Frédéric Herbreteau

Using non-convex approximations for efficient analysis of timed automata

The reachability problem for timed automata asks if there exists a path from an initial state to a target state. The standard solution to this problem involves computing the zone graph of the automaton, which in principle could be infinite. In order to make the graph finite, zones are approximated using an extrapolation operator. For reasons of efficiency in current algorithms extrapolation of a zone is always a zone; and in particular it is convex. In this paper, we propose to solve the reachability problem without such extrapolation operators. To ensure termination, we provide an efficient algorithm to check if a zone is included in the so called region closure of another. Although theoretically better, closure cannot be used in the standard algorithm since a closure of a zone may not be convex. An additional benefit of the proposed approach is that it permits to calculate approximating parameters on-the-fly during exploration of the zone graph, as opposed to the current methods which do it by a static analysis of the automaton prior to the exploration. This allows for further improvements in the algorithm. Promising experimental results are presented.

Efficient emptiness check for timed büchi automata

The Buchi non-emptiness problem for timed automata concerns deciding if a given automaton has an infinite non-Zeno run satisfying the Buchi accepting condition The standard solution to this problem involves adding an auxiliary clock to take care of the non-Zenoness In this paper, we show that this simple transformation may sometimes result in an exponential blowup We propose a method avoiding this blowup.

The power of hybrid acceleration

This paper addresses the problem of computing symbolically the set of reachable configurations of a linear hybrid automaton. A solution proposed in earlier work consists in exploring the reachable configurations using an acceleration operator for computing the iterated effect of selected control cycles. Unfortunately, this method imposes a periodicity requirement on the data transformations labeling these cycles, that is not always satisfied in practice. This happens in particular with the important subclass of timed automata, even though it is known that the paths of such automata have a periodic behavior. The goal of this paper is to broaden substantially the applicability of hybrid acceleration. This is done by introducing powerful reduction rules, aimed at translating hybrid data transformations into equivalent ones that satisfy the periodicity criterion. In particular, we show that these rules always succeed in the case of timed automata. This makes it possible to compute an exact symbolic representation of the set of reachable configurations of a linear hybrid automaton, with a guarantee of termination over the subclass of timed automata. Compared to other known solutions to this problem, our method is simpler, and applicable to a much larger class of systems.

Efficient on-the-fly emptiness check for timed Büchi automata

The Buchi non-emptiness problem for timed automata concerns deciding if a given automaton has an infinite non-Zeno run satisfying the Buchi accepting condition. The solution to this problem amounts to searching for a cycle in the so-called zone graph of the automaton. Since non-Zenoness cannot be verified directly from the zone graph, additional constructions are required. In this paper, it is shown that in many cases, non-Zenoness can be ascertained without extra constructions. An on-the-fly algorithm for the non-emptiness problem, using an efficient non-Zenoness construction only when required, is proposed. Experiments carried out with a prototype implementation of the algorithm are reported and the results are seen to be promising.

Lazy Abstractions for Timed Automata

We consider the reachability problem for timed automata. A standard solution to this problem involves computing a search tree whose nodes are abstractions of zones. For efficiency reasons, they are parametrized by the maximal lower and upper bounds (LU-bounds) occurring in the guards of the automaton. We propose an algorithm that dynamically updates LU-bounds during exploration of the search tree. In order to keep them as small as possible, the bounds are refined only when they enable a transition that is impossible in the unabstracted system. So our algorithm can be seen as a kind of lazy CEGAR algorithm for timed automata. We show that on several standard benchmarks, the algorithm is capable of keeping very small LU-bounds, and in consequence is able to reduce the search space substantially.

Decidable Topologies for Communicating Automata with FIFO and Bag Channels

We study the reachability problem for networks of finite-state automata communicating over unbounded perfect channels. We consider communication topologies comprising both ordinary FIFO channels and bag channels, i.e., channels where messages can be freely reordered. It is well-known that when only FIFO channels are considered, the reachability problem is decidable if, and only if, there is no undirected cycle in the topology. On the other side, when only bag channels are allowed, the reachability problem is decidable for any topology by a simple reduction to Petri nets. In this paper, we study the more complex case where the topology contains both FIFO and bag channels, and we provide a complete characterisation of the decidable topologies in this generalised setting.

Efficient emptiness check for timed Büchi automata

The Büchi non-emptiness problem for timed automata refers to deciding if a given automaton has an infinite non-Zeno run satisfying the Büchi accepting condition. The standard solution to this problem involves adding an auxiliary clock to take care of the non-Zenoness. In this paper, it is shown that this simple transformation may sometimes result in an exponential blowup. A construction avoiding this blowup is proposed. It is also shown that in many cases, non-Zenoness can be ascertained without an extra construction. An on-the-fly algorithm for the non-emptiness problem, using a non-Zenoness construction only when required, is proposed. Experiments carried out with a prototype implementation of the algorithm are reported.

Reachability of communicating timed processes

We study the reachability problem for communicating timed processes, both in discrete and dense time. Our model comprises automata with local timing constraints communicating over unbounded FIFO channels. Each automaton can only access its set of local clocks; all clocks evolve at the same rate. Our main contribution is a complete characterization of decidable and undecidable communication topologies, for both discrete and dense time. We also obtain complexity results, by showing that communicating timed processes are at least as hard as Petri nets; in the discrete time, we also show equivalence with Petri nets. Our results follow from mutual topology-preserving reductions between timed automata and (untimed) counter automata. To account for urgency of receptions, we also investigate the case where processes can test emptiness of channels.

Unfolding concurrent well-structured transition systems

Our main objective is to combine partial-order methods with verification techniques for infinite-state systems in order to obtain efficient verification algorithms for concurrent infinite-state systems. Partial-order methods are commonly used in the analysis of finite systems consisting of many parallel components. In this paper we propose an extension of these methods to parallel compositions of infinite-state systems. We argue that it is advantageous to model each component by an event structure as this allows us to exhibit the concurrency present implicitly in some infinite-state systems such as automata with queues or counters. We generalize the notion of complete prefix from 1-safe Petri nets to all well-structured transition systems. We give an on-the-fly unfolding algorithm which given event structures representing the components produces an event structure representing their synchronized product. A prototype implementation demonstrates the benefits of our approach.

SneakLeak: Detecting Multipartite Leakage Paths in Android Apps

In this paper, a technique is proposed to address the threat emerging from multiple colluding Android applications (apps). Existing techniques have focused on single app analysis which may be defeated by scattering leakage-capable path segments across multiple apps. In such a scenario, individual app shall appear benign. Whereas, together with other conspiring apps, if present, can lead to information leakage. This threat is known as app collusion. Relay of private and sensitive information from one app to another is possible via multiple communication mechanisms provided by Android. In this paper, we present SneakLeak, a new model-checking based technique for detection of app collusion. The proposed method analyze multiple apps simultaneously. SneakLeak can identify any set of conspiring apps that might be involved in the collusion. To demonstrate the efficacy of our proposal, we experimented with Android apps exhibiting collusion through inter-app communication. The apps are taken from test dataset named DroidBench. Our experiments show that the technique can precisely detect the presence/absence of collusion among apps.