Cited By
View all- Hoang TSchneider STreharne HWilliams D(2016)Foundations for using linear temporal logic in Event-B refinementFormal Aspects of Computing10.1007/s00165-016-0376-028:6(909-935)Online publication date: 1-Nov-2016
On the limits of refinement-testing for model-checking CSP
Author: 
Toby MurrayAuthors Info & Claims
Toby MurrayAuthors Info & ClaimsPages 219 - 256
Abstract
Refinement-checking, as embodied in tools like FDR, PAT and ProB, is a popular approach for model-checking refinement-closed predicates of CSP processes. We consider the limits of this approach to model-checking these kinds of predicates. By adopting Clarkson and Schneider’s hyperproperties framework, we show that every refinement-closed denotational predicate of finitely-nondeterministic, divergence-free CSP processes can be written as the conjunction of a safety predicate and the refinement-closure of a liveness predicate. We prove that every safety predicate is refinement-closed and that the safety predicates correspond precisely to the CSP refinement checks in finite linear observations models whose left-hand sides (i.e. specification processes) are independent of the systems to which they are applied. We then show that there exist important liveness predicates whose refinement-closures cannot be expressed as refinement checks in any finite linear observations model, divergence-strict model or non-divergence-strict divergence-recording model, i.e. in any standard CSP model suitable for reasoning about the kinds of processes that FDR can handle, namely finitely-branching ones. These liveness predicates include liveness properties under intuitive fairness assumptions, branching-time liveness predicates and non-causation predicates for reasoning about authority. We conclude that alternative verification approaches, besides refinement-checking, currently under development for CSP should be further pursued.
References
References
[1]
Abdulla P, Chen Y-F, Holìk L, Mayr R, Vojnar T (2010) When simulation meets antichains. In: Tools and algorithms for the construction and analysis of systems (TACAS ’10). Lecture notes in computer science, vol 6015. Springer, Berlin, pp 158–174
[2]
Apt KR, Francez N, and Katz S Appraising fairness in languages for distributed programming Distrib Comput 1988 2 4 226-241
[3]
Abadi M and Lamport L The existence of refinement mappings Theor Comput Sci 1991 82 2 253-284
[4]
Alpern B and Schneider FB Defining liveness Inf Process Lett 1985 21 4 181-185
[5]
Brookes SD, Roscoe AW (1985) An improved failures model for communicating processes. In: Proceedings of the 1984 Carnegie-Mellon University seminar on concurrency. Lecture notes in computer science, vol 197. Springer, Berlin
[6]
Büchi JR (1962) On a decision method in restricted second order arithmetic. In: Proceedings of the 1st international congress on logic, methodology, and philosophy of science. Stanford University Press, Stanford, pp 1–11
[7]
Clarke EM, Emerson EA, and Sistla AP Automatic verification of finite-state concurrent systems using temporal logic specifications ACM Trans Programm Lang Syst (TOPLAS) 1986 8 2 244-263
[8]
Clarkson MR, Schneider FB (2008) Hyperproperties. In: Proceedings of the 21st IEEE computer security foundations symposium (CSF ’08), pp 51–65
[9]
Clarkson MR, Schneider FB (2010) Hyperproperties. J Comput Secur. Preprint. http://www.cs.cornell.edu/fbs/publications/Hyperproperties.JCS.pdf (in press)
[10]
Gardiner P, Goldsmith M, Hulance J, Jackson D, Roscoe B, Scattergood B, Armstrong P (2005) Failures-divergences refinement: FDR2 user manual. Formal Systems (Europe) Ltd
[11]
Goguen JA, Meseguer J (1982) Security policies and security models. In: Proceedings of the 1982 IEEE symposium on security and privacy (SP ’82), pp 11–20
[12]
Hoare CAR (1980) A model for communicating sequential processes. In: McKeag RM, Macnaughten AM (eds) On the construction of programs. Cambridge University Press, London, pp 229–254
[13]
Hoare CAR Communicating sequential processes 1985 Englewood Cliffs Prentice Hall
[14]
Holzmann GJ The SPIN model checker: primer and reference manual 2003 Reading Addison-Wesley
[15]
Isobe Y, Roggenbach M (2005) A generic theorem prover of CSP refinement. In: Proceedings of the 11th international conference on tools and algorithms for the construction and analysis of systems (TACAS 2005). Springer, Berlin, p 108
[16]
Isobe Y, Roggenbach M (2006) A complete axiomatic semantics for the CSP stable-failures model. In: Proceedings of the 17th international conference on concurrency theory (CONCUR ’06). Lecture notes in computer science, vol 4137. Springer, Berlin, pp 158–172
[17]
