Showing papers on "Promela published in 2009"

Verification of Business Process Entailment Constraints Using SPIN

Abstract: The verification of access controls is essential for providing secure systems. Model checking is an automated technique used for verifying finite state machines. The properties to be verified are usually expressed as formula in temporal logic. In this paper we present an approach to verify access control security properties of a security annotated business process model. To this end we utilise a security enhanced BPMN notation to define access control properties. To enhance the usability the complex and technical details are hidden from the process modeller by using an automatic translation of the process model into a process meta language (Promela) based on Coloured Petri net (CPN) semantics. The model checker SPIN is used for the process model verification and a trace file is written to provide visual feedback to the modeller on the abstraction level of the verified process model. As a proof of concept the described translation methodology is implemented as a plug-in for the free web-based BPMN modelling tool Oryx.

Towards Verifying Correctness of Wireless Sensor Network Applications Using Insense and Spin

Abstract: The design and implementation of wireless sensor network applications often require domain experts, who may lack expertise in software engineering, to produce resource-constrained, concurrent, real-time software without the support of high-level software engineering facilities The Insense language aims to address this mismatch by allowing the complexities of synchronisation, memory management and event-driven programming to be borne by the language implementation rather than by the programmer The main contribution of this paper is an initial step towards verifying the correctness of WSN applications with a focus on concurrency We model part of the synchronisation mechanism of the Insense language implementation using Promela constructs and verify its correctness using Spin We demonstrate how a previously published version of the mechanism is shown to be incorrect by Spin , and give complete verification results for the revised mechanism

Bridging the Gap between Enumerative and Symbolic Model Checkers

Abstract: We present a method to perform symbolic state space generation for languages with existing enumerative state generators. The method is largely independent from the chosen modelling language. We validated this on three different types of languages and tools: state-based languages (PROMELA), action-based process algebras (muCRL, mCRL2), and discrete abstractions of ODEs (Maple). Only little information about the combinatorial structure of the underlying model checking problem need to be provided. The key enabling data structure is the "PINS" dependency matrix. Moreover, it can be provided gradually (more precise information yield better results). Second, in addition to symbolic reachability, the same PINS matrix contains enough information to enable new optimizations in state space generation (transition caching), again independent from the chosen modelling language. We have also based existing optimizations, like (recursive) state collapsing, on top of PINS and hint at how to support partial order reduction techniques. Third, PINS allows interfacing of existing state generators to, e.g., distributed reachability tools. Thus, besides the stated novelties, the method we propose also significantly reduces the complexity of building modular yet still efficient model checking tools. Our experiments show that we can match or even outperform existing tools by reusing their own state generators, which we have linked into an implementation of our ideas.

Using SPIN to model check concurrent algorithms, using a translation from C to Promela

Abstract: This paper addresses the problem of automatically verifying correctness of concurrent algorithms, e.g., as found inconcurrent implementations of common data structures, using model checking. In order to use a model checker to analyze programs in, e.g., C, one must first translate programs to the input language of the model checker. Since our aim is to use SPIN, we present an automated translation from a subset of C to Promela. This translation is able to handle features not covered by previous such translations, notable pointer structures and function calls. We illustrate the application of our translation to a concurrent queue algorithm by Michael and Scott.

Model Checking UML Activity Diagrams with SPIN

Abstract: This paper describes an approach to verifying UML activity diagrams with model check techniques. Firstly, we define converting rules of the activity elements such as fork, joint, branch and merge into EHA. During this process, we handle the control of the actions, the creation of the hierarchy of the EHA and the change of the action states. Secondly, we describe the PROMELA framework generated for the UML activity diagrams containing the above elements. The paper is structured as followings. The second section of the paper explains the principles of the model checking with SPIN and the UML activity diagram. Section 3 describes the conversions from the UML activity diagram to the EHA model and the PROMELA model. Section 4 describes the modeling process of the dining-philosophers problem and the result of simulating the model with SPIN. The paper is ended with the conclusions and future work.

Model Checking C Programs by Translating C to Promela

Abstract: Nowadays, the cost of program errors is increasing from day to day, so software reliability becomes a critical problem to the whole world. C is one of the most popular programming languages, and ha ...

