Exploring Domain Specific Approaches to Software Model Checking

Model checking has proven to be an effective technology for verification and debugging in hardware domains and more recently in software domains. The major challenges in the application of model checking to software systems are: the mapping of software executables to model checker's input language and the intrinsic complexity of the ever growing software systems. This thesis explores the domain specific model checking approaches to large systems in order to optimize the state space storage for specific domains. Bogor [Bogor 2003] is an extensible, customizable, and highly modular model checking framework that supports general as well as domain specific software model checking. As a part of the thesis, domain specific extensions to Bogor's input language, called Bandera Intermediate Representation (BIR), were implemented by providing a plugin for Eclipse [Eclipse 2004]. Eclipse is a universal platform for tool integration and its plugin development environment facilitates addition of new plugins to the existing ones. Eclipse's extension mechanism is exploited by Bogor. Bogor was installed as an Eclipse plugin and with the help of Eclipse's Plugin Development Environment (PDE), new data types were integrated with the existing Bogor framework. Two case studies ('postfix calculator' using stack extension and 'resource allocation' using multiset extension) were investigated. Various metrics such as number of states, transitions, and maximum depth were analyzed. The complexity of the test cases was increased gradually to test the extensions for feasibility and scalability. The thesis also involves a comprehensive study of some of the well-known model checkers and their features, degree of automation, and input languages. It was observed that customizing the model checker as per domain specifications helped in achieving space reduction. The space reduction is prominent, especially in large domains where it contributes towards state space explosion solution. Although development of extensions is achievable, it requires a working knowledge of Eclipse and specific knowledge of model checking. In conclusion, a domain specific approach for software model checking was demonstrated to be a promising technology. Language extensions to BIR were successfully built and tested for accuracy and scalability.Computer Science Departmen

Loupe: Verifying Publish-Subscribe Architectures with a Magnifying Lens

CONE

Using Graph Transformations and Graph Abstractions for Software Verification

In this paper we describe our intended approach for the verification of software written in imperative programming languages. We base our approach on model checking of graph transition systems, where each state is a graph and the transitions are specified by graph transformation rules. We believe that graph transformation is a very suitable technique to model the execution semantics of languages with dynamic memory allocation. Furthermore, such representation allows us to investigate the use of graph abstractions, which can mitigate the combinatorial explosion inherent to model checking. In addition to presenting our planned approach, we reason about its feasibility, and, by providing a brief comparison to other existing methods, we highlight the benefits and drawbacks that are expected

Reusable Models for Timing and Liveness Analysis of Middleware for Distributed Real-Time and Embedded Systems

Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and other properties whose assurance is crucial to correct system behavior. Formal tools and techniques play a key role in verifying and validating system properties. However, many DRE systems are built using middleware frameworks that have grown increasingly complex to address the diverse requirements of a wide range of applications. How to apply formal tools and techniques effectively to these systems, given the range of middleware configuration options available, is therefore an important research problem. This paper makes three contributions to research on formal verification and validation of middleware-based DRE systems. First, it presents a reusable library of formal models we have developed to capture essential timing and concurrency semantics of foundational middleware building blocks provided by the ACE framework. Second, it describes domain-specific techniques to reduce the cost of checking those models while ensuring they remain valid with respect to the semantics of the middleware itself. Third, it presents a verification and validation case study involving a gateway service, using our models

Composable Models for Timing and Liveness Analysis in Distributed Real-Time Embedded Systems Middleware

Middleware for distributed real-time embedded (DRE) systems has grown increasingly complex, to address functional and temporal requirements of diverse applications. While current approaches to modeling middleware have eased the task of assembling, deploying and configuring middleware and the applications that use it, a lower-level set of formal models is needed to uncover subtle timing and liveness hazards introduced by interference between and within distributed computations, particularly in the face of alternative middleware concurrency strategies. In this paper, we propose timed automata as a formal model of low-level middleware building blocks from which a variety different middleware configurations can be constructed. When combined with analysis techniques such as model checking, this formal model can help developers in verifying the correctness of various middleware configurations with respect to the timing and liveness constraints of each particular application

Program Model Checking: A Practitioner's Guide

Program model checking is a verification technology that uses state-space exploration to evaluate large numbers of potential program executions. Program model checking provides improved coverage over testing by systematically evaluating all possible test inputs and all possible interleavings of threads in a multithreaded system. Model-checking algorithms use several classes of optimizations to reduce the time and memory requirements for analysis, as well as heuristics for meaningful analysis of partial areas of the state space Our goal in this guidebook is to assemble, distill, and demonstrate emerging best practices for applying program model checking. We offer it as a starting point and introduction for those who want to apply model checking to software verification and validation. The guidebook will not discuss any specific tool in great detail, but we provide references for specific tools

Inspect: a runtime model checker for multithreaded C programs

technical reportWe present Inspect, a runtime model checker for revealing concurrency bugs in multithreaded C programs. Inspect instruments a given program at all global interaction points, and with the help of a new scheduler, examines all relevant thread interleavings under dynamic partial order reduction (DPOR). While the ideas behind Inspect are well known, there hasn't been a previously reported effort in which these ideas are applied to multithreaded C programs. We report on our engineering efforts to endow Inspect with (i) automatic source program instrumentation, (ii) practical DPOR implementation, and (iii) optimizations such as using locksets to compute more precise co-enabled relation. Our initial experience shows that such a tool can, indeed, be very effective for obtaining a handle on the notorious complexity of thread programmin

Abstract Certification of Java Programs in Rewriting Logic

In this thesis we propose an abstraction based certification technique for Java programs which is based on rewriting logic, a very general logical and semantic framework efficiently implemented in the functional programming language Maude. We focus on safety properties, i.e. properties of a system that are defined in terms of certain events not happening, which we characterize as unreachability problems in rewriting logic. The safety policy is expressed in the style of JML, a standard property specification language for Java modules. In order to provide a decision procedure, we enforce finite-state models of programs by using abstract interpretation. Starting from a specification of the Java semantics written in Maude, we develop an abstraction based, finite-state operational semantics also written in Maude which is appropriate for program verification. As a by-product of the verification based on abstraction, a dependable safety certificate is delivered which consists of a set of rewriting proofs that can be easily checked by the code consumer by using a standard rewriting logic engine. The abstraction based proof-carrying code technique, called JavaPCC, has been implemented and successfully tested on several examples, which demonstrate the feasibility of our approach. We analyse local properties of Java methods: i.e. properties of methods regarding their parameters and results. We also study global confidentiality properties of complete Java classes, by initially considering non--interference and, then, erasure with and without non--interference. Non--interference is a semantic program property that assigns confidentiality levels to data objects and prevents illicit information flows from occurring from high to low security levels. In this thesis, we present a novel security model for global non--interference which approximates non--interference as a safety property.Alba Castro, MF. (2011). Abstract Certification of Java Programs in Rewriting Logic [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/13617Palanci