Verification and falsification of programs with loops using predicate abstraction

Predicate abstraction is a major abstraction technique for the verification of software. Data is abstracted by means of Boolean variables, which keep track of predicates over the data. In many cases, predicate abstraction suffers from the need for at least one predicate for each iteration of a loop construct in the program. We propose to extract looping counterexamples from the abstract model, and to parametrise the simulation instance in the number of loop iterations. We present a novel technique that speeds up the detection of long counterexamples as well as the verification of programs with loop

Automatic Verification of Message-Based Device Drivers

We develop a practical solution to the problem of automatic verification of the interface between device drivers and the OS. Our solution relies on a combination of improved driver architecture and verification tools. It supports drivers written in C and can be implemented in any existing OS, which sets it apart from previous proposals for verification-friendly drivers. Our Linux-based evaluation shows that this methodology amplifies the power of existing verification tools in detecting driver bugs, making it possible to verify properties beyond the reach of traditional techniques.Comment: In Proceedings SSV 2012, arXiv:1211.587

Predicate Abstraction with Under-approximation Refinement

We propose an abstraction-based model checking method which relies on refinement of an under-approximation of the feasible behaviors of the system under analysis. The method preserves errors to safety properties, since all analyzed behaviors are feasible by definition. The method does not require an abstract transition relation to be generated, but instead executes the concrete transitions while storing abstract versions of the concrete states, as specified by a set of abstraction predicates. For each explored transition the method checks, with the help of a theorem prover, whether there is any loss of precision introduced by abstraction. The results of these checks are used to decide termination or to refine the abstraction by generating new abstraction predicates. If the (possibly infinite) concrete system under analysis has a finite bisimulation quotient, then the method is guaranteed to eventually explore an equivalent finite bisimilar structure. We illustrate the application of the approach for checking concurrent programs.Comment: 22 pages, 3 figures, accepted for publication in Logical Methods in Computer Science journal (special issue CAV 2005

Counter Attack on Byzantine Generals: Parameterized Model Checking of Fault-tolerant Distributed Algorithms

We introduce an automated parameterized verification method for fault-tolerant distributed algorithms (FTDA). FTDAs are parameterized by both the number of processes and the assumed maximum number of Byzantine faulty processes. At the center of our technique is a parametric interval abstraction (PIA) where the interval boundaries are arithmetic expressions over parameters. Using PIA for both data abstraction and a new form of counter abstraction, we reduce the parameterized problem to finite-state model checking. We demonstrate the practical feasibility of our method by verifying several variants of the well-known distributed algorithm by Srikanth and Toueg. Our semi-decision procedures are complemented and motivated by an undecidability proof for FTDA verification which holds even in the absence of interprocess communication. To the best of our knowledge, this is the first paper to achieve parameterized automated verification of Byzantine FTDA

Formal Specification and Verification of a Coordination Protocol for an Automated Air Traffic Control System

Safe separation between aircraft is the primary consideration in air trafficcontrol. To achieve the required level of assurance for this safety-critical application,the Automated Airspace Concept (AAC) proposes three levels of conflict detectionand resolution. Recently, a high-level operational concept was proposed to definethe cooperation between components in the AAC. However, the proposed coordinationprotocol has not been formally studied. We use formal verification techniquesto ensure there are no potentially catastrophic design flaws remaining in the AACdesign before the next stage of production.We formalize the high-level operational concept, which was previously describedonly in natural language, in NuSMV and perform model validation by checkingagainst LTL/CTL specifications we derive from the system description. We writeLTL specifications describing safe system operations and use model checking forsystem verification. We employ specification debugging to ensure correctness ofboth sets of formal specifications and model abstraction to reduce model checkingtime and enable fast, design-time checking. We analyze two counterexamplesrevealing unexpected emergent behaviors in the operational concept that triggereddesign changes by system engineers to meet safety standards. Our experience reportilluminates the application of formal methods in real safety-critical system developmentby detailing a complete end-to-end design-time verification process includingall models and specifications