually referred to as projection) based on removing state space variables, we develop two new abstractions for use within our compositional algorithms. One of the new abstractions is also based on state variables, while the other is based on assignments to state variables. We theoretically and experimentally show that our new compositional algorithms improve the state-of-the-art in solving both problems, upper-bounding state space topological parameters and reachability. We designed the algorithms as well as formally verified them with the aid of an interactive theorem prover. This is the first application that we are aware of, for such a theorem prover based methodology to the design of new algorithms in either AI planning or model checking.

    Formal analysis of control systems via inductive approaches

    This dissertation is concerned with the formal analysis of complex control systems via inductive approaches using barrier certificates. In general, safety-critical applications such as air traffic networks, autonomous vehicles, power grids, medical devices, and robotic equipment, are expected to satisfy complex logic specifications including but not limited to safety, reachability, and security. Due to several factors such as the continuous-state evolution of systems' trajectories, large systems' sizes, disturbances, etc., verification and synthesis of control systems against such high-level logic specifications is a challenging task. An interesting yet simple way to tackle the verification and synthesis problem for logic specifications is to utilize inductive approaches based on barrier certificates. Barrier certificates take the form of inductive invariants and provide sufficient conditions for the satisfaction of safety or reachability specifications. Therefore, the verification and synthesis problem is reduced to the discovery of suitable barrier certificates. However, finding suitable barrier certificates can be a difficult problem due to several factors. First, the computation of barrier certificates is not scalable to large-scale systems. Second, the conditions imposed by barrier certificates are restrictive, making it difficult to search for one. Third, barrier certificate-based methods are limited to the analysis of safety or reachability specifications. As a result, they are not directly applicable to complicated logic tasks such as those expressed by omega-regular properties or (in)finite strings over automata, as well as security specifications such as those expressed by hyperproperties. In this regard, the dissertation focuses on alleviating the aforementioned issues and provides novel techniques to verify and synthesize controllers for (possibly large-scale and stochastic) control systems against the aforementioned specifications. 
The first part of the thesis proposes a compositional framework for scalable construction of control barrier certificates for large-scale discrete-time stochastic control systems. In particular, we show that by considering the large-scale system as an interconnected one composed of several subsystems, one may construct control barrier certificates for the interconnected system by searching for so-called control sub-barrier certificates for subsystems and utilizing some compositionality conditions based on small-gain and dissipativity approaches. Correspondingly, one may also synthesize controllers that can be applied to the interconnected system in a decentralized manner, so that the large-scale system satisfies safety specifications over (in)finite time horizons with some probability lower bounds. In the second part of the thesis, we propose a new notion of k-inductive barrier certificates for the verification of (stochastic) discrete-time dynamical systems against safety and reachability specifications. In particular, we illustrate that due to the restrictive nature of the traditional barrier certificate conditions, it is not always possible to find suitable barrier certificates even when the system is guaranteed to satisfy the desired specifications. Then, we extend the k-induction principle utilized in software verification to propose several notions of k-inductive barrier certificates that relax the traditional barrier certificate conditions. As a result, larger classes of functions may act as barrier certificates, making them easier to find. In the context of non-stochastic systems, we propose two notions of k-inductive barrier certificates and provide formal guarantees for safety specifications. In the case of stochastic systems, we propose one notion of k-inductive barrier certificates for safety and two notions for tackling reachability specifications. 
Then, we obtain probabilistic guarantees for the satisfaction of safety and reachability specifications over infinite time horizons, respectively. The last part of the thesis is concerned with the analysis of (stochastic) control systems against complex logic specifications beyond safety and reachability. First, we consider the synthesis problem for (possibly large-scale) stochastic control systems against trace properties, which describe specifications over individual traces of the system. Examples of such properties include omega-regular languages or (in)finite words over automata. We provide an automata-theoretic approach to decompose such complex specifications into sequential safety specifications. We then utilize the probability guarantees obtained for the safety specifications and combine them to obtain probability lower bounds for the satisfaction of original specifications. We provide such guarantees over both finite and infinite time horizons. Secondly, we consider the verification problem for non-stochastic systems against specifications that can be expressed over sets of traces, called hyperproperties. Hyperproperties can express many security and planning specifications that cannot be considered using omega-regular languages. In this context, we provide an automata-theoretic approach to decompose hyperproperties into smaller verification conditions called conditional invariances. Then, we introduce a new notion of so-called augmented barrier certificates constructed on the augmented system (i.e., self-composition of the system) to provide guarantees for the satisfaction of the conditional invariances. These guarantees may then be combined to achieve the satisfaction of original hyperproperties.

