
    PLTL Partitioned Model Checking for Reactive Systems under Fairness Assumptions

    We are interested in verifying dynamic properties of finite state reactive systems under fairness assumptions by model checking. The systems we want to verify are specified through a top-down refinement process. In order to deal with the state explosion problem, we have proposed in previous works to partition the reachability graph and to perform the verification on each part separately. Moreover, we have defined a class, called Bmod, of dynamic properties that are verifiable by parts, whatever the partition. We decide whether a property P belongs to Bmod by looking at the form of the Buchi automaton that accepts the negation of P. However, when a property P belongs to Bmod, the property f => P, where f is a fairness assumption, does not necessarily belong to Bmod. In this paper, we propose to use the refinement process in order to build the parts on which the verification has to be performed. We then show that with such a partition, if a property P is verifiable by parts and if f is the expression of the fairness assumptions on a system, then the property f => P is still verifiable by parts. This approach is illustrated by its application to the chip card protocol T=1 using the B engineering design language.

    Partitioned {PLTL} Model-Checking for Refined Transition Systems

    This paper is about the verification of dynamic properties by model-checking for finite state reactive systems. Properties are expressed as PLTL formulae. Systems are specified through a top-down refinement process. In order to cope with the state explosion problem, we propose partitioning the state space to be verified and verifying the properties independently on each part. Properties such that, if they hold on every part then they hold for the whole system, are called verifiable by parts. In a previous paper, we presented a class of interesting PLTL properties that are always verifiable by parts, that is, verifiable by parts with any partitioning of the state space. In addition to these properties, some properties are verifiable by parts on a system provided with a particular partitioning. In this paper, we propose a partitioning of the state space of a system that is guided by the refinement process. We introduce an extended class of PLTL properties that are verifiable by parts with regard to this partitioning. This class includes the first one. In particular, the new class includes liveness properties under fairness assumptions. This class is defined from Buchi automata that accept the language of the negations of the properties. Our work is illustrated by its application to a chip card protocol called T=1. This protocol is specified through successive refinements.

    On the verification of parametric and real-time systems

    2009 - 2010
    Parametric and Real-Time Systems play a central role in the theory underlying the Verification and Synthesis problems. Real-time systems are present everywhere and are used in safety-critical applications, such as flight controllers. Failures in such systems can be very expensive and even life-threatening and, moreover, they are quite hard to design and verify. For these reasons, the development of formal methods for the modeling and analysis of safety-critical systems is an active area of computer science research. The standard formalism used to specify the desired behaviour of a real-time system is temporal logic. Traditional temporal logics, such as linear temporal logic (LTL), allow only qualitative assertions about the temporal ordering of events. However, in several circumstances, for assessing the efficiency of the system being modeled, it may be useful to have additional quantitative guarantees. An extension of LTL with a real-time semantics is given by the Metric Interval Temporal Logic (MITL), where changes of truth values happen according to a splitting of the line of non-negative reals into intervals. However, even with quantitative temporal logics, we would actually like to find out what quantitative bounds can be placed on the logic operators. In this thesis we address the above problem by proposing a parametric extension of MITL, the parametric metric interval temporal logic (PMITL), which allows parameters to be introduced within intervals. For this logic, we study decision problems which are the analogues of the satisfiability, validity and model-checking problems for non-parametric temporal logic. PMITL turns out to be decidable and we show that, when parameter valuations give only non-singular sets, the considered problems are all decidable, EXPSPACE-complete, and have the same complexity as in MITL.
Moreover, we investigate the computational complexity of these problems for natural fragments of PMITL, and show that in meaningful fragments of the logic they are PSPACE-complete. We also consider a remarkable problem expressed by queries where the values that each parameter may assume are either existentially or universally quantified. We solve this problem in several cases and we propose an algorithm in EXPSPACE. Another interesting application of temporal logic is when it is used to express specifications of concurrent programs, where programs and properties are formalized as regular languages of infinite words. In this case, the verification problem (whether the program satisfies the specification) corresponds to solving the language inclusion problem. In the second part of this thesis we consider the Synthesis problem for real-time systems, investigating the applicability of automata constructions that avoid determinization for solving the language inclusion problem and the realizability problem for real-time logics. Since Safra's determinization procedure is difficult to implement, we present Safraless algorithms for automata on infinite timed words. [edited by author]

    Formal synthesis of control and communication schemes

    Thesis (Ph.D.)--Boston University
    In traditional motion planning, the problem is simply specified as "go from A to B while avoiding obstacles", where A and B are two configurations or regions of interest in the robot workspace. However, a large number of robotic applications require more expressive specification languages, which allow for logical and temporal statements about the satisfaction of properties of interest. Examples include "visit A and B infinitely often, always avoid C, and do not visit D unless E was visited before". Such task specifications cannot be trivially converted to a sequence of "go from A to B" primitives. This thesis establishes theoretical and computational frameworks for automatic synthesis of robot control and communication schemes that are correct-by-construction from task specifications given in expressive languages. We consider a purely discrete scenario, in which the dynamics of each robot is modeled as a finite discrete system. The first problem addressed in this thesis is the generation of provably-correct individual control and communication strategies for a team of robots from rich task specifications in the case when the workspace is static. The second problem relaxes this assumption and considers a scenario in which the environment changes according to some unknown patterns. It proposes a combined learning and formal synthesis approach to generate correct control policies. To tackle the first problem, we draw inspiration from the research fields of formal verification and synthesis, distributed formal synthesis, and concurrency theory. We consider a team of robots that can move among the regions of a partitioned environment and have known capabilities of servicing a set of requests that can occur in the regions of the partition. Some of these requests can be serviced by a robot individually, while some require the cooperation of groups of robots.
We propose a top-down approach, in which global specifications given as Regular Expressions (RE) or Linear Temporal Logic (LTL) can be decomposed into local (individual) specifications, which can then be used to automatically synthesize robot control and communication strategies. To address the second problem, we bring together automata learning methods from the field of theoretical linguistics and techniques from temporal logic games and probabilistic model checking, to develop a provably-correct control strategy for robots moving in an environment with unknown dynamics. The robots are required to achieve a surveillance mission, in which a certain request needs to be serviced repeatedly, while the expected time in between consecutive services is minimized and additional temporal logic constraints are satisfied. We define a fragment of Linear Temporal Logic (LTL) to describe such a mission. We consider a single agent case at first and then extend the results to multi-agent systems. To this end, we apply approximate dynamic programming to our computational framework, which leads to a significant reduction of computational time. To demonstrate the proposed theoretical and computational frameworks, we implement the derived algorithms in two experimental platforms, the Robotic Urban-Like Environment (RULE) and the Robotic InDoor-like Environment (RIDE). We assign tasks to the team using Regular Expressions or Linear Temporal Logic over requests occurring at regions in the environment. The robots are automatically deployed to complete the missions.

    A compositional analysis of broadcasting embedded systems

    This work takes as its starting point D. Kendall's CANdle/bCANdle algebraic framework for formal modelling and specification of broadcasting embedded systems based on CAN networks. Checking real-time properties of such systems is beset by problems of state-space explosion, and so a scheme is given for recasting systems specified in Kendall's framework as parallel compositions of timed automata; a CAN network channel is modelled as an automaton. This recasting is shown to be bisimilar to the original bCANdle model. In the recast framework, "compositionality" theorems allow one to infer that a model of a system is simulated by some abstraction of the model, and hence that properties of the model expressible in ACTL can be inferred from analogous properties of the abstraction. These theorems are reminiscent of "assume-guarantee" reasoning, allowing one to build simulations component-wise although, unfortunately, components participating in a "broadcast" are required to be abstracted "atomically". Case studies are presented to show how this can be used in practice, and how systems which take impossibly long to model-check can be tackled by compositional methods. The work is of broader interest also, as the models are built as UPPAAL systems and the compositionality theorems apply to any UPPAAL system in which the components do not share local variables. The method could for instance extend to systems using some network other than CAN, provided it can be modelled by timed automata. Possibilities also exist for building it into an automated tool, complementing other methods such as counterexample-guided abstraction refinement.

    Security Analysis of System Behaviour - From "Security by Design" to "Security at Runtime"

    The Internet today provides the environment for novel applications and processes which may evolve well beyond their pre-planned scope and purpose. Security analysis is growing in complexity with the increase in functionality, connectivity, and dynamics of current electronic business processes. Technical processes within critical infrastructures also have to cope with these developments. To tackle the complexity of the security analysis, the application of models is becoming standard practice. However, model-based support for security analysis is not only needed in pre-operational phases but also during process execution, in order to provide situational security awareness at runtime. This cumulative thesis provides three major contributions to modelling methodology. Firstly, this thesis provides an approach for model-based analysis and verification of security and safety properties in order to support fault prevention and fault removal in system design or redesign. Furthermore, some construction principles for the design of well-behaved scalable systems are given. The second topic is the analysis of the exposure of vulnerabilities in the software components of networked systems to exploitation by internal or external threats. This kind of fault forecasting allows the security assessment of alternative system configurations and security policies. Validation and deployment of security policies that minimise the attack surface can then improve fault tolerance and mitigate the impact of successful attacks. Thirdly, the approach is extended to runtime applicability. An observing system monitors an event stream from the observed system with the aim of detecting faults - deviations from the specified behaviour or security compliance violations - at runtime. Furthermore, knowledge about the expected behaviour given by an operational model is used to predict faults in the near future. Building on this, a holistic security management strategy is proposed.
The architecture of the observing system is described and the applicability of model-based security analysis at runtime is demonstrated utilising processes from several industrial scenarios. The results of this cumulative thesis are provided by 19 selected peer-reviewed papers.

    Applied Formal Methods for Elections

