Showing papers on "Promela published in 2008"

Principles of the Spin Model Checker

Abstract: Principles of Spin is an introductory book, the only requirement is a background in programming. Spin models are written in the Promela language which is easily learned by students and programmers. Spin is easy to install and use. The Spin model checker is not only a widely used professional tool but it is also a superb tool for teaching important concepts of computer science such as verification, concurrency and nondeterminism. The book introduces Spin-based software that the author has developed for teaching: jSpin - an integrated development environment for Spin; SpinSpider - uses output from Spin to automatically construct state diagrams of concurrent programs; VN is a tool for visualizing nondeterminism. Complete programs will demonstrate each construct and concept and these programs will be available on a companion website.

Random testing and model checking: building a common framework for nondeterministic exploration

Abstract: Two popular forms of dynamic analysis, random testing and explicit-state software model checking, are perhaps best viewed as search strategies for exploring the state spaces introduced by nondeterminism in program inputs. We present an approach that enables this nondeterminism to be expressed in the SPIN model checker's PROMELA language, and then lets users generate either model checkers or random testers from a single harness for a tested C program. Our approach makes it easy to compare model checking and random testing for models with precisely the same input ranges and probabilities and allows us to mix random testing with model checking's exhaustive exploration of non-determinism. The PROMELA language, as intended in its design, serves as a convenient notation for expressing nondeterminism and mixing random choices with nondeterministic choices. We present and discuss a comparison of random testing and model checking. The results derive from using our framework to test a C program with an effectively infinite state space, a module in JPL's next Mars rover mission. More generally, we show how the ability of the SPIN model checker to call C code can be used to extend SPIN's features, and hope to inspire others to use the same methods to implement dynamic analyses that can make use of efficient state storage, matching, and backtracking.

Understanding SIP through Model-Checking

Abstract: In recent years, SIP has become an important and widely-used protocol for IP-based multimedia services. Despite voluminous documentation, there is only scattered and informal material explaining the states of the protocol and the events that can occur in each state. To fill this gap, this paper presents a Promela model of invite dialogs in SIP. The model has been verified and validated with the Spin model-checker. The paper discusses the practical value of this model, explains some problems in SIP revealed by it, makes recommendations for solutions, and presents some directions for future work.

Designing and Verifying Communication Protocols Using Model Driven Architecture and Spin Model Checker

Abstract: The need of communication protocols in today’s environment increases as much as the network explores. Many new kinds of protocols, e.g. for information sharing, security, etc., are being developed day-to-day which often leads to rapid, premature developments. Many protocols have not scaled to satisfy important properties like deadlock and livelock freedom, since MDA focuses on the rapid development rather than on the quality of the developed models. In order to fix the above, we introduce a 2-Phase strategy based on the UML state machine and sequence diagram. The state machine is converted into PROMELA code as a protocol model and its properties are derived from the sequence diagram as Linear Temporal Logic (LTL) through automation. The PROMELA code is interpreted through the SPIN model checker, which helps to simulate the behavior of protocol. Later the automated LTL properties are supplemented to the SPIN for the verification of protocol properties. The results are compared with the developed UML model and SPIN simulated model. Our test results impress the designer to verify the expected results with the system design and to identify the errors which are unnoticed during the design phase.

The High Road to Formal Validation

Abstract: In this paper we examine the difference between model checking high-level and low-level models. In particular, we compare the ProB model checker for the B-method and the Spin model checker for Promela. While Spin has a dramatically more efficient model checking engine, we show that in practice the performance can be disappointing compared to model checking high-level specifications with ProB . We investigate the reasons for this behaviour, examining expressivity, granularity and Spin's search algorithms. We also show that certain types of information (such as symmetry) can be more easily inferred and exploited in high-level models, leading to a considerable reduction in model checking time.

Verifying Compiler Based Refinement of BluespecTM Specifications Using the SPIN Model Checker

