The technology underlying
constraint-based symbolic model checking is
still at a very preliminary
development stage. Most of the existing
constraint-based verification tools make use, in fact, of `services' provided
by general purpose constraint solvers. For
instance, Polka [HPR94] and HyTech [HHW97], two infinite-state
model checkers for hybrid
systems, are based on a polyhedra library developed
by Halbwachs for the static analysis of sequential programs [CH78]. The
infinite-state model checker of Bultan, Gerber and Pugh [BGP99] is
based instead on the Omega library, a constraint solver for integer
linear arithmetic (Presburger arithmetics). Recently, Bultan
extended his tool with composite
constraints, i.e., constraints that
combine boolean and Presburger
formulas [Bul00,DB01,YTB01].
Finally, McMillan is currently
experimenting the use of SAT as an engine for
symbolic model checking [McM02].
Unfortunately, as experimentally
proved in [DR00,DRV01], such a loose
integration of model checking
and of
constraint programming suffers
from the `symbolic state
explosion' problem when applied to large
specifications. In the approaches inspired
to BDDs-like data structures for Symbolic Model
Checking this problem has been considered only in very specific
domains by introducing dedicated data
structures to compactly
represent (subclasses
of) arithmetic
constraints.
The more recent data structures
proposed in this field are:
- DDDs [MLAH99], a graph-based
representation of difference-constraints (used in
timed-automata) that improves the matrix-based representations of
the clock regions used in the analysis of time
stystems [AD94].
- CSTs [DR00], a
representation of upward-closed sets of Petri Nets markings
via special graphs called sharing trees;
- NDDs [WB00] an automata-based
package for handling Presburger arithmetics.
A comparison between the
performance of tools based on these data
structures has not been done,
yet. Furthermore, a lot of work remain
to be done in order to extend
these structures to larger fragments of
numerical constraints, and to
find general purpose heuristics that
could be use to make feasible
the verification
of large classes of
practical examples.
Applications of Constraint-based Verification
In recent years
there have been several application of
constraint-based verification
techniques to verification of protocols
and, more in general, of
reactive systems.
Specifically, we can
isolate two classes of
applications: verification of systems with a
finite number of components but
unbounded data paths, and verification
of systems with a finite but non
fixed a priori number of components
(parameterized verification).
Within the first class, in
[BGP99,DP99] mutual-exclusion algorithms
(e.g. Bakery and Ticket) have
been automatically verified using the
Omega library and using CLP(R).
Other examples are the verification of
the Fisher protocol, and of the
Bounded Retransmission Protocol
[HHW97,LPY97], and of the
Alternating Bit Protocol [ACJT96] (the
latter carried over using a
symbolic domain based on strings over
finite alphabets).
Within the second
class of applications, there have been several
efforts for automated
verification of safety properties of Unbounded
Petri Nets [ACJT96,DRV01,FS01],
Unbounded Timed Petri Nets with aged tokens
[AJ99], verification
of safaety properties for skeletons of concurrent programs
[BD02], and verification
of safety properties of consistency and coherence
protocols for multiprocessor
systems for any number of processors
[Del00,Del00b,DB01],
and verification of abstractions of multithreaded
Java programs [DRV02].
Interestingly, in
several applications constraint-based techniques are
combined with abstractions
defined either over the system model (as in
[Del00,DB01,DRV02])
or over the constraint representation of the
system states (as
in [BD02]). The study of systematic methods to
design and apply abtraction
is thus a fundamental tool for making
model checking useful
in practice.
Verification as Constraint Satisfiability
There has been a dramatic speed-up for SAT procedures in the last
decade: since 1991
the problems solvable by SAT solvers have grown
from 100 to 10,000
variables. Moreover, in the last few years, a
variety of new algorithms,
techniques, and heuristics improving on
previous state-of-the-art
SAT technology have been put forward. On
the basis of these
results, researchers from various communities have
started encoding real-world
problems into SAT. The results have been
success stories. In
the last decade there has been a dramatic speed-up
of SAT solvers: problems
with thousands of variables are now solved
routinely in milliseconds.
