of Dynamic Parametrized Architectures

. We propose a novel approach to the formal speciﬁcation and veriﬁcation of dynamic architectures that are at the core of adaptive systems such as critical infrastructure protection. Key features include run-time reconﬁguration based on adding and removing components and connections, resulting in systems with unbounded number of components. We provide a logic-based speciﬁcation of a Dynamic Parametrized Architecture (DPA), where parameters represent the inﬁnite-state space of possible conﬁgurations, and ﬁrst-order formulas represent the sets of initial conﬁgurations and reconﬁguration transitions. We encode information ﬂow properties as reachability problems of such DPAs, deﬁne a translation into an array-based transition system, and use a Satisﬁability Modulo Theories (SMT)-based model checker to tackle a number of case studies.


Introduction
In many applications, safety-critical systems are becoming more and more networked and open. For example, many critical infrastructures such as energy distribution, air traffic management, transport infrastructures, and industrial control nowadays employ remote communication and control. Critical infrastructure protection is becoming of paramount importance as witnessed for example by related European and US frameworks [1,2] which promote actions to make critical infrastructures more resilient.
In order to be resilient, a system must be adaptive, changing its architectural configuration at run-time, due to new requirements, component failures or attacks. A reconfiguration means adding and removing components and connections, so that the resulting system has an infinite state space where each state is an architectural configuration. In this context, simple reachability properties such as the existence of information flow paths become very challenging due to the interplay between communications and reconfigurations. The design, implementation, and certification of a system with such properties are the challenges of the European project CITADEL [3].
If the number of components is bounded, formal verification can be reduced to static verification by encoding in the state if the component is active or not with possibly an additional component to control the (de)activation (see, for example, [9]). If, instead, new components can be added, the encoding is less trivial. In principle, parametrized verification, by verifying a system considering any number of replicas of components, seems a good candidate, but we need the capability to encode in the state the activation of an unbounded number of components.
In this paper, we propose Dynamic Parametrized Architectures (DPAs), which extend a standard architecture description of components and connections with (1) parameters and symbolic constraints to define a set of configurations, (2) symbolic constraints to define the sets of initial configurations and reconfigurations. In particular, the architectural topology is represented by indexed sets of components and symbolic variables that can enable/disable the connections, while the constraints are specified with first-order formulas with quantifiers over the set of indices.
We propose to use Satisfiability Modulo Theories (SMT)-based model checking for array-based transition systems [13,19], a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. We define carefully the fragment of first-order logic used in the architecture description so that we can provide a translation into array-based transition systems.
In this paper, we focus on simple information "can-flow" properties over DPAs: we check if information can pass from one component to another one through a sequence of communications between connected components and reconfigurations. We automatically translate the DPA and the properties into an array-based transition system and we verify the properties with Model Checker Modulo Theories (MCMT) [19].
Summarizing, the contributions of the paper are: (1) to define a new formal specification of dynamic architectures; (2) to translate the reachability problem of dynamic architectures into reachability problems for infinite-state array-based transition systems; (3) to provide a prototype implementation and an experimental evaluation of the feasibility of the approach.
The rest of the paper is structured as follows: Sect. 2 gives an account of related work; Sect. 3 exemplifies the problem using a concrete language; Sect. 4 defines the abstract syntax and semantics of DPAs; Sect. 5 describes array-based transition systems and the translation from DPAs; Sect. 6 presents some benchmarks and experimental results; and, finally, in Sect. 7, we draw some conclusions and directions for future works.

