Verification of Well-Structured Graph Transformation Systems

The aim of this thesis is the definition of a high-level framework for verifying concurrent and distributed systems. Verification in computer science is challenging, since models that are sufficiently expressive to describe real-life case studies suffer from the undecidability of interesting problems. This also holds for the graph transformation systems used in this thesis. To still be able to analyse these system we have to restrict either the class of systems we can model, the class of states we can express or the properties we can verify. In fact, in the framework we will present, all these limitations are possible and each allows to solve different verification problems. For modelling we use graphs as the states of the system and graph transformation rules to model state changes. More precisely, we use hypergraphs, where an edge may be incident to an arbitrary long sequence of nodes. As rule formalism we use the single pushout approach based on category theory. This provides us with a powerful formalisms that allows us to use a finite set of rules to describe an infinite transition system. To obtain decidability results while still maintaining an infinite state space we use the theory of well-structured transition systems (WSTS), the main source of decidability results in the infinite case. We need to equip our state space with a well-quasi-order (wqo) which is a simulation relation for the transition relation (this is also known as compatibility condition or monotonicity requirement). If a system can be seen as a WSTS and some additional conditions are satisfied, one can decide the coverability problem, i.e., the problem of verifying whether, from a given initial state one can reach a state that covers a final state, i.e. is larger than the final state with respect to a chosen order. This problem can be used for verification by giving a finite set of minimal error states that represent an infinite class of erroneous states (i.e. all larger states). By checking whether one of these minimal states is coverable, we verify whether an error is reachable. The theory of WSTS provides us with a generic backwards algorithm to solve this problem. For graphs we will introduce three orders, the minor ordering, the subgraph ordering and the induced subgraph ordering, and investigate which graph transformation systems form WSTS with these orders. Since only the minor ordering is a wqo on all graphs, we will first define so-called Q-restricted WSTS, where we only require that the chosen order is a wqo on the downward-closed class Q. We examine how this affects the decidability of the coverability problem and present appropriate classes Q such that the subgraph ordering and induced subgraph ordering form Q-restricted WSTS. Furthermore, we will prove the computability of the backward algorithm for these Q-restricted WSTS. More precisely, we will do this in the form of a framework and give necessary conditions for orders to be compatible with this framework. For the three mentioned orders we prove that they satisfy these conditions. Being compatible with different orders strengthens the framework in the following way: On the one hand error specifications have to be invariant wrt. the order, meaning that different orders can describe different properties. On the other hand, there is the following trade-off: coarser orders are wqos on larger sets of graphs, but fewer GTS are well-structured wrt. coarse orders (analogously the reverse holds for fine orders). Finally, we will present the tool Uncover which implements most of the theoretical framework defined in this thesis. The practical value of our approach is illustrated by several case studies and runtime results

Verification and Control of Partially Observable Probabilistic Real-Time Systems

We propose automated techniques for the verification and control of probabilistic real-time systems that are only partially observable. To formally model such systems, we define an extension of probabilistic timed automata in which local states are partially visible to an observer or controller. We give a probabilistic temporal logic that can express a range of quantitative properties of these models, relating to the probability of an event's occurrence or the expected value of a reward measure. We then propose techniques to either verify that such a property holds or to synthesise a controller for the model which makes it true. Our approach is based on an integer discretisation of the model's dense-time behaviour and a grid-based abstraction of the uncountable belief space induced by partial observability. The latter is necessarily approximate since the underlying problem is undecidable, however we show how both lower and upper bounds on numerical results can be generated. We illustrate the effectiveness of the approach by implementing it in the PRISM model checker and applying it to several case studies, from the domains of computer security and task scheduling

A Metric Encoding for Bounded Model Checking (extended version)

In Bounded Model Checking both the system model and the checked property are translated into a Boolean formula to be analyzed by a SAT-solver. We introduce a new encoding technique which is particularly optimized for managing quantitative future and past metric temporal operators, typically found in properties of hard real time systems. The encoding is simple and intuitive in principle, but it is made more complex by the presence, typical of the Bounded Model Checking technique, of backward and forward loops used to represent an ultimately periodic infinite domain by a finite structure. We report and comment on the new encoding technique and on an extensive set of experiments carried out to assess its feasibility and effectiveness

Verification and control of partially observable probabilistic systems

We present automated techniques for the verification and control of partially observable, probabilistic systems for both discrete and dense models of time. For the discrete-time case, we formally model these systems using partially observable Markov decision processes; for dense time, we propose an extension of probabilistic timed automata in which local states are partially visible to an observer or controller. We give probabilistic temporal logics that can express a range of quantitative properties of these models, relating to the probability of an event’s occurrence or the expected value of a reward measure. We then propose techniques to either verify that such a property holds or synthesise a controller for the model which makes it true. Our approach is based on a grid-based abstraction of the uncountable belief space induced by partial observability and, for dense-time models, an integer discretisation of real-time behaviour. The former is necessarily approximate since the underlying problem is undecidable, however we show how both lower and upper bounds on numerical results can be generated. We illustrate the effectiveness of the approach by implementing it in the PRISM model checker and applying it to several case studies from the domains of task and network scheduling, computer security and planning

Equilibria-based Probabilistic Model Checking for Concurrent Stochastic Games

Probabilistic model checking for stochastic games enables formal verification of systems that comprise competing or collaborating entities operating in a stochastic environment. Despite good progress in the area, existing approaches focus on zero-sum goals and cannot reason about scenarios where entities are endowed with different objectives. In this paper, we propose probabilistic model checking techniques for concurrent stochastic games based on Nash equilibria. We extend the temporal logic rPATL (probabilistic alternating-time temporal logic with rewards) to allow reasoning about players with distinct quantitative goals, which capture either the probability of an event occurring or a reward measure. We present algorithms to synthesise strategies that are subgame perfect social welfare optimal Nash equilibria, i.e., where there is no incentive for any players to unilaterally change their strategy in any state of the game, whilst the combined probabilities or rewards are maximised. We implement our techniques in the PRISM-games tool and apply them to several case studies, including network protocols and robot navigation, showing the benefits compared to existing approaches

Leader Election in Anonymous Rings: Franklin Goes Probabilistic

We present a probabilistic leader election algorithm for anonymous, bidirectional, asynchronous rings. It is based on an algorithm from Franklin, augmented with random identity selection, hop counters to detect identity clashes, and round numbers modulo 2. As a result, the algorithm is finite-state, so that various model checking techniques can be employed to verify its correctness, that is, eventually a unique leader is elected with probability one. We also sketch a formal correctness proof of the algorithm for rings with arbitrary size