Results 1  10
of
29
Branching Time and Abstraction in Bisimulation Semantics
 Journal of the ACM
, 1996
"... Abstract. In comparative concurrency semantics, one usually distinguishes between linear time and branching time semantic equivalences. Milner’s notion of ohsen~ation equirlalence is often mentioned as the standard example of a branching time equivalence. In this paper we investigate whether observa ..."
Abstract

Cited by 249 (14 self)
 Add to MetaCart
Abstract. In comparative concurrency semantics, one usually distinguishes between linear time and branching time semantic equivalences. Milner’s notion of ohsen~ation equirlalence is often mentioned as the standard example of a branching time equivalence. In this paper we investigate whether observation equivalence really does respect the branching structure of processes, and find that in the presence of the unobservable action 7 of CCS this is not the case. Therefore, the notion of branching hisimulation equivalence is introduced which strongly preserves the branching structure of processes, in the sense that it preserves computations together with the potentials in all intermediate states that are passed through, even if silent moves are involved. On closed KSterms branching bisimulation congruence can be completely axiomatized by the single axiom scheme: a.(7.(y + z) + y) = a.(y + z) (where a ranges over all actions) and the usual laws for strong congruence. WC also establish that for sequential processes observation equivalence is not preserved under refinement of actions, whereas branching bisimulation is. For a large class of processes, it turns out that branching bisimulation and observation equivalence are the same. As far as we know, all protocols that have been verified in the setting of observation equivalence happen to fit in this class, and hence are also valid in the stronger setting of branching hisimulation equivalence.
WellStructured Transition Systems Everywhere!
 THEORETICAL COMPUTER SCIENCE
, 1998
"... Wellstructured transition systems (WSTS's) are a general class of infinite state systems for which decidability results rely on the existence of a wellquasiordering between states that is compatible with the transitions. In this article, we provide an extensive treatment of the WSTS idea and show ..."
Abstract

Cited by 197 (9 self)
 Add to MetaCart
Wellstructured transition systems (WSTS's) are a general class of infinite state systems for which decidability results rely on the existence of a wellquasiordering between states that is compatible with the transitions. In this article, we provide an extensive treatment of the WSTS idea and show several new results. Our improved definitions allow many examples of classical systems to be seen as instances of WSTS's.
Verifying Programs with Unreliable Channels (Extended Abstract)
 Information and Computation
, 1992
"... The research on algorithmic verification methods for concurrent and parallel systems has mostly focussed on finitestate systems, with applications in e.g. communication protocols and hardware systems. For infinitestate systems, e.g. systems that operate on data from unbounded domains, algorithmic ..."
Abstract

Cited by 176 (35 self)
 Add to MetaCart
The research on algorithmic verification methods for concurrent and parallel systems has mostly focussed on finitestate systems, with applications in e.g. communication protocols and hardware systems. For infinitestate systems, e.g. systems that operate on data from unbounded domains, algorithmic verification is more difficult, since most verification problems are in general undecidable. In this paper, we consider the verification of a particular class of infinitestate systems, namely systems consisting of finitestate processes that communicate via unbounded lossy FIFO channels. This class is able to model e.g. link protocols such as the Alternating Bit Protocol and HDLC. The unboundedness of the channels makes these systems infinitestate. For this class of systems, we show that several interesting verification problems are decidable by giving algorithms for verifying the following classes of properties.
General Decidability Theorems for InfiniteState Systems
, 1996
"... ) Parosh Aziz Abdulla Uppsala University K¯arlis Cer¯ans University of Latvia Bengt Jonsson Uppsala University YihKuen Tsay National Taiwan University Abstract Over the last few years there has been an increasing research effort directed towards the automatic verification of infinite state sys ..."
Abstract

Cited by 107 (13 self)
 Add to MetaCart
) Parosh Aziz Abdulla Uppsala University K¯arlis Cer¯ans University of Latvia Bengt Jonsson Uppsala University YihKuen Tsay National Taiwan University Abstract Over the last few years there has been an increasing research effort directed towards the automatic verification of infinite state systems. For different classes of such systems (e.g., hybrid automata, dataindependent systems, relational automata, Petri nets, and lossy channel systems) this research has resulted in numerous highly nontrivial algorithms. As the interest in this area increases, it will be important to extract common principles that underly these and related results. This paper is concerned with identifying general mathematical structures which could serve as sufficient conditions for achieving decidability. We present decidability results for systems which consist of a finite control part operating on an infinite data domain. The data domain is equipped with a wellordered and wellfounded preorder such tha...
The concurrency workbench: A semantics based tool for the verification of concurrent systems
 In Proceedings of the Workshop on Automatic Verification Methods for Finite State Machines
, 1991
"... Abstract The Concurrency Workbench is an automated tool for analyzing networks of finitestate processes expressed in Milner's Calculus of Communicating Systems. Its key feature is its breadth: a variety of different verification methods, including equivalence checking, preorder checking, and model ..."
Abstract

