
Publication


Featured research published by Stefan Schwoon.


Computer Aided Verification | 2000

Efficient Algorithms for Model Checking Pushdown Systems

Javier Esparza; David Hansel; Peter Rossmanith; Stefan Schwoon

We study model checking problems for pushdown systems and linear time logics. We show that the global model checking problem (computing the set of configurations, reachable or not, that violate the formula) can be solved in \(O(|\mathcal{P}|^3 |\mathcal{B}|^3)\) time and \(O(|\mathcal{P}|^2 |\mathcal{B}|^2)\) space, where \(|\mathcal{P}|\) and \(|\mathcal{B}|\) are the size of the pushdown system and the size of a Büchi automaton for the negation of the formula. The global model checking problem for reachable configurations can be solved in \(O(|\mathcal{P}|^4 |\mathcal{B}|^3)\) time and \(O(|\mathcal{P}|^4 |\mathcal{B}|^2)\) space. In the case of pushdown systems with a constant number of control states (relevant for our application), the complexity becomes \(O(|\mathcal{P}| |\mathcal{B}|^3)\) time and \(O(|\mathcal{P}| |\mathcal{B}|^2)\) space and \(O(|\mathcal{P}|^2 |\mathcal{B}|^3)\) time and \(O(|\mathcal{P}|^2 |\mathcal{B}|^2)\) space, respectively. We show applications of these results in the area of program analysis and present some experimental results.


International Symposium on Theoretical Aspects of Computer Software | 2001

Model checking LTL with regular valuations for pushdown systems

Javier Esparza; Antonín Kučera; Stefan Schwoon

Recent works have proposed pushdown systems as a tool for analyzing programs with (recursive) procedures, and the model-checking problem for LTL has received special attention. However, all these works impose a strong restriction on the possible valuations of atomic propositions: whether a configuration of the pushdown system satisfies an atomic proposition or not can only depend on the current control state of the pushdown automaton and on its topmost stack symbol. In this paper we consider LTL with regular valuations: the set of configurations satisfying an atomic proposition can be an arbitrary regular language. The model-checking problem is solved via two different techniques, with an eye on efficiency. The resulting algorithms are polynomial in certain measures of the problem which are usually small, but can be exponential in the size of the problem instance. However, we show that this exponential blowup is inevitable. The extension to regular valuations allows one to model problems in different areas; for instance, we show an application to the analysis of systems with checkpoints. We claim that our model-checking algorithms provide a general, unifying and efficient framework for solving them.


Computer Aided Verification | 2001

A BDD-Based Model Checker for Recursive Programs

Javier Esparza; Stefan Schwoon

We present a model-checker for boolean programs with (possibly recursive) procedures and the temporal logic LTL. The checker is guaranteed to terminate even for (usually faulty) programs in which the depth of the recursion is not bounded. The algorithm uses automata to finitely represent possibly infinite sets of stack contents and BDDs to compactly represent finite sets of values of boolean variables. We illustrate the checker on some examples and compare it with the Bebop tool of Ball and Rajamani.


Tools and Algorithms for the Construction and Analysis of Systems | 2005

A note on on-the-fly verification algorithms

Stefan Schwoon; Javier Esparza

The automata-theoretic approach to LTL verification relies on an algorithm for finding accepting cycles in a Büchi automaton. Explicit-state model checkers typically construct the automaton "on the fly" and explore its states using depth-first search. We survey algorithms proposed for this purpose and identify two good algorithms, a new algorithm based on nested DFS, and another based on strongly connected components. We compare these algorithms both theoretically and experimentally and determine cases where both algorithms can be useful.


Tools and Algorithms for the Construction and Analysis of Systems | 2006

Abstraction refinement with Craig interpolation and symbolic pushdown systems

Javier Esparza; Stefan Kiefer; Stefan Schwoon

Counterexample-guided abstraction refinement (CEGAR) has proven to be a powerful method for software model-checking. In this paper, we investigate this concept in the context of sequential (possibly recursive) programs whose statements are given as BDDs. We examine how Craig interpolants can be computed efficiently in this case and propose a new, special type of interpolants. Moreover, we show how to treat multiple counterexamples in one refinement cycle. We have implemented this approach within the model-checker Moped and report on experiments.