This has lead to breakthroughs in planning
and model-checking
of hardware circuits. In particular SAT-based
Bounded Model Checking
[BCCZ99] has been proposed as a complementary
approach to Model
Checking based on OBDDs. Experimental results
clearly indicate that
SAT-based Bounded Model Checkers can
significantly outperform
OBDD-based Model Checkers in the verification
of hardware circuits.
There are several
others interesting approaches to formulate a
verification problem
as a single constraint solving problem and to
establish a property
by invoking the corresponding solver. As an
example, this is the
approched followed in the so called static
analysis of protocols
modeled via Petri Net like models [STC98]. In
this setting the transition
system and interesting classes of safety
properties (e.g. mutual
exclusion) can be expressed via a system of
inequalities defined
over integer values [EM97,EM00]. The encoding is
defined in such a
way that the emptyness of the set of solutions
implies the validity
of the property. The last problem can thus be
attacked by integer
linear programming, or, via a relaxation from
integer to reals,
by linear programming [EM00]. This kind of static
analysis can also
be useful to compute information (e.g.
overapproximations
of the reachabilty set of a protocol) to be used in
symbolic model checking
(e.g. to prune the search space as suggested
in [DRV01,DRV02]).
Central to the success
of the constraint-based approach to
verification are the
development of solvers for the decidable
fragments of interest,
their combination, and their extension to wider
fragments. While the
development of solvers is generally carried out
in an ad hoc fashion
(with proofs of correctness based on difficult
model-theoretic arguments),
a uniform approach to the synthesis of
decision procedures
in given in [ARR01,ARR02] which is based on
considerably simpler
proof-theoretic arguments. The problem of
satisfiability procedures
out of simpler ones is a long standing
problem in automated
reasoning for which two solutions are available
due to Nelson and
Oppen [NO78] and to Shostak [Sh84].
[AR01] presents an
approach to extending a decision procedure for Presburger
Arithmetics to deal
with non-linear constraints, thereby enlarging the
reange of applicability.
References
[AN01] P. A.
Abdulla,
A. Nylén
Timed Petri Nets and BQOs.
In Proc. ICATPN 2001, pag. 53-70, 2001.
[AD94] R. Alur and D.L. Dill.
A theory of timed automata.
TCS 126:183-235, 1994.
[A+02] A. Armando, D. Basin, M. Bouallagui, Y. Chevalier,
L. Compagna, S. Moedersheim, M. Rusinowitch, M. Turuani,
L. Vigano`, L. Vigneron.
The AVISS Security Protocol Analysis Tool.
To appear in the Proceeding of the 14th International Conference on
Computer Aided Verification, CAV 2002, Copenhagen, Denmark, July,
27-31, 2002.
[ACG99] A. Armando, C. Castellini, E. Giunchiglia.
SAT-based procedures for temporal reasoning.
In the Proceeding of the 5th European Conference on Planning (ECP-99).
Durham (UK), September 8-10, 1999.
[ACGGT02] A. Armando, C. Castellini, E. Giunchiglia, F. Giunchiglia,
A. Tacchella.
SAT-Based Decision Procedures for Automated Reasoning: a Unifying
Perspective.
Invited paper on the 'Festschrift' in honor of Joerg Sieckmann to
appear in the LNAI-series, Springer Verlag, 2002.
[AR01] A. Armando, S. Ranise.
A Practical Extension Mechanism for Decision Procedures: the Case Study
of Universal Presburger Arithmetic.
In the Journal of Universal Computer Science vol. 7:2, pages 124-140,
2001.
A short version of the paper has been presented at the 4th Workshop on
Tools for System Design and Verification (FM-TOOLS 2000), p. 53-57.
Reisenburg Castle near Ulm, Germany. Monday 10 July - Thursday 13 July
2000.
[AAR01] A. Armando, S. Ranise, M. Rusinowitch.
Uniform Derivation of Decision Procedures by Superposition.
