Well-Structured Transition Systems Everywhere!
Theoretical Computer Science, 1998
Cited by 197 (9 self)
Abstract
Well-structured transition systems (WSTS's) are a general class of infinite-state systems for which decidability results rely on the existence of a well-quasi-ordering between states that is compatible with the transitions. In this article, we provide an extensive treatment of the WSTS idea and show several new results. Our improved definitions allow many examples of classical systems to be seen as instances of WSTS's.
Forward Analysis for WSTS, Part I: Completions
2009
Cited by 14 (8 self)
Abstract
Well-structured transition systems provide the right foundation to compute a finite basis of the set of predecessors of the upward closure of a state. The dual problem, to compute a finite representation of the set of successors of the downward closure of a state, is harder: until now, the theoretical framework for manipulating downward-closed sets was missing. We answer this problem, using insights from domain theory (dcpos and ideal completions) and from topology (sobrifications), and shed new light on the notion of adequate domains of limits.
Omega-regular model checking
In Proc. 10th TACAS, LNCS, 2004
Cited by 11 (3 self)
Abstract
Checking infinite-state systems is frequently done by encoding infinite sets of states as regular languages. Computing such a regular representation of, say, the set of reachable states of a system requires acceleration techniques that can finitely compute the effect of an unbounded number of transitions. Among the acceleration techniques that have been proposed, one finds both specific and generic techniques. Specific techniques exploit the particular type of system being analyzed, e.g. a system manipulating queues or integers, whereas generic techniques only assume that the transition relation is represented by a finite-state transducer, which has to be iterated. In this paper, we investigate the possibility of using generic techniques in cases where only specific techniques have been exploited so far. Finding that existing generic techniques are often not applicable in cases easily handled by specific techniques, we have developed a new approach to iterating transducers. This new approach builds on earlier work, but exploits a number of new conceptual and algorithmic ideas, often induced with the help of experiments, that give it a broad scope, as well as good performance.
Handling Parameterized Systems with Non-Atomic Global Conditions
Cited by 11 (8 self)
Abstract
We consider verification of safety properties for parameterized systems with linear topologies. A process in the system is an extended automaton, where the transitions are guarded by both local and global conditions. The global conditions are non-atomic, i.e., a process allows arbitrary interleavings with other transitions while checking the states of all (or some) of the other processes. We translate the problem into model checking of infinite transition systems where each configuration is a labeled finite graph. We derive an over-approximation of the induced transition system, which leads to a symbolic scheme for analyzing safety properties. We have implemented a prototype and run it on several non-trivial case studies, namely non-atomic versions of Burns' protocol, Dijkstra's protocol, the Bakery algorithm, Lamport's distributed mutual exclusion protocol, and a two-phase commit protocol used for handling transactions in distributed systems. As far as we know, these protocols have not previously been verified in a fully automated framework.
On Noetherian Spaces
Cited by 10 (5 self)
Abstract
A topological space is Noetherian iff every open is compact. Our starting point is that this notion generalizes that of well-quasi-order, in the sense that an Alexandroff-discrete space is Noetherian iff its specialization quasi-ordering is well. For more general spaces, this opens the way to verifying infinite transition systems based on non-well-quasi-ordered sets, but where the preimage operator satisfies an additional continuity assumption. The technical development rests heavily on techniques arising from topology and domain theory, including sobriety and the de Groot dual of a stably compact space. We show that the category Nthr of Noetherian spaces is finitely complete and finitely cocomplete. Finally, we note that if X is a Noetherian space, then the set of all (even infinite) subsets of X is again Noetherian, a result that fails for well-quasi-orders.
