11 research outputs found

    Parameterized Synthesis

    We study the synthesis problem for distributed architectures with a parametric number of finite-state components. Parameterized specifications arise naturally in a synthesis setting, but thus far it was unclear how to detect realizability and how to perform synthesis in a parameterized setting. Using a classical result from verification, we show that for a class of specifications in indexed LTL\X, parameterized synthesis in token ring networks is equivalent to distributed synthesis in a network consisting of a few copies of a single process. Adapting a well-known result from distributed synthesis, we show that the latter problem is undecidable. We describe a semi-decision procedure for the parameterized synthesis problem in token rings, based on bounded synthesis. We extend the approach to parameterized synthesis in token-passing networks with arbitrary topologies, and show applicability on a simple case study. Finally, we sketch a general framework for parameterized synthesis based on cutoffs and other parameterized verification techniques. Comment: Extended version of TACAS 2012 paper, 29 pages.

    On the satisfiability of indexed linear temporal logics

    Indexed Linear Temporal Logics (ILTL) are an extension of standard Linear Temporal Logics (LTL) with quantifications over index variables which range over a set of process identifiers. ILTL has been widely used in specifying and verifying properties of parameterised systems, e.g., in parameterised model checking of concurrent processes. However, there is still a lack of theoretical investigations on properties of ILTL, compared to the well-studied LTL. In this paper, we start to narrow this gap, focusing on the satisfiability problem, i.e., to decide whether a model exists for a given formula. This problem is in general undecidable. Various fragments of ILTL have been considered in the literature, typically in parameterised model checking, e.g., ILTL formulae in prenex normal form, or containing only non-nested quantifiers, or admitting limited temporal operators. We carry out a thorough study on the decidability and complexity of the satisfiability problem for these fragments. Namely, for each fragment, we either show that it is undecidable, or otherwise provide tight complexity bounds.

    Parameterized Systems in BIP: Design and Model Checking

    BIP is a component-based framework for system design that has important industrial applications. BIP is built on three pillars: behavior, interaction, and priority. In this paper, we introduce first-order interaction logic (FOIL) that extends BIP to systems parameterized in the number of components. We show that FOIL captures classical parameterized architectures such as token-passing rings, cliques of identical components communicating with rendezvous or broadcast, and client-server systems. Although the BIP framework includes efficient verification tools for statically-defined systems, none are available for parameterized systems with an unbounded number of components. The parameterized model checking literature contains a wealth of techniques for systems of classical architectures. However, application of these results requires a deep understanding of parameterized model checking techniques and their underlying mathematical models. To overcome these difficulties, we introduce a framework that automatically identifies parameterized model checking techniques applicable to a BIP design. To our knowledge, it is the first framework that allows one to apply prominent parameterized model checking results in a systematic way.

    A model checking-based approach for security policy verification of mobile systems

    This article describes an approach for the automated verification of mobile systems. Mobile systems are characterized by the explicit notion of (e.g., sites where they run) and the ability to execute at different locations, yielding a number of security issues. To this aim, we formalize mobile systems as Labeled Kripke Structures, encapsulating the notion of that describes the hierarchical nesting of the threads constituting the system. Then, we formalize a generic that includes rules for expressing and manipulating the code location. In contrast to many other approaches, our technique supports both access control and information flow specification. We developed a prototype framework for model checking of mobile systems. It works directly on the program code (in contrast to most traditional process-algebraic approaches that can model only limited details of mobile systems) and uses abstraction-refinement techniques, based also on location abstractions, to manage the program state space. We experimented with a number of mobile code benchmarks by verifying various security policies. The experimental results demonstrate the validity of the proposed mobile system modeling and policy specification formalisms and highlight the advantages of the model checking-based approach, which combines the validation of security properties with other checks, such as the validation of buffer overflows.

