Abstract
Refinement-checking, as embodied in tools like FDR, PAT and ProB, is a popular approach for model-checking refinement-closed predicates of CSP processes. We consider the limits of this approach to model-checking these kinds of predicates. By adopting Clarkson and Schneider’s hyperproperties framework, we show that every refinement-closed denotational predicate of finitely-nondeterministic, divergence-free CSP processes can be written as the conjunction of a safety predicate and the refinement-closure of a liveness predicate. We prove that every safety predicate is refinement-closed and that the safety predicates correspond precisely to the CSP refinement checks in finite linear observations models whose left-hand sides (i.e. specification processes) are independent of the systems to which they are applied. We then show that there exist important liveness predicates whose refinement-closures cannot be expressed as refinement checks in any finite linear observations model \({\mathcal{M}}\), divergence-strict model \({\mathcal{M}^\Downarrow}\) or non-divergence-strict divergence-recording model \({\mathcal{M}^\#}\), i.e. in any standard CSP model suitable for reasoning about the kinds of processes that FDR can handle, namely finitely-branching ones. These liveness predicates include liveness properties under intuitive fairness assumptions, branching-time liveness predicates and non-causation predicates for reasoning about authority. We conclude that alternative verification approaches, besides refinement-checking, currently under development for CSP should be further pursued.
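An added illustration, not code from the paper or from FDR, PAT or ProB, of the distinction the abstract draws: finitely-branching processes are modelled as finite prefix-closed trace sets (CSP's traces model), and a constructed universe of five processes is used to check that a safety predicate is refinement-closed and is literally a refinement check with a fixed specification on the left, whereas the liveness predicate "can eventually perform b" is not refinement-closed and its refinement-closure holds of nothing. The process names and traces are constructed for the example.

```python
"""Traces-model toy: processes are finite, prefix-closed sets of tuples."""
from itertools import product

def prefix_close(traces):
    """Every CSP trace set is prefix-closed; close an arbitrary set of tuples."""
    return frozenset(t[:i] for t in traces for i in range(len(t) + 1))

def refines(spec, impl):
    """Traces refinement spec [T= impl: every trace of impl is a trace of spec."""
    return impl <= spec

def refinements(proc):
    """All traces-refinements of a finite process: its non-empty prefix-closed
    subsets. STOP (just the empty trace) is always among them."""
    traces = sorted(proc)
    found = set()
    for mask in product((False, True), repeat=len(traces)):
        sub = frozenset(t for t, keep in zip(traces, mask) if keep)
        if sub and prefix_close(sub) == sub:
            found.add(sub)
    return found

def refinement_closed(pred, universe):
    """pred is refinement-closed if it survives every refinement of a process."""
    return all(pred(q) for p in universe if pred(p) for q in refinements(p))

def refinement_closure(pred):
    """Refinement-closure: holds of p iff pred holds of every refinement of p."""
    return lambda p: all(pred(q) for q in refinements(p))

# Constructed processes: a -> b -> STOP, STOP, a -> STOP, b -> STOP, a -> STOP [] b -> STOP
SPEC = prefix_close({("a", "b")})
STOP = prefix_close({()})
A, B = prefix_close({("a",)}), prefix_close({("b",)})
A_OR_B = prefix_close({("a",), ("b",)})
UNIVERSE = [SPEC, STOP, A, B, A_OR_B]

def safety(proc):
    """Safety predicate 'only traces of a -> b -> STOP': the check SPEC [T= proc."""
    return refines(SPEC, proc)

def can_do_b(proc):
    """Liveness-style predicate: some trace eventually performs b."""
    return any("b" in t for t in proc)

if __name__ == "__main__":
    print(refinement_closed(safety, UNIVERSE))    # True
    print(refinement_closed(can_do_b, UNIVERSE))  # False: STOP refines SPEC, cannot do b
    print(refinement_closure(can_do_b)(SPEC))     # False: closure holds of no process
```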
References
Abdulla P, Chen Y-F, Holík L, Mayr R, Vojnar T (2010) When simulation meets antichains. In: Tools and algorithms for the construction and analysis of systems (TACAS ’10). Lecture notes in computer science, vol 6015. Springer, Berlin, pp 158–174
Apt KR, Francez N, Katz S (1988) Appraising fairness in languages for distributed programming. Distrib Comput 2(4): 226–241
Abadi M, Lamport L (1991) The existence of refinement mappings. Theor Comput Sci 82(2): 253–284
Alpern B, Schneider FB (1985) Defining liveness. Inf Process Lett 21(4): 181–185
Brookes SD, Roscoe AW (1985) An improved failures model for communicating processes. In: Proceedings of the 1984 Carnegie-Mellon University seminar on concurrency. Lecture notes in computer science, vol 197. Springer, Berlin
Büchi JR (1962) On a decision method in restricted second order arithmetic. In: Proceedings of the 1st international congress on logic, methodology, and philosophy of science. Stanford University Press, Stanford, pp 1–11
Clarke EM, Emerson EA, Sistla AP (1986) Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans Programm Lang Syst (TOPLAS) 8(2): 244–263
Clarkson MR, Schneider FB (2008) Hyperproperties. In: Proceedings of the 21st IEEE computer security foundations symposium (CSF ’08), pp 51–65
Clarkson MR, Schneider FB (2010) Hyperproperties. J Comput Secur. Preprint. http://www.cs.cornell.edu/fbs/publications/Hyperproperties.JCS.pdf (in press)
Gardiner P, Goldsmith M, Hulance J, Jackson D, Roscoe B, Scattergood B, Armstrong P (2005) Failures-divergences refinement: FDR2 user manual. Formal Systems (Europe) Ltd
Goguen JA, Meseguer J (1982) Security policies and security models. In: Proceedings of the 1982 IEEE symposium on security and privacy (SP ’82), pp 11–20
Hoare CAR (1980) A model for communicating sequential processes. In: McKeag RM, Macnaughten AM (eds) On the construction of programs. Cambridge University Press, London, pp 229–254
Hoare CAR (1985) Communicating sequential processes. Prentice Hall, Englewood Cliffs
Holzmann GJ (2003) The SPIN model checker: primer and reference manual. Addison-Wesley, Reading
Isobe Y, Roggenbach M (2005) A generic theorem prover of CSP refinement. In: Proceedings of the 11th international conference on tools and algorithms for the construction and analysis of systems (TACAS 2005). Springer, Berlin, p 108
Isobe Y, Roggenbach M (2006) A complete axiomatic semantics for the CSP stable-failures model. In: Proceedings of the 17th international conference on concurrency theory (CONCUR ’06). Lecture notes in computer science, vol 4137. Springer, Berlin, pp 158–172
Isobe Y, Roggenbach M (2008) CSP-prover: a proof tool for the verification of scalable concurrent systems. J Comput Softw Jpn Soc Softw Sci Technol (JSSST) 25(4): 85–92
Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 3(2): 125–143
Lamport L (2000) Fairness and hyperfairness. Distrib Comput 13(4): 239–245
Latvala T (2003) Efficient model checking of safety properties. In: Proceedings of the 10th international conference on model checking software (SPIN ’03). Springer, Berlin, pp 74–88
Lazić RS (1999) A semantic study of data independence with applications to model checking. D.Phil. thesis, Oxford University Computing Laboratory
Lewis D (1973) Causation. J Philos 70(17): 556–567
Leuschel M, Fontaine M (2008) Probing the depths of CSP-M: a new FDR-compliant validation tool. In: Formal methods and software engineering, proceedings of the 10th international conference on formal engineering methods (ICFEM ’08). Springer, Berlin, pp 278–297
Liu Y (2009) Model checking concurrent and real-time systems: the PAT approach. PhD thesis, National University of Singapore. http://www.comp.nus.edu.sg/~liuyang/thesis/thesis.pdf
Leuschel M, Massart T, Currie A (2001) How to make FDR spin: LTL model checking of CSP by refinement. In: Proceedings of the international symposium of formal methods Europe on formal methods for increasing software productivity (FME ’01). Springer, Berlin, pp 99–118
Lowe G (1996) Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Tools and algorithms for the construction and analysis of systems (TACAS ’96). Lecture notes in computer science, vol 1055. Springer, Berlin, pp 147–166
Lowe G (2007) On information flow and refinement-closure. In: Proceedings of the 7th international workshop on issues in the theory of security (WITS ’07)
Lowe G (2008) Specification of communicating processes: temporal logic versus refusals-based refinement. Form Aspects Comput 20(3): 277–294
Lowe G (2009) On CSP refinement tests that run multiple copies of a process. In: Proceedings of the seventh international workshop on automated verification of critical systems (AVoCS ’07). Electronic notes in theoretical computer science, vol 250, pp 153–170
Lehmann DJ, Pnueli A, Stavi J (1981) Impartiality, justice and fairness: the ethics of concurrent termination. In: Proceedings of the 8th colloquium on automata, languages and programming (ICALP 1981). Lecture notes in computer science, vol 115. Springer, Berlin, pp 264–277
Miller MS (2006) Robust composition: towards a unified approach to access control and concurrency control. PhD thesis, Johns Hopkins University
Murray T, Lowe G (2007) Authority analysis for least privilege environments. In: Proceedings of the joint workshop on foundations of computer security and automated reasoning for security protocol analysis (FCS-ARSPA ’07), pp 113–130
Murray T, Lowe G (2009) On refinement-closed security properties and nondeterministic compositions. In: Proceedings of the eighth international workshop on automated verification of critical systems (AVoCS ’08). Electronic notes in theoretical computer science, vol 250, pp 49–68
Mukarram A (1993) A refusal testing model for CSP. D.Phil. thesis, University of Oxford
Murray T (2010) Analysing the security properties of object-capability patterns. D.Phil. thesis, University of Oxford
Paulson LC (1994) Isabelle: a generic theorem prover. Lecture notes in computer science, vol 828. Springer, Berlin
Pnueli A (1977) The temporal logic of programs. In: Proceedings of the 18th annual symposium on foundations of computer science, pp 46–57
Puhakka A (2003) Using fairness in process-algebraic verification. Technical Report 24, Institute of Software Systems, Tampere University of Technology
Puhakka A (2005) Using fairness constraints in process-algebraic verification. In: Proceedings of the second international colloquium on theoretical aspects of computing (ICTAC 2005). Lecture notes in computer science, vol 3722. Springer, Berlin, pp 546–561
Puhakka A, Valmari A (2001) Liveness and fairness in process-algebraic verification. In: Proceedings of the 12th international conference on concurrency theory (CONCUR ’01). Lecture notes in computer science, vol 2154. Springer, Berlin, pp 202–217
Roscoe AW, Gardiner PHB, Goldsmith MH, Hulance JR, Jackson DM, Scattergood JB (1995) Hierarchical compression for model-checking CSP or how to check 10^20 dining philosophers for deadlock. In: Proceedings of the first international workshop on tools and algorithms for construction and analysis of systems (TACAS ’95). Springer, London, pp 133–152
Roscoe AW (1994) Model-checking CSP. In: Roscoe AW (ed) A classical mind: essays in honour of C. A. R. Hoare. Prentice-Hall, Englewood Cliffs, pp 353–378
Roscoe AW (1997) The theory and practice of concurrency. Prentice Hall, Upper Saddle River. http://www.comlab.ox.ac.uk/people/bill.roscoe/publications/68b.pdf
Roscoe AW (2001) Compiling shared variable programs into CSP. In: Proceedings of the 2001 PROGRESS workshop. http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/82.ps
Roscoe AW (2004) Finitary refinement checks for infinitary specifications. In: Proceedings of communicating process architectures (CPA 2004)
Roscoe AW (2005) On the expressive power of CSP refinement. Form Aspects Comput 17(2): 93–112
Roscoe AW (2005) Seeing beyond divergence. In: Proceedings of communicating sequential processes: the first 25 years: symposium on the occasion of 25 years of CSP, 7–8 July 2004. Lecture notes in computer science, vol 3525. Springer, Berlin, p 15
Roscoe AW (2008) The three platonic models of divergence-strict CSP. In: Proceedings of the 5th international colloquium on theoretical aspects of computing (ICTAC 2008). Lecture notes in computer science, vol 5160. Springer, Berlin, pp 23–49
Roscoe AW (2009) Revivals, stuckness and the hierarchy of CSP models. J Logic Algebr Program 78(3): 163–190
Reed JN, Sinclair JE, Roscoe AW (2004) Responsiveness of interoperating components. Form Aspects Comput 16(4): 394–411
Sistla AP (1994) Safety, liveness and fairness in temporal logic. Form Aspects Comput 6(5): 495–511
Sun J, Liu Y, Dong JS (2009) Model checking CSP revisited: introducing a process analysis toolkit. In: Leveraging applications of formal methods, verification and validation. Communications in computer and information science, vol 17. Springer, Berlin, pp 307–322
Sun J, Liu Y, Dong JS, Wang HH (2008) Specifying and verifying event-based fairness enhanced systems. In: Formal methods and software engineering, proceedings of the 10th international conference on formal engineering methods (ICFEM ’08). Springer, Berlin, pp 5–24
Samuel DG, Roggenbach M, Isobe Y (2009) The stable revivals model in CSP-prover. In: Proceedings of the eighth international workshop on automated verification of critical systems (AVoCS ’08). Electronic notes in theoretical computer science, vol 250. Elsevier Science Publishers B. V., Amsterdam, pp 119–134
Völzer H, Varacca D, Kindler E (2005) Defining fairness. In: Proceedings of the 16th international conference on concurrency theory (CONCUR ’05). Lecture notes in computer science, vol 3653. Springer, Berlin, pp 458–472
Vardi MY, Wolper P (1986) An automata-theoretic approach to automatic program verification. In: Proceedings of the first IEEE symposium on logic in computer science (LICS ’86), pp 322–331
Wolper P, Vardi MY, Sistla AP (1983) Reasoning about infinite computation paths. In: Proceedings of the 24th annual symposium on foundations of computer science (SFCS ’83). IEEE Computer Society, pp 185–194
Additional information
Jim Woodcock
Murray, T. On the limits of refinement-testing for model-checking CSP. Form Asp Comp 25, 219–256 (2013). https://doi.org/10.1007/s00165-011-0183-6