# Gennaro ParlatoUniversità degli Studi del Molise | Università del Molise · Department of Biosciences and Territory

Gennaro Parlato

PhD in Computer Science

## About

74

Publications

13,557

Reads

**How we measure 'reads'**

A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more

1,661

Citations

Citations since 2016

Introduction

Additional affiliations

October 2018 - present

October 2016 - present

May 2011 - August 2021

Education

October 2002 - March 2006

## Publications

Publications (74)

Reasoning about data structures requires powerful logics supporting the combination of structural and data properties. We define a new logic called Mso-D (Monadic Second-Order logic with Data) as an extension of standard Mso on trees with predicates of the desired data logic. We also define a new class of symbolic data tree automata (Sdtas) to deal...

Reasoning about data structures requires powerful logics supporting the combination of structural and data properties. We define a new logic called Mso-D (Monadic Second-Order logic with Data) as an extension of standard Mso on trees with predicates of the desired data logic. We also define a new class of symbolic data tree automata ( Sdta s) to de...

Bounded verification techniques such as bounded model checking (BMC) have successfully been used for many practical program analysis problems, but concurrency still poses a challenge. Here we describe a new approach to BMC of sequentially consistent imperative programs that use POSIX threads. We first translate the multi-threaded program into a non...

Bounded verification techniques such as bounded model checking (BMC) have successfully been used for many practical program analysis problems, but concurrency still poses a challenge. Here we describe a new approach to BMC of sequentially consistent imperative programs that use POSIX threads. We first translate the multi-threaded program into a non...

A multi-stack pushdown system is a natural model of concurrent programs. The basic verification problems are in general undecidable (two stacks suffice to encode a Turing machine), and in the last years, there have been some successful approaches based on under-approximating the system behaviors. In this paper, we propose a restriction of the seman...

Concurrency poses a major challenge for program verification, but it can also offer an opportunity to scale when subproblems can be analysed in parallel. We exploit this opportunity here and use a parametrizable code-to-code translation to generate a set of simpler program instances, each capturing a reduced set of the original program’s interleavi...

Sequentialization translates concurrent programs into equivalent nondeterministic sequential programs so that the different concurrent schedules no longer need to be handled explicitly. However, existing sequentializations assume sequential consistency, which modern hardware architectures no longer guarantee. Here we describe a new approach to embe...

Trojan Horse attacks can lead to unauthorized data flows and can cause either a confidentiality violation or an integrity violation. Existing solutions to address this problem employ analysis techniques that keep track of all subject accesses to objects, and hence can be expensive. In this paper we show that for an unauthorized flow to exist in an...

Lazy sequentialization has proven to be one of the most effective techniques for concurrent program verification. The Lazy-CSeq sequentialization tool performs a “lazy” code-to-code translation from a concurrent program into an equivalent non-deterministic sequential program, i.e., it preserves the valuations of the program variables along its exec...

Lazy sequentialization has emerged as one of the most effective techniques to find bugs in concurrent programs. However, the size of the shared global and thread-local state still poses a problem for further scaling. We therefore use abstract interpretation to minimize the representation of the concurrent program’s state variables. More specificall...

Lazy sequentialization has emerged as one of the most effective techniques to find bugs in concurrent programs. However, the size of the shared global and thread-local state still poses a problem for further scaling. We there- fore use abstract interpretation to minimize the representation of the concurrent program’s state variables. More specifica...

Lazy sequentialization has emerged as one of the most promising approaches for concurrent program analysis but the only efficient implementation given so far works just for bounded programs. This restricts the approach to bug-finding purposes. In this paper, we describe and evaluate a new lazy sequentialization translation that does not unwind loop...

Lazy sequentialization is one of the most effective approaches for the bounded verification of concurrent programs. Existing tools assume sequential consistency (SC), thus the feasibility of lazy sequentializations for weak memory models (WMMs) remains untested. Here, we describe the first lazy sequentialization approach for the total store order (...

Sequentialization is one of the most promising approaches for the symbolic analysis of concurrent programs. However, existing sequentializations assume sequential consistency, which modern hardware architectures no longer guarantee. In this paper we describe an approach to embed weak memory models within eager sequentializations (a la Lal/Reps). Ou...

We consider the feasibility problem of integer linear programming (ILP). We show that solutions of any ILP instance can be naturally represented by an FO-definable class of graphs. For each solution there may be many graphs representing it. However, one of these graphs is of path-width at most 2n, where n is the number of variables in the instance....

We present the MU-CSeq tool for the verification of multi-threaded C programs with dynamic thread creation, dynamic memory allocation, and pointer arithmetic. It is based on sequentializing the programs over the new notion of individual memory location unwinding (IMU). IMU is derived from the notion of memory unwinding that has been implemented in...

We describe an approach to design static analysis and verification tools for concurrent programs that separates intra-thread computation from inter- thread communication by means of a shared memory abstraction (SMA). We formally characterize the concept of thread-asynchronous transition systems that underpins our approach and that allows us to desi...

We study the formal language theory of multistack pushdown automata (MPA) restricted to computations where a symbol can be popped from a stack S only if it was pushed within a bounded number of contexts of S (scoped MPA). We show that scoped MPA are indeed a robust model of computation, by focusing on the corresponding theory of visibly MPA (MVPA)....

Sequentialization translates concurrent programs into (under certain
assumptions) equivalent nondeterministic sequential programs and so reduces
concurrent verification to its sequential counterpart. In previous work, we have
developed and implemented in the Lazy-CSeq tool a lazy sequentialization schema
for bounded programs that introduces very sm...

Lazy-CSeq is a context-bounded verification tool for sequentially consistent C programs using POSIX threads. It first translates a multi-threaded C program into a bounded nondeterministic sequential C program that preserves bounded reachability for all round-robin schedules up to a given number of rounds. It then reuses existing high-performance bo...

We describe a new CSeq module that implements improved algorithms for the verification of multi-threaded C programs with dynamic thread creation. It is based on sequentializing the programs according to a guessed sequence of write operations in the shared memory (memory unwinding, MU). The original algorithm (implemented in MU-CSeq 0.1) stores the...

We describe a new CSeq module for the verification of multi-threaded
C programs with dynamic thread creation. This module implements a variation
of the lazy sequentialization algorithm implemented in Lazy-CSeq. The main
novelty is that we do not bound here the number of round-robin schedules in an
execution and the loops that do not contain a threa...

We describe a new sequentialization-based approach to the symbolic verification of multi-threaded programs with shared memory and dynamic thread creation. Its main novelty is the idea of memory unwinding, i.e., an explicit representation of the sequence of write operations into the shared memory. For the verification, we nondeterministically guess...

We describe a version of the lazy sequentialization schema by La Torre, Madhusudan, and Parlato that is optimized for bounded programs, and avoids the re-computation of the local state of each process at each context switch. Lazy-CSeq implements this sequentialization schema for sequentially consistent C programs using POSIX threads. Experiments sh...

We consider the feasibility problem of integer linear programming (ILP). We
show that solutions of any ILP instance can be naturally represented by an
FO-definable class of graphs. For each solution there may be many graphs
representing it. However, one of these graphs is of path-width at most 2n,
where n is the number of variables in the instance....

We give a general approach to show the closure under com-plement and decide the emptiness for many classes of multistack visibly pushdown automata (Mvpa). A central notion in our approach is the vis-ibly path-tree, i.e., a stack tree with the encoding of a path that denotes a linear ordering of the nodes. We show that the set of all such trees with...

We study the formal language theory of multistack pushdown automata (Mpa) restricted to computations where a symbol can be popped from a stack S only if it was pushed within a bounded number of contexts of S (scoped
Mpa). We contribute to show that scoped Mpa are indeed a robust model of computation, by focusing on the corresponding theory of visib...

Bounded model checking (BMC) has successfully been used for many practical program verification problems, but concurrency still poses a challenge. Here we describe a new approach to BMC of sequen-tially consistent C programs using POSIX threads. Our approach first translates a multi-threaded C program into a nondeterministic sequen-tial C program t...

We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential a nd distributed automata with auxiliary storage (stacks, queu es) that have recently been proved. Our generalization relies o n reducing emptiness of these automata to finite-stategraph automata (without storage) defined on monadic...

In this paper we present Vac, an automatic tool for ver-ifying security properties of administrative Role-based Access Control (RBAC). RBAC has become an increasingly popular access control model, particularly suitable for large organizations, and it is implemented in sev-eral software. Automatic security analysis of administrative RBAC sys-tems is...

Providing restrictive and secure access to resources is a challenging and socially important problem. Among the many formal security models, Role Based Access Control (RBAC) has become the norm in many of today's organizations for enforcing security. For every model, it is necessary to analyze and prove that the corresponding system is secure. Such...

We address the state reachability problem in concurrent pro-grams running over the TSO weak memory model. This problem has been shown to be decidable with non-primitive recursive complexity in the case of finite-state threads. For recursive threads this problem is unde-cidable. The aim of this paper is to provide under-approximate analyses for TSO...

We implement a new sequentialization algorithm for multi-threaded C programs with dynamic thread creation as a new CSeq module. The novel basic idea of this algorithm is to fix (by a nondeterministic guess) the sequence of write operations in the shared memory and then simulate the behavior of the program according to any scheduling that respects t...

We describe a version of the lazy sequentialization schema by La Torre, Madhusudan, and Parlato that is optimized for bounded programs, and avoids the re-computation of the local state of each process at each context switch. Lazy-CSeq implements this sequentialization schema for sequentially consistent C programs using POSIX threads. Experiments sh...

Sequentialization translates concurrent programs into equivalent nondeterministic sequential programs so that the different concurrent schedules no longer need to be handled explicitly. It can thus be used as a concurrency preprocessing technique for automated sequential program verification tools. Our CSeq tool implements a novel sequentialization...

We propose a new approach to heap analysis through an abstract domain of
automata, called automatic shapes. The abstract domain uses a particular
kind of automata, called quantified data automata on skinny trees
(QSDAs), that allows to define universally quantified properties of
singly-linked lists. To ensure convergence of the abstract fixed-point...

We contribute to the theory of formal languages of visibly multistack pushdown automata (MVPA).
First, we show closure under the main operations and decidability of the main decision problems for the class of MVPA restricted to computations where a symbol can be popped out of a stack S only if it was pushed within the last k contexts of S, for a g...

Current techniques for security analysis of administrative role-based access control (ARBAC) policies restrict themselves to the separate administration assumption that essentially separates administrative roles from regular ones. The naive algorithm of tracking all users is all that is known for the analysis of ARBAC policies without separate admi...

Sequentialization translates concurrent programs into equivalent non-deterministic sequential programs so that the different concurrent schedules no longer need to be handled explicitly. It can thus be used as a concurrency pre-processor for many sequential program verification techniques. CSeq implements sequentialization for C and uses ESBMC as s...

We present a novel framework to reason about programs
based on encodings of computations as graphs. The main insight here is to rearrange the programs such that given a bound k, each computation can be explored according to any tree decomposition of width k of the corresponding behaviour graph. This produces under-approximations parameterized on k,...

We present a novel fixed-point algorithm to solve reachability of multi-stack pushdown systems restricted to runs where matching push and pop transitions happen within a bounded number of context switches. The followed approach is compositional, in the sense that the runs of the system are summarized by bounded-size interfaces. Moreover, it is suit...

We exhibit assertion-preserving (reachability preserving) transformations
from parameterized concurrent shared-memory programs, under a k-round
scheduling of processes, to sequential programs. The salient feature of the
sequential program is that it tracks the local variables of only one thread at
any point, and uses only O(k) copies of shared vari...

Today, Role Based Access Control (RBAC) is the de facto model used for advanced access control, and is widely deployed in diverse enterprises of all sizes. Several extensions to the authorization as well as the administrative models for RBAC have been adopted in recent years. In this paper, we consider the temporal extension of RBAC (TRBAC), and de...

Today, Role Based Access Control (RBAC) is the de facto model used for advanced access control, and is widely deployed in diverse enterprises of all sizes. Several extensions to the authorization as well as the administrative models for RBAC have been adopted in recent years. In this paper, we consider the temporal extension of RBAC (TRBAC), and de...

We propose a novel scheme for proving administrative role-based access control (ARBAC) policies correct with respect to security properties using the powerful abstraction-based tools available for program verification. Our scheme uses a combination of abstraction and reduction to program verification to perform security analysis. We convert ARBAC p...

We propose an approach for reducing the TSO reachability analysis of concurrent programs to their SC reachability analysis,
under some conditions on the explored behaviors. First, we propose a linear code-to-code translation that takes as input a concurrent program P and produces a concurrent program P′ such that, running P′ under SC yields the sam...

We propose a general framework for compositional underapproximate concurrent program analyses by reduction to sequential program analyses—so-called sequentializations. We notice the existing sequentializations—based on bounding the number of execution contexts, execution rounds, or delays from a deterministic task-schedule—rely on three key feature...

We define a new logic, STRAND, that allows reasoning with heap-manipulating programs using deductive verification and SMT solvers. STRAND logic ("STRucture ANd Data" logic) formulas express constraints involving heap structures and the data they contain; they are defined over a class of pointer-structures R defined using MSO-defined relations over...

We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential and distributed automata with auxiliary storage (stacks, queues) that have recently been proved. Our generalization relies on reducing emptiness of these automata to finite-state graph automata (without storage) restricted to monadic...

Given an undirected and vertex weighted graph G = (V,E,w), the Weighted Feedback Vertex Problem (WFVP) consists of finding a subset F ⊆ V of vertices of minimum weight such that each cycle in G contains at least one vertex in F. The WFVP on general graphs is known to be NP-hard and to be polynomially solvable on some special classes of graphs (e.g....

We propose a novel scheme for proving administrative role-based access control (ARBAC) policies correct with respect to security properties using the powerful abstraction based tools available for program veri?cation. Our scheme uses a combination of abstraction and reduction to program verification to perform security analysis. We convert ARBAC po...

We consider the verification of parameterized Boolean programs— abstractions of shared-memory concurrent programs with an unbounded number of threads. We propose that such programs can be model-checked by iteratively considering the program under k-round schedules, for increasing values of k, using a novel compositional construct called linear inte...

Concurrent compositions of recursive programs with finite data are a natural abstraction model for concurrent programs. Since reachability is undecidable for this class, a restricted form of reachabil- ity has become popular in the formal verification literature, where the set of states reached within k context-switches, for a fixed small con- stan...

We give a translation from concurrent programs to sequential programs that reduces the context-bounded reachability problem
in the concurrent program to a reachability problem in the sequential one. The translation has two salient features: (a) the
sequential program tracks, at any time, the local state of only one thread (though it does track mult...

We show that recursive programs where variables range over fi- nite domains can be effectively and efficiently analyzed by describ- ing the analysis algorithm using a formula in a fixed-point calcu- lus. In contrast with programming in traditional languages, a fixed- point calculus serves as a high-level programming language to eas- ily, correctly,...

We show that recursive programs where variables range over finite domains can be effectively and efficiently analyzed by describing the analysis algorithm using a formula in a fixed-point calculus. In contrast with programming in traditional languages, a fixed-point calculus serves as a high-level programming language to easily, correctly, and succ...

In this paper we study optimization problems with verifiable one-parameter selfish agents introduced by Auletta et al. (ICALP 2004). Our goal is to allocate load among the agents, provided that the secret data of each agent is a single positive real number: the cost they incur per unit load. In such a setting the payment is given after the load com...

Infinite-state automata are a new invention: they are automata that have an infinite number of states represented by words,
transitions defined using rewriting, and with sets of initial and final states. Infinite-state automata have gained recent
interest due to a remarkable result by Morvan and Stirling, which shows that automata with transitions...

A hierarchical state machine (Hsm) is a finite state machine where a vertex can either expand to another hierarchical state machine (box) or be a basic vertex (node). Each node is labeled with atomic propositions. We study an extension of such model which allows atomic propositions to label also boxes (Shsm). We show that Shsms can be exponentially...

We show that the bounded context-switching reachability problem for concurrent finite systems communicating using unbounded
FIFO queues is decidable, where in each context a process reads from only one queue (but is allowed to write onto all other
queues). Our result also holds when individual processes are finite-state recursive programs provided...

We define a new class of languages defined by multi-stack automata that forms a robust subclass of context-sensitive languages, with decidable emptiness and closure under boolean operations. This class, called multi-stack visibly pushdown languages (MVPLs), is defined using multi-stack pushdown automata with two restrictions: (a) the pushdown autom...

Recursive state machines (rsms) are models for programs with recursive procedural calls. While Ltl model-checking is Exptime-complete on such models, on finite-state machines, it is Pspace-complete in general and becomes Np-complete for interesting fragments. In this paper, we systematically study the computational complexity of model-checking rsms...

A hierarchical state machine (HSM) is a flnite state machine where a vertex can either expand to another hierarchical state machine (box) or be a basic vertex (node). Each node is labeled with atomic propositions. We study an extension of such model which allows atomic propositions to label also boxes (SHSM). We show that SHSMs can be exponentially...

In this paper we study optimization problems with verifiable one-parameter selfish agents introduced by Auletta et al. (ICALP 2004). Our goal is to allocate load among the agents, provided that the secret data of each agent is a single positive rational number: the cost they incur per unit load. In such a setting the payment is given after the load...

Given an undirected and vertex weighted graph G, the Weighted Feedback Vertex Problem (WFVP) consists in finding a subset F⊆V of vertices of minimum weight such that each cycle in G contains at least one vertex in F. The WFVP on general graphs is known to be NP-hard. In this paper we introduce a new class of graphs, namely the diamond graphs, and g...