CTL

1
CTL Verification of web applications
2
Acknowledgement

• Some slides are taken and adapted from various
  presentations by Randal Bryant (CMU), Marsha
  Chechik (Toronto)

3
Background

• Motivation verification of web
  applications.Use of CTL is popular ? another
  variant of temporal logic.
• Model checker for verifying CTL SMV. Based on a
  technique called symbolic model checking.
• In contrast, SPIN model checking is called
  explicit state.
• Well show you how this symbolic MC works, but
  first well take a look at CTL, and the web
  application case study.

4
Overview

• CTL
• CTL vs LTL
• Modeling web applications, and expressing their
  properties using CTL
• Model checking CTL formulas
• Symbolic model checking
• BDD
• Definition
• Reducing BDD
• Operations on BDD

5
CTL

• Stands for Computation Tree Logic
• Consider this Kripke structure (labeling omitted)
  

In LTL, an execution is defined as a sequence
. . .
0
1
2
2
2
M
0
. . .
0
0
0
1
2
2
0
In CTL an execution is viewed as a tree
0
1
1
2
0
1
2
2
. . .
6
Example
login
private

• AG ( login ? EF private )
• A (? private U login)

7
CTL

• Informally, CTL is interpreted over computation
  trees. M ? Ms computation trees
  satisfies ?
• We have path quantifiers
• A ... holds for all path (starting at the
  trees root)
• E ... holds for some path
• Temporal operators
• X ... holds next time
• F ... holds in the future
• G ... always hold
• U until

8
Intuition of CTL operators
AX (all next) ?
EX (exists next) ?
AG ?
EG ?
9
Intuition of CTL operators
AF ?
EF ?
A ? U ?
E ? U ?
10
Syntax
? p // atomic (state) proposition
?? ?1 /\ ?2 EX ? AX ?
E?1 U ?2 A?1 U ?2
11
Derived operators

• ? \/ ? ?(?? /\ ??)
• ? ? ? ?? \/ ?
• EF ? E true U ?
• AF ? A true U ?
• EG ? ? AF ??
• AG ? ? EF ??

12
Semantics

• Let M ( S, s0, R, V ) be a Kripke structure ?
• M,s ? the state s satisfy ?
• M ? M satisfies ?, is defined as M, s0 ?
• A path in M is a sequence of states, like an
  execution, except that we dont have to start on
  s0.

S finite set of states S0 initial state R
S ? 2S transition relationV S ? Prop
observations
13
Semantics

• M,s p p ? V(s)
• M,s ?? not ( M,s ? )
• M,s EX? ( ?t? R s M,t ?
  )
• M,s AX? ( ?t? R s M,t ? )

14
Semantics

• M,s - E ? U ? There is a path ?
  in M, starting in s such that
• For some i?0, M,?i ?
• For all previous j, 0?jlti, M,?j ?
• M,s - A ? U ? For all path ? in M,
  starting in s, these hold

15
LTL vs CTL

• They are not really comparable.
• Some properties can be expressed in both
  AG (x0) (x0) AF (x0)
  ltgt(x0) Ax0 U y0 x0 U y0
• There are CTL properties that cant be expressed
  in LTL, e.g EF (x 0)

Explanation see comment.
x0
?
16
LTL vs CTL

• And there are LTL properties that cannot be
  expressed in CTL, e.g. ltgt (x0)
  E.g. AF AG (x0) does not express the
  property the above Kripke does not satisfy it.

x0
x0
?
17
LTL vs CTL

• Another example ltgt (x0) ? ltgt(y0)
• There are extension like CTL, where we can
  express fairness (actually CTL includes both CTL
  and LTL).

