Certifying proofs for SAT-based model checking
In the context of formal verification, certifying proofs are evidence of the correctness of a model in a deduction system produced automatically as outcome of the verification. They are quite appealing for high-assurance systems because they can be verified independently by proof checkers, which are usually simpler to certify than the proof-generating tools. Model checking is one of the most prominent approaches to formal verification of temporal properties and is based on an algorithmic search of the system state space. Although modern algorithms integrate deductive methods, the generation of proofs is typically restricted to invariant properties only. Moreover, it assumes that the verification produces an inductive invariant of the original system, while model checkers usually involve a variety of complex pre-processing simplifications. In this paper we show how, exploiting the k-liveness algorithm, to extend proof generation capabilities for invariant checking to cover full linear-time temporal logic (LTL) properties, in a simple and efficient manner, with essentially no overhead for the model checker. Besides the basic k-liveness algorithm, we integrate in the proof generation a variety of widely used pre-processing techniques such as temporal decomposition, model simplification via computation of equivalences with ternary simulation, and the use of stabilizing constraints. These techniques are essential in many cases to prove that a property holds, both for invariant and for LTL model checking, and thus need to be considered within the proof. We implemented the proof generation techniques on top of IC3 engines, and show the feasibility of the approach on a variety of benchmarks taken from the literature and from the Hardware Model Checking Competition. Our results confirm that proof generation results in negligible overhead for the model checker.
- Conference Article
- 10.23919/fmcad.2018.8603022
- Oct 1, 2018
In the context of formal verification, certifying proofs are proofs of the correctness of a model in a deduction system produced automatically as outcome of the verification. They are quite appealing for high-assurance systems because they can be verified independently by proof checkers, which are usually simpler to certify than the proof-generating tools. Model checking is one of the most prominent approaches to formal verification of temporal properties and is based on an algorithmic search of the system state space. Although modern algorithms integrate deductive methods, the generation of proofs is typically restricted to invariant properties only. In this paper, we solve this issue in the context of Linear-time Temporal Logic. By exploiting the k-liveness algorithm, we show how to extend proof generation capabilities for invariant checking to cover full LTL properties, in a simple and efficient manner, with essentially no overhead for the model checker. We implemented the technique on top of an IC3 engine, and show the feasibility of the approach on a variety of benchmarks.
- Book Chapter
- 10.1007/978-3-032-04167-8_21
- Sep 15, 2025
SAT-based model checking has become a prominent approach to the verification of temporal properties. However, while invariant model checking can produce simple proofs based on induction, proof generation for SAT-based model checking of liveness properties is much more complex. In this paper, we focus on a recently developed algorithm, called rlive, which has proved quite effective in practice. rlive tries to find a counterexample with a series of reachability checks, while iteratively blocking shoals, i.e., sets of states that cannot be extended with fair paths. Despite the complexity of the algorithm, we show that the shoals are sufficient to generate a proof in a deductive system for temporal properties. We implement the approach in an existing certifying model checking framework based on the PVS theorem prover, and we experimentally evaluate it on liveness verification problems from the hardware model checking competition, generating proofs using the nuXmv model checker and checking them with PVS.
- Research Article
- 10.1145/3675168
- Aug 13, 2024
- ACM Transactions on Design Automation of Electronic Systems
In recent times, Bounded Model Checking (BMC) engines have gained wide prominence in formal verification. Different BMC engines exist, differing in the optimizations, representations and solving mechanisms used to represent and navigate the underlying state transition system of the given design to be verified. The objective of this article is to examine if combinations of BMC engines can help to combine their strengths. We propose an approach that can create a sequencing of BMC engines that can reach better depth in formal verification, as opposed to executing them alone for a specified time. Our approach uses machine learning, specifically, the Multi-Armed Bandit paradigm of reinforcement learning, to predict the best-performing BMC engine for a given unrolling depth of the underlying circuit design. We evaluate our approach on a set of benchmark designs from the Hardware Model Checking Competition (HWMCC) benchmarks and show that it outperforms the state-of-the-art BMC engines in terms of the depth reached or time taken to deduce a property violation. The synthesized BMC engine sequences reach better depths than HWMCC results and the state-of-the-art technique, super_deep, for more than 80% of the cases. It also outperforms single engine runs for more than 92% of the cases where a property violation is not found within a given time duration. For designs where property violations are found within the given time duration, the synthesized sequences found the property violation in less time than HWMCC for all the designs and outperformed both super_deep and single engine runs for more than 87% of the designs.
