Results 1  10
of
266
Bandera: Extracting Finitestate Models from Java Source Code
 IN PROCEEDINGS OF THE 22ND INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING
, 2000
"... Finitestate verification techniques, such as model checking, have shown promise as a costeffective means for finding defects in hardware designs. To date, the application of these techniques to software has been hindered by several obstacles. Chief among these is the problem of constructing a fini ..."
Abstract

Cited by 648 (33 self)
 Add to MetaCart
Finitestate verification techniques, such as model checking, have shown promise as a costeffective means for finding defects in hardware designs. To date, the application of these techniques to software has been hindered by several obstacles. Chief among these is the problem of constructing a finitestate model that approximates the executable behavior of the software system of interest. Current bestpractice involves handconstruction of models which is expensive (prohibitive for all but the smallest systems), prone to errors (which can result in misleading verification results), and difficult to optimize (which is necessary to combat the exponential complexity of verification algorithms). In this paper, we describe an integrated collection of program analysis and transformation components, called Bandera, that enables the automatic extraction of safe, compact finitestate models from program source code. Bandera takes as input Java source code and generates a program model in the input language of one of several existing verification tools; Bandera also maps verifier outputs back to the original source code. We discuss the major components of Bandera and give an overview of how it can be used to model check correctness properties of Java programs.
Model Checking for Programming Languages using VeriSoft
 IN PROCEEDINGS OF THE 24TH ACM SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES
, 1997
"... Verification by statespace exploration, also often referred to as "model checking", is an effective method for analyzing the correctness of concurrent reactive systems (e.g., communication protocols). Unfortunately, existing modelchecking techniques are restricted to the verification of ..."
Abstract

Cited by 440 (14 self)
 Add to MetaCart
Verification by statespace exploration, also often referred to as "model checking", is an effective method for analyzing the correctness of concurrent reactive systems (e.g., communication protocols). Unfortunately, existing modelchecking techniques are restricted to the verification of properties of models, i.e., abstractions, of concurrent systems. In this paper, we discuss how model checking can be extended to deal directly with "actual" descriptions of concurrent systems, e.g., implementations of communication protocols written in programming languages such as C or C++. We then introduce a new search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary C code. As an example of application, we describe how VeriSoft successfully discovered an error in a 2500line C program controlling rob...
Formal Methods: State of the Art and Future Directions
 ACM Computing Surveys
, 1996
"... ing with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works, requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept, ACM Inc., 1515 Broadway, New York, N ..."
Abstract

Cited by 419 (6 self)
 Add to MetaCart
ing with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works, requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept, ACM Inc., 1515 Broadway, New York, NY 10036 USA, fax +1 (212) 8690481, or permissions@acm.org. 2 \Delta E.M. Clarke and J.M. Wing About ProgramsMechanical verification, Specification techniques; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical LogicMechanical theorem proving General Terms: Software engineering, formal methods, hardware verification Additional Key Words and Phrases: Software specification, model checking, theorem proving 1. INTRODUCTION Hardware and software systems will inevitably grow in scale and functionality. Because of this increase in complexity, the likelihood of subtle errors is much greater. Moreover, some of these errors may cause catastrophic loss of money, time, or even huma...
Automated Analysis of Cryptographic Protocols Using Murphi
, 1997
"... A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and securityrelated protocols. We illustrate the feasibility of the approach by analyzing the NeedhamSchroeder protocol, finding a known bug in a few seconds of computation time, and anal ..."
Abstract

Cited by 295 (25 self)
 Add to MetaCart
(Show Context)
A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and securityrelated protocols. We illustrate the feasibility of the approach by analyzing the NeedhamSchroeder protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative study. The efficiency of Murphi allows us to examine multiple runs of relatively short protocols, giving us the ability to detect replay attacks, or errors resulting from confusion between independent execution of a protocol by independent parties.
Multifacet’s general executiondriven multiprocessor simulator (gems) toolset
 SIGARCH Comput. Archit. News
, 2005
"... The Wisconsin Multifacet Project has created a simulation toolset to characterize and evaluate the performance of multiprocessor hardware systems commonly used as database and web servers. We leverage an existing fullsystem functional simulation infrastructure (Simics [14]) as the basis around whic ..."
Abstract

Cited by 265 (22 self)
 Add to MetaCart
(Show Context)
The Wisconsin Multifacet Project has created a simulation toolset to characterize and evaluate the performance of multiprocessor hardware systems commonly used as database and web servers. We leverage an existing fullsystem functional simulation infrastructure (Simics [14]) as the basis around which to build a set of timing simulator modules for modeling the timing of the memory system and microprocessors. This simulator infrastructure enables us to run architectural experiments using a suite of scaleddown commercial workloads [3]. To enable other researchers to more easily perform such research, we have released these timing simulator modules as the Multifacet General Executiondriven
Cmc: A pragmatic approach to model checking real code
 In Proceedings of the Fifth Symposium on Operating Systems Design and Implementation
, 2002
"... Permission is granted for noncommercial reproduction of the work for educational or research purposes. ..."
Abstract

Cited by 224 (12 self)
 Add to MetaCart
(Show Context)
Permission is granted for noncommercial reproduction of the work for educational or research purposes.
Better Verification Through Symmetry
, 1996
"... A fundamental difficulty in automatic formal verification of finitestate systems is the state explosion problem  even relatively simple systems can produce very large state spaces, causing great difficulties for methods that rely on explicit state enumeration. We address the problem by exploiting ..."
Abstract

Cited by 217 (8 self)
 Add to MetaCart
A fundamental difficulty in automatic formal verification of finitestate systems is the state explosion problem  even relatively simple systems can produce very large state spaces, causing great difficulties for methods that rely on explicit state enumeration. We address the problem by exploiting structural symmetries in the description of the system to be verified. We make symmetries easy to detect by introducing a new data type scalarset, a finite and unordered set, to our description language. The operations on scalarsets are restricted so that states are guaranteed to have the same future behaviors, up to permutation of the elements of the scalarsets. Using the symmetries implied by scalarsets, a verifier can automatically generate a reduced state space, on the fly. We provide a proof of the soundness of the new symmetrybased verification algorithm based on a definition of the formal semantics of a simple description language with scalarsets. The algorithm has been implemented ...
The Murφ Verification System
 IN COMPUTER AIDED VERIFICATION. 8TH INTERNATIONAL CONFERENCE
, 1996
"... This is a brief overview of the Murφ verification system. ..."
Abstract

Cited by 171 (8 self)
 Add to MetaCart
This is a brief overview of the Murφ verification system.
NUSMV: a new symbolic model checker
 International Journal on Software Tools for Technology Transfer
, 2000
"... This paper describes a new symbolic model checker, called NUSMV, developed as part of a joint project between CMU and IRST. NUSMV is the result of the reengineering, reimplementation, and, to a limited extent, extension of the CMU SMV model checker. The core of this paper consists of a detailed de ..."
Abstract

Cited by 168 (22 self)
 Add to MetaCart
This paper describes a new symbolic model checker, called NUSMV, developed as part of a joint project between CMU and IRST. NUSMV is the result of the reengineering, reimplementation, and, to a limited extent, extension of the CMU SMV model checker. The core of this paper consists of a detailed description of the NUSMV functionalities, architecture, and implementation.
A metanotation for protocol analysis
 in: Proc. CSFW’99
, 1999
"... Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the w ..."
Abstract

Cited by 166 (38 self)
 Add to MetaCart
(Show Context)
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finitelength protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACEcompleteness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations. 1