Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis
The safety of infinite state systems can be checked by a backward
reachability procedure. For certain classes of systems, it is possible to prove
the termination of the procedure and hence conclude the decidability of the
safety problem. Although backward reachability is property-directed, it can
unnecessarily explore (large) portions of the state space of a system which are
not required to verify the safety property under consideration. To avoid this,
invariants can be used to dramatically prune the search space. Indeed, the
problem is to guess such appropriate invariants. In this paper, we present a
fully declarative and symbolic approach to the mechanization of backward
reachability of infinite state systems manipulating arrays by Satisfiability
Modulo Theories solving. Theories are used to specify the topology and the data
manipulated by the system. We identify sufficient conditions on the theories to
ensure the termination of backward reachability and we show the completeness of
a method for invariant synthesis (obtained as the dual of backward
reachability), again, under suitable hypotheses on the theories. We also
present a pragmatic approach to interleave invariant synthesis and backward
reachability so that a fix-point for the set of backward reachable states is
more easily obtained. Finally, we discuss heuristics that allow us to derive an
implementation of the techniques in the model checker MCMT, showing remarkable
speed-ups on a significant set of safety problems extracted from a variety of
sources.
Comment: Accepted for publication in Logical Methods in Computer Science
The Nature and Function of Geographical Indications in Law
There are two basic types of legal regime for the protection of geographical indications (GIs). Some systems, notably that of the European Union, define and treat GIs as a distinct type of intellectual property. This approach is also reflected in the provisions concerning GIs in the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement). Other legal systems, notably those of Australia, Canada and the United States, treat GIs as a subcategory of trademarks. Like trademarks, GIs function principally as a means of providing information to consumers. EU legislation and jurisprudence, however, define GIs more expansively than do trademark-based legal systems, and see GIs as in some ways superior to trademarks. The EU is attempting to incorporate other features of its system of GI protection into the WTO/TRIPS system. But the nature of GIs is somewhat at odds with that of other types of intellectual property.
Keywords: geographical indications, intellectual property, Origin Regulation, trademarks, TRIPS, WTO, Food Consumption/Nutrition/Food Safety, International Relations/Trade
Safe Environmental Envelopes of Discrete Systems
A safety verification task involves verifying a system against a desired
safety property under certain assumptions about the environment. However, these
environmental assumptions may occasionally be violated due to modeling errors
or faults. Ideally, the system guarantees its critical properties even under
some of these violations, i.e., the system is robust against
environmental deviations. This paper proposes a notion of robustness as
an explicit, first-class property of a transition system that captures how
robust it is against possible deviations in the environment. We modeled
deviations as a set of transitions that may be added to the original
environment. Our robustness notion then describes the safety envelope of this
system, i.e., it captures all sets of extra environment transitions for which
the system still guarantees a desired property. We show that being able to
explicitly reason about robustness enables new types of system analysis and
design tasks beyond the common verification problem stated above. We
demonstrate the application of our framework on case studies involving a
radiation therapy interface, an electronic voting machine, a fare collection
protocol, and a medical pump device.
Comment: Full version of CAV23 paper
The Meaning of Memory Safety
We give a rigorous characterization of what it means for a programming
language to be memory safe, capturing the intuition that memory safety supports
local reasoning about state. We formalize this principle in two ways. First, we
show how a small memory-safe language validates a noninterference property: a
program can neither affect nor be affected by unreachable parts of the state.
Second, we extend separation logic, a proof system for heap-manipulating
programs, with a memory-safe variant of its frame rule. The new rule is
stronger because it applies even when parts of the program are buggy or
malicious, but also weaker because it demands a stricter form of separation
between parts of the program state. We also consider a number of pragmatically
motivated variations on memory safety and the reasoning principles they
support. As an application of our characterization, we evaluate the security of
a previously proposed dynamic monitor for memory safety of heap-allocated data.
Comment: POST'18 final version
Reactive Safety
The distinction between safety and liveness properties is a fundamental
classification with immediate implications on the feasibility and complexity of
various monitoring, model checking, and synthesis problems. In this paper, we
revisit the notion of safety for reactive systems, i.e., for systems whose
behavior is characterized by the interplay of uncontrolled environment inputs
and controlled system outputs. We show that reactive safety is a strictly
larger class of properties than standard safety. We provide algorithms for
checking if a property, given as a temporal formula or as a word or tree
automaton, is a reactive safety property and for translating such properties
into safety automata. Based on this construction, the standard verification and
synthesis algorithms for safety properties immediately extend to the larger
class of reactive safety.
Comment: In Proceedings GandALF 2011, arXiv:1106.081
Lost in Abstraction: Monotonicity in Multi-Threaded Programs (Extended Technical Report)
Monotonicity in concurrent systems stipulates that, in any global state,
extant system actions remain executable when new processes are added to the
state. This concept is not only natural and common in multi-threaded software,
but also useful: if every thread's memory is finite, monotonicity often
guarantees the decidability of safety property verification even when the
number of running threads is unknown. In this paper, we show that the act of
obtaining finite-data thread abstractions for model checking can be at odds
with monotonicity: Predicate-abstracting certain widely used monotone software
results in non-monotone multi-threaded Boolean programs - the monotonicity is
lost in the abstraction. As a result, well-established sound and complete
safety checking algorithms become inapplicable; in fact, safety checking turns
out to be undecidable for the obtained class of unbounded-thread Boolean
programs. We demonstrate how the abstract programs can be modified into
monotone ones, without affecting safety properties of the non-monotone
abstraction. This significantly improves earlier approaches of enforcing
monotonicity via overapproximations