Cited by 102 (3 self)
 Add to MetaCart
Abstract The Concurrency Workbench is an automated tool for analyzing networks of finitestate processes expressed in Milner's Calculus of Communicating Systems. Its key feature is its breadth: a variety of different verification methods, including equivalence checking, preorder checking, and model checking, are supported for several different process semantics. One experience from our work is that a large number of interesting verification methods can be formulated as combinations of a small number of primitive algorithms. The Workbench has been applied to the verification of communications protocols and mutual exclusion algorithms and has proven a valuable aid in teaching and research. 1 Introduction This paper describes the Concurrency Workbench [11, 12, 13], a tool that supports the automatic verification of finitestate processes. Such tools are practically motivated: the development of complex distributed computer systems requires sophisticated verification techniques to guarantee correctness, and the increase in detail rapidly becomes unmanageable without computer assistance. Finitestate systems, such as communications protocols and hardware, are particularly suitable for automated analysis because their finitary nature ensures the existence of decision procedures for a wide range of system properties.
Verification of Control Flow Based Security Properties
, 1998
"... A fundamental problem in softwarebased security is whether local security checks inserted into the code are sufficient to implement a global security property. We introduce a formalism based on a twolevel lineartime temporal logic for specifying global security properties pertaining to the contro ..."
Abstract

Cited by 71 (5 self)
 Add to MetaCart
A fundamental problem in softwarebased security is whether local security checks inserted into the code are sufficient to implement a global security property. We introduce a formalism based on a twolevel lineartime temporal logic for specifying global security properties pertaining to the controlflow of the program, and illustrate its expressive power with a number of existing properties. We define a minimalistic, securitydedicated program model that only contains procedure call and runtime security checks and propose an automatic method for verifying that an implementation using local security checks satisfies a global security property. For a given formula in the temporal logic we prove that there exists a bound on the size of the states that have to be considered in order to assure the validity of the formula: this reduces the problem to finitestate model checking. Finally, we instantiate the framework to the security architecture proposed for Java (JDK 1.2).
Model Checking Mobile Processes
, 1993
"... We introduce a temporal logic for the polyadic ßcalculus based on fixed point extensions of HennessyMilner logic. Features are added to account for parametrisation, generation, and passing of names, including the use, following Milner, of dependent sum and product to account for (unlocalised) inpu ..."
Abstract

Cited by 63 (11 self)
 Add to MetaCart
We introduce a temporal logic for the polyadic ßcalculus based on fixed point extensions of HennessyMilner logic. Features are added to account for parametrisation, generation, and passing of names, including the use, following Milner, of dependent sum and product to account for (unlocalised) input and output, and explicit parametrisation on names using lambdaabstraction and application. The latter provides a single name binding mechanism supporting all parametrisation needed. A proof system and decision procedure is developed based on Stirling and Walker's approach to model checking the modal ¯calculus using constants. One difficulty, for both conceptual and efficiencybased reasons, is to avoid the explicit use of the !rule for parametrised processes. A key idea, following Hennessy and Lin's approach to deciding bisimulation for certain types of valuepassing processes, is the relativisation of correctness assertions to conditions on names. Based on this idea a proof system and ...
Undecidable Verification Problems for Programs with Unreliable Channels
 Information and Computation
, 1994
"... We consider the verification of a particular class of infinitestate systems, namely systems consisting of finitestate processes that communicate via unbounded lossy FIFO channels. This class is able to model e.g. link protocols such as the Alternating Bit Protocol and HDLC. In an earlier paper, we ..."
Abstract

Cited by 58 (11 self)
 Add to MetaCart
We consider the verification of a particular class of infinitestate systems, namely systems consisting of finitestate processes that communicate via unbounded lossy FIFO channels. This class is able to model e.g. link protocols such as the Alternating Bit Protocol and HDLC. In an earlier paper, we showed that the problems of checking reachability, safety properties, and eventuality properties are decidable for this class of systems. In this paper, we show that the following problems are undecidable, namely ffl The model checking problem in propositional temporal logics such as Propositional Linear Time Temporal Logic (PTL) and Computation Tree Logic (CTL). ffl The problem of deciding eventuality properties with fair channels: do all computations eventually reach a given set of states if the unreliable channels satisfy fairness assumptions. The results are obtained through a reduction from a variant of Post's Correspondence Problem. This research report is a revised and extended ...
Model checking security properties of control flow graphs
 Journal of Computer Security
"... graphs ..."
Algebraic Theories for NamePassing Calculi
, 1996
"... In a theory of processes the names are atomic data items which can be exchanged and tested for identity. A wellknown example of a calculus for namepassing is the πcalculus, where names additionally are used as communication ports. We provide complete axiomatisations of late and early bisimulation ..."
Abstract

Cited by 41 (10 self)
 Add to MetaCart
In a theory of processes the names are atomic data items which can be exchanged and tested for identity. A wellknown example of a calculus for namepassing is the πcalculus, where names additionally are used as communication ports. We provide complete axiomatisations of late and early bisimulation equivalences in such calculi. Since neither of the equivalences is a congruence we also axiomatise the corresponding largest congruences. We consider a few variations of the signature of the language; among these, a calculus of deterministic processes which is reminiscent of sequential functional programs with a conditional construct. Most of our axioms are shown to be independent. The axiom systems differ only by a few simple axioms and reveal the similarities and the symmetries of the calculi and the equivalences.