A Scheme to Verify Services with Unboundedly many Clients using NuSMV

by   S Sheerazuddin, et al.

We study model checking of client - server systems, where the servers offer several types of services that may depend, at any time, on how many clients of specific types are active at that time. Since there are unboundedly many clients, the state space of such systems is infinite, rendering specification and verification hard. This problem can be circumvented by using a specification language which has monadic first-order (MFO) sentences closed with standard temporal modalities. The MFO sentences throw up a bound which can, in turn, be used to bound the state space of the input client - server system, thereby making the verification problem decidable. This scheme is implemented using the NuSMV tool.


page 1

page 2

page 3

page 4


Bounded Model Checking for Unbounded Client Server Systems

Bounded model checking (BMC) is an efficient formal verification techniq...

An authentication protocol based on chaos and zero knowledge proof

Port Knocking is a method for authenticating clients through a closed st...

NLP Service APIs and Models for Efficient Registration of New Clients

State-of-the-art NLP inference uses enormous neural architectures and mo...

Secure Client and Server Geolocation Over the Internet

In this article, we provide a summary of recent efforts towards achievin...

From C to Interaction Trees: Specifying, Verifying, and Testing a Networked Server

We present the first formal verification of a networked server implement...

Revisiting Comparative Performance of DNS Resolvers in the IPv6 and ECS Era

This paper revisits the issue of the performance of DNS resolution servi...

Data Analysis: Communicating with Offshore Vendors using Instant Messaging Services

The purpose of this study is to find whether the choice of correct analy...

1 Introduction

An important abstraction in the study of distributed systems is that of client - server systems [1]. Rather than consider the system as a flat parallel composition of processes, we study a hierarchy of server and clients: the latter send requests to the server and wait for response. Such a model is common in the analysis of web services ([2]).

Of particular interest in this context are systems where the number of active clients may be unbounded at any point of time. These are systems where the number of active processes at any system state is not known at design time but decided only at run time. Though at any point of time, only finitely many agents may be participating, there is no uniform bound on the number of agents. Design and verification of such systems is becoming increasingly important in distributed computing, especially is the context of web services. Well known examples of such services include Loan handling and Travel agency Web Services[3].

For example, a loan agency may handle clients of different types depending on the quantum of loans they seek. How much is granted may well depend on the number of active clients of different types. In the case of a travel agency, making bookings for one client may be very different from several of these clients together.

Since services handling unknown clients need to make decisions based upon request patterns that are not pre-decided, they need to conform to specific service policies that are articulated at design time. Due to concurrency and unbounded state information, the design and implementation of such services becomes complex and hence subject to logical flaws. Thus, there is a need for formal methods in specifying service policies and verifying that systems implement them correctly.

Model checking ([4]) is an important technique in this regard, whereby the system to be checked is modeled as a finite state system, and properties to be verified are expressed as constraints on the possible computations of the model. This facilitates algorithmic tools to be employed in verifying that the model is indeed correct with respect to those properties. When we find violations, we re-examine the finite-state abstraction, leading to a finer model, perhaps also refine the specifications and repeat the process. Finding good finite state abstractions forms an important part of the approach.

Modeling systems with unboundedly many clients is fraught with difficulties. Since we have no bound on the number of active processes, the state space is infinite. A finite state abstraction may not suffice since service policies may involve counting the number of active clients.

We propose a model for such systems with passive clients where clients simply send a request and wait for an answer and do not interact with the server between the send and receive. The passive client systems are modeled as state transition systems which identify clients only by the types of service (fixed a priori) that they are associated with. Thus, transitions over an alphabet of send-requests and receive-answers of different types suffice. The situation is more complex for systems with active clients, called session-oriented services in the literature [5].

Propositional temporal logics, for e.g., [6], have been extensively used for specifying safety and liveness requirements of reactive systems. Backed by a set of tools with theorem proving [7] and model checking [8] capabilities, temporal logic is a natural candidate for specifying service policies. In the context of Web Services, they have been extended with mechanisms for specifying message exchange between agents. There are several candidate temporal logics for message passing systems, for e.g., -LTL [9], but these work with a priori fixed number of agents, and for any message, the identity of the sender and the receiver are fixed at design time. We need to extend such logics with means for referring to agents in some more abstract manner (than by name).

