Pub Date : 2008-11-25DOI: 10.1109/FMCAD.2008.ECP.5
D. Hardin
In this tutorial, we will examine issues in the design and verification of microprocessors for safety-critical and security-critical applications. We will consider architectural and design alternatives to support high-assurance applications, and will describe techniques to improve secure system evaluation-measured in terms of completeness, human effort required, time, and cost-through the use of highly automated formal methods. We will describe practical techniques for creating executable formal computing platform models that can both be proved correct, and also function as high-speed simulators. This allows us to both verify the correctness of the models, as well as validate that the formalizations accurately model what was actually designed and built. As a case study, we will examine the design and verification of the Rockwell Collins AAMP7G microprocessor. The AAMP7G, currently in use in Rockwell Collins high-assurance system products, supports strict time and space partitioning in hardware, and has received an NSA MILS (Multiple Independent Levels of Security) certificate based in part on proofs of correctness. We will discuss the AAMP7G verification effort, focusing on the proof architecture that enabled us to show that the AAMP7G separation kernel microcode implements a particular security specification, using the ACL2 theorem prover.
{"title":"Invited Tutorial: Considerations in the Design and Verification of Microprocessors for Safety-Critical and Security-Critical Applications","authors":"D. Hardin","doi":"10.1109/FMCAD.2008.ECP.5","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.5","url":null,"abstract":"In this tutorial, we will examine issues in the design and verification of microprocessors for safety-critical and security-critical applications. We will consider architectural and design alternatives to support high-assurance applications, and will describe techniques to improve secure system evaluation-measured in terms of completeness, human effort required, time, and cost-through the use of highly automated formal methods. We will describe practical techniques for creating executable formal computing platform models that can both be proved correct, and also function as high-speed simulators. This allows us to both verify the correctness of the models, as well as validate that the formalizations accurately model what was actually designed and built. As a case study, we will examine the design and verification of the Rockwell Collins AAMP7G microprocessor. The AAMP7G, currently in use in Rockwell Collins high-assurance system products, supports strict time and space partitioning in hardware, and has received an NSA MILS (Multiple Independent Levels of Security) certificate based in part on proofs of correctness. We will discuss the AAMP7G verification effort, focusing on the proof architecture that enabled us to show that the AAMP7G separation kernel microcode implements a particular security specification, using the ACL2 theorem prover.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"14 15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124739536","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-25DOI: 10.1109/FMCAD.2008.ECP.13
Lei Bu, You Li, Linzhang Wang, Xuandong Li
Hybrid automata are well studied formal models for hybrid systems with both discrete and continuous state changes. However, the analysis of hybrid automata is quite difficult. Even for the simple class of linear hybrid automata, the reachability problem is undecidable. In the author's previous work, for linear hybrid automata we proposed a linear programming based approach to check one path at a time while the length of the path and the size of the automaton being checked can be large enough to handle problems of practical interest. Based on this approach, in this paper we present a prototype tool BACH to perform bounded reachability checking of linear hybrid automata. The experiment data shows that BACH has good performance and scalability, and supports our belief that BACH could become a powerful assistant to design engineers for the reachability analysis of linear hybrid automata.
{"title":"BACH : Bounded ReAchability CHecker for Linear Hybrid Automata","authors":"Lei Bu, You Li, Linzhang Wang, Xuandong Li","doi":"10.1109/FMCAD.2008.ECP.13","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.13","url":null,"abstract":"Hybrid automata are well studied formal models for hybrid systems with both discrete and continuous state changes. However, the analysis of hybrid automata is quite difficult. Even for the simple class of linear hybrid automata, the reachability problem is undecidable. In the author's previous work, for linear hybrid automata we proposed a linear programming based approach to check one path at a time while the length of the path and the size of the automaton being checked can be large enough to handle problems of practical interest. Based on this approach, in this paper we present a prototype tool BACH to perform bounded reachability checking of linear hybrid automata. The experiment data shows that BACH has good performance and scalability, and supports our belief that BACH could become a powerful assistant to design engineers for the reachability analysis of linear hybrid automata.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116967777","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.18
Miquel Bofill, R. Nieuwenhuis, Albert Oliveras, Enric Rodríguez-carbonell, A. Rubio
The extensional theory of arrays is one of the most important ones for applications of SAT modulo theories (SMT) to hardware and software verification. Here we present a new T-solver for arrays in the context of the DPLL(T) approach to SMT. The main characteristics of our solver are: (i) no translation of writes into reads is needed, (ii) there is no axiom instantiation, and (iii) the T-solver interacts with the Boolean engine by asking to split on equality literals between indices. Unlike most state-of-the-art array solvers, it is not based on a lazy instantiation of the array axioms. This novelty might make it more convenient to apply this solver in some particular environments. Moreover, it is very competitive in practice, specially on problems that require heavy reasoning on array literals.
