8 research outputs found
High-level Counterexamples for Probabilistic Automata
Providing compact and understandable counterexamples for violated system
properties is an essential task in model checking. Existing works on
counterexamples for probabilistic systems so far computed either a large set of
system runs or a subset of the system's states, both of which are of limited
use in manual debugging. Many probabilistic systems are described in a guarded
command language like the one used by the popular model checker PRISM. In this
paper we describe how a smallest possible subset of the commands can be
identified which together make the system erroneous. We additionally show how
the selected commands can be further simplified to obtain a well-understandable
counterexample
Model exploration and analysis for quantitative safety refinement in probabilistic B
The role played by counterexamples in standard system analysis is well known;
but less common is a notion of counterexample in probabilistic systems
refinement. In this paper we extend previous work using counterexamples to
inductive invariant properties of probabilistic systems, demonstrating how they
can be used to extend the technique of bounded model checking-style analysis
for the refinement of quantitative safety specifications in the probabilistic B
language. In particular, we show how the method can be adapted to cope with
refinements incorporating probabilistic loops. Finally, we demonstrate the
technique on pB models summarising a one-step refinement of a randomised
algorithm for finding the minimum cut of undirected graphs, and that for the
dependability analysis of a controller design.Comment: In Proceedings Refine 2011, arXiv:1106.348
Counterexample Generation in Probabilistic Model Checking
Providing evidence for the refutation of a property is an essential, if not the most important, feature of model checking. This paper considers algorithms for counterexample generation for probabilistic CTL formulae in discrete-time Markov chains. Finding the strongest evidence (i.e., the most probable path) violating a (bounded) until-formula is shown to be reducible to a single-source (hop-constrained) shortest path problem. Counterexamples of smallest size that deviate most from the required probability bound can be obtained by applying (small amendments to) k-shortest (hop-constrained) paths algorithms. These results can be extended to Markov chains with rewards, to LTL model checking, and are useful for Markov decision processes. Experimental results show that typically the size of a counterexample is excessive. To obtain much more compact representations, we present a simple algorithm to generate (minimal) regular expressions that can act as counterexamples. The feasibility of our approach is illustrated by means of two communication protocols: leader election in an anonymous ring network and the Crowds protocol
Effective verification of confidentiality for multi-threaded programs
This paper studies how confidentiality properties of multi-threaded programs can be verified efficiently by a combination of newly developed and existing model checking algorithms. In particular, we study the verification of scheduler-specific observational determinism (SSOD), a property that characterizes secure information flow for multi-threaded programs under a given scheduler. Scheduler-specificness allows us to reason about refinement attacks, an important and tricky class of attacks that are notorious in practice. SSOD imposes two conditions: (SSOD-1)~all individual public variables have to evolve deterministically, expressed by requiring stuttering equivalence between the traces of each individual public variable, and (SSOD-2)~the relative order of updates of public variables is coincidental, i.e., there always exists a matching trace. \ud
\ud
We verify the first condition by reducing it to the question whether all traces of \ud
each public variable are stuttering equivalent. \ud
To verify the second condition, we show how\ud
the condition can be translated, via a series of steps, \ud
into a standard strong bisimulation problem. \ud
Our verification techniques can be easily\ud
adapted to verify other formalizations of similar information flow properties.\ud
\ud
We also exploit counter example generation techniques to synthesize attacks for insecure programs that fail either SSOD-1 or SSOD-2, i.e., showing how confidentiality \ud
of programs can be broken
P.: Significant diagnostic counterexamples in probabilistic model checking
Abstract. This paper presents a novel technique for counterexample generation in probabilistic model checking of Markov chains and Markov Decision Processes. (Finite) paths in counterexamples are grouped together in witnesses that are likely to provide similar debugging information to the user. We list five properties that witnesses should satisfy in order to be useful as debugging aid: similarity, accuracy, originality, significance, and finiteness. Our witnesses contain paths that behave similarly outside strongly connected components. Then, we show how to compute these witnesses by reducing the problem of generating counterexamples for general properties over Markov Decision Processes, in several steps, to the easy problem of generating counterexamples for reachability properties over acyclic Markov chains.