A Multi-Core Solver for Parity Games

We describe a parallel algorithm for solving parity games,\ud with applications in, e.g., modal mu-calculus model\ud checking with arbitrary alternations, and (branching) bisimulation\ud checking. The algorithm is based on Jurdzinski's Small Progress\ud Measures. Actually, this is a class of algorithms, depending on\ud a selection heuristics.\ud \ud Our algorithm operates lock-free, and mostly wait-free (except for\ud infrequent termination detection), and thus allows maximum\ud parallelism. Additionally, we conserve memory by avoiding storage\ud of predecessor edges for the parity graph through strictly\ud forward-looking heuristics.\ud \ud We evaluate our multi-core implementation's behaviour on parity games\ud obtained from mu-calculus model checking problems for a set of\ud communication protocols, randomly generated problem instances, and\ud parametric problem instances from the literature.\ud \u

Attack Graph Generation and Analysis Techniques

As computer networks are emerging in everyday life, network security has become an important issue. Simultaneously, attacks are becoming more sophisticated, making the defense of computer networks increasingly difficult. Attack graph is a modeling tool used in the assessment of security of enterprise networks. Since its introduction a considerable amount of research effort has been spent in the development of theory and practices around the idea of attack graph. This paper presents a consolidated view of major attack graph generation and analysis techniques

Modeling and verifying the FlexRay physical layer protocol with reachability checking of timed automata

In this thesis, I report on the verification of the resilience of the FlexRay automotive bus protocol's physical layer protocol against glitches during message transmission and drifting clocks. This entailed modeling a significant part of this industrially used communictation protocol and the underlying hardware as well as the possible error scenarios in fine detail. Verifying such a complex model with model-checking led me to the development of data-structures and algorithms able to handle the associated complexity using only reasonable resources. This thesis presents such data-structures and algorithms for reachability checking of timed automata. It also present modeling principles enabling the construction of timed automata models that can be efficiently checked, as well as the models arrived at. Finally, it reports on the verified resilience of FlexRay's physical layer protocol against specific patterns of glitches under varying assumptions about the underlying hardware, like clock drift.In dieser Dissertation berichte ich über den Nachweis der Resilienz des Bitübertragungsprotokolls für die physikalische Schicht des FlexRay-Fahrzeugbusprotokolls gegenüber Übertragungsfehlern und Uhrenverschiebung. Dafür wurde es notwendig, einen signifikanten Teil dieses industriell genutzten Kommunikationsprotokolls mit seiner Hardwareumgebung und die möglichen Fehlerszenarien detailliert zu modellieren. Ein so komplexes Modell mittels Modellprüfung zu überprüfen führte mich zur Entwicklung von Datenstrukturen und Algorithmen, die die damit verbundene Komplexität mit vernünftigen Ressourcenanforderungen bewältigen können. Diese Dissertation stellt solche Datenstrukturen und Algorithmen zur Erreichbarkeitsprüfung gezeiteter Automaten vor. Sie stellt auch Modellierungsprinzipien vor, die es ermöglichen, Modelle in Form gezeiteter Automaten zu konstruieren, die effizient überprüft werden können, sowie die erstellten Modelle. Schließlich berichtet sie über die überprüfte Resilienz des FlexRay-Bitübertragungsprotokolls gegenüber spezifischen Übertragungsfehlermustern unter verschiedenen Annahmen über die Hardwareumgebung, wie etwa die Uhrenverschiebung.DFG: SFB/TRR 14 "AVACS - Automatische Verifikation und Analyse komplexer Systeme

A software development framework for context-aware systems

The beginning of the new century has been characterised by the miniaturisation and accessibility of electronics, which has enabled its widespread usage around the world. This technological background is progressively materialising the future of the remainder of the century, where industry-based societies have been moving towards information-based societies. Information from users and their environment is now pervasively available, and many new research areas have born in order to shape the potential of such advancements. Particularly, context-aware computing is at the core of many areas such as Intelligent Environments, Ambient Intelligence, Ambient Assisted Living or Pervasive Computing. Embedding contextual awareness into computers promises a fundamental enhancement in the interaction between computers and humans. While traditional computers require explicit commands in order to operate, contextually aware computers could also use information from the background and the users to provide services according to the situation. But embedding this contextual awareness has many unresolved challenges. The area of context-aware computing has attracted the interest of many researchers that have presented different approaches to solve particular aspects on the implementation of this technology. The great corpus of research in this direction indicates that context-aware systems have different requirements than those of traditional computing. Approaches for developing context-aware systems are typically scattered or do not present compatibility with other approaches. Existing techniques for creating context-aware systems also do not focus on covering all the different stages of a typical software development life-cycle. The contribution of this thesis is towards the foundation layers of a more holistic approach, that tries to facilitate further research on the best techniques for developing these kinds of systems. The approach presents a framework to support the development not only with methodologies, but with open-source tools that facilitate the implementation of context-aware systems in mobile and stationary platforms