Related Work
The approach closest to the one presented below is proposed in [31] as extension of the BIP (Behavior, Interaction, Priority) framework [6]. BIP has been extended for dynamic and parametrized connections in [7,23], and to allow spawning new components and interactions in [9]. The work in [31] proposes a second-order logic to specify constraints on the evolution of the architecture including creation/removal of components. However, no model checking procedure is provided to verify such dynamic architectures. In this paper, we restrict the logic, for example avoiding second-order quantification, so that the language is still suitable to describe interesting dynamics but can be translated into arraybased transition systems for model checking.
Since a system architecture can be seen as a graph of connections, graph grammars [29] are a good candidate for specification of dynamic architectures. In fact, in [21,26,32,33], the authors propose to model dynamic architectures in terms of graph transformation systems: the initial configuration is represented by a graph (or hypergraph) and reconfigurations as graph production rules, which are based on subgraph matching. In [21,26,32], there is no attempt at formal verification, while in [33] it is limited to finite-state model checking. Moreover, compared to our language, reconfigurations are limited to matching a finite subgraph which does not allow to express transition guards based on negation or updates that change sets of components. These limitations can be partly lifted considering infinite-state attributed graph grammars and related verification techniques [22]. After a first attempt to use these techniques as backends for DPAs, we concluded that in practice they do not scale very well on our benchmarks.
π-calculus [27] is another clear candidate to represent the semantics of dynamic architectures, since it has the ability to describe the creation of processes and their dynamic synchronizations. As is, it does not clearly define the topology of the network, but works such as [10,24] use it as underlying semantics for dynamic extensions of architecture specification languages. Also in this context, no previous work provided a concrete proposal for model checking showing the feasibility of the approach.
The analysis of how information can flow from one component to another is addressed in many contexts such as program analysis, process modeling, access control, and flow latency analysis. The novel challenge addressed by this paper is posed by the complexity of the adaptive systems' architectures, for which design and verification is an open problem. We propose a very rich system specification and we provide verification techniques for simple information flow properties formalized as reachability problems.
In this paper, we consider information flow as reachability, which is well studied for standard state machine models. More complex information flow properties extensively studied in the literature on security are related to the notion of non-interference. In the seminal work of Goguen and Meseguer [20], the simple information flow property is extended to make sure that components at different levels of security do not interfere. The verification of non-interference on DPAs is an open problem left for future work.

An Example of a Dynamic Parametrized Architecture
In this section, we describe an example of a dynamic architecture in an extended version of the Architecture Analysis and Design Language (AADL) [16], which is an industrial language standardized by SAE International [30]. The concrete language extension is under definition [12] within the CITADEL project, while in this paper we focus on the underlying formal specification and semantics of DPAs. In AADL, the system is specified in terms of component types, defining the interfaces and thus the input/output ports, and component implementations, defining how composite components are built from other components, called subcomponents, composed by connecting their ports. An example of an AADL component implementation is shown in Fig. 1. The system represents a network of computers, in which one is a database server that contains sensitive data; three are application servers that provide services to the clients, with two of them connected to the database server; and the others are clients. Each client is connected to one server and may be connected to other clients. As can be seen, the number of components and that of their connections are finite and static. The specification represents a single static architecture.
We now extend the example to consider an arbitrary number of servers and clients and to consider changes in the configurations so that computers and connections can be added/removed and computers can be compromised becoming untrusted (due to a failure or attack). We consider the system to be safe if no information can flow from the database to the untrusted clients; otherwise the system is unsafe. This dynamic version of the system is specified in Fig. 2 (for the moment, ignore the highlighted parts of the code), in an extended version of AADL. In particular, the extension has two layers: 1. Parametrized Architecture: the subcomponents can now be indexed sets (e.g., clients is a set indexed by C) and connections are specified iterating over the indices (e.g., there is a connection from servers[s] to clients[c] for each s in S, c in C); besides the sets of indices, the architecture is parametrized by other parameters that can be used in expressions that guard the connections (e.g., there exists a connection from servers[s] to clients[c] only if s = connectedTo[c]); notice that also parameters may be indexed sets.
2. Dynamic Parametrized Architecture: an initial formula defines the set of initial configurations; a set of reconfigurations defines the possible changes in the values of the parameters.
Analyzing the reconfigurations of the example (still ignoring the highlighted parts), we can see that every time an untrusted client is connected to a server, the server becomes untrusted as well. Since the connection with the database is disabled when the server is not trusted, one may erroneously think that no information can flow from the database to an untrusted client. In fact, the information can flow to the server while it is trusted, a reconfiguration may happen making the server untrusted, and the information can then flow to an untrusted client, making the system unsafe. The version of the example with the highlighted parts is safe because it introduces two phases (represented by the protected parameter) and it allows connection to the database only in the protected mode, while reconfigurations downgrading the servers are allowed only in the unprotected mode. Proving automatically that this system is safe is quite challenging.

Definitions
In the following, let N be a countable set of indexes (in practice, we set N = Z).
An index set is a finite subset of N . Given a set S and an index set I, S is indexed by I iff there exists a bijective mapping from I to S. If S is indexed by I, we write S = {s i } i∈I . An index set parameter is a variable whose domain is the set of finite subsets of N .

