Model Checking: Model Checking Is An Automatic Technique For Verifying Finite State


CSE Dept, MNNIT Allahabad Jan 7, 2008

Model Checking

• Model checking is an automatic technique for verifying finite state concurrent systems

• It comprises three parts

– A framework for modeling systems, typically a description language of some sort

– A specification language for describing the properties to be verified

– A verification method to establish whether the description of a system satisfies the specification

Model Checking : Dharmendra 1



Model Checking (Cont...)

[Figure 1: Model Checking Methodology. A model of the architectural design and a specification of the property are the two inputs to the model checker (CWB-NC); its output is either True (the model satisfies the formula) or False (an error trace).]


Calculus of Communicating Systems (CCS)

• CCS is a process algebra developed for analytical modeling of concurrent communicating systems

• CCS considers a system as a network of components which behave according to their specification

• Each part is an agent

• Agents communicate with each other via ports


Syntax of CCS

$\mathcal{E}$ is the set of agent expressions; it includes the set $\mathcal{X}$ of agent variables and the set $\mathcal{K}$ of agent constants, and is closed under the following constructions:

1. $\alpha.E$, a Prefix ($\alpha \in Act$)

2. $\sum_{i \in I} E_i$, a Summation ($I$ an indexing set)

3. $E_1 \mid E_2$, a Composition

4. $E \setminus L$, a Restriction ($L \subseteq \mathcal{L}$, the set of labels)

5. $E[f]$, a Relabelling ($f$ a relabelling function)


An example: Vending Machine


• A big chocolate costs 2p, a little one costs 1p

• Only 2p and 1p coins can be used in the machine

[Port diagram of the machine V with ports big, little, 2p, 1p and collect.]

• Machine V can be defined in terms of its interaction with the environment at its ports

$V \stackrel{\mathrm{def}}{=} 2p.big.collect.V + 1p.little.collect.V$


Modal Mu-Calculus

• An expressive logic that can be used to encode a variety of temporal logics

• The syntax of the modal mu-calculus:

– Formula variables $X_1, X_2, \ldots$
– Atomic propositions $p_1, p_2, \ldots$
– Negation, conjunction and disjunction of formulae
– Existential modality: $\langle a \rangle f$
– Universal modality: $[a] f$
– Least fixed point: $\mu X.\,f(X)$
– Greatest fixed point: $\nu X.\,f(X)$


Semantics of Modal Mu-Calculus


$E \models_V \mathit{tt}$

$E \not\models_V \mathit{ff}$

$E \models_V X$ iff $E \in V(X)$

$E \models_V \Phi \wedge \Psi$ iff $E \models_V \Phi$ $\wedge$ $E \models_V \Psi$

$E \models_V \Phi \vee \Psi$ iff $E \models_V \Phi$ $\vee$ $E \models_V \Psi$

$E \models_V [K]\Phi$ iff $\forall F \in \{E' : E \xrightarrow{a} E' \text{ and } a \in K\}.\ F \models_V \Phi$

$E \models_V \langle K \rangle \Phi$ iff $\exists F \in \{E' : E \xrightarrow{a} E' \text{ and } a \in K\}.\ F \models_V \Phi$

$E \models_V \nu X.\Phi$ iff $E \in \bigcup \{\mathcal{E} \subseteq \mathcal{P} : \mathcal{E} \subseteq \|\Phi\|_{V[\mathcal{E}/X]}\}$

$E \models_V \mu X.\Phi$ iff $E \in \bigcap \{\mathcal{E} \subseteq \mathcal{P} : \|\Phi\|_{V[\mathcal{E}/X]} \subseteq \mathcal{E}\}$


Specifying properties using Mu-Calculus

• The vending machine's behaviour can be captured through properties such as

1. $V \models [2p]\langle big \rangle \mathit{tt}$

2. $V \models [2p]\langle big \rangle \langle collect \rangle \mathit{tt}$

3. $V \models [1p]\langle little \rangle \mathit{tt}$

4. $V \models [1p]\langle little \rangle \langle collect \rangle \mathit{tt}$

5. $V \not\models [2p]\langle little \rangle \langle collect \rangle \mathit{tt}$
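The following is an added example, not code from the slides or from CWB-NC. It encodes the vending machine V as an explicit labelled transition system, implements the semantic clauses of the previous slide as set-valued functions over the states, and checks the five properties above. The derivative state names V1 to V4 are my own (the slides only name V), and the evaluator goes beyond the slides' examples by also handling the least and greatest fixed points, which are computed by iteration from the bottom or top of the finite lattice.

```python
"""Modal mu-calculus model checker over a finite labelled transition system.

Added example (not from the original slides). Encodes V = 2p.big.collect.V +
1p.little.collect.V and evaluates mu-calculus formulas as sets of states.
"""

# Constructed LTS for V. Each prefix in the definition gives one derivative:
# V --2p--> V1 = big.collect.V --big--> V2 = collect.V --collect--> V
# V --1p--> V3 = little.collect.V --little--> V4 = collect.V --collect--> V
STATES = frozenset({"V", "V1", "V2", "V3", "V4"})
TRANS = {("V", "2p", "V1"), ("V1", "big", "V2"), ("V2", "collect", "V"),
         ("V", "1p", "V3"), ("V3", "little", "V4"), ("V4", "collect", "V")}
ACT = frozenset(a for (_, a, _) in TRANS)


def succ(state, labels):
    """Derivatives E' with E --a--> E' for some a in the label set K."""
    return {t for (s, a, t) in TRANS if s == state and a in labels}


# Formulas are nested tuples: ("tt",) ("ff",) ("var", X) ("not", f) ("and", f, g)
# ("or", f, g) ("box", K, f) ("dia", K, f) ("mu", X, f) ("nu", X, f).
def sem(phi, V):
    """||phi||_V: the set of states satisfying phi under valuation V (X -> set)."""
    kind = phi[0]
    if kind == "tt":
        return STATES
    if kind == "ff":
        return frozenset()
    if kind == "var":
        return V[phi[1]]
    if kind == "not":  # use only outside fixed points (formulas must be positive in X)
        return STATES - sem(phi[1], V)
    if kind == "and":
        return sem(phi[1], V) & sem(phi[2], V)
    if kind == "or":
        return sem(phi[1], V) | sem(phi[2], V)
    if kind == "box":  # every K-derivative satisfies the body
        body = sem(phi[2], V)
        return frozenset(E for E in STATES if succ(E, phi[1]) <= body)
    if kind == "dia":  # some K-derivative satisfies the body
        body = sem(phi[2], V)
        return frozenset(E for E in STATES if succ(E, phi[1]) & body)
    if kind in ("mu", "nu"):
        # On a finite lattice the intersection (mu) / union (nu) characterisation
        # of the fixed point is reached by iterating from bottom / top until stable.
        X, body = phi[1], phi[2]
        cur = frozenset() if kind == "mu" else STATES
        while True:
            nxt = sem(body, {**V, X: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown connective {kind}")


def holds(state, phi):
    """E |= phi for a closed formula phi."""
    return state in sem(phi, {})


TT = ("tt",)


def box(a, f):
    return ("box", frozenset({a}), f)


def dia(a, f):
    return ("dia", frozenset({a}), f)


# The five properties from the slides (1-4 are expected to hold, 5 to fail).
PROPS = {
    1: box("2p", dia("big", TT)),
    2: box("2p", dia("big", dia("collect", TT))),
    3: box("1p", dia("little", TT)),
    4: box("1p", dia("little", dia("collect", TT))),
    5: box("2p", dia("little", dia("collect", TT))),
}

# Two fixed-point properties that are not on the slides (my additions):
# mu X. <collect>tt \/ <->X : a collect action is reachable from here
EVENTUALLY_COLLECT = ("mu", "X", ("or", dia("collect", TT), ("dia", ACT, ("var", "X"))))
# nu X. <->tt /\ [-]X : no reachable state is deadlocked
DEADLOCK_FREE = ("nu", "X", ("and", ("dia", ACT, TT), ("box", ACT, ("var", "X"))))


def check_all():
    """Which of the five slide properties V satisfies."""
    return {n: holds("V", p) for n, p in PROPS.items()}


if __name__ == "__main__":
    for n, ok in check_all().items():
        print(f"V {'|=' if ok else '|/='} property {n}")
    print("eventually collect:", holds("V", EVENTUALLY_COLLECT))
    print("deadlock free:", holds("V", DEADLOCK_FREE))
```

Because `sem` returns the whole satisfying set rather than a yes/no answer for one state, a failed check immediately shows which derivatives do satisfy the formula, which is the information a counterexample trace is built from.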


Modeling of Proxy Web Server using CCS

• We model the Web Proxy pattern using CCS

• We write interesting properties of the Web Proxy pattern

• We verify using CWB-NC that the model satisfies the properties


Modeling Web Proxy Pattern

[Figure 2: Proxy Web Server. CLIENT and PROXY exchange req and ans; PROXY and SERVER exchange request and reply.]

$\mathit{CLIENT} \stackrel{\mathrm{def}}{=} req.ans.\mathit{CLIENT}$

$\mathit{PROXY} \stackrel{\mathrm{def}}{=} req.ans.\mathit{PROXY} + req.request.reply.ans.\mathit{PROXY}$

$\mathit{SERVER} \stackrel{\mathrm{def}}{=} request.reply.\mathit{SERVER}$

$\mathit{ARCHITECTURE} = \mathit{CLIENT} \mid \mathit{PROXY} \mid \mathit{SERVER}$


Specifying Properties for Web Proxy Pattern

• There can be independent message requests from the client (P1)

• After a request there will eventually be an answer (P2)

• After a request has been made by the client, the system's response will be either an answer to the client or a request to the server (P3)

• It is not possible to have both an answer and a request from the system after a request from the client (P4)

• Immediately after a request, either an answer or a request will be generated by the system (P5)


Specifying Invariants for Web Proxy Pattern

prop P1 = min Y = <'req>tt ∨ <t>Y

prop P2 = (not <'req>tt) ∨ EF ([’req]<ans>tt)
prop P3 = ((not <'req>tt) ∨ EF ([req]<'ans>tt ∨ [req]<'request>tt))
prop P4 = ((not <'req>tt) ∨ EF ([req]<'ans>tt ∧ [req]<'request>tt))
prop P5 = ((not <'req>tt) ∨ EF ((not([req]<'ans>tt) ∧ [req]<'request>tt)
          ∨ ([req]<'ans>tt ∧ not([req]<'request>tt))))
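The following is an added example, not code from the slides or from CWB-NC; it serves both the ARCHITECTURE definition on the modeling slide and the invariants above. It applies the CCS rules for composition and restriction (the Composition and Restriction constructions from the syntax slide) to the three agents and explores the reachable state space of (CLIENT | PROXY | SERVER)\L, then checks two of the informal properties by reachability: that no reachable state is deadlocked, and that after every request the system returns to its quiescent state (the eventual answer of P2). One assumption is made explicit: the slides write the same name on both ends of a channel, but CCS synchronisation needs a name and its co-name, so the sending side is written here with a leading apostrophe ('req is the output on port req, as in the CWB-NC property syntax), and the silent action is spelled t as in CWB-NC.

```python
"""CCS composition and restriction for the web-proxy architecture.

Added example (not from the original slides or CWB-NC). Builds the reachable
product LTS of CLIENT | PROXY | SERVER from the SOS rules of composition and
checks simple reachability properties on it.
"""
from collections import deque

TAU = "t"  # CWB-NC spells the silent action as t

# Per-agent LTS: state -> [(action, next_state)]. The first key is the initial
# state. Outputs carry a leading apostrophe (assumption: the slides omit it).
# CLIENT = 'req.ans.CLIENT
CLIENT = {"C0": [("'req", "C1")], "C1": [("ans", "C0")]}
# PROXY = req.'ans.PROXY + req.'request.reply.'ans.PROXY
PROXY = {"P0": [("req", "P1"), ("req", "P2")],
         "P1": [("'ans", "P0")],
         "P2": [("'request", "P3")], "P3": [("reply", "P4")], "P4": [("'ans", "P0")]}
# SERVER = request.'reply.SERVER
SERVER = {"S0": [("request", "S1")], "S1": [("'reply", "S0")]}

# Restriction set L for the full architecture: every channel becomes internal.
INTERNAL = frozenset({"req", "ans", "request", "reply"})


def co(action):
    """Complementary label: req <-> 'req. The silent action has no complement."""
    if action == TAU:
        return None
    return action[1:] if action.startswith("'") else "'" + action


def compose(agents, restrict=frozenset()):
    """Reachable product LTS of the agents under restriction \\L (L holds base names).

    Com1/Com2: one agent moves alone (interleaving). Com3: two agents with
    complementary labels move together as one tau step. Restriction blocks a
    and 'a for every a in L but never tau, so restricted channels can only
    be used by synchronising.
    """
    def allowed(a):
        return a == TAU or (a not in restrict and co(a) not in restrict)

    init = tuple(next(iter(lts)) for lts in agents)
    seen, trans, queue = {init}, set(), deque([init])
    while queue:
        s = queue.popleft()
        for i, lts in enumerate(agents):
            for a, t in lts[s[i]]:
                if allowed(a):  # agent i moves on its own
                    s2 = s[:i] + (t,) + s[i + 1:]
                    trans.add((s, a, s2))
                    if s2 not in seen:
                        seen.add(s2)
                        queue.append(s2)
                for j in range(i + 1, len(agents)):  # synchronise with agent j
                    for b, u in agents[j][s[j]]:
                        if b == co(a):
                            s2 = list(s)
                            s2[i], s2[j] = t, u
                            s2 = tuple(s2)
                            trans.add((s, TAU, s2))
                            if s2 not in seen:
                                seen.add(s2)
                                queue.append(s2)
    return init, seen, trans


def deadlock_free(states, trans):
    """Every reachable state has at least one outgoing transition."""
    sources = {s for (s, _, _) in trans}
    return all(s in sources for s in states)


def always_returns_to(target, states, trans):
    """From every reachable state the target state is reachable again."""
    succ = {}
    for s, _, t in trans:
        succ.setdefault(s, set()).add(t)
    for start in states:
        frontier, visited = [start], set()
        while frontier:
            x = frontier.pop()
            for y in succ.get(x, ()):
                if y not in visited:
                    visited.add(y)
                    frontier.append(y)
        if target not in visited:
            return False
    return True


def analyse(restrict=INTERNAL):
    """Summary of the architecture's reachable behaviour under restriction."""
    init, states, trans = compose((CLIENT, PROXY, SERVER), restrict)
    return {"states": len(states),
            "labels": sorted({a for (_, a, _) in trans}),
            "deadlock_free": deadlock_free(states, trans),
            "returns_to_init": always_returns_to(init, states, trans)}


if __name__ == "__main__":
    print(analyse())              # restricted: 5 states, only t steps
    print(analyse(frozenset()))   # unrestricted: 20 interleaved states
```

With every channel restricted the architecture has five reachable states and moves only by t steps, which is exactly the closed system the invariants P1 to P5 talk about; without restriction the three agents interleave freely and all twenty product states are reachable, so a property checked on the unrestricted model can fail for runs the real deployment cannot exhibit.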


Thank you