    A survey of parametric model verification methods

    Дорогий Я. Ю., Цуркан В. В. (Ya. Yu. Dorohyi, V. V. Tsurkan). A survey of parametric model verification methods // Collection of Scientific Publications of NUK. – Mykolaiv : NUK, 2020. – No. 1 (479). – pp. 82–90.
    Abstract (translated from Ukrainian). At present there is in fact no up-to-date survey of methods for verifying parameterized models that would clearly answer the question of when one or another approach to the verification of parameterized models is appropriate. For that reason the aim of the study is to analyze methods for the verification of parameterized models. The methods of systems analysis, comparison and analysis were applied during the study. Methods for the verification of parameterized models were analyzed; four groups of methods were examined: analytical reduction methods, abstraction methods, symbolic methods, and methods based on the search for invariants. Analytical reduction methods, as a rule, specify a way of mapping the models of a parameterized family of models onto a single model of that family. Abstraction methods also often specify a way of mapping the parameterized models onto a single model, but this model does not belong to the parameterized family itself; rather, it models the behavior of an arbitrary number of processes of the same type. The mapping method implies structural restrictions on the parameterized families of models that can be verified in this way. Symbolic methods usually employ modifications of the symbolic approach to solving the model verification problem. In methods based on the search for an invariant, a process-invariant is sought or constructed that models the behavior of several processes of the system. In the course of the study their main characteristics, shortcomings and advantages were determined. Symbolic methods are applied predominantly for checking safety properties, whereas many invariant methods are also applicable for checking liveness properties. To apply symbolic methods, the description of the parameterized model must be represented in the method's special language, which usually differs quite strongly from the model description languages of model verification tools. Invariant methods use process descriptions in the form of transition systems labeled with propositional variables, and are compatible with the model description languages of model verification tools. Invariant methods use existing model verification tools to check the specification and search for counterexamples, whereas symbolic methods require the implementation of special algorithms. As a result, the best group of methods was identified, which requires neither the development of new description languages nor special algorithms.
    Abstract (authors' English version). In fact, at present there is no up-to-date overview of parametric model verification methods that would clearly answer the question of whether a parameterized model verification approach is appropriate. That is why the purpose of the study is to analyze the methods of verification of parameterized models. Methods of systematic analysis, comparison and analysis were used during the study. Parametric model verification methods are analyzed, among which four groups of methods are investigated: analytical reduction methods, abstraction methods, symbolic methods and invariant search methods. In analytical methods of reduction, as a rule, the method of mapping models of a family of parameterized models onto one model of this family is indicated. For abstraction methods, the method for mapping parameterized models onto one model is also often indicated, but this model does not belong to the parameterized family itself, but rather models the behavior of any number of homogeneous processes. Structural constraints on parameterized model families that can be verified in this way follow from the mapping method. Symbolic methods typically use modifications of the symbolic approach to solve the model verification problem. Invariant-based methods seek or construct an invariant process that simulates the behavior of multiple system processes. The study identified their main characteristics, disadvantages and advantages. Symbolic methods are used mainly for checking security properties, while many invariant methods are also applicable for checking survivability properties. To apply symbolic methods, the parameterized model description must be presented in a special method language, which is usually quite different from the model description languages of the model verification tools. Invariant methods use process descriptions in the form of transition systems, marked with propositional variables, and are compatible with the model languages of the model verification tools. Invariant methods use existing model verification tools to check the specification and search for counterexamples, while symbolic methods require the implementation of special algorithms. As a result, the best group of methods has been identified, which does not require the development of new description languages and special algorithms.

    Applied Formal Methods in Wireless Sensor Networks

    This work covers the application of formal methods to the world of wireless sensor networks. Mainly two different perspectives are analyzed through mathematical models, which can be distinguished, for example, into qualitative statements like "Is the system error free?" From the perspective of quantitative propositions, we investigate optimal protocol parameter settings for energy-efficient operation.

    Weak invariant simulation and analysis of parameterized networks

    Multi-process networks figure in many engineering applications such as communication networks, transportation networks, manufacturing and logistic systems, and computer hardware and software. Parameterized discrete event systems provide a convenient means of modeling such networks when the number of subprocesses is arbitrary, unknown or time-varying. Unfortunately, some key properties of these networks, such as nonblocking and deadlock-freedom, are undecidable. Moreover, mathematical tools supporting analysis of these networks are limited. This thesis introduces a novel mathematical notion, weak invariant simulation, and proposes an efficient method to check whether a finite-state generator weakly invariantly simulates another finite-state generator with respect to a specific subalphabet. This new simulation relation is first used to define a tractable subclass of parameterized ring networks of isomorphic subprocesses in which deadlock-freedom is decidable. Within this framework, a procedure is given to determine the reachable deadlocked states of the network. The effectiveness of the procedure is demonstrated by the deadlock analysis of a version of the dining philosophers problem. To generalize the results on ring networks, we consider a network consisting of several linear parameterized sections but exhibiting a branching topology. To model these networks we introduce Generalized Parameterized Discrete Event Systems (GPDES). The difficulty in analysis of a GPDES is the fact that some of the subprocesses interact with several parameterized sections of the network. Hence the analysis proposed in this thesis involves careful study of interaction among different branches of the network. Here again, we use `weak invariant simulation' to limit the behavior of subprocesses of the network. Then we investigate interactions among different components of the network, using a dependency graph.
    The dependency graph is a directed graph developed to characterize reachable partial deadlocks caused by generalized circular waits in the proposed GPDES. Our results implicitly characterize reachable generalized circular waits as a language accepted by a finite automaton. Our framework allows for modeling and analysis of new parameterized problems. We investigated deadlock in a large-scale factory as an illustrative example.

    Analysis of Parameterized Networks

    In particular, the thesis will focus on parameterized networks of discrete-event systems. These are collections of interacting, isomorphic subsystems, where the number of subsystems is, for practical purposes, arbitrary; thus, the system parameter of interest is, in this case, the size of the network as characterized by the number of subsystems. Parameterized networks are reasonable models of real systems where the number of subsystems is large, unknown, or time-varying: examples include communication, computer and transportation networks. Intuition and engineering practice suggest that, in checking properties of such networks, it should be sufficient to consider a ``testbed'' network of limited size. However, there is presently little rigorous support for such an approach. In general, the problem of deciding whether a temporal property holds for a parameterized network of finite-state systems is undecidable; and the only decidable subproblems that have so far been identified place unreasonable restrictions on the means by which subsystems may interact. The key to ensuring decidability, and therefore the existence of effective solutions to the problem, is to identify restrictions that limit the computational power of the network. This can be done not only by limiting communication but also by restricting the structure of individual subsystems. In this thesis, we take both approaches, and also their combination, on two different network topologies: ring networks and fully connected networks.