Definition 1. An architectural configuration is a pair (C, E), where C is a set of components and E ⊆ C × C is a set of connections between components.
We now define a more structured version of architecture, still flat but in which components are grouped into sets. We use indexed sets of components. If c ∈ C and C ∈ C we write simply (abusing notation) c ∈ C.
For example, consider index sets I 1 ,

Definition 4. An assignment to a system of parameters
The following definitions refer to formulas of the logic for systems of parameters and the evaluation (under an assignment μ) · μ of its expressions and formulas. These are defined later in Sect. 4.2.

Definition 5. A parametrized architecture is a tuple
is a system of parameters; -P is a finite set of parametrized indexed sets of components; each set P ∈ P is associated with an index set I P ∈ I; and free variables x, y.
Given an assignment μ to the system of parameters (I, V), the instantiated (structured architectural) configuration defined by the assignment μ is given by Syntactic restrictions: formulas in Ψ and Φ are quantifier-free and do not contain index set predicates =, ⊆.
we get the configuration in the previous example. A configuration μ (A) is directly reachable from a configuration μ(A) iff τ μμ = and κ μ = . Syntactic restrictions: where I ∈ I, I ∈ I are variables of sort is (each variable I ∈ I may appear at most once), t, t k are terms over (I, V) of sort idx, V ∈ V is a variable of one of the sorts vs k (for each V , either atoms of the form 4 appear in β, or at most a single atom of the form 5 appears: atoms of forms 4, 5 never appear together), e are terms over (I, V) of sorts el k , and j is a variable of sort idx; furthermore, value V [t k ] of every introduced (by an atom of form 1,with I = I V and I = I V ) parameter must be set in β with an atom of form 4 or 5; finally, the frame condition γ β is a conjunction of for all V ∈ V which do not appear in a conjunct of form 5 in β, where t V is the (possibly empty) set of all terms which appear as indexes of V in β, and • transition formulas I = I for all I ∈ I which do not appear in conjuncts of forms 1, 2 in β.
(In practice, when specifying the transition formulas, the frame condition γ β is generated automatically from β, instead of being specified directly by the user.) Example: Consider the parametrized architecture from the previous example, with ι : . This defines the set of initial architectures which contains only the single architecture from the previous example and two transitions. The transition τ 1 adds a new index i ∈ I C 1 into the index set I 1 , adding two new components C 1i and C 2i and a new parameter V [i] and sets the value of the newly added parameter V [i] to , adding a connection between the two new components C 1i and C 2i . The transition τ 2 changes the value of some V [i] to ⊥, removing the connection between components C 1i and C 2i and adding connections between component C 1i and each of the components C 3j , j ∈ I 2 . -c k1 = c Psrcisrc ∈ C e r(k 1 ) Psrc for some i src , and ρ src (i src /x) e r(k 1 ) = (the information originates in a source component); -c km = c P dst i dst ∈ C e r(km) P dst for some i dst , and ρ dst (i dst /x) e r(km) = (the information is received by a destination component); -for all n such that 1 ≤ n < m, c kn = c kn+1 (the intermediate components form a chain over which the information propagates); -for all n, 1 ≤ n < m, for all configurations e k such that k n < k < k n+1 ,

Logic for Systems of Parameters
In the following, we define a many-sorted first-order logic [15]. Signatures contain no quantifier symbols except those explicitly mentioned.
Syntax. Theory T IDX = (Σ IDX , C IDX ) of indexes with a single sort idx (in practice, we are using the theory of integers with sort int and with standard operators). A finite number K of theories T EL k = (Σ EL k , C EL k ) of elements, each with a single sort el k with a distinguished constant symbol d el k (a default value) (in practice, we consider the theory of booleans with sort bool and the theory of integers, the same as the theory T IDX ).
The theory SP EL1,...,ELK IDX (or simply SP EL IDX ) of systems of parameters with indexes in T IDX and elements in EL 1 , . . . , EL K is a combination of the above theories. Its sort symbols are idx, is, el 1 , . . . , el K , vs 1 , . . . , vs K , where is is a sort for index sets and vs k is a sort for indexed sets of parameters of sort el k . The set of variable symbols for each sort vs k contains a countable set of variables {V I k,n } n∈N for each variable symbol I of sort is (we omit the superscript and subscripts when they are clear from the context). The signature is the union of the signatures of the above theories, Σ IDX ∪ K k=1 Σ EL k , with the addition of: for sort idx, quantifier symbols ∀, ∃, and ∀ I , ∀ I C , ∃ I , ∃ I C for all variables I of the sort is; predicate symbol ∈ of sort (idx, is); predicate symbols =, ⊆ of sort (is, is); function symbols ∪, ∩, \ of sort (is, is, is); for every n ∈ N, n-ary function symbol {·, . . . , ·} (n) (we write simply {·, . . . , ·}) of sort (idx, . . . , idx, is); function symbols ·[·] k , k = 1, . . . , K (we write simply ·[·]) of sorts (vs k , idx, el k ). The subscripted quantifier symbols are a syntactic sugar for quantification over index sets and their complements: all occurrences of the quantifiers ∀ I i φ, ∀ I C i φ,

Semantics. A structure M = (idx
, respectively, after which the formula is evaluated in the standard manner.

