Pub Date : 2023-06-23DOI: https://dl.acm.org/doi/10.1145/3571749
Shankara Narayanan Krishna, Khushraj Madnani, Manuel Mazo Jr., Paritosh Pandya
Metric Temporal Logic (MTL) and Timed Propositional Temporal Logic (TPTL) are prominent real-time extensions of Linear Temporal Logic (LTL). In general, the satisfiability checking problem for these extensions is undecidable when both the future (Until, U) and the past (Since, S) modalities are used (denoted by MTL[U,S] and TPTL[U,S]). In a classical result, the satisfiability checking for Metric Interval Temporal Logic (MITL[U,S]), a non-punctual fragment of MTL[U,S], is shown to be decidable with EXPSPACE complete complexity. A straightforward adoption of non-punctuality does not recover decidability in the case of TPTL[U,S]. Hence, we propose a more refined notion called non-adjacency for TPTL[U,S] and focus on its 1-variable fragment, 1-TPTL[U,S]. We show that non-adjacent 1-TPTL[U,S] is strictly more expressive than MITL. As one of our main results, we show that the satisfiability checking problem for non-adjacent 1-TPTL[U,S] is decidable with EXPSPACE complete complexity. Our decidability proof relies on a novel technique of anchored interval word abstraction and its reduction to a non-adjacent version of the newly proposed logic called PnEMTL. We further propose an extension of MSO [<] (Monadic Second Order Logic of Orders) with Guarded Metric Quantifiers (GQMSO) and show that it characterizes the expressiveness of PnEMTL. That apart, we introduce the notion of non-adjacency in the context of GQMSO (NA-GQMSO), which is a syntactic generalization of logic Q2MLO due to Hirshfeld and Rabinovich and show the decidability of satisfiability checking for NA-GQMSO.
{"title":"From Non-punctuality to Non-adjacency: A Quest for Decidability of Timed Temporal Logics with Quantifiers","authors":"Shankara Narayanan Krishna, Khushraj Madnani, Manuel Mazo Jr., Paritosh Pandya","doi":"https://dl.acm.org/doi/10.1145/3571749","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3571749","url":null,"abstract":"<p>Metric Temporal Logic (MTL) and Timed Propositional Temporal Logic (TPTL) are prominent real-time extensions of Linear Temporal Logic (LTL). In general, the satisfiability checking problem for these extensions is undecidable when both the future (Until, U) and the past (Since, S) modalities are used (denoted by MTL[U,S] and TPTL[U,S]). In a classical result, the satisfiability checking for Metric Interval Temporal Logic (MITL[U,S]), a non-punctual fragment of MTL[U,S], is shown to be decidable with EXPSPACE complete complexity. A straightforward adoption of non-punctuality does not recover decidability in the case of TPTL[U,S]. Hence, we propose a more refined notion called <i>non-adjacency</i> for TPTL[U,S] and focus on its 1-variable fragment, 1-TPTL[U,S]. We show that non-adjacent 1-TPTL[U,S] is strictly more expressive than MITL. As one of our main results, we show that the satisfiability checking problem for non-adjacent 1-TPTL[U,S] is decidable with EXPSPACE complete complexity. Our decidability proof relies on a novel technique of anchored interval word abstraction and its reduction to a non-adjacent version of the newly proposed logic called PnEMTL. We further propose an extension of MSO [<] (Monadic Second Order Logic of Orders) with Guarded Metric Quantifiers (GQMSO) and show that it characterizes the expressiveness of PnEMTL. That apart, we introduce the notion of non-adjacency in the context of GQMSO (NA-GQMSO), which is a syntactic generalization of logic Q2MLO due to Hirshfeld and Rabinovich and show the decidability of satisfiability checking for NA-GQMSO.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"40 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517792","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-06-23DOI: https://dl.acm.org/doi/10.1145/3605952
Nicklas S. Johansen, Lasse B. Kær, Andreas L. Madsen, Kristian Ø. Nielsen, Jiří Srba, Rasmus G. Tollund
Modern computer networks based on the software-defined networking (SDN) paradigm are becoming increasingly complex and often require frequent configuration changes in order to react to traffic fluctuations. It is essential that forwarding policies are preserved not only before and after the configuration update but also at any moment during the inherently distributed execution of such an update. We present Kaki, a Petri game based tool for automatic synthesis of switch batches which can be updated in parallel without violating a given (regular) forwarding policy like waypointing or service chaining. Kaki guarantees to find the minimum number of concurrent batches and supports both splittable and nonsplittable flow forwarding. In order to achieve optimal performance, we introduce two novel optimisation techniques based on static analysis: decomposition into independent subproblems and identification of switches that can be collectively updated in the same batch. These techniques considerably improve the performance of our tool Kaki, relying on TAPAAL’s verification engine for Petri games as its backend. Experiments on a large benchmark of real networks from the Internet Topology Zoo database demonstrate that Kaki outperforms the state-of-the-art tools Netstack and FLIP. Kaki computes concurrent update synthesis significantly faster than Netstack and compared to FLIP, it provides shorter (and provably optimal) concurrent update sequences at similar runtimes.