Isobe Y and Roggenbach M CSP-prover: a proof tool for the verification of scalable concurrent systems J Comput Softw Jpn Soc Softw Sci Technol (JSSST) 2008 25 4 85-92
[18]
Lamport L Proving the correctness of multiprocess programs IEEE Transactions on Software Engineering, 1977 3 2 125-143
[19]
Lamport L Fairness and hyperfairness Distrib Comput 2000 13 4 239-245
[20]
Latvala T (2003) Efficient model checking of safety properties. In: Proceedings of the 10th international conference on model checking software (SPIN ’03). Springer, Berlin, pp 74–88
[21]
Lazić RS (1999) A semantic study of data independence with applications to model checking. D.Phil. thesis, Oxford University Computing Laboratory
[22]
Lewis D Causation J Philos 1973 70 17 556-567
[23]
Leuschel M, Fontaine M (2008) Probing the depths of CSP-M: a new FDR-compliant validation tool. In: Formal methods and software engineering, proceedings of the 10th international conference on formal engineering methods (ICFEM ’08). Springer, Berlin, pp 278–297
[24]
Liu Y (2009) Model checking concurrent and real-time systems: the PAT approach. PhD thesis, National University of Singapore. http://www.comp.nus.edu.sg/~liuyang/thesis/thesis.pdf
[25]
Leuschel M, Massart T, Currie A (2001) How to make FDR spin: LTL model checking of CSP by refinement. In: Proceedings of the international symposium of formal methods Europe on formal methods for increasing software productivity (FME ’01). Springer, Berlin, pp 99–118
[26]
Lowe G (1996) Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Tools and algorithms for the construction and analysis of systems (TACAS ’96). Lecture notes in computer science, vol 1055. Springer, Berlin, pp 147–166
[27]
Lowe G (2007) On information flow and refinement-closure. In: Proceedings of the 7th international workshop on issues in the theory of security (WITS ’07)
[28]
Lowe G Specification of communicating processes: temporal logic versus refusals-based refinement Form Aspects Comput 2008 20 3 277-294
[29]
Lowe G (2009) On CSP refinement tests that run multiple copies of a process. In: Proceedings of the seventh international workshop on automated verification of critical systems (AVoCS ’07). Electronic notes in theoretical computer science, vol 250, pp 153–170
[30]
Lehmann DJ, Pnueli A, Stavi J (1981) Impartiality, justice and fairness: the ethics of concurrent termination. In: Proceedings of the 8th colloquium on automata, languages and programming (ICALP 1981). Lecture notes in computer science, vol 115. Springer, Berlin, pp 264–277
[31]
Miller MS (2006) Robust composition: towards a unified approach to access control and concurrency control. PhD thesis, Johns Hopkins University
[32]
Murray T, Lowe G (2007) Authority analysis for least privilege environments. In: Proceedings of the joint workshop on foundations of computer security and automated reasoning for security protocol analysis (FCS-ARSPA ’07), pp 113–130
[33]
Murray T, Lowe G (2009) On refinement-closed security properties and nondeterministic compositions. In: Proceedings of the eighth international workshop on automated verification of critical systems (AVoCS ’08). Electronic notes in theoretical computer science, vol 250, pp 49–68
[34]
Mukarram A (1993) A refusal testing model for CSP. D.Phil. thesis, University of Oxford
[35]
Murray T (2010) Analysing the security properties of object-capability patterns. D.Phil. thesis, University of Oxford
[36]
Paulson LC (1994) Isabelle: a generic theorem prover. Lecture notes in computer science, vol 828. Springer, Berlin
[37]
Pnueli A (1977) The temporal logic of programs. In: Proceedings of the 18th annual symposium on foundations of computer science, pp 46–57
[38]
Puhakka A (2003) Using fairness in process-algebraic verification. Technical Report 24, Institute of Software Systems, Tampere University of Technology
[39]
Puhakka A (2005) Using fairness constraints in process-algebraic verification. In: Proceedings of the second international colloquium on theoretical aspects of computing (ICTAC 2005). Lecture notes in computer science, vol 3722. Springer, Berlin, pp 546–561
[40]
Puhakka A, Valmari A (2001) Liveness and fairness in process-algebraic verification. In: Proceedings of the 12th international conference on concurrency theory (CONCUR ’01). Lecture notes in computer science, vol 2154. Springer, Berlin, pp 202–217
[41]
Roscoe AW, Paul HB Gardiner, Goldsmith MH, Hulance JR, Jackson DM, Scattergood JB (1995) Hierarchical compression for model-checking CSP or how to check 1020 dining philosophers for deadlock. In: Proceedings of the first international workshop on tools and algorithms for construction and analysis of systems (TACAS ’95). Springer, London, pp 133–152
[42]