?
Explanation see comment.
y0
x0
18
CTL
We can express all CTL formulas in CTL, but e.g.
this is also possible in CTL A(FG (x0))

• Allows more combinations of path and temporal
  quantifiers.
• A CTL formula is a state formula,
  syntax(State formula) ? p // p is
  atomic proposition ?? ?1 \/ ?2
  E f A f // f is a path
  formula(Path formula) f ?
  ?f f \/ g Xf Ff Gf f1 U f2

19
Back to Web Application

• Model web application as a graph (N,C), where
  N W ? P ? L ? Aeach component is
  disjoint.C N?2N defines the arrows in the
  graph, and such that
• A window can only be connected to pages
• A page can only be connected to links or actions
• A link or an action can only be connected to
  windows
• Called Web Application Graph (WAG)

W set of windows P set of pages L set of
links A set of actions
20
WAG

• Based onA Model Checking-based Method for
  Verifying Web Application Design, Donini et al,
  in Int. Workshop on Web Lang. and Formal Methods
  (WLFM), 2005.
• In their approach, WAG is obtained from UML
  design of the web application.
• Other possibilities
• By crawling a web site
• By analyzing log

21
Example
login
private
22
WAG as Kripke

• See a WAG as a Kripke structure, e.g. each node
  in the WAG is a state in the Kripke structure.
• Label each state with propositions w,p,l,a to
  express whether it is a window, or a page etc.
• Introduce other propositions of interest, e.g.
• login, logout To mark a login/logout action
• private To mark states considered private
• error To mark error page.
• Label the states with these propositions.

23
Now properties like these are well defined

• AG ( login ? EF private )
• A (? private U login)
• AG(logout ? A(? private U login))After
  logging out, it should be possible to log in
  again, and in the meantime no private page should
  be visible...
• Next, how to verify these properties??

24
Model checking CTL formulas

• Consider a Kripke M ( S, s0, R, V )
• We want to verify M ?
• Assume ? is expressed in CTLs (chosen) basic
  operators.
• The verification algorithm works by systematicly
  labelling M with subformulas of ?.
• After the labelling

Whenever we conclude a state s in M satisfies a
(sub-) formula f, we label s with f.
M ? iff s0 is labeled with ?
25
Labeling algorithm

• We perform the labeling inductively, over the
  subformulas of ?.
• Suppose now f is a formula to label next
  inductively we assume that M has been labeled
  with all subformulas of f. Consider now different
  forms of f
• it is an atomic proposition p add p to labels(s)
  if p?V(s).
• it is of the form ?g add ?g to labels(s) if
  g?labels(s).
• it is of the form f1 /\ f2 add f1 /\ f2 to the
  labels(s), if f1?labels(s) and f2 ?labels(s).
• it is of the form EXg add EXg to labels(s) if
  there is one successor state t (so, t ? R s)
  such that g?labels(t).
• it is of the form AXg add AXg to labels(s) if
  g?labels(t), for all successor states t (so, t ?
  R s).
• (next page)

Do this for every state s of M!
26
Labeling algorithm

• it is of the form Ef1 U f2 add Ef1 U f2 to
  labels(s) if f2? labels(s), then do this until
  the labels of every state in M do not
  change add Ef1 U f2 to labels(u) if f1?
  labels(u) and there is one successor state v
  such that Ef1 U f2 ? labels(v).(Will
  terminate, because the sets of labels grow but
  you only have finitely many possible subformulas
  of ? to use as labels).
• it is of the form Af1 U f2 add Af1 U f2 to
  labels(s) if f2? labels(s), then do this until
  the labels of every state in M do not
  change add Af1 U f2 to labels(u) if f1?
  labels(u) and for all successor states v such
  that Af1 U f2 ? labels(v).

27
Example
Formula to check E p U p/\q
E p U p/\q
E p U p/\q
Initial state is labeled with the target formula
so M satisfies the formula.
p /\ q
E p U p/\q
28
Example
Formula to check A p U p/\q
A p U p/\q
At the end, initial state is not labeled with the
target formula so M does not satisfies the
formula.
p /\ q
A p U p/\q
29
Symbolic representation

• You need the full statespace to do the labeling!
• Idea
• Use formulas to encode sets of states (e.g. to
  express the set of states labeled by something)
• A small formula can express a large set of states
  ? suggest a potential of space reduction.