{"title":"Kaki: Efficient Concurrent Update Synthesis for SDN","authors":"Nicklas S. Johansen, Lasse B. Kær, Andreas L. Madsen, Kristian Ø. Nielsen, Jiří Srba, Rasmus G. Tollund","doi":"https://dl.acm.org/doi/10.1145/3605952","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3605952","url":null,"abstract":"<p>Modern computer networks based on the software-defined networking (SDN) paradigm are becoming increasingly complex and often require frequent configuration changes in order to react to traffic fluctuations. It is essential that forwarding policies are preserved not only before and after the configuration update but also at any moment during the inherently distributed execution of such an update. We present Kaki, a Petri game based tool for automatic synthesis of switch batches which can be updated in parallel without violating a given (regular) forwarding policy like waypointing or service chaining. Kaki guarantees to find the minimum number of concurrent batches and supports both splittable and nonsplittable flow forwarding. In order to achieve optimal performance, we introduce two novel optimisation techniques based on static analysis: decomposition into independent subproblems and identification of switches that can be collectively updated in the same batch. These techniques considerably improve the performance of our tool Kaki, relying on TAPAAL’s verification engine for Petri games as its backend. Experiments on a large benchmark of real networks from the Internet Topology Zoo database demonstrate that Kaki outperforms the state-of-the-art tools Netstack and FLIP. Kaki computes concurrent update synthesis significantly faster than Netstack and compared to FLIP, it provides shorter (and provably optimal) concurrent update sequences at similar runtimes.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"12 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517765","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-06-23DOI: https://dl.acm.org/doi/10.1145/3574137
Nicholas Coughlin, Kirsten Winter, Graeme Smith
Rely/guarantee reasoning provides a compositional approach to reasoning about concurrent programs. However, such reasoning traditionally assumes a sequentially consistent memory model and hence is unsound on modern hardware in the presence of data races. In this article, we present a rely/guarantee-based approach for non-multicopy atomic weak memory models, i.e., where a thread’s stores are not simultaneously propagated to all other threads and hence are not observable by other threads at the same time. Such memory models include those of the earlier versions of the ARM processor as well as the POWER processor.
This article builds on our approach to compositional reasoning for multicopy atomic architectures, i.e., where a thread’s stores are simultaneously propagated to all other threads. In that context, an operational semantics can be based on thread-local instruction reordering. We exploit this to provide an efficient compositional proof technique in which weak memory behaviour can be shown to preserve rely/guarantee reasoning on a sequentially consistent memory model. To achieve this, we introduce a side-condition, reordering interference freedom on each thread, reducing the complexity of weak memory to checks over pairs of reorderable instructions.
In this article, we extend our approach to non-multicopy atomic weak memory models. We utilise the idea of reordering interference freedom between parallel components. This by itself would break compositionality but serves as a vehicle to derive a refined compatibility check between rely and guarantee conditions, which takes into account the effects of propagations of stores that are only partial, i.e., not covering all threads. All aspects of our approach have been encoded and proved sound in Isabelle/HOL.