In the Proceedings of the Annual Conference on Computer Science
Logic (CSL01), Paris, France, 10-13 September 2001, pages 513-527.
[AAR02] A. Armando, S. Ranise, M. Rusinowitch.
The Rewriting Approach to Satisfiability Procedures.
Accepted for publication on the Journal of Information and
Computation, 2002.
[BLPWY99] G. Behrmann, K. G. Larsen, J. Pearson, C. Weise, and W. Yi.
Efficient Timed Reachability Analysis Using Clock Difference Diagrams.
In Proc. CAV 99, 1999.
[BCCZ99] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu.
Symbolic Model Checking without BDDs.
In Proceedings of TACAS'99, Cleaveland, W. R., LNCS 1579, pages
193-207, 1999.
[BD02] M. Bozzano, and G. Delzanno
Beyond Parameterized Verification.
To appear in Proc. TACAS 2002, April 2002.
[Bul00] T. Bultan.
Action Language: a specification language for model checking reactive
systems.
In Proc. ICSE 2000, pag. 335-344, 2000.
[Bul00b] T. Bultan.
BDD vs. Constraint-Based Model Checking: An Experimental Evaluation for
Asynchronous Concurrent Systems.
In Proc. TACAS 2000, pag. 441-455, 2000.
[BGP99] T. Bultan, R. Gerber, and W. Pugh.
Model-checking concurrent systems with unbounded integer
variables: Symbolic representations, approximations, and experimental
results.
ACM TOPLAS, 21(4):747--789, 1999.
[BD94] J. R. Burch and D. L. Dill.
Automatic verification of pipelined microprocessors control.
In Proceedings
of
the sixth International Conference on
Computer-Aided Verification {CAV}, volume 818, pages 68--80,
Standford, California, USA, 1994. Springer-Verlag.
[CH78] P. Cousot and N. Halbwachs.
Automatic Discovery of Linear Restraints among Variables of a Program.
In Proc. POPL 78, 1978.
[Del00] G. Delzanno.
Automatic Verification of Parameterized Cache Coherence
Protocols. In Proceedings of the 12th International Conference on
Computer Aided Verification, CAV 2000,
Lecture Notes in Computer Science, vol. 1855, pages 53--68, Springer
2000.
[Del00b] G. Delzanno.
Verification of Consistency Protocols via Infinite state Symbolic Model
Checking, a Case Study.
In Formal Methods for Distributed System Development,
Proceedings of the FORTE XIII/PSTV XX, pages 171--188,
Kluwer, 2000.
[DB01] G. Delzanno and T. Bultan.
Constraint-based Verification of Client-server Protocols.
In Proc. CP 2001, LNCS, vol. 2239, Springer 2001, pages 286-301,
December 2001.
[DEP99] G. Delzanno, J. Esparza, and A. Podelski.
Constraint-based Analysis of Broadcast Protocols.
In Proceedings of the Annual Conference of the European Association for
Computer Science Logic,
CSL '99, Lecture Notes in Computer Science, vol. 1683, pag. 50-66,
Springer,
1999.
[DP99] G. Delzanno, and A. Podelski.
Model Checking in CLP.
In Proceedings of the Fifth International Conference on
Tools and Algorithms for the Construction and Analysis of Systems,
TACAS '99,
pages 223-239, Lecture Notes in Computer Science,
vol. 1579, Springer, 1999.
[DP01] G.Delzanno and A. Podelski.
Constraint-based Deductive Model Checking.
To appear in Software Tools for Technology Transfer, 2001
[DR00] G. Delzanno, and J. F. Raskin.
Symbolic Representation of Upward-closed Sets.
In Proceedings of the 6th International Conference on
Tools and Algorithms for Construction and Analysis of Systems, TACAS
2000,
Lecture Notes in Computer Science, vol. 1785, pages 426-440, Springer
2000.
[DRV01] G. Delzanno, J.-F. Raskin, and L. Van Begin.
Attacking Symbolic State Explosion.
