Abstract
We extend Alternation-Free Least Fixed Point Logic to be based on Belnap logic, while maintaining the close correspondence between static analysis and model checking pioneered by Bernhard Steffen, and opening up for handling access control policies central to the construction of secure IT systems.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Arieli, O., Avron, A.: The value of the four values. Artif. Intell. 102(1), 97–141 (1998)
Bruns, G., Godefroid, P.: Model checking partial state spaces with 3-valued temporal logics. In: Halbwachs, N., Peled, D. (eds.) CAV 1999. LNCS, vol. 1633, pp. 274–287. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48683-6_25
Bruns, G., Godefroid, P.: Generalized model checking: reasoning about partial state spaces. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, pp. 168–182. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44618-4_14
Bruns, G., Huth, M.: Access-control policies via Belnap logic: effective and efficient composition and analysis. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium, pp. 163–176. IEEE Computer Society (2008)
Bruns, G., Huth, M.: Access control via Belnap logic: intuitive, expressive, and analyzable policy composition. ACM Trans. Inf. Syst. Secur. 14(1):9:1–9:27 (2011)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 1977), pp. 238–252. ACM (1977)
Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Conference Record of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 1979), pp. 269–282. ACM (1979)
Cousot, P., Cousot, R.: Refining model checking by abstract interpretation. Autom. Softw. Eng. 6(1), 69–95 (1999)
Fitting, M.: Kleene’s three valued logics and their children. Fundam. Inform. 20(1/2/3), 113–131 (1994)
Godefroid, P., Huth, M., Jagadeesan, R.: Abstraction-based model checking using modal transition systems. In: Larsen, K.G., Nielsen, M. (eds.) CONCUR 2001. LNCS, vol. 2154, pp. 426–440. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44685-0_29
Godefroid, P., Jagadeesan, R.: Automatic abstraction using generalized model checking. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 137–151. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45657-0_11
Godefroid, P., Jagadeesan, R.: On the expressiveness of 3-valued models. In: Zuck, L.D., Attie, P.C., Cortesi, A., Mukhopadhyay, S. (eds.) VMCAI 2003. LNCS, vol. 2575, pp. 206–222. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36384-X_18
Hankin, C., Nielson, F., Nielson, H.R.: Advice from Belnap policies. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, pp. 234–247. IEEE Computer Society (2009)
Huth, M., Jagadeesan, R., Schmidt, D.: Modal transition systems: a foundation for three-valued program analysis. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 155–169. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45309-1_11
Knoop, J., Rüthing, O., Steffen, B.: Lazy code motion. In: Proceedings of the ACM SIGPLAN’92 Conference on Programming Language Design and Implementation (PLDI), pp. 224–234. ACM (1992)
Larsen, K.G.: Modal specifications. In: Proceedings of the International Workshop on Automatic Verification Methods for Finite State Systems, Grenoble, France, pp. 232–246 (1989)
Larsen, K.G., Thomsen, B.: A modal process logic. In: Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS 1988), pp. 203–210. IEEE Computer Society (1988)
Nielson, F., Nanz, S., Nielson, H.R.: Modal abstractions of concurrent behavior. ACM Trans. Comput. Log. 12(3), 18:1–18:40 (2011)
Nielson, F., Nielson, H.R.: Model checking Is static analysis of modal logic. In: Ong, L. (ed.) FoSSaCS 2010. LNCS, vol. 6014, pp. 191–205. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12032-9_14
Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-662-03811-6
Nielson, F., Nielson, H.R., Sagiv, S.: Kleene’s logic with equality. Inf. Process. Lett. 80(3), 131–137 (2001)
Nielson, F., Nielson, H.R., Seidl, H.: Cryptographic analysis in cubic time. Electr. Notes Theor. Comput. Sci. 62, 7–23 (2001)