On the expressiveness of Mobile Synchronizing Petri Nets
SecCo'05, ENTCS, 2007
Cited by 10 (7 self)
Abstract
In recent papers we have introduced Mobile Synchronizing Petri Nets, a new model for mobility based on coloured Petri Nets. It allows the description of systems composed of a collection of (possibly mobile) hardware devices and mobile agents, both modelled in a homogeneous way and abstracting from middleware details. Our basic model introduced a colour to describe localities, but still lacked appropriate primitives to deal with security, and in fact it was equivalent to P/T nets. Then, we introduced the primitives to cope with security: a new colour for identifiers, basically corresponding to the natural numbers, that are created by means of a special transition. This mechanism allows us to deal with authentication issues. In this paper we discuss the expressiveness of the extended model with the authentication primitives. More specifically, we study several instances of the classical reachability and coverability problems. Finally, we also study a more abstract version of the mechanism to create identifiers, using abstract names, close to those in the π-calculus or the Ambient Calculus. We have proved that both models are strictly in between P/T nets and Turing machines.
Proving Liveness by Backwards Reachability
In CONCUR, LNCS, 2006
Cited by 8 (1 self)
Abstract
We present a new method for proving liveness and termination properties for fair concurrent programs, which does not rely on finding a ranking function or on computing the transitive closure of the transition relation. The set of states from which termination or some liveness property is guaranteed is computed by a backwards reachability analysis. A central technique for handling concurrency is a check for certain commutativity properties. The method is not complete. However, it can be seen as a complement to other methods for proving termination, in that it transforms a termination problem into a simpler one with a larger set of terminated states. We show the usefulness of our method by applying it to existing programs from the literature. We have also implemented it in the framework of Regular Model Checking, and used it to automatically verify non-starvation for parameterized algorithms.
Forward analysis for WSTS, part II: Complete WSTS
In ICALP'09, volume 5556 of LNCS, 2009
Cited by 8 (5 self)
Abstract
We describe a simple, conceptual forward analysis procedure for ∞-complete WSTS S. This computes the clover of a state s0, i.e., a finite description of the closure of the cover of s0. When S is the completion of a WSTS X, the clover in S is a finite description of the cover in X. We show that this applies exactly when X is an ω²-WSTS, a new robust class of WSTS. We show that our procedure terminates in more cases than the generalized Karp-Miller procedure on extensions of Petri nets. We characterize the WSTS where our procedure terminates as those that are clover-flattable. Finally, we apply this to well-structured counter systems.
Graph Grammar Modeling and Verification of Ad Hoc Routing Protocols (Extended Version)
Cited by 7 (0 self)
Abstract
We present a technique for modeling and automatic verification of network protocols, based on graph transformation. It is suitable for protocols with a potentially unbounded number of nodes, in which the structure and topology of the network is a central aspect, such as routing protocols for ad hoc networks. Safety properties are specified as a set of undesirable global configurations. We verify that no undesirable configuration is reachable from an initial configuration, by means of symbolic backward reachability analysis. In general, the reachability problem is undecidable. We implement the technique in a graph grammar analysis tool, and automatically verify several interesting non-trivial examples. Notably, we prove loop freedom for the DYMO ad hoc routing protocol. DYMO is currently on the IETF standards track, to potentially become an Internet standard.
Automatic verification of secrecy properties for linear logic specifications of cryptographic protocols
2003
Cited by 5 (1 self)
Abstract
In this paper we investigate the applicability of a bottom-up evaluation strategy for a first-order fragment of linear logic we introduced in [Bozzano et al., 2002b] for the purposes of automated verification of secrecy in cryptographic protocols. Following [Cervesato et al., 1999], we use multi-conclusion clauses to represent the behaviour of agents in a protocol session, and we adopt the Dolev-Yao intruder model. In addition, universal quantification provides a formal and declarative way to express creation of nonces. Our approach is well suited to verify properties which can be specified by means of minimal conditions. Unlike traditional approaches based on model checking, we can reason about parametric, infinite-state systems, thus we do not pose any limitation on the number of parallel runs of a protocol. Furthermore, our approach can be used both to find attacks and to prove secrecy for a protocol. We apply our method to analyze several classical examples of authentication protocols. Among them we consider the ffgg protocol [Millen, 1999]. This protocol is a challenging case study in that it is free from sequential attacks, whereas it suffers from parallel attacks that occur only when at least two sessions are run in parallel. The other case studies are the Otway-Rees protocol and several formulations of the Needham-Schroeder protocol.