Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

A. Dubey,X. Wu,H. Su,T. J. Koo

DOI: https://doi.org/10.1007/11562948_11

2005-01-01

Abstract:In this paper, we describe a computation platform called ReachLab, which enables automatic analysis of embedded software systems that interact with continuous environment. Algorithms are used to specify how the state space of the system model should be explored in order to perform analysis. In ReachLab, both system models and analysis algorithm models are specified in the same framework using Hybrid System Analysis and Design Language (HADL), which is a meta-model based language. The platform allows the models of algorithms to be constructed hierarchically and promotes their reuse in constructing more complex algorithms. Moreover, the platform is designed in such a way that the concerns of design and implementation of analysis algorithms are separated. On one hand, the models of analysis algorithms are abstract and therefore the design of algorithms can be made independent of implementation details. On the other hand, translators are provided to automatically generate implementations from the models for computing analysis results based on computation kernels. Multiple computation kernels, which are based on specific computation tools such as d/dt and the Level Set toolbox, are supported and can be chosen to enable hybrid state space exploration. An example is provided to illustrate the design and implementation process in ReachLab.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/qsic.2010.50

2010-01-01

Abstract:Automated verification of noninterference is commonly considered more precise than type-based approach on enforcing secure information flow for program. We propose an approach on model checking symbolic pushdown system generated from Java bytecode, and develop a deployment-time verification framework to ensure noninterference of bytecode. In order to overcome the constraints brought by the nature of object-oriented language and application scenario, we extend self-composition to low-recorded self-composition to reduce the partial correctness judgements on safety property to reachability analysis. In this variation, meta-level indices of heap are recorded into the self-composed pushdown system for the construction of auxiliary interleaving assignments and branch condition to illegal-flow state. Our experiments show that the approach is more scalable than previous work based on automated verification.

Ting Wang,Songzheng Song,Jun Sun,Yang Liu,Jin Song Dong,Xinyu Wang,Shanping Li

DOI: https://doi.org/10.1007/978-3-642-34281-3_26

2012-01-01

Abstract:Refinement checking plays an important role in system verification. It establishes properties of an implementation by showing a refinement relationship between the implementation and a specification. Recently, it has been shown that anti-chain based approaches increase the efficiency of trace refinement checking significantly. In this work, we study the problem of adopting anti-chain for stable failures refinement checking, failures-divergence refinement checking and probabilistic refine checking (i.e., a probabilistic implementation against a non-probabilistic specification). We show that the first two problems can be significantly improved, because the state space of the product model may be reduced dramatically. Though applying anti-chain for probabilistic refinement checking is more complicated, we manage to show improvements in some cases. We have integrated these techniques into the PAT model checking framework. Experiments are conducted to demonstrate the efficiency of our approach.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/infcomw.2011.5928777

2011-01-01

Abstract:Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information if it has the authority to access confidential data. Recent concerns about declassification polices have provided many choices for practical intended information release, but more precise enforcement mechanism for these policies is insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition, and checks the reachability of illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of property. The evaluation shows that our approach is more precise than type-based enforcement.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

SUN Cong,TANG Li-yong,CHEN Zhong

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.07.023

2011-01-01

Computer Science

Abstract:We proposed an approach for analyzing information-flow security of imperative language with output channels.The program is Abstracted with pushdown system,which is then self-composed in order to adapt noninterference as a safety property.The output operations in the two relevant runs are respectively modeled as storing and matching procedure by pushdown rules.Then the termination-insensitive noninterference is verified by a reachability analysis of illegal-flow state.A variation of this approach can deal with program containing divergent run.An upper-bound regression algorithm was proposed to find the maximum upper-bound in order to trigger coercive termination of divergent run.The experimental results show that the approach is more precise and efficient than existing work.

Simon Foster,Kangfeng Ye,Ana Cavalcanti,Jim Woodcock

DOI: https://doi.org/10.1016/j.jlamp.2021.100681

2021-04-12

Abstract:Reactive programs combine traditional sequential programming constructs with primitives to allow communication with other concurrent agents. They are ubiquitous in modern applications, ranging from components systems and web services, to cyber-physical systems and autonomous robots. In this paper, we present an algebraic verification strategy for concurrent reactive programs, with a large or infinite state space. We define novel operators to characterise interactions and state updates, and an associated equational theory. With this we can calculate a reactive program's denotational semantics, and thereby facilitate automated proof. Of note is our reasoning support for iterative programs with reactive invariants, based on Kleene algebra, and for parallel composition. We illustrate our strategy by verifying a reactive buffer. Our laws and strategy are mechanised in Isabelle/UTP, our implementation of Hoare and He's Unifying Theories of Programming (UTP) framework, to provide soundness guarantees and practical verification support.