30
Example
E.g. the set of states where q holds is encoded
by the formula x?y Similarly, the set of
states where p holds 0,1,2, can be encoded by
formula ?(xy)
4 states, can be encoded by 2 boolean variables x
and y. St-0 ?x?y St-1 ?xy St-2
x?y St-3 xy
Notation well write xy to implicitly mean x /\ y
31
Example
The transition relation R can be encoded as a
formula too use x and y to express the next
state. This automaton is represented by ?x?y
/\ (?x?y \/ ?xy) \/ ?xy /\ x?y
\/ x?y /\ ?x?y \/ xy /\ (xy \/ x?y
) Well, not a very compact formula, but it can
be simplified
States encoding St-0 ?x?y St-1 ?xy
St-2 x?y St-3 xy
?x(?y?x \/ yx?y) \/ x(?y?x?y \/ yx)
32
Another example
0
1
The transition relation can be encoded by this
(smaller) formula ?(x?y) /\
x?y \/ ?y?xy
2
3
States encoding St-0 ?x?y St-1 ?xy
St-2 x?y St-3 xy
If state?2, next state is 2
If state is either 0 or 2, next state is 1
33
Back to the model checking algorithm

• When we label states with a formula f, we are
  basically calculating the set of states (of M)
  that satisfy f.
• Introduce this notation Wf the set of
  states satisfying f s s?S, M,s
  f
• We now encode Wf as as a boolean formula
• When f is an atomic proposition ? you have seen
  the examples.

34
Labeling

• E.g. the states satisfying EX(p/\q), where p,q
  atomic props, can be encoded by
• E.g. the states satisfying Ep U q can be
  computed by
• Let K0 Wq
• Iteratively compute Kis
• Stop when Ki1 Ki then WEp U q Ki

?x,y R /\ Wp x,y/x,y /\ Wq x,y/x,y
Ki1 Ki \/ ( ?x,y R /\ Wp /\ Ki
x,y/x,y )
35
So

• Recall checking if M ? can be done by
  checking if the initial state satisfies ?.
• Now, checking if a state (of M) satisfies ? can
  be done by checking if the encoding of this state
  makes the formula W? true. E.g. for state 0
  (encoded by xF and yF), check if the value of
  W?F,F/x,y ? true
• Checking one set V is a subset of another W, can
  be done by checking if V ? W is valid.
• Checking if V and W are equal can be done by
  checking if V ? W is valid.

36
Example, EXp
Wp ?(xy) WEXp ?x,y R /\ ?(xy)
look at def. R true
States encoding St-0 ?x?y St-1 ?xy
St-2 x?y St-3 xy
37
Example, EX p U q
K0 Wq x?y K1 K0
\/ (?x,y R /\ Wp /\
K0xy,y/x,y) x?y \/ (?x,y R
/\ ?(xy) /\ x?y)
x?y \/ ?xy K2 Till fix point.
States encoding St-0 ?x?y St-1 ?xy
St-2 x?y St-3 xy
38
So, how to proceed ?

• Ok, so we have adapted the model checking
  algorithm so that now it works symbolically!
• But to make this works, we need a way to
  efficiently check the validity of boolean
  formulas e.g. f ? g
• In general this is an NP-hard problem.
• But there are techniques that perform well in
  limited cases.

39
Canonical representation

• simplest/standard form.
• Here, a canonical representation Cf of a formula
  f is a representation such that
• Gives us a way to check equivalence.
• Only useful if the cost of constructing Cf, Cg
  and checking Cf Cg is cheaper than directly
  checking f ? g.
• Some possibilities
• Truth table ? exponentially large.
• DNF/CNF ? also can be exponentially large.

f ? g iff Cf Cg
40
BDD

• Binary Decision Diagram a compact, and canonical
  representation of a boolean formula.
• Can be constructed and combined efficiently.
• Invented by Bryant"Graph-Based Algorithms for
  Boolean Function Manipulation". Bryant, in IEEE
  Transactions on Computers, C-35(8),1986.

41
(Canonically) Representing a boolean formula
E.g. ?x1 x2 x3 \/ x1 ? x2 x3 \/
x1 x2 x3
Or with a binary decision tree
with truth table

• Each node xi represents a decision
• Blue out-edge from xi ? assigning 1 to xi
• Red out-edge from xi ? assigning 0 to xi
• Function value determined by leaf value.