- Research Article
- 10.14429/dsj.72.17228
- Jan 5, 2022
- Defence Science Journal
This paper discusses a Unified Modelling Language (UML) based formal verification methodology for early error detection in the model-based software development cycle. Our approach proposes a UML-based formal verification process utilising functional and behavioural modelling artifacts of UML. It reinforces these artifacts with formal model transition and property verification. The main contribution is a UML to Labelled Transition System (LTS) Translator application that automatically converts UML Statecharts to formal models. Property specifications are derived from system requirements and corresponding Computational Tree Logic (CTL)/Linear Temporal Logic (LTL) model checking procedure verifies property entailment in LTS. With its ability to verify CTL and LTL specifications, the methodology becomes generic for verifying all types of embedded system behaviours. The steep learning curve associated with formal methods is avoided through the automatic formal model generation and thus reduces the reluctance of using formal methods in software development projects. A case study of an embedded controller used in military applications validates the methodology. It establishes how the methodology finds its use in verifying the correctness and consistency of UML models before implementation.
- Research Article
- 10.1038/s41598-025-27396-w
- Nov 22, 2025
- Scientific Reports
In the Consensus layer of Ethereum, the Beacon Chain is the main component that maintains details related to validator status, attestations, penalties, and rewards according to the behavior of validators. A large amount of Ether (ETH, the Ethereum cryptocurrency) belonging to different validators is at stake in the Consensus layer of Ethereum right now, and any change in ETH value due to slashing or rewards is managed by the Beacon Chain. The Beacon Chain is a safety-critical system, and any error or bug in it can affect the complete network of the Consensus layer of Ethereum. A single mistake can cause a huge loss of ETH at stake and problems such as invalid block insertion and security attacks. The reference implementation of the Beacon Chain developed by the Ethereum Foundation gives a complete operational description of the Beacon Chain. In this work, we focus on the formal modeling and verification of the reference implementation of the epoch processing of the Beacon Chain to ensure that the Beacon Chain epoch mechanism is designed correctly and robustly and that there exists very little chance of any bug. To achieve this goal, we utilize model checking, the most effective technique based on formal methods that is used to ensure the correctness of safety-critical systems. In this work, formal modeling is done for the epoch processing operations of the Beacon Chain using Process Meta Language (PROMELA). For verification purposes, safety properties are defined for each epoch processing operation of the Beacon Chain, and we formalize these properties using Linear Temporal Logic (LTL). Formal models and LTL formulas are given as input to the model checker to check whether these formal models satisfy the LTL formulas. The SPIN model checker is utilized for the formal verification of the Beacon Chain.
- Conference Article
- 10.1109/iceee.2006.251867
- Sep 1, 2006
Preliminary results are presented of a comparison made between a model checking tool developed by our research group and Spin, a public domain model checking package. The theoretical foundations of both tools are explicit model checking based on language emptiness. Using a simple example consisting of a set of logic controllers for driving the operation of pressurized tanks, we compare the computing performance of each stage in the model checking procedure for safety and liveness properties given as linear temporal logic (LTL) formulas. The controller ladder logic is modeled as a generalized Büchi automaton. Numerical results show a better performance of our tool for domains of up to 10^3 states.
- Conference Article
- 10.1145/3610579.3611083
- Sep 21, 2023
In recent times, Bounded Model Checking (BMC) engines are gaining wide prominence and showing great effectiveness in formal verification. Today, an arsenal of different BMC engines exists, differing widely in the optimizations, representations and solving mechanisms used to represent and navigate the underlying state transition system as they look for property violations. When having a concrete verification task at hand, a designer is often confronted with the problem of engine selection, and more often than not, has to resort to manually designed selection heuristics or machine-learned strategies using carefully selected features of the design. It has been observed that these different engines have different strengths and weaknesses, depending on the nature of the verification task, the property and the complexity of the design. The objective of this paper is to examine if combinations of these engines can help to combine their strengths. We propose an approach that can create a sequencing of BMC engines that can reach better depth in formal verification, as opposed to executing them alone for a specified time. Our approach uses machine learning, specifically, the Multi-Armed Bandit paradigm of Reinforcement Learning, to predict the best-performing BMC engine for a given unrolling depth of the underlying design transition system. We evaluate our approach on a set of benchmark designs and show that it outperforms the state-of-the-art BMC engines in terms of the depth reached or time taken to deduce a property violation on the Hardware Model Checking Competition (HWMCC) benchmarks. Our results demonstrate the potential of machine learning to enhance the efficiency and effectiveness of formal verification, particularly in selecting the best-performing BMC engine sequence for a given verification task.
