## Cones and Foci for Protocol Verification Revisited (2003)

Venue: In Proc. 6th Conference on Foundations of Software Science and Computation Structures, LNCS 2620

Citations: 9 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Fokkink03conesand,
  author    = {Wan Fokkink and Jun Pang},
  title     = {Cones and Foci for Protocol Verification Revisited},
  booktitle = {In Proc. 6th Conference on Foundations of Software Science and Computation Structures, LNCS 2620},
  year      = {2003},
  pages     = {267--281},
  publisher = {Springer}
}
```

### Abstract

We define a cones and foci proof method, which rephrases the question whether two system specifications are branching bisimilar in terms of proof obligations on relations between data objects. Compared to the original cones and foci method from Groote and Springintveld [22], our method is more generally applicable, and does not require a preprocessing step to eliminate τ-loops. We prove soundness of our approach and give an application.

### Citations

- **Chandy, Misra (1988).** Parallel Program Design: A Foundation. [738 citations]
  Context: ...urrounding cones and foci incorporates well-known and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and simulation [14]. Van der Zwaag [36] gave an adaptation of the cones and foci method f...

- **Lynch, Tuttle (1987).** Hierarchical correctness proofs for distributed algorithms. [366 citations]
  Context: ...el with respect to an underlying simulation notion (e.g., [9, 17, 30]). The methodology surrounding cones and foci incorporates well-known and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and s...

- **Glabbeek, Weijland (1996).** Branching Time and Abstraction in Bisimulation Semantics. [255 citations]
  Context: ...A labeled transition system is associated to each µCRL specification. Two µCRL specifications are considered equivalent if the initial states of their labeled transition systems are branching bisimilar [GW96]. Verification of system correctness boils down to checking whether the implementation of a system (with all internal activity hidden) is branching bisimilar to the specification of the desired extern...

- **Bergstra, Klop (1985).** Algebra of communicating processes with abstraction, Theoretical Computer Science 37. [217 citations]
  Context: ...over possibly infinite data domains. Internal activity of a process can be hidden by a hiding operator τI, which renames all internal actions (i.e., the actions in the set I) into the hidden action τ [5]. A labeled transition system is associated to each µCRL specification. Two µCRL specifications are considered equivalent if the initial states of their labeled transition systems are branching bisimi...

- **Necula (2000).** Translation validation for an optimizing compiler. [176 citations]
  Context: ... we can take these τ-loops in our stride. Related Work In compiler correctness, advances have been made to validate programs at a symbolic level with respect to an underlying simulation notion (e.g., [9, 17, 30]). The methodology surrounding cones and foci incorporates well-known and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemb...

- **Pnueli, Siegel, et al. (1998).** Translation validation. [140 citations]
  Context: ...ation [25, 28], invariants and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and simulation [14]. Van der Zwaag [36] gave an adaptation of the cones and foci method from [22] to a timed setting, modulo timed branching bisimulation equivalence. We leave it as an open question ...

- **Lynch, Vaandrager (1995).** Forward and backward simulations. Part I: untimed systems. [134 citations]
  Context: ...ation [25, 28], invariants and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and simulation [14]. Van der Zwaag [36] gave an adaptation of the cones and foci method from [22] to a timed setting, modulo timed branching bisimulation equivalence. We leave it as an open question ...

- **Groote, Ponse (1994).** The syntax and semantics of µCRL. [97 citations]
  Context: ... CES5008: Improving the quality of embedded systems using formal design and systematic testing. 1. Introduction In order to make data a first class citizen in the study of processes, the language µCRL [GP95] combines the process algebra ACP [BW90] with equational abstract data types [LEW96]. Processes are intertwined with data: Actions and recursion variables are parametrized by data types; an if-then-els...

- **Baeten, Weijland (1990).** Process Algebra, volume 18 of Cambridge Tracts. [91 citations]
  Context: ... prove soundness of our approach and give an application. 1 Introduction In order to make data a first class citizen in the study of processes, the language µCRL [21] combines the process algebra ACP [3] with equational abstract data types [27]. Processes are intertwined with data: Actions and recursion variables are parametrized by data types; an if-then-else construct allows data objects to influen...