A natural and direct approach to refer to unknown clients is to use logical variables: rather than work with atomic propositions , we use monadic predicates to refer to property being true of client . We can then quantify over such existentially and universally to specify policies relating clients. We are thus naturally led to the realm of Monadic First Order Temporal Logics ()[10]. It is easily seen that is expressive enough to frame almost every requirement specification of client - server systems of the kind discussed above. Unfortunately is undecidable [11], and we need to limit the expressiveness to have a decidable verification problem.

Decidable fragments of are very few; the one-variable fragment [12], [13] and the monodic fragment [11] are the only nontrivial ones in the literature. The decidability results from the fact that there is at most one free variable in the scope of temporal modalities. The “packed” monodic fragment with equality is decidable as well ([14]). [15] offers similar results for restricted branching time logics with first-order extensions. [16] and [17] extend these techniques for first-order temporal epistemic logics. However, the techniques developed are not automata theoretic, and hence better suited to studying axiom systems and satisfiability, rather than model checking.

We propose a fragment of monadic temporal logic, named Monadic First-order Sentential Temporal Logic (), for which satisfiability and model checking are decidable. This language is weak in expressive power but reasoning in such a logic is already sufficient to express a broad range of service policies in systems with unboundedly many active clients.

The current paper is a revised version of [18] where this class of systems was introduced and the logic and its satisfiability was studied. In this paper, we provide a practical scheme to implement specification and verification of such client - server systems using NuSMV.

The work closest to ours is that of LeeTL [19] and Graded-CTL [20]. Graded-CTL is a strict extension of CTL with graded quantifiers and that can be used to reason about at least or all but possible behaviours in a system. This can, in turn, be used to generate multiple counterexamples in one run of the model checker. The model checking problem for this logic is solved [21] by extending the NuSMV tool to accept specifications in graded-CTL.

LeeTL is an extension of LTL that is used to specify properties of object-based systems with dynamic object creation. The formulas in LeeTL can be encoded into an extension of Büchi automata. This enables adaptation of standard LTL model checking algorithm for model checking LeeTL formulas.

In our case, the logic is expressively equivalent to LTL and the model checking problem is solved by implementing a layer over NuSMV which accepts specification in and encodes it into LTL. The model for system is also considerably different from standard Kripke structures, with its semantics given by multi-counter automata, and has to be encoded into SMV format, by transforming it into a finite-state system using a bound computed from the specification.

The paper is structured as follows. First, we describe a system model for server with passive clientele called Service for Passive clientS (). Thereafter, we propose a logic to specify the peoperties of -like systems, namely Monadic First-order Sentential Temporal Logic(). We then study model checking of against using NuSMV in the penultimate section. We conclude the paper with a brief discussion on possible future work.

2 A Model for Client - Server Systems

In this section we describe an automaton model for client - server systems that admits unbounded number of agents. We consider the simpler case where the clients send requests to the server and wait for the response (either yes or no). The challenge here is twofold: to give a finite (and simple) description of an inherently infinite-state system–owing to a lack of bound on the number of clients and to constrain the model so that it allows decidable reasoning, in particular, reachability should be decidable in such a model. This model was first described in [18].

Fix , a countable set of client names. In general, this set would be recursively generated using a naming scheme, for instance using sequence numbers and time-stamps generated by processes. We choose to ignore this structure for the sake of technical simplicity. We will use etc. with or without subscripts to denote elements of .

Fix , a finite service alphabet. We use etc. to denote elements of , and they are thought of as types of services provided by a server. This means that when two clients ask for a service of the same type, given by an element of it can tell them apart only by their name. We could in fact then insist that server’s behaviour be identical towards both, but we do not make such an assumption, to allow for generality.

We will assume a map that partitions into disjoint sets of service types. For , let which is also assumed to be countable with a pre-defined order. (This is so that we never run out of client names for any type.) For the rest of the paper we fix a triple for the discourse and discuss a class of systems and specifications over this alphabet.

An extended alphabet is a set . These refer to requests for such service and answers to such requests, as well as the “silent” internal action .

We define below systems of services that handle passive clientele. Servers are modeled as state transition systems which identify clients only by the type of service they are associated with. Thus, transitions are associated with client types rather than client names.

