Combining partial order reductions with on-the-fly modelchecking (1994)

by D Peled
Venue:LNCS

Results 1 - 10 of 124

Compositional Model Checking

by E. M. Clarke, D. E. Long, K. L. McMillan , 1999
Abstract - Cited by 2028 (60 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.

KISS: Keep It Simple and Sequential

by Shaz Qadeer, Dinghao Wu - PLDI 2004 , 2004
Abstract - Cited by 83 (5 self)
The design of concurrent programs is error-prone due to the interaction between concurrently executing threads. Traditional automated techniques for finding errors in concurrent programs, such as model checking, explore all possible thread interleavings. Since the number of thread interleavings increases exponentially with the number of threads, such analyses have high computational complexity. In this paper, we present a novel analysis technique for concurrent programs that avoids this exponential complexity. Our analysis transforms a concurrent program into a sequential program that simulates the execution of a large subset of the behaviors of the concurrent program. The sequential program is then analyzed by a tool that only needs to understand the semantics of sequential execution. Our technique never reports false errors but may miss errors. We have implemented the technique in KISS, an automated checker for multithreaded C programs, and obtained promising initial results by using KISS to detect race conditions in Windows device drivers.

The practitioner's guide to coloured Petri nets

by Lars M. Kristensen, Søren Christensen, Kurt Jensen - International Journal on Software Tools for Technology Transfer , 1998
Abstract - Cited by 68 (16 self)
Coloured Petri nets (CP-nets or CPNs) provide a framework for the design, specification, validation, and verification of systems. CP-nets have a wide range of application areas and many CPN projects have been carried out in industry, e.g., in the areas of communication protocols, operating systems, hardware designs, embedded systems, software system designs, and business process re-engineering. Design/CPN is a graphical computer tool supporting the practical use of CP-nets. The tool supports the construction, simulation, and functional and performance analysis of CPN models. The tool is used by more than four hundred organisations in forty different countries -- including one hundred commercial companies. It is available free of charge, also for commercial use. This paper provides a comprehensive road map to the practical use of CP-nets and the Design/CPN tool. We give an informal introduction to the basic concepts and ideas underlying CP-nets. The key components and facilities of the Design/CPN tool are presented and their use illustrated. The paper is self-contained and does not assume any prior knowledge of Petri nets and CP-nets nor any experience with the Design/CPN tool.

Athena: a new efficient automatic checker for security protocol analysis

by Dawn Xiaodong Song - In Proceedings of the Twelfth IEEE Computer Security Foundations Workshop , 1999
Abstract - Cited by 67 (1 self)
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating well-formed formulae in this logic. For a well-formed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence reduce the state space explored and increase the likelihood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.

On Nested Depth First Search

by G. J. Holzmann, D. Peled, M. Yannakakis - DIMACS SERIES IN DISCRETE MATHEMATICS
Abstract - Cited by 59 (8 self)
We show in this paper that the algorithm for solving the model checking problem with a nested depth-first search can interfere with algorithms that support partial order reduction. We introduce a revised version of the algorithm that guarantees compatibility. The change also improves the performance of the nested depth-first search algorithm when partial order reduction is not used.

Athena: a novel approach to efficient automatic security protocol analysis

by Dawn Song, Sergey Berezin, Adrian Perrig - Journal of Computer Security , 2001
Abstract - Cited by 59 (3 self)

The state of spin

by Gerard J. Holzmann, Doron Peled - In Alur and Henzinger , 1996
Abstract - Cited by 52 (2 self)
The number of installations of the Spin model checking tool is steadily increasing. There are well over two thousand installations today, divided roughly evenly over academic and industrial sites. The tool itself also continues to evolve: it has more than doubled in size, and hopefully at least equally so in functionality, since it was first distributed in early 1991. The tool runs on most standard workstations, and starting with version 2.8 also on standard PCs. In this overview, we summarize the design principles of the tool, and review its current state.

A Partial Order Approach to Branching Time Logic Model Checking

by Rob Gerth, Ruurd Kuiper, Doron Peled, Wojciech Penczek - Information and Computation , 1994
Abstract - Cited by 47 (12 self)
Partial order techniques enable reducing the size of the state graph used for model checking, thus alleviating the 'state space explosion' problem. These reductions are based on selecting a subset of the enabled operations from each program state. So far, these methods have been studied, implemented and demonstrated for assertional languages that model the executions of a program as computation sequences, in particular the logic LTL (linear temporal logic). The present paper shows, for the first time, how this approach can be applied to languages that model the behavior of a program as a tree. We study here partial order reductions for branching temporal logics, e.g., the logics CTL and CTL (all logics with the next-time operator removed) and process algebras such as CCS. Conditions on the subset of successors from each node to guarantee reduction that preserves CTL properties are given. Provided experimental results show that the reduction is substantial.

Verifying Security Protocols with Brutus

by E. M. Clarke, S. Jha, W. Marrero , 2000
Abstract - Cited by 46 (3 self)
In this article we present BRUTUS, a tool for verifying properties of security protocols. This tool can be viewed as a special-purpose model checker for security protocols. We also present reduction techniques that make the tool efficient. Experimental results are provided to demonstrate the efficiency of BRUTUS.

Verifying Atomicity Specifications for Concurrent Object-Oriented Software using Model-Checking

by John Hatcliff, Robby, Matthew B. Dwyer - In Proceedings of the International Conference on Verification, Model Checking and Abstract Interpretation , 2003
Abstract - Cited by 44 (5 self)
In recent work, Flanagan and Qadeer proposed atomicity declarations as a light-weight mechanism for specifying non-interference properties in concurrent programming languages such as Java, and they provided a type and effect system to verify atomicity properties. While verification of atomicity specifications via a static type system has several advantages (scalability, compositional checking), we show that verification via model-checking also has several advantages (fewer unchecked annotations, greater coverage of Java idioms, stronger verification). In particular, we show that by adapting the Bogor model-checker, we naturally address several properties that are difficult to check with a static type system.
Developed at and hosted by The College of Information Sciences and Technology

© 2007-2010 The Pennsylvania State University