Logic in Computer Science,Programming Languages

Cong Sun,Ning Xi,Jinku Li,Qingsong Yao,Jianfeng Ma

DOI: https://doi.org/10.1109/APSEC.2014.60

2014-01-01

Abstract:Information flow security has been considered as a critical requirement on software systems, especially when heterogeneous components from different parties cooperate to achieve end-to-end enforcement on data confidentiality. Enforcing the information flow security properties on complicated systems faces a great challenge because the properties cannot be preserved under composition and most of the current approaches are not scalable enough. To address this problem, there have been several recent efforts on the compositional information flow analyses developed for different abstraction levels. But these approaches have rarely been considered to incorporate with the process of system design. Integrating the security enforcement with the model-based development process can provide the designer with ability to verify information flow security in the early stage of system development. We propose a compositional information flow verification which is integrated with model-based system design in Sys ML by an automated model translation from semi-formal behavior and structure models to interface automata. Our compositional approach is general to support the complex security lattices and a variety of in distinguish ability relations. The evaluation results show the usability of our approach on practical system designs and the scalability of the compositional verification.

Haiying Sun,Jing Liu,Dehui Du

DOI: https://doi.org/10.1109/apsec.2012.92

2012-01-01

Abstract:In the paper, we propose a method that can be applied to verify implementation in real-time reactive system. Different from other software model checking approaches, our method is based on testing. This approach allows the verification of safety property to be conducted directly on real code instead of models extracted from final implementation. Verifying that kind of models is a hard work and can only be applied to parts of the implementation. The method is done by establishing a connection between safety verification and conformance testing in real-time system. We first prove a theorem that in real-time system, under the input enabled precondition, if an implementation conforms to its specification and the specification satisfies the safety properties, the implementation satisfies it either. Then, based on contropositivity of the former conclusion, we present a test case generation framework which forms basis for generating test cases that can be used to detect violations of safety properties in the implementation. In addition, this test generation framework can also detect more nonconformance defects when compared with other real time test generation methods. The method is illustrated with a train gate control system.

Wenrui Meng,Qiang Liu,Jie Li

DOI: https://doi.org/10.1109/CTRQ.2010.21

2010-01-01

Abstract:Model checking is a well known formal technique for systems verification and its main challenge is state explosion. Assume-guarantee is a promising way to deal with this challenge, but in the compositional reasoning process we should provide assumption for the model to be verified. Traditionally the assumption is given manually, which constrains its practice application. There are some automatic assumption generation ways based learning algorithm which are time consuming and inefficient. In this paper, we will introduce reachability assume-guarantee reasoning for property equal to some target states’ reachability. We will generate assumption automatically in liner time. The key idea of our approach is getting all the conditions what the property verification needs and which are contained in an automaton. And then we condense the automaton to a complete and non-redundant assumption. Finally we verify the assumption automaton on environment model. In our approach, we will improve the efficiency of assume-guarantee reasoning.

Stefan Leue,Alin Ştefănescu,Wei Wei

DOI: https://doi.org/10.1007/978-3-540-85114-1_14

2008-01-01

Abstract:The execution of a reactive system amounts to the repetitions of executions of control flow cycles in the component processes of the system. The way in which cycle executions are combined is not arbitrary since cycles may depend on or exclude one another. We believe that the information of such dependencies is important to the design, understanding, and verification of reactive systems. In this paper, we formally define the concept of a cycle dependency, and propose several static analysis methods to discover such dependencies. We have implemented several strategies for computing cycle dependencies and compared their performance with realistic models of considerable size. It is also shown how the detection of accurate dependencies is used to improve a livelock freedom analysis that we developed previously.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/uic-atc.2009.44

2009-01-01

Abstract:We propose an approach on model checking information flow for imperative language with procedures. We characterize our model with pushdown system, which has a stack of unbounded length that naturally models the execution of procedural programs. Because the type-based static analysis is sometimes too conservative and rejects safe program as ill-typed, we take a semantic-based approach by self-composing symbolic pushdown system and specifying noninterference with LTL formula. Then we verify this LTL-expressed property via model checker Moped. Except for overcoming the conservative characteristic of type-based approach, our motivation also includes the insufficient state of arts on precise information flow analysis under interprocedural setting. To remedy the inefficiency of model checking compared with type system, we propose both compact form and contracted form of self-composition. According to experimental results, they can greatly increase the efficiency of realistic verification. Our method provides flexibility on separating program abstraction from noninterference verification, thus could be expected to use on different programming languages.

Chencheng Tang,Matthias Althoff

DOI: https://doi.org/10.1016/j.ifacol.2023.10.028

2023-07-26

Abstract:Verifying the correct behavior of robots in contact tasks is challenging due to model uncertainties associated with contacts. Standard methods for testing often fall short since all (uncountable many) solutions cannot be obtained. Instead, we propose to formally and efficiently verify robot behaviors in contact tasks using reachability analysis, which enables checking all the reachable states against user-provided specifications. To this end, we extend the state of the art in reachability analysis for hybrid (mixed discrete and continuous) dynamics subject to discrete-time input trajectories. In particular, we present a novel and scalable guard intersection approach to reliably compute the complex behavior caused by contacts. We model robots subject to contacts as hybrid automata in which crucial time delays are included. The usefulness of our approach is demonstrated by verifying safe human-robot interaction in the presence of constrained collisions, which was out of reach for existing methods.

