Results 1  10
of
49
Using Temporal Logics to Express Search Control Knowledge for Planning
 ARTIFICIAL INTELLIGENCE
, 1999
"... Over the years increasingly sophisticated planning algorithms have been developed. These have made for more efficient planners, but unfortunately these planners still suffer from combinatorial complexity even in simple domains. Theoretical results demonstrate that planning is in the worst case in ..."
Abstract

Cited by 328 (15 self)
 Add to MetaCart
(Show Context)
Over the years increasingly sophisticated planning algorithms have been developed. These have made for more efficient planners, but unfortunately these planners still suffer from combinatorial complexity even in simple domains. Theoretical results demonstrate that planning is in the worst case intractable. Nevertheless, planning in particular domains can often be made tractable by utilizing additional domain structure. In fact, it has long been acknowledged that domain independent planners need domain dependent information to help them plan effectively. In this
Lazy theorem proving for bounded model checking over infinite domains
, 2002
"... Abstract. We investigate the combination of propositional SAT checkers with domainspecific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ' with domainspecific constraints over pr ..."
Abstract

Cited by 90 (11 self)
 Add to MetaCart
Abstract. We investigate the combination of propositional SAT checkers with domainspecific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ' with domainspecific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification '. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL level descriptions, and investigate the lazy integration of SAT solving and theorem proving. 1 Introduction Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finitestate systems but also to certain infinitestate systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a boolean representation of state sets using binary decision diagrams (BDD) [4] as a way of checking temporal properties, whereas explicitstate model checkers enumerate the set of reachable states of the system.
A Brief Account of Runtime Verification
, 2008
"... In this paper, a brief account of the field of runtime verification is given. Starting with a definition of runtime verification, a comparison to wellknown verification techniques like model checking and testing is provided, and applications in which runtime verification brings out its distinguishi ..."
Abstract

Cited by 70 (0 self)
 Add to MetaCart
(Show Context)
In this paper, a brief account of the field of runtime verification is given. Starting with a definition of runtime verification, a comparison to wellknown verification techniques like model checking and testing is provided, and applications in which runtime verification brings out its distinguishing features are pointed out. Moreover, extensions of runtime verification such as monitororiented programming, and monitorbased runtime reflection are sketched and their similarities and differences are discussed. Finally, the use of runtime verification for contract enforcement is briefly pointed out.
On Model Checking Safety Properties
 IN MODEL CHECKING SOFTWARE. 10TH INTERNATIONAL SPIN WORKSHOP
, 2002
"... Safety properties are an interesting subset of general temporal properties for systems. In the linear time paradigm, model checking of safety properties is simpler than the general case, because safety properties can be captured by finite automata. This work discusses the theoretical and some of the ..."
Abstract

Cited by 35 (2 self)
 Add to MetaCart
Safety properties are an interesting subset of general temporal properties for systems. In the linear time paradigm, model checking of safety properties is simpler than the general case, because safety properties can be captured by finite automata. This work discusses the theoretical and some of the practical issues related to model checking LTL properties. Our first
Alternationfree modal mucalculus for data trees
 In LICS’07
, 2007
"... An alternationfree modal µcalculus over data trees is introduced and studied. A data tree is an unranked ordered tree whose every node is labelled by a letter from a finite alphabet and an element (“datum”) from an infinite set. For expressing datasensitive properties, the calculus is equipped wi ..."
Abstract

Cited by 29 (3 self)
 Add to MetaCart
(Show Context)
An alternationfree modal µcalculus over data trees is introduced and studied. A data tree is an unranked ordered tree whose every node is labelled by a letter from a finite alphabet and an element (“datum”) from an infinite set. For expressing datasensitive properties, the calculus is equipped with freeze quantification. A freeze quantifier stores in a register the datum labelling the current tree node, which can then be accessed for equality comparisons deeper in the formula. The main results in the paper are that, for the fragment with forward modal operators and one register, satisfiability over finite data trees is decidable but not primitive recursive, and that for the subfragment consisting of safety formulae, satisfiability over countable data trees is decidable but not elementary. The proofs use alternating tree automata which have registers, and establish correspondences with nondeterministic tree automata which have faulty counters. Allowing backward modal operators or two registers causes undecidability. As consequences, decidability is obtained for two datasensitive fragments of the XPath query language. The paper shows that, for reasoning about data trees, the forward fragment of the calculus with one register is a powerful alternative to a recently proposed firstorder logic with two variables. 1.
On Complementing Nondeterministic Büchi Automata
, 2003
"... Several optimal algorithms have been proposed for the complementation of nondeterministic B uchi word automata. Due to the intricacy of the problem and the exponential blowup that complementation involves, these algorithms have never been used in practice, even though an effective complementatio ..."
Abstract

