Security protocols are another promising area for the application of model checking techniques. The increasing amount of confidential information (such as monetary transactions) sent over insecure communication links (such as the internet) requires more and more sophisticated encryption protocols. Like hardware designs, these protocols can have subtle bugs which are difficult to find. It may be possible to use the same exhaustive search techniques as in model checking to verify security protocols. By examining all possible execution traces of the protocol in the presence of a malicious adversary with well defined capabilities, it may be possible to determine if an attack on the protocol could be successful.
Typically, security protocols can be thought of as a set of principals which send
quence of formatted and encrypted messages, the security goals of the protocol can be achieved. For example, if a principal A receives a message encrypted with a key known only by principal B, then principal A should be able to conclude that principal B created the message. However, it would be incorrect to conclude that principal A is talking to principal B. An adversary could be replaying a message overheard during a previous conversation between A and B. If the aim is to keep the message secret, then as long as the adversary does not learn the key, this security property is satisfied. If, however, the aim is to authenticate B to A, then clearly this is not satisfied since the message was not necessarily sent by B.
Since the reasoning behind the correctness of these protocols can be subtle, researchers have tried turning to formal methods to prove protocols correct. In [Burrows, Abadi and Needham 1989], a logic of belief is developed in which one could formally reason about security protocols by stating axioms about the protocol and trying to derive theorems about its security. [Kindred and Wing 1996] added some automation to this process by generating theory checkers for these logics. In [Meadows 1994], a different approach is taken by modelling a security protocol in terms of a set of rewrite rules. These rules capture the way that the adversary can learn new information using encryption and decryption, and by receiving replies to messages sent to participants of the protocol. In [Woo and Lam 1993], the authors propose a model for authentication and provide a number of inference rules that could be used for proving properties in this model. The paper [Mitchell, Mitchell and Stern 1997] investigated the use of Murφ, a previously existing model checker, for verifying security protocols.
A special purpose model checker for authentication protocols could contain two orthogonal components. The first is a state exploration component. Each honest agent can be described by the sequence of actions that it takes during a run of the protocol, and can be viewed as a finite-state machine. A trace of the actions performed by the asynchronous composition of these state machines corresponds to a possible execution of the protocol by the agents. By performing an exhaustive search of the state space of the composition, it can be determined if various security properties are violated.
The second component would be the message derivation engine which is used to model what the adversary is allowed to do. It can be implemented as a simple natural deduction theorem prover for constructing valid messages. The adversary can intercept messages, misdirect messages, and generate new messages using encryption, decryption, concatenation (pairing), and projection. Each time a message is sent, the adversary intercepts the message and adds it to the set of assumptions it can use to derive new messages. Whenever an honest agent receives a message, the message must have been generated by the derivation engine.
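As an added example (not code from the chapter or from any prototype it mentions), the following Python sketches such a derivation engine and replays the A/B scenario from the example above: the adversary's knowledge is closed under projection and decryption with known keys, and a message is accepted only if it can be synthesized from that closure by pairing and encryption. The term representation, the symmetric-key assumption and all concrete names (k_ab, k_i, secret) are constructed for the example.

```python
# Added example, not code from the chapter: a minimal Dolev-Yao style message
# derivation engine of the kind described above, applied to the A/B replay
# scenario. Messages are atoms (str), pairs ("pair", l, r) or symmetric
# encryptions ("enc", body, key); all concrete names are constructed.
from typing import FrozenSet, Tuple, Union

Msg = Union[str, Tuple]  # atom | ("pair", Msg, Msg) | ("enc", Msg, Msg)


def analyze(known: FrozenSet[Msg]) -> FrozenSet[Msg]:
    """Close the adversary's knowledge under projection and decryption.
    Decrypting needs the key, and a key may itself appear only after other
    messages are decomposed, so iterate to a fixpoint."""
    facts = set(known)
    changed = True
    while changed:
        changed = False
        for m in list(facts):
            if isinstance(m, str):
                continue                      # atoms cannot be decomposed
            tag, body, arg = m
            if tag == "pair":
                new = {body, arg}             # projection
            elif tag == "enc" and arg in facts:
                new = {body}                  # decryption with a known key
            else:
                continue
            if not new <= facts:
                facts |= new
                changed = True
    return frozenset(facts)


def derivable(goal: Msg, known: FrozenSet[Msg]) -> bool:
    """Can the adversary build `goal` by pairing/encrypting analyzed facts?
    Any message an honest agent receives must pass this check."""
    facts = analyze(known)

    def synth(t: Msg) -> bool:
        if t in facts:
            return True
        if isinstance(t, str):
            return False                      # unknown atom: cannot be forged
        _, body, arg = t                      # pair: both halves; enc: body and key
        return synth(body) and synth(arg)

    return synth(goal)


# Constructed scenario: in an earlier run B sent A the message {B, secret}_k_ab,
# which the adversary intercepted. Only A and B know k_ab; k_i is the
# adversary's own key.
OVERHEARD = ("enc", ("pair", "B", "secret"), "k_ab")
INTRUDER = frozenset({"A", "B", "k_i", OVERHEARD})


def secrecy_holds() -> bool:
    """Secrecy: without k_ab the adversary cannot derive the plaintext."""
    return not derivable("secret", INTRUDER)


def replay_possible() -> bool:
    """Authentication: the old ciphertext is derivable, so A receiving a message
    that decrypts under k_ab does not prove B is talking to A right now."""
    return derivable(OVERHEARD, INTRUDER)


def secrecy_after_key_leak() -> bool:
    """If some run exposes k_ab, the same trace now yields the secret."""
    return not derivable("secret", INTRUDER | {"k_ab"})
```

In a full checker, `derivable` is the side condition applied to every receive action of an honest agent during the state exploration; the two predicates above are the secrecy and authentication checks evaluated on the resulting traces.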
A first prototypical implementation shows that this framework can be successfully used to analyze threats and exhibit possible attacks in authentication protocols. It is also general enough to handle other kinds of security protocols such as key exchange and electronic commerce. Moreover, combining model checking with other automated deduction techniques could make it possible to verify both the
for a widespread use it is additionally necessary to integrate the model checking approach with other, more well-established security design methods.
Acknowledgments
We would like to thank Wolfgang Heinle for help with initial versions of this chapter, the editor for his patience with us during its preparation, and the referees for many useful comments and suggestions.
Bibliography
Abadi M., Lamport L. and Merz S. [1996], A TLA solution to the RPC-memory specification problem, in M. Broy, S. Merz and K. Spies, eds, `Formal System Specification: The RPC-Memory Specification Case Study', Vol. 1169 of LNCS, Springer, pp. 21–66.
Aceto L., Bergueno A. and Larsen K. [1998], Model checking via reachability testing for timed automata, in B. Steffen, ed., `Proc. 4th Int. Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'98)', Vol. 1384 of LNCS, Springer, Lisbon, pp. 281–297.
Aho A. V., Hopcroft J. E. and Ullman J. D. [1974], The Design and Analysis of Computer Algorithms, Addison-Wesley.
Ajtai M. and Gurevich Y. [1987], `Monotone versus positive', Journal of the ACM 34, 1004–1015.
Alpern B. and Schneider F. [1985], `Defining liveness', Information Processing Letters 21, 181–185.
Alur R. [1991], Techniques for Automatic Verification of Real-Time Systems, PhD thesis, Stanford University.
Alur R. [1998], Timed automata, in `Verification of Digital and Hybrid Systems', NATO ASI Summer School Series, Springer.
Alur R., Brayton R. K., Henzinger T., Qadeer S. and Rajamani S. K. [1997], Partial-order reduction in symbolic state space exploration, in `Proc. 9th Int. Conf. on Computer Aided Verification (CAV'97)', Vol. 1254 of LNCS, Springer, Haifa, Israel, pp. 340–351.
Alur R., Courcoubetis C. and Dill D. [1990], Model-checking for real-time systems, in `Proc. 5th Ann. IEEE Symp. on Logic in Computer Science (LICS'90)', IEEE Comp. Soc. Press, pp. 414–425.
Alur R. and Dill D. [1990], Automata for modelling real-time systems, in `Proc. 17th Int. Conf. on Automata, Languages and Programming (ICALP'90)', Vol. 443 of LNCS, Springer, pp. 322–335.
Alur R. and Henzinger T. A. [1992], Logics and models of real-time: A survey, in `Real-Time: Theory in Practice', LNCS, Springer.
Andersen H. R. [1994], On model checking infinite-state systems, in A. Nerode and Matiyasevich, eds, `Logic at St. Petersburg. Symp. on Logical Foundations of Computer Science (LFCS'94)', Vol. 813 of LNCS, Springer, St. Petersburg, Russia, July 11–14.
Andersen H. R., Stirling C. and Winskel G. [1994], A compositional proof system for the modal μ-calculus, in `Proc. 9th Ann. IEEE Symp. on Logic in Computer Science (LICS'94)', IEEE Computer Society Press, Paris, France, pp. 144–153. BRICS Report RS-94-34.
Anuchitanukul A. [1995], Synthesis of Reactive Programs, PhD thesis, Stanford.
Archer M. and Heitmeyer C. [1996], Mechanical verification of timed automata: A case study, in `IEEE Real-Time Technology and Applications Symp. (RTAS'96)', IEEE Computer Society Press, Boston MA.
Aziz A., Sanwal K., Singhal V. and Brayton R. K. [1996], Verifying continuous Markov chains, in R. Alur and T. Henzinger, eds, `Proc. 8th Workshop on Computer Aided Verification (CAV'96)', Vol. 1102 of LNCS, Springer, pp. 269–276.
Aziz A., Singhal V., Balarin F., Brayton R. K. and Sangiovanni-Vincentelli A. L. [1995], It usually works: the temporal logic of stochastic systems, in P. Wolper, ed., `Proc. 7th Workshop on Computer Aided Verification (CAV'95)', Vol. 939 of LNCS, Springer, pp. 155–166.
Bahar R. I., Frohm E. A., Gaona C. M., Hachtel G. D., Macii E., Pardo A. and Somenzi F. [1993], Algebraic decision diagrams and their applications, in `Proc. Int. Conf. on Computer
Baier C., Clarke E. M., Hartonas-Garmhausen V., Kwiatkowska M. and Ryan M. [1997], Symbolic model checking for probabilistic processes, in `Proc. Int. Conf. on Automata, Languages and Programming (ICALP'97)', Vol. 1256 of LNCS, pp. 430–437.
Ben-Ari M., Manna Z. and Pnueli A. [1983], `The temporal logic of branching time', Acta Informatica 20, 207–226.
Bensalem S., Bouajjani A., Loiseaux C. and Sifakis J. [1992], Property preserving simulations, in G. V. Bochmann and D. K. Probst, eds, `Proc. 4th Int. Conf. on Computer Aided Verification (CAV'92)'.
Berezin S., Clarke E. M., Jha S. and Marrero W. [1996], Model checking algorithms for the μ-calculus, Technical Report CMU-CS-96-180, CMU.
Bermann C. L. [1991], `Circuit width, register allocation and ordered binary decision diagrams', IEEE Trans. on Computer-Aided Design 10(8), 1059–1066.
Bern J., Meinel C. and Slobodová A. [1995], Global rebuilding of BDDs: avoiding the memory requirement maxima, in P. Wolper, ed., `Proc. 7th Workshop on Computer Aided Verification (CAV'95)', Vol. 939 of LNCS, Springer, pp. 4–15.
Bhat G. and Cleaveland R. [1996], Efficient local model checking for fragments of the modal μ-calculus, in T. Margaria and B. Steffen, eds, `Proc. Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96)', Vol. 1055 of LNCS, Springer, pp. 107–126.
Biere A. [1997], Effiziente Modellprüfung des μ-Kalküls mit binären Entscheidungsdiagrammen, PhD thesis, University of Karlsruhe, Germany.
Biere A., Cimatti A., Fujita M. and Zhu Y. [1999], Symbolic model checking using SAT procedures instead of BDDs, in `Proc. 36th ACM/IEEE Design Automation Conference (DAC'99)'.
Biere A., Cimatti A. and Zhu Y. [1999], Symbolic model checking without BDDs, in `Proc. Tools and Algorithms for the Analysis and Construction of Systems (TACAS'99)', Vol. 1579 of LNCS, Springer.
Bjørner N., Browne A., Chang E., Colón M., Kapur A., Manna Z., Sipma H. B. and Uribe T. E. [1995], STeP: The Stanford theorem prover, user's manual, Technical Report STAN-CS-TR-95-1562, Department of Computer Science, Stanford University.
Bjørner N., Browne A., Chang E., Colón M., Kapur A., Manna Z., Sipma H. B. and Uribe T. E. [1996], STeP: Deductive-algorithmic verification of reactive and real-time systems, in `Proc. 8th Workshop Computer Aided Verification (CAV'96)', Vol. 1102 of LNCS, Springer.
Blackburn P., de Rijke M. and Venema Y. [2000], Modal Logic, Elsevier. Draft, 395 pp.
Boigelot B. and Godefroid P. [1996], Symbolic verification of communication protocols with infinite state spaces using QDDs, in R. Alur and T. Henzinger, eds, `Proc. 8th Workshop on Computer Aided Verification (CAV'96)', Vol. 1102 of LNCS, Springer, pp. 1–12.
Borälv A. [1997], The industrial success of verification tools based on Stålmarck's method, in O. Grumberg, ed., `Proc. 9th Workshop on Computer Aided Verification (CAV'97)', Vol. 1254 of LNCS, Springer.
Brace K. S., Rudell R. L. and Bryant R. E. [1990], Efficient implementation of a BDD package, in `Proc. 27th ACM/IEEE Design Automation Conference (DAC'90)', pp. 40–45.
Bradfield J. and Stirling C. [1991], Local model checking for infinite state spaces, in `Proc. 3rd Workshop on Computer Aided Verification (CAV'91)', LNCS, Springer.
Browne M. C. and Clarke E. M. [1986], SML: A high level language for the design and verification of finite state machines, in `IFIP WG 10.2 Int. Working Conf. from HDL Descriptions to Guaranteed Correct Circuit Designs', IFIP, Grenoble, France.
Browne M. C., Clarke E. M. and Dill D. [1985], Checking the correctness of sequential circuits, in `Proc. 1985 Int. IEEE Conf. on Computer Design', IEEE, Port Chester, New York.
Browne M. C., Clarke E. M. and Dill D. [1986], Automatic circuit verification using temporal logic: Two new examples, in `Formal Aspects of VLSI Design', Elsevier Science Publishers.
Browne M. C., Clarke E. M. and Grumberg O. [1988], `Characterizing finite Kripke structures in propositional temporal logic', Theoretical Computer Science 59(1–2), 115–131.
Browne M. C., Clarke E. M. and Grumberg O. [1989], `Reasoning about networks with many identical finite-state processes', Information and Computation 81(1), 13–31.
Browne M., Clarke E. M., Dill D. and Mishra B. [1986], `Automatic verification of sequential circuits using temporal logic', IEEE Trans. on Computers C-35(12), 1035–1044.
Bryant R. E. [1986], `Graph-based algorithms for Boolean function manipulation', IEEE Trans. on Computers C-35(8), 677–691.
Bryant R. E. [1991], `On the complexity of VLSI implementations and graph representations of Boolean functions with application to integer multiplication', IEEE Trans. on Computers 40(2), 205–213.
Bryant R. E. [1992], `Symbolic Boolean manipulation with ordered binary decision diagrams', ACM Computing Surveys 24(3), 293–317.
Büchi J. R. [1962], On a decision method in restricted second order arithmetic, in `Proc. Int. Congr. Logic, Method and Philosophy of Science 1960', Stanford University Press, Palo Alto, CA, USA, pp. 1–12.
Burch J. R., Clarke E. M., Dill D., Long D. E. and McMillan K. L. [1994], `Symbolic model checking for sequential circuit verification', IEEE Trans. on Computer Aided Design of Integrated Circuits 13(4), 401–424.
Burch J. R., Clarke E. M., Grumberg O., Long D. E. and McMillan K. L. [1992], `Automatic verification of sequential circuit designs', Phil. Trans. R. Soc. Lond. A 339, 105–120.
Burch J. R., Clarke E. M. and Long D. E. [1991a], Representing circuits more efficiently in symbolic model checking, in `Proc. 28th ACM/IEEE Design Automation Conference (DAC'91)'.
Burch J. R., Clarke E. M. and Long D. E. [1991b], Symbolic model checking with partitioned transition relations, in A. Halaas and P. B. Denyer, eds, `Proc. Int. Conf. on Very Large Scale Integration (VLSI'91)', Edinburgh, Scotland.
Burch J. R., Clarke E. M., McMillan K. L., Dill D. and Hwang L. J. [1992], `Symbolic model checking: 10^20 states and beyond', Information and Computation 98(2), 142–170. Also in 5th IEEE LICS'90.
Burch J. R., Clarke E. M., McMillan K. L. and Dill D. L. [1990], Sequential circuit verification using symbolic model checking, in `Proc. 27th ACM/IEEE Design Automation Conference (DAC'90)'.
Burgess J. [1984], Basic tense logic, in F. G. D. Gabbay, ed., `Handbook of Philosophical Logic', Reidel, chapter II.2, pp. 89–134.
Burkart O. and Esparza J. [1997], `More infinite results', Electronic Notes in Theoretical Computer Science 6. http://www.elsevier.nl/locate/entcs/volume6.html.
Burrows M., Abadi M. and Needham R. [1989], A logic of authentication, Technical Report 39, DEC Systems Research Center.
Burstall M. [1974], Program proving as hand simulation with a little induction, in `Proc. IFIP Congress, Stockholm', North Holland, pp. 308–312.
Chandra A. and Harel D. [1980], `Computable queries for relational databases', J. of Computer and System Sciences 21, 156–178.
Clarke E. M. and Draghicescu I. A. [1988], Expressibility results for linear time and branching time logics, in `Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency', Vol. 354 of LNCS, Springer, pp. 428–437.
Clarke E. M., Draghicescu I. A. and Kurshan R. P. [1990], A unified approach for showing language containment and equivalence between various types of ω-automata, in A. Arnold and N. D. Jones, eds, `Proc. 15th Coll. on Trees in Algebra and Programming', Vol. 407 of
Clarke E. M. and Emerson E. A. [1981], Synthesis of synchronization skeletons for branching time temporal logic, in `Proc. Workshop on Logic of Programs', Vol. 131 of LNCS, Springer, Yorktown Heights, NY.
Clarke E. M., Emerson E. A. and Sistla A. P. [1986], `Automatic verification of finite-state concurrent systems using temporal logic specifications', ACM Transactions on Programming Languages and Systems 8(2), 244–263.
Clarke E. M., Filkorn T. and Jha S. [1993], Exploiting symmetry in temporal logic model checking, in C. Courcoubetis, ed., `Proc. 5th Workshop on Computer Aided Verification (CAV'93)', Vol. 697 of LNCS, Springer, Elounda, Crete.
Clarke E. M., Fujita M. and Heinle W. [1997], Hybrid spectral transform diagrams, in `Proc. 1st Int. Conf. on Information, Communications and Signal Processing (ICICS'97)'.
Clarke E. M., Fujita M., McGeer P., Yang J. and Zhao X. [1993], Multi-terminal binary decision diagrams: An efficient data structure for matrix representation, in `Proc. Int. Workshop on Logic Synthesis (IWLS'93)', Tahoe City.
Clarke E. M., Fujita M. and Zhao X. [1995], Hybrid decision diagrams: overcoming the limitations of MTBDDs and BMDs, in `Proc. IEEE Int. Conf. on Computer Aided Design (ICCAD'95)', IEEE Computer Society Press, pp. 54–60.
Clarke E. M., Fujita M. and Zhao X. [1996], Multi-terminal binary decision diagrams and hybrid decision diagrams, in T. Sasao and M. Fujita, eds, `Representations of Discrete Functions', Kluwer Academic Publishers, chapter 4, pp. 93–108.
Clarke E. M. and Grumberg O. [1987a], Avoiding the state explosion problem in temporal model checking algorithms, in `Proc. 6th Ann. ACM Symp. on Principles of Distributed Computing', pp. 294–303.
Clarke E. M. and Grumberg O. [1987b], Research on automatic verification of finite-state concurrent systems, Technical Report CMU-CS-87-105, Carnegie Mellon University.
Clarke E. M., Grumberg O. and Browne M. C. [1986], Reasoning about networks with many identical finite-state processes, in `Proc. 5th Ann. ACM Symp. on Principles of Distributed Computing', ACM, pp. 240–248.
Clarke E. M., Grumberg O. and Hamaguchi K. [1997], `Another look at LTL model checking', Formal Methods in System Design 10, 47–71.
Clarke E. M., Grumberg O., Hiraishi H., Jha S., Long D. E., McMillan K. L. and Ness L. A. [1993], Verification of the Futurebus+ cache coherence protocol, in L. Claesen, ed., `Proc. 11th Int. Symp. on Computer Hardware Description Languages and their Applications', North-Holland.
Clarke E. M., Grumberg O. and Jha S. [1995], Parametrized networks, in S. Smolka and I. Lee, eds, `Proc. 6th Int. Conf. on Concurrency Theory (CONCUR'95)', Vol. 962 of LNCS, Springer.
Clarke E. M., Grumberg O. and Long D. E. [1993], Model checking, in M. Broy, ed., `Deductive Program Design', Springer NATO ASI series F, pp. 305–350.
Clarke E. M., Grumberg O. and Long D. E. [1994a], `Model checking and abstraction', ACM Transactions on Programming Languages and Systems 16(5), 1512–1542. Also in 19th ACM POPL'92.
Clarke E. M., Grumberg O. and Long D. E. [1994b], Verification tools for finite-state concurrent systems, in J. W. de Bakker, W. P. de Roever and G. Rozenberg, eds, `A Decade of Concurrency: Reflections and Perspectives', Vol. 803 of LNCS, Springer, pp. 124–175. REX School/Symposium, Noordwijkerhout, The Netherlands, June 1993.
Clarke E. M., Grumberg O., McMillan K. and Zhao X. [1994], Efficient generation of counterexamples and witnesses in symbolic model checking, Technical Report CMU-CS-94-204, Carnegie Mellon University, Pittsburgh.
Clarke E. M., Grumberg O., Minea M. and Peled D. [1999], `State space reductions using partial order techniques', Int. Journal on Software Tools for Technology Transfer. To appear.
Clarke E. M., Jha S., Lu Y. and Minea M. [1997], Equivalence checking using abstract BDDs. Manuscript.
Clarke E. M., Khaira K. and Zhao X. [1993], Word level model checking: a new approach for verifying arithmetic circuits, in `Proc. 30th ACM/IEEE Design Automation Conference (DAC'93)', IEEE Computer Society Press.
Clarke E. M., Kimura S., Long D. E., Michaylov S., Schwab S. A. and Vidal J. P. [1992], Symbolic computation algorithms on shared memory multiprocessors, in N. Suzuki, ed., `Shared Memory Multiprocessing', MIT Press, pp. 53–80.
Clarke E. M., Long D. E. and McMillan K. L. [1989], Compositional model checking, in `Proc. 4th Ann. IEEE Symp. on Logic in Computer Science (LICS'89)', Asilomar, Calif.
Clarke E. M., Long D. E. and McMillan K. L. [1991], `A language for compositional specification and verification of finite state hardware controllers', Proc. IEEE 79(9), 1283–1292.
Clarke E. M., McMillan K. L., Zhao X., Fujita M. and Yang J. [1993], Spectral transforms for large Boolean functions with applications to technology mapping, in `Proc. 30th ACM/IEEE Design Automation Conference (DAC'93)', IEEE Computer Society Press, pp. 54–60.
Clarke E. M. and Mishra B. [1984], Automatic verification of asynchronous circuits, in `Proc. Workshop on Logics of Programs', Vol. 164 of LNCS, Springer, pp. 101–115.
Clarke E. M. and Zhao X. [1994], Combining symbolic computation and theorem proving: some problems of Ramanujan, in A. Bundy, ed., `12th Int. Conf. on Automated Deduction (CADE'94)', Vol. 814 of LNCS, Springer, Nancy, France, pp. 758–763.
Cleaveland R. [1990], `Tableau-based model checking in the propositional μ-calculus', Acta Informatica 27(8), 725–747.
Cleaveland R. and Steffen B. [1993], `A linear-time model-checking algorithm for the alternation-free modal μ-calculus', Formal Methods in System Design 2(2), 121–147.
Courcoubetis C., Vardi M. Y., Wolper P. and Yannakakis M. [1992], `Memory efficient algorithms for the verification of temporal properties', Formal Methods in System Design 1, 275–288.
Courcoubetis C. and Yannakakis M. [1995], `The complexity of probabilistic verification', Journal of the ACM 42(4), 857–907.
Cousot P. and Cousot R. [1977], Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, in `Proc. 4th Ann. ACM Symp. on Principles of Programming Languages (POPL'77)'.
Cousot P. and Cousot R. [1979], Systematic design of program analysis frameworks, in `Proc. 6th Ann. ACM Symp. on Principles of Programming Languages (POPL'79)'.
Dam M. [1994], `CTL* and ECTL* as fragments of the modal μ-calculus', Theoretical Computer Science 126, 77–96.
Dam M. [1995], Compositional proof systems for model checking infinite state processes, in `Proc. 6th Int. Conf. on Concurrency Theory (CONCUR'95)', Vol. 962 of LNCS, Springer, pp. 12–26.
Dams D. [1995], Abstract interpretation and partition refinement for model checking, PhD thesis, Technical University Eindhoven.
Dams D., Grumberg O. and Gerth R. [1994], Abstract interpretation of reactive systems: Abstractions preserving ∀CTL*, ∃CTL* and CTL*, in E.-R. Olderog, ed., `Programming Concepts, Methods and Calculi (PROCOMET'94)', IFIP Transactions, North Holland / Elsevier, Amsterdam, pp. 561–581.
Davey A. A. and Priestley H. A. [1990], Introduction to Lattices and Order, Cambridge Mathematical Textbooks, Cambridge University Press.
Dawar A., Lindell S. and Weinstein S. [1996], First order logic, fixed point logic and linear order, in H. Kleine-Büning, ed., `Proc. Computer Science Logic (CSL'95)', Vol. 1092 of LNCS, Springer, pp. 161–177.
de Roever, W., Langmaack, H. and Pnueli, A., eds [1998], Compositionality: The Significant
Dill D. [1989], Timing assumptions and verification of finite-state concurrent systems, in J. Sifakis, ed., `Proc. Int. Workshop on Automatic Verification Methods for Finite State Systems', Vol. 407 of LNCS, Springer, Grenoble, France, pp. 197–212.
Dill D. L. and Clarke E. M. [1986], `Automatic verification of asynchronous circuits using temporal logic', IEEE Proceedings 133(5).
Dingel J. and Filkorn T. [1995], Model checking for infinite state systems using data abstraction, assumption-commitment style reasoning and theorem proving, in P. Wolper, ed., `Proc. 7th Workshop on Computer Aided Verification (CAV'95)', Vol. 939 of LNCS, Springer, pp. 45–69.
Edelkamp S. and Reffel F. [1998], OBDDs in heuristic search, in O. Herzog and A. Günter, eds, `Proc. KI-98: Advances in Artificial Intelligence', Vol. 1504 of LNCS/LNAI, Springer, pp. 81–92.
Ehrenfeucht A. [1961], `An application of games to the completeness problem for formalized theories', Fund. Math. 49, 129–141.
Emerson E. A. [1985], Automata, tableaux, and temporal logic, in R. Parikh, ed., `Proc. Int. Conf. on Logics of Programs', Vol. 193 of LNCS, Springer, pp. 79–88.
Emerson E. A. [1990], Temporal and modal logic, in J. van Leeuwen, ed., `Handbook of Theoretical Computer Science', Vol. B, Elsevier, pp. 997–1072.
Emerson E. A. and Clarke E. M. [1980], Characterizing correctness properties of parallel programs using fixpoints, in `Proc. 17th Int. Coll. on Automata, Languages and Programming (ICALP'80)', Vol. 85 of LNCS, EATCS, Springer, pp. 169–181.
Emerson E. A. and Clarke E. M. [1982], `Using branching time logic to synthesize synchronization skeletons', Science of Computer Programming 2, 241–266.
Emerson E. A. and Halpern J. Y. [1985], `Decision procedures and expressiveness in the temporal logic of branching time', Journal of Computer and System Sciences 30(1), 1–24.
Emerson E. A. and Halpern J. Y. [1986], `"Sometimes" and "not never" revisited: on branching time vs. linear time', Journal of the ACM 33, 151–178.
Emerson E. A., Jutla C. S. and Sistla A. P. [1993], On model-checking for fragments of μ-calculus, in C. Courcoubetis, ed., `Proc. 5th Workshop on Computer Aided Verification (CAV'93)', Vol. 697 of LNCS, Springer.
Emerson E. A. and Lei C. L. [1985], Modalities for model checking: Branching time strikes back, in `Proc. 12th Symp. on Principles of Programming Languages (POPL'85)', New Orleans, La.
Emerson E. A. and Lei C. L. [1986], Efficient model checking in fragments of the propositional μ-calculus, in `Proc. 1st Symp. on Logic in Computer Science (LICS'86)', Boston, Mass.
Emerson E. A. and Sistla A. P. [1984], `Deciding full branching time logic', Information and Control 61, 175–201.
Emerson E. A. and Sistla A. P. [1993], Symmetry and model checking, in C. Courcoubetis, ed., `Proc. 5th Workshop on Computer Aided Verification (CAV'93)', Vol. 697 of LNCS, Springer, Elounda, Crete.
Enders R., Filkorn T. and Taubner D. [1993], `Generating BDDs for symbolic model checking', Distributed Computing 6, 155–164.
Esparza J. [1994], `Model checking using net unfoldings', Science of Computer Programming 23(2–3), 151–195.
Felt E., York G., Brayton R. and Vincentelli A. S. [1993], Dynamic variable reordering for BDD minimization, in `Proc. European Design Automation Conference (EuroDAC'93)', pp. 130–135.
Fischer M. J. and Ladner R. E. [1979], `Propositional dynamic logic of regular programs', Journal of Computer and System Sciences 18(2), 194–211.
Fitting M. [1983], Proof methods for modal and intuitionistic logics, Reidel, Dordrecht.
Fraïssé R. [1954], Sur quelques classifications des systèmes de relations, Series A 1, Publications