In Proceedings of the 13th International Conference on
Computer Aided Verification, CAV 2001,
pages 298-310, Lecture Notes in Computer Science, vol. 2102,
Springer, 2001.
[DRV02] G. Delzanno, J.-F. Raskin, and L. Van Begin.
Towards Automated Verification of Multithreaded Java Programs.
To appear in TACAS 2002.
[EM00] J. Esparza, S. Melzer.
Verification of Safety Properties Using Integer Programming: Beyond the
State Equation.
Formal Methods in System Design 16(2): 159-189, (2000)
[EM97] J. Esparza, S. Melzer.
Model Checking LTL Using Constraint Programming.
In Proc. ICATPN 1997, pag. 1-20, 1997.
[GQ01] R. Giacobazzi and E. Quintarelli.
Incompleteness, counterexamples and refinements
in abstract model-checking.
In P. Cousot Ed. The 8th International Static Analysis
Symposium SAS 01, volume 2126 of Lecture Notes in Computer Science,
pages 356-373, Springer-Verlag, 2001.
[GS92] S. M. German, A. P. Sistla.
Reasoning about Systems with Many Processes.
JACM 39(3): 675-735 (1992)
[KMMPS94] Y. Kesten, O. Maler, M. Marcus, A. Pnueli, E. Shahar
Symbolic Model Checking with Rich ssertional Languages.
In Proc. CAV 1997, pag. 424-435, 1997.
[HPR94] N. Halbwachs, Y.-E. Proy and P. Raymond.
Verification of linear hybrid systems by means of convex
approximations.
In Proc. SAS?94, LNCS 864, Springer Verlag, 1994.
[HHW97] T. A. Henzinger, P.-H. Ho, and H. Wong-Toi.
Hy Tech: a Model Checker for Hybrid Systems.
In Proc. CAV 97, 1997.
[LPY97] K. G. Larsen, P.
Pettersson,
and W. Yi.
Uppaal in a Nutshell.
International Journal on Software Tools for Technology Transfer,
1(1-2):134--152, 1997.
[McM02] K. L. McMillan
Applying SAT methods in Unbounded Symbolic Model Checking
To appear in Proc. CAV 02, July 2002.
[MLAH99] J. Moeller, J. Lichtenberg, H. R. Andersen, and H. Hulgaard.
Difference Decision Diagrams.
In Proc. CSL '99, pp. 111-125, 999.
[MLAH99b] J. Moeller, J. Lichtenberg, H. R. Andersen, and H.
Hulgaard.
Fully symbolic model checking of timed systems using
difference decision diagrams.
In Proc. FloC Workshop SMC, 1999.
[NO78] G. Nelson and D.C. Oppen.
Simplification by Cooperating Decision Procedures.
Technical Report STAN-CS-78-652, Stanford CS Dept., April 1978.
[Sh84] R. E. Shostak.
Deciding Combination of Theories.
Journal of the ACM, 31(1):1--12, 1984.
[Ran01] F. Ranzato.
On the completeness of model checking.
In D. Sands, ed., Proc. ESOP 01, LNCS vol. 2028, pp. 137-154, Springer,
2001.
[YTB01] T. Yavuz-Kahveci, M. Tuncer, T. Bultan
A Library for Composite Symbolic Representations.
In Proc. TACAS 2001, pages 52-66, 2001.
Relazione
Primo Anno Progetto
Obj 1 - "Bounded Symbolic Model-Checking
basato su SAT"
In [ACG03,AC03] e' stata
studiata l'applicazione di SAT bounded model checking
e di euristiche basate su tecniche di planning al debugging di
protocolli crittografici.
La tecnica proposta risulta essere molto efficace per il debugging di
tali protocolli.
Obj 2 - "Analisi Statica di Sistemi
Concorrenti Parametrici basata su IP"
In [DRV03] abbiamo studiato
la combinazione della teoria strutturale
delle reti di Petri (basata su Integer Programming) con le strutture
dati
CST (usate per rappresentare constraint lineari e analizzare in modo
simbolico
lo spazio degli stati di una rete di Petri).