{"title":"Compositional Reasoning for Non-multicopy Atomic Architectures","authors":"Nicholas Coughlin, Kirsten Winter, Graeme Smith","doi":"https://dl.acm.org/doi/10.1145/3574137","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3574137","url":null,"abstract":"<p>Rely/guarantee reasoning provides a compositional approach to reasoning about concurrent programs. However, such reasoning traditionally assumes a sequentially consistent memory model and hence is unsound on modern hardware in the presence of data races. In this article, we present a rely/guarantee-based approach for <i>non-multicopy atomic</i> weak memory models, i.e., where a thread’s stores are not simultaneously propagated to all other threads and hence are not observable by other threads at the same time. Such memory models include those of the earlier versions of the ARM processor as well as the POWER processor.</p><p>This article builds on our approach to compositional reasoning for <i>multicopy atomic</i> architectures, i.e., where a thread’s stores are simultaneously propagated to all other threads. In that context, an operational semantics can be based on thread-local instruction reordering. We exploit this to provide an efficient compositional proof technique in which weak memory behaviour can be shown to preserve rely/guarantee reasoning on a sequentially consistent memory model. To achieve this, we introduce a side-condition, <i>reordering interference freedom</i> on each thread, reducing the complexity of weak memory to checks over pairs of reorderable instructions.</p><p>In this article, we extend our approach to non-multicopy atomic weak memory models. We utilise the idea of reordering interference freedom between parallel components. This by itself would break compositionality but serves as a vehicle to derive a refined compatibility check between rely and guarantee conditions, which takes into account the effects of propagations of stores that are only partial, i.e., not covering all threads. All aspects of our approach have been encoded and proved sound in Isabelle/HOL.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"18 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517740","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-06-23DOI: https://dl.acm.org/doi/10.1145/3580285
Daniel Wright, Sadegh Dalvandi, Mark Batty, Brijesh Dongol
Verification techniques for C11 programs have advanced significantly in recent years with the development of operational semantics and associated logics for increasingly large fragments of C11. However, these semantics and logics have been developed in a restricted setting to avoid the thin-air-read problem. In this article, we propose an operational semantics that leverages an intra-thread partial order (called semantic dependencies) induced by a recently developed denotational event-structure-based semantics. We prove that our operational semantics is sound and complete with respect to the denotational semantics. We present an associated logic that generalises a recent Owicki–Gries framework for RC11 RAR (repaired C11) with relaxed and release-acquire accesses. We describe the mechanisation of the logic in the Isabelle/HOL theorem prover, which we use to prove correctness of a number of examples.
{"title":"Mechanised Operational Reasoning for C11 Programs with Relaxed Dependencies","authors":"Daniel Wright, Sadegh Dalvandi, Mark Batty, Brijesh Dongol","doi":"https://dl.acm.org/doi/10.1145/3580285","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3580285","url":null,"abstract":"<p>Verification techniques for C11 programs have advanced significantly in recent years with the development of operational semantics and associated logics for increasingly large fragments of C11. However, these semantics and logics have been developed in a restricted setting to avoid the <i>thin-air-read</i> problem. In this article, we propose an operational semantics that leverages an intra-thread partial order (called <i>semantic dependencies</i>) induced by a recently developed denotational event-structure-based semantics. We prove that our operational semantics is sound and complete with respect to the denotational semantics. We present an associated logic that generalises a recent Owicki–Gries framework for RC11 RAR (repaired C11) with relaxed and release-acquire accesses. We describe the mechanisation of the logic in the Isabelle/HOL theorem prover, which we use to prove correctness of a number of examples.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"17 7","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517766","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Formal methods have been used in a wide range of domains, including software, cyber-physical systems, and integrated computer-based systems. In recent years, we have seen in particular the application of formal methods in a wide range of areas, such as systems-of-systems, security, artificial intelligence, human-computer interaction, manufacturing, sustainability, power, transport, smart cities, healthcare, and biology. Formal methods also get used more and more in industry. All of these developments are supported by the design and validation of various formal method tools. Formal Methods 2021 (FM 2021) solicited high-quality papers reporting novel research results, as well as tool papers and case study reports. To establish the program of FM 2021, we assembled a program committee of 46 renowned scientists from all over the world. We received a total of 161 abstract submissions, which resulted in 131 full paper submissions from authors in 28 different countries, from which we selected 33 full papers and 2 short tool papers. This special section contains a selection of the best theory papers from the FM 2021 conference that have been selected by the program committee. The articles cover a broad spectrum of topics in the area of formal methods. The six accepted articles include the following:
