Counterexample-guided abstraction refinement for symbolic model checking

Clarke, Edmund M.; Grumberg, Orna; Jha, Somesh; Lu, Yuanxu; Veith, Helmut

doi:10.1145/876638.876643

Cited by 755 publications

(613 citation statements)

References 76 publications

Supporting

Mentioning

605

Contrasting

Unclassified

Order By: Relevance

“…A three-level abstraction mechanism is built into the tool to work with the RW model-checking. CEGAR (CounterExample-Guided Abstraction Refinement [11]) is also implemented in the tool, which can be used with the abstraction.…”

Section: General Descriptionmentioning

confidence: 99%

See 1 more Smart Citation

Synthesising verified access control systems through model checking

Zhang

Ryan

Guelev

2008

JCS

View full text Add to dashboard Cite

We present a framework for evaluating and generating access control policies. The framework contains a modelling formalism called RW, which is supported by a model checking tool. RW is designed for modelling access control policies, and verifying their properties. The RW language is very expressive, allowing us to model complex access conditions which can depend on data values, other permissions, and agent roles.A property expresses the capability of a coalition of agents to achieve a goal, which may include reading and overwriting certain information. Given a model built based on a policy and a property, the model-checking algorithm decides whether the goal defined by the property is achievable by the coalition within the permissions the policy provides. In the case that the goal is achievable, the algorithm outputs strategies which may be used by the coalition to achieve the goal.The unachievability of legitimate goals may suggest that the policy does not provide the users enough permissions to carry out their actions. The achievability of malicious goals may reveal certain security holes in the policy. When malicious goals are achievable, the resulting strategies help to provide clues on amending the policy. The tool implements the algorithm and thus performs the RW model-checking. It can also convert a policy written in the RW language into a policy file in XACML. An access control system can then be built on the converted policy file.

show abstract

Section: General Descriptionmentioning

confidence: 99%

“…The repeating use of this procedure gradually rules out false strategies or guessing strategies found because of abstraction. This methodology is referred to as counterexample-guided abstraction refinement (CEGAR) in [11].…”

Section: Abstractionmentioning

confidence: 99%

Synthesising verified access control systems through model checking

Zhang

Ryan

Guelev

2008

JCS

View full text Add to dashboard Cite

show abstract

“…The last decade has witnessed impressive progress in the ability of tools to verify properties of hardware and software systems (e.g., [9,16,24]). The success has to a large extent concerned safety properties, e.g., absence of run-time errors, deadlocks, race conditions, etc.…”

Section: Introductionmentioning

confidence: 99%

“…The main technique of software model checking, using finite-state abstractions [16] has been difficult to apply when proving liveness properties, since abstractions may introduce spurious loops [33] that do not preserve liveness. Podelski and Rybalchenko therefore extended the framework of predicate abstraction to that of transition predicate abstraction [32], which involves constructing an abstraction of the transition relation and its transitive closure.…”

Section: Introductionmentioning

confidence: 99%

Proving Liveness by Backwards Reachability

Abdulla

Jönsson

Rezine

et al. 2006

CONCUR 2006 – Concurrency Theory

View full text Add to dashboard Cite

Abstract. We present a new method for proving liveness and termination properties for fair concurrent programs, which does not rely on finding a ranking function or on computing the transitive closure of the transition relation. The set of states from which termination or some liveness property is guaranteed is computed by a backwards reachability analysis. A central technique for handling concurrency is a check for certain commutativity properties. The method is not complete. However, it can be seen as a complement to other methods for proving termination, in that it transforms a termination problem into a simpler one with a larger set of terminated states. We show the usefulness of our method by applying it to existing programs from the literature. We have also implemented it in the framework of Regular Model Checking, and used it to automatically verify non-starvation for parameterized algorithms.

show abstract

“…Our approach consists of two broad stages. We first use model checking [13,11] in conjunction with CounterExample Guided Abstraction Refinement (CEGAR) [12] and predicate abstraction [17] to verify that a C program 152 S. Chaki C satisfies a policy S. The policy S may be expressed either as a linear temporal logic (LTL) formula or a finite state machine.…”

Section: Introductionmentioning

confidence: 99%

SAT-Based Software Certification

Chaki

2006

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

Abstract. We formalize a notion of witnesses for satisfaction of linear temporal logic specifications by infinite state programs. We show how such witnesses may be constructed via predicate abstraction, and validated by generating verification conditions and proving them. We propose the use of SAT-based theorem provers and resolution proofs in proving these verification conditions. In addition to yielding extremely compact proofs, a SAT-based approach overcomes several limitations of conventional theorem provers when applied to the verification of programs written in real-life programming languages. We also formalize a notion of witnesses of simulation conformance between infinite state programs and finite state machine specifications. We present algorithms to construct simulation witnesses of minimal size by solving pseudo-Boolean constraints. We present experimental results on several non-trivial benchmarks which suggest that a SAT-based approach can yield extremely compact proofs, in some cases by a factor of over 10 5 , when compared to existing non-SAT-based theorem provers.

show abstract

Counterexample-guided abstraction refinement for symbolic model checking

Cited by 755 publications

References 76 publications

Synthesising verified access control systems through model checking

Synthesising verified access control systems through model checking

Proving Liveness by Backwards Reachability

SAT-Based Software Certification

Contact Info

Product

Resources

About