Obj 5: "Strutture Dati Efficienti per
Constraint-based Model Checking"
In [AD03,DG04] sono state
definite delle nuove strutture dati (basate su una
combinazione di vincoli lineari e formule del I ordine) per la verifica
della
correttezza di protocolli crittografici (vedi survey [DG03]).
In [Del03] e' stata studiata l'applicazione di tali strutture dati
all'analisi
di specifiche di programmi concorrenti date in pi-calcolo (estendendo
un lavoro del
Prof. Amadio di Marsiglia).
Task 2.3: "Soft Constraints for
verification"
In [BF03a,BF03b] proponiamo
una tecnica quantitativa e scalabile che usa
constraint solving per modellare e analizzare l'efficacita' di una
policy di
sicurezza e della sua applicazione.
In [BFO04,BFO03]
consideriamo come i vincoli soft possano fornire un aiuto
nell'individuare "cascade vulnerability" in una rete.
Alcune volte, infatti le interconnessioni tra sistemi e le loro
comunicazioni
possono portare a connessioni non previste e ad incrementare il rischio
di violazione della sicurezza multilivello dei sistemi in rete.
Task 1.3 "Integrazione di paradigmi diversi"
In [BCLM03a,BCLM03b] abbiamo
studiato la relazione tra due frameworks di
verifica: il multiset rewriting (MSR) e le process algebra (PA)
ispirate al
ccs e al Pi-calcolo. In [AMMR03,JMMS03,MMS03,MM03] abbiamo studiato
l'integrazione di diversi
linguaggi logici (alcuni che supportano vincoli tipo CLP) per la
specifica e,
in prospettiva, la validazione di sistemi multiagente).
OBIETTIVI II ANNO
Nel secondo anno di
attivita' la nostra unita' si propone di:
NuovoObj1 -SAT-
Estendere l'uso di SAT ad
altri domini applicativi quali la verifica di
protocolli utilizzati su internet e programmi multithreaded
NuovoObj2 -Strutture Dati-
Studiare l'applicazione dei
CST e delle strutture dati basate su logica
del I ordine e vincoli al'analisi di protocolli per internet e
programmi
multithreaded.
NuovoObj3 -Integrazione linguaggi e
tecniche e loro applicazione-
Studiare l'integrazione
delle tecniche e dei linguaggi sviluppate all'interno
dell'unita' (SAT, CST, ecc). Studiare la combinazione con strumenti di
interpretazione
astratta sviluppati in altri task del progetto CoVer.
Estendere l'applicabilita delle tecniche risultanti a nuovi domini
applicativi
(ad es. sistemi ad agenti)
Publications and Technical Reports
[AC03] A. Armando and L.
Compagna.
"Abstraction-driven SAT-based Analysis of Security Protocols".`
Proc. of the Sixth International Conference on Theory and
Applications of Satisfiability Testing (SAT 2003),
May 5-8 2003, S.Margherita Ligure, Italy. LNCS 2919.
[AMMR03]
E. Astesiano, M. Martelli, V. Mascardi and G. Reggio
From Requirement Specification to Prototype Execution: a Combination of
a Multiview
Use-Case Driven Method and Agent-Oriented Techniques
In Proceedings of the Fifteenth International Conference on Software
Engineering and Knowledge Engineering (SEKE), San Francisco, 2003.
[ACG03] Alessandro Armando, Luca Compagna, Pierre Ganty.
SAT-based Model Checking of Security Protocols using
Planning Graph Analysis
Proc. FME 2003 International Symposium of Formal Methods Europe.
LNCS 2805. Pisa, Italy, September 2003.
Also accepted at MoChArt, Workshop on Model
Checking and Artificial Intelligence, Acapulco, Mexico, 2003.
[AD03] Pierluigi Ammirati,
Giorgio Delzanno
Constraint-based Automatic Verification of Time Dependent Security
Properties.
