Lecture Notes in Computer Science 2067
Edited by G. Goos, J. Hartmanis, and J. van Leeuwen

Franck Cassez, Claude Jard, Brigitte Rozoy, Mark Dermot Ryan (Eds.)

Modeling and Verification of Parallel Processes
4th Summer School, MOVEP 2000
Nantes, France, June 19-23, 2000
Revised Tutorial Lectures

Series Editors: Gerhard Goos (Karlsruhe University, Germany), Juris Hartmanis (Cornell University, NY, USA), Jan van Leeuwen (Utrecht University, The Netherlands)

Volume Editors: Franck Cassez (CNRS, IRCCyN, Nantes, France), Claude Jard (CNRS, IRISA, Rennes, France), Brigitte Rozoy (Université de Paris XI, LRI, Orsay, France), Mark Dermot Ryan (University of Birmingham, School of Computer Science, UK)

CR Subject Classification (1998): D.2.4, F.3.1, F.4.1
ISSN 0302-9743
ISBN 3-540-42787-2
© Springer-Verlag Berlin Heidelberg 2001

Foreword

MOVEP 2000 was the fourth summer school in the series of MOVEP summer schools (MOdeling and VErification of Parallel processes), and was organized jointly by IRCCyN, IRISA, LRI (France), and the University of Birmingham (UK). It was held in Nantes, France on 19–23 June 2000 and continued the success of the first three MOVEP summer schools held in 1994, 1996, and 1998. MOVEP was originally a French-speaking school and was initiated by A. Arnold (LaBRI, Bordeaux), J. Beauquier (LRI, Orsay), and O. Roux (IRCCyN, Nantes) in 1994. MOVEP adopted English as its working language in 2000.

MOVEP is a school devoted to the wide area of modeling and verifying software or hardware systems. The goal of MOVEP is to gather students, academic researchers, and industrial researchers interested in the development of safety-critical systems and to provide a forum for discussion among people from computer science and automatic control. More than 100 people from Europe, North America, North Africa, and India attended MOVEP 2000.

This volume contains tutorials and annotated bibliographies covering the main subjects addressed at MOVEP 2000. It gives a snapshot of the recent developments in the domain as well as a useful introduction to many subjects. The volume contains four tutorials comprising introductory material to Model Checking, Theorem Proving, Composition and Abstraction Techniques, and Timed Systems (with UPPAAL). Three research papers give some more detailed views of High-Level Message Sequence Charts, Industrial Applications of Model Checking, and the use of Formal Methods in Security.
Finally, four annotated bibliographies give an overview of Infinite State-Space Systems, Testing Transition Systems, Fault-Model-Driven Test Derivation, and Mobile Processes.

The organizers of MOVEP 2000 would like to thank all the contributors for their commitment during the school and for their papers in this volume. It is a great pleasure for us to be the editors of this LNCS Tutorials volume and we hope to meet for the next MOVEP in June 2002.

April 2001
F. Cassez, C. Jard, B. Rozoy and M. Ryan

Program Committee
H. Alla (LAG, Grenoble, F)
A. Arnold (LaBRI, Bordeaux, F)
E. Brinksma (U. of Twente, NL)
A. Cimatti (IRST, Trento, I)
J. Esparza (TU of Munich, D)
C. Jard (IRISA, Rennes, F)
K. G. Larsen (BRICS-Aalborg, DK)
F. Maraninchi (UJF & Verimag, Grenoble, F)
S. Merz (U. of Munich, D)
A. Petit (LSV, Cachan, F)
A. Petrenko (CRIM, Montréal, CA)
O. Roux (IRCCyN, Nantes, F)
B. Rozoy (LRI, Orsay, F)
J. Rushby (SRI, USA)
M. Ryan (U. of Birmingham, UK)
D. Sangiorgi (INRIA, Sophia-Antipolis, F)
P.-Y. Schobbens (U. of Namur, B)
R. Valette (LAAS-CNRS, Toulouse, F)
M. Wonham (U. of Toronto, CA)

Organizing Committee
Franck Cassez (IRCCyN/CNRS, Nantes)
Claude Jard (IRISA/CNRS, Rennes)
Brigitte Rozoy (LRI, Orsay)
Mark Ryan (U. of Birmingham)

Local Arrangements
Patricia Galloyer (IRCCyN, Nantes)
Marie-Noëlle Georgeault (IRISA, Rennes)
Nicole Labaronne (IRCCyN, Nantes)

MOVEP 2000 Sponsors
CNRS, INRIA, France Telecom, Ville de Nantes, Conseil Régional des Pays de la Loire, Conseil Général de Loire Atlantique, Université de Nantes, Université de Rennes 1, Ecole Centrale de Nantes, EEC.

Contents

Tutorials and Papers (p. 1)

Model Checking: A Tutorial Overview (p. 3)
Stephan Merz (Universität München, Germany)

Theorem Proving for Verification (p. 39)
John Rushby (Computer Science Laboratory, SRI International, Menlo Park, USA)

Composition and Abstraction (p. 58)
Antti Valmari (Tampere University of Technology, Finland)

Uppaal – Now, Next, and Future (p. 99)
Tobias Amnell (Uppsala University, Sweden), Gerd Behrmann (Aalborg University, Denmark), Johan Bengtsson (Uppsala University, Sweden), Pedro R. D'Argenio (University of Twente, The Netherlands), Alexandre David (Uppsala University, Sweden), Ansgar Fehnker (University of Nijmegen, The Netherlands), Thomas Hune (Aarhus University, Denmark), Bertrand Jeannet, Kim G. Larsen (Aalborg University, Denmark), M. Oliver Möller (Aarhus University, Denmark), Paul Pettersson (Uppsala University, Sweden), Carsten Weise (Ericsson Eurolab Deutschland GmbH, Germany), Wang Yi (Uppsala University, Sweden)

HMSCs as Partial Specifications ... with PNs as Completions (p. 125)
Benoit Caillaud, Philippe Darondeau, Loïc Hélouët, and Gilles Lesventes (IRISA, Rennes, France)

Industrial Applications of Model Checking (p. 153)
Alessandro Cimatti (ITC-IRST, Trento, Italy)

Formal Methods in Practice: The Missing Links. A Perspective from the Security Area (p. 169)
Dominique Bolignano, Daniel Le Métayer, Claire Loiseaux (Trusted Logic)

Annotated Bibliographies (p. 181)

Verification of Systems with an Infinite State Space (p. 183)
Javier Esparza (Technische Universität München, Germany)

Testing Transition Systems: An Annotated Bibliography (p. 187)
Ed Brinksma, Jan Tretmans (University of Twente, The Netherlands)

Fault Model-Driven Test Derivation from Finite State Models: Annotated Bibliography (p. 196)
Alexandre Petrenko (CRIM, Montreal, Canada)

Mobile Processes: A Commented Bibliography (p. 206)
Silvano Dal Zilio (Microsoft Research, Cambridge, U.K.)

Author Index (p. 223)
Model Checking: A Tutorial Overview

Stephan Merz
Institut für Informatik, Universität München
[email protected]

Abstract. We survey principles of model checking techniques for the automatic analysis of reactive systems. The use of model checking is exemplified by an analysis of the Needham-Schroeder public key protocol. We then formally define transition systems, temporal logic, ω-automata, and their relationship. Basic model checking algorithms for linear- and branching-time temporal logics are defined, followed by an introduction to symbolic model checking and partial-order reduction techniques. The paper ends with a list of references to some more advanced topics.

1 Introduction

Computerized systems pervade our everyday lives more and more. We rely on digital controllers to supervise critical functions of cars, airplanes, and industrial plants. Digital switching technology has replaced analog components in the telecommunication industry, and security protocols enable e-commerce applications and privacy. Where important investments or even human lives are at risk, quality assurance for the underlying hardware and software components becomes paramount, and this requires formal models that describe the relevant part of the systems at an adequate level of abstraction. The systems we are focussing on are assumed to maintain an ongoing interaction with their environment (e.g., the controlled system or other components of a communication network) and are therefore called reactive systems [60,94]. Traditional models that describe computer programs as computing some result from given input values are inadequate for the description of reactive systems. Instead, the behavior of reactive systems is usually modelled by transition systems.

The term model checking designates a collection of techniques for the automatic analysis of reactive systems. Subtle errors in the design of safety-critical systems that often elude conventional simulation and testing techniques can be (and have been) found in this way.
Because it has been proven cost-effective and integrates well with conventional design methods, model checking is being adopted as a standard procedure for the quality assurance of reactive systems. The inputs to a model checker are a (usually finite-state) description of the system to be analysed and a number of properties, often expressed as formulas of temporal logic, that are expected to hold of the system. The model checker either confirms that the properties hold or reports that they are violated. In the latter case, it provides a counter-example: a run that violates the property. Such a run can provide valuable feedback and points to design errors. In practice, this view turns out to be somewhat idealized: quite frequently, available resources only permit the analysis of a rather coarse model of the system. A positive verdict from the model checker is then of limited value because bugs may well be hidden by the simplifications that had to be applied to the model. On the other hand, counter-examples may be due to modelling artefacts and no longer correspond to actual system runs. In any case, one should keep in mind that the object of analysis is always an abstract model of the system. Standard procedures such as code reviews are necessary to ensure that the abstract model adequately reflects the behavior of the concrete system in order for the properties of interest to be established or falsified. Model checkers can be of some help in this validation task because it is possible to perform "sanity checks", for example to ensure that certain runs are indeed possible or that the model is free of deadlocks.

This paper is intended as a tutorial overview of some of the fundamental principles of model checking, based on a necessarily subjective selection of the large body of model checking literature.

F. Cassez et al. (Eds.): MOVEP 2000, LNCS 2067, pp. 3−38, 2001. © Springer-Verlag Berlin Heidelberg 2001
We begin with a case study in Section 2, where the application of model checking is considered from a user's point of view. Section 3 reviews transition systems, temporal logics, and automata-theoretic techniques that underlie some approaches to model checking. Section 4 introduces basic model checking algorithms for linear-time and branching-time logics. Finally, Section 5 collects some rather sketchy references to more advanced topics. Much more material can be found in other contributions to this volume and in the textbooks and survey papers [27,28,69,97,124] on the subject. The paper contains many references to the relevant literature, in the hope that this survey can also serve as an annotated bibliography.

2 Analysis of a Cryptographic Protocol

2.1 Description of the Protocol

Let us first consider, by way of example, the analysis of a public-key authentication protocol suggested by Needham and Schroeder [104] using the model checker Spin [65]. Two agents A(lice) and B(ob) try to establish a common secret over an insecure channel in such a way that both are convinced of each other's presence and no intruder can get hold of the secret without breaking the underlying encryption algorithm. This is one of the fundamental problems in cryptography: for example, a shared secret could be used to generate a session key for subsequent communication between the agents.

The protocol is pictorially represented in Fig. 1.¹ It requires the exchange of three messages between the participating agents. Notation such as ⟨M⟩_C denotes that message M is encrypted using agent C's public key. Throughout, we assume the underlying encryption algorithm to be secure and the private keys of the honest agents to be uncompromised. Therefore, only agent C can decrypt ⟨M⟩_C to learn M.

¹ The original protocol includes communication between the agents and a central key server to distribute the public keys of the agents. We concentrate on the core authentication protocol, assuming all public keys to be known to all agents.
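To make the message structure of the core protocol concrete before it is modelled in Spin, here is an added Python sketch (editor's example, not code from the paper or from Spin). It encodes the paper's ⟨M⟩_C notation as a symbolic term that only the key owner can open, runs the honest three-message exchange (the message bodies follow the original Needham-Schroeder public-key protocol, which Fig. 1 shows but the text above does not spell out), and then computes what a passive observer of the channel can learn. The names `Enc`, `enc`, `dec`, `run_protocol` and `passive_knowledge` are this example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Symbolic (Dolev-Yao style) terms: atoms are agent names or nonces;
# Enc(payload, owner) stands for <payload>_owner in the paper's notation.
@dataclass(frozen=True)
class Enc:
    payload: Tuple[str, ...]
    owner: str  # only `owner` holds the private key that opens this term

def enc(owner: str, *parts: str) -> Enc:
    return Enc(tuple(parts), owner)

def dec(msg: Enc, me: str) -> Tuple[str, ...]:
    # The paper's assumption: encryption is secure and honest private keys
    # are uncompromised, so only agent `owner` can learn the payload.
    if msg.owner != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {msg.owner}")
    return msg.payload

def run_protocol(a="A", b="B", na="Na", nb="Nb"):
    """Honest run of the core protocol. Returns (transcript, A's view, B's view)."""
    transcript: List[Tuple[str, str, Enc]] = []
    # Msg 1: A -> B : <Na, A>_B   (A's fresh nonce and A's identity)
    m1 = enc(b, na, a); transcript.append((a, b, m1))
    na_b, a_b = dec(m1, b)          # B learns Na and who claims to be talking
    # Msg 2: B -> A : <Na, Nb>_A   (B returns Na and adds its own nonce)
    m2 = enc(a_b, na_b, nb); transcript.append((b, a, m2))
    na_a, nb_a = dec(m2, a)
    assert na_a == na               # A checks that its own nonce came back
    # Msg 3: A -> B : <Nb>_B       (A proves it could read message 2)
    m3 = enc(b, nb_a); transcript.append((a, b, m3))
    (nb_b,) = dec(m3, b)
    assert nb_b == nb               # B checks that its own nonce came back
    return transcript, {na_a, nb_a}, {na_b, nb_b}

def passive_knowledge(transcript, keys_held: FrozenSet[str]) -> Set[str]:
    """What an observer on the insecure channel learns, given the private keys it holds."""
    known: Set[str] = set()
    for _, _, m in transcript:
        if m.owner in keys_held:
            known.update(m.payload)
    return known

if __name__ == "__main__":
    trace, view_a, view_b = run_protocol()
    print("shared by A and B:", view_a == view_b, view_a)
    print("learned by an observer without keys:", passive_knowledge(trace, frozenset()))
```

The observer check is only the passive, secrecy-of-nonces side of the question; the authentication property the paper goes on to analyse needs the intruder to be an active participant, which is exactly what the Spin model is for.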