- Research Article
- 10.1109/access.2019.2942762
- Jan 1, 2019
- IEEE Access
Linear Temporal Logic (LTL) Model Checking (MC) has been applied to many fields. However, the state explosion problem and the exponential computational complexity restrict the further applications of LTL model checking. A lot of approaches have been presented to address these problems, and they work well. However, the essential issue has not been resolved due to the limitation of the inherent complexity of the problem. As a result, the running time of LTL model checking algorithms will be unacceptable if an LTL formula is too long. To this end, this study tries to seek an acceptable approximate solution for LTL model checking by introducing Machine Learning (ML) techniques. A method for predicting LTL model checking results is proposed, using several ML algorithms including Boosted Tree (BT), Random Forest (RF), Decision Tree (DT) or Logistic Regression (LR), respectively. First, for a number of Kripke structures and LTL formulas, a data set A containing model checking results is obtained, using one of the existing LTL model checking algorithms. Second, the LTL model checking problem can be reduced to a binary classification problem of machine learning. In other words, some records in A form a training set for the given machine learning algorithm, where formulas and Kripke structures are the two features, and model checking results are the label. On the basis of it, an ML model M is obtained to predict the results of LTL model checking. As a result, an approximate LTL model checking technique emerges. The experiments show that the new method has similar maximum accuracy to the state-of-the-art algorithm in the classical LTL model checking technique, while the average efficiency of the former method is at most 6.3 million times higher than that of the latter algorithms, if the length of each LTL formula equals 500. These results indicate that the new method can quickly and accurately determine the LTL model checking result for a given Kripke structure and a given long LTL formula, since the new method avoids the famous state explosion problem.
- Research Article
- 10.1016/j.procs.2022.09.108
- Jan 1, 2022
- Procedia Computer Science
A Bounded Model Checker for Timed Automata and Its Application to LTL Properties
- Conference Article
- 10.1109/ares.2009.74
- Jan 1, 2009
It is very important to formally verify security specifications of information systems for ensuring their security. Thus we have proposed a formal verification method of security specifications with ISO/IEC 15408. However, to use the method, verifiers have to be familiar with Z notation, linear temporal logic, the NuSMV input language, theorem proving, model checking, and ISO/IEC 15408. Moreover, the verifiers also have to prepare some tools supporting the formal verification. Therefore, the verifiers cannot utilize the method easily. To easily verify security specifications based on the method, this paper presents a support tool for the method, named "FORVEST". FORVEST supports the verifiers by guiding the verifiers appropriately and providing information on Z notation, linear temporal logic, theorem proving, model checking, and ISO/IEC 15408 when they are needed. FORVEST also provides an environment where verifiers can access and use tools for model checking and theorem proving through a Web browser. By using FORVEST, verifiers can easily perform the formal verification.
- Research Article
- 10.1155/2021/6685978
- Apr 15, 2021
- Scientific Programming
Floods after monsoon rains are frequent disasters that affect millions of lives in Pakistan. Human lives are lost, agriculture economies are destroyed, and livestock animals, houses, fruit farms, and crops are lost which are the major livelihoods of thousands of people in Punjab. Each year there are heavy rains in the monsoon season and, due to global warming, there is the rapid melting of snow in northern glaciers; these factors subsequently cause floods. There is also loss of life due to the spread of waterborne diseases and snake bites. Flood monitoring provides early detection of a flood and the calculation of its intensity, which results in reduced human life losses and economic losses. Most casualties are caused by the lack of timely real-time, authentic information about the high-risk areas, and flood intensity, speed, and direction. Therefore, the proposed approach is centered on formal modeling and verification of safety and liveness properties of flood monitoring perceivers. Each flood perceiver has several sensors. It requires the collection of information starting from the flood perceiver, observer, and environmental forecast. This information is processed to determine the flood intensity level. We have developed a CP-Nets’ formal model and model-checked it. We have verified the safety and liveness properties of correctness by exhaustive verification of the system using model-based proof obligations (Event-B method using Rodin). Our objective in this research is to propose a correct, reliable, and efficient flood warning, monitoring, and rescue (WMR) SoS based on formal methods. We have used formal modeling and model-checking based on state-of-the-art hierarchical CP-Nets supported by exhaustive formal proof obligations of Event-B.