Abstract: The underlying model of computation for PROMELA is based on interacting processes with asynchronous communication, and hence SPIN has been mainly used as a verification engine for concurrent software systems. On the other hand, hardware verification has mostly focused on clock synchronous register-transfer level (RTL) models. As a result, verification tools such as SMV which are based on synchronous state machine models have been used more frequently for hardware verification. However, as levels of abstractions are being raised in hardware design and as high-level synthesis is being promoted for synthesizing RTL, hardware design verification problems are changing in nature. In this paper, we consider a specific high-level hardware description langauge, namely, Bluespec System Verilog (BSV). The programming model of BSV is based on concurrent guarded actions, which we also call as Concurrent Action Oriented Specification (CAOS). High-level synthesis from BSV models has been shown to produce efficient RTL designs. Given the industry traction of BSV-based high-level synthesis and associated design flow, we consider the following formal verification problems: (i) Given a BSV specification ${\cal S}$ of a hardware design, does it satisfy certain temporal properties? (ii) Given a BSV specification ${\cal S}$, and an implementation Rsynthesized from ${\cal S}$ using a BSV-based synthesis tool, does Rconform to the behaviors specified by ${\cal S}$; that is, is Ra refinement of ${\cal S}$? (iii) Given a different implementation Ri¾?synthesized from ${\cal S}$ using some other BSV-based synthesis tool, is Ri¾?a refinement of Ras well? In this paper, we show how SPIN Model Checker can be used to solve these three problems related to the verification of BSV-based designs. Using a sample design, we illustrate how our approach can be used for verifying whether the designer intent in the BSV specification is accurately matched by its synthesized hardware implementation.

An Automated Validation Method for Security Policies: The Firewall Case

Abstract: Research in computer security issues has recently addressed the development of security policy specification languages. It has however omitted the need of formal validation. In this paper we try to remedy to this drawback by the proposition of an automated tool for security policies. Because we have found several similarities between security policies and software engineering, our approach is strongly inspired from the reasoning followed in the software engineering. First, it brings out a model inspired by Promela to enable the validation task. Secondly, it proposes a 3-step validation process that deals with consistency, completeness and preservation of safety and liveness properties.

Automatic Symmetry Detection for Promela

Abstract: We introduce a specification language, Promela-Lite, which captures the essential features of Promela but which, unlike Promela, has a formally defined semantics. We show how we can detect symmetry in specifications defined in Promela-lite by constructing a directed, coloured bipartite digraph called a static channel diagram, and applying computational group theoretic techniques. We extend our approach to Promela and introduce a tool, SymmExtractor, for automatically detecting symmetries of Promela specifications. We demonstrate the effectiveness of our approach via experimental results for a suite of Promela specifications. Unlike previous approaches our technique is fully automatic, and not restricted to fully symmetric systems.

Designing and Verifying Communication Protocols Using Model Driven Architecture and Spin Model Checker

Abstract: The need of communication protocols in todaypsilas environment increases as much as the network explores. Many new kinds of protocols, e.g. for information sharing, security, etc., are being developed day-to-day which often leads to rapid, premature developments. Many protocols have not scaled to satisfy important properties like deadlock and livelock freedom, since MDA focuses on the rapid development rather than on the quality of the developed models. In order to fix the above, we introduce a 2-Phase strategy based on the UML state machine and sequence diagram to satisfy the properties of communication protocols. We convert these models into PROMELA code for execution on the SPIN model checker. The results are compared with the developed UML models.

Verification of Clinical Guidelines by Model Checking

Abstract: Clinical guidelines systematically assist practitioners with providing appropriate health care for specific clinical circumstances. However, a significant number of guidelines are lacking in quality. In this paper, we use the UML modeling language to capture guidelines and model checking techniques for their verification. We have established a classification of possible properties to be verified in a guideline and we present an automated approach based on a translation from UML to PROMELA, the input language of the SPIN model checker. Our approach is illustrated with a guideline based on a guideline published by the National Guideline Clearing House (NGC).

Producing Short Counterexamples Using Crucial Events

Abstract: Ideally, a model checking tool should successfully tackle state space explosion for complete system validation, while providing short counterexamples when an error exists. Techniques such as partial order (p.o.) reduction [1,2] are very effective at tackling state space explosion, but do not produce short counterexamples. On the other hand, directed model checking [3,4] techniques find short counterexamples, but are prone to state space explosion in the absence of errors. To the best of our knowledge, there is currently no single technique that meets both requirements. We present such a technique in this paper. For a subset of CTL, which we call CETL (Crucial Event Temporal Logic), we show that there exists a unique minimum set of events in each program trace whose execution is both necessary and sufficient to lead to an error state. These events are called "crucial events". We show how crucial events can be used to produce short counterexamples, while also providing state space reduction. We have implemented the techniques presented here as an extension to the model checker SPIN, called SPICED (Simple PROMELA Interpreter with Crucial Event Detection). Experimental results are presented.

Model Checking for UML Use Cases

Abstract: A use case driven approach is one of the most practical approaches in object orientation. UML use case diagrams and their descriptions written in a natural language are used in this modeling. Even though this approach provides us with convenient ways to develop large scale software and systems, it seems difficult to assure the correctness of the models, because of insufficient formalization in UML. This paper proposes a formal model verification process for UML use case models. In order to exclude ambiguity from the models, they are firstly formalized using the first order predicate logic. These logic based models are then transformed in the form of Promela code, so that they can be verified using the Spin model checker. A Promela code must be composed based on state transitions, whereas the logic based use case models do not explicitly include the states and their transitions. Therefore we introduce a state identification process in the logic based use case models. A supermarket checkout system is used to show how the proposed process works.

