Results 1-10 of 64
Alternating-time Temporal Logic
Journal of the ACM, 1997
Cited by 448 (47 self)
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.
MOCHA: Modularity in Model Checking
1998
Cited by 158 (20 self)
In this paper, we describe the toolkit MOCHA in which the proposed approach is being implemented. The input language of MOCHA is a machine-readable variant of reactive modules. The following functionalities are currently being supported:
Verifying aspect advice modularly
In FSE '04
Cited by 45 (1 self)
Aspect-oriented programming has become an increasingly important means of expressing crosscutting program abstractions. Despite this, aspects lack support for computer-aided verification. We present a technique for verifying aspect-oriented programs (expressed as state machines). Our technique assumes that the set of pointcut designators is known statically, but that the actual advice can vary. This calls for a modular technique that does not require repeated analysis of the entire system every time a developer changes advice. We present such an analysis, addressing several subtleties that arise. We also present an important optimization for handling multiple pointcut designators. We have implemented a prototype verifier and applied it to some simple but interesting cases.
The Common Fragment of CTL and LTL
In IEEE Symposium on Foundations of Computer Science, 2000
Cited by 40 (1 self)
It is well-known that CTL and LTL have incomparable expressive power. In this paper, we give an inductive definition of those ACTL formulas that can be expressed in LTL. In addition, we obtain a procedure to decide whether an ACTL formula lies in LTL, and show that this problem is PSPACE-complete. By omitting path quantifiers, we get an inductive definition of the LTL formulas expressible in ACTL. We can show that the fragment defined by our logic represents exactly those LTL formulas the negation of which can be represented by a 1-weak Büchi automaton, and that for this fragment the representing automaton can be chosen to be of size linear in the size of the formula.
Concurrent Omega-Regular Games
2000
Cited by 33 (10 self)
We consider two-player games which are played on a finite state space for an infinite number of rounds. The games are concurrent, that is, in each round, the two players choose their moves independently and simultaneously; the current state and the two moves determine a successor state. We consider omega-regular winning conditions on the resulting infinite state sequence. To model the independent choice of moves, both players are allowed to use randomization for selecting their moves. This gives rise to the following qualitative modes of winning, which can be studied without numerical considerations concerning probabilities: sure-win (player 1 can ensure winning with certainty), almost-sure-win (player 1 can ensure winning with probability 1), limit-win (player 1 can ensure winning with probability arbitrarily close to 1), bounded-win (player 1 can ensure winning with probability bounded away from 0), positive-win (player 1 can ensure winning with positive probability), and exist-win (player 1 can ensure that at least one possible outcome of the game satisfies the winning condition). We provide algorithms for computing the sets of winning states for each of these winning modes. In particular, we solve concurrent Rabin-chain games in n^{O(m)} time, where n is the size of the game structure and m is the number of pairs in the Rabin-chain condition. While this complexity is in line with traditional turn-based games, where in each state only one of the two players has a choice of moves, our algorithms are considerably more involved than those for turn-based games. This is because concurrent games violate two of the most fundamental properties of turn-based games. First, concurrent games are not determined, but rather exhibit a more general duality property which involves multiple modes of winning. Second, winning strategies for concurrent games may require infinite memory.
Verifying Cross-Cutting Features as Open Systems
2002
Cited by 31 (1 self)
Feature-oriented software designs capture many interesting notions of crosscutting, and offer a powerful method for building product-line architectures. Each crosscutting feature is an independent module that fundamentally yields an open system from a verification perspective. We describe desiderata for verifying such modules through model checking and find that existing work on the verification of open systems fails to address most of the concerns that arise from feature-oriented systems. We therefore provide a new methodology for verifying such systems. To validate this new methodology, we have implemented it and applied it to a suite of modules that exhibit feature interaction problems. Our model checker was able to automatically locate ten problems previously found through a laborious simulation-based effort.
Module checking revisited
In Proc. 9th CAV, LNCS 1254, 1997
Cited by 30 (6 self)
When we verify the correctness of an open system with respect to a desired requirement, we should take into consideration the different environments with which the system may interact. Each environment induces a different behavior of the system, and we want all these behaviors to satisfy the requirement. Module checking is an algorithmic method that checks, given an open system (modeled as a finite structure) and a desired requirement (specified by a temporal-logic formula), whether the open system satisfies the requirement with respect to all environments. In this paper we extend the module-checking method with respect to two orthogonal issues. Both issues concern the fact that often we are not interested in satisfaction of the requirement with respect to all environments, but only with respect to those that meet some restriction. We consider the case where the environment has incomplete information about the system, i.e., when the system has internal variables which are not readable by its environment, and the case where some assumptions are known about the environment, i.e., when the system is guaranteed to satisfy the requirement only when its environment satisfies certain assumptions. We study the complexities of the extended module-checking problems. In particular, we show that for universal temporal logics (e.g., LTL, ∀CTL, and ∀CTL*), module checking with incomplete information coincides with module checking, which by itself coincides with model checking. On the other hand, for non-universal temporal logics (e.g., CTL and CTL*), module checking with incomplete information is harder than module checking, which is by itself harder than model checking.
Open Systems in Reactive Environments: Control and Synthesis
2000
Cited by 27 (5 self)
We study the problems of synthesizing open systems as well as controllers for open systems. We deal with specifications given as formulas of the branching temporal logic CTL* and its sublogic CTL. A key aspect of our work is that we deal with reactive environments. These are environments that can disable some of their responses along the interaction with the system.
Analysis of security protocols as open systems
Theoretical Computer Science, 2003
Cited by 26 (13 self)
We propose a methodology for the formal analysis of security protocols. This originates from the observation that the verification of security protocols can be conveniently treated as the verification of open systems, i.e., systems which may have unspecified components. These might be used to represent a hostile environment wherein the protocol runs and whose behavior cannot be predicted a priori. We define a language for the description of security protocols, namely CryptoCCS, and a logical language for expressing their properties. We provide an effective verification method for security protocols which is based on a suitable extension of partial model checking. Indeed, we obtain a decidability result for the secrecy analysis of protocols with a finite number of sessions, bounded message size and new nonce generation.
Distributed Controller Synthesis for Local Specifications
2001
Cited by 23 (3 self)
We consider the problem of synthesizing distributed controllers for reactive systems against local specifications. We show that a larger class of architectures becomes decidable in comparison to the analogous problem for global specifications. We identify the exact class of architectures for which the problem is decidable. Our results also show the decidability of a related realizability problem for local specifications.