{"title":"Introduction to the Special Section on FM 2021","authors":"M. Huisman, C. Pasareanu, N. Zhan","doi":"10.1145/3604594","DOIUrl":"https://doi.org/10.1145/3604594","url":null,"abstract":"Formal methods have been used in a wide range of domains, including software, cyber-physical systems, and integrated computer-based systems. In recent years, we have seen in particular the application of formal methods in a wide range of areas, such as systems-of-systems, security, artificial intelligence, human-computer interaction, manufacturing, sustainability, power, transport, smart cities, healthcare, and biology. Formal methods also get used more and more in industry. All of these developments are supported by the design and validation of various formal method tools. Formal Methods 2021 (FM 2021) solicited high-quality papers reporting novel research results, as well as tool papers and case study reports. To establish the program of FM 2021, we assembled a program committee of 46 renowned scientists from all over the world. We received a total of 161 abstract submissions, which resulted in 131 full paper submissions from authors in 28 different countries, from which we selected 33 full papers and 2 short tool papers. This special section contains a selection of the best theory papers from the FM 2021 conference that have been selected by the program committee. The articles cover a broad spectrum of topics in the area of formal methods. The six accepted articles include the following:","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":" ","pages":"1 - 2"},"PeriodicalIF":1.0,"publicationDate":"2023-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"44866233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-06-23DOI: https://dl.acm.org/doi/10.1145/3585391
Krishnendu Chatterjee, Ehsan Kafshdar Goharshady, Petr Novotný, Jiří Zárevúcky, Đorđe Žikelić
We consider the almost-sure (a.s.) termination problem for probabilistic programs, which are a stochastic extension of classical imperative programs. Lexicographic ranking functions provide a sound and practical approach for termination of non-probabilistic programs, and their extension to probabilistic programs is achieved via lexicographic ranking supermartingales (LexRSMs). However, LexRSMs introduced in the previous work have a limitation that impedes their automation: all of their components have to be non-negative in all reachable states. This might result in a LexRSM not existing even for simple terminating programs. Our contributions are twofold. First, we introduce a generalization of LexRSMs that allows for some components to be negative. This standard feature of non-probabilistic termination proofs was hitherto not known to be sound in the probabilistic setting, as the soundness proof requires a careful analysis of the underlying stochastic process. Second, we present polynomial-time algorithms using our generalized LexRSMs for proving a.s. termination in broad classes of linear-arithmetic programs.
{"title":"On Lexicographic Proof Rules for Probabilistic Termination","authors":"Krishnendu Chatterjee, Ehsan Kafshdar Goharshady, Petr Novotný, Jiří Zárevúcky, Đorđe Žikelić","doi":"https://dl.acm.org/doi/10.1145/3585391","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3585391","url":null,"abstract":"<p>We consider the almost-sure (a.s.) termination problem for probabilistic programs, which are a stochastic extension of classical imperative programs. Lexicographic ranking functions provide a sound and practical approach for termination of non-probabilistic programs, and their extension to probabilistic programs is achieved via lexicographic ranking supermartingales (LexRSMs). However, LexRSMs introduced in the previous work have a limitation that impedes their automation: all of their components have to be non-negative in all reachable states. This might result in a LexRSM not existing even for simple terminating programs. Our contributions are twofold. First, we introduce a generalization of LexRSMs that allows for some components to be negative. This standard feature of non-probabilistic termination proofs was hitherto not known to be sound in the probabilistic setting, as the soundness proof requires a careful analysis of the underlying stochastic process. Second, we present polynomial-time algorithms using our generalized LexRSMs for proving a.s. termination in broad classes of linear-arithmetic programs.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"39 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517742","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-06-21DOI: https://dl.acm.org/doi/10.1145/3605360
Bernhard K. Aichernig, Martin Tappler, Felix Wallner
Automata learning enables model-based analysis of black-box systems by automatically constructing models from system observations, which are often collected via testing. The required testing budget to learn adequate models heavily depends on the applied learning and testing techniques.
Test cases executed for learning (1) collect behavioural information and (2) falsify learned hypothesis automata. Falsification test-cases are commonly selected through conformance testing. Active learning algorithms additionally implement test-case selection strategies to gain information, whereas passive algorithms derive models solely from given data. In an active setting, such algorithms require external test-case selection, like repeated conformance testing to extend the available data.
There exist various approaches to learning and conformance testing, where interdependencies among them affect performance. We investigate the performance of combinations of six learning algorithms, including a passive algorithm, and seven testing algorithms, by performing experiments using 153 benchmark models. We discuss insights regarding the performance of different configurations for various types of systems. Our findings may provide guidance for future users of automata learning. For example, counterexample processing during learning strongly impacts efficiency, which is further affected by testing approach and system type. Testing with the random Wp-method performs best overall, while mutation-based testing performs well on smaller models.