Verifying and Analyzing Adaptive Logic through UML State Models

Abstract: It is becoming increasingly important to be able to adapt an application's behavior at run time in response to changing requirements and environmental conditions. Adaptive programs are typically difficult to specify, design, and verify. A variety of conditions may trigger an adaptation, each of which may involve different types of adaptation mechanisms. In many cases, adaptive systems are concurrent, thus further exacerbating the complexity. Furthermore, it is important that adaptations do not put the system into an inconsistent state during or after adaptation. This paper presents an iterative approach to modeling and analyzing UML behavioral design models of adaptive systems, where the UML state diagrams are automatically translated into Promela code for analysis with the Spin model checker. The adaptive models are analyzed for adherence to both system invariants and properties that should hold during adaptation. We demonstrate this approach on applications for the mobile computing domain where we verify the design models against formally-specified properties.

The High Road to Formal Validation: Model Checking High-Level versus Low-Level Specifications

Abstract: In this paper we examine the difference between model checking high-level and low-level models. In particular, we compare the ProB model checker for the B-method and the spin model checker for Promela. While spin has a dramatically more efficient model checking engine, we show that in practice the performance can be disappointing compared to model checking high-level specifications with ProB. We investigate the reasons for this behaviour, examining expressivity, granularity and spin's search algorithms. We also show that certain types of information (such as symmetry) can be more easily inferred and exploited in high-level models, leading to a considerable reduction in model checking time.

Privacy apis: formal models for analyzing legal privacy requirements

Abstract: There is a growing interest in establishing rules to regulate the privacy of citizens in the treatment of sensitive personal data such as medical and financial records. Such rules must be respected by software used in these sectors. The regulatory statements are somewhat informal and must be interpreted carefully in the software interface to private data. Another issue of growing interest in establishing and proving that enterprises, their products, workflows, and services are in compliance with relevant privacy legislation. There is a growing industy in the creation of compliance tools that help enterprises self-examine to determine their status, but there is little formalization of what compliance means or how to check for it. To address these issues, we present techniques to formalize regulatory privacy rules and show how we can exploit this formalization to analyze the rules automatically. Our formal language, Privacy Commands which combine to form Privacy APIs, is an extension of classical access control language to include operations for notification and logging, constructs that ease the mapping between legal and formal language, and a robust and expressive system for expressing references and constraints. We develop constructs and evaluation mechanisms for the language which are specially suited to the modeling legal privacy policies and show the usefulness of the language by developing several comparison metrics for Privacy APIs which let us compare the permissiveness of policies. We call the metrics strong licensing and weak licensing and show how they are useful in comparing Privacy APIs. To validate the robustness and flexibility of the language we show several involved case studies with a variety of policies including the US HIPAA Privacy Rule, the US Cable TV Privacy Act, and the Insurance Council of Australia's Privacy Code. To automate the evaluation of policy properties and comparison we develop and prove the correctness of a mapping from Privacy APIs to Promela, the input language for the SPIN model checker.

Experiences in model driven verification of behavior with UML

Abstract: Model Driven Development (MDD) focuses on the intensive use of models during software development. In this paradigm, models are the central development artifact: transformations are used to derive executable programs, or tests for a given platform. This makes building quality models a cost-effective approach, as the models can be reused for many analysis or generation goals, and not just document a design. However, high quality models are needed for the approach to be successful. Hence the goal of performing analysis of high-level behavioral specifications such as UML, to enhance their quality and detect defects or ensure desired behavior. High-level specifications provide many facilities to handle large specifications (such as hierarchical structuring mechanisms) and provide sophisticated features to handle programming language's rich semantics. However, the price of these features is that these specifications are difficult to analyse, the semantics are not necessarily formally defined, and the complexity of the language features usually limits analysis to manual inspection, or in the best cases simulation. On the other hand, formal specifications have been developed specifically with analysis purposes in mind. In particular, model checking is an automatic approach suitable to analyse formally defined behaviors. However, formal specifications languages such as CSP, PROMELA, Petri nets, etc. have a steep learning curve, and are not cost effective since they are not directly linked to code. In this paper, we explore an approach to integrate formal methods with high-level notations, by translating high-level specifications to formal ones to enable analysis. We are thus bringing Model Driven Engineering to Verification Driven Engineering. We show how this approach was put in practice with UML within the context of the ModelPlex project.

