Results 1-10 of 14
Model Checking of Probabilistic and Nondeterministic Systems
1995
Cited by 200 (13 self)
The temporal logics pCTL and pCTL* have been proposed as tools for the formal specification and verification of probabilistic systems: as they can express quantitative bounds on the probability of system evolutions, they can be used to specify system properties such as reliability and performance. In this paper, we present model-checking algorithms for extensions of pCTL and pCTL* to systems in which the probabilistic behavior coexists with nondeterminism, and show that these algorithms have polynomial-time complexity in the size of the system. This provides a practical tool for reasoning on the reliability and performance of parallel systems. 1 Introduction. Temporal logic has been successfully used to specify the behavior of concurrent and reactive systems. These systems are usually modeled as nondeterministic processes: at any moment in time, more than one future evolution may be possible, but a probabilistic characterization of their likelihood is normally not attempted. While ma...
System Specification and Refinement in Temporal Logic
Proceedings of Foundations of Software Technology and Theoretical Computer Science, volume 652 of LNCS, 1995
Cited by 16 (0 self)
We consider two types of specifications of reactive systems: requirement specification, which lists properties the system should satisfy, and system specification, which describes the response of the system to each incoming input. Some of the differences between these two styles of specification are analyzed, with the conclusion that both types are needed in an orderly system development. Traditionally, temporal logic was used for requirement specification while process algebras, such as csp and ccs, were used for system specification. Recent developments, mainly represented in Lamport's temporal logic of actions (tla), demonstrated that temporal logic can be used effectively also for system specification. This paper explores the use of temporal logic for system specification, evaluates some of the advantages and disadvantages of such a use, and demonstrates the use of temporal logic for refinement and systematic development of systems. To allow simulation of a single high-level step ...
Model Checking LTL using Constraint Programming
In 18th International Conference on Application and Theory of Petri Nets, 1997
Cited by 13 (1 self)
The model-checking problem for 1-safe Petri nets and linear-time temporal logic (LTL) consists of deciding, given a 1-safe Petri net and a formula of LTL, whether the Petri net satisfies the property encoded by the formula. This paper introduces a semi-decision test for this problem. By a semi-decision test we understand a procedure which may answer `yes', in which case the Petri net satisfies the property, or `don't know'. The test is based on a variant of the so-called automata-theoretic approach to model checking and on the notion of T-invariant. We analyse the computational complexity of the test, implement it using 2lp, a constraint programming tool, and apply it to two case studies. This paper is a (very) abbreviated version of [6]. 1 Introduction. Linear-time temporal logic (LTL) is a well-known formalism for specifying properties of concurrent systems. The problem of deciding if a concurrent system satisfies an LTL formula is called the model-checking problem (of LTL). In [16] ...
Safety and Liveness Properties: A Survey
Cited by 9 (0 self)
The distinction of safety and liveness properties is often adopted in specification and design methods for distributed systems. We present a short survey on the "history" of these concepts and on papers that contributed to their general acceptance.
Formal Methods for Broadband and Multimedia Systems
Computer Networks and ISDN Systems, Special Issue on Trends in Formal Description Techniques and their Applications, 1997
Cited by 5 (1 self)
this paper to exemplify steps that need to be taken in order to overcome this deficit. We first discuss choices that need to be made when designing a suitable real-time execution model for SDL and Estelle and proceed to present two remedies to the inexpressiveness problem: First, we introduce the concept of complementary real-time specification by reconciling the semantic models of Metric Temporal Logic and SDL and showing how both languages can be used in a complementary fashion. Second, we suggest a language extension and the corresponding semantic interpretation for Estelle. While we present examples from the domain of multimedia and broadband systems, the applicability of our specification methods extends to hard real-time systems. Finally, we discuss extensions of our techniques to capture QoS stochastic properties, and we allude to formal requirements verification and automatic implementation based on our techniques. Condensed version to appear in Computer Networks and ISDN Systems. 21 August 1997. 1 Introduction. The specification of requirements on the observable behavior of distributed, communicating real-time systems is an important step in the engineering of these systems. Requirements specifications help avoid inconsistencies in the requirements, they are the basis for deriving correct system designs, they are essential in establishing the system's correctness by serving as a basis for testing and formal verification, and they are important in the documentation of system requirements. [20] suggests that proper requirements engineering, of which requirements specification is an important step, is pivotal in avoiding pitfalls of what is called the `software crisis'. Facets of the software crisis include systems that have low reliability or even unusability a...