{"title":"Benchmarking Combinations of Learning and Testing Algorithms for Automata Learning","authors":"Bernhard K. Aichernig, Martin Tappler, Felix Wallner","doi":"https://dl.acm.org/doi/10.1145/3605360","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3605360","url":null,"abstract":"<p>Automata learning enables model-based analysis of black-box systems by automatically constructing models from system observations, which are often collected via testing. The required testing budget to learn adequate models heavily depends on the applied learning and testing techniques. </p><p>Test cases executed for learning (1) collect behavioural information and (2) falsify learned hypothesis automata. Falsification test-cases are commonly selected through conformance testing. Active learning algorithms additionally implement test-case selection strategies to gain information, whereas passive algorithms derive models solely from given data. In an active setting, such algorithms require external test-case selection, like repeated conformance testing to extend the available data. </p><p>There exist various approaches to learning and conformance testing, where interdependencies among them affect performance. We investigate the performance of combinations of six learning algorithms, including a passive algorithm, and seven testing algorithms, by performing experiments using 153 benchmark models. We discuss insights regarding the performance of different configurations for various types of systems. Our findings may provide guidance for future users of automata learning. For example, counterexample processing during learning strongly impacts efficiency, which is further affected by testing approach and system type. Testing with the random Wp-method performs best overall, while mutation-based testing performs well on smaller models.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"15 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517743","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Automata learning enables model-based analysis of black-box systems by automatically constructing models from system observations, which are often collected via testing. The required testing budget to learn adequate models heavily depends on the applied learning and testing techniques. Test cases executed for learning (1) collect behavioural information and (2) falsify learned hypothesis automata. Falsification test-cases are commonly selected through conformance testing. Active learning algorithms additionally implement test-case selection strategies to gain information, whereas passive algorithms derive models solely from given data. In an active setting, such algorithms require external test-case selection, like repeated conformance testing to extend the available data. There exist various approaches to learning and conformance testing, where interdependencies among them affect performance. We investigate the performance of combinations of six learning algorithms, including a passive algorithm, and seven testing algorithms, by performing experiments using 153 benchmark models. We discuss insights regarding the performance of different configurations for various types of systems. Our findings may provide guidance for future users of automata learning. For example, counterexample processing during learning strongly impacts efficiency, which is further affected by testing approach and system type. Testing with the random Wp-method performs best overall, while mutation-based testing performs well on smaller models.
{"title":"Benchmarking Combinations of Learning and Testing Algorithms for Automata Learning","authors":"B. Aichernig, Martin Tappler, Felix Wallner","doi":"10.1145/3605360","DOIUrl":"https://doi.org/10.1145/3605360","url":null,"abstract":"Automata learning enables model-based analysis of black-box systems by automatically constructing models from system observations, which are often collected via testing. The required testing budget to learn adequate models heavily depends on the applied learning and testing techniques. Test cases executed for learning (1) collect behavioural information and (2) falsify learned hypothesis automata. Falsification test-cases are commonly selected through conformance testing. Active learning algorithms additionally implement test-case selection strategies to gain information, whereas passive algorithms derive models solely from given data. In an active setting, such algorithms require external test-case selection, like repeated conformance testing to extend the available data. There exist various approaches to learning and conformance testing, where interdependencies among them affect performance. We investigate the performance of combinations of six learning algorithms, including a passive algorithm, and seven testing algorithms, by performing experiments using 153 benchmark models. We discuss insights regarding the performance of different configurations for various types of systems. Our findings may provide guidance for future users of automata learning. For example, counterexample processing during learning strongly impacts efficiency, which is further affected by testing approach and system type. Testing with the random Wp-method performs best overall, while mutation-based testing performs well on smaller models.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":" ","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49533006","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-05-25DOI: https://dl.acm.org/doi/10.1145/3599731
Yuan Fei, Huibiao Zhu, Jiaqi Yin
As IoT in multi-server environment increases resources utilization, more and more problems of IoT authentication and key agreement are revealed. Authentication and Key Agreement (AKA) protocol plays an important role in solving these problems. Many AKA protocols have been proposed, and some of them support their own verifications. However, there lacks a unifying verification framework for multi-server IoT. In this paper, we propose a formal verification framework of AKA protocols for multi-server IoT (FVF-AKA). It supports the construction of CSP models for the AKA protocol, the implementation of the CSP models in PAT with C#, and the verification of formal models. With the help of C#, many complex functions in AKA protocol can be implemented. We also design an algorithm to support automatic conversion from CSP model to PAT model. FVF-AKA can verify four fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). It also supports the verification of security properties for the AKA protocol suffering from four different attacks (relay attacks, denial of service attacks, server spoofing attacks, and session key attacks). Our approach can be applied to most AKA protocols for multi-server IoT generally. By applying FVF-AKA to two AKA protocols, we can verify whether they satisfy the fundamental properties and analyze their security properties in vulnerable environments. Our work would help to analyze the AKA protocol for multi-server IoT and provide the foundation for the analysis of enhancing its security and robustness.