Definition 2.1

A Service for Passive Clients (SPS) is a tuple where is a finite set of states, is a server transition relation and is the set of initial states.

Note that an is a finite state description. A transition of the form refers implicitly to a new client of type rather than to any specific client name. The meaning of this is provided in the run generation mechanism described below.

A configuration of an is a pair where and is a finite subset of . Thus a configuration specifies the control state of the server, as well as the finite set of active clients at that configuration.

Let denote the set of all configurations of ; note that it is this infinite configuration space that is navigated by runs of , defined below. A configuration is said to be initial if and .

We can extend the transition relation to configurations as follows: iff and the following conditions hold:

  • when , ;

  • when , , where is the least element of ;

  • when , , and where is the least in the enumeration of .

A run of an on is a sequence of configurations , where is initial, and for all , . Let denote the set of all runs of .

Let be a run as defined above; is said to be accepting if where . (Often we may wish to consider final configurations to be ones in which , the set of active agents, is empty. We do not impose this constraint here for the sake of generality.) We define the language accepted by as: there exists an accepting run of on .

Note that runs have considerable structure. For instance, the configuration space can have an infinite path generated by a self-loop of the form in which corresponds to an unbounded sequence of service requests of a particular type. By studying only finite runs, we miss some interesting properties but since runs include counter behaviour, we already have plenty of complexity in the system.

2.1 Algorithms on

We can view as automaton models for servers with unbounded clients. Indeed, when we have client types, such systems correspond to -counter automata without zero-tests

. These automata, long studied as Vector addition systems with states, and as Petri Nets, have a rich automata theory. Briefly, every request of type

corresponds to incrementing a counter of that type, every answer corresponds to a decrement, and the system gets stuck when it attempts to answer a non-existent request. Such a correspondence with multi-counter automata is fortunate: this means that we can simply borrow results from classical automata theory. Therefore, though the configuration space of an is infinite, reachability is decidable, according to the celebrated theorem proved independently by Mayr and Kosaraju. We state the following theorem without proof, and refer the reader to [22], [23], [24].

Theorem 2.2

The class of languages recognized by are closed under union and intersection but not under complementation. Given an , checking whether it accepts a non-empty language is decidable.

3 Monadic First-order Sentential Temporal Logic

We now describe a logical language to specify and verify SPS-like systems. This logic was first presented in [18]. Such a language has two mutually exclusive dimensions. One, captured by fragment, talking about the plurality of clients asking for a variety of services. The other, captured by fragment, talks about the temporal variations of services being rendered. Furthermore, the fragment has to be multi-sorted to cover the multiplicity of service types. Keeping these issues in mind, we frame a logical language, which we call Monadic First-order Sentential Temporal Logic (), a combination of and multi-sorted . In the case of , atomic formulae are propositional constants which have no further structure. In , there are two kind of atomic formulae, basic server properties from , and -sentences over client properties . Consequently, these formulae are interpreted over sequences of -structures juxtaposed with -models.

At the outset, we fix , a finite set of client types. The set of client formulae are defined over a countable set of atomic client predicates , which are composed of disjoint predicates of type , for each . Also, let be a countable supply of variable symbols and be a countable set of client names. is divided into disjoint sets of types from via . Similarly, is divided using . We use to denote elements in and for elements in .

Formally, the set of client formulae is defined as follows:


Let be the set of all sentences in , then, the server formulae are defined as follows:

Derived modalities (“eventually”) and (“always”) are defined in the usual way: and , where and are standard propositional constants.

3.1 Semantics

is interpreted over sequences of models composed with models. Formally, a model is a triple where

  1. , where , , gives the local properties of the server at instance ,

  2. , where , where , gives the identity of the clients of each type being served at instance and

  3. , where , and gives the properties satisfied by each live agent at th instance, in other words, the corresponding states of live agents.
    Alternatively, can be given as , an equivalent form.

3.1.1 Satisfiability Relations ,

Let be a valid model and be a partial map consistent with respect to and . Then, the relations and can be defined, via induction over the structure of and , respectively, as follows:

  1. iff .

  2. iff .

  3. iff .

  4. iff or .

  5. iff .

  6. iff , and , .

  7. iff and .

  8. iff .

  9. iff .

  10. iff or .

  11. iff and .