Relative Liveness: From Intuition to Automated Verification
Bank University, 1995
Cited by 3 (1 self)
We point out deficiencies of previous treatments of liveness. We define a new liveness condition in two forms: one based on finite trace theory, and the other on automata. We prove the equivalence of these two definitions. We also introduce a safety condition and provide modular and hierarchical verification theorems for both safety and liveness. Finally, we present a verification algorithm for liveness. Index terms: Concurrent systems, deadlock, fairness, finite automata, liveness, safety, trace structures, verification. 1 Introduction. Motivation and scope. Formal verification, especially if it can be automated, gains importance as designed systems become more and more complex. Formal verification is particularly important for concurrent systems because nondeterministic interleavings of events can generate considerable complexity. The subject of this paper is the definition, analysis, and automatic verification of a liveness condition for (possibly asynchronous) digital circuits...
You should Better Enforce than Verify
Cited by 3 (3 self)
This tutorial deals with runtime enforcement, which is an extension of runtime verification aiming to circumvent misbehaviors of systems. After a historical overview of previous approaches, we present our approach to property enforcement and future challenges. Runtime verification is a well-established technique which consists in using a monitor to supervise, at runtime, the execution of an underlying program against a set of expected properties. A monitor is a state machine (with an output function) processing (step by step) an execution sequence of the monitored program, and producing a sequence of verdicts (truth values of a truth-domain) indicating fulfillment or violation of a property. Whilst the detection might sometimes be a sufficient assurance for some systems, the occurrence (resp. non-occurrence) of property violations (resp. validations) might be unacceptable for others. Runtime enforcement [1–4] of the desired property is a possible solution to ensure expected behaviors and avoid misbehaviors. Within this technique the monitor not only observes the current program execution, but it also modifies
The Rabin Index and Chain automata, with applications to automata and games
In Computer Aided Verification, Proc. 7th Int. Conference, LNCS 939, 1995
Cited by 2 (0 self)
In this paper we relate the Rabin Index of an ω-language to the complexity of translation amongst automata, strategies for two-person regular games, and the complexity of controller synthesis and verification for real systems, via a new construction to transform Rabin automata to Chain automata. The Rabin Index is the minimum number of pairs required to realize the language as a deterministic Rabin automaton (DRA), and is a measure of the inherent complexity of the ω-language. Chain automata are a special kind of Rabin automata where the sets comprising the acceptance condition form a chain. Our main construction translates a DRA with n states and h pairs to a deterministic chain automaton (DCA) with n·h^k states, where k is the Rabin Index of the language. Using this construction, we can transform a DRA into a minimum-pair DRA or deterministic Streett automaton (DSA), each with n·h^k states. Using a simple correspondence between tree automata (TA) and games, we extend the const...
On Topological Hierarchies of Temporal Properties
1996
Cited by 2 (0 self)
The classification of properties of concurrent programs into safety and liveness was first proposed by Lamport [20]. Since then several characterizations of hierarchies of properties have been given, see e.g. [4, 18, 8, 19]; this includes syntactic characterizations (in terms of classes of formulas of logics such as linear temporal logic) as well as extensional ones (as sets of computations in some abstract domain). The latter often admit a topological characterization with respect to the natural topologies of the domain of computations. We introduce a general notion of a linear-time model of computation which consists of partial and completed computations satisfying certain axioms. The model is endowed with a natural topology. We show that the usual topologies on strings, Mazurkiewicz traces and pomsets arise as special cases. We then introduce a hierarchy of properties including safety, liveness, guarantee, response and persistence properties, and show that our definition ...
Synthesizing Enforcement Monitors wrt. the Safety-Progress Classification of Properties
2008
Cited by 2 (2 self)
Runtime enforcement is a powerful technique to ensure that a program will respect a given security policy. We extend previous works on this topic in several directions. Firstly, we propose a generic notion of enforcement monitors based on a memory device and finite sets of control states and enforcement operations. Moreover, we specify their enforcement abilities w.r.t. the general safety-progress classification of properties. It allows a fine-grained characterization of the space of enforceable properties. Finally, we propose a systematic technique to produce an enforcement monitor from the Streett automaton recognizing a given safety, guarantee, obligation or response security property.