57 research outputs found
Bounded Satisfiability for PCTL
While model checking PCTL for Markov chains is decidable in polynomial-time,
the decidability of PCTL satisfiability, as well as its finite model property,
are long standing open problems. While general satisfiability is an intriguing
challenge from a purely theoretical point of view, we argue that general
solutions would not be of interest to practitioners: such solutions could be
too big to be implementable or even infinite. Inspired by bounded synthesis
techniques, we turn to the more applied problem of seeking models of a bounded
size: we restrict our search to implementable -- and therefore reasonably
simple -- models. We propose a procedure to decide whether or not a given PCTL
formula has an implementable model by reducing it to an SMT problem. We have
implemented our techniques and found that they can be applied to the practical
problem of sanity checking -- a procedure that allows a system designer to
check whether their formula has an unexpectedly small model
Replication and Abstraction: Symmetry in Automated Formal Verification.
This article surveys fundamental and applied aspects of symmetry in system models, and of symmetry reduction methods used to counter state explosion in model checking, an automated formal verification technique. While covering the research field broadly, we particularly emphasize recent progress in applying the technique to realistic systems, including tools that promise to elevate the scope of symmetry reduction to large-scale program verification. The article targets researchers and engineers interested in formal verification of concurrent systems
RustHorn: CHC-based Verification for Rust Programs (full version)
Reduction to the satisfiability problem for constrained Horn clauses (CHCs)
is a widely studied approach to automated program verification. The current
CHC-based methods for pointer-manipulating programs, however, are not very
scalable. This paper proposes a novel translation of pointer-manipulating Rust
programs into CHCs, which clears away pointers and memories by leveraging
ownership. We formalize the translation for a simplified core of Rust and prove
its correctness. We have implemented a prototype verifier for a subset of Rust
and confirmed the effectiveness of our method.Comment: Full version of the same-titled paper in ESOP202
Partially-Observable Security Games for Automating Attack-Defense Analysis
Network systems often contain vulnerabilities that remain unfixed in a
network for various reasons, such as the lack of a patch or knowledge to fix
them. With the presence of such residual vulnerabilities, the network
administrator should properly react to the malicious activities or proactively
prevent them, by applying suitable countermeasures that minimize the likelihood
of an attack by the attacker. In this paper, we propose a stochastic
game-theoretic approach for analyzing network security and synthesizing defense
strategies to protect a network. To support analysis under partial observation,
where some of the attacker's activities are unobservable or undetectable by the
defender, we construct a one-sided partially observable security game and
transform it into a perfect game for further analysis. We prove that this
transformation is sound for a sub-class of security games and a subset of
properties specified in the logic rPATL. We implement a prototype that fully
automates our approach, and evaluate it by conducting experiments on a
real-life network
- …