# Natarajan Shankar, SRI International | SRI · Computer Science Laboratory

Natarajan Shankar

PhD in CS

## About

201 Publications

19,002 Reads


9,218 Citations

## Publications


CDSAT (Conflict-Driven Satisfiability) is a paradigm for theory combination that works by coordinating theory modules to reason in the union of the theories in a conflict-driven manner. We generalize CDSAT to the case of nondisjoint theories by presenting a new CDSAT theory module for a theory of arrays with abstract length, which is an abstraction...

In this paper, we present a novel approach that seamlessly integrates requirements-based testing and model checking. Given a set of functional requirements and properties, both generic attributes and application specific constraints, expressed in our CLEAR requirements notation, our approach and the associated tool suite simultaneously generates an...

Search-based satisfiability procedures try to build a model of the input formula by simultaneously proposing candidate models and deriving new formulae implied by the input. Conflict-driven procedures perform non-trivial inferences only when resolving conflicts between formulæ and assignments representing the candidate model. CDSAT (Conflict-Drive...

The functions of an autonomous system can generally be partitioned into those concerned with perception and those concerned with action. Perception builds and