A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and security-related protocols. We illustrate the feasibility of the approach by analyzing the Needham-Schroeder protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative study. The efficiency of Murphi allows us to examine multiple runs of relatively short protocols, giving us the ability to detect replay attacks, or errors resulting from confusion between independent execution of a protocol by independent parties.

This is a brief overview of the Murφ verification system.

An extension to the Murphi verifier is presented to verify systems with replicated identical components. Although most systems are finite-state in nature, many of them are also designed to be scalable, so that a description gives a family of systems, each member of which has a different number of replicated components. It is therefore desirable to be able to verify the entire family of systems, independent of the exact number of replicated components. The verification is performed by explicit state enumeration in an abstract state space where states do not record the exact numbers of components. We provide an extension to the existing Murphi language, by which a designer can easily specify a system in its concrete form. Through a new datatype, called RepetitiveID, a designer can suggest the use of this abstraction to verify a family of systems. First of all, Murphi automatically checks the soundness of this abstraction. Then it automatically translates the system description to an abstract ...

In verification by explicit state enumeration, for each reachable state of the protocol being verified the full state descriptor is stored in a state table. Two probabilistic methods -- bitstate hashing and hash compaction -- have been proposed in the literature that store much fewer bits for each state but come at the price of some probability that not all reachable states will be explored during the search, and that the verifier may thus produce false positives. Holzmann introduced bitstate hashing and derived an approximation formula for the average probability that a particular state is not omitted during the search, but this formula does not give a bound on the probability of false positives. In contrast, the analysis for hash compaction, introduced by Wolper and Leroy and improved upon by Stern and Dill, yielded a bound on the probability that not even one state is omitted during the search, thus providing a bound on the probability of false positives. In this paper, we propose a...

Modern digital systems often employ sophisticated protocols. Unfortunately, designing correct protocols is a subtle art. Even when using great care, a designer typically cannot foresee all possible interactions among the components of the system; thus, bugs like subtle race conditions or deadlocks are easily overlooked. One way a computer can support the designer is by simulating random executions of the system. There is, however, a high probability of missing executions containing errors -- especially in complex systems -- using this simulation approach. In contrast, an automatic verifier tries to examine all states reachable from a given set of startstates. The biggest obstacle in this exhaustive approach is that often there is a very large number of reachable states. This thesis describes three techniques to increase the size of the reachable state spaces that can be handled in automatic verifiers. The techniques work in verifiers that are based on explicitly storing each reachable ...

Parallel architecture becomes more and more attractive as the demand for performance increases. One of the most important classes of parallel machines is that of shared memory architectures, which are perceived as easier to program than other parallel architectures. In a shared memory multiprocessor architecture, a memory model describes the behavior of the memory system as observed at the user-level. A cache coherence protocol aims to conform to a memory model by maintaining consistency among the multiple copies of cached data and the data in main memory. Memory models and cache coherence protocols can be quite complex and subtle, creating a real possibility of misunderstandings and actual design errors. In this thesis, we will present solutions to the problems of specifying memory models and verifying the correctness of cache coherence protocols. Weaker memory models for multiprocessor systems allow higher-performance implementation techniques for memory systems. However, weak memor...

This paper describes and analyzes a probabilistic technique to reduce the memory requirement of the table of reached states maintained in verification by explicit state enumeration. The memory savings of the new scheme come at the price of a certain probability that the search becomes incomplete. However, this probability can be made negligibly small by using typically 40 bits of memory per state. From this point of view, this new scheme improves substantially on Holzmann's bitstate hashing, which has a high probability of producing an incomplete search even when using close to 1000 bits per state. The proposed scheme has been implemented in the contexts of the SPIN and Mur' verification systems. Experiments on sample protocols nicely match the predictions of the analysis. For large protocols, memory savings of two orders of magnitude are obtained. We also show how to efficiently combine the new scheme with state space caching, and we analyze bitstate hashing in order to compare it wit...

An approach for interpreted sequential verification at different levels of abstraction by symbolic simulation is proposed. The equivalence checker has been used in previous work to compare two designs at rt-level. We describe in this paper the automatic verification of gate-level results of a commercial synthesis tool against a behavioral specification at rt-level. The symbolic simulator has to cope with different numbers of control steps since the descriptions are not cycle equivalent. The state explosion problem of previous approaches relying on state traversal is avoided.

ion Our approach: reduction using reversible rules Page 2 ffl The main problem in automatic formal verification using state enumeration is the state explosion problem. ffl There are several existing approaches to widen the range of verifiable systems. ffl We proposed in this paper a new reduction method to further widen the range of verifiable systems. ffl The new reduction method can be easily combined with some of the other reduction methods, such as symmetry. GOAL 1 REDUCING THE MEMORY USAGE ffl on-the-fly verification ffl some states are thrown away after examination ffl a small number of states are stored and used to represent the discarded states when we generate a new state on-the-fly, instead of checking whether it is stored in the memory, we check whether its representative is stored in the memory. Page 3 ffl Our main goal is to reduce the memory usage, by storing only a small portion of the states in a state graph. ffl Each of the state stored represents a set of stat...

We present a new approach for using a theorem-prover to verify the correctness of protocols and distributed algorithms. The method compares a state graph of the implementation with a specification which is a state graph representing the desired abstract behavior. The steps in the specification correspond to atomic transactions, which are not atomic in the implementation. The method relies