Robotics,Systems and Control

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/icis.2011.20

2011-01-01

Abstract:Language-based information flow security provides a way to enforce either the baseline noninterference property or more relaxed properties specifying intended information release. This paper presents a new approach for enforcing information release policy on programming language with I/O channels. First we present a relaxed security property complying with the security policy on the what-dimension of declassification. Second we propose an enforcement mechanism for the security property based on reach ability analysis of pushdown system. The self-composition is equipped with a store-match pattern, which reduces the cost of verification by avoiding duplication of I/O channels. The pattern also facilitates characterization of the security property. The experimental results show the preciseness of our enforcement.

Yongwang Zhao,David Sanan,Fuyuan Zhang,Yang Liu

DOI: https://doi.org/10.48550/arxiv.1810.07855

2018-01-01

Abstract:Reactive systems are composed of a well defined set of input events that the system reacts with by executing an associated handler to each event. In concurrent environments, event handlers can interact with the execution of other programs such as hardware interruptions in preemptive systems, or other instances of the reactive system in multicore architectures. State of the art rely-guarantee based verification frameworks only focus on imperative programs, being difficult to capture in the rely and guarantee relations interactions with possible infinite sequences of event handlers, and the input arguments to event handlers. In this paper, we propose the formalisation in Isabelle/HOL of an event-based rely-guarantee approach for concurrent reactive systems. We develop a Pi-Core language which incorporates a concurrent imperative and system specification language by `events', and we build a rely-guarantee proof system for Pi-Core and prove its soundness. Our approach can deal with multicore and interruptible concurrency. We use two case studies to show this: an interruptible controller for stepper motors and an ARINC 653 multicore kernel, and prove the functional correctness and preservation of invariants of them in Isabelle/HOL.

Lingjie Shu,Jianqi Shi,Xin Ye,Ningkang Jiang,Yichun Li

DOI: https://doi.org/10.1145/3034950.3034984

2017-01-01

Abstract:Nowadays, Pushdown System is widely used in program verification including malware detection. We model the software systems into pushdown systems and use model-checking to verify them. The reachability analysis is the base of model-checking problems. It is an iterative work on transitions and configuration rules. However, with the rise of the complexity and scalability of those software systems, the size of transitions and configurations rules rises as well. This means the traditional methods are not suitable for such work. Therefore, we propose a new parallel reachability analysis method for such scene. Our methods can handle massive data sets and return the result in acceptable time.

Yike Huang,Xiaohong Chen,Zhi Jin,Tingliang Zhou

DOI: https://doi.org/10.1109/rew61692.2024.00035

2024-01-01

Abstract:The importance of real-time requirements inconsistency detection is increasingly manifested in safety -critical system development. Most existing tools use state-based detection methods for real-time requirements verification, but they sometimes struggle to efficiently detect results when faced with complex system requirements. Moreover, adding device properties into the verification has increased the complexity of the state space. As a complementary, in this paper, we present a lightweight efficient method for real-time requirements existence inconsistency detection for safety-critical systems. We reduce the real-time existential inconsistencies detection problem into a constraint solving problem. The real-time requirements and involved device properties are encoded into SMT formulas, which can be detected quickly by using a constraint solver such as Z3. Through a case study and experimental evaluation, it is shown that our method can efficiently detect real-time existential inconsistencies in requirements. This provides a practical solution to detect certain types of errors in the early stage, avoiding possible future expensive costs.

Fuyuan Zhang,Yongwang Zhao,David Sanán,Yang Liu,Alwen Tiu,Shang-Wei Lin,Zhimin Wu,Jun Sun

DOI: https://doi.org/10.1007/978-3-319-95582-7_31

2018-01-01

Abstract:Scalable and automatic formal verification for concurrent systems is always demanding. In this paper, we propose a verification framework to support automated compositional reasoning for concurrent programs with shared variables. Our framework models concurrent programs as succinct automata and supports the verification of multiple important properties. Safety verification and simulations of succinct automata are parallel compositional, and safety properties of succinct automata are preserved under refinements. We generate succinct automata from infinite state concurrent programs in an automated manner. Furthermore, we propose the first automated approach to checking rely-guarantee based simulations between infinite state concurrent programs. We have prototyped our algorithms and applied our tool to the verification of multiple refinements.

Rüdiger Ehlers,Bernd Finkbeiner

DOI: https://doi.org/10.4204/EPTCS.54.13

2011-06-07

Abstract:The distinction between safety and liveness properties is a fundamental classification with immediate implications on the feasibility and complexity of various monitoring, model checking, and synthesis problems. In this paper, we revisit the notion of safety for reactive systems, i.e., for systems whose behavior is characterized by the interplay of uncontrolled environment inputs and controlled system outputs. We show that reactive safety is a strictly larger class of properties than standard safety. We provide algorithms for checking if a property, given as a temporal formula or as a word or tree automaton, is a reactive safety property and for translating such properties into safety automata. Based on this construction, the standard verification and synthesis algorithms for safety properties immediately extend to the larger class of reactive safety.

Formal Languages and Automata Theory,Logic in Computer Science