Results 1  10
of
120
Compositional Model Checking
, 1999
"... We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approac ..."
Abstract

Cited by 2407 (62 self)
 Add to MetaCart
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Combining Partial Order Reductions with Onthefly Modelchecking
, 1994
"... Abstract Partial order modelchecking is an approach to reduce time and memory in modelchecking concurrent programs. Onthefly modelchecking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during i ..."
Abstract

Cited by 191 (14 self)
 Add to MetaCart
Abstract Partial order modelchecking is an approach to reduce time and memory in modelchecking concurrent programs. Onthefly modelchecking is a technique to eliminate part of the search by intersecting an automaton representing the (negation of the) checked property with the state space during its generation. We prove conditions under which these two methods can be combined in order to gain reduction from both methods. An extension of the modelchecker SPIN, which implements this combination, is studied, showing substantial reduction over traditional search, not only in the number of reachable states, but directly in the amount of memory and time used. We also describe how to apply partialorder modelchecking under given fairness assumptions.
Symbolic Verification with Periodic Sets
, 1994
"... Symbolic approaches attack the state explosion problem by introducing implicit representations that allow the simultaneous manipulation of large sets of states. The most commonly used representation in this context is the Binary Decision Diagram (BDD). This paper takes the point of view that other s ..."
Abstract

Cited by 73 (6 self)
 Add to MetaCart
Symbolic approaches attack the state explosion problem by introducing implicit representations that allow the simultaneous manipulation of large sets of states. The most commonly used representation in this context is the Binary Decision Diagram (BDD). This paper takes the point of view that other structures than BDD's can be useful for representing sets of values, and that combining implicit and explicit representations can be fruitful. It introduces a representation of complex periodic sets of integer values, shows how this representation can be manipulated, and describes its application to the statespace exploration of protocols. Preliminary experimental results indicate that the method can dramatically reduce the resources required for statespace exploration.
Athena: a new efficient automatic checker for security protocol analysis
 In Proceedings of the Twelth IEEE Computer Security Foundations Workshop
, 1999
"... We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating we ..."
Abstract

Cited by 72 (1 self)
 Add to MetaCart
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating wellformed formulae in this logic. For a wellformed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likelyhood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.
The practitioner's guide to coloured Petri nets
 International Journal on Software Tools for Technology Transfer
, 1998
"... Coloured Petri nets (CPnets or CPNs) provide a framework for the design, specification, validation, and verification of systems. CPnets have a wide range of application areas and many CPN projects have been carried out in industry, e.g., in the areas of communication protocols, operating systems, ..."
Abstract

Cited by 69 (16 self)
 Add to MetaCart
Coloured Petri nets (CPnets or CPNs) provide a framework for the design, specification, validation, and verification of systems. CPnets have a wide range of application areas and many CPN projects have been carried out in industry, e.g., in the areas of communication protocols, operating systems, hardware designs, embedded systems, software system designs, and business process reengineering. Design/CPN is a graphical computer tool supporting the practical use of CPnets. The tool supports the construction, simulation, and functional and performance analysis of CPN models. The tool is used by more than four hundred organisations in forty different countries  including one hundred commercial companies. It is available free of charge, also for commercial use. This paper provides a comprehensive road map to the practical use of CPnets and the Design/CPN tool. We give an informal introduction to the basic concepts and ideas underlying CPnets. The key components and facilities of the Design/CPN tool are presented and their use illustrated. The paper is selfcontained and does not assume any prior knowledge of Petri nets and CPnets nor any experience with the Design/CPN tool.
Athena: a novel approach to efficient automatic security protocol analysis
 Journal of Computer Security
, 2001
"... protocol analysis ..."
Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols
 In Proc. IFIP Working Conference on Programming Concepts and Methods (PROCOMET
, 1998
"... As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers h ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers have proposed the use of security protocols to provide these security guarantees. In this paper, we develop a method of verifying these protocols using a special purpose model checker which executes an exhaustive state space search of a protocol model. Our tool also includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol. Because our models are necessarily abstractions, we cannot prove a protocol correct. However, our tool is extremely useful as a debugger. We have used our tool to analyze 14 different authentication protocols, and have found the previously reported attacks for them. Keywords Model checking, security ...
PartialOrder Reduction in Symbolic State Space Exploration
, 1997
"... . State space explosion is a fundamental obstacle in formal verification of designs and protocols. Several techniques for combating this problem have emerged in the past few years, among which two are significant: partialorder reductions and symbolic state space search. In asynchronous systems, ..."
Abstract

Cited by 59 (0 self)
 Add to MetaCart
. State space explosion is a fundamental obstacle in formal verification of designs and protocols. Several techniques for combating this problem have emerged in the past few years, among which two are significant: partialorder reductions and symbolic state space search. In asynchronous systems, interleavings of independent concurrent events are equivalent, and only a representative interleaving needs to be explored to verify local properties. Partialorder methods exploit this redundancy and visit only a subset of the reachable states. Symbolic techniques, on the other hand, capture the transition relation of a system and the set of reachable states as boolean functions. In many cases, these functions can be represented compactly using binary decision diagrams (BDDs). Traditionally, the two techniques have been practiced by two different schoolspartialorder methods with enumerative depthfirst search for the analysis of asynchronous network protocols, and symbolic bread...
Model Checking for Security Protocols
 CARNEGIE MELLON UNIVERSITY
, 1997
"... As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious intruders becomes paramount. People have looked t ..."
Abstract

Cited by 58 (3 self)
 Add to MetaCart
As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious intruders becomes paramount. People have looked to cryptography to help solve many of these problems. However, cryptography itself is only a tool. The security of a system depends not only on the cryptosystem being used, but also on how it is used. Typically, researchers have proposed the use of security protocols to provide these security guarantees. These protocols consist of a sequence of messages, many with encrypted parts. In this paper, we develop a way of verifying these protocols using model checking. Model checking has proven to be a very useful technique for verifying hardware designs. By modelling circuits as finitestate machines, and examining all possible execution traces, model checking has found a number of errors in real w...
A Partial Order Approach to Branching Time Logic Model Checking
 Information and Computation
, 1994
"... Partial order techniques enable reducing the size of the state graph used for model checking, thus alleviating the `state space explosion' problem. These reductions are based on selecting a subset of the enabled operations from each program state. So far, these methods have been studied, implemented ..."
Abstract

Cited by 55 (14 self)
 Add to MetaCart
Partial order techniques enable reducing the size of the state graph used for model checking, thus alleviating the `state space explosion' problem. These reductions are based on selecting a subset of the enabled operations from each program state. So far, these methods have been studied, implemented and demonstrated for assertional languages that model the executions of a program as computation sequences, in particular the logic LTL (linear temporal logic). The present paper shows, for the first time, how this approach can be applied to languages that model the behavior of a program as a tree. We study here partial order reductions for branching temporal logics, e.g., the logics CTL and CTL (all logics with the nexttime operator removed) and process algebras such as CCS. Conditions on the subset of successors from each node to guarantee reduction that preserves CTL properties are given. Provided experimental results show that the reduction is substantial. 1 Introduction Partial ord...