3.2 Specification Examples Using

In this section, we would like to show that our logic adequately captures many of the facets of SPS-like systems. We consider the Loan Approval Web Service [18], and frame specifications to demonstrate the use of .

In a Loan Approval System, clients (customers) apply for loans of different sizes and wait for the appropriate response from the server (loan officer). The client with a request for a particular loan amount can be seen as a client of that type. Therefore, we can have client types as say, and client properties as . Here means a loan request of type (size) high, means a loan request of type (size) low and means a loan request of type (size) medium. Now, we can write a few simple specifications in as follows:

  1. which means initially there are no pending requests.

  2. which means whenever there is a request of type low there is an approval for type low in the next instant.

  3. which means there is no request of type low taken up as long as there is a high request pending.

  4. which means there is at least one request of each type pending all the time.

  5. which is similar to , there are no pending medium or low requests with a high request.

Note that none of these formulae make use of equality () predicate. Using , we can make stronger statements as follows:

  1. which means at all times there is exactly one pending request of type high.

  2. which means at all times there is at most one pending request of type high.

In the same vein, using , we can count the requests of each type and say more interesting things. For example, if asserted at a point means there are at most requests of type pending then we can frame the following formula:

  • which means, if there are at most two pending requests of type high at successive instants then thereafter the number stabilizes.

Unfortunately, owing to a lack of provision for free variables in the scope of temporal modalities, we can’t write specifications which seek to match requests and approvals. Here is a sample.

which means, if there is a request of type at some point of time then the same is approved some time in future.

The challenge is to come up with appropriate constraints on specifications which allow us to express interesting properties as well as remain decidable to verify.

4 Model Checking against

For model checking the client-server system is modeled as an SPS, , and the specification is given by a formula in . The problem is to check if the system satisfies the specification , denoted by . In order to do this we bound the using and define an interpreted version.

Bounded Interpreted

Let be an and be a specification in . From we compute , the variables of type occurring in , for each . Let . Also, can have at most client predicates in it, and . For each , we define the bound . Let and . Further, .

Now, we are in a position to define an interpreted form of bounded SPS. The interpreted is as follows:

  1. , where each configuration satisfies the following condition: for each , for each , .

  2. as follows: iff and the following conditions hold:

    1. when , and .

    2. when , and .

    3. when , and .

In order to use a model checking tool, we need to eliminate quantifiers from and thereby convert it to a standard LTL form. This can be done as follows. Let be an sentence of type occurring in . Convert into an equivalent propositional logic formula using the bound (and model ) in the standard way [25]. For uniformity, we replace by and by , respectively.

Once we have transformed every sentence occurring in to equivalent propositional formula, turns out to be an LTL formula . Therefore, we can model check against using NuSMV. Consequently, we can assert the following theorem:

Theorem 4.1 ([18])

can be checked in double exponential time.

4.1 Model Checking Using NuSMV

We check whether a -based system satisfies an specification as follows. We employ the .smv encoding for describing the and related specification, as in the case of standard NuSMV input, which has CTL/LTL specifications, instead. The following NuSMV code describes an followed by an formula. Though, the syntax of is standard Kripke, it has a different multi-counter automata semantics. Therefore, it has to be converted to standard finite state transition machine along with a translation to LTL from which is accomplished through quantifier elimination of MFO-sentences.

For simplicity, we assume that the admits no internal action and also, only one client type . Consequently, the input alphabet can be modeled by a single input variable in the NuSMV encoding. Therefore, encodes and encodes . The state set is modeled by the system variable which admits two possible states and . Initially the system is in state . When, there is a request in state , the system moves to state . When there is a response in state , the system moves to . In all other scenarios, the state does not change.

IVAR ip : boolean;
VAR  loc : {s0,s1};
  loc=s0 & ip=TRUE : s1;
  loc=s1 & ip=FALSE : s0;
  TRUE : loc;

 G((Ex)p(x) -> X((Ex)q(x)))

Along with the NuSMV code there is an specification, , where represents and represents . Here the predicates and encode and , respectively. The specification means that at all time instances, if there is a new request then it is followed immediately by a response in the next instance.

The pseudo-NuSMV input above is converted to standard NuSMV input as given below. A brief explanation is given alongside the code. There is no change in the behaviour of . The modified code has the behaviour of the newly added variables, , and .

