On the limits of refinement-testing for model-checking CSP

Formal Aspects of Computing

Abstract

Refinement-checking, as embodied in tools like FDR, PAT and ProB, is a popular approach for model-checking refinement-closed predicates of CSP processes. We consider the limits of this approach to model-checking these kinds of predicates. By adopting Clarkson and Schneider’s hyperproperties framework, we show that every refinement-closed denotational predicate of finitely-nondeterministic, divergence-free CSP processes can be written as the conjunction of a safety predicate and the refinement-closure of a liveness predicate. We prove that every safety predicate is refinement-closed and that the safety predicates correspond precisely to the CSP refinement checks in finite linear observations models whose left-hand sides (i.e. specification processes) are independent of the systems to which they are applied. We then show that there exist important liveness predicates whose refinement-closures cannot be expressed as refinement checks in any finite linear observations model \({\mathcal{M}}\), divergence-strict model \({\mathcal{M}^\Downarrow}\) or non-divergence-strict divergence-recording model \({\mathcal{M}^\#}\), i.e. in any standard CSP model suitable for reasoning about the kinds of processes that FDR can handle, namely finitely-branching ones. These liveness predicates include liveness properties under intuitive fairness assumptions, branching-time liveness predicates and non-causation predicates for reasoning about authority. We conclude that alternative verification approaches, besides refinement-checking, currently under development for CSP should be further pursued.
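The abstract's two central claims, that a safety predicate is exactly a refinement check against a fixed specification process while a liveness predicate need not be refinement-closed, can be seen on a toy case. The following is an added illustration, not code from the paper: a bounded traces-model checker over small finite-state processes (process encodings, the `depth` bound and the predicate names are this example's own assumptions).

```python
# Added illustration, not the paper's own: a bounded traces-model refinement checker.
# A process is (transitions, start); transitions maps state -> {event: next_state}.
# A state with no outgoing events behaves like STOP. Traces are cut at `depth`,
# which is exact for the acyclic processes below and consistent for the spec RUN_AB.
RUN_AB = ({0: {"a": 0, "b": 0}}, 0)                 # RUN({a,b}): spec for "never c"
A_THEN_B = ({0: {"a": 1}, 1: {"b": 2}, 2: {}}, 0)   # a -> b -> STOP
A_THEN_STOP = ({0: {"a": 1}, 1: {}}, 0)             # a -> STOP
A_THEN_C = ({0: {"a": 1}, 1: {"c": 2}, 2: {}}, 0)   # a -> c -> STOP


def traces(proc, depth):
    """Prefix-closed set of finite traces of length <= depth (bounded traces model)."""
    trans, start = proc
    result, frontier = {()}, [((), start)]
    for _ in range(depth):
        frontier = [(tr + (ev,), nxt)
                    for tr, s in frontier for ev, nxt in trans.get(s, {}).items()]
        result.update(tr for tr, _ in frontier)
    return result


def refines(spec, impl, depth=4):
    """spec [T= impl in the traces model: every trace of impl is a trace of spec."""
    return traces(impl, depth) <= traces(spec, depth)


def never_c(proc, depth=4):
    """Safety predicate on the denotation: no trace contains event c."""
    return all("c" not in tr for tr in traces(proc, depth))


def b_always_reachable(proc, depth=4):
    """Liveness predicate: every trace can be extended to a trace containing b."""
    ts = traces(proc, depth)
    return all(any(t[:len(tr)] == tr and "b" in t for t in ts) for tr in ts)


def safety_matches_refinement_check(proc, depth=4):
    """The safety predicate coincides with a refinement check whose LHS (RUN_AB)
    does not depend on the system being checked."""
    return never_c(proc, depth) == refines(RUN_AB, proc, depth)


def liveness_closure_counterexample(depth=4):
    """A_THEN_STOP refines A_THEN_B, yet only A_THEN_B satisfies the liveness
    predicate: the predicate is not refinement-closed, so no fixed-LHS traces
    refinement check can express it."""
    return (refines(A_THEN_B, A_THEN_STOP, depth),
            b_always_reachable(A_THEN_B, depth),
            b_always_reachable(A_THEN_STOP, depth))
```

Running `liveness_closure_counterexample()` returns `(True, True, False)`: the refinement holds, the abstract process satisfies the liveness predicate, and its refinement does not.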


References

  1. Abdulla P, Chen Y-F, Holìk L, Mayr R, Vojnar T (2010) When simulation meets antichains. In: Tools and algorithms for the construction and analysis of systems (TACAS ’10). Lecture notes in computer science, vol 6015. Springer, Berlin, pp 158–174

  2. Apt KR, Francez N, Katz S (1988) Appraising fairness in languages for distributed programming. Distrib Comput 2(4): 226–241


  3. Abadi M, Lamport L (1991) The existence of refinement mappings. Theor Comput Sci 82(2): 253–284


  4. Alpern B, Schneider FB (1985) Defining liveness. Inf Process Lett 21(4): 181–185


  5. Brookes SD, Roscoe AW (1985) An improved failures model for communicating processes. In: Proceedings of the 1984 Carnegie-Mellon University seminar on concurrency. Lecture notes in computer science, vol 197. Springer, Berlin

  6. Büchi JR (1962) On a decision method in restricted second order arithmetic. In: Proceedings of the 1st international congress on logic, methodology, and philosophy of science. Stanford University Press, Stanford, pp 1–11

  7. Clarke EM, Emerson EA, Sistla AP (1986) Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans Programm Lang Syst (TOPLAS) 8(2): 244–263


  8. Clarkson MR, Schneider FB (2008) Hyperproperties. In: Proceedings of the 21st IEEE computer security foundations symposium (CSF ’08), pp 51–65

  9. Clarkson MR, Schneider FB (2010) Hyperproperties. J Comput Secur. Preprint. http://www.cs.cornell.edu/fbs/publications/Hyperproperties.JCS.pdf (in press)

  10. Gardiner P, Goldsmith M, Hulance J, Jackson D, Roscoe B, Scattergood B, Armstrong P (2005) Failures-divergences refinement: FDR2 user manual. Formal Systems (Europe) Ltd

  11. Goguen JA, Meseguer J (1982) Security policies and security models. In: Proceedings of the 1982 IEEE symposium on security and privacy (SP ’82), pp 11–20

  12. Hoare CAR (1980) A model for communicating sequential processes. In: McKeag RM, Macnaughten AM (eds) On the construction of programs. Cambridge University Press, London, pp 229–254

  13. Hoare CAR (1985) Communicating sequential processes. Prentice Hall, Englewood Cliffs


  14. Holzmann GJ (2003) The SPIN model checker: primer and reference manual. Addison-Wesley, Reading


  15. Isobe Y, Roggenbach M (2005) A generic theorem prover of CSP refinement. In: Proceedings of the 11th international conference on tools and algorithms for the construction and analysis of systems (TACAS 2005). Springer, Berlin, p 108

  16. Isobe Y, Roggenbach M (2006) A complete axiomatic semantics for the CSP stable-failures model. In: Proceedings of the 17th international conference on concurrency theory (CONCUR ’06). Lecture notes in computer science, vol 4137. Springer, Berlin, pp 158–172

  17. Isobe Y, Roggenbach M (2008) CSP-prover: a proof tool for the verification of scalable concurrent systems. J Comput Softw Jpn Soc Softw Sci Technol (JSSST) 25(4): 85–92


  18. Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 3(2): 125–143


  19. Lamport L (2000) Fairness and hyperfairness. Distrib Comput 13(4): 239–245


  20. Latvala T (2003) Efficient model checking of safety properties. In: Proceedings of the 10th international conference on model checking software (SPIN ’03). Springer, Berlin, pp 74–88

  21. Lazić RS (1999) A semantic study of data independence with applications to model checking. D.Phil. thesis, Oxford University Computing Laboratory

  22. Lewis D (1973) Causation. J Philos 70(17): 556–567


  23. Leuschel M, Fontaine M (2008) Probing the depths of CSP-M: a new FDR-compliant validation tool. In: Formal methods and software engineering, proceedings of the 10th international conference on formal engineering methods (ICFEM ’08). Springer, Berlin, pp 278–297

  24. Liu Y (2009) Model checking concurrent and real-time systems: the PAT approach. PhD thesis, National University of Singapore. http://www.comp.nus.edu.sg/~liuyang/thesis/thesis.pdf

  25. Leuschel M, Massart T, Currie A (2001) How to make FDR spin: LTL model checking of CSP by refinement. In: Proceedings of the international symposium of formal methods Europe on formal methods for increasing software productivity (FME ’01). Springer, Berlin, pp 99–118

  26. Lowe G (1996) Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Tools and algorithms for the construction and analysis of systems (TACAS ’96). Lecture notes in computer science, vol 1055. Springer, Berlin, pp 147–166

  27. Lowe G (2007) On information flow and refinement-closure. In: Proceedings of the 7th international workshop on issues in the theory of security (WITS ’07)

  28. Lowe G (2008) Specification of communicating processes: temporal logic versus refusals-based refinement. Form Aspects Comput 20(3): 277–294


  29. Lowe G (2009) On CSP refinement tests that run multiple copies of a process. In: Proceedings of the seventh international workshop on automated verification of critical systems (AVoCS ’07). Electronic notes in theoretical computer science, vol 250, pp 153–170

  30. Lehmann DJ, Pnueli A, Stavi J (1981) Impartiality, justice and fairness: the ethics of concurrent termination. In: Proceedings of the 8th colloquium on automata, languages and programming (ICALP 1981). Lecture notes in computer science, vol 115. Springer, Berlin, pp 264–277

  31. Miller MS (2006) Robust composition: towards a unified approach to access control and concurrency control. PhD thesis, Johns Hopkins University

  32. Murray T, Lowe G (2007) Authority analysis for least privilege environments. In: Proceedings of the joint workshop on foundations of computer security and automated reasoning for security protocol analysis (FCS-ARSPA ’07), pp 113–130

  33. Murray T, Lowe G (2009) On refinement-closed security properties and nondeterministic compositions. In: Proceedings of the eighth international workshop on automated verification of critical systems (AVoCS ’08). Electronic notes in theoretical computer science, vol 250, pp 49–68

  34. Mukarram A (1993) A refusal testing model for CSP. D.Phil. thesis, University of Oxford

  35. Murray T (2010) Analysing the security properties of object-capability patterns. D.Phil. thesis, University of Oxford

  36. Paulson LC (1994) Isabelle: a generic theorem prover. Lecture notes in computer science, vol 828. Springer, Berlin

  37. Pnueli A (1977) The temporal logic of programs. In: Proceedings of the 18th annual symposium on foundations of computer science, pp 46–57

  38. Puhakka A (2003) Using fairness in process-algebraic verification. Technical Report 24, Institute of Software Systems, Tampere University of Technology

  39. Puhakka A (2005) Using fairness constraints in process-algebraic verification. In: Proceedings of the second international colloquium on theoretical aspects of computing (ICTAC 2005). Lecture notes in computer science, vol 3722. Springer, Berlin, pp 546–561

  40. Puhakka A, Valmari A (2001) Liveness and fairness in process-algebraic verification. In: Proceedings of the 12th international conference on concurrency theory (CONCUR ’01). Lecture notes in computer science, vol 2154. Springer, Berlin, pp 202–217

  41. Roscoe AW, Gardiner PHB, Goldsmith MH, Hulance JR, Jackson DM, Scattergood JB (1995) Hierarchical compression for model-checking CSP or how to check 10^20 dining philosophers for deadlock. In: Proceedings of the first international workshop on tools and algorithms for construction and analysis of systems (TACAS ’95). Springer, London, pp 133–152

  42. Roscoe AW (1994) Model-checking CSP. In: Roscoe AW (ed) A classical mind: essays in honour of C. A. R. Hoare. Prentice-Hall, Englewood Cliffs, pp 353–378

  43. Roscoe AW (1997) The theory and practice of concurrency. Prentice Hall, Upper Saddle River. http://www.comlab.ox.ac.uk/people/bill.roscoe/publications/68b.pdf

  44. Roscoe AW (2001) Compiling shared variable programs into CSP. In: Proceedings of the 2001 PROGRESS workshop. http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/82.ps

  45. Roscoe AW (2004) Finitary refinement checks for infinitary specifications. In: Proceedings of communicating process architectures (CPA 2004)

  46. Roscoe AW (2005) On the expressive power of CSP refinement. Form Aspects Comput 17(2): 93–112


  47. Roscoe AW (2005) Seeing beyond divergence. In: Proceedings of communicating sequential processes: the first 25 years: symposium on the occasion of 25 years of CSP, 7–8 July 2004. Lecture notes in computer science, vol 3525. Springer, Berlin, p 15

  48. Roscoe AW (2008) The three platonic models of divergence-strict CSP. In: Proceedings of the 5th international colloquium on theoretical aspects of computing (ICTAC 2008). Lecture notes in computer science, vol 5160. Springer, Berlin, pp 23–49

  49. Roscoe AW (2009) Revivals, stuckness and the hierarchy of CSP models. J Logic Algebr Program 78(3): 163–190


  50. Reed JN, Sinclair JE, Roscoe AW (2004) Responsiveness of interoperating components. Form Aspects Comput 16(4): 394–411


  51. Sistla AP (1994) Safety, liveness and fairness in temporal logic. Form Aspects Comput 6(5): 495–511


  52. Sun J, Liu Y, Dong JS (2009) Model checking CSP revisited: introducing a process analysis toolkit. In: Leveraging applications of formal methods, verification and validation. Communications in computer and information science, vol 17. Springer, Berlin, pp 307–322

  53. Sun J, Liu Y, Dong JS, Wang HH (2008) Specifying and verifying event-based fairness enhanced systems. In: Formal methods and software engineering, proceedings of the 10th international conference on formal engineering methods (ICFEM ’08). Springer, Berlin, pp 5–24

  54. Samuel DG, Roggenbach M, Isobe Y (2009) The stable revivals model in CSP-prover. In: Proceedings of the eighth international workshop on automated verification of critical systems (AVoCS ’08). Electronic notes in theoretical computer science, vol 250. Elsevier Science Publishers B. V., Amsterdam, pp 119–134

  55. Völzer H, Varacca D, Kindler E (2005) Defining fairness. In: Proceedings of the 16th international conference on concurrency theory (CONCUR ’05). Lecture notes in computer science, vol 3653. Springer, Berlin, pp 458–472

  56. Vardi MY, Wolper P (1986) An automata-theoretic approach to automatic program verification. In: Proceedings of the first IEEE symposium on logic in computer science (LICS ’86), pp 322–331

  57. Wolper P, Vardi MY, Sistla AP (1983) Reasoning about infinite computation paths. In: Proceedings of the 24th annual symposium on foundations of computer science (SFCS ’83). IEEE Computer Society, pp 185–194

Corresponding author

Correspondence to Toby Murray.
Cite this article

Murray, T. On the limits of refinement-testing for model-checking CSP. Form Asp Comp 25, 219–256 (2013). https://doi.org/10.1007/s00165-011-0183-6