- **Groote, Ponse (1990).** The syntax and semantics of µCRL. [86 citations]
  Context: ...ocessing step to eliminate τ-loops. We prove soundness of our approach and give an application. 1 Introduction In order to make data a first class citizen in the study of processes, the language µCRL [21] combines the process algebra ACP [3] with equational abstract data types [27]. Processes are intertwined with data: Actions and recursion variables are parametrized by data types; an if-then-else con...

- **Fernandez, Garavel, et al. (1996).** CADP - a protocol validation and verification toolbox. [77 citations]
  Context: ...neration of labeled transition systems, together with reduction modulo branching bisimulation equivalence, and allows model checking of temporal logic formulas [10] via a back-end to the CADP toolset [12]. This approach to verify system correctness has three important drawbacks. First, the labeled transition systems of the µCRL specifications involved must be ...

- **Ehrich, Loeckx, et al. (1996).** Specification of Abstract Data Types. [74 citations]
  Context: ...tic testing. 1. Introduction In order to make data a first class citizen in the study of processes, the language µCRL [GP95] combines the process algebra ACP [BW90] with equational abstract data types [LEW96]. Processes are intertwined with data: Actions and recursion variables are parametrized by data types; an if-then-else construct allows data objects to influence the course of a process; and alternativ...

- **Groote, Vaandrager (1990).** An Efficient Algorithm for Branching Bisimulation and Stuttering Equivalence. [61 citations]

- **Bezem, Groote (1994).** Invariants in process algebra with data. [47 citations]
  Context: ...oint F; this is essential for soundness of the cones and foci method, as otherwise internal actions in the cone would not be inert. [figure legend: External actions, Internal actions] Linear process equations [6] constitute a restricted class of µCRL specifications in some kind of linear format. Algorithms have been developed to transform µCRL specifications into this linear format [19, 24, 35]. In a linear p...

- **Courcelle (1990).** Recursive applicative program schemes, in. [41 citations]
  Context: ...own and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and simulation [14]. Van der Zwaag [36] gave an adaptation of the cones and foci method from [22] to a timed setting, modulo timed branc...

- **Baeten, Bergstra, et al. (1987).** On the consistency of Koomen’s fair abstraction rule. [40 citations]
  Context: ...progressing and non-progressing ones, and only progressing τ’s are abstracted away; in many cases it is far from trivial to define the proper pre-abstraction. Finally, a special fair abstraction rule [2] can be used to try and eliminate the remaining (non-progressing) τ’s. In this paper, we propose an adaptation of the cones and foci method, in which the cumbersome treatment of infinite sequences of ...

- **Groote, Springintveld (2001).** Focus points and convergent process operators: A proof strategy for protocol verification. [39 citations]
  Context: ...whether two system specifications are branching bisimilar in terms of proof obligations on relations between data objects. Compared to the original cones and foci method from Groote and Springintveld [GS01], our method is more generally applicable, and does not require a preprocessing step to eliminate τ-loops. We prove soundness of our approach and give an application. 2000 Mathematics Subject Classif...

- **Blom, Fokkink, et al.** µCRL: A toolset for analysing algebraic specifications. [35 citations]
  Context: ...en) is branching bisimilar to the specification of the desired external behavior of the system. Checking whether two states are branching bisimilar can be performed efficiently [23]. The µCRL toolset [7] supports the generation of labeled transition systems, together with reduction modulo branching bisimulation equivalence, and allows model checking of temporal logic formulas [10] via a back-end to t...

- **Basten (1996).** Branching bisimilarity is an equivalence indeed. [33 citations]
  Context: ...f µCRL specifications, and Lab consists of actions from Act ∪ {τ} parametrized by data. We define branching bisimilarity [16] between states in LTSs. Branching bisimulation is an equivalence relation [4]. Definition 2 (Branching bisimulation). Assume an LTS. A symmetric binary relation B on states is a branching bisimulation if s B t and s -ℓ-> s′ implies: - either ℓ = τ and s′ B t; - or there is a se...

- **Jonsson (1987).** Compositional Verification of Distributed Systems. [30 citations]
  Context: ...el with respect to an underlying simulation notion (e.g., [9, 17, 30]). The methodology surrounding cones and foci incorporates well-known and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and s...