Background Notions on SMT-Based Model Checking
Many-sorted first-order logic of arrays. The target logic for the translation is the many-sorted first-order logic [15] with theories for indexes, elements and arrays as defined in [18]. Following that paper, we fix a theory T I = (Σ I , C I ) for indexes whose only sort symbol is index and we fix theories T E k = (Σ E k , C E k ), k = 1, . . . , K whose only sort symbols are elem k , respectively. The theory A E1,...,EK I (or simply A E I ) of arrays with indexes in T I and elements in E 1 , . . . , E K is defined as the combination of theories T I , T E1 , . . . , T EK as follows. The sort symbols of A E I are index, elem 1 , . . . , elem K , array 1 , . . . , array K , the signature is Σ : Array-Based Transition Systems. In the following, i, j denote variables of the sort index, i denotes a set of such variables, a denotes a variable of one of the array sorts, a denotes a set of such variables, notation a[i] denotes the set of terms {a[i] : a ∈ a, i ∈ i}, and φ(x), ψ(x) denote quantifier free Σ(x) formulas.
-Init(a) is the initial Σ(a)-formula of the form

∀i.φ(i, a[i]).
(1) -T r(a, a ) is the transition Σ(a, a )-formula and is a disjunction of formulas of the form where each t k is a Σ(a)-term which may contain nested if-then-else operators.
Given an array-based system S = (a, Init, T r) and a Σ(a)-formula U (unsafe formula) of the form an instance of the array-based safety problem is to decide whether there exists n ∈ N such that the formula Init(a 0 ) ∧ T r(a 0 , a 1 ) ∧ · · · ∧ T r(a n−1 , a n ) ∧ U (a n ) is A E I -satisfiable. Decidability of the Array-Based Safety Problem. The array-based safety problem is in general undecidable (Thm. 4.1. in [18]), but it becomes decidable under 1) the following assumptions on the theory T I of indexes: local finiteness, closedness under substructures, decidability of SMT(T I ), 2) assumptions of local finiteness of T E and of decidability of SMT(T E ), and 3) further assumptions on the array-based transition system under analysis (for details see Theorem 3.3. and Theorem 4.6. in [18]).

Encoding into SMT-Based Model Checking
Translation of Formulas. We recursively define the translation · A of formulas and transition formulas of SP EL IDX to formulas of A E I . We set the index and element sorts to correspond, i.e. index := idx and elem k := el k , k = 1, . . . , K.
In practice, we set T I to be the theory of integers (with sort index = int), number of element theories to K = 2, and we set E 1 = T I and E 2 to be the theory of Booleans (with sort elem 2 = bool).

