Verification, Model Checking, and Abstract Interpretation

We present an approach that lets end-users prove security properties of Java bytecode by statically analysing the code itself, so that the run-time check for access permissions can be eliminated. The approach combines two well-known techniques: abstract interpretation and model checking. From an operational abstract semantics of the bytecode we build a finite transition system that records security information while abstracting from actual values. We then model check it against formulae expressing security properties, using the SMV model checker. A main point of the paper is the definition of the properties that the abstract semantics must satisfy to guarantee the absence of security leaks.
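The pipeline the abstract describes (abstract semantics producing a finite transition system, then a model check of a security property over it) can be illustrated in miniature. The following is an added example written for this page, not the paper's semantics, tool or code: it assumes a toy bytecode-like language with a handful of instructions, a Java-style stack-inspection rule for permission checks, and a call-depth bound to keep the state space finite. Values are abstracted away entirely, so a branch yields both targets, and the model check is done by explicit-state reachability in Python rather than with SMV. The property checked is a safety invariant, "whenever a check instruction is about to execute, stack inspection succeeds"; a check site at which the invariant holds on every reachable path is one whose run-time check could be dropped, and a failing path is returned as a counterexample stack.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Set, Tuple

Instr = tuple
Frame = Tuple[str, int, bool]      # (method, pc, frame entered through a privileged call)
State = Tuple[Frame, ...]          # abstract call stack, innermost frame last
Program = Dict[str, List[Instr]]

# Constructed toy program; a bytecode-like language assumed for this example, not the paper's.
#   ("invoke", m)  plain call            ("priv", m)   privileged call (doPrivileged-style)
#   ("check", p)   run-time demand of p  ("if", t)     branch whose condition is abstracted away
#   ("ret",)       return
PROGRAM: Program = {
    "applet.run":     [("invoke", "lib.readConfig"), ("if", 3), ("invoke", "lib.deleteTemp"), ("ret",)],
    "lib.readConfig": [("priv", "lib.openFile"), ("ret",)],
    "lib.deleteTemp": [("invoke", "lib.openFile"), ("ret",)],
    "lib.openFile":   [("check", "file"), ("invoke", "lib.audit"), ("ret",)],
    "lib.audit":      [("check", "audit"), ("ret",)],
}
DOMAIN: Dict[str, str] = {m: ("applet" if m.startswith("applet.") else "lib") for m in PROGRAM}
GRANTS: Dict[str, FrozenSet[str]] = {"applet": frozenset({"audit"}), "lib": frozenset({"file", "audit"})}
MAX_DEPTH = 8   # call-depth bound that keeps the abstract state space finite


def stack_ok(stack: State, perm: str, domain: Dict[str, str], grants: Dict[str, FrozenSet[str]]) -> bool:
    """Java-style stack inspection (assumed rule): walk frames innermost-first, every frame's
    domain must hold `perm`; a frame entered through a privileged call ends the walk once its
    own caller has also been checked."""
    for i in range(len(stack) - 1, -1, -1):
        method, _, privileged = stack[i]
        if perm not in grants[domain[method]]:
            return False
        if privileged:
            return i == 0 or perm in grants[domain[stack[i - 1][0]]]
    return True


def successors(state: State, program: Program) -> List[State]:
    """Abstract transition relation: values are dropped, so a branch yields both targets."""
    method, pc, privileged = state[-1]
    op, *args = program[method][pc]
    callers = state[:-1]
    advanced = callers + ((method, pc + 1, privileged),)
    if op in ("invoke", "priv"):
        return [advanced + ((args[0], 0, op == "priv"),)]
    if op == "if":
        return [advanced, callers + ((method, args[0], privileged),)]
    if op == "check":
        return [advanced]
    if op == "ret":
        return [callers] if callers else []
    raise ValueError(f"unknown instruction {op!r}")


def verify(program: Program, domain: Dict[str, str], grants: Dict[str, FrozenSet[str]],
           entry: str) -> Tuple[Set[Tuple[str, int]], Set[Tuple[str, ...]]]:
    """Explore every reachable abstract state and check the safety property
    'whenever a check is about to execute, stack inspection succeeds'.
    Returns (check sites that never fail and may be dropped, counterexample call stacks)."""
    start: State = ((entry, 0, False),)
    seen, work = {start}, deque([start])
    outcomes: Dict[Tuple[str, int], Set[bool]] = {}
    failing: Set[Tuple[str, ...]] = set()
    bound_hit = False
    while work:
        st = work.popleft()
        if len(st) > MAX_DEPTH:           # beyond the bound we know nothing: stay conservative
            bound_hit = True
            continue
        method, pc, _ = st[-1]
        instr = program[method][pc]
        if instr[0] == "check":
            ok = stack_ok(st, instr[1], domain, grants)
            outcomes.setdefault((method, pc), set()).add(ok)
            if not ok:
                failing.add(tuple(f[0] for f in st))
        for nxt in successors(st, program):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    eliminable = set() if bound_hit else {site for site, res in outcomes.items() if res == {True}}
    return eliminable, failing


if __name__ == "__main__":
    drop, fails = verify(PROGRAM, DOMAIN, GRANTS, "applet.run")
    print("run-time checks provably safe to remove:", sorted(drop))
    for stack in sorted(fails):
        print("check would fail on stack:", " -> ".join(stack))
```

On the constructed program the `audit` check in `lib.audit` passes on every reachable stack and is reported as removable, while the `file` check in `lib.openFile` passes when reached through the privileged call in `lib.readConfig` but fails when reached through `lib.deleteTemp` with the applet frame still on the stack, so that check must stay and the failing stack is returned as the counterexample. If the depth bound is ever exceeded the analysis reports nothing as removable, which is the conservative direction for an analysis whose purpose is to justify deleting a run-time check.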
