Sat-based Model Checking for Region Automata

For successful software verification, model checkers must be capable of handling a large number of program variables. Traditional, BDD-based model checking is deficient in this regard, but SAT-based model checking, i.e. bounded model checking (BMC), shows some promise. However, unlike traditional model checking, for which time systems have been thoroughly researched, BMC is less capable of modeling timing behavior-an essential task for verifying many types of software. Here we propose a new SAT-based model checker, named xBMC, to solve the reachability problem of real-time systems. In xBMC, we encode the behavior of region automata as Boolean formulas, and efficiently represent region graph via kinds of discrete interpretations. In an experiment using well-developed model checkers to detect collisions in Fischer’s protocol, xBMC outperformed both traditional (Kronos [12], Uppaal [22], and RED [35]) and bounded (SAL [27]) model checkers by being able to verify up to 22 processes, followed by RED with 15 processes. Moreover, to support both property refutation and verification, we also implement a complete inductive algorithm in xBMC to prevent the requirement of reaching an intrinsic threshold, i.e. the number of regions. In another experiment to verify the client authentication protocol of Cornell Single Sign-on Services, xBMC proves the protocol correctness efficiently since a proof is constructed in a rather small inductive steps. We conclude that combing efficient Boolean encoding, inductive methods, and SAT solver’s capability, xBMC provides an effective and practical method for timing behavior verification. a