Translation of a Dynamic Information Flow Problem to an Array-
of the set of boolean array symbols a I which model index sets, the set of array symbols a V which model sets of parameters, and the set of boolean array symbols a P which model information taint of the component instances.
The initial formula Init is set to Here the third conjunct models the initial taint of the source components, by specifying that a source component with index j is tainted iff it is present in the system and satisfies the constraint ρ src , and the last conjunct models the fact that initially all non-source components are not tainted. Definition 6). The transition formula T r is set to Here T aint(P, Q) is the following formula that models taint propagation between two connected component instances of which the first one is tainted: Reconf k is obtained from τ k by the following steps.
Differentiation of Primed Parameter Accesses. We say that accesses to a primed parameter V ∈ V in τ k are differentiated if for all pairs of conjuncts of form 4 in β k as defined in Definition 6, V [t 1 ] = e 1 and V [t 2 ] = e 2 , α k contains a top-level conjunct (t 1 = t 2 ), i.e., α k is of the form α k ∧ (t 1 = t 2 ). We may assume that in τ k , accesses to all primed parameters V ∈ V are differentiated. Note that if the accesses to some primed parameter V ∈ V in τ k are not differentiated, then for a pair of undifferentiated accesses V [t 1 ] = e 1 and V [t 2 ] = e 2 formula τ k can be rewritten as a disjunction of two formulas τ = k and τ = k which are of the same general form as τ k and are defined by It is easy to verify that the formulas τ k and τ = k ∨τ = k are equivalent. By continuing the rewriting recursively, τ can be transformed into a disjunction of formulas with differentiated accesses to primed parameters.
For a symbol I ∈ I , there is exactly one conjunct in τ k in which I appears in the equality, and it is one of I = I ∪ {t k } k , I = I \ {t k } k , or I = I. In all three cases, value of I is a function of the value of I and some terms over (I, V), and therefore the conjunct can be rewritten as ∀j (j ∈ I ↔ U pdate I (j)) where U pdate I is a term of sort bool over (I, V) and a free variable. For example, for the first case we have U pdate I (j) = (j ∈ I ∨ k (j = t k )). The conjuncts in τ k of the form t ∈ I can be rewritten as U pdate I (t). From τ k we obtain τ k by performing the above rewriting of conjuncts which contain I , for all I ∈ I . It is easy to verify that τ k and τ k are equivalent formulas.
For a symbol V ∈ V , the set of conjuncts in the τ k in which V occurs is either In both cases, the set of conjuncts can be rewritten as ∀j (V [j] = U pdate V (j)), where U pdate V is a term of sort sort V ; in the first case, Formula τ k is obtained from τ k by performing the above rewrites for every V ∈ V . It is easy to verify that τ k and τ k are equivalent. From the invariant formula κ we obtain the next-state invariant κ by first distributing set membership operator over the set operations (e.g. transforming t ∈ I ∪ J to t ∈ I ∨ t ∈ J), and then replacing, for all I ∈ I, each term of the form t ∈ I with the term U pdate I (t), and replacing, for all V ∈ V, each term of the form V [t] with the term U pdate V (t). Analogously, from the formula ρ src and component guards ψ P , P ∈ P we obtain their next-state versions ρ src and ψ P , P ∈ P by performing the same transformations. Reconf k is set to Here the last conjunct updates the information taint for all components, by setting it to true iff the component is present in the next state and it is currently tainted. The third conjunct performs the same update for source components, taking care to also taint the source components which satisfy the next-state source condition ρ src . Finally, the unsafe formula U is set to modeling the set of states in which there exists a destination component with index i which satisfies the destination condition ρ dst and is tainted.
The following theorems state that the information flow problem can be reduced to the array-based safety problem, using the above translation. The detailed proofs can be found in the extended version of the paper at https://es. fbk.eu/people/stojic/papers/fm18. Theorem 1. Problem (S, U), S = (a, Init, T r), which is obtained by translation from an arbitrary information flow problem, where a is given by (4), Init is given by (5), T r is given by (6), (7), (8), and U is given by (9), is an array-based safety problem.
The proof amounts to the inspection of the obtained formulas, to confirm that they are indeed in the required fragment. Theorem 2. Let DIF P = (D, P src , ρ src , P dst , ρ dst ) be an arbitrary instance of the dynamic information flow problem, and ASP = (S, U) the array-based safety problem obtained by translation from DIF P . There is an information flow witness trace for DIF P if and only if ASP is unsafe.
The proof involves constructing, for an information flow witness trace for DIF P , a counterexample (unsafe) trace of the problem ASP , and vice-versa.
Decidability. The dynamic information flow problem is undecidable in general (it is straightforward to model Minsky 2-counter machines [28]), but it is decidable under certain assumptions inherited from the array-based transition systems (see the remark on decidability at the end of Sect. 5.1).

Setup
Back-End Solver. We use MCMT [4] version 2.5.2 to solve array-based safety problems. MCMT is a model checker for array-based systems, based on the SMT solver Yices 1 . We run MCMT with the default settings. The time-out for testing is set to 1000 seconds.
Translation Implementation. We have implemented in C the translation from the extended version of AADL to the input language for MCMT using the parser generator GNU Bison. The input language of MCMT is low level and as such is not suitable for manual modeling of anything but the simplest examples, being instead intended as a target language for automatic generation from specifications written in a higher level language [17]. The translation follows the same outline as its theoretical description in Sect. 5.2, but is more complicated due to the specific features, limitations and idiosyncracies of the target MCMT input language. In particular, the more constraining limitations of MCMT, in addition to the theoretical restrictions on formulas from Sect. 5.1, are: -The initial formula can contain at most two universally quantified variables. is 50. -The unsafe formula can contain at most four existentially quantified variables. -A term can contain at most ten index variables.
Our translator inherits the above restrictions on the formulas specified in the extended AADL model. While these restrictions do not severely limit the expressivity of the language, the limitation on the maximum number of transitions limits the size of the examples that can be handled by the present version of the tool.
Hardware. We have used a desktop PC based on an Intel R Core TM i7 CPU 870 clocked at 2.93GHz, with 8 GB of main memory and running Ubuntu 14.04.5 LTS.
Distribution Tarball. The translator, tested models, scripts which automatically perform the translation from extended AADL to MCMT input language and run MCMT, as well as setup and usage instructions can be found at https:// es.fbk.eu/people/stojic/papers/fm18/.