Explicit or Symbolic Translation of Linear Temporal Logic to Automata

Formal verification techniques are growing increasingly vital for the development of safety-critical software and hardware in practice. Techniques such as requirements-based design and model checking for system verification have been successfully used to verify systems for air traffic control, airplane separation assurance, autopilots, CPU logic designs, life-support, medical equipment, and other functions that ensure human safety. Formal behavioral specifications written early in the system-design process and communicated across all design phases increase the efficiency, consistency, and quality of the system under development. We argue that to prevent introducing design or verification errors, it is crucial to test specifications for satisfiability. We advocate for the adaptation of a new sanity check via satisfiability checking for property assurance. Our focus here is on specifications expressed in Linear Temporal Logic (LTL). We demonstrate that LTL satisfiability checking reduces to model checking and satisfiability checking for the specification, its complement, and a conjunction of all properties should be performed as a first step to LTL model checking. We report on an experimental investigation of LTL satisfiability checking. We introduce a large set of rigorous benchmarks to enable objective evaluation of LTL-to-automaton algorithms in terms of scalability, performance, correctness, and size of the automata produced. For explicit model checking, we use the Spin model checker; we tested all LTL-to-explicit automaton translation tools that were publicly available when we conducted our study. For symbolic model checking, we use CadenceSMV, NuSMV, and SAL-SMC for both LTL-to-symbolic automaton translation and to perform the satisfiability check. Our experiments result in two major findings. First, scalability, correctness, and other debilitating performance issues afflict most LTL translation tools. Second, for LTL satisfiability checking, the symbolic approach is clearly superior to the explicit approach. Ironically, the explicit approach to LTL-to-automata had been heavily studied while only one algorithm existed for LTL-to-symbolic automata. Since 1994, there had been essentially no new progress in encoding symbolic automata for BDD-based analysis. Therefore, we introduce a set of 30 symbolic automata encodings. The set consists of novel combinations of existing constructs, such as different LTL formula normal forms, with a novel transition-labeled symbolic automaton form, a new way to encode transitions, and new BDD variable orders based on algorithms for tree decomposition of graphs. An extensive set of experiments demonstrates that these encodings translate to significant, sometimes exponential, improvement over the current standard encoding for symbolic LTL satisfiability checking. Building upon these ideas, we return to the explicit automata domain and focus on the most common type of specifications used in industrial practice: safety properties. We show that we can exploit the inherent determinism of safety properties to create a set of 26 explicit automata encodings comprised of novel aspects including: state numbers versus state labels versus a state look-up table, finite versus infinite acceptance conditions, forward-looking versus backward-looking transition encodings, assignment-based versus BDD-based alphabet representation, state and transition minimization, edge abbreviation, trap-state elimination, and determinization either on-the-fly or up-front using the subset construction. We conduct an extensive experimental evaluation and identify an encoding that offers the best performance in explicit LTL model checking time and is constantly faster than the previous best explicit automaton encoding algorithm

Polynomial Timed Reductions to Solve Computer Security Problems in Access Control, Ethereum Smart Contract, Cloud VM Scheduling, and Logic Locking.

