Model Checking Systems with Replicated Components using CSP

The Parameterised Model Checking Problem (PMCP) asks whether an implementation Impl(t) satisfies a specification Spec(t) for all instantiations of the parameter t. In general, t can determine numerous entities: the number of processes in a network, the type of data, the capacities of buffers, and so on. The main theme of this thesis is the automation of uniform verification for a subclass of PMCP in which the parameter is of the first kind (the number of node processes), using techniques based on counter abstraction. Counter abstraction works by counting how many, rather than which, node processes are in a given state: for nodes with k local states, an abstract state (c(1), ..., c(k)) models a global state in which c(i) processes are in the i-th state. We then use a threshold function z to cap the value of each counter. If for some i the counter c(i) reaches its threshold z(i), this is interpreted as there being z(i) or more nodes in the i-th state. The addition of thresholds makes abstract models independent of the instantiation of the parameter. We adapt standard counter abstraction techniques to concurrent reactive systems modelled using the CSP process algebra. We demonstrate how to produce abstract models of systems that do not use node identifiers (i.e. where all nodes are indistinguishable). Every such abstraction is, by construction, refined by all instantiations of the implementation. If the abstract model satisfies the specification, then a positive answer to the particular uniform verification problem can be deduced. We show that adding node identifiers makes the uniform verification problem undecidable. We demonstrate a sound abstraction method that extends standard counter abstraction techniques to systems that make full use of node identifiers (in both specifications and implementations). However, on its own, this method is not enough to answer verification problems for all parameter instantiations.
This issue has led us to develop a type reduction theory which, for a given verification problem, establishes a function phi that maps all (sufficiently large) instantiations T of the parameter to some fixed type T and allows us to deduce that if Spec(T) is refined by phi(Impl(T)), then Spec(T) is refined by Impl(T). We can then combine this with our extended counter abstraction techniques and conclude that if the abstract model satisfies Spec(T), then the answer to the uniform verification problem is positive. We develop a symbolic operational semantics for CSP processes that satisfy certain normality requirements, and we provide a set of translation rules that allow us to concretise symbolic transition graphs. The type reduction theory relies heavily on these results. One of the main advantages of our symbolic operational semantics and the type reduction theory is their generality, which makes them applicable in other settings and allows the theory to be combined with abstraction methods other than those used in this thesis. Finally, we present TomCAT, a tool that automates the construction of counter abstraction models, and we demonstrate how our results apply in practice.
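To make the counting and thresholding concrete, the following Python example (added here; it is not TomCAT's code nor any CSP model from the thesis) builds the thresholded counter abstraction for a toy network of indistinguishable nodes. Each node has three local states, I (idle), T (trying) and C (critical), and the only global guard is "enter C only if no node is in C"; the protocol, the thresholds z = (2, 2, 2) and the rule names are all constructed assumptions. The example shows that every sufficiently large instantiation abstracts to the same initial state, explores the finite abstract state space, checks a mutual-exclusion property on it, and verifies on small concrete instances that each concrete step is matched by an abstract step (the refinement-by-construction the abstract speaks of). When a counter is at its threshold, a node leaving that state yields two abstract successors (the counter stays at z or drops to z-1), because "z or more" cannot be decremented exactly.

```python
"""Thresholded counter abstraction of a network of identical nodes.

Constructed example: nodes run a toy mutual-exclusion protocol with local
states I (idle), T (trying), C (critical). Not the thesis's TomCAT code.
"""

IDLE, TRYING, CRIT = 0, 1, 2
K = 3                 # number of local states per node
Z = (2, 2, 2)         # threshold z(i) for each local state (assumption)

# Node step rules: (from_state, to_state, guard over the counter vector).
# The guard c[CRIT] == 0 is evaluated exactly under thresholds z(i) >= 1,
# because a capped counter is zero iff the real count is zero.
RULES = [
    (IDLE, TRYING, lambda c: True),
    (TRYING, CRIT, lambda c: c[CRIT] == 0),
    (CRIT, IDLE, lambda c: True),
]
# Deliberately broken variant (constructed): entering C is unguarded.
BUGGY_RULES = [(IDLE, TRYING, lambda c: True),
               (TRYING, CRIT, lambda c: True),
               (CRIT, IDLE, lambda c: True)]


def exact_counts(concrete):
    """Uncapped counts of nodes per local state for a concrete global state."""
    counts = [0] * K
    for s in concrete:
        counts[s] += 1
    return tuple(counts)


def abstract(concrete, z=Z):
    """Map a tuple of per-node local states to capped counters (c(1),...,c(k))."""
    return tuple(min(n, z[i]) for i, n in enumerate(exact_counts(concrete)))


def abstract_successors(state, rules=RULES, z=Z):
    """Abstract transitions: one (anonymous) node fires one rule."""
    succ = set()
    for src, dst, guard in rules:
        if state[src] == 0 or not guard(state):
            continue
        # Leaving src: below threshold the count is exact, so decrement;
        # at threshold ("z or more") the result may still be z or be z-1.
        decs = [state[src] - 1] if state[src] < z[src] else [z[src] - 1, z[src]]
        for d in decs:
            new = list(state)
            new[src] = d
            new[dst] = min(new[dst] + 1, z[dst])   # entering dst, capped
            succ.add(tuple(new))
    return succ


def reachable_abstract(init, rules=RULES, z=Z):
    """Depth-first exploration of the finite abstract state space."""
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for t in abstract_successors(s, rules, z):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def mutex_holds(n_nodes, rules=RULES, z=Z):
    """Safety check on the abstract model: never two or more nodes in C."""
    init = abstract((IDLE,) * n_nodes, z)
    return all(s[CRIT] < 2 for s in reachable_abstract(init, rules, z))


def concrete_successors(concrete, rules=RULES):
    """Concrete transitions of an n-node network (nodes are identified here)."""
    succ = set()
    c = exact_counts(concrete)
    for i, s in enumerate(concrete):
        for src, dst, guard in rules:
            if s == src and guard(c):
                new = list(concrete)
                new[i] = dst
                succ.add(tuple(new))
    return succ


def simulation_check(n_nodes, rules=RULES, z=Z):
    """Every concrete step of the n-node network abstracts to an abstract step."""
    init = (IDLE,) * n_nodes
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        a_succ = abstract_successors(abstract(s, z), rules, z)
        for t in concrete_successors(s, rules):
            if abstract(t, z) not in a_succ:
                return False
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return True


if __name__ == "__main__":
    print("initial abstract state, 3 and 10 nodes:", abstract((IDLE,) * 3), abstract((IDLE,) * 10))
    print("mutex holds on abstract model:", mutex_holds(10))
    print("mutex holds for buggy rules:", mutex_holds(10, BUGGY_RULES))
    print("concrete steps simulated (4 nodes):", simulation_check(4))
```

Because the initial state and the transition rules only depend on the capped counters, the abstract state space is the same for every instantiation with at least z(IDLE) nodes, which is why a single check of `mutex_holds` answers the question for all such sizes. The buggy rule set shows the abstract model exposing a genuine violation rather than a spurious one: from a state with one node in C and one at the threshold in T, a second node enters C and the CRIT counter reaches 2.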