Benchmarks and Results
In the following diagrams, arrows between (sets of) components represent connections from all components in the source set to all components in the destination set, unless further restricted in the model description. All sets of components are dynamic, allowing addition/removal of components.
Converging Model. This model contains 2n + 1 sets of components a 0 , . . . , a n−1 , b 0 , . . . , b n−1 , c, with the connections shown as black arrows in Fig. 3. There are also connections between all pairs of components in the same set. We test for information flow from the set a n/2 to the set b 0 . The unsafe model in addition contains the connections shown as red arrows. Results for the model are in Fig. 7. We hit the MCMT limitation on the number of transitions (see Sect. 6.1) for n = 7 for the safe model, and for n = 5 for the unsafe model. Number of calls made by MCMT to the underlying SMT solver ranges from 211 (safe, n = 1) to 29907 (safe, n = 6). m 0 models a messenger which is intended to allow components within the same set to communicate; m 0 can connect in turn to any single component in a or in b, but not at the same time. We test for information flow from set a to set b. The system as described is unsafe because m 0 can connect to some a[i], disconnect, and then connect to some b[j], therefore establishing a path for flow of information. The safe model removes such paths by using Boolean parameters to record whether m 0 has previously connected to components in a and b. If it has previously connected to one of these sets, then it is not allowed to connect to the other set before it is scrubbed (which is modeled by removing and re-adding it). For n = 2 (Fig. 4), the system is extended with another set of components c and another messenger m 1 which is shared by b and c, and we check for information flow between a and c. Results are shown in Fig. 5.
Network Model. This is the model whose safe version is specified in Fig. 2, while the highlighted parts are omitted in the unsafe version. Results are shown in Fig. 5.

Sequence
Model. This is a scalable example which models a sequence of n sets of components a 0 , . . . , a n−1 (see Fig. 6 ignoring the dashed loop-back arrow). There is a connection from a x [i] to a y [j] iff (x = y − 1 ∨ x = y) ∧ i < j. We check for information flow from a 0 [0] to a n−1 [n − 2] in the safe version and from a 0 [0] to a n−1 [n − 1] in the unsafe version. The results are shown in Fig. 8. The verification of this model times out for n = 6 (safe) and n = 7 (unsafe). Number of calls to the SMT solver ranges from 116 (unsafe, n = 1) to 60799 (unsafe, n = 6). Ring Model. This model is the same as the Sequence model, but with additional connections from a n−1 [i] to a 0 [j] (dashed loop-back arrow in Fig. 6) which are present only when i < j +n in the safe version (i < j + n + 1 in the unsafe version), and we check for information flow from a 0 [0] to a n−1 [n − 2] in both the safe and unsafe versions. The results are shown in Fig. 9. The verification of this model times out for n = 6 (safe) and n = 5 (unsafe). Number of calls to the SMT solver ranges from 188 (unsafe, n = 1) to 130068 (unsafe, n = 4).

Conclusions and Future Work
We propose a new logic-based specification of dynamic architectures where the architectural topology is represented by a set of parameters, while first-order formulas over such parameters define the sets of initial configurations and reconfigurations. The Dynamic Parametrized Architectures so defined can be translated into array-based transition systems, which are amenable to SMT-based model checking. We provide an initial experimental evaluation of various DPAs proving safe and unsafe cases with the MCMT model checker. The results show that the approach is feasible and promising.
As future work, we aim at trying other SMT-based model checkers such as Cubicle [13] and nuXmv [11]. We will investigate new algorithms that directly exploit the topology of the architecture. We will extend the specification to incorporate component behavior and more complex interactions, as well as more general properties. Finally, we are interested in generating certifying proofs for the safe DPAs, possibly exploiting the existing automatic generation of proofs for array-based transition systems [14].