This thesis addresses computer security problems in: Access Control, Ethereum Smart Contracts, Cloud VM Scheduling, and Logic Locking. These problems are solved using polynomially timed reductions to 2 complexity classes: PSPACE-Complete and NP-Complete. This thesis is divided into 2 parts, problems reduced to: Model Checking (PSPACE-Complete) and Integer Linear Programming (ILP) (NP-Complete). The PSPACE-Complete problems are: Safety Analysis of Administrative Temporal Role Based Access Control (ATRBAC) Policies, and Safety Analysis of Ethereum Smart Contracts. The NP-Complete problems are: Minimizing Information Leakage in Virtual Machine (VM) Cloud Environments using VM Migrations, and Attacking Logic Locked Circuits using a Reduction to Integer Linear Programming (ILP). In Chapter 3, I create the Cree Administrative Temporal Role Based Access Control (ATRBAC)-Safety solver. Which is a reduction from ATRBAC-Safety to Model Checking. I create 4 general performance techniques which can be utilized in any ATRBAC-Safety solver. 1. Polynomial Time Solving, which is able to solve specific archetypes of ATRBAC-Safety policies using a polynomial timed algorithm. 2. Static Pruning, which includes 2 methods for reducing the size of the policy without effecting the result of the safety query. 3. Abstraction Refinement, which can increase the speed for reachable safety queries by only solving a subset of the original policy. 4. Bound Estimation, which creates a bound on the number of steps from the initial state, where a satisfying state must exist. This is directly used by the model checker's bounded model checking mode, but can be utilized by any solver with a bound limiting parameter. In Chapter 4, I analyze ATRBAC-Safety policies to identify some of the ``sources of complexity'' which make solving ATRBAC-Safety policies difficult. I provide analysis of the sources of complexity that exists in the previously published datasets [128,90,54]. I perform analysis of Cree's performance techniques on the previous datasets. I create 2 new datasets, which are shown to be hard instances of ATRBAC-Safety. I analyze the new datasets to show how they achieve this hardness and how they differ from each other and the previous datasets. In Chapter 5, I create a novel reduction from a Reduced-Solidity Smart Contract, subset of available Solidity features, to Model Checking. This reduction reduces Reduced-Solidity Smart Contract into a Finite State Machine and then reduces to an instance of a Model Checking problem. This provides the ability to test smart contracts published on the Ethereum blockchain and test if there exists bugs or malicious code. I perform empirical analysis on select Smart contracts. In Chapter 6, I create 2 methods for generating instances of ATRBAC policies into Solidity Smart Contracts. The first method is the Generic ATRBAC Smart Contract. This method requires no modification before deployment. After deployed the owner is able to create, and maintain, the policy using special access functions. The special action functions are automated with code that converts an ATRBAC policy into a series of transactions the owner can run. The second method is the Baked ATRBAC Smart Contract. This method takes an ATRBAC policy and reduces it to a Smart Contract instance with no special access functions. The smart contract can then be deployed by anyone, and that person will have no special access. I perform an empirical analysis on the setup costs, transaction costs, and security each provides. In Chapter 7, I create a new reduction from Minimizing Information Leakage via Virtual Machine (VM) Migrations to Integer Linear Programming (ILP). I compare a polynomial algorithm by Moon et. al. [71], my ILP reduction, and a reduction to CNF-SAT that is not included in this thesis. The polynomial method is faster, but the problem is NP-Complete thus that solution must have sacrificed something to obtain the polynomial time speed (unless P = NP). I show instances in which the polynomial time algorithm does not produce the minimum total information leakage, but the ILP and CNF-SAT reductions are able to. In addition to this, I show that Total Information Leakage also has a security vulnerability for non-zero information leakage using the model. I propose an alternative method to Total Information Leakage, called Max Client-to-Client Information Leakage, which removes the vulnerability at the cost of increased total information leakage. In Chapter 8, I create a reduction from the Key Recovery Attack on Logic Locked Circuits to Integer Linear Programming (ILP). This is a recreation of the ``SAT Attack'' using ILP. I provide an empirical analysis of the ILP attack and compare it to the SAT-Attack. I show that ``ILP Attack'' is a viable attack, thus future claims of ``SAT-Attack Resistant Logic Locking Techniques'' need to also show resistance to all potential NP-Complete attacks

Extrapolation-based Path Invariants for Abstraction Refinement of Fifo Systems

Rapport de Recherche RR-1459-09 LaBRIThe technique of counterexample-guided abstraction refinement (Cegar) has been successfully applied in the areas of software and hardware verification. Automatic abstraction refinement is also desirable for the safety verification of complex infinite-state models. This paper investigates Cegar in the context of formal models of network protocols, in our case, the verification of fifo systems. Our main contribution is the introduction of extrapolation-based path invariants for abstraction refinement. We develop a range of algorithms that are based on this novel theoretical notion, and which are parametrized by different extrapolation operators. These are utilized as subroutines in the refinement step of our Cegar semi-algorithm that is based on recognizable partition abstractions. We give suffcient conditions for the termination of Cegar by constraining the extrapolation operator. Our empirical evaluation confirms the benefit of extrapolation-based path invariants

On the Use of Formal Methods to Model and Verify Neuronal Archetypes

International audienceHaving a formal model of neural networks can greatly help in understanding and verifying their properties, behavior, and response to external factors such as disease and medicine. In this paper, we adopt a formal model to represent neurons, some neuronal graphs, and their composition. Some specific neuronal graphs are known for having biologically relevant structures and behaviors and we call them archetypes. These archetypes are supposed to be the basis of typical instances of neuronal information processing. In this paper we study six fundamental archetypes (simple series, series with multiple outputs, parallel composition, negative loop, inhibition of a behavior, and contralateral inhibition), and we consider two ways to couple two archetypes: (i) connecting the output(s) of the first archetype to the input(s) of the second archetype and (ii) nesting the first archetype within the second one. We report and compare two key approaches to the formal modeling and verification of the proposed neuronal archetypes and some selected couplings. The first approach exploits the synchronous programming language Lustre to encode archetypes and their couplings, and to express properties concerning their dynamic behavior. These properties are verified thanks to the use of model checkers. The second approach relies on a theorem prover, the Coq Proof Assistant, to prove dynamic properties of neurons and archetype