This dissertation deals with the formal analysis of complex control systems, using inductive approaches based on barrier certificates. In general, safety-critical applications such as air traffic networks, autonomous vehicles, power grids, medical devices and robotic equipment are expected to satisfy complex formal specifications, for instance to guarantee safety and security or to meet other goals such as particular reachability properties. Owing to various factors such as the continuous-time evolution of the system trajectories, the size of the systems, disturbances, etc., the verification and synthesis of control systems against such general logic specifications is a demanding task. An interesting yet simple way to approach the verification and synthesis problem for formal specifications is to use inductive approaches based on barrier certificates. These take the form of inductive invariants and provide sufficient conditions for the satisfaction of safety or reachability requirements. The verification and synthesis problem therefore reduces to discovering suitable barrier certificates. Finding suitable barrier certificates can, however, be a hard problem for several reasons. First, the computation of barrier certificates does not readily scale to large systems. Second, the conditions imposed by barrier certificates are highly restrictive, which makes the search for such a certificate difficult. Third, barrier-certificate-based methods are limited to the analysis of safety or reachability specifications. Consequently, they are not directly applicable to complicated logic tasks, e.g. those expressed by omega-regular properties or (in)finite strings over automata, or to certain security specifications, for instance those expressed by hyperproperties.
In this regard, the dissertation focuses on alleviating the problems named above and provides novel techniques for the verification and synthesis of controllers for (possibly large and stochastic) control systems against the specifications named above. In the first part of the dissertation, a compositional framework for the scalable construction of control barrier certificates for large, discrete-time, stochastic control systems is proposed. In particular, we show that by decomposing the system into several interconnected subsystems, one can construct control barrier certificates for the overall system by searching for so-called control sub-barrier certificates for the subsystems. For this purpose, certain compositionality conditions based on small-gain and dissipativity approaches can be formulated. Correspondingly, one can also synthesize controllers that can be applied in a decentralized manner to the interconnected components of the system, so that the overall system satisfies the safety specifications over (in)finite time horizons with certain probability lower bounds. In the second part of the dissertation, we introduce the novel concept of k-inductive barrier certificates for the verification of (stochastic) discrete-time dynamical systems against safety and reachability specifications. In particular, we show that, owing to the restrictive nature of the traditional barrier certificate conditions, it is not always possible to find suitable barrier certificates even when the system is guaranteed to satisfy the desired specifications. We then extend the k-induction principle used in software verification by proposing several notions of k-inductive barrier certificates that relax the traditional barrier certificate conditions.
As a result, larger classes of functions can act as barrier certificates, which makes them easier to find. For non-stochastic systems, we introduce two variants of k-inductive barrier certificates and give formal guarantees for safety specifications. For stochastic systems, we present one notion of k-inductive barrier certificates for safety and two notions for handling reachability specifications. We then derive probabilistic guarantees for the satisfaction of safety and reachability requirements over infinite time horizons. The last part of the dissertation deals with the analysis of (stochastic) control systems against complex logic specifications beyond safety and reachability. First, we consider the synthesis problem for (possibly large-scale) stochastic control systems with respect to trace properties, i.e. specifications over individual traces of the system. Examples of such properties are omega-regular languages or (in)finite words over automata. We provide an automata-theoretic approach to decompose such complex specifications into sequential safety specifications. We then use the probability guarantees obtained for the safety specifications and combine them to obtain probability lower bounds for the satisfaction of the original specifications. We give such guarantees for both finite and infinite time horizons. Next, we consider the verification problem for non-stochastic systems against specifications that can be expressed over sets of traces, so-called hyperproperties. Hyperproperties can express many security and planning specifications that cannot be handled using omega-regular languages.
In this context, we provide an automata-theoretic approach to decompose hyperproperties into smaller verification conditions, so-called conditional invariances. Building on this, we introduce the concept of an augmented barrier certificate, constructed on the system augmented by self-composition, to provide guarantees for the satisfaction of the conditional invariances. These guarantees can in turn be combined to achieve the satisfaction of the original hyperproperties.

