Exact and efficient verification of parameterized cache coherence protocols
Correct Hardware Design and Verification Methods (CHARME ’03), LNCS 2860, 2003
Cited by 32 (0 self)
We propose new, tractably (in some cases provably) efficient algorithmic methods for exact (sound and complete) parameterized reasoning about cache coherence protocols. For reasoning about general snoopy cache protocols, history graph construction can be used to reason about safety properties for this framework. Although the worst case size of the abstract history graph can be exponential in the size of the transition diagram of the given protocol, the actual size is small for standard cache protocols, as is evidenced by our experimental results. The framework can handle all 8 of the cache protocols in [19] as well as their split-transaction versions. We next identify a framework called initialized broadcast protocols suitable for reasoning about invalidation-based snoopy cache protocols and show how to reduce reasoning about such systems with an arbitrary number of caches to a system with at most 7 caches. This yields a provably polynomial time algorithm for the parameterized verification of invalidation-based snoopy protocols. Our results apply to both safety and liveness properties. Finally, we present a methodology for reducing parameterized reasoning about directory-based protocols to snoopy protocols, thus leveraging techniques developed for verifying snoopy protocols to directory-based ones, which are typically much harder to reason about. We demonstrate by reducing reasoning about a directory-based protocol suggested by German [17] to the ESI snoopy protocol, a modification of the MSI snoopy protocol.
Verification by network decomposition
In 15th CONCUR, LNCS 3170, 2004
Cited by 16 (2 self)
We describe a new method to verify networks of homogeneous processes which communicate by token passing. Given an arbitrary network graph and an indexed LTL\X property, we show how to decompose the network graph into multiple constant size networks, thereby reducing one model checking call on a large network to several calls on small networks. We thus obtain cutoffs for arbitrary classes of networks, adding to previous work by Emerson and Namjoshi on the ring topology. Our results on LTL\X are complemented by a negative result which precludes the existence of reductions for CTL\X on general networks.
Regular Model Checking
2000
Cited by 12 (0 self)
We present regular model checking, a framework for algorithmic verification of infinite-state systems with, e.g., queues, stacks, integers, or a parameterized linear topology. States are represented by strings over a finite alphabet and the transition relation by a regular length-preserving relation on strings. Both sets of states and the transition relation are represented by regular sets. Major problems in the verification of parameterized and infinite-state systems are to compute the set of states that are reachable from some set of initial states, and to compute the transitive closure of the transition relation. We present an automata-theoretic construction for computing a non-finite composition of regular relations, e.g., the transitive closure of a relation. The method is incomplete in general, but we give sufficient conditions under which it works. We show how to reduce model checking of ω-regular properties of parameterized systems into a non-finite composition of regular relations. We also report on an implementation of regular model checking, based on a new package for nondeterministic finite automata.
Parameterized Model Checking of Ring-based Message Passing Systems
In Proc. of CS’04, volume 3210 of LNCS, 2004
Cited by 10 (0 self)
The Parameterized Model Checking Problem (PMCP) is to decide whether a temporal property holds for a uniform family of systems comprised of finite, but arbitrarily many, copies of a template process. Unfortunately, it is undecidable in general [3]. In this paper, we consider the PMCP for systems comprised of processes arranged in a ring that communicate by passing messages via tokens whose values can be updated at most a bounded number of times. Correctness properties are expressed using the stuttering-insensitive linear time logic LTL\X. For bidirectional rings we show how to reduce reasoning about rings with an arbitrary number of processes to rings with up to a certain finite cutoff number of processes. This immediately yields decidability of the PMCP at hand. We go on to show that for unidirectional rings small cutoffs can be achieved, making the decision procedure provably efficient. As example applications, we consider protocols for the leader election problem.
Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size
Cited by 10 (4 self)
The security of systems such as operating systems, hypervisors, and web browsers depends critically on reference monitors to correctly enforce their desired security policy in the presence of adversaries. Recent progress in developing reference monitors with small code size and narrow interfaces has made automated formal verification of reference monitors a more tractable goal. However, a significant remaining factor for the complexity of automated verification is the size of the data structures (e.g., access control matrices) over which the programs operate. This paper develops a parametric verification technique that scales even when reference monitors and adversaries operate over unbounded, but finite data structures. Specifically, we develop a parametric guarded command language for modeling reference monitors and adversaries. We also present a parametric temporal specification logic for expressing security policies that the monitor is expected to enforce. The central technical results of the paper are a set of small model theorems. These theorems state that in order to verify that a policy is enforced by a reference monitor with an arbitrarily large data structure, it is sufficient to model check the monitor with just one entry in its data structure. We apply our methodology to verify the designs of two hypervisors, SecVisor and the sHype mandatory-access-control extension to Xen. Our approach is able to prove that sHype and a variant of the original SecVisor design correctly enforce the expected security properties in the presence of powerful adversaries.
