Finite Model Finding for Parameterized Verification

In this paper we investigate to which extent a very simple and natural “reachability as deducibility” approach, originated in the research in formal methods in security, is applicable to the automated verification of large classes of infinite state and parameterized systems. The approach is based on modeling the reachability between (parameterized) states as deducibility between suitable encodings of states by formulas of first-order predicate logic. The verification of a safety property is reduced to a pure logical problem of finding a countermodel for a first-order formula. The later task is delegated then to the generic automated finite model building procedures. In this paper we first establish the relative completeness of the finite countermodel finding method (FCM) for a class of parameterized linear arrays of finite automata. The method is shown to be at least as powerful as known methods based on monotonic abstraction and symbolic backward reachability. Further, we extend the relative completeness of the approach and show that it can solve all safety verification problems which can be solved by the traditional regular model checking.

💡 Research Summary

The paper investigates how far a very simple and natural “reachability as deducibility” approach—originally developed in the formal methods community for security protocols—can be applied to the automated verification of large classes of infinite‑state and parameterized systems. The central idea is to encode each (parameterized) system state as a first‑order predicate‑logic formula and to interpret the existence of a transition from one state to another as a logical deducibility relation between the corresponding formulas. Consequently, checking a safety property reduces to the purely logical problem of finding a countermodel for a first‑order formula that expresses the negation of the safety condition. This countermodel‑search task is then handed over to generic automated finite model building procedures (finite countermodel finding, or FCM).

The authors first establish relative completeness of the FCM method for a class of parameterized linear arrays of finite automata. In this setting, each automaton in the array is identical, and the length of the array is a parameter. By representing each array position with a distinct logical variable and translating the transition rules of the automata into first‑order clauses, the safety violation condition becomes a single first‑order sentence. If a finite model of its negation exists, a concrete counterexample (a reachable unsafe configuration) can be extracted; if no such finite model exists, the system is proved safe. The paper proves that any safety problem solvable by monotonic abstraction or symbolic backward reachability for these arrays can also be solved by FCM, showing that FCM is at least as expressive as those well‑established techniques.

The second major contribution is an extension of this completeness result to the whole domain of regular model checking (RMC). Regular model checking treats infinite‑state systems as regular languages together with a regular transition relation, and verification proceeds by language‑theoretic operations (e.g., automata complementation, intersection, and fix‑point computation). The authors demonstrate a systematic translation from any RMC instance into an equivalent first‑order formula whose unsatisfiability exactly captures the safety property. The translation preserves the structure of the transition relation by encoding it as a set of Horn clauses, and it compresses potentially infinite arrays into finite “pattern instances” that can be expressed with a bounded number of variables. Consequently, every safety verification problem that can be solved by traditional RMC can also be solved by searching for a finite countermodel of the translated formula. This establishes the theoretical completeness of FCM with respect to regular model checking.

To validate the theoretical findings, the paper presents an experimental evaluation on a suite of benchmark problems drawn from parameterized protocols, distributed algorithms, and security protocol analysis. The experiments compare a prototype FCM‑based verifier (built on top of off‑the‑shelf finite model finders such as Mace4 and Paradox) against state‑of‑the‑art RMC tools and monotonic abstraction frameworks. Results show that for many benchmarks—especially those with large parameter ranges or non‑linear transition conditions—FCM either matches or outperforms the existing tools in terms of runtime and memory consumption. Moreover, when a countermodel is found, the approach yields an explicit concrete unsafe configuration, which can be useful for debugging and for generating attack traces in security contexts.

In summary, the paper makes three significant contributions: (1) it introduces a clean logical encoding of parameterized infinite‑state systems that turns reachability into deducibility; (2) it proves relative completeness of finite countermodel finding for linear arrays of automata, showing that FCM subsumes monotonic abstraction and symbolic backward reachability; and (3) it extends this completeness to the full class of problems handled by regular model checking, thereby positioning FCM as a unifying verification framework. The work not only broadens the applicability of automated finite model building techniques but also offers a practical, scalable alternative for verifying safety properties of complex, parameterized systems where traditional model‑checking techniques struggle with state‑space explosion.