We first look at the specification and compute the bound from the sentences contained therein. Then, the formula is converted to LTL form by eliminating the quantifiers from the sentences, in the standard way. The bound computed above, is used to define limit of the variable in the modified SMV code and also the size of the arrays and .

In the present case, the bound is as the number of predicates in the original specification is ( and ) and only one variable is used.

IVAR  ip : boolean;
VAR   loc : {s0,s1};
VAR   ctr: 0..4;
VAR   p : array 1..4 of boolean;
VAR   q : array 1..4 of boolean;
 next(loc):= case
        loc=s0 & ip=TRUE  : s1;
        loc=s1 & ip=FALSE : s0;
        TRUEΨΨ  : loc;
--ctr tracks the number of active clients.
--it’s value may range from 0 to 4.
--these values give the client names.
 next(ctr):= case
        ip=TRUEΨ & ctr <4 : ctr + 1;
        ip=FALSE & ctr >0 : ctr - 1;
        TRUEΨΨ   : ctr;
--p[i] is TRUE means request from client i is active
--p[i] is FALSE means request from client i is inactive
 next(p[1]):= case
        p[1]=FALSE & ip=TRUE & ctr=0 : TRUE;
        p[1]=TRUE & ip=FALSE & ctr=1 : FALSE;
        TRUEΨΨΨ     : p[1];
 next(p[2]):= case
        p[2]=FALSE & ip=TRUE & ctr=1 : TRUE;
        p[2]=TRUE & ip=FALSE & ctr=2 : FALSE;
        TRUEΨΨΨ     : p[2];
 next(p[3]):= case
        p[3]=FALSE & ip=TRUE & ctr=2 : TRUE;
        p[3]=TRUE & ip=FALSE & ctr=3 : FALSE;
        TRUEΨΨΨ     : p[3];
 next(p[4]):= case
        p[4]=FALSE & ip=TRUE & ctr=3 : TRUE;
        p[4]=TRUE & ip=FALSE & ctr=4 : FALSE;
        TRUEΨΨΨ     : p[4];
--q[i] is TRUE means request from client i is served
--q[i] moves to FALSE in the next time instance.
 next(q[1]):= case
        q[1]=FALSE & ip=FALSE & ctr=1 : TRUE;
        q[1]=TRUEΨΨ      : FALSE;
        TRUEΨΨΨ     : q[1];
 next(q[2]):= case
        q[2]=FALSE & ip=FALSE & ctr=2 : TRUE;
        q[2]=TRUEΨΨ      : FALSE;
        TRUEΨΨΨ     : q[2];
 next(q[3]):= case
        q[3]=FALSE & ip=FALSE & ctr=3 : TRUE;
        q[3]=TRUEΨΨ      : FALSE;
        TRUEΨΨΨ     : q[3];
 next(q[4]):= case
        q[4]=FALSE & ip=FALSE & ctr=4 : TRUE;
        q[4]=TRUEΨΨ      : FALSE;
        TRUEΨΨΨ     : q[4];

 G ( (p[1] | p[2] | p[3] | p[4]) ->
            (q[1] | q[2] | q[3] | q[4]) )

This NuSMV description is sent for model checking using NuSMV, which, accordingly, decides whether the specification holds true for the system. It is not difficult to see that this scheme can be easily extended to systems with multiple client types. The code for this tool is available on bitbucket https://bitbucket.org/ssnmfotl/nusmv-mfotl-code.

5 Discussion & Future Work

We have presented a simple model for client - server systems where the number of clients is known only at run-time and hence unbounded. The model is equivalent to multi-counter automata and so we can decide reachability properties. We also proposed a simple temporal logic over sentences of a monadic first-order logic. We proposed a practical scheme to implement model checking such client - server systems against the given logic specifications.

The immediate challenge is to extend the theory to include active clients, where there is non-trivial interaction between the client and server between the send-request and the request-response. We call these client - server systems with active clientele. However, for such systems we need specifications that admit temporal modalities in the scope of quantifiers, and controlling the expressiveness while retaining decidability is challenging.