Nielson, F., Seidl, H., Nielson, H.R.: A succinct solver for ALFP. Nord. J. Comput. 9(4), 335–372 (2002)
Nielson, H.R., Nielson, F.: Flow logic: a multi-paradigmatic approach to static analysis. In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 223–244. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36377-7_11
Nielson, H.R., Nielson, F., Buchholtz, M.: Security for mobility. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2001. LNCS, vol. 2946, pp. 207–265. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24631-2_6
Nielson, H.R., Nielson, F., Pilegaard, H.: Flow logic for process calculi. ACM Comput. Surv. 44(1), 3:1–3:39 (2012)
Ramli, C.D.P.K., Nielson, H.R., Nielson, F.: The logic of XACML. Sci. Comput. Program. 83, 80–105 (2014)
Sagiv, S., Reps, T.W., Wilhelm, R.: Parametric shape analysis via 3-valued logic. In: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1999, pp. 105–118. ACM (1999)
Schmidt, D., Steffen, B.: Program analysis as model checking of abstract interpretations. In: Levi, G. (ed.) SAS 1998. LNCS, vol. 1503, pp. 351–380. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49727-7_22
Shoham, S., Grumberg, O.: A game-based framework for CTL counter examples and 3-valued abstraction-refinement. ACM Trans. Comput. Log. 9(1), 1 (2007)
Steffen, B.: Data flow analysis as model checking. In: Ito, T., Meyer, A.R. (eds.) TACS 1991. LNCS, vol. 526, pp. 346–364. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-54415-1_54
Steffen, B., Knoop, J.: Finite constants: characterizations of a new decidable set of constants. In: Kreczmar, A., Mirkowska, G. (eds.) MFCS 1989. LNCS, vol. 379, pp. 481–491. Springer, Heidelberg (1989). https://doi.org/10.1007/3-540-51486-4_94
Steffen, B., Knoop, J., Rüthing, O.: The value flow graph: a program representation for optimal program transformations. In: Jones, N. (ed.) ESOP 1990. LNCS, vol. 432, pp. 389–405. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-52592-0_76
Steffen, B., Knoop, J., Rüthing, O.: Efficient code motion and an adaption to strength reduction. In: Proceedings of the International Joint Conference on Theory and Practice of Software Development, Volume 2, TAPSOFT 1991. LNCS, vol. 494, pp. 394–415. Springer (1991)
Zhang, F.: Model checking as static analysis. Ph.D. thesis, The Technical University of Denmark (DTU) (2012). Supervised by Flemming Nielson and Hanne Riis Nielson
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Proofs of Key Facts
Proof of Fact 1. There is an easy graphical proof of the interesting cases. First observe that the Hasse diagram for \(\Rightarrow \) in Fig. 1 is obtained from the Hasse diagram for \(\leadsto \) by rotating it 90\(^\circ \) clockwise. Next observe that in the Hasse diagram for \(\Rightarrow \) the operator \(\otimes \) ‘moves to the left’ whereas the operator \(\oplus \) ‘moves to the right’. Similarly observe that the Hasse diagram for \(\leadsto \) in Fig. 1 is obtained from the Hasse diagram for \(\Rightarrow \) by rotating it 90\(^\circ \) anti-clockwise. Next observe that in the Hasse diagram for \(\leadsto \) the operator \(\wedge \) ‘moves to the right’ whereas the operator \(\vee \) ‘moves to the left’.
Proof of Fact 3. The interesting cases are when \(op_i\in \{\otimes ,\oplus \}\) and \(op_{3-i}\in \{\wedge ,\vee \}\) (for \(i\in \{1,2\}\)) as the other cases follow since \((\mathsf{Four},\leadsto )\) and \((\mathsf{Four},\Rightarrow )\) are distributive lattices. It is straightforward to validate the remaining eight interesting cases.
Proof of Fact 4. There is an easy graphical proof of these laws. For the first two we observe that negation (\(\lnot \)) is also the dualisation operator on \((\mathsf{Four},\Rightarrow )\) where \(\wedge \) is greatest lower bound and \(\vee \) is least upper bound. For the next two observe that negation (\(\lnot \)) works ‘sideways’ on \((\mathsf{Four},\leadsto )\). The remaining four laws are analogous.