Empirically efficient verification for a class of infinite-state systems
In TACAS’05, volume 3440 of LNCS, 2005
Cited by 6 (1 self)
Well-structured transition systems (WSTS) are a broad and well-studied class of infinite-state systems, for which the problem of verifying the reachability of an upward-closed set of error states is decidable (subject to some technicalities). Recently, Bingham proposed a new algorithm for this problem, but applicable only to the special cases of broadcast protocols and Petri nets. The algorithm exploits finite-state symbolic model checking and was shown to outperform the classical WSTS verification algorithm on a contrived example family of Petri nets. In this work, we generalize the earlier results to handle a larger class of WSTS, which we dub nicely sliceable, that includes broadcast protocols, Petri nets, context-free grammars, and lossy channel systems. We also add an optimization to the algorithm that accelerates convergence. In addition, we introduce a new reduction that soundly converts the verification of parameterized systems with unbounded conjunctive guards into a verification problem on nicely sliceable WSTS. The reduction is complete if a certain decidable side condition holds. This allows us to access industrially relevant challenge problems from parameterized memory system verification. Our empirical results show that, although our new method performs worse than the classical approach on small Petri net examples, it performs substantially better on the larger examples based on real, parameterized protocols (e.g., German’s cache coherence protocol, with data paths).
Parametric Verification of Address Space Separation
Cited by 5 (2 self)
The address translation subsystem of operating systems, hypervisors, and virtual machine monitors must correctly enforce address space separation in the presence of adversaries. The size, and hierarchical nesting, of the data structures over which such systems operate raise challenges for automated model checking techniques to be fruitfully applied to them. We address this problem by developing a sound and complete parametric verification technique that achieves the best possible reduction in model size. Our results significantly generalize prior work on this topic, and bring interesting systems within the scope of analysis. We demonstrate the applicability of our approach by modeling shadow paging mechanisms of Xen version 3.0.3 and ShadowVisor, a research hypervisor developed for the x86 platform.
Unbounded System Verification Using Decision Procedures and Predicate Abstraction
2004
Cited by 3 (2 self)
Designs of hardware and software systems have grown in complexity to meet the demand for improved performance. The complexity of the design often manifests itself in the form of subtle and intricate design flaws and bugs. The cost of these errors can be prohibitive and often dictates the lifetime of a product. Most design teams allocate a substantial amount of their resources to testing and verifying a product. Traditional simulation-based testing or verification methods, which exercise the design on a small set of concrete inputs, often fall short of detecting most bugs in a system. Besides, these methods are suitable for finding bugs but cannot guarantee the absence of a bug in the design or the model. Formal verification based methods can ensure that a property holds for all the possible states of the system. Model checking is an approach that has been successful in verifying systems of commercial complexity or in detecting bugs that are hard to find using traditional simulation. The approach is based on systematically traversing the state space of a system and checking a property at each state. However, model checking cannot be directly applied to systems that have a very large or unbounded state space. Examples of such systems include microprocessors with large buffer sizes and memories, parameterized cache-coherence and communication protocols, and distributed mutual exclusion algorithms. Most previous works have either used general purpose theorem provers with considerable manual guidance or techniques specific to a particular class of systems that often exclude the realistic systems discussed above. The lack of automation or the restrictions on the systems that can
Abstraction of parallel uniform processes with data
In Proc. SEFM'04, 2004
Cited by 2 (0 self)
In practice, distributed systems are quite often composed of an arbitrarily large but finite number of processes that execute a similar program. Abstract interpretation is an effective technique to fight state explosion problems. In this paper, we propose a general framework for abstracting parallel composition of uniform processes with data, in the setting of the process algebraic language μCRL. We illustrate the feasibility of this technique by proposing two instances of the general framework and applying them to the verification of two systems.
Model Checking of Control-User Component-Based Parametrised Systems
Cited by 1 (1 self)
Many real component-based systems, so-called Control-User systems, are composed of a stable part (control component) and a number of dynamic components of the same type (user components). Models of these systems are parametrised by the number of user components and thus potentially infinite. Model checking techniques can be used to verify only specific instances of the systems. This paper presents an algorithmic technique for verification of safety interaction properties of Control-User systems. The core of our verification method is a computation of a cutoff. If the system is proved to be correct for every number of user components lower than the cutoff, then it is correct for any number of users. We present an on-the-fly model checking algorithm which integrates computation of a cutoff with the verification itself. Symmetry reduction can be applied during the verification to tackle the state explosion of the model. Applying the algorithm, we verify models of several previously published component-based systems.