42
But we can compact the tree
E.g. by merging the duplicate leaves
We can compact this further by merging duplicate
subgraphs
43
Results
Note this is from Bryants paper in 1986. They
use their version of MC at that time, running it
on an DEC VAX 11/780, with about 1 MIP speed ?
44
Definitions

• A boolean formula (proposition logic formula)
  e.g. x . y \/ z can be seen as a function
  In Bryants paper this is called a boolean
  function.
• As you have seen, we can represent a boolean
  function with a BDD but we will also impose a
  fix ordering in which variables can occur in
  the BDD
• This is called ordered BDD (OBDD)
• The chosen order influences the size of the BDD!
• For simplicity, in this presentation well
  typically just assume a lexicographic ordering.

f(x,y,z) x.y \/ z
45
Effect of ordering
Consider
xyz \/ ?yz
Order y,z,z
Order x,y,z
This means that in any path ? in the BDD, from
the root to a leaf, a node x may before y in ?,
iff this allowed by the given (pre-defined)
ordering. Furthermore, note that the above two
graphs are already minimum (they cant be reduced
any further).
46
The difference can be huge
consider a1b1 \/ a2b2 \/ a3b3
Here red for value 1, green for 0.
47
Definition
var(v)

• An (ordered) BDD is a directed acyclic graph,
  with a single root, such that
• Each leaf v is labeled by 0 or 1 this label is
  denoted by label(v).
• Each non-leaf node v is labeled by a variable
  var(v) has two successors
• low(v) ? pointed to by the red edge
• high(v) ? pointed to by the blue edge
• Well keep the arrow-heads implicit.

value(v)
the high(v) of the root v
the low (v) of the root v
48
Definition

• Introduce index(v) to express the order in which
  the variable in v appears in the given
  variable-ordering.E.g. when we impose the
  ordering y,z,x the value of index(v) are shown.
• Furthermore, if low(v) is non-leaf then index
  v lt index(low(v)
• The same with high(v).

0
1
1
2
49
Definition

• The boolean function induced by a BDD B with root
  r is fr(x1,,xn), where fv is defined recursively
  as follows
• If a is a leaf fv(x1,,xn) value(a)
• Else, let var(v) xi, then fv(x1,,xn)
  ?xi . flow(v)(x1,,xn) \/ xi .
  fhigh(v)(x1,,xn)

50
Reducing BDD

• A BDD may not be optimal ? we may be able to
  compact (to reduce) it.
• When a BDD has been reduced maximally, it is
  canonical

Every boolean formula (boolean function) has a
canonical representation in the form of a
maximally reduced BDD.
51
Reducing BDD
By sharing leaves
52
Reducing BDD
x
y
y
By sharing duplicate subgraphs
z
z
z
z
x
1
0
y
y
z
z
z
z
z
1
0
0
1
53
Reducing BDD
Implying that along this path, the value of y
does not matter so we can just as well remove
it from the graph.
x
y
z
0
1
54
The reduction algorithm

• First label each node with a unique id for a
  node v, id(v) will denote this id-label remember
  this initial labelling.
• We perform the reduction by first re-assign the
  ids-labeling. Through out the procedure, we will
  maintain this invariant
• We do this re-labeling inductively
• At leaves, re-arrange their ids such that for any
  two leaves a and b, id(a)id(b) iff value(a)
  value(b).? will keep the above invariant.

id(u) id(v) iff fu fv
55
The reduction algorithm

• Now suppose we have done the id re-labeling for
  all non-leaves w with index(w)gti. Suppose
  index(v)i we re-label v as follows
• If id(low(v)) id(high(v)) suppose
  var(v) xthen v is redundant! So,
  set id(v) to id(low(v)).

fv ?x flow(v) \/ x f high(v)
?x flow(v) \/ x f low(v) // by
inv flow(v)
56
The reduction algorithm

• (Continued, the inductive case)
• If there is another non-leaf u, such that 1.
  var(u) var(v) suppose this is x 2.
  id(low(u)) id(low(v)) 3. id(high(u))
  id(high(v))So, we can replace v with u
  we encode this by setting id(u) to id(v).

fv ?x flow(v) \/ x f high(v)
?x flow(u) \/ x f high(u) // by
inv fu
57
Example
Initial labeling
After labeling, it could be
Inducing this graph
Well do this example by hand.
58
Building a BDD

• So far we can reduce a BDD.
• Recall in CTL model checking, e.g. to the set of
  states satisfying EX p is calculated by
  constructing this formulaSince formulas are
  now represented as BDDs, this implies the need to
  combine BDDs.
• The combinators should be efficient!

