Showing papers on "Promela published in 2010"

Improving Behavioral Design Pattern Detection through Model Checking

Abstract: Recovering design pattern instances in a software system can help maintainers to understand its design and implementation. In this paper we present a fully automated design pattern recovery approach that analyzes the behavior of pattern instances both statically and dynamically. In particular, the proposed approach exploits model checking to statically verify the behavioral aspects of design pattern instances. To this end, we encode the properties defining the correct behavior of a pattern as LTL (Linear Temporal Logic) formulae and the sequence diagram representing the possible interaction traces among the objects involved in the candidate instances as PROMELA specifications. To verify whether the LTL properties are satisfied by the candidates we employ the SPIN model checking tool. The dynamic analysis of the pattern behavior is performed through a code instrumentation and monitoring phase applied on the candidate pattern instances. This phase allows us to obtain actual dynamic data during program execution, which is then used to verify its compliance to the pattern definition. The effectiveness of the proposed approach is shown by presenting and discussing the results obtained on JHotDraw and JRefactory.

The SpinJa model checker

Abstract: SPINJA is a model checker for PROMELA, implemented in Java. SPINJA is designed to behave similarly to SPIN, but to be more easily extendible and reusable. Despite the fact that SPINJA uses a layered object-oriented design and is written in Java, SPINJA's performance is reasonable: benchmark experiments have shown that, in exhaustive mode, SPINJA is about five times slower than the highly optimized SPIN. For bitstate verification runs the difference is only a factor of two.

Automatic generation of model checking scripts based on environment modeling

Abstract: When applying model checking to the design models of the embedded systems, it is necessary to model not only the behavior of the target system but also that of the environment interacting with the system. In this paper, we present a method to model the environment and to automatically generate all possible environments from the model. In our method, we can flexibly model the structural variation of the environment and the sequences of the function calls using a class model and statechart models. We also present a tool to generate Promela scripts of SPIN from the environment model. As a practical experiment, we applied our tool to the verification of an OSEK/VDX RTOS design model.

On the verification of business processes by model checking techniques

Abstract: The correctness of a workflow specification is critical for the automation of business processes. For this reason, errors in the specification should be detected and corrected as early as possible - at specification time. In this paper, we present a verification method for workflow specifications using model checking techniques. We propose an approach for verifying correctness properties of workflow processes using SPIN model checker. First, a formalized workflow specification is translated into a Promela description. Second, the desired property is translated to an LTL formula. Finally, the SPIN model checker is run to check if the correctness properties hold for the model, and, if not, to provide a counterexample.

Creating High-Performance, Statically Type-Safe Network Applications

Abstract: A typical Internet server finds itself in the middle of a virtual battleground, under constant threat from worms, viruses and other malware seeking to subvert the original intentions of the programmer. In particular, critical Internet servers such as OpenSSH, BIND and Sendmail have had numerous security issues ranging from low-level buffer overflows to subtle protocol logic errors. These problems have cost billions of dollars as the growth of the Internet exposes increasing numbers of computers to electronic malware. Despite the decades of research on techniques such as model-checking, type-safety and other forms of formal analysis, the vast majority of server implementations continue to be written unsafely and informally in C/C++. In this dissertation we propose an architecture for constructing new implementations of standard Internet protocols which integrates mature formal methods not currently used in deployed servers: (i) static type systems from the ML family of functional languages; (ii) model checking to verify safety properties exhaustively about aspects of the servers; and (iii) generative meta-programming to express high-level constraints for the domain-specific tasks of packet parsing and constructing non-deterministic state machines. Our architecture—dubbed MELANGE—is based on Objective Caml and contributes two domain-specific languages: (i) the Meta Packet Language (MPL), a data description language used to describe the wire format of a protocol and output statically type-safe code to handle network traffic using high-level functional data structures; and (ii) the Statecall Policy Language (SPL) for constructing non-deterministic finite state automata which are embedded into applications and dynamically enforced, or translated into PROMELA and statically model-checked. Our research emphasises the importance of delivering efficient, portable code which is feasible to deploy across the Internet. We implemented two complex protocols—SSH and DNS—to verify our claims, and our evaluation shows that they perform faster than their standard counterparts OpenSSH and BIND, in addition to providing static guarantees against some classes of errors that are currently a major source of security problems.

An embeddable virtual machine for state space generation

Abstract: The semantics of modelling languages are not always specified in a precise and formal way, and their rather complex underlying models make it a non-trivial exercise to reuse them in newly developed tools. We report on experiments with a virtual machine-based approach for state space generation. The virtual machine’s (VM) byte-code language is straightforwardly implementable, facilitates reuse and makes it an adequate target for translation of higher-level languages like the SPIN model checker’s Promela, or even C. As added value, it provides efficiently executable operational semantics for modelling languages. Several tools have been built around the VM implementation we developed, to evaluate the benefits of the proposed approach.

Verifying Web Services Composition Based on Interface Automata Using SPIN

Abstract: Web services are a very appropriate communication mechanism to perform distributed business processes among several organizations. These processes should be reliable, because a failure in them can cause high economic losses. To provide a framework to compose lots of specialized services flexibly, BPEL4WS is proposed to describe Web services composition. But the language is lack of the support for checking the correctness of composition. It has to depend on formal verification method which helps to check the correctness of services composition. In order to solve above shortages of BPEL4WS, This paper presents a formal approach which verifies BPEL4WS using the interface automata. In this approach, BPEL4WS is mapped into interface automata, which is then transformed into Promela (It is the input language of SPIN model checker.), and the correctness properties of Web services composition can be verified by SPIN. Finally, paper gives a case study to illustrate the proposed approach.

Model-driven protocol design based on component oriented modeling

Abstract: Due to new emerging areas in the communication field there is a constant need for the design of novel communication protocols. This demands techniques for a rapid and efficient protocol design and development. Systematic protocol designs using formal description techniques (FDTs), such as SDL, LOTOS, etc., have proven a successful way to develop correct protocols. FDTs enforce, however, a semantic-oriented description which makes it difficult to reuse parts of the specification of other FDTs. A general-purpose modeling language like the UML may help to easily bridge between different description techniques. In contrast to the standardized FDTs, UML lacks a formal semantics. A model-driven protocol design, which aims at supporting the reuse of designs, makes only sense, when the designs of basic protocol mechanisms fit in reusable design patterns or components with a formally defined semantics. In this paper, we propose a component based protocol development approach with UML. Typical structures and behaviors of protocols are pre-defined as components using UML diagrams. The semantics of the UML diagrams is formally defined using the compositional Temporal Logic of Actions (cTLA). Based on this formalization, transformation into other presentations, e.g. PROMELA for verification, are supported. We demonstrate the approach for an example transfer protocol.

From scenarios to test implementations via Promela

Abstract: We report on a tool for generating executable concurrent tests from scenarios specified as message sequence charts. The proposed approach features three steps: 1) Deriving a MSC test implementation from a MSC scenario, 2) Mapping the test implementation into a Promela model, 3) Generating executable test scripts in Java. The generation of an intermediate Promela model allows for model-checking to inspect the test implementation for properties like soundness, fault detection power as well as for consistency checking between different test scenarios. Moreover decoupling the executable test scripts from the scenario specification makes it possible to use different backend code generators to support other scripting languages when needed.

Slicing AADL Specifications for Model Checking

Abstract: To combat the state-space explosion problem in model checking larger systems, abstraction techniques can be employed. Here, methods that operate on the system specification before constructing its state space are preferable to those that try to minimize the resulting transition system as they generally reduce peak memory requirements. We sketch a slicing algorithm for system specifications written in (a variant of) the Architecture Analysis and Design Language (AADL). Given a specification and a property to be verified, it automatically removes those parts of the specification that are irrelevant for model checking the property, thus reducing the size of the corresponding transition system. The applicability and effectiveness of our approach is demonstrated by analyzing the state-space reduction for an example, employing a translator from AADL to Promela, the input language of the SPIN model checker.

A method of verifying web service composition

Abstract: Service composition is one of the primary tasks in developing service-oriented systems. However, there are currently some challenges to check its correction. In this paper, we propose a visual methodology and a tool for verifying business processes written in BPEL by using the SPIN model checker. We present algorithms to translate BPEL processes into PROMELA programs via labeled control flow graphs. The use of label control graphs in the tool will help regular users understand BPEL business processes and the verification process with a model checker more easily. Finally, the Spin model checker will verify important properties of the PROMELA program that represents a BPEL business process.

Formal verification of secure ad hoc routing protocols using AVISPA: ARAN case study

Abstract: Formal verification through model checking proved to be a very useful validation technique for security protocols: authentication, key agreement, non-repudiation, confidentiality, etc. But it has not been yet fully applied for the security properties of secure routing protocols for ad hoc networks. Few researchers had tried this approach. But they had mainly used Promela and SPIN, a tool that is relatively difficult to use. On the other hand, other researchers used formal analysis, a mathematical approach with good results but that is hard to automate. In this paper we present the use of AVISPA in this purpose. We show that the model under which the verification is made is identical to the models used by the researchers that implemented verification in SPIN or by the ones that used formal analysis. Then we present an actual verification taking as a case study ARAN secure routing protocol.

Method for verifying consistency of dynamic behavior in UML model and time-sequence contract

Abstract: The invention relates to a method for verifying the consistency of a dynamic behavior in a unified modeling language (UML) model and a time-sequence contract. The method is characterized by comprisingthe following steps: modeling according to the UML standard, including generating a UML state diagram and a UML sequence diagram, and then saving the metamodels of the diagrams; mapping the UML statediagram to a PROMELA code for the dynamic behavior of the model; establishing the time-sequence contract of the model to map the UML sequence diagram to an LTL temporal logical formula; utilizing a model verifying tool SPIN to verify the PROMELA code and the LTL temporal logical formula; and analyzing the returned SPIN verifying result. The technical scheme of the invention associates the unifiedmodeling language (UML) and the verifying tool together, solves the problem of model inconsistency arisen in the requirement and design stage of soft engineering and provides an effective basis for the subsequent development of model driving type software.

Data decision diagrams for Promela systems analysis

Abstract: In this paper, we show how to verify computation tree logic (CTL) properties, using symbolic methods, on systems described in Promela. Symbolic representation is based on data decision diagrams (DDDs) which are n-valued Shared Decision Trees designed to represent dynamic systems with integer domain variables. We describe principal components used for the verification of Promela systems (DDD, representation of Promela programs with DDD, the transposition of the execution of Promela instructions into DDD). Then we compare and contrast our method with the model checker SPIN or classical binary decision diagram (BDD) techniques to highlight as to which system classes SPIN or our tool is more relevant.

An approach to check the consistency between the UML 2.0 dynamic diagrams

Abstract: Nowadays, UML is applied to modeling in the analysis and design of software systems widely. However, modeling the system by different UML diagrams certainly will introduce inconsistency between UML diagrams. A method model checking the consistency between Statechart Diagram and Sequence Diagram in UML 2.0 is given. Firstly, XYZ/E can express the mechanism of state transformation and formal semantics, so it can characterize Statechart Diagram directly. Secondly, XYZ/E and Promela are similar in many aspects; an algorithm transforms the XYZ/E code into promela is proposed. In the follow, the rules which describe how to use LTL to express the interaction fragments in UML2.0 sequence diagram are given. Finally, the consistency between the two diagrams is verified by checking whether the LTL formula is the property of the model described by Promela.

Timing analysis using formal methods

Abstract: A method and tools for providing precise timing analysis scalable to industrial case studies with large numbers of tasks and messages are provided, including the capability to model and analyze task and message response times; ECU usage; bus usage; end-to-end latency of task/message chains; and timing synchronization problems in task/message graphs. System tasks and messages are modeled in a formalism known as calendar automaton. Models are written in a modeling language such as Promela and instrumented with code specific to the analysis specification. Models and instrumentation are automatically generated from the system description and analysis specification. The system model is subjected to exhaustive state space exploration by a compatible model checker, such as SPIN. During exploration, the instrumented code produces results for different timing analyses. Optimization techniques are provided to generate models which require less memory and time for analysis and make the method scalable to large, industrial case studies.

Analyzing a formal specification of Mondex using model checking

Abstract: Mondex, an electronic purse, is the first pilot project of the software verification Grand Challenge to establish the correctness of software. Several research groups around the world have applied different formal methods in specifying and analyzing the Mondex since 2006. In this paper, we present a method to analyze the Sam specification of Mondex using model checking. Our specification uses Sam that integrates high level Petri nets and temporal logic. Our analysis method translates the SAM Mondex specification into a behavior preserving PROMELA program and uses SPIN to model check the resulting PROMELA program. Our results and experiences are discussed, which contributes to the world wide effort in developing a verified software repository.

Verification of Privacy Preserving Authentication Protocol for VANETs

Abstract: The paper presents verification of privacy preserving authentication protocol for VANETs using SPIN tool. The authentication process involves authentication of the moving vehicle and the corresponding road side unit (RSU) by a fixed infrastructure from (CTA) through RSU. The whole process needs only one request and reply between different entities. The work described the impact of known attack on the protocol, graphically specification, its behavior in terms of reliability and its correctly verification using the integrated specification verifying JSPIN tool.

Model Checking Security Vulnerabilities in Software Design

Abstract: Software faults in the design are frequent sources of security vulnerabilities. Mode checking shows the great promise in detecting and eradicating security vulnerabilities in the programs. The wide use of the system modeling language UML with precise syntax and semantics enables software engineers to analyze the design in details. We present a method of integrating the two techniques to detect design faults which may become security vulnerabilities in the software. Given a software design in UML and security policy, our method extracts the security properties and formally expresses them in temporal logic language. Combining with the security properties, we convert the UML models into PROMELA models, which are input of the model checker SPIN. The method either statically proves that the model satisfies the security property, or provides an execution path that exhibits a violation of the property. A case study shows the feasibility of the method.

Model checking of SSL 3.0 protocol based on SPIN

Abstract: Model checking is to check whether a bounded state system can meet their design specifications using state-space search approach automatically. This paper describes the key exchange protocol SSL 3.0, and conducts a formalized analysis and modeling and verification of the protocol by using the famous model checker tool SPIN. The LTL property is dynamically changed during the verification which can reduce the transition of model space and make the search more efficiently. The experimental results show that this method of verification is correct, certificate the safety and feasibility of the protocol itself, and improve the verification efficiency of the protocol.

Model Checking Cryptographic Protocols with Interval Temporal Logic

Abstract: This paper investigates model-checking Needham-Schroeder Public-Keyprotocol using Propositio nal Projection Temporal Logic (PPTL). To this end, the ProMeLa model of the protocol is firstly constructed then the properties to verify is specified by PPTL formulas, which is translated into automata and further to Never Claim. The transformation is by the method we present and is implemented by an automatic tool we developed. After that, the verification is done base on SPIN, and the results shows PPTL model checking approach is sound and can be used to verify more generalized communication protocols.

Model checking programmable router configurations

Abstract: Programmable networks offer the ability to customize router behaviour at run time, thus increasing flexibility of network administration. Programmable network routers are configured using domain-specific languages. In this paper, we describe our approach to defining the syntax and semantics of such a domain-specific language. The ability to evolve router programs dynamically creates potential for misconfigurations. By exploiting domain-specific abstractions, we are able to translate router configurations into Promela and validate them using the Spin model checker, thus providing reasoning support for our domain-specific language. To evaluate our approach we use our configuration language to express the IETF's Differentiated Services specification and show that industrial-sized DiffServ router configurations can be validated using Spin on a standard PC.

CheAPS: a Checker of Asynchronous Parameterized Systems

Abstract: We present CheAPS, the checker of asynchronous parameterized communicating systems. It is a set of tools for verification of parameterized families F = {Mn} of finite-state models against LTL specification φ. Each model Mn from a family F is composed of a fixed number of control processes and n processes from a fixed set of prototypes. Given a description of a family F CheAPS generates finite-state models Mn and checks if one of such models can be used as an invariant of the family. As soon as an invariant is detected it is model checked by Spin to verify it against a specification φ. If Spin completes the verification successfully, then all the models of F satisfy φ. CheAPS is designed to use existing non-parameterized models as a source of parameterized family description. When one has a debugged model with a fixed number of processes it should be rather easy to create a parameterized variant. Therefore, we chose the following way. The process prototypes are described in a subset of Promela. The communication structure of the models from F is described by means of a network grammar G. The terminals of G stand for process prototypes whereas non-terminals of G are used to generate subnets. The rules of this grammar are annotated with channel bindings to provide a correct connection of prototype processes to the network. A parameterized family F as a set of finite-state models can be viewed as a language of the network grammar G. CheAPS includes the gen-net-model tool to automatically generate Promela descriptions of models Mn from a network grammar G and prototype descriptions. The core component of CheAPS is the simba tool intended for checking block simulation between finite-state models. For each non-terminal N of the grammar G models induced by N are successively generated. For two models induced by N simba constructs a block simulation relation. In the simple case if a larger model is proved to be simulated by a smaller one, then the smaller one is declared to be an invariant IN of N . In a general case several models induced by N should be simulated by an invariant model IN . The models vary by application of different grammar rules to N in the last steps. The goal is to find such a model which simulates all the models derived from N . As state-spaces in model checking grow rapidly with increase of the number of communicating processes simba has several state storage implementations and search strategies. State storage implementations are as follows: std, dfa, dfafile. The first one is a standard C++ implementation of a set, which works well only on relatively small state spaces. The second one uses the representation of state set by a minimized DFA, which is implemented in Spin. The last one is a mixed representation by a minimized DFA and a sequential file. While DFA is utilized to check set membership, a file keeps “unstable” states, which should be explored on the next iteration. Thus, dfafile keeps the balance between memory consumption and performance. Along with forward search strategy simba provides forward-then-back search strategy, which propagates negative results. If simba cannot find an invariant for “reasonably” large models induced from N one may apply the failpath tool. This tool selects the paths in the models to give an insight on the

Monitoring Local Progress with Watchdog Timers Deduced from Global Properties

Abstract: Distributed systems are used in numerous applications where failures can be costly. Due to concerns that some of the nodes may become faulty, critical services are usually replicated across several nodes, which execute distributed algorithms to ensure correct service in spite of failures. To prevent replica-exhaustion, it is fundamental to detect errors and trigger appropriate recovery actions. In particular, it is important to detect situations in which nodes cease to execute the intended algorithm, e.g., when a replica is compromised by an attacker or when a hardware fault causes the node to behave erratically. This paper proposes a method for monitoring the local execution of nodes using watchdog timers. The approach consists in deducing, from the global system properties, local states that must be visited periodically by nodes that execute the intended algorithm correctly. When a node fails to trigger a watchdog before the time limit, an appropriate response can be initiated. The approach is applied to a well-known Byzantine consensus algorithm. The algorithm is modeled in the Promela language and the Spin model checker is used to identify local states that must be visited periodically by correct nodes. Such states are suitable for online monitoring using watchdog timers.

A Key Technique to Develop the Model Checker for Propositional Projection Temporal Logic

Abstract: The propositional projection temporal logic(PPTL)has more expressive power than other linear temporal logics,for example,the propositional linear-time temporal logic(PLTL),and thus is more suitable for use as a specification language in model checkingHence,a key technique for PPTL model checker is presentedThe model checker interprets a ProMeLa model S as a Buchi automaton AS,and transforms PPTL property P to an automaton A PIn order to determine whether S satisfies P or not,the product of automata AS and A P is computed and it is checked whether the product automaton accepts the empty word or notThe checking algorithm is implemented based on SPINHowever,since PPTL contains both finite and infinite models,SPIN cannot be used off-the-shelfTo cope with the problem,the related algorithm in SPIN is modified to support PPTLExperimental results show that the PPTL model checker can effectively perform model checking against PPTL properties

Researches on the Modeling and Verification of BPE14WS Based on Spin

Abstract: One of important issues in web service composition researching area is how to describe web service composition formally and verify the correctness.A formal model of web service composition can be used to check and verify web service composition so that the correctness of web service composition can be guaranteed.This paper gives the transform method from BPEL4WS to Promela and verifies the model based on SPIN.At last,this paper gives an example of web service composition and the model checking method through verifying the safeness,liveness and boundness of the model.

Extending non-termination proof techniques to asynchronously communicating concurrent programs

Abstract: Currently, no approaches are known that allow for non-termination proofs of concurrent programs which account for asynchronous communication via FIFO message queues. Those programs may be written in high-level languages such as Java or Promela. We present a first approach to prove nontermination for such programs. In addition to integers, the programs that we consider may contain queues as data structures. We present a representation of queues and the operations on them in the domain of integers, and generate invariants that help us prove non-termination of selected control flow loops using a theorem proving approach. We illustrate this approach by applying a prototype tool implementation to a number of case studies.

A component based testing technique for a MANET routing protocol

Abstract: This paper deals with the crucial challenging issue of testing the conformance of the MANET routing protocols. Indeed, because of the inherent constraints of such networks such as a dynamic topology, to formally test these protocols becomes a tough problem. Most of the studies taking into account a formal model of the protocol is faced to the combinatorial state space explosion issue when deploying and analyzing that model. In our work we present how to cope with that problem by drawing inspiration of the model-checker research domain and an integration of a component-based testing algorithm dedicated to the automatic generation of OLSR test sequences from a formal model written in Promela.

Promela-based UML Modeling Methods and Its Application

Abstract: In terms of the advantages and disadvantages of the formalization methods and the visualization methods,this paper proposes modeling methods based on the two methods,which are reciprocal supplemented each other,it mainly focuses on how to use the formalization methods to verify the UML model,converts a UML model to a Promela specification,and then uses the famous model checking tool SPIN to verify it.And it is resulted to be available to verify the converting methods through an instance.