Proof of Fact 7. We first show the equation \((f_1 > f_2) = f_1\oplus (f_2\otimes {\sim }(f_1\oplus (\lnot f_1)))\) by considering two cases for the value of \(f_1\). If \(f_1=\bot \) we note that \((f_1\oplus (\lnot f_1))=\bot \) and hence that \( f_1\oplus (f_2\otimes {\sim }(f_1\oplus (\lnot f_1))) = \bot \oplus (f_2 \otimes \top ) = f_2 \) as desired. If \(f_1\ne \bot \) we note that \((f_1\oplus (\lnot f_1))=\top \) and hence that \( f_1\oplus (f_2\otimes {\sim }(f_1\oplus (\lnot f_1))) = f_1\oplus (f_2 \otimes \bot ) = f_1 \) as desired.
For the general result, it follows from [1, Proposition 17] that all multi-argument functions over Four are expressible in terms of \(\lnot \), \(\oplus \), \(\bot \) and \(\supset \) defined by
Define \(S[f] = (f\wedge \top )\otimes (\lnot (f\wedge \top ))\) and note that
so that is suffices to verify that \( (f_1 \supset f_2) = (f_2\otimes ( S[f_1] ))\oplus ( \mathsf{t}\otimes ( {\sim }S[f_1] )) \).
B Least Fixed Point CTL Suffices for CTL
We need to show that the following CTL operators can be defined using the least fixed point fragment of CTL: \(\mathbf A [\phi _{1} \mathbf U \phi _{2}]\), \(\mathbf{EF }\phi \), \(\mathbf{AG }\phi \) and \(\mathbf{EG }\phi \). This is standard in the two-valued setting but also holds in our setting as expressed by the following facts (where we dispense with the proofs). We begin with two facts on path formulas.
Fact 8
For any M and \(\pi \), \([(M,\pi ) \models ^{} \mathbf F \phi ]=[(M,\pi ) \models ^{} \mathbf{true }{} \mathbf U \phi ]\).
Fact 9
For any M and \(\pi \), \([(M,\pi ) \models ^{} \mathbf G \phi ]=\lnot [(M,\pi ) \models ^{} \mathbf F \lnot \phi ]\).
We continue with four facts on state formulas. (One may check that we have the equivalence \(\mathbf{AX }\phi \equiv \lnot \mathbf{EX }\lnot \phi \) but the explicit presence of \(\mathbf{AX }\) in least fixed point CTL is helpful for our development.)
Fact 10
The equivalence \(\mathbf{EF }\phi \equiv \mathbf E [\mathbf{true }{} \mathbf U \phi ]\) holds in three-valued CTL.
Fact 11
The equivalence \(\mathbf{EG }\phi \equiv \lnot \mathbf{AF }\lnot \phi \) holds in three-valued CTL.
Fact 12
The equivalence \(\mathbf{AG }\phi \equiv \lnot \mathbf{EF }\lnot \phi \) holds in three-valued CTL.
Fact 13
The equivalence \(\mathbf A [\phi _{1}{} \mathbf U \phi _{2}]\equiv \lnot \mathbf E [\lnot \phi _{2}{} \mathbf U (\lnot \phi _{1}\wedge \lnot \phi _{2})]\wedge \mathbf{AF }\phi _{2}\) holds in three-valued CTL.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Nielson, F., Nielson, H.R., Zhang, F. (2019). Multi-valued Logic for Static Analysis and Model Checking. In: Margaria, T., Graf, S., Larsen, K. (eds) Models, Mindsets, Meta: The What, the How, and the Why Not?. Lecture Notes in Computer Science(), vol 11200. Springer, Cham. https://doi.org/10.1007/978-3-030-22348-9_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-22348-9_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22347-2
Online ISBN: 978-3-030-22348-9
eBook Packages: Computer ScienceComputer Science (R0)