阵列的可拓理论是将SAT模理论应用于硬件和软件验证的重要理论之一。在这里,我们提出了一种新的T-求解器,用于阵列的DPLL(T)方法的SMT。我们的求解器的主要特点是:(i)不需要将写转换为读,(ii)没有公理实例化,以及(iii) t -求解器通过要求在索引之间拆分相等字面量来与布尔引擎交互。与大多数最先进的数组求解器不同,它不是基于数组公理的惰性实例化。这种新颖性可能会使在某些特定环境中应用该求解器更加方便。此外,它在实践中非常有竞争力,特别是在需要对数组字面量进行大量推理的问题上。
{"title":"A Write-Based Solver for SAT Modulo the Theory of Arrays","authors":"Miquel Bofill, R. Nieuwenhuis, Albert Oliveras, Enric Rodríguez-carbonell, A. Rubio","doi":"10.1109/FMCAD.2008.ECP.18","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.18","url":null,"abstract":"The extensional theory of arrays is one of the most important ones for applications of SAT modulo theories (SMT) to hardware and software verification. Here we present a new T-solver for arrays in the context of the DPLL(T) approach to SMT. The main characteristics of our solver are: (i) no translation of writes into reads is needed, (ii) there is no axiom instantiation, and (iii) the T-solver interacts with the Boolean engine by asking to split on equality literals between indices. Unlike most state-of-the-art array solvers, it is not based on a lazy instantiation of the array axioms. This novelty might make it more convenient to apply this solver in some particular environments. Moreover, it is very competitive in practice, specially on problems that require heavy reasoning on array literals.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121818041","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.23
Nishant Sinha
Symbolic execution by James C. King (1976) is a popular program verification technique, where the program inputs are initialized to unknown symbolic values, and then propagated along program paths with the help of decision procedures. This technique has two main bottlenecks: (a) the number of program execution paths to be explored may be exponential, and, (b) the state representation (map from variables to terms) may blow-up. We propose a new program verification technique that addresses the problems by (a) performing a work list based analysis that handles join points, and (b) simplifying the intermediate state representation by using term rewriting. In addition, our technique tries to compact expressions generated during analysis of program loops by using a term generalization technique based on anti-unification. We have implemented the proposed method in the F-SOFT verification framework using the Maude term rewriting engine. Preliminary experiments show that the proposed method is effective in improving verification times on real-life benchmarks.