Cited by 25 (8 self)
 Add to MetaCart
(Show Context)
Several optimal algorithms have been proposed for the complementation of nondeterministic B uchi word automata. Due to the intricacy of the problem and the exponential blowup that complementation involves, these algorithms have never been used in practice, even though an effective complementation construction would be of significant practical value. Recently, Kupferman and Vardi described a complementation algorithm that goes through weak alternating automata and that seems simpler than previous algorithms. We combine their algorithm with known and new minimization techniques. Our approach is based on optimizations of both the intermediate weak alternating automaton and the final nondeterministic automaton, and involves techniques of rank and height reductions, as well as direct and fair simulation.
Foundations for groupcentric secure information sharing models
 In Proc. of the ACM Symp. on Access Control Models and Tech
, 2009
"... We develop the foundations for a theory of GroupCentric Secure Information Sharing (gSIS), characterize a specific family of models in this arena and identify several directions in which this theory can be extended. Traditional approach to information sharing, characterized as DisseminationCentri ..."
Abstract

Cited by 24 (13 self)
 Add to MetaCart
(Show Context)
We develop the foundations for a theory of GroupCentric Secure Information Sharing (gSIS), characterize a specific family of models in this arena and identify several directions in which this theory can be extended. Traditional approach to information sharing, characterized as DisseminationCentric, focuses on attaching attributes and policies to an object as it is disseminated from producers to consumers in a system. In contrast, GroupCentric sharing envisions bringing the users and objects together in a group to facilitate sharing. The metaphors “secure meeting room ” and “subscription service ” characterize the GroupCentric approach where participants and information come together to share for some common purpose. Our focus in this paper is on semantics of group operations: Join and Leave for users and Add and Remove for objects, each of which can have several variations called types. We use Linear Temporal Logic to first characterize the core properties of a group in terms of these operations. We then characterize additional properties for specific types of these operations. Finally, we specify the authorization behavior for read access in a single group for a family of gSIS models and show that these models satisfy the abovementioned properties using the NuSMV model checker. Categories and Subject Descriptors
Inferring finitestate models with temporal constraints
 In Proceedings of ASE
, 2008
"... Finite state machinebased abstractions of software behaviour are popular because they can be used as the basis for a wide range of (semi) automated verification and validation techniques. These can however rarely be applied in practice, because the specifications are rarely kept uptodate or even ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
(Show Context)
Finite state machinebased abstractions of software behaviour are popular because they can be used as the basis for a wide range of (semi) automated verification and validation techniques. These can however rarely be applied in practice, because the specifications are rarely kept uptodate or even generated in the first place. Several techniques to reverseengineer these specifications have been proposed, but they are rarely used in practice because their input requirements (i.e. the number of execution traces) are often very high if they are to produce an accurate result. An insufficient set of traces usually results in a state machine that is either too general, or incomplete. Temporal logic formulae can often be used to concisely express constraints on system behaviour that might otherwise require thousands of execution traces to identify. This paper describes an extension of an existing state machine inference technique that accounts for temporal logic formulae, and encourages the addition of new formulae as the inference process converges on a solution. The implementation of this process is openly available, and some preliminary results are provided. 1.
Proving more properties with bounded model checking
 In: CAV. Volume 3114 of LNCS. (2004) 96–108
, 2004
"... Abstract. Bounded Model Checking, although complete in theory, has been thus far limited in practice to falsification of properties that were not invariants. In this paper we propose a termination criterion for all of LTL, and we show its effectiveness through experiments. Our approach is based on c ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Bounded Model Checking, although complete in theory, has been thus far limited in practice to falsification of properties that were not invariants. In this paper we propose a termination criterion for all of LTL, and we show its effectiveness through experiments. Our approach is based on converting the LTL formula to a Büchi automaton so as to reduce model checking to the verification of a fairness constraint. This reduction leads to one termination criterion that applies to all formulae. We also discuss cases for which a dedicated termination test improves bounded model checking efficiency. 1