Reasoning about Abstract Open Systems with Generalized Module Checking

We present a framework for reasoning about abstract open systems. Open systems, also called “reactive systems” or “modules”, are systems that interact with their environment and whose behaviors depend on these interactions. Embedded software is a typical example of open system. Module checking [KV96] is a verification technique for checking whether an open system satisfies a temporal property no matter what its environment does. Module checking makes it possible to check adversarial properties of the “game” played by the open system with its environment (such as “is there a winning strategy for a malicious agent trying to intrude a secure system?”). We study how module checking can be extended to reason about 3-valued abstractions of open systems in such a way that both proofs and counter-examples obtained by verifying arbitrary properties on such abstractions are guaranteed to be sound, i.e., to carry over to the concrete system. We also introduce a new verification technique, called generalized module checking, that can improve the precision of module checking. The modeling framework and verification techniques developed in this paper can be used to represent and reason about abstractions automatically generated from a static analysis of an open program using abstraction techniques such as predicate abstraction. This application is illustrated with an example of open program and property that cannot be verified by current abstraction-based verification tools.

[1]  Radha Jagadeesan,et al.  Modal Transition Systems: A Foundation for Three-Valued Program Analysis , 2001, ESOP.

[2]  Klaus Havelund,et al.  Model Checking Programs , 2004, Automated Software Engineering.

[3]  Radha Jagadeesan,et al.  On the Expressiveness of 3-Valued Models , 2002, VMCAI.

[4]  Thomas A. Henzinger,et al.  Interface automata , 2001, ESEC/FSE-9.

[5]  Kousha Etessami,et al.  Analysis of Recursive Game Graphs Using Data Flow Equations , 2004, VMCAI.

[6]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[7]  Dennis Dams,et al.  Abstract interpretation and partition refinement for model checking , 1996 .

[8]  Patrice Godefroid,et al.  Generalized Model Checking: Reasoning about Partial State Spaces , 2000, CONCUR.

[9]  Robert de Simone,et al.  CONCUR'98 Concurrency Theory , 1998, Lecture Notes in Computer Science.

[10]  Dexter Kozen,et al.  RESULTS ON THE PROPOSITIONAL’p-CALCULUS , 2001 .

[11]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[12]  Thomas A. Henzinger,et al.  Alternating Refinement Relations , 1998, CONCUR.

[13]  Radha Jagadeesan,et al.  Automatic Abstraction Using Generalized Model Checking , 2002, CAV.

[14]  E. Allen Emerson,et al.  Temporal and Modal Logic , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[15]  J. Van Leeuwen,et al.  Handbook of theoretical computer science - Part A: Algorithms and complexity; Part B: Formal models and semantics , 1990 .

[16]  David L. Dill,et al.  Successive approximation of abstract transition relations , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[17]  S. C. Kleene,et al.  Introduction to Metamathematics , 1952 .

[18]  Kim G. Larsen,et al.  A modal process logic , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[19]  Orna Kupferman,et al.  Module Checking , 1996, Inf. Comput..

[20]  Patrice Godefroid,et al.  Model Checking Partial State Spaces with 3-Valued Temporal Logics , 1999, CAV.

[21]  Radha Jagadeesan,et al.  Abstraction-Based Model Checking Using Modal Transition Systems , 2001, CONCUR.

[22]  Kousha Etessami,et al.  Optimizing Büchi Automata , 2000, CONCUR.

[23]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[24]  Sriram K. Rajamani,et al.  The SLAM Toolkit , 2001, CAV.

[25]  R. Milner,et al.  Bigraphical Reactive Systems , 2001, CONCUR.