Roscoe AW (1994) Model-checking CSP. In: Roscoe AW (ed) A classical mind: essays in honour of C. A. R. Hoare. Prentice-Hall, Englewood Cliffs, pp 353–378
[43]
Roscoe AW (1997) The theory and practice of concurrency. Prentice Hall, Upper Saddle River. http://www.comlab.ox.ac.uk/people/bill.roscoe/publications/68b.pdf
[44]
Roscoe AW (2001) Compiling shared variable programs into CSP. In: Proceedings of the 2001 PROGRESS workshop. http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/82.ps
[45]
Roscoe AW (2004) Finitary refinement checks for infinitary specifications. In: Proceedings of communicating process architectures (CPA 2004)
[46]
Roscoe AW On the expressive power of CSP refinement Form Aspects Comput 2005 17 2 93-112
[47]
Roscoe AW (2005) Seeing beyond divergence. In: Proceedings of communicating sequential processes: the first 25 years: symposium on the occasion of 25 years of CSP, 7–8 July 2004. Lecture notes in computer science, vol 3525. Springer, Berlin, p 15
[48]
Roscoe AW (2008) The three platonic models of divergence-strict CSP. In: Proceedings of the 5th international colloquium on theoretical aspects of computing (ICTAC 2008). Lecture notes in computer science, vol 5160. Springer, Berlin, pp 23–49
[49]
Roscoe AW Revivals, stuckness and the hierarchy of CSP models J Logic Algebr Program 2009 78 3 163-190
[50]
Reed JN, Sinclair JE, and Roscoe AW Responsiveness of interoperating components Formal Aspects of Computing 2004 16 4 394-411
[51]
Sistla AP Safety, liveness and fairness in temporal logic Form l Aspects Comput 1994 6 5 495-511
[52]
Sun J, Liu Y, Dong JS (2009) Model checking CSP revisited: introducing a process analysis toolkit. In: Leveraging applications of formal methods, verification and validation. Communications in computer and information science, vol 17. Springer, Berlin, pp 307–322
[53]
Sun J, Liu Y, Dong JS, Wang HH (2008) Specifying and verifying event-based fairness enhanced systems. In: Formal methods and software engineering, proceedings of the 10th international conference on formal engineering methods (ICFEM ’08). Springer, Berlin, pp 5–24
[54]
Samuel DG, Roggenbach M, Isobe Y (2009) The stable revivals model in CSP-prover. In: Proceedings of the eighth international workshop on automated verification of critical systems (AVoCS ’08). Electronic notes in theoretical computer science, vol 250. Elsevier Science Publishers B. V., Amsterdam, pp 119–134
[55]
Völzer H, Varacca D, Kindler E (2005) Defining fairness. In: Proceedings of the 16th international conference on concurrency theory (CONCUR ’05). Lecture notes in computer science, vol 3653. Springer, Berlin, pp 458–472
[56]
Vardi MY, Wolper P (1986) An automata-theoretic approach to automatic program verification. In: Proceedings of the first IEEE symposium on logic in computer science (LICS ’86), pp 322–331
[57]
Wolper P, Vardi MY, Sistla AP (1983) Reasoning about infinite computation paths. In: Proceedings of the 24th annual symposium on foundations of computer science (SFCS ’83). IEEE Computer Society, pp 185–194
Recommendations
Compositional CSP Traces Refinement Checking
Compositional verification using assume-guarantee reasoning has recently seen an uprise due to the introduction of automatic techniques for learning assumptions. In this paper, we transfer this technique to a setting with CSP as modelling and property ...
SAT-solving in CSP trace refinement
In this paper, we address the problem of applying SAT-based bounded model checking (BMC) and temporal k-induction to asynchronous concurrent systems. We investigate refinement checking in the process-algebraic setting of Communicating Sequential ...
CSP-OZ-DC: a combination of specification techniques for processes, data and time
CSP-OZ-DC is a new combination of three well researched formal techniques for the specification of processes, data and time: CSP [Hoare 1985], Object-Z [Smith 2000], and Duration Calculus [Zhou et al. 1991]. This combination is illustrated by specifying ...
Comments
Information & Contributors
Information
Published In
© British Computer Society 2011.
Publisher
Springer-Verlag
Berlin, Heidelberg
Publication History
Published: 01 March 2013
Accepted: 27 May 2011
Revision received: 21 March 2011
Received: 02 August 2010
Published in FAC Volume 25, Issue 2
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 31Total Downloads
- Downloads (Last 12 months)22
- Downloads (Last 6 weeks)5
Reflects downloads up to 27 Jul 2024
Other Metrics
Citations
Cited By
View all- Hoang TSchneider STreharne HWilliams D(2016)Foundations for using linear temporal logic in Event-B refinementFormal Aspects of Computing10.1007/s00165-016-0376-028:6(909-935)Online publication date: 1-Nov-2016
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in