James C. King(1976)的符号执行是一种流行的程序验证技术,其中程序输入被初始化为未知的符号值,然后在决策过程的帮助下沿着程序路径传播。这种技术有两个主要瓶颈:(a)要探索的程序执行路径的数量可能是指数级的,(b)状态表示(从变量到项的映射)可能会爆炸。我们提出了一种新的程序验证技术,通过(a)执行基于工作列表的分析来处理连接点,以及(b)通过使用术语重写来简化中间状态表示来解决这些问题。此外,我们的技术尝试使用基于反统一的术语泛化技术来压缩程序循环分析过程中生成的表达式。我们使用Maude术语重写引擎在F-SOFT验证框架中实现了所提出的方法。初步实验表明,该方法可以有效地提高实际基准测试的验证时间。
{"title":"Symbolic Program Analysis Using Term Rewriting and Generalization","authors":"Nishant Sinha","doi":"10.1109/FMCAD.2008.ECP.23","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.23","url":null,"abstract":"Symbolic execution by James C. King (1976) is a popular program verification technique, where the program inputs are initialized to unknown symbolic values, and then propagated along program paths with the help of decision procedures. This technique has two main bottlenecks: (a) the number of program execution paths to be explored may be exponential, and, (b) the state representation (map from variables to terms) may blow-up. We propose a new program verification technique that addresses the problems by (a) performing a work list based analysis that handles join points, and (b) simplifying the intermediate state representation by using term rewriting. In addition, our technique tries to compact expressions generated during analysis of program loops by using a term generalization technique based on anti-unification. We have implemented the proposed method in the F-SOFT verification framework using the Maude term rewriting engine. Preliminary experiments show that the proposed method is effective in improving verification times on real-life benchmarks.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126358926","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.14
Muralidhar Talupur, M. Tuttle
A message flow is a sequence of messages sent among processors during the execution of a protocol, usually illustrated with something like a message sequence chart. Protocol designers use message flows to describe and reason about their protocols. We show how to derive high-quality invariants from message flows and use these invariants to accelerate a state-of-the-art method for parameterized protocol verification called the CMP method. The CMP method works by iteratively strengthening and abstracting a protocol. The labor-intensive portion of the method is finding the protocol invariants needed for each iteration. We provide a new analysis of the CMP method proving it works with any sound abstraction procedure. This facilitates the use of a new abstraction procedure tailored to our protocol invariants in the CMP method. Our experience is that message-flow derived invariants get to the heart of protocol correctness in the sense that only couple of additional invariants are needed for the CMP method to converge.
{"title":"Going with the Flow: Parameterized Verification Using Message Flows","authors":"Muralidhar Talupur, M. Tuttle","doi":"10.1109/FMCAD.2008.ECP.14","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.14","url":null,"abstract":"A message flow is a sequence of messages sent among processors during the execution of a protocol, usually illustrated with something like a message sequence chart. Protocol designers use message flows to describe and reason about their protocols. We show how to derive high-quality invariants from message flows and use these invariants to accelerate a state-of-the-art method for parameterized protocol verification called the CMP method. The CMP method works by iteratively strengthening and abstracting a protocol. The labor-intensive portion of the method is finding the protocol invariants needed for each iteration. We provide a new analysis of the CMP method proving it works with any sound abstraction procedure. This facilitates the use of a new abstraction procedure tailored to our protocol invariants in the CMP method. Our experience is that message-flow derived invariants get to the heart of protocol correctness in the sense that only couple of additional invariants are needed for the CMP method to converge.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"104 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128188559","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.9
F. M. D. Paula, Marcel Gort, A. Hu, S. Wilton, Jin Yang
Post-silicon debug is the problem of determining what's wrong when the fabricated chip of a new design behaves incorrectly. This problem now consumes over half of the overall verification effort on large designs, and the problem is growing worse. We introduce a new paradigm for using formal analysis, augmented with some on-chip hardware support, to automatically compute error traces that lead to an observed buggy state, thereby greatly simplifying the post-silicon debug problem. Our preliminary simulation experiments demonstrate the potential of our approach: we can "backspace" hundreds of cycles from randomly selected states of some sample designs. Our preliminary architectural studies propose some possible implementations and show that the on-chip overhead can be reasonable. We conclude by surveying future research directions.
{"title":"BackSpace: Formal Analysis for Post-Silicon Debug","authors":"F. M. D. Paula, Marcel Gort, A. Hu, S. Wilton, Jin Yang","doi":"10.1109/FMCAD.2008.ECP.9","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.9","url":null,"abstract":"Post-silicon debug is the problem of determining what's wrong when the fabricated chip of a new design behaves incorrectly. This problem now consumes over half of the overall verification effort on large designs, and the problem is growing worse. We introduce a new paradigm for using formal analysis, augmented with some on-chip hardware support, to automatically compute error traces that lead to an observed buggy state, thereby greatly simplifying the post-silicon debug problem. Our preliminary simulation experiments demonstrate the potential of our approach: we can \"backspace\" hundreds of cycles from randomly selected states of some sample designs. Our preliminary architectural studies propose some possible implementations and show that the on-chip overhead can be reasonable. We conclude by surveying future research directions.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"19 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121607991","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.7
J. Baumgartner, Hari Mony, A. Aziz
We consider the problem of optimal netlist simplification in the presence of constraints. Because constraints restrict the reachable states of a netlist, they may enhance logic minimization techniques such as redundant gate elimination which generally benefit from unreachability invariants. However, optimizing the logic appearing in a constraint definition may weaken its state-restriction capability, hence prior solutions have resorted to suboptimally neglecting certain valid optimization opportunities. We develop the theoretical foundation, and corresponding efficient implementation, to enable the optimal simplification of netlists with constraints. Experiments confirm that our techniques enable a significantly greater degree of redundant gate elimination than prior approaches (often greater than 2x), which has been key to the automated solution of various difficult verification problems.
