15 research outputs found
Combining k-Induction with Continuously-Refined Invariants
Bounded model checking (BMC) is a well-known and successful technique for
finding bugs in software. k-induction is an approach to extend BMC-based
approaches from falsification to verification. Automatically generated
auxiliary invariants can be used to strengthen the induction hypothesis. We
improve this approach and further increase effectiveness and efficiency in the
following way: we start with light-weight invariants and refine these
invariants continuously during the analysis. We present and evaluate an
implementation of our approach in the open-source verification-framework
CPAchecker. Our experiments show that combining k-induction with
continuously-refined invariants significantly increases effectiveness and
efficiency, and outperforms all existing implementations of k-induction-based
software verification in terms of successful verification results.Comment: 12 pages, 5 figures, 2 tables, 2 algorithm
Liveness of Randomised Parameterised Systems under Arbitrary Schedulers (Technical Report)
We consider the problem of verifying liveness for systems with a finite, but
unbounded, number of processes, commonly known as parameterised systems.
Typical examples of such systems include distributed protocols (e.g. for the
dining philosopher problem). Unlike the case of verifying safety, proving
liveness is still considered extremely challenging, especially in the presence
of randomness in the system. In this paper we consider liveness under arbitrary
(including unfair) schedulers, which is often considered a desirable property
in the literature of self-stabilising systems. We introduce an automatic method
of proving liveness for randomised parameterised systems under arbitrary
schedulers. Viewing liveness as a two-player reachability game (between
Scheduler and Process), our method is a CEGAR approach that synthesises a
progress relation for Process that can be symbolically represented as a
finite-state automaton. The method is incremental and exploits both
Angluin-style L*-learning and SAT-solvers. Our experiments show that our
algorithm is able to prove liveness automatically for well-known randomised
distributed protocols, including Lehmann-Rabin Randomised Dining Philosopher
Protocol and randomised self-stabilising protocols (such as the Israeli-Jalfon
Protocol). To the best of our knowledge, this is the first fully-automatic
method that can prove liveness for randomised protocols.Comment: Full version of CAV'16 pape
Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures (Full version)
A widespread design approach in distributed applications based on the
service-oriented paradigm, such as web-services, consists of clearly separating
the enforcement of authorization policies and the workflow of the applications,
so that the interplay between the policy level and the workflow level is
abstracted away. While such an approach is attractive because it is quite
simple and permits one to reason about crucial properties of the policies under
consideration, it does not provide the right level of abstraction to specify
and reason about the way the workflow may interfere with the policies, and vice
versa. For example, the creation of a certificate as a side effect of a
workflow operation may enable a policy rule to fire and grant access to a
certain resource; without executing the operation, the policy rule should
remain inactive. Similarly, policy queries may be used as guards for workflow
transitions.
In this paper, we present a two-level formal verification framework to
overcome these problems and formally reason about the interplay of
authorization policies and workflow in service-oriented architectures. This
allows us to define and investigate some verification problems for SO
applications and give sufficient conditions for their decidability.Comment: 16 pages, 4 figures, full version of paper at Symposium on Secure
Computing (SecureCom09
Ilinva: Using Abduction to Generate Loop Invariants
International audienceWe describe a system to prove properties of programs. The key feature of this approach is a method to automatically synthesize in-ductive invariants of the loops contained in the program. The method is generic, i.e., it applies to a large set of programming languages and application domains; and lazy, in the sense that it only generates invariants that allow one to derive the required properties. It relies on an existing system called GPiD for abductive reasoning modulo theories [14], and on the platform for program verification Why3 [16]. Experiments show evidence of the practical relevance of our approach
Understanding the QuickXPlain Algorithm: Simple Explanation and Formal Proof
In his seminal paper of 2004, Ulrich Junker proposed the QuickXPlain
algorithm, which provides a divide-and-conquer computation strategy to find
within a given set an irreducible subset with a particular (monotone) property.
Beside its original application in the domain of constraint satisfaction
problems, the algorithm has since then found widespread adoption in areas as
different as model-based diagnosis, recommender systems, verification, or the
Semantic Web. This popularity is due to the frequent occurrence of the problem
of finding irreducible subsets on the one hand, and to QuickXPlain's general
applicability and favorable computational complexity on the other hand.
However, although (we regularly experience) people are having a hard time
understanding QuickXPlain and seeing why it works correctly, a proof of
correctness of the algorithm has never been published. This is what we account
for in this work, by explaining QuickXPlain in a novel tried and tested way and
by presenting an intelligible formal proof of it. Apart from showing the
correctness of the algorithm and excluding the later detection of errors (proof
and trust effect), the added value of the availability of a formal proof is,
e.g., (i) that the workings of the algorithm often become completely clear only
after studying, verifying and comprehending the proof (didactic effect), (ii)
the shown proof methodology can be used as a guidance for proving other
recursive algorithms (transfer effect), and (iii) the possibility of providing
"gapless" correctness proofs of systems that rely on (results computed by)
QuickXPlain, such as numerous model-based debuggers (completeness effect)
A Deductive Approach towards Reasoning about Algebraic Transition Systems
Algebraic transition systems are extended from labeled transition systems by allowing transitions labeled by algebraic equations for modeling more complex systems in detail. We present a deductive approach for specifying and verifying algebraic transition systems. We modify the standard dynamic logic by introducing algebraic equations into modalities. Algebraic transition systems are embedded in modalities of logic formulas which specify properties of algebraic transition systems. The semantics of modalities and formulas is defined with solutions of algebraic equations. A proof system for this logic is constructed to verify properties of algebraic transition systems. The proof system combines with inference rules decision procedures on the theory of polynomial ideals to reduce a proof-search problem to an algebraic computation problem. The proof system proves to be sound but inherently incomplete. Finally, a typical example illustrates that reasoning about algebraic transition systems with our approach is feasible