  • [1] Alex Berson. Client/server architecture. McGraw-Hill, Inc., New York, NY, USA, 1992.
  • [2] Srini Narayanan and Sheila A. McIlraith. Simulation, verification and automated composition of web services. In WWW, pages 77–88, 2002.
  • [3] IBM. Web services business process execution language version 1.1. Technical report, www.ibm.com/developerworks/library/ws-bpel, 2003.
  • [4] Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, 2000.
  • [5] Vassilis Christophides, Richard Hull, Gregory Karvounarakis, Akhil Kumar, Geliang Tong, and Ming Xiong. Beyond discrete e-services: Composing session-oriented services in telecommunications. In TES, pages 58–73, 2001.
  • [6] Mordechai Ben-Ari, Amir Pnueli, and Zohar Manna. The temporal logic of branching time. Acta Inf., 20:207–226, 1983.
  • [7] Lan Zhang, Ullrich Hustadt, and Clare Dixon. Ctl-rp: A computation tree logic resolution prover. AI Commun., 23:111–136, April 2010.
  • [8] Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, Norwell, MA, USA, 1993.
  • [9] B. Meenakshi and Ramaswamy Ramanujam. Reasoning about message passing in finite state environments. In ICALP, pages 487–498, 2000.
  • [10] Dov M. Gabbay, Ian M. Hodkinson, and Mark A. Reynolds. Temporal Logic. Part 1. Clarendon Press, 1994.
  • [11] Ian M. Hodkinson, Frank Wolter, and Michael Zakharyaschev. Decidable fragment of first-order temporal logics. Ann. Pure Appl. Logic, 106(1-3):85–134, 2000.
  • [12] Joseph Y. Halpern and Moshe Y. Vardi. The complexity of reasoning about knowledge and time. I. Lower Bounds. J. Comput. Syst. Sci., 38(1):195–237, 1989.
  • [13] A. Prasad Sistla and Lenore D. Zuck. On the eventuality operator in temporal logic. In LICS, pages 153–166, 1987.
  • [14] Ian M. Hodkinson. Monodic packed fragment with equality is decidable. Studia Logica, 72(2):185–197, 2002.
  • [15] Ian M. Hodkinson, Frank Wolter, and Michael Zakharyaschev. Decidable and undecidable fragments of first-order branching temporal logics. In LICS, pages 393–402, 2002.
  • [16] Francesco Belardinelli and Alessio Lomuscio. Interactions between time and knowledge in a first-order logic for multi-agent systems. In KR, 2010.
  • [17] Francesco Belardinelli and Alessio Lomuscio. A complete first-order logic of knowledge and time. In KR, pages 705–714, 2008.
  • [18] S. Sheerazuddin. Temporal specifications for services with unboundedly many passive clients. In ICDCN, volume 6522 of Lecture Notes in Computer Science, pages 179–190. Springer, 2011.
  • [19] Pouria Mellati, Ehsan Khamespanah, and Ramtin Khosravi. Leetl: Ltl with quantifications over model objects. In Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software, SPIN 2017, pages 41–49, New York, NY, USA, 2017. ACM.
  • [20] Alessandro Ferrante, Margherita Napoli, and Mimmo Parente. Ctl model-checking with graded quantifiers. In Automated Technology for Verification and Analysis, 6th International Symposium, ATVA 2008, Seoul, Korea, October 20-23, 2008. Proceedings, pages 18–32, 2008.
  • [21] Alessandro Ferrante, Maurizio Memoli, Margherita Napoli, Mimmo Parente, and Francesco Sorrentino. A nusmv extension for graded-ctl model checking. In Computer Aided Verification, 22nd International Conference, CAV 2010, Edinburgh, UK, July 15-19, 2010. Proceedings, pages 670–673, 2010.
  • [22] John E. Hopcroft and Jean-Jacques Pansiot. On the reachability problem for 5-dimensional vector addition systems. Theor. Comput. Sci., 8:135–159, 1979.
  • [23] S. Rao Kosaraju. Decidability of reachability in vector addition systems (preliminary version). In STOC, pages 267–281, 1982.
  • [24] Ernst W. Mayr. An algorithm for the general petri net reachability problem. In STOC, pages 238–246, 1981.
  • [25] George S. Boolos, Richard P. Burgess, and Richard C. Jeffrey. Computability and Logic: 5th Ed. Cambridge University Press, New York, NY, USA, 2007.