Adapting Petri Nets Reductions to Promela Specifications

Abstract: The interleaving of concurrent processes actions leads to the well-known combinatorial explosion problem. Petri nets theory provides some structural reductions to tackle this phenomenon by agglomerating sequences of transitions into a single atomic transition. These reductions are easily checkable and preserve deadlocks, Petri nets liveness and any LTL formula that does not observe the modified transitions. Furthermore, they can be combined with other kinds of reductions such as partial-order techniques to improve the efficiency of state space reduction. We present in this paper an adaptation of these reductions for Promela specifications and propose simple rules to automatically infer atomic steps in the Promela model while preserving the checked property. We demonstrate on typical examples the efficiency of this approach and propose some perspectives of this work in the scope of software model checking.

Incomplete Property Checking for Asynchronous Reactive Systems

Abstract: Asynchronous reactive systems find applications in a wide range of software systems such as communication protocols, embedded software systems, etc. It is highly desirable to rigorously show that these systems are correctly designed, because a correct design is vital to providing services of high quality. However, formal approaches to the verification of these systems, such as model checking, are often difficult because these systems usually possess extremely large or even infinite state spaces. In fact, in case of infinite state systems, many interesting verification problems become undecidable and traditional finite state model checking techniques cannot be applied to those systems. We propose an Integer Linear Program (ILP) solving based verification framework that concentrates on the local analysis of the cyclic behavior of each individual component of a system. This way we avoid the exploration of the huge or even infinite state space of the system. More precisely, we use automated abstraction techniques to transform an original system into a set of local control flow cycles and over-approximate the message passing effects of these cycles. Then, we derive a necessary condition for the violation of the considered property on the message passing effects of cycles. We further encode the necessary condition into an ILP problem whose solution space represents the property violating behavior. The infeasibility of the ILP problem then establishes the satisfaction of the property by the system. Moreover, the resulting ILP problem can be checked in polynomial time. We have applied our framework to the verification of the buffer boundedness and livelock freedom properties, both of which are undecidable for asynchronous reactive systems with an infinite state space. On one hand, the verification framework that we propose is efficient since it needs not to consider an exponential number of all possible interleavings of the executions of the system components. Instead, it maintains the locality of the analysis of each component and reduces the original verification problem into a polynomial-time solvable problem. On the other hand, our framework is incomplete: it either proves the satisfaction of a property, or returns an inconclusive verdict “UNKNOWN”. In the latter case, the property may or may not be satisfied by the system under scrutiny. This imprecision comes from the potential coarseness of the abstractions that our verification framework employs. After all, the incompleteness of the framework is inevitable since the properties that we check are undecidable. While the precision of our framework remains an issue, we propose a counterexample guided abstraction refinement procedure based on the discovery of dependencies among control flow cycles. The discovered cycle dependencies can be efficiently encoded into linear inequalities that are used to augment the constraint set of the original property determination ILP problem. The newly added constraints may rule out certain spurious behavior that violates the property, and thus refine the abstraction. The cycle dependency discovery methods that we devise are also incomplete. This means that some spurious property violating behavior may never be eliminated by any cycle dependencies that we can discover. We make the verification methods applicable to two widely used modeling languages, namely Promela and UML RT, by devising tailored code abstraction techniques. These techniques address abstraction issues concerning specific fea-

Verification of Mobile SMS Application with Model Checking Agent

Abstract: In years, the evolution of mobile SMS (short message service) application is become one of the high demand technology which introduced the fast service and cost saving. So due to this, SMS become a platform for developing information services in order to enhance the way of conventional system been conducted. However, at certain limitation this increasing convergence has effected the performance of information services when the system face the uncertainties and unprecedented risk. System has become unstable and prone to errors, which consequently effect the user satisfaction. Therefore, the trusted model system is extremely important to build the dependable software system. So, this paper propose a model checking agent approach to handle the verification and validation of mobile SMS application in order to ensure that the design of the system is correct. First, we present the architecture of model checking agent in the test case study to verify the SMS message that received by the system. Then, we formalize the design into PROMELA specification for SPIN model checker. Result from the SPIN model checker is able to determine whether the model is satisfy the properties of the requirement stated or could be otherwise. This model checking agent proposed is focused on the verification towards the mobile SMS application.

