Model-based evaluation: From dependability to security
IEEE Transactions on Dependable and Secure Computing, 2004
Cited by 99 (5 self)
The development of techniques for quantitative, model-based evaluation of computer system dependability has a long and rich history. A wide array of model-based evaluation techniques are now available, ranging from combinatorial methods, which are useful for quick, rough-cut analyses, to state-based methods, such as Markov reward models, and detailed, discrete-event simulation. The use of quantitative techniques for security evaluation is much less common, and has typically taken the form of formal analysis of small parts of an overall design, or experimental red team-based approaches. Alone, neither of these approaches is fully satisfactory, and we argue that there is much to be gained through the development of a sound model-based methodology for quantifying the security one can expect from a particular design. In this work, we survey existing model-based techniques for evaluating system dependability, and summarize how they are now being extended to evaluate system security. We find that many techniques from dependability evaluation can be applied in the security domain, but that significant challenges remain, largely due to fundamental differences between the accidental nature of the faults commonly assumed in dependability evaluation, and the intentional, human nature of cyber attacks.
Logical and stochastic modeling with SMART
2003
Cited by 29 (16 self)
We describe the main features of SmArT, a software package providing a seamless environment for the logic and probabilistic analysis of complex systems. SmArT can combine different formalisms in the same modeling study. For the analysis of logical behavior, both explicit and symbolic state-space generation techniques, as well as symbolic CTL model-checking algorithms, are available. For the study of stochastic and timing behavior, both sparse-storage and Kronecker numerical solution approaches are available when the underlying process is a Markov chain. In addition,
Saturation-based symbolic reachability analysis using conjunctive and disjunctive partitioning
Proc. CHARME, LNCS 3725, 2005
Cited by 24 (13 self)
We propose a new saturation-based symbolic state-space generation algorithm for finite discrete-state systems. Based on the structure of the high-level model specification, we first disjunctively partition the transition relation of the system, then conjunctively partition each disjunct. Our new encoding recognizes identity transformations of state variables and exploits event locality, enabling us to apply a recursive fixed-point image computation strategy completely different from the standard breadth-first approach employing a global fixpoint image computation. Compared to breadth-first symbolic methods, saturation has already been empirically shown to be several orders more efficient in terms of runtime and peak memory requirements for asynchronous concurrent systems. With the new partitioning, the saturation algorithm can now be applied to completely general asynchronous systems, while requiring similar or better runtimes and peak memory than previous saturation algorithms.
Hierarchical decision diagrams to exploit model structure
In FORTE, 2005
Cited by 21 (5 self)
Symbolic model-checking using binary decision diagrams (BDD) can allow to represent very large state spaces. BDD give good results for synchronous systems, particularly for circuits that are well adapted to a binary encoding of a state. However both the operation definition mechanism (using more BDD) and the state representation (purely linear traversal from root to leaves) show their limits when trying to tackle globally asynchronous and typed specifications. Data Decision Diagrams (DDD) [7] are a directed acyclic graph structure that manipulates (a priori unbounded) integer domain variables, and which offers a flexible and compositional definition of operations through inductive homomorphisms. We first introduce a new transitive closure unary operator for homomorphisms, that heavily reduces the intermediate peak size effect common to symbolic approaches. We then extend the DDD definition to introduce hierarchy in the data structure. We define Set Decision Diagrams, in which a variable's domain is a set of values. Concretely, it means the arcs of an SDD may be labeled with an SDD (or a DDD), introducing the possibility of arbitrary depth nesting in the data structure. We show how this data structure and operation framework is particularly adapted to the computation and representation of structured state-spaces, and thus shows good potential for symbolic model-checking of software systems, a problem that is difficult for plain BDD representations.
Structural symbolic CTL model checking of asynchronous systems
Computer Aided Verification (CAV'03), LNCS 2725, 2003
Cited by 20 (11 self)
In previous work, we showed how structural information can be used to efficiently generate the state-space of asynchronous systems. Here, we apply these ideas to symbolic CTL model checking. Thanks to a Kronecker encoding of the transition relation, we detect and exploit event locality and apply better fixed-point iteration strategies, resulting in orders-of-magnitude reductions for both execution times and memory consumption in comparison to well-established tools such as NuSMV.