Proc. of SPV 2003, a Satellite workshop of Concur 03.
BFO04] S. Bistarelli,
S.N.Foley, B. O'Sullivan,
Modelling and Detecting the Cascade Vulnerabiliy Problem using Soft
Constraints,
in Proc. ACM Symposium on Applied Computing (SAC 2004), Cyprus.
ACM Press New York, NY, USA
[BFO03] S. Bistarelli,
S.N.Foley, B. O'Sullivan,
A Constraint-based Framework for the Cascade Vulnerability Problem,
in Proc. ICLP2003 Workshop on Constraint and Logic Programming in
Security (COLOPS2003),
9 December, Tata Institute of Fundamental Research (TIFR), Mumbay,
India.
[BCLM03a] S. Bistarelli, I.
cervesato, G. Lenzini, F. martinelli,
Relating Process Algebras and Multiset Rewriting for Immediate
Decryption
Protocols,
Proc. Second International Workshop on Mathematical Methods, Models and
Architectures for Computer Networks Security - MMM'03, St. Petersburg,
Russia, 20-24 September 2003, LNAI 2776, pp. 88-101.
[BF03a] Stefano Bistarelli
and Simon N. Foley,
A Constraint Based Framework for Dependability Goals: Integrity,
In Proc. SAFECOMP 03, 2003
[BF03b] Stefano Bistarelli
and Simon N Foley,
Analysis of Integrity Policies using Soft Constraints,
Proc. IEEE 4th International Workshop on Policies for
Distributed Systems and Networks (POLICY2003), Como, June 4-6, 2003.
[BCLM03b] S. Bistarelli, I.
Cervesato, G. Lenzini, F. Martinelli,
Relating Process Algebras and Multiset Rewriting for Security Protocol
Analysis,
Proc. Workshop on Issues in the Theory of Security (WITS'03),
April 5 - 6, 2003, Warsaw, Poland, 2003.
[Del03] Giorgio Delzanno
A Symbolic Procedure for Control Reachability in the Asynchronous
Pi-calculus
Proc. of Infinity 2003, a Satellite workshop of Concur 03, ENTCS.
[DRV03] Giorgio Delzanno,
Jean-Francois Raskin, Laurent Van Begin
Covering Sharing Trees: Compact Data Structures for Parameterized
Verification
Accepted for publication on the International Journal on
Software Tools for Technology Transfer (STTT), September 2003.
[DG03] Giorgio Delzanno,
Pierre Ganty.
Symbolic Methods for Automatically Proving Secrecy and
Authentication in Infinite-state Models of Cryptographic Protocols
Proceedings of WISP, Workshop on Issues in Security and Petri Nets,
Eindhoven, The Netherlands, 2003.
[DG04] Giorgio Delzanno,
Pierre Ganty.
Automatic Verification of Time Sensitive Cryptographic Protocols
Proceedings of TACAS: Tools and Algorithms
for the Construction and Analysis of Systems, Barcelona, Spain, 2004.
[JMVS03]
T. Juan, M. Martelli, V. Mascardi and L. Sterling
Customizing AOSE Methodologies by Reusing AOSE Features
In Proceedings of the 2nd International Conference on Autonomous
Agents and Multiagent Systems (AAMAS'03), Melbourne, 2003.
[MM03] M. Martelli and V.
Mascardi
From UML Diagrams to Jess Rules: Integrating OO and Rule-Based
Languages to
Specify, Implement and Execute Agents
In Proceedings of the 8th APPIA-GULP-PRODE Joint Conference on
Declarative
Programming (AGP'03), Reggio Calabria, 2003
[MM03] V. Mascardi, M.
Martelli and L. Sterling
Logic-Based Specification Languages for Intelligent Software Agents
Accepted for publication by the Theory and Practice of Logic
Programming Journal
[Van03] Laurent Van Begin.
Efficient Verification of Counting Abstractions for Parametric systems.
PhD Thesis- Université Libre de Bruxelles, Belgium, December
2003.