- **Groote, Ponse, et al. (2001).** Linearization in parallel pCRL. [21 citations]
  Context: ...inear process equations [6] constitute a restricted class of µCRL specifications in some kind of linear format. Algorithms have been developed to transform µCRL specifications into this linear format [19, 24, 35]. In a linear process equation, the states of the associated labeled transition system are data objects. Assume that the implementation of a system and its desired external behavior are both given in ...

- **Fredlund, Groote, et al. (1997).** Formal verification of a leader election protocol in process algebra. [20 citations]
  Context: ...eral with the help of invariants (i.e., properties of the reachable states) that are proved separately. This method was used in the verification of a considerable number of real-life protocols (e.g., [15, 20, 34]), often with the support of a theorem prover or proof checker. The main idea of this method is that quite often in the implementation of a system, internal actions progress inertly towards a state in...

- **Koymans, Mulder (1990).** A modular approach to protocol verification using process algebra. [20 citations]
  Context: ...t having to resort to a fair abstraction rule. We prove that our method is sound modulo branching bisimulation equivalence. Furthermore, we apply our method to the Concurrent Alternating Bit Protocol [KM90], which served as the main example in [GS01]. While the old cones and foci method required a typical cumbersome treatment of τ-loops, here we can take these τ-loops in our stride. Related Work In comp...

- **Shankland, van der Zwaag (1998).** The tree identify protocol of. [20 citations]
  Context: ...eral with the help of invariants (i.e., properties of the reachable states) that are proved separately. This method was used in the verification of a considerable number of real-life protocols (e.g., [15, 20, 34]), often with the support of a theorem prover or proof checker. The main idea of this method is that quite often in the implementation of a system, internal actions progress inertly towards a state in...

- **Groote, Pang, et al. (2003).** Analysis of a distributed system for lifting trucks. [18 citations]
  Context: ...with reduction modulo branching bisimulation equivalence and model checking of temporal logic formulas. This approach has been used to analyze a wide range of protocols and distributed systems (e.g., [1, 18, 31, 33]). In this paper we focus on analyzing protocols and distributed systems on the level of their symbolic specifications. 2.3 Linear process equations A linear process equation (LPE) is a one-line µCRL ...

- **Cimatti, Giunchiglia, et al. (1997).** A Provably Correct Embedded Verifier for the Certification of Safety Critical Software. [14 citations]
  Context: ... we can take these τ-loops in our stride. Related Work In compiler correctness, advances have been made to validate programs at a symbolic level with respect to an underlying simulation notion (e.g., [9, 17, 30]). The methodology surrounding cones and foci incorporates well-known and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemb...

- **Groote, Monin, van de Pol (1998).** Checking verifications of protocols and distributed systems by computer. [13 citations]
  Context: ...eral with the help of invariants (i.e., properties of the reachable states) that are proved separately. This method was used in the verification of a considerable number of real-life protocols (e.g., [15, 20, 34]), often with the support of a theorem prover or proof checker. The main idea of this method is that quite often in the implementation of a system, internal actions progress inertly towards a state in...

- **Groote, Wamel (2001).** The parallel composition of uniform processes with data, Theoretical Computer Science 266. [12 citations]
  Context: ...inear process equations [6] constitute a restricted class of µCRL specifications in some kind of linear format. Algorithms have been developed to transform µCRL specifications into this linear format [19, 24, 35]. In a linear process equation, the states of the associated labeled transition system are data objects. Assume that the implementation of a system and its desired external behavior are both given in ...

- **Goerigk, Simon (1999).** Towards rigorous compiler implementation verification. [10 citations]
  Context: ... we can take these τ-loops in our stride. Related Work In compiler correctness, advances have been made to validate programs at a symbolic level with respect to an underlying simulation notion (e.g., [9, 17, 30]). The methodology surrounding cones and foci incorporates well-known and useful concepts such as the precondition/effect notation [25, 28], invariants and simulations. Linear process equations resemb...

- **Pang (2002).** Analysis of a security protocol in µCRL. [10 citations]
  Context: ...with reduction modulo branching bisimulation equivalence and model checking of temporal logic formulas. This approach has been used to analyze a wide range of protocols and distributed systems (e.g., [1, 18, 31, 33]). In this paper we focus on analyzing protocols and distributed systems on the level of their symbolic specifications. 2.3 Linear process equations A linear process equation (LPE) is a one-line µCRL ...