    Automata-theoretic and bounded model checking for linear temporal logic

    In this work we study methods for model checking the temporal logic LTL. The focus is on the automata-theoretic approach to model checking and bounded model checking. We begin by examining automata-theoretic methods to model check LTL safety properties. The model checking problem can be reduced to checking whether the language of a finite state automaton on finite words is empty. We describe an efficient algorithm for generating small finite state automata for so-called non-pathological safety properties. The presented implementation is the first tool able to decide whether a formula is non-pathological. The experimental results show that treating safety properties can benefit model checking at very little cost. In addition, we find supporting evidence for the view that minimising the automaton representing the property does not always lead to a small product state space. A deterministic property automaton can result in a smaller product state space even though it might have a larger number of states. Next we investigate modular analysis. Modular analysis is a state space reduction method for modular Petri nets. The method can be used to construct a reduced state space called the synchronisation graph. We devise an on-the-fly automata-theoretic method for model checking the behaviour of a modular Petri net from the synchronisation graph. The solution is based on reducing the model checking problem to an instance of verification with testers. We analyse the tester verification problem and present an efficient on-the-fly algorithm, the first complete solution to the tester verification problem, based on generalised nested depth-first search. We have also studied propositional encodings for bounded model checking LTL. A new simple linear sized encoding is developed and experimentally evaluated. The implementation in the NuSMV2 model checker is competitive with previously presented encodings.
We show how to generalise the LTL encoding to a more succinct logic: LTL with past operators. The generalised encoding compares favourably with previous encodings for LTL with past operators. Links between bounded model checking and the automata-theoretic approach are also explored.

    Ten virtues of structured graphs

    This paper extends the invited talk by the first author about the virtues of structured graphs. The motivation behind the talk and this paper relies on our experience in the development of ADR, a formal approach for the design of style-conformant, reconfigurable software systems. ADR is based on hierarchical graphs with interfaces and it has been conceived in the attempt of reconciling software architectures and process calculi by means of graphical methods. We have tried to write an ADR-agnostic paper where we raise some drawbacks of flat, unstructured graphs for the design and analysis of software systems and we argue that hierarchical, structured graphs can alleviate such drawbacks.

    A Proof Assistant Based Formalization of components in MDE

    Model driven engineering (MDE) now plays a key role in the development of safety critical systems through the use of early validation and verification of models, and the automatic generation of software and hardware artifacts from the validated and verified models. In order to ease the integration of formal specification and verification technologies, various formalizations of the MDE technologies were proposed by different authors using term or graph rewriting, proof assistants, logical frameworks, etc. The use of components is also mandatory to improve the efficiency of system development. Invasive Software Composition (ISC) has been proposed by Assman to add a generic component structure to existing Domain Specific Modeling Languages in MDE. This approach is the basis of the ReuseWare toolset. We present in this paper an extension of a formal embedding of some key aspects of MDE in set theory in order to formalize ISC and prove the correctness of the proposed approach with respect to the conformance relation with the base metamodel. The formal embedding we rely on was developed by some of the authors and then implemented using the Calculus of Inductive Constructions and the Coq proof assistant. This work is a first step in the formalization of composable verification technologies in order to ease their integration for DSMLs extended with component features using ISC.
