7 research outputs found

    Heuristics for the refinement of assumptions in generalized reactivity formulae

    Reactive synthesis is concerned with automatically generating implementations from formal specifications. These specifications are typically written in the language of generalized reactivity (GR(1)), a subset of linear temporal logic capable of expressing the most common industrial specification patterns, and describe the requirements about the behavior of a system under assumptions about the environment where the system is to be deployed. Oftentimes no implementation exists which guarantees the required behavior under all possible environments, typically due to missing assumptions (this is usually referred to as unrealizability). To address this issue, new assumptions need to be added to complete the specification, a problem known as assumptions refinement. Since the space of candidate assumptions is intractably large, searching for the best solutions is inherently hard. In particular, new methods are needed to (i) increase the effectiveness of the search procedures, measured as the ratio between the number of solutions found and of refinements explored; and (ii) improve the results' quality, defined as the weakness of the solutions. In this thesis we propose a set of heuristics to meet these goals, and a methodology to assess and compare assumptions refinement methods based on quantitative metrics. The heuristics are in the form of algorithms to generate candidate refinements during the search, and quantitative measures to assess the quality of the candidates. We first discuss a heuristic method to generate assumptions that target the cause of unrealizability. This is done by selecting candidate refinement formulas based on Craig's interpolation. We provide a formal underpinning of the technique and evaluate it in terms of our new metric of effectiveness, as defined above, whose value is improved with respect to the state of the art. We demonstrate this on a set of popular benchmarks of embedded software. 
We then provide a formal, quantitative characterization of the permissiveness of environment assumptions in the form of a weakness measure. We prove that the partial order induced by this measure is consistent with the one induced by implication. The key advantage of this measure is that it allows for prioritizing candidate solutions, as we show experimentally. Lastly, we propose a notion of minimal refinements with respect to the observed counterstrategies. We demonstrate that exploring minimal refinements produces weaker solutions, and reduces the amount of computations needed to explore each refinement. However, this may come at the cost of reducing the effectiveness of the search. To counteract this effect, we propose a hybrid search approach in which both minimal and non-minimal refinements are explored.

    SAVCBS 2004 Specification and Verification of Component-Based Systems: Workshop Proceedings

    This is the proceedings of the 2004 SAVCBS workshop. The workshop is concerned with how formal (i.e., mathematical) techniques can be or should be used to establish a suitable foundation for the specification and verification of component-based systems. Component-based systems are a growing concern for the software engineering community. Specification and reasoning techniques are urgently needed to permit composition of systems from components. Component-based specification and verification is also vital for scaling advanced verification techniques such as extended static analysis and model checking to the size of real systems. The workshop considers formalization of both functional and non-functional behavior, such as performance or reliability.

    A lattice-theoretic framework for circular assume-guarantee reasoning

    We develop an abstract lattice-theoretic framework within which we study soundness and other properties of circular assume-guarantee (A-G) rules constrained by side conditions. We identify a particular side condition, non-blockingness, which admits an intelligible inductive proof of the soundness of circular A-G reasoning. Besides, conditional circular rules based on non-blockingness turn out to be complete in various senses and stronger than a large class of sound conditional A-G rules. In this respect, our framework enlightens the foundations of circular A-G reasoning. Due to its abstractness, the framework can be instantiated to many concrete settings. We show several known circular A-G rules for compositional verification to be instances of our generic rules. Thus, we do the circularity-breaking inductive argument once to establish soundness of our generic rules, which then implies soundness of all the instances without resorting to technically complicated circularity-breaking arguments for each single rule. In this respect, our framework unifies many approaches to circular A-G reasoning and provides a starting point for the systematic development of new circular A-G rules.

    We develop an abstract lattice-theoretic framework in which we study the soundness and other properties of conditional circular assume-guarantee rules (A-G rules). We isolate a particular side condition, non-blockingness, which leads to an intelligible inductive proof of the soundness of circular A-G rules. Moreover, circular rules constrained by non-blockingness are complete and stronger than a large class of sound conditional A-G rules. In this respect, our work illuminates the foundations of the circular A-G paradigm. Due to its abstractness, our framework can be instantiated to many concrete formalisms. We show that several known A-G rules for compositional verification are instances of our generic rules. Thus, the circularity-breaking proof of soundness has to be carried out only once for our generic rules; all instances then inherit soundness, without a further circularity-breaking proof being necessary. In this respect, our framework provides a unified platform that encompasses the various forms of the circular A-G paradigm and from which new circular A-G rules can be developed systematically.