- **Fokkink, van de Pol (1997).** Simulation as a correct transformation of rewrite systems. [9 citations]
  Context: ...lations. Linear process equations resemble the UNITY format [CM88] and recursive applicative program schemes [Cou90]; state mappings are comparable to refinement mappings [LV95, PSS98] and simulation [FP97]. Van der Zwaag [vdZ01] gave an adaptation of the cones and foci method from [GS01] to a timed setting, modulo timed branching bisimulation equivalence. We leave it as an open question whether our inn...

- **Arts, Langevelde (2001).** Correct performance of transaction capabilities. [9 citations]
  Context: ...with reduction modulo branching bisimulation equivalence and model checking of temporal logic formulas. This approach has been used to analyze a wide range of protocols and distributed systems (e.g., [1, 18, 31, 33]). In this paper we focus on analyzing protocols and distributed systems on the level of their symbolic specifications. 2.3 Linear process equations A linear process equation (LPE) is a one-line µCRL ...

- **Zwaag (2001).** The cones and foci proof technique for timed transition systems. Information Processing Letters, 80(1):33–40. [8 citations]
  Context: ...s equations resemble the UNITY format [CM88] and recursive applicative program schemes [Cou90]; state mappings are comparable to refinement mappings [LV95, PSS98] and simulation [FP97]. Van der Zwaag [vdZ01] gave an adaptation of the cones and foci method from [GS01] to a timed setting, modulo timed branching bisimulation equivalence. We leave it as an open question whether our innovations for the cones ...

- **Fokkink, Groote, et al. (2003).** Verifying a sliding window protocol in µCRL. [6 citations]
  Context: ...ch the cumbersome treatment of infinite sequences of τ-actions is no longer necessary. This improvement of the cones and foci method was conceived during the verification of a sliding window protocol [13], where the adaptation simplified matters considerably. As before, the method deals with linear process equations, requires the definition of a state mapping, and generates the same matching criteria....

- **Pol, Espada (2002).** Formal specification of JavaSpaces™ architecture using µCRL. [5 citations]

- **Usenko (2002).** Linearization of µCRL specifications (extended abstract). [5 citations]
  Context: ...inear process equations [6] constitute a restricted class of µCRL specifications in some kind of linear format. Algorithms have been developed to transform µCRL specifications into this linear format [19, 24, 35]. In a linear process equation, the states of the associated labeled transition system are data objects. Assume that the implementation of a system and its desired external behavior are both given in ...

- **Fokkink, Pol (1997).** Simulation as a correct transformation of rewrite systems. [4 citations]
  Context: ...ts and simulations. Linear process equations resemble the UNITY format [8] and recursive applicative program schemes [11]; state mappings are comparable to refinement mappings [29, 32] and simulation [14]. Van der Zwaag [36] gave an adaptation of the cones and foci method from [22] to a timed setting, modulo timed branching bisimulation equivalence. We leave it as an open question whether our innovati...

- **Blom, Fokkink, et al. (2001).** µCRL: A toolset for analysing algebraic specifications. [3 citations]

- **Groote, Vaandrager (1990).** An efficient algorithm for branching bisimulation and stuttering equivalence. [2 citations]

- **Fokkink, Groote, et al.** Verification of a sliding window protocol in µCRL. [1 citation]
  Context: ...ch the cumbersome treatment of infinite sequences of τ-actions is no longer necessary. This improvement of the cones and foci method was conceived during the verification of a sliding window protocol [FGP], where the adaptation simplified matters considerably. As before, the method deals with linear process equations, requires the definition of a state mapping, and generates the same matching criteria....

- **Pang (2002).** Analysis of a security protocol in µCRL. [1 citation]

- **Usenko (2002).** Linearization of µCRL specifications (extended abstract). [1 citation]
  Context: ...riples, describing when an action may happen and what is its effect on the vector of data parameters. Each µCRL specification that does not include successful termination can be transformed into an LPE [Use02]. Definition 2.3 (Linear process equation) A linear process equation is a µCRL specification of the form $X(d:D) = \sum_{a \in Act \cup \{\tau\}} \sum_{e:E} a(f_a(d,e)) \cdot X(g_a(d,e)) \lhd h_a(d,e) \rhd \delta$ where $f_a : D \times E \to D$, g ...