International Workshop on Model Checking Software | 2008

Symbolic Context-Bounded Analysis of Multithreaded Java Programs

Dejvuth Suwimonteerabuth; Javier Esparza; Stefan Schwoon

The reachability problem is undecidable for programs with both recursive procedures and multiple threads with shared memory. Approaches to this problem have been the focus of much recent research. One of these is to use context-bounded reachability, i.e. to consider only those runs in which the active thread changes at most \(k\) times, where \(k\) is fixed. However, to the best of our knowledge, context-bounded reachability has not been implemented in any tool so far, primarily because its worst-case runtime is prohibitively high, i.e. \(O(n^k)\), where \(n\) is the size of the shared memory. Moreover, existing algorithms for context-bounded reachability do not admit a meaningful symbolic implementation (e.g., using BDDs) to reduce the run-time in practice. In this paper, we propose an improvement that overcomes this problem. We have implemented our approach in the tool jMoped and report on experiments.


Foundations of Software Technology and Theoretical Computer Science | 2005

Reachability analysis of multithreaded software with asynchronous communication

Ahmed Bouajjani; Javier Esparza; Stefan Schwoon; Jan Strejček

We introduce asynchronous dynamic pushdown networks (ADPN), a new model for multithreaded programs in which pushdown systems communicate via shared memory. ADPN generalizes both CPS (concurrent pushdown systems) and DPN (dynamic pushdown networks). We show that ADPNs exhibit several advantages as a program model. Since the reachability problem for ADPN is undecidable even in the case without dynamic creation of processes, we address the bounded reachability problem, which considers only those computation sequences where the (index of the) thread accessing the shared memory is changed at most a fixed given number of times. We provide efficient algorithms for both forward and backward reachability analysis. The algorithms are based on automata techniques for symbolic representation of sets of configurations. This talk is based on joint work with Ahmed Bouajjani, Javier Esparza, and Jan Strejček that appeared in FSTTCS 2005.


IEEE Computer Security Foundations Symposium | 2003

On generalized authorization problems

Stefan Schwoon; Somesh Jha; Thomas W. Reps; Stuart G. Stubblebine

This paper defines a framework in which one can formalize a variety of authorization and policy issues that arise in access control of shared computing resources. Instantiations of the framework address such issues as privacy, recency, validity, and trust. The paper presents an efficient algorithm for solving all authorization problems in the framework; this approach yields new algorithms for a number of specific authorization problems.


Applications and Theory of Petri Nets | 2003

The Model-Checking Kit

Claus Schröter; Stefan Schwoon; Javier Esparza

The Model-Checking Kit [8] is a collection of programs which allow one to model finite state systems using a variety of modelling languages, and to verify them using a variety of checkers, including deadlock-checkers, reachability-checkers, and model-checkers for the temporal logics CTL and LTL [7].


Formal Methods | 2006

NETRA: Seeing through access control

Prasad Naldurg; Stefan Schwoon; Sriram K. Rajamani; John Lambert

We present netra, a tool for systematically analyzing and detecting explicit information-flow vulnerabilities in access-control configurations. Our tool takes a snapshot of the access-control metadata, and performs static analysis on this snapshot. We devise an augmented relational calculus that naturally models both access control mechanisms and information-flow policies uniformly. This calculus is interpreted as a logic program, with a fixpoint semantics similar to Datalog, and produces all access tuples in a given configuration that violate properties of interest. Our analysis framework is programmable both at the model level and at the property level, effectively separating mechanism from policy. We demonstrate the effectiveness of this modularity by analyzing two systems with very different mechanisms for access control---Windows XP and SELinux---with the same specification of information-flow vulnerabilities. netra finds vulnerabilities in default configurations of both systems.

Collaboration


Stefan Schwoon's collaborations.

Top co-authors:

Somesh Jha, University of Wisconsin-Madison

Thomas W. Reps, University of Wisconsin-Madison

Hao Wang, University of Wisconsin-Madison