    Model checking and compositional reasoning for multi-agent systems

    Multi-agent systems are distributed systems containing interacting autonomous agents designed to achieve shared and private goals. For safety-critical systems where we wish to replace a human role with an autonomous entity, we need to make assurances about the correctness of the autonomous delegate. Specialised techniques have been proposed recently for the verification of agents against mentalistic logics. Problematically, these approaches treat the system in a monolithic way. When verifying a property against a single agent, the approaches examine all behaviours of every component in the system. This is both inefficient and can lead to intractability: the so-called state-space explosion problem. In this thesis, we consider techniques to support the verification of agents in isolation. We avoid the state-space explosion problem by verifying an individual agent in the context of a specification of the rest of the system, rather than the system itself. We show that it is possible to verify an agent against its desired properties without needing to consider the behaviours of the remaining components. We first introduce a novel approach for verifying a system as a whole against specifications expressed in a logic of time and knowledge. The technique, based on automata over trees, supports an efficient procedure to verify systems in an automata-theoretic way using language containment. We show how the automata-theoretic approach can be used as an underpinning for assume-guarantee reasoning for multi-agent systems. We use a temporal logic of actions to specify the expected behaviour of the other components in the system. When performing modular verification, this specification is used to exclude behaviours that are inconsistent with the concrete system. 
We implement both approaches within the open-source model checker MCMAS and show that, for the relevant properties, the assume-guarantee approach can significantly increase the tractability of individual agent verification.

    Compositional and Scheduler-Independent Information Flow Security

    Software pervades our society more deeply with every year. This trend makes software security more and more important. For instance, software systems running critical infrastructures like power plants must withstand criminal or even terrorist attacks, but also smartphone apps used by consumers in their daily routine are usually expected to operate securely. In particular, before entrusting a program with confidential information (such as, e.g., image or audio data recorded by a smartphone), one wants to be sure that the program is trustworthy and does not leak the secrets to untrusted sinks (such as, e.g., an untrusted server on the Internet). Information flow properties characterize such confidentiality requirements by restricting the flow of confidential information, and an information flow analysis makes it possible to check that a program respects those restrictions. The problem of information flow in multi-threaded programs is particularly challenging, because information flows can originate in subtle ways from the interplay between threads. Moreover, the existence of such information flows depends on the scheduler, which might not even be known when analyzing a program. To obtain high assurance that no leak is overlooked in an information flow analysis, formally well-founded analyses provide a rigorous solution. Such analyses are proven sound with respect to formal information flow properties that specify precisely what restrictions on information flow mean. In this thesis, we develop two novel information flow properties for multi-threaded programs, FSI-security and SIFUM-security. These properties are scheduler-independent, i.e., they characterize secure information flow for different schedulers simultaneously. Moreover, they are compositional, i.e., they make it possible to break down the analysis of a multi-threaded program to single threads. For both properties we develop a security analysis based on a security type system that is proven sound with respect to the property. 
Compared to existing scheduler-independent information flow properties, FSI-security is less restrictive. In particular, FSI-security is the first scheduler-independent information flow property that permits programs with nondeterministic behavior and programs whose control flow depends on secrets. The security analysis based on SIFUM-security is the first provably sound flow-sensitive information flow analysis for multi-threaded programs in the form of a security type system. Flow-sensitivity results in increased analysis precision by taking the order of program statements into account. The key in our development of SIFUM-security and the corresponding flow-sensitive analysis for multi-threaded programs was to adopt assumption-guarantee style reasoning to information flow security. We integrate FSI-security and SIFUM-security into the novel property FSIFUM-security, and we integrate the security analyses for FSI- and SIFUM-security into a security analysis for FSIFUM-security. Thereby, FSIFUM-security and the corresponding analysis inherit the advantages of both FSI- and SIFUM-security. In addition to developing novel type-based information flow analyses, we also explore information flow analysis for multi-threaded programs with program dependence graphs (PDGs), which are used successfully to analyze sequential programs. To this end, we develop a formal connection between PDG-based and type-based information flow analysis for sequential programs. We exploit the connection to transfer concepts from our type-based analysis for multi-threaded programs to PDGs, resulting in a provably sound PDG-based information flow analysis for multi-threaded programs. Beyond this, we also use the connection to transfer concepts from PDGs to type systems and to precisely compare the precision of a type-based and a PDG-based information flow analysis. 
Our results provide foundations for more precise and more widely applicable information flow analysis for multi-threaded programs, and we hope that they contribute to a more widespread certification of information flow security for concurrent programs.