Results 1-10 of 33
Automatic Deductive Verification with Invisible Invariants, 2001
Cited by 103 (11 self)
The paper presents a method for the automatic verification of a certain class of parameterized systems. These are bounded-data systems consisting of N processes (N being the parameter), where each process is finite-state. First, we show that if we use the standard deductive INV rule for proving invariance properties, then all the generated verification conditions can be automatically resolved by finite-state (BDD-based) methods with no need for interactive theorem proving. Next, we show how to use model-checking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Combining this automatic computation of invariants with the previously mentioned resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying bounded-data parameterized systems. The generated invariants can be transferred to the VC-validation phase without ever being examined by the user, which explains why we refer to them as "invisible". We illustrate the method on a non-trivial example of a cache protocol, provided by Steve German.
Parameterized Verification with Automatically Computed Inductive Assertions, 2001
Cited by 90 (9 self)
The paper presents a method, called the method of verification by invisible invariants, for the automatic verification of a large class of parameterized systems. The method is based on the automatic calculation of candidate inductive assertions and checking for their inductiveness, using symbolic model-checking techniques for both tasks. First, we show how to use model-checking techniques over finite (and small) instances of the parameterized system in order to derive candidates for invariant assertions. Next, we show that the premises of the standard deductive INV rule for proving invariance properties can be automatically resolved by finite-state (BDD-based) methods with no need for interactive theorem proving. Combining the automatic computation of invariants with the automatic resolution of the VCs (verification conditions) yields a (necessarily) incomplete but fully automatic sound method for verifying large classes of parameterized systems. The generated invariants can be transferred to the VC-validation phase without ever being examined by the user, which explains why we refer to them as "invisible". The efficacy of the method is demonstrated by automatic verification of diverse parameterized systems in a fully automatic and efficient manner.
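The two abstracts above describe the same two-step recipe: model-check a small instance, project its reachable states onto one or two processes and generalize the projection into a universally quantified candidate, then discharge the premises of the INV rule on small instances. The following is an added example, not code from either paper, that runs that recipe on a toy lock-based mutual exclusion protocol (an assumption of this example, not the cache protocol the papers use). Names such as `project`, `generalize`, `check_inductive` and `invisible_invariant` are chosen here; the instance sizes checked (1 to 4) are also an assumption, where the papers' small model theorem would supply the actual bound. It also shows the "necessarily incomplete" part: the candidate computed from a two-process instance is too weak and fails the step premise at N = 3, while the one computed from three processes is inductive and implies mutual exclusion.

```python
"""Added example: project & generalize on a toy lock-based mutual exclusion protocol.

The protocol (an assumption of this example, not the cache protocol of the papers)
has N processes, each idle, trying or crit, plus one global lock bit.
"""
from itertools import product

IDLE, TRYING, CRIT = "idle", "trying", "crit"
LOCAL = (IDLE, TRYING, CRIT)


def initial(n):
    """Initial state of the N-process instance: everyone idle, lock free."""
    return ((IDLE,) * n, False)


def successors(state):
    """Interleaving semantics: exactly one process moves per step."""
    locs, lock = state
    out = []
    for i, s in enumerate(locs):
        if s == IDLE:                       # idle -> trying, unconditionally
            out.append((locs[:i] + (TRYING,) + locs[i + 1:], lock))
        elif s == TRYING and not lock:      # trying -> crit, take the lock
            out.append((locs[:i] + (CRIT,) + locs[i + 1:], True))
        elif s == CRIT:                     # crit -> idle, release the lock
            out.append((locs[:i] + (IDLE,) + locs[i + 1:], False))
    return out


def reachable(n):
    """Explicit-state reachability for the small instance N = n (the papers use BDDs)."""
    init = initial(n)
    seen, frontier = {init}, [init]
    while frontier:
        for t in successors(frontier.pop()):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def mutex(state):
    """Safety property: at most one process in its critical section."""
    return sum(1 for s in state[0] if s == CRIT) <= 1


def project(states):
    """Project: record what each ordered pair of distinct processes plus the lock look like."""
    proj = set()
    for locs, lock in states:
        n = len(locs)
        proj.update((locs[i], locs[j], lock) for i in range(n) for j in range(n) if i != j)
    return frozenset(proj)


def generalize(proj):
    """Generalize: the candidate  forall i != j . (s[i], s[j], lock) in proj,
    which is meaningful on an instance of any size N."""
    def phi(state):
        locs, lock = state
        n = len(locs)
        return all((locs[i], locs[j], lock) in proj
                   for i in range(n) for j in range(n) if i != j)
    return phi


def check_inductive(phi, n, prop):
    """Discharge the three INV premises on instance size n by brute force:
    init -> phi, phi /\\ step -> phi', phi -> prop.  Returns (ok, failing premise)."""
    if not phi(initial(n)):
        return False, "init"
    for locs in product(LOCAL, repeat=n):
        for lock in (False, True):
            s = (locs, lock)
            if not phi(s):
                continue
            if not prop(s):
                return False, "prop"
            if not all(phi(t) for t in successors(s)):
                return False, "step"
    return True, "ok"


def invisible_invariant(n0, sizes, prop=mutex):
    """Compute the candidate from instance n0 and check it on every size in `sizes`.
    The small model theorem says which sizes suffice; the sizes used here are an
    assumption of the example."""
    phi = generalize(project(reachable(n0)))
    return {n: check_inductive(phi, n, prop) for n in sizes}


if __name__ == "__main__":
    # Candidate from N0 = 2 is too weak: it is not inductive at N = 3.
    print("N0=2:", invisible_invariant(2, range(1, 5)))
    # Candidate from N0 = 3 is inductive for N = 1..4 and implies mutex.
    print("N0=3:", invisible_invariant(3, range(1, 5)))
```

The user never reads the candidate: `generalize` hands it straight to `check_inductive`, which is the sense in which it is "invisible". The failure from `N0 = 2` shows why the method is sound but incomplete: a projection of too small an instance can omit pair configurations (here, two non-critical processes while the lock is held by a third) that larger instances do reach, and the only recourse is a larger `N0`.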
Equational abstractions, LNCS, 2003
Cited by 42 (14 self)
Abstraction reduces the problem of whether an infinite-state system satisfies version. The most common abstractions are quotients of the original system. We present a simple method of defining quotient abstractions by means of equations collapsing the set of states. Our method yields the minimal quotient system together with a set of proof obligations that guarantee its executability and can be discharged with tools such as those in the Maude formal environment.
Symbolic Reachability Analysis Using Narrowing and its Application to Verification of Cryptographic Protocols, Journal of Higher-Order and Symbolic Computation, 2004
Cited by 34 (12 self)
Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory R. We show that narrowing is sound and weakly complete (i.e., complete for normalized solutions) under reasonable executability assumptions about R. We also show that in general narrowing is not strongly complete, that is, not complete when some solutions can be further rewritten by R. We then identify several large classes of rewrite theories, covering many practical applications, for which narrowing is strongly complete. Finally, we illustrate an application of narrowing to the analysis of cryptographic protocols.
Symbolic Model Checking of Infinite-State Systems Using Narrowing
Cited by 24 (12 self)
Rewriting is a general and expressive way of specifying concurrent systems, where concurrent transitions are axiomatized by rewrite rules. Narrowing is a complete symbolic method for model checking reachability properties. We show that this method can be reinterpreted as a lifting simulation relating the original system and the symbolic system associated with the narrowing transitions. Since the narrowing graph can be infinite, this lifting simulation only gives us a semi-decision procedure for the failure of invariants. However, we propose new methods for folding the narrowing tree that can in practice result in finite systems that symbolically simulate the original system and can be used to algorithmically verify its properties. We also show how both narrowing and folding can be used to symbolically model check systems which, in addition, have state predicates, and therefore correspond to Kripke structures on which ACTL∗ and LTL formulas can be algorithmically verified using such finite symbolic abstractions.
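Both narrowing abstracts above (the 2004 journal paper and this one) treat the same mechanism: a reachability goal t ->* u is solved by unifying non-variable subterms of t with fresh instances of rule left-hand sides, applying the unifier, and searching the resulting symbolic transition graph, which may be infinite. The following is an added example, not code from either paper or from Maude, of a minimal narrowing engine that does exactly that. It assumes syntactic unification only, i.e. an empty equational part E, and a depth bound in place of the folding the paper proposes; all term constructors, rule names and the two rewrite theories (Peano addition, and a symmetric decryption rule of the kind used in protocol analysis) are constructions of this example.

```python
"""Added example: a toy narrowing engine solving reachability goals in a rewrite theory.

Terms: a variable is a capitalised string ("X"); a constructor application is a
tuple (name, arg1, ...); a constant is a 1-tuple ("0",).  Unification is purely
syntactic, i.e. the equational part E is empty (an assumption of this example).
"""
import itertools


def is_var(t):
    return isinstance(t, str)


def subst(s, t):
    """Apply a triangular substitution: bindings may refer to other bound variables."""
    if is_var(t):
        return subst(s, s[t]) if t in s else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])


def occurs(v, t):
    return t == v if is_var(t) else any(occurs(v, a) for a in t[1:])


def unify(a, b, s=None):
    """Most general unifier of a and b extending s, or None (with occurs check)."""
    s = dict(s or {})
    stack = [(a, b)]
    while stack:
        x, y = stack.pop()
        x, y = subst(s, x), subst(s, y)
        if x == y:
            continue
        if is_var(x) or is_var(y):
            v, t = (x, y) if is_var(x) else (y, x)
            if occurs(v, t):
                return None
            s[v] = t
        elif x[0] == y[0] and len(x) == len(y):
            stack.extend(zip(x[1:], y[1:]))
        else:
            return None
    return s


def variables(t, acc=None):
    acc = set() if acc is None else acc
    if is_var(t):
        acc.add(t)
    else:
        for a in t[1:]:
            variables(a, acc)
    return acc


_fresh = itertools.count()


def rename(rule):
    """Fresh copy of a rule lhs -> rhs so its variables never clash with the goal's."""
    lhs, rhs = rule
    k = next(_fresh)
    s = {v: f"{v}_{k}" for v in variables(lhs) | variables(rhs)}
    return subst(s, lhs), subst(s, rhs)


def narrow(term, s, rules):
    """One narrowing step: every (term', s') with s' = mgu(term|p, lhs) extending s, for a
    non-variable position p and a fresh rule lhs -> rhs, and term' = s'(term[rhs]_p)."""
    out = []

    def walk(sub, rebuild):
        if is_var(sub):             # narrowing never rewrites at variable positions
            return
        for rule in rules:
            lhs, rhs = rename(rule)
            s2 = unify(sub, lhs, s)
            if s2 is not None:
                out.append((subst(s2, rebuild(rhs)), s2))
        for i in range(1, len(sub)):
            walk(sub[i], lambda x, i=i, sub=sub, rb=rebuild: rb(sub[:i] + (x,) + sub[i + 1:]))

    walk(term, lambda x: x)
    return out


def solve(start, target, rules, max_depth=6):
    """Breadth-first narrowing search for sigma with sigma(start) ->* sigma(target).
    The narrowing tree may be infinite, so the search is depth-bounded (a semi-decision
    procedure, as the abstract says)."""
    goal_vars = sorted(variables(start) | variables(target))
    solutions, frontier = [], [(start, {})]
    for _ in range(max_depth + 1):
        nxt = []
        for term, s in frontier:
            m = unify(term, target, s)
            if m is not None:
                solutions.append({v: subst(m, v) for v in goal_vars})
            nxt.extend(narrow(term, s, rules))
        frontier = nxt
    return solutions


# Theory 1 (constructed): Peano addition.  Goal: which A, B give plus(A, B) ->* s(s(0))?
ZERO = ("0",)
def S(x): return ("s", x)
def PLUS(a, b): return ("plus", a, b)
PEANO = [(PLUS(ZERO, "Y"), "Y"), (PLUS(S("X"), "Y"), S(PLUS("X", "Y")))]

# Theory 2 (constructed): symmetric decryption, the shape of rule used in protocol analysis.
# Goal: for which KEY does dec(enc(secret, k), KEY) reach the plaintext?
SECRET, K = ("secret",), ("k",)
def ENC(m, k): return ("enc", m, k)
def DEC(c, k): return ("dec", c, k)
CRYPTO = [(DEC(ENC("M", "K"), "K"), "M")]


def peano_solutions():
    return solve(PLUS("A", "B"), S(S(ZERO)), PEANO, max_depth=5)


def key_solutions():
    return solve(DEC(ENC(SECRET, K), "KEY"), SECRET, CRYPTO, max_depth=3)
```

`peano_solutions()` returns the three substitutions A = 0, B = s(s(0)); A = s(0), B = s(0); A = s(s(0)), B = 0, and `key_solutions()` returns the single answer KEY = k, which is the protocol-analysis reading of a reachability goal: the search enumerates the instantiations of the unknown (here the key an adversary would need) under which the target term becomes reachable. The non-linear left-hand side of the decryption rule (K occurs twice) is what forces the key to match, and syntactic unification handles it; narrowing modulo equations such as associativity-commutativity, which the paper needs for realistic protocol algebras, is not implemented here.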
Liveness with Invisible Ranking, Software Tools for Technology Transfer, 2006
Cited by 20 (7 self)
The method of Invisible Invariants was developed originally in order to verify safety properties of parameterized systems in a fully automatic manner. The method is based on (1) a project&generalize heuristic to generate auxiliary constructs for parameterized systems, and (2) a small model theorem implying that it is sufficient to check the validity of logical assertions of a certain syntactic form on small instantiations of a parameterized system. The approach can be generalized to any deductive proof rule that (1) requires auxiliary constructs that can be generated by project&generalize, and (2) whose premises, when using those constructs, are of the form covered by the small model theorem. The method of invisible ranking, presented here, generalizes the approach to liveness properties of parameterized systems. Starting with a proof rule and cases where the method can be applied almost "as is," the paper progresses to develop deductive proof rules for liveness and to extend the small model theorem to cover many intricate families of parameterized systems.
Analysing randomized distributed algorithms, Validation of Stochastic Systems, 2004
Cited by 13 (2 self)
Randomization is of paramount importance in practical applications, and randomized algorithms are used widely, for example in coordinating distributed computer networks, message routing and cache management. The appeal of randomized algorithms is their simplicity and elegance. However, this comes at a cost: the analysis of such systems becomes very complex, particularly in the context of distributed computation. This arises through the interplay between probability and nondeterminism. Proving a randomized distributed algorithm correct usually involves two levels: classical, assertion-based reasoning, and a probabilistic analysis based on a suitable probability space on computations. In this paper we describe a number of approaches which allow us to verify the correctness of randomized distributed algorithms.
Symmetry and completeness in the analysis of parameterized systems, VMCAI 2007, LNCS, 2007
Cited by 11 (3 self)
Parameterized systems (e.g., network protocols) are compositions of a number of isomorphic, finite-state processes. While correctness is decidable for any fixed-size instance, correctness over all instances is undecidable in general. Typical proof methods, such as those based on process invariants or cutoffs, rely on summarizing the behavior of a parameterized system by a finite-state process. While these methods have been applied successfully to particular protocols, it is unknown whether such summarization is always possible. In this paper, it is shown that, after essential modifications, the cutoff method (which has the most stringent requirements) is complete for safety properties. The proof also shows that cutoff proofs are equivalent to determining inductive invariants. The paper studies this question next, presenting a new algorithm to construct universally quantified inductive invariants. The algorithm computes the strongest invariant of a given shape, and is therefore complete. The key to this result is a previously unnoticed connection between inductiveness, small model theorems, and compositional analysis, which is interesting in its own right.