- Research Article
- 10.1108/dta-01-2018-0002
- Aug 29, 2018
- Data Technologies and Applications
Purpose: The purpose of this paper is to develop new simple logics and translations for hierarchical model checking. Hierarchical model checking is a model-checking paradigm that can appropriately verify systems with hierarchical information and structures.
Design/methodology/approach: In this study, logics and translations for hierarchical model checking are developed based on linear-time temporal logic (LTL), computation-tree logic (CTL) and full computation-tree logic (CTL*). A sequential linear-time temporal logic (sLTL), a sequential computation-tree logic (sCTL), and a sequential full computation-tree logic (sCTL*), which can suitably represent hierarchical information and structures, are developed by extending LTL, CTL and CTL*, respectively. Translations from sLTL, sCTL and sCTL* into LTL, CTL and CTL*, respectively, are defined, and theorems for embedding sLTL, sCTL and sCTL* into LTL, CTL and CTL*, respectively, are proved using these translations.
Findings: These embedding theorems allow us to reuse the standard LTL-, CTL-, and CTL*-based model-checking algorithms to verify hierarchical systems that are modeled and specified by sLTL, sCTL and sCTL*.
Originality/value: The new logics sLTL, sCTL and sCTL* and their translations are developed, and some illustrative examples of hierarchical model checking are presented based on these logics and translations.
- Research Article
- 10.1007/s00165-015-0347-x
- Jan 4, 2016
- Formal Aspects of Computing
Efficient symbolic and explicit-state model checking approaches have been developed for the verification of linear time temporal logic (LTL) properties. Several attempts have been made to combine the advantages of the various algorithms. Model checking LTL properties usually poses two challenges: one must compute the synchronous product of the state space and the automaton model of the desired property, then look for counterexamples, which reduces to finding strongly connected components (SCCs) in the state space of the product. In the case of concurrent systems, where the phenomenon of state space explosion often prevents successful verification, the so-called saturation algorithm has proved its efficiency in state space exploration. This paper proposes a new approach that leverages the saturation algorithm both as an iteration strategy constructing the product directly, as well as in a new fixed-point computation algorithm to find strongly connected components on-the-fly by incrementally processing the components of the model. Complementing the search for SCCs, explicit techniques and component-wise abstractions are used to prove the absence of counterexamples. The resulting on-the-fly, incremental LTL model checking algorithm proved to scale well with the size of models, as the evaluation on models of the Model Checking Contest suggests.
- Research Article
- 10.4271/2023-01-0116
- Apr 11, 2023
- SAE International Journal of Advances and Current Practices in Mobility
Formal verification plays an important role in proving the safety of autonomous vehicles (AV). It is crucial to find errors in the AV system model to ensure safety critical features are not compromised. Model checking is a formal verification method which checks if the finite state machine (FSM) model meets system requirements. These requirements can be expressed as linear temporal logic (LTL) formulae to describe a sequence of states with linear temporal properties to be satisfied. NuSMV is dedicated software for performing model checking based on temporal logic formulae on FSM models. However, NuSMV does not provide model-based design. On the other hand, Stateflow in MATLAB/SIMULINK is a powerful tool for designing the model and offers an interactive Graphical User Interface (GUI) for the user/verifier, but is not as efficient as NuSMV in model checking. Hence, model transformation becomes vital to convert the AV model in Stateflow to an input language of model checking software such as NuSMV. In this paper, we model an AV using Stateflow, which consists of cruise control, lane change/abortion, obstacle avoidance and gap maintenance blocks in the form of FSMs. We design an automatic verification tool to perform model transformation using a C compiler with the NuSMV library included. Guard conditions are represented by Boolean expressions to capture the transition sequence between different blocks. LTL specifications of safety critical requirements are verified to guarantee the validity of the AV system design. When guard conditions fail, i.e., system requirements are not met, the verification tool will give a counterexample as the output. A case study is performed to show how this verification tool can help designers to make modifications based on the counterexamples to better meet the system requirements. We also perform a benchmark verification using the design verifier in SIMULINK to compare the performance.
- Conference Article
- 10.1145/2442754.2442759
- Feb 21, 2013
Complex and sophisticated power management strategies are commonplace design policies today for managing the power consumption of complex low-power digital integrated circuits. These global power management strategies are implemented in software/firmware and are used to orchestrate the switching between power states of multiple power domains in local power controllers which reside in hardware. In this paper, we propose a methodology for verifying such global power management software against safety linear temporal logic (LTL) properties using a bounded-model-checking-based verification approach. We present our results on several test cases of significant complexity to demonstrate the feasibility of the proposed framework.