论文信息 - Domain partitioning for open reactive systems

Domain partitioning for open reactive systems

Testing or model-checking an open reactive system often requires generating a model of the environment. We describe a static analysis for Java that computes a partition of a system's inputs: inputs in the same equivalence class lead to identical behavior. The partition provides a basis for generation of code for a most general environment of the system, i.e., one that exercises all possible behaviors of the system. The partition also helps the generated environment avoid exercising the same behavior multipletimes. Many distributed systems with security requirements can be regarded as open reactive systems whose environment is an adversary-controlled network. We illustrate our approach by applying it to a fault-tolerant and intrusion-tolerant distributed voting system and model-checking the system together with the generated environment.

Scott D. Stoller

[1] Michael K. Reiter,et al. Secure and scalable replication in Phalanx , 1998, Proceedings Seventeenth IEEE Symposium on Reliable Distributed Systems (Cat. No.98CB36281).

[2] Lori A. Clarke,et al. Partition Analysis: A Method Combining Testing and Verification , 1985, IEEE Transactions on Software Engineering.

[3] B. E. Eckbo,et al. Appendix , 1826, Epilepsy Research.

[4] Patrice Godefroid,et al. Model checking for programming languages using VeriSoft , 1997, POPL '97.

[5] Martin C. Rinard,et al. Compositional pointer and escape analysis for Java programs , 1999, OOPSLA '99.

[6] Gavin Lowe. Casper: a compiler for the analysis of security protocols , 1998 .

[7] Michael Goldsmith. The perfect spy for model−checking crypto−protocols , 1997 .

[8] Robert S. Hanmer,et al. Model checking without a model: an analysis of the heart-beat monitor of a telephone switch using VeriSoft , 1998, ISSTA '98.

[9] Patrice Godefroid,et al. Automatically closing open reactive programs , 1998, PLDI.