Symbolic State-space Exploration and Numerical Analysis of State-sharing Composed Models
In Proceedings of NSMC '03: The Fourth International Conference on the Numerical Solution of Markov Chains, 2004
Cited by 18 (6 self)
The complexity of stochastic models of real-world systems is usually managed by abstracting details and structuring models in a hierarchical manner. Systems are often built by replicating and joining subsystems, making possible the creation of a model structure that yields lumpable state spaces. This fact has been exploited to facilitate model-based numerical analysis. Likewise, recent results on model construction suggest that decision diagrams can be used to compactly represent large Continuous Time Markov Chains (CTMCs). In this paper, we present an approach that combines and extends these two approaches. In particular, we propose methods that apply to hierarchically structured models with hierarchies based on sharing state variables. The hierarchy is constructed in a way that exposes structural symmetries in the constructed model, thus facilitating lumping. In addition, the methods allow one to derive a symbolic representation of the associated CTMC directly from the given model without the need to compute and store the overall state space or CTMC explicitly. The resulting representation of a generator matrix allows the analysis of large CTMCs in lumped form. The efficiency of the approach is demonstrated with the help of two example models.
Exploiting interleaving semantics in symbolic state-space generation
Formal Methods in System Design
Cited by 16 (3 self)
Symbolic techniques based on Binary Decision Diagrams (BDDs) are widely employed for reasoning about temporal properties of hardware circuits and synchronous controllers. However, they often perform poorly when dealing with the huge state spaces underlying systems based on interleaving semantics, such as communications protocols and distributed software, which are composed of independently acting subsystems that communicate via shared events. This article shows that the efficiency of state-space exploration techniques using decision diagrams can be drastically improved by exploiting the interleaving semantics underlying many event-based and component-based system models. A new algorithm for symbolically generating state spaces is presented that (i) encodes a model's state vectors with Multi-valued Decision Diagrams (MDDs) rather than flattening them into BDDs and (ii) partitions the model's Kronecker-consistent next-state function by event and subsystem, thus enabling multiple lightweight next-state transformations rather than a single heavyweight one. Together, this paves the way for a novel iteration order, called saturation, which replaces the breadth-first search order of traditional algorithms. The resulting saturation algorithm is implemented in the tool SMART, and experimental studies show that it is often several orders of magnitude better in terms of time efficiency, final memory consumption, and peak memory consumption than existing symbolic algorithms.
Hierarchical Set Decision Diagrams and Regular Models
Cited by 13 (10 self)
This paper presents algorithms and data structures that exploit a compositional and hierarchical specification to enable more efficient symbolic model-checking. We encode the state space and transition relation using hierarchical Set Decision Diagrams (SDD) [9]. In SDD, arcs of the structure are labeled with sets, themselves stored as SDD. To exploit the hierarchy of SDD, a structured model representation is needed. We thus introduce a formalism integrating a simple notion of type and instance. Complex composite behaviors are obtained using a synchronization mechanism borrowed from process calculi. Using this relatively general framework, we investigate how to capture similarities in regular models. Experimental results are presented, showing that this approach can outperform in time and memory previous work in this area.
Saturation for a General Class of Models
2004
Cited by 11 (3 self)
Implicit techniques for construction and representation of the reachability set of a high-level model have become quite efficient for certain types of models. In particular, previous work developed a "saturation" algorithm that exploits asynchronous behavior to efficiently construct the reachability set using multiway decision diagrams, but requires each model event to be expressible as a Kronecker product. In this paper, we develop a new version of the saturation algorithm that works for a general class of models: models whose events are not necessarily expressible as Kronecker products, models containing events with complex priority structures, and models whose state variables have unknown bounds. We apply our algorithm to several examples and give detailed experimental results.