Eclipse Plug-In for Spin and st2msc Tools-Tool Presentation

Abstract: In this article we present an Eclipse plug-in for Spin and st2msc tools. The plug-in can be used to edit a Promela model, run the formal verification of the model, and generate optimized MSC of the Spin trail by st2msc. It simplifies handling with extensive Promela models to a great extent.

A formal analysis of ISO/IEEE P11073-20601 standard of medical device communication

Abstract: This article presents the formal work done for the ISO/IEEE P11073-20601 Draft Standard for Health informatics - Personal health device communication - Application profile - Optimized exchange protocol. ISO/IEEE 11073 family defines standards for device communication between agents (e.g. blood pressure monitors, weighing scales) that collect information about a person and manager (e.g., cell phone, health appliance, or personal computer) for collection, display, and possible later re-transmission. The particular draft standard ISO/IEEE P11073-20601 defines protocols for data exchange between agents and managers. Although such a system in medical use must be extremely reliable under all circumstances, until now a formal analysis has been used only in analyzing draft IEEE P11073-20601 as a part of developing the protocols in this family of standards. We analyzed the protocols both manually and automatically. For the automated analysis of safety properties we applied model-checking techniques, which is feasible since the number of processes is limited, and because we can abstract from most data in the protocols. We used the language Promela and the tool Spin, since this combination has a good reputation in practical applications and it is well documented. The results of our work are now incorporated in this standard.

RAFFS: Model Checking a Robust Abstract Flash File Store

Abstract: This paper presents a case study in modeling and verifying a POSIX-like file store for Flash memory. This work fits in the context of Hoare's verification challenge and, in particular, Joshi and Holzmann's mini-challenge to build a verifiable file store. We have designed a simple robust file store and implemented it in the form of a Promela model. A test harness is used to exercise the file store in a number of ways. Model checking technology has been extensively used to verify the correctness of our implementation. A distinguishing feature of our approach is the (bounded) exhaustive verification of power loss recovery.

Automated Testing of Planning Models

Abstract: Automated planning systems (APS) are maturing to the point that they have been used in experimental mode on both the NASA Deep Space 1 spacecraft and the NASA Earth Orbiter 1 satellite. One challenge is to improve the test coverage of APS to ensure that no unsafe plans can be generated. Unsafe plans can cause wasted resources or damage to hardware. Model checkers can be used to increase test coverage for large complex distributed systems and to prove the absence of certain types of errors. In this work we have built a generalized tool to convert the input models of an APS to Promela , the modeling language of the Spin model checker. We demonstrate on a mission sized APS input model, that we with Spin can explore a large part of the space of possible plans and verify with high probability the absence of unsafe plans.

Tool Presentation: Teaching Concurrency and Model Checking

Abstract: This paper describes software tools for teaching concurrency and model checking. jSpin is an development environment for Spin that formats and filters the output of a simulation according to the user's specification. SpinSpider uses debugging output from Spin to generate a diagram of the state space of a Promela model; the diagram can be incrementally displayed using iDot . VN supports teaching nondeterministic finite automata. The Erigone model checker is a partial reimplementation of Spin designed to be easy to use, well structured and well documented. It produces a full trace of the execution of the model checker in a format that is both readable and amenable to postprocessing.

Describing and Verifying Semantic Web Service Composition with MDA

Abstract: Describing and verifying OWL-S with the Unified Modeling Language (UML) cannot only improve the efficiency of developing semantic Web service, but also ensure the correctness of dynamic composition process; abstractly modeling semantic Web services with model-driven architecture (MDA) at a higher level is helpful for dynamically binding services. This paper proposes an effective approach to describe and compose semantic Web service with UML, a verification mechanism is imported to ensure the correctness of semantic Web service composition; class diagrams and use-case diagrams are used to model the static aspect of OWL-S, activity diagrams to model the behavior of an OWL-S composition process. In this paper, the transformation from UML models of semantic Web service composition to the model-checking language Promela was presented for verifying the correctness of Web service composition using automated verification tool SPIN.

Model Checking the SET Purchasing Process Protocol with SPIN

Abstract: Electronic Commerce is a considerable wide spread business engineering model in the Internet. The analysis of the EC's security is a hot research topic in the present. The article studies the Secure Electronics Transactions (SET) protocol and uses the model checking tool SPIN to model and to verify the key part of the protocol-purchasing process protocol. We describe the abstract model of the protocol with promela language of SPIN. During the modeling process, we plant some exploits which the intruders can take advantage of. Then we use LTL to describe the attributes that the protocol should satisfy and carry out the model checking. In our experiment, the intruder is detected with the tool SPIN.

S-Promela: An executable specification security policies language

Abstract: Security Policy constitutes the main basis of a secured system but can be its main vulnerability also since a wrongly configured policy or an inadequate one can be fatal for the system. Even if the network administrator is a high qualified person, the human interventions are error prone. Nevertheless, a formal specification can avoid such problem. This paper aims to give a first step towards a framework allowing to specify and to verify a given policy with respect to an expected one. Hence, we propose in this paper a new all-purpose security policy modeling based on the concepts of processes, channels, constraints, events and actions. This modeling is called all-purpose because it can be easily used to represent the several kinds of security rules i.e. authorization, obligation and prohibition. Moreover, it constitutes the first step towards the proposition of a new executable security specification language. This language, called S-Promela has a syntax supporting authorization, obligation and prohibition rules and a semantics facilitating the validation task.

Hierarchical Graph Rewriting as a Unifying Tool for Analyzing and Understanding Nondeterministic Systems

Abstract: We have designed and implemented LMNtal (pronounced "elemental"), a language based on hierarchical graph rewriting that allows us to encode diverse computational models involving concurrency, mobility and multiset rewriting. Towards its novel applications, the system has recently evolved into a model checker that employs LMNtal as the modeling language and PLTL as the specification language. The strengths of our LMNtal model checker are its powerful data structure, highly nondeterministic computation it can express, and virtually no discrepancy between programming and modeling languages. Models expressed in Promela, MSR, and Coloured Petri Nets can be easily encoded into LMNtal. The visualizer of the LMNtal IDE turned out to be extremely useful in understanding models by state space browsing. The LMNtal IDE has been used to run and visualize diverse examples taken from the fields of model checking, concurrency and AI search.

Design & Verification of UniPro Protocols for Mobile Phones

Abstract: UniPro, as an abstract standardized interface, interconnects the variety of devices within a mobile phone and hides the complexity of a heterogeneous environment. UniPro is a combination of chip-to-chip connectivity and TCP-like protocols. Thus, new protocols are defined and verified! This thesis helps in the design and verification of two basic UniPro protocols. The first one, the UniPro Sliding Window (USW) protocol, is implemented for flow control and reliability of UniPro, in the data link layer. The second protocol is built on the transport layer and is responsible for setting up and closing a connection between two nodes. Furthermore, we extend the connection management protocol for congestion control. So, link reservations are required before a new connection is set up. The connection bandwidth is reserved through the routers. In this Master’s thesis, we implement 3 different models for our protocols in order to check their correctness properties. The models are described in the Promela specification language, which can be input to both model checkers: Spin (used on a single machine) and DiVinE (which distributes the work load to multiple nodes). All models are fully verified in Spin or DiVinE.

Verification Web Services Composition Based on OWL-S

Abstract: In order to ensure the correctness and reliability of Web services composition based on OWL-S, verify the interaction protocol of Web services. It is provided that three lay architecture. Composition service based on OWL-S, GA model is the middle model and the Promela model is the verification model, SPIN as a model validator. The OWL-S composition Web services transform a top-down conversation protocol process into a GA model, use WAST tool into Promela model, the SPIN tool analysis and verification structure and performance of composition services. This method is flexibility and scalability which provide a solution for Web services composition model verification.

Abstraction framework and complexity of model checking based on the Promela models

Abstract: Automated model checking shortcomings is prone to state explosion. In this paper, we propose abstraction framework based on Promela models, and transform the source of Promela models to the abstract target of Promela models. On this basis, we analyze the reasons for the complexity of model checking based on Promela models. Finally we reduce the number of state-generated under the condition of verification property unchanged in the ATM example. These show that the abstraction framework reduce the complexity of model checking.

Model Checking Service Component Composition by SPIN

Abstract: Service Component Architecture (SCA) provides a language-independent way to define and compose service component. The SCA assembly model should be reliable. This target can be reached by translating a formal signature model and behavior model for SCA to Promela, and Promela specifications are then verified with the model checker SPIN. SCA complements some service composition languages (such as BPEL) for enabling the more convenient and efficient service-based development. Based on our method and by using IBM WID tool, we show how to build a reliable BPEL process.

A Framework for Model Checking Concurrent Java Components

Abstract: The Java programming language supports concurrency. Concurrent programs are harder to verify than their sequential counterparts due to their inherent nondeterminism and a number of specific concurrency problems, such as interference and deadlock. In this paper we illustrate how to construct a base model of Java concurrency primitives using the Promela language of SPIN. Subsequently, a readers-writers monitor, and eighteen mutants, are used as an example to show the power and simplicity of using SPIN for verifying concurrent Java components. This builds on previous work and contributes in three ways, 1) each Java concurrency primitive is modelled directly and added to a standard modelling library for inclusion into models for a range of concurrent components, 2) we assume a concurrent component may be used in potentially many contexts rather than simply the context or contexts it may have been used or found, 3) by providing a modelling library we illustrate how model checking can be implemented in a simple, powerful, and practical manner.

The use of model transformation in the INESS project

Abstract: The INESS (INtegrated European Signalling System) Project is an effort, funded by the FP7 programme of the European Union, to provide a common, integrated, railway signalling system within Europe. It comprises 30 partners, including 6 railway companies. INESS experts have been using the Executable UML (xUML) language to model the proposed integrated signalling system. Because of the safety-critical aspects of these systems, one key idea is to use formal verification techniques to analyse the xUML models for inconsistencies in the requirements and against core properties provided by professional railway engineers. Our objective in the project is to equip our INESS partners with an automated tool to carry out this analysis. Therefore, we have devised a formal verification strategy that uses model transformation technology to automatically translate xUML models to the input language of existing, state-of-the-art, model checking tools. In this paper we describe this formal verification strategy in more detail: we present initial results on implementing the automatic generation of PROMELA models that can be analysed using the SPIN model checker.

Formal Verification of UML-RT Capsules using Model Checking

Abstract: Formal verification methods have successfully been used to ensure correctness of both hardware and software systems. In contrast to testing methods, that can demonstrate the presence of faults in a system, formal methods can prove their absence. A department of the telecommunications company Ericsson AB in Gothenburg, Sweden, uses the UML-RT language to model software used in WCDMA radio base stations. These concurrent and reactive systems can be modeled in the Eclipse-based RSARTE environment. Previous work underlines a need of narrowing the gap between software development tools used in industry and formal verification tools. This thesis examines the feasibility of using model checking to verify properties of UMLRT capsules. We present a prototype tool for generating verification models in the Promela language for the model checker Spin. The tool is implemented as a model-to-text transformation using the JET tool and is integrated into RSARTE. The result of the work establishes that it, for a subset of constructs in UML-RT, is possible to automate generation of verification models that can be used to demonstrate properties of the original UML-RT capsules. We demonstrate this with example models created in RSARTE.

Identifying Modeling Errors in Signatures by Model Checking

Abstract: Most intrusion detection systems deployed today apply misuse detection as analysis method. Misuse detection searches for attack traces in the recorded audit data using predefined patterns. The matching rules are called signatures. The definition of signatures is up to now an empirical process based on expert knowledge and experience. The analysis success and accordingly the acceptance of intrusion detection systems in general depend essentially on the topicality of the deployed signatures. Methods for a systematic development of signatures have scarcely been reported yet, so the modeling of a new signature is a time-consuming, cumbersome, and error-prone process. The modeled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this. Signature testing is still a rather empirical and time-consuming pro cess to detect modeling errors. In this paper we present the first approach for verifying signature specifications using the Spin model checker. The signatures are modeled in the specification language EDL which leans on colored Petri nets. We show how the signature specification is transformed into a Promela model and how characteristic specification errors can be found by Spin .

Model Checking Airline Tickets Reservation System Based on BPEL

Abstract: BPEL is a business flow language which describes the composition of web services. Since business flow is very complex, the method of formalized analysis can help ensure the accuracy of composition of web services. For the Airline Tickets Reservation System described by BPEL, we provide a formalized analysis process with FSM in this paper, and finally translate it into programs described by Promela. The safety property and behavior property are verified with model checking tool SPIN, the results of experiment show no flaw in this system.

Formal Methods for System Development

Abstract: Two main types of formal methods have been investigated, formal specification and formal verification. Focus for formal verification has been on the concept of un-timed model checking. Some dominating formal specification languages, VDM and Z, and some prominent model checkers, FDR, Spin, and LTSA, have been learnt and presented. A tutorial for the formal verification tool Spin is created. The tutorial is example driven and describes the description language Promela and the verification methods available in Spin. Care has been taken to illustrate reasoning about the results from Spin. Topics discussed include the applicability and need for formal methods, the possible need for understanding the underlying theory, and considerations made in regards to creating the tutorial.

A Formal Framework for Run-Time Verification of Web Applications: An Approach Supported by Scope Extended Linear Temporal Logic

Abstract: The research work presented in this thesis encompasses three main subject areas in an effort to develop a formal approach and framework for the analysis and verification of Web Applications. This research aims at ensuring and maintaining high quality Web Applications in an efficient, automatic, and easy to use manner. The main research venue is dedicated to developing methods for formal modeling of a given web application using communicating finite automata model, based on the user-defined properties to be validated. We elaborate a method for automatic generation of such a model from execution traces produced by a web application while it is explored by a human operator or a crawler. The obtained model could then be used to verify properties with a model checker, as well as for regression testing and documentation. Some of the web related properties concern all states of the model, while others—only a proper subset of them. Therefore, we refine our model to designate the subset of the global states of interest. The second research venue involves solving the problem of property specification in Linear Temporal Logic (LTL) over a subset of states of a system under test while ignoring the valuation of the properties in the rest of them. We introduce specialized operators that facilitate specifying properties over propositional scopes, where each scope constitutes a subset of states that satisfy a propositional logic formula. Using the proposed operators, the user can specify web properties more concisely and intuitively. Although the motivation behind this problem stems from the context of distinguishing between stable and transient states of the proposed model for Web Applications, the anticipated solution is generic and applicable to any problem domain. Specifying properties using temporal logic is often complex even to experts, while it is a daunting task and error prone for non-expert users. To assist web developer and testers in formally specifying web related properties, we present a library of web specification patterns mapped into LTL. This library is a result of a survey of various resources in the field of quality assurance of Web Applications, which characterize successful web application using a set of standardized attributes. The patterns are categorized into two main classes: functional and non-functional. We finally present our implementation of the proposed framework using Spin model checker, where we develop a prototype tool that monitors and analyzes executions of a given web application, and produces a communicating automata model which could be represented either in Promela (Spin' input language) or XML-Promela. Keywords: Dynamic Analysis, Model Checking, Verification, Linear Temporal Logic, Spin Model Checker, Web Application, Browsing Session, Kripke Structure, Property Patterns, Communicating Automata.

Formal Verification of 802.11 MAC Layer Handoff Process Using SPIN Model Checker

Abstract: IEEE 802.11 based wireless local area network have been rapidly growth and deployment in the recent years. Critical to the 802.11 MAC operations, is the handoff process which occurs when a mobile node moves its association from one access point to another. In this paper, we firstly present the formal description of handoff process, based on finite state machine. And then, we extend the semantic of PROMELA, the accepted model of well-known model checker—SPIN, to make it applicable for the description of broadcast communication and timer characteristic in the handoff process. Finally, we carry out the formal verification for the Linear Temporal Logic properties of handoff process using SPIN.

Heuristic Search for Unbounded Executions

Abstract: We present a heuristic search based approach to finding un- bounded executions in software models that can be described using Com- municating Finite State Machines (CFSMs). This improves the unbound- edness test devised by Jeron and Jard in case certain knowledge about potential sources of unboundedness is available. Such knowledge can be obtained from a boundedness analysis that we designed in precursory work. We evaluate the effectiveness of several different heuristics and search strategies. To show the feasibility of our approach, we compare the performance of the heuristic search algorithms with that of uninformed search algorithms in detecting unbounded executions for a number of case studies. We discuss the applicability of our approach to high level modeling languages for concurrent systems such as Promela.