Language and Tool Support for Model Checking of Fault-Tolerant Distributed Algorithms

Abstract: Model checking is a successful formal verification technique; however, its application to fault-tolerant distributed algorithms is still not common practice. One major reason for this is that model checking requires non-negligible users? efforts in representing the algorithm to be verified in the input language of a model checker. To alleviate this problem we propose an approach which encompasses (i) a language for concisely describing fault-tolerant distributed algorithms and (ii) a translator from the proposed language to PROMELA, the input language of the SPIN model checker. To demonstrate the feasibility of our approach, we show the results of an experiment where we described and verified several algorithms for consensus, a well-known distributed agreement problem.

Towards automatic verification of web-based SOA applications

Abstract: Nowadays, developing web applications in a Service-Oriented Architecture (SOA) style is emerging as a promising approach for delivering services to end users. Such web-based SOA applications are likely to suffer correctness and reliability problems mainly because their runtime environments (including web browsers and service platforms) are heterogeneous and their service interactions and flows are complex without explicit specifications. In this paper, we propose a model-checking based approach for verifying web-based SOA applications. At first, the application behavior will be automatically specified by analyzing the web-side source codes. And it will be combined with the pre-defined environment behavior so that a precise and complete enough behavior model of the application can be generated automatically. With user-defined constraint and refinement specifications, the behavior model is automatically translated to the formal specification (Promela for Spin) as the input of the model checker. If the model is flawed, the application has correctness and reliability problems. The violation traces generated by the model checker will be visualized in the behavior model for helping developers to solve the detected problems in a user-friendly manner.

Translation of Timed Promela to Timed Automata with Discrete Data

Abstract: The aim of the work is twofold. In order to face the problem of modeling time constraints in Promela, a timed extension of the language is presented. Next, timed Promela is translated to timed automata with discrete data, that is timed automata extended with integer variables. The translation enables verification of Promela specifications via tools accepting timed automata as input, such as VerICS or Uppaal. The translation is illustrated with a well known example of Fischer's mutual exclusion protocol. Some experimental results are also presented.

Consistency Check Between UML Sequence Diagram and Statechart

Abstract: UML can be used to accomplish the system modeling from different views.There are information redundancy in different views, so that the views may be inconsistent.This paper proposes an approach to analyze sequence diagram which has many different logical semantics.To deal with the hierarchy structure of statechart, finite state automata is used in this paper, and an automata decomposition algorithm is proposed to get an automata tree.A new model consistency criterion of sequence diagram and statechart, as well as a new structure of Promela is proposed.Model consistency is checked between sequence diagram and statechart with the model checker SPIN.

Formal verification of WAHS: an autonomous and wireless P2P auction handling system

Abstract: The cross between mobile ad hoc networks (MANETs) and peer to peer (P2P) systems raises interesting capabilities to explore the deployment of various applications This paper presents a new possibility to bring a mobile commerce application into P2P way We propose a communication architecture called WAHS (Wireless Auction Handling System) and a communication protocol named BSAP-Protocol (Buyer/Seller Auction Peer) that governs interactions between BSAPs during a P2P auction process Although tests and simulations give us an excellent overview of the protocol behaviour, the formal verification is needed to prove the correctness of a system We formally specify and verify the properties of our proposal by the use of PROMELA/SPIN model checker We implemented P2P auctions over MANETs functionalities' and give the first simulation results that show improvements in comparison to a previously published work

RESY: requirement synthesis for compositional model checking

Abstract: The requirement synthesis tool RESY automatically computes environment assumptions for compositional model checking. Given a process M in a multi-process PROMELA program, an abstraction refinement loop computes a coarse equivalence relation on the states of the environment, collapsing two states if the environment of M can either force the occurrence of an error from both states or from neither state. RESY supports three different operation modes: assumption generation, compositional model checking, and front-end to the model checker SPIN. In assumption generation mode, RESY minimizes the size of the assumption; small assumptions are useful for program documentation and as certificates for re-verification. In compositional model checking mode, RESY terminates as soon as the property is proven or disproven, independently of the size of the assumption. In front-end mode, RESY terminates when the size of the assumption falls below a specified threshold, and calls SPIN with the simplified verification problem.

Evaluating test adequacy coverage of high level petri nets using spin

Abstract: How to ensure the quality of complex software systems is a grand challenge. Formal methods and software testing techniques are two major complementary approaches for software quality assurance. In this paper, we present a unique approach that uses the simulation capability of the Spin model checker to evaluate the test adequacy of high level Petri nets based on various coverage criteria. In our approach, a high level Petri net is expressed as a program in Promela, the input language for Spin, and the simulation capability of Spin is used to execute the program and evaluate different test coverage criteria for high level Petri nets. We use high level Petri nets as a concrete formal specification method to demonstrate our approach, and our results can be easily generalized to other formal models as well.