?x,y R /\ Wp x,y/x,y /\ Wq x,y/x,y
59
Basic operations to combine BDDs

• Apply f1 ltopgt f2
• Restrict f xb
• Compose f1 xf2
• Satisfy-one Return a single combination of
  the variables of f that would make it true, else
  return nothing.

60
Restriction

• f(x,y,z) yc the function f where y is
  fixed to the constant c. Now, how to construct
  the BDD of the new function?? Well f(x,y,z)
  y0 ? replace all y nodes by left
  sub-tree f(x,y,z) y1 ? replace all y
  nodes by right sub-tree

x
Example f (x,y.z) xyz \/ ?yz So,
f(x,y,z) y0 z
z
z
0
1
Reduced version.
0
1
After replacing y
61
Restriction

• With restriction we can encodes boolean
  quantifications (?y f(x,y) )
  f(x,y) y0 \/ f(x,y) y1 (?y
  f(x,y) ) ? (? y ? f(x,y))(Recall that
  we need this in the MC algorithm).

62
Apply

• Apply, denoted by f ltopgt g , means the boolean
  function obtained by applying op to f and
  g.E.g. assuming they take x,y as parameters, f
  ltandgt g means the function that maps x,y to
  f(x,y) /\ g(x,y).
• A single algorithm to implement /\, \/, xor
• We can even implement ?f , namely as f ltxorgt
  1
• We can also use apply to check implication
  

f ? g is valid iff f ltandgt ?g is
unsatisfiable.
63
Apply

• So, given the BDDs of f and g, how to construct
  the BDD of f ltopgt g ?
• There is this Shannon expansion
• This tells us how to implement apply
  recursively !Detail, see paper.

f ltopgt g ?x . (f x0 ltopgt g x0 ) \/
x . ( f x1 ltopgt g x1 )
64
Example
f(x,y,z) xyz \/ ?yz
g(y,z) ?yz
Now, construct the BDD of h(x,y,z) f(z,y,z)
/\ g(y,z) (we should end up with a BDD of ?yz)
65
Example
u1
v1
u2
v2
u3
Well do this by hand.
u4
v3
u5
v4
We name the nodes, just so that we can refer to
them.
f ltandgt g ?x . (f x0 ltandgt g x0 )
\/ x . ( f x1 ltandgt g x1 )
66
Notice this resulting sequence of recursion
u1
apply(u1,v1)
v1
u2
apply(u3,v1)
apply(u2,v1)
u3
apply(u5,v3)
v2
apply(u4,v3)
v3
apply(u3,v2)
u4
u5
v4
apply(u3,v2)
apply(u5,v4)
apply(u5,v4)
apply(u4,v3)
Repeated call in recursion! To avoid this,
maintain a table to keep track of already
computed results.
apply(u4,v3)
67
And substitution

• Recall in CTL model checking, e.g. to the set of
  states satisfying EX p is calculated by
  constructing this formulaSo, how to we
  construct the BDD representing e.g. fx,y/x,y
  ?
• Just replace x,y in the BDD with x,y, assuming
  this does not violate the BDDs ordering
  constraint (e.g. if xlty but xgty).

?x,y R /\ Wp x,y/x,y /\ Wq x,y/x,y
68
The cost of various operations

• Reduce f O(GlogG)where G is the graph
  of fs BDD.
• Apply f1 ltopgt f2 O(G1G2)
• Restrict f xb O(GlogG)
• Compose f1 xf2 O(G12G2)
• Satisfy-one O(n)n is the number of
  parameters in the target boolean function.