Review of: Model Checking by Edmund

Abstract
The goal of model checking is to determine whether a given property holds in a particular system. For example, we may want to know that a server never sends sensitive data to the wrong client. Model checking has been used effectively in practice for many finite-state systems, including real-time applications, and for some infinite families of finite systems. Theorem proving and testing are other approaches to system verification. A key advantage of model checking over theorem proving is that its verification procedure can be fully automated. Compared with testing, the results from a model checker, as with any formal method, are obviously more conclusive.

There are three main components to model checking: describing the system, stating the property, and verifying that the property holds in the system. The system is typically described by either a finite Kripke structure, M = (S, R, L), or a slightly more general model, M_gen = (S, T, L), where S is a finite set of states, R is a binary relation on states, T is a set of binary relations on states, and L is a function labelling each state with the atomic propositions that hold in it. Often, a subset of S is designated as the set of start states. For simplicity, we require that there is at least one transition out of each state (i.e. ∀s ∈ S ∃s′. (s, s′) ∈ R) and define a path to be an infinite sequence of states s₁, s₂, … in which every pair (sᵢ, sᵢ₊₁) is in R.

In symbolic model checking, the state transition graphs are viewed as boolean formulas and represented using ordered binary decision diagrams (OBDDs), because there are very efficient algorithms to manipulate OBDDs. A binary decision diagram (BDD) is a graph in which each terminal node is associated with a true or false value, and any path from a designated root node to a terminal node corresponds to a set of variable assignments that give the encoded formula the terminal node's value. An OBDD is a BDD in canonical form: all redundant nodes and edges are removed, and the nodes are ordered so that the i-th node on any root-to-leaf path is associated with the same variable of the encoded formula.

The most common logics for expressing system properties are Computation Tree Logic (CTL), Linear Temporal Logic (LTL), CTL*, and the propositional μ-calculus. CTL and LTL are sub-logics of CTL*. Any CTL formula can also be expressed in the propositional μ-calculus. Although more complicated than the others, the propositional μ-calculus is particularly interesting, because
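The abstract's own example, "a server never sends sensitive data to the wrong client", is a safety property of the form AG ¬leak over a Kripke structure. The following is an added worked example, not code from the review or from the book it summarises: it builds M = (S, R, L) explicitly, enforces the totality requirement (every state has a successor), computes EF leak as a least fixpoint of the pre-image operator, derives AG ¬leak as its complement, and, when the property fails, extracts a shortest path prefix from a start state to a leaking state as a counterexample. The toy server model, its state names and the proposition name `leak` are constructed for illustration.

```python
"""Explicit-state checking of AG not-p on a finite Kripke structure.

Added example (not the reviewed book's code). The server model below is
constructed for illustration; state and proposition names are assumptions.
"""
from collections import deque


class Kripke:
    """Finite Kripke structure M = (S, R, L) plus a set I of start states."""

    def __init__(self, states, transitions, labels, initial):
        self.S = set(states)
        self.R = set(transitions)  # set of (s, s') pairs, s' is a successor of s
        self.L = {s: frozenset(labels.get(s, ())) for s in self.S}
        self.I = set(initial)
        self.check_total()

    def check_total(self):
        """Enforce: for all s in S there is s' with (s, s') in R (paths are infinite)."""
        stuck = self.S - {s for s, _ in self.R}
        if stuck:
            raise ValueError(f"states without outgoing transition: {sorted(stuck)}")

    def pre(self, target):
        """States with at least one R-successor inside `target` (the EX operator)."""
        return {s for s, t in self.R if t in target}

    def sat_atom(self, p):
        """States whose label contains atomic proposition p."""
        return {s for s in self.S if p in self.L[s]}

    def sat_EF(self, target):
        """Least fixpoint of Z = target ∪ EX Z: states from which `target` is reachable."""
        reach = set(target)
        while True:
            grown = reach | self.pre(reach)
            if grown == reach:
                return reach
            reach = grown

    def sat_AG_not(self, bad):
        """AG ¬bad holds exactly in the states outside EF bad."""
        return self.S - self.sat_EF(bad)

    def check_AG_not(self, p):
        """Return (holds, counterexample).

        holds is True iff every start state satisfies AG ¬p. Otherwise the
        counterexample is a shortest finite path prefix from a start state to a
        state labelled p, found by breadth-first search over R.
        """
        bad = self.sat_atom(p)
        if self.I <= self.sat_AG_not(bad):
            return True, None
        parent = {s: None for s in self.I}
        queue = deque(self.I)
        while queue:
            s = queue.popleft()
            if s in bad:
                path = []
                while s is not None:
                    path.append(s)
                    s = parent[s]
                return False, path[::-1]
            for u, v in self.R:
                if u == s and v not in parent:
                    parent[v] = s
                    queue.append(v)
        return False, None  # not reached: the fixpoint already proved reachability


# Constructed toy model: a server session that authenticates a client and then
# serves data to the record's owner. `leak` marks a state where data goes to
# another client.
def safe_server():
    return Kripke(
        states=["idle", "authn", "serve_owner"],
        transitions=[("idle", "authn"), ("authn", "idle"),
                     ("authn", "serve_owner"), ("serve_owner", "idle")],
        labels={"serve_owner": {"serving"}},
        initial=["idle"],
    )


def buggy_server():
    # Same model with an extra transition that serves the wrong client.
    return Kripke(
        states=["idle", "authn", "serve_owner", "serve_other"],
        transitions=[("idle", "authn"), ("authn", "idle"),
                     ("authn", "serve_owner"), ("serve_owner", "idle"),
                     ("authn", "serve_other"), ("serve_other", "idle")],
        labels={"serve_owner": {"serving"}, "serve_other": {"serving", "leak"}},
        initial=["idle"],
    )


if __name__ == "__main__":
    for name, m in (("safe", safe_server()), ("buggy", buggy_server())):
        holds, cex = m.check_AG_not("leak")
        print(f"{name}: AG not leak -> {holds}", "" if holds else f"counterexample {cex}")
```

The fixpoint iteration is the explicit-state counterpart of what a symbolic checker does on OBDDs: `pre` computes the set of predecessors of a set, and `sat_EF` repeats it until the set stops growing. Because S is finite the loop terminates, and the complement of that set is exactly where the safety property holds.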
Similar sources
Abstraction and Counterexample-Guided Refinement in Model Checking of Hybrid Systems
Edmund Clarke, Ansgar Fehnker, Zhi Han, Bruce Krogh, Joël Ouaknine, Olaf Stursberg, Michael Theobald. 1 Computer Science Department, Carnegie Mellon University, Pittsburgh, PA 15213, USA; 2 Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213, USA; 3 Process Control Lab, University of Dor...
A short introduction to two approaches in formal verification of security protocols: model checking and theorem proving
In this paper, we briefly review two formal approaches to the verification of security protocols: model checking and theorem proving. Model checking is based on studying the behavior of protocols by generating all different behaviors of a protocol and checking whether the desired goals are satisfied in all instances or not. We investigate Scyther operational semantics as an example of this...
Bounded Model Checking Using Satisfiability Solving
The phrase model checking refers to algorithms for exploring the state space of a transition system to determine if it obeys a specification of its intended behavior. These algorithms can perform exhaustive verification in a highly automatic manner, and, thus, have attracted much interest in industry. Model checking programs are now being commercially marketed. However, model checking has been ...
Automated Abstraction Refinement for Model Checking Large Spaces using SAT based Conflict Analysis
We introduce a SAT based automatic abstraction refinement framework for model checking systems with several thousand state variables in the cone of influence of the specification. The abstract model is constructed by designating a large number of state variables as invisible. In contrast to previous work where invisible variables were treated as free inputs we describe a computationally more ad...