{"title":"FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoT","authors":"Yuan Fei, Huibiao Zhu, Jiaqi Yin","doi":"https://dl.acm.org/doi/10.1145/3599731","DOIUrl":"https://doi.org/https://dl.acm.org/doi/10.1145/3599731","url":null,"abstract":"<p>As IoT in multi-server environment increases resources utilization, more and more problems of IoT authentication and key agreement are revealed. Authentication and Key Agreement (AKA) protocol plays an important role in solving these problems. Many AKA protocols have been proposed, and some of them support their own verifications. However, there lacks a unifying verification framework for multi-server IoT. In this paper, we propose a formal verification framework of AKA protocols for multi-server IoT (FVF-AKA). It supports the construction of CSP models for the AKA protocol, the implementation of the CSP models in PAT with C#, and the verification of formal models. With the help of C#, many complex functions in AKA protocol can be implemented. We also design an algorithm to support automatic conversion from CSP model to PAT model. FVF-AKA can verify four fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). It also supports the verification of security properties for the AKA protocol suffering from four different attacks (relay attacks, denial of service attacks, server spoofing attacks, and session key attacks). Our approach can be applied to most AKA protocols for multi-server IoT generally. By applying FVF-AKA to two AKA protocols, we can verify whether they satisfy the fundamental properties and analyze their security properties in vulnerable environments. Our work would help to analyze the AKA protocol for multi-server IoT and provide the foundation for the analysis of enhancing its security and robustness.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"12 1","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-05-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138517744","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
As IoT in multi-server environment increases resources utilization, more and more problems of IoT authentication and key agreement are revealed. Authentication and Key Agreement (AKA) protocol plays an important role in solving these problems. Many AKA protocols have been proposed, and some of them support their own verifications. However, there lacks a unifying verification framework for multi-server IoT. In this paper, we propose a formal verification framework of AKA protocols for multi-server IoT (FVF-AKA). It supports the construction of CSP models for the AKA protocol, the implementation of the CSP models in PAT with C#, and the verification of formal models. With the help of C#, many complex functions in AKA protocol can be implemented. We also design an algorithm to support automatic conversion from CSP model to PAT model. FVF-AKA can verify four fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). It also supports the verification of security properties for the AKA protocol suffering from four different attacks (relay attacks, denial of service attacks, server spoofing attacks, and session key attacks). Our approach can be applied to most AKA protocols for multi-server IoT generally. By applying FVF-AKA to two AKA protocols, we can verify whether they satisfy the fundamental properties and analyze their security properties in vulnerable environments. Our work would help to analyze the AKA protocol for multi-server IoT and provide the foundation for the analysis of enhancing its security and robustness.
{"title":"FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoT","authors":"Yuan Fei, Huibiao Zhu, Jiaqi Yin","doi":"10.1145/3599731","DOIUrl":"https://doi.org/10.1145/3599731","url":null,"abstract":"As IoT in multi-server environment increases resources utilization, more and more problems of IoT authentication and key agreement are revealed. Authentication and Key Agreement (AKA) protocol plays an important role in solving these problems. Many AKA protocols have been proposed, and some of them support their own verifications. However, there lacks a unifying verification framework for multi-server IoT. In this paper, we propose a formal verification framework of AKA protocols for multi-server IoT (FVF-AKA). It supports the construction of CSP models for the AKA protocol, the implementation of the CSP models in PAT with C#, and the verification of formal models. With the help of C#, many complex functions in AKA protocol can be implemented. We also design an algorithm to support automatic conversion from CSP model to PAT model. FVF-AKA can verify four fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). It also supports the verification of security properties for the AKA protocol suffering from four different attacks (relay attacks, denial of service attacks, server spoofing attacks, and session key attacks). Our approach can be applied to most AKA protocols for multi-server IoT generally. By applying FVF-AKA to two AKA protocols, we can verify whether they satisfy the fundamental properties and analyze their security properties in vulnerable environments. Our work would help to analyze the AKA protocol for multi-server IoT and provide the foundation for the analysis of enhancing its security and robustness.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":" ","pages":""},"PeriodicalIF":1.0,"publicationDate":"2023-05-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"46326242","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号