{"title":"Optimal Constraint-Preserving Netlist Simplification","authors":"J. Baumgartner, Hari Mony, A. Aziz","doi":"10.1109/FMCAD.2008.ECP.7","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.7","url":null,"abstract":"We consider the problem of optimal netlist simplification in the presence of constraints. Because constraints restrict the reachable states of a netlist, they may enhance logic minimization techniques such as redundant gate elimination which generally benefit from unreachability invariants. However, optimizing the logic appearing in a constraint definition may weaken its state-restriction capability, hence prior solutions have resorted to suboptimally neglecting certain valid optimization opportunities. We develop the theoretical foundation, and corresponding efficient implementation, to enable the optimal simplification of netlists with constraints. Experiments confirm that our techniques enable a significantly greater degree of redundant gate elimination than prior approaches (often greater than 2x), which has been key to the automated solution of various difficult verification problems.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121365779","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.22
P. Böhm, T. Melham
Modern computer systems rely more and more on on-chip communication protocols to exchange data. To meet performance requirements these protocols have become highly complex, which usually makes their formal verification infeasible with reasonable time and effort. We present a new refinement approach to on-chip communication protocols that combines design and verification together, interleaving them hand-in-hand. Our modeling framework consists of design steps and design transformations formalized as finite state machines. Given a verified design step, transformations are used to extend the system with advanced features. A design transformation ensures that the extended design is correct if the previous system is correct. This approach is illustrated by an arbiter-based master-slave communication system inspired by the AMBA high-performance bus architecture. Starting with a sequential protocol design, it is extended with pipelining and burst transfers. Transformations are generated from design constraints providing a basis for correctness-by-design of the derived system.
{"title":"A Refinement Approach to Design and Verification of On-Chip Communication Protocols","authors":"P. Böhm, T. Melham","doi":"10.1109/FMCAD.2008.ECP.22","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.22","url":null,"abstract":"Modern computer systems rely more and more on on-chip communication protocols to exchange data. To meet performance requirements these protocols have become highly complex, which usually makes their formal verification infeasible with reasonable time and effort. We present a new refinement approach to on-chip communication protocols that combines design and verification together, interleaving them hand-in-hand. Our modeling framework consists of design steps and design transformations formalized as finite state machines. Given a verified design step, transformations are used to extend the system with advanced features. A design transformation ensures that the extended design is correct if the previous system is correct. This approach is illustrated by an arbiter-based master-slave communication system inspired by the AMBA high-performance bus architecture. Starting with a sequential protocol design, it is extended with pipelining and burst transfers. Transformations are generated from design constraints providing a basis for correctness-by-design of the derived system.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130975482","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.11
Chao Yan, M. Greenstreet
This paper presents the verification of an asynchronous arbiter modeled at the circuit level with non-linear ordinary differential equations. We use Brockett's annulus to represent the allowed families of continuous waveforms for input and output signals and show that the metastability filter of the arbiter can be understood as a "Brockett annulus transformer." Improvements to the Coho verification tool are described that reduce the over approximation errors when working with non- convex reachable regions. The verification shows that the arbiter observes a four-phase handshake protocol with its clients and maintains mutual exclusion. We also show several liveness properties including bounded time response to uncontested requests and that grants are issued fairly.
{"title":"Verifying an Arbiter Circuit","authors":"Chao Yan, M. Greenstreet","doi":"10.1109/FMCAD.2008.ECP.11","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.11","url":null,"abstract":"This paper presents the verification of an asynchronous arbiter modeled at the circuit level with non-linear ordinary differential equations. We use Brockett's annulus to represent the allowed families of continuous waveforms for input and output signals and show that the metastability filter of the arbiter can be understood as a \"Brockett annulus transformer.\" Improvements to the Coho verification tool are described that reduce the over approximation errors when working with non- convex reachable regions. The verification shows that the arbiter observes a four-phase handshake protocol with its clients and maintains mutual exclusion. We also show several liveness properties including bounded time response to uncontested requests and that grants are issued fairly.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134478426","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2008-11-17DOI: 10.1109/FMCAD.2008.ECP.15
Jesse D. Bingham
Parameterized model checking refers to any method that extends traditional, finite-state model checking to handle systems with an arbitrary number of processes. One popular approach to this problem uses abstraction and so-called guard strengthening. Here a small number of processes remain intact, while the rest are abstracted away. This initially causes counter-examples, but the user can write non-interference lemmas, which eliminate spurious behavior by the abstracted processes. The technique is sound in that if the user writes a lemma that is not invariant, the proof will never succeed. Though the non-interference lemmas are typically much simpler than writing a full inductive invariant, there is still a non-trivial amount of human insight needed to analysis counter-examples and concoct the lemmas. In our work, we show how the process of inferring appropriate non-interference lemmas can be automated. Our approach is based on a very general theory that simply assumes a Galois connection between the concrete and abstract systems. Effectively, we start with the non-interference conjecture false, and iteratively weaken it until it is provable using the Galois connection. This produces the strongest non-interference lemma provable in the Galois connection. Hence, if the approach fails to prove the property, then no human lemma would help, since it is the strongest possible lemma. We instantiate this theory to a class of symmetric parameterized systems, and show how BDDs can be used to perform all involved computations. We also show how BDD-blow up that can arise when concretizing can be mitigated by using a sound over-approximation. We successfully applied the resulting tool to three parameterized verification benchmarks: the GERMAN protocol with data path, the GERMAN2004 protocol, and the FLASH protocol. To our knowledge, this is the first time automatic parameterized model checking has been done on GERMAN2004.
{"title":"Automatic Non-Interference Lemmas for Parameterized Model Checking","authors":"Jesse D. Bingham","doi":"10.1109/FMCAD.2008.ECP.15","DOIUrl":"https://doi.org/10.1109/FMCAD.2008.ECP.15","url":null,"abstract":"Parameterized model checking refers to any method that extends traditional, finite-state model checking to handle systems with an arbitrary number of processes. One popular approach to this problem uses abstraction and so-called guard strengthening. Here a small number of processes remain intact, while the rest are abstracted away. This initially causes counter-examples, but the user can write non-interference lemmas, which eliminate spurious behavior by the abstracted processes. The technique is sound in that if the user writes a lemma that is not invariant, the proof will never succeed. Though the non-interference lemmas are typically much simpler than writing a full inductive invariant, there is still a non-trivial amount of human insight needed to analysis counter-examples and concoct the lemmas. In our work, we show how the process of inferring appropriate non-interference lemmas can be automated. Our approach is based on a very general theory that simply assumes a Galois connection between the concrete and abstract systems. Effectively, we start with the non-interference conjecture false, and iteratively weaken it until it is provable using the Galois connection. This produces the strongest non-interference lemma provable in the Galois connection. Hence, if the approach fails to prove the property, then no human lemma would help, since it is the strongest possible lemma. We instantiate this theory to a class of symmetric parameterized systems, and show how BDDs can be used to perform all involved computations. We also show how BDD-blow up that can arise when concretizing can be mitigated by using a sound over-approximation. We successfully applied the resulting tool to three parameterized verification benchmarks: the GERMAN protocol with data path, the GERMAN2004 protocol, and the FLASH protocol. To our knowledge, this is the first time automatic parameterized model checking has been done on GERMAN2004.","PeriodicalId":399042,"journal":{"name":"2008 Formal Methods in Computer-Aided Design","volume":"186 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2008-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132033935","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: