The aim of this conference is to bring together students and faculty interested in application of formal methods to specification and verification of software systems. The conference will consist of a series of presentations by students of CSC2108, Fall'03. The presentations are based on projects that the students worked on between 12/2003-1/2004 either on their own or in groups of two. Projects done by one person will be presented in 15 minutes followed by a 5-minute question period. Two-person projects will be presented in 23 minutes followed by a 7-minute question period. The program below gives the schedule of these talks and their abstracts. Everyone is welcome to attend. Proceedings of this conference will be published as a DCS technical report. Conference Venue: The conference will take place in BA5256 at the University of Toronto.
Nelson Arruda and Ali Juma, Three Tools for
Model-Checking Security Protocols.
We look at three tools for model-checking security protocols. These
tools are OFMC, Hermes, and Maude. We also model and verify the SSL
Handshake Protocol using OFMC.
Ou Wei and Yong Yuan, Asymmetry and 3-Valued Symmetry Reduction (Presentation PPT)
Symmetry reduction is an efficient abstraction technique for symmetric
systems. The reduced model produced by this method is often smaller
than the original model, and is bisimilar to that model. However, it
is very often that systems are not "perfectly" symmetric, while
exhibiting symmetry in part of their behaviors. In this paper, by
defining a more general permutation, component symmetry, we extend
symmetry reduction to a wider class of asymmetric systems. We show
that the component symmetry reduced model is bisimulation equivalent
to the original model.
Multi-valued models exhibit special symmetric properties because of the
states and transitions labeled with multi-valued logic values. In this
paper, we also develop symmetry reduction on 3-valued models, and show
that the original 3-valued model and its symmetry reduced model refine each
other. We then analyze the relationship between symmetry reduction of
a 3-valued model and classical models induced by it.
Borys Bradel, Two Approaches of Showing
Program Equivalence (Presentation PPT)
We describe two approaches to showing program equivalence. Program
equivalence is useful for showing that a program created by an
optimizing compiler is correct. The optimized version of the program
can be compared to a program that is created from the same source code
by a verified compiler that performs no optimizations. Our first
approach consists of using a theorem prover, ACL2, to prove that two
programs are equivalent. For this approach to work we must transform
the instructions of the programs into a representation that ACL2 can
work with. Our second approach consists of calculating the weakest
pre-condition needed for two programs to be correct, and then using
ACL2 to prove that the pre-condition is met. We use both approaches
to show the equivalence of several programs.
Shiva Nejati and Mehrdad Sabetzadeh,
Integrating Model-Checking and Theorem Proving for Automating the
Generation of Abstractions (Presentation PDF)
We investigate how the integration of model-checking and theorem
proving techniques can help in automating the process of constructing
abstractions. We survey some of the existing approaches to automatic
generation of abstract models. Each approach is exemplified and its
important details are outlined. In addition, we show how the
optimizations proposed in [NGC03] can be expressed in terms of
satisfiability problems and incorporated into a 3-valued abstraction
framework.
Mihaela Gheorghiu, Symbolic Trajectory Evaluation (Presentation PDF)
The purpose of this work is to survey the Symbolic Trajectory
Evaluation (STE) method of formal hardware verification, and present a
tool implementing STE.
Yinghua Jia, Initial
Abstraction Generation using Requirements
Many researchers
have proposed approaches for automatic abstraction refinement.
However, the role of requirements in initial abstraction generation is
under-investigated. I believe that in order to scale model checking
to realistic programs, aggressive abstraction based on requirement is
necessary. In this project paper, the idea of requirements guided
abstraction is outlined and a discussion of issues for realization of
this idea is also presented.
Maryam Rashidian, Using Query Checking to
Generate Test Sequences for Different Coverage Criteria (Presentation PPT)
Testing is our tool to uncover development and coding errors and to
assess software reliability, dependability, and performance. The most
common testing practice is to construct a test suite. A test set or
test suite is a finite set of test sequences, according to some
selection criteria, called coverage criteria. The notion of coverage
limits the type and number of tests generated, and let testers decide
whether software has been adequately tested for a specific testing
criterion. Test requirements are specific things that must be
satisfied or covered; for example, reaching statements are the
requirements for statement coverage. A testing criterion is a rule or
collection of rules that impose requirements on a set of test
cases. Test engineers measure the extent to which a criterion is
satisfied in terms of coverage, which is the percent of requirements
that are satisfied.
Manual construction of test suites is time consuming and error prone,
therefore automatic generation of test suites is desirable to improve
the quality of testing. Formal methods offer an opportunity to reduce
the cost of the testing phase, by applying model checking to the
problem of test case generation. Using query checking to produce test
sequences is a different experience.
Temporal logic query checking was first introduced by William Chan. He
proposed a number of applications for query checking by giving more
feedback to the user during model checking, by providing a partial
explanation when the property holds and diagnostic information when it
does not. A query is a temporal logic formula containing a special
symbol ?x, known as a placeholder. Given a Kripke structure and a
prepositional formula y, we say that y satisfies the query if
replacing the placeholder by y results in a temporal logic formula
satisfied by the Kripke structure. Query checking has been shown to be
applicable to a variety of model exploration tasks, ranging from
invariant computation to test case generation. In this paper we show
that query checking can be successfully and effectively be applied for
test case generation for different Logical Expression Coverage
Criteria. To illustrate this we use a Cruise Control System model
specified with SCR and the witness generation property of the query
checker TLQSolver, which is a temporal logic query checker on top of
multi-valued model checker XChek.
Ye Wang and Hui Lan, Probabilistic Symbolic Model-Checking: Theory and
Practice (Presentation Part 1 PPT, Part 2 PDF)
Model checking has made significant advancement in
the past two decades. In this report, we will focus on probabilistic
symbolic model checking. We will describe three probabilistic system
models, namely, discrete-time Markov chain, Markov decision process,
and continuous-time Markov chain. With each model, we will examine its
corresponding specification language and model checking algorithm.
Then we will use the probabilistic symbolic model checking tool,
PRISM, to verify properties of a simple web server with possible
hardware and software failures.
Sotirios Liaskos,
Representing and Exploring the Behavioral View of
Goal Models: A Semi-Formal Approach (Presentation PPT)
Goal analysis is a modeling technique for recursively decomposing a
problem in order to generate software requirements. The main result of
this process, the goal decomposition model, is an AND/OR graph that
describes the alternative sets of tasks that can satisfy the root
goal. The diagrammatic notation for building such graphs is provided
by the GRL language. We enrich GRL to support posing constraints to
the order with which the goals can be satisfied and tasks can be
performed. Thus, we introduce the precedence link. By adding
precedence constraints between goals/tasks found in the decomposition
view, we create the precedence diagram which constitutes the
behavioral view of the goal model. From this, we extract a Kripke
structure, and use SMV and XChek to explore alternative scenarios with
which the goals can be satisfied. Among others, we find that
behavioral constraints may also imply functional constraints.
Wai Sum MONG, Lazy Abstraction on Software Model Checking (Presentation PPT)
This paper is a survey of the BLAST, which is a software model checker
for C programs developed at Berkeley. Based on the popular
abstract-check-refine paradigm, the concept of lazy abstraction is
introduced in the BLAST project. Lazy abstraction is an new idea
proposed to optimize the abstract-check-refine loop. We present the
lazy abstraction concept and the implementation framework of BLAST.
In the end, an example of using the BLAST is also given.
Jonathan Amir, A survey of Run-time Verification (Presentation PPT)
Traditional formal methods such as model checking and theorem proving
provide solutions to verification and validation of software
systems. However, they are usually heavy and do not scale
well. On the other hand, software testing is the most widely used
technique to verify the correctness of software systems. It scales
well, but it is not formal, and doesn't provide any
guarantees. Run-time Verification is a light-weight formal method
technique that attempts to bridge the gap between formal methods and
testing. A program is monitored while it is running and checked
against properties of interest that are specified formally. In this
paper we survey recent developments in Run-time Verification, discuss
relevant algorithms and techniques and present the JPaX and Java-MaC
tools.
Kevin Brewer, Binary Decision Diagrams and Automated Verification This report serves as an overview of the use of Ordered Binary/Boolean Decision Diagrams (OBDDs) in automated verification. The history, key developments and current state of the problems involved will be discussed, with a focus on examining some of the ways of approaching/approximating optimal orderings for minimal OBDD size.
Lin Mei and Yuan Gan, Verification of an Elevator System with MOCHA Unlike many other existing model checkers, MOCHA is designed for the modular verification of heterogeneous systems. Instead of manipulating unstructured state-transition graphs, it supports the hierarchical modeling framework of Reactive Modules. It overcomes the state-explosion problem by exploiting the modular structure naturally present in many system designs. Instead of traditional temporal logics such as CTL and LTL, it uses Alternating Temporal Logic, a module-level specification language. For the verification of complex systems, its algorithms incorporate optimizations based on the hierarchical reduction of sequences of internal transitions. In this paper, we study the language Reactive Modules, the Alternating Temporal Logic and use a case study of an elevator system to try out MOCHA. Finally, we compare it with other tools SMV and SPIN and draw conclusions.
Ulrich Germann, Planning
and Model Checking: A Review of Recent Interactions
Model checking can be seen as plan validation: A system design is a
plan of what the system should do. Model checking then means verifying
that the plan achieves its objectives under all circumstances. Vice
versa, we can view planning as model checking. The actions of an
agent change its environment (otherwise, there would be no point in
acting as an agent). The changes in the overall system (the
environment) can be modeled as state transition graphs, which often
can be "folded up" into a Kripke or closely related structure.
Planning then amounts to finding a path trough this structure that
reaches a desired goal state. In model checking, much research has
been devoted to the efficient storage of large state transition
structures, whereas efficient search within such structures has been
studied intensively in AI. My talk discusses some recent interactions
between the two fields, in particular the adoption of model checking
techniques for "conformant planning" (AGAF x, or "the goal must be
accomplished under all circumstances"), and heuristic search for model
checking.
For more information or to request a copy of conference proceedings, send mail to chechik@cs.toronto.edu. Information about CSC2108 "Automated Verification" is available at www.cs.toronto.edu/~chechik/courses03/csc2108.