Lenore D. Zuck

The Glory of the Past

An extension of propositional temporal logic that includes operators referring to a bounded past is considered. An exponential time decision procedure and a complete axiomatic system are presented. A suggested normal form leads to a syntactic classification of safety and liveness formulae. The adequacy of temporal logic to modular verification is examined. Finally we present the notion of α-fairness which is proved to fully capture the behavior of probabilistic finite state programs.

VOC: A translation validator for optimizing compilers

Abstract There is a growing awareness, both in industry and academia, of the crucial role of formally proving the correctness of safety-critical components of systems. Most formal verification methods verify the correctness of a high-level representation of the system against a given specification. However, if one wishes to infer from such a verification the correctness of the code which runs on the actual target architecture, it is essential to prove that the high-level representation is correctly implemented at the lower level. That is, it is essential to verify the the correctness of the translation from the high-level source-code representation to the object code, a translation which is typically performed by a compiler (or a code generator in case the source is a specification rather than a programming language). Formally verifying a full-fledged optimizing compiler, as one would verify any other large program, is not feasible due to its size, ongoing evolution and modification, and, possibly, proprietary considerations. The translation validation method used in this paper is a novel approach that offers an alternative to the verification of translators in general and compilers in particular. According to the translation validation approach, rather than verifying the compiler itself, one constructs a validation tool which, after every run of the compiler, formally confirms that the target code produced on that run is a correct translation of the source program The paper presents VOC–a methodology for translation validation of optimizing compilers. We distinguish between structure preserving optimizations, for which we establish a simulation relation between the source and target code based on computational induction, and structure modifying optimizations, for which we develop specialized “meta-rules”. The paper also describes VOC64—a prototype translation validator that automatically produces verification conditions for the global optimizations of the SGI Pro-64 compiler.

JTLV: a framework for developing verification algorithms

Jtlv is a computer-aided verification scripting environment offering state-of-the-art Integrated Developer Environment for algorithmic verification applications Jtlv may be viewed as a new, and much enhanced Tlv [18], with Java rather than Tlv-basic as the scripting language JTLV attaches its internal parsers as an Eclipse editor, and facilitates a rich, common, and abstract verification developer environment that is implemented as an Eclipse plugin.

Reliable communication over unreliable channels

Layered communication protocols frequently implement a FIFO message fiacility cm top of an unrehable non-FIFO serwce such as that provided hy a packet-swltchmg network. This paper investigates the possibdity of Implementing a reliable message layer on top of an underlying layer that can low packets and deliver them out of order, with the addltlonzd restriction that the implementatmn uses only a fixed fimte number of different packets. A new formalism is presented to spcclfy communication layers and their properties, the notion of their implementation by 1/0 automata. and the properties of such implementations. An 1/0 automaton that Implements a rellable layer over an unreliable layer is presented In this implementation, tbe number ot packets needed to deliver each succeeding message increases permanently as additional packet-loss and reordering faults occur. A proof is gwen that no protocol can avoid such performance degradatmn.

The faithfulness of abstract protocol analysis: message authentication

Dolev and Yao initiated an approach to studying cryptographic protocols which abstracts from possible problems with the cryptography so as to focus on the structural aspects of the protocol. Recent work in this framework has developed easily applicable methods to determine many security properties of protocols. A separate line of work, initiated by Bellare and Rogaway, analyzes the way specific cryptographic primitives are used in protocols. It gives asymptotic bounds on the risk of failures of secrecy or authentication.In this paper we show how the Dolev-Yao model may be used for protocol analysis, while a further analysis gives a quantitative bound on the extent to which real cryptographic primitives may diverge from the idealized model. We develop this method where the cryptographic primitives are based on Carter-Wegman universal classes of hash functions. This choice allows us to give specific quantitative bounds rather than simply asymptotic bounds.

TVOC: a translation validator for optimizing compilers

We describe a tool called TVOC, that uses the translation validation approach to check the validity of compiler optimizations: for a given source program, TVOC proves the equivalence of the source code and the target code produced by running the compiler. There are two phases to the verification process: the first phase verifies loop transformations using the proof rule permute; the second phase verifies structure-preserving optimizations using the proof rule Validate. Verification conditions are validated using the automatic theorem prover CVC Lite.

Model checking and abstraction to the aid of parameterized systems (a survey)

Parameterized systems are systems that involve numerous instantiations of the same finite-state module, and depend on a parameter which defines their size. Examples of parameterized systems include sensor systems, telecommunication protocols, bus protocols, cache coherence protocols, and many other protocols that underly current state-of-the-art systems. Formal verification of parameterized systems is known to be undecidable (Inform. Process. Lett. 22 (6)) and thus cannot be automated. Recent research has shown that it is often the case that a combination of methodologies allows to reduce the problem of verification of a parameterized system into the problem of verification of a finite-state system, that can be automatically verified. This paper describes several recent methodologies, based on model checking and abstraction. We start with the method of invisible auxiliary assertions that combines a small-model theorem with heuristics to automatically generate auxiliary constructs used in proofs of correctness of parameterized systems. We also describe the method of counter abstraction that offers simple liveness proofs for many parameterized systems, and discuss novel methodologies of using counter abstraction to automatically verify that probabilistic parameterized system satisfy their temporal specifications with probability 1.

Network Invariants in Action

The paper presents the method of network invariants for verifying a wide spectrum of LTL properties, including liveness, of parameterized systems. This method can be applied to establish the validity of the property over a system S(n) for every value of the parameter n. The application of the method requires checking abstraction relations between two finite-state systems. We present a proof rule, based on the method of Abstraction Mapping by Abadi and Lamport, which has been implemented on the tlv modelc hecker and incorporates both history and prophecy variables. The effectiveness of the network invariant method is illustrated on several examples, including a deterministic and probabilistic versions of the dining-philosophers problem.

Verifying Correctness of Transactional Memories

We show how to verify the correctness of transactional memory implementations with a model checker. We show how to specify transactional memory in terms of the admissible interchange of transaction operations, and give proof rules for showing that an implementation satisfies this specification. This notion of an admissible interchange is a key to our ability to use a model checker, and lets us capture the various notions of transaction conflict as characterized by Scott. We demonstrate our work using the TLC model checker to verify several well-known implementations described abstractly in the TLA+ specification language.

Tight bounds for the sequence transmission problem

We investigate the problem of transmitting sequences over unreliable channels where both the data items and the message alphabet have finite domains. We show tight bounds on the number of different sequences that can be transmitted (as a function of size of the message alphabet) when the channel can (1) reorder and duplicate messages and (2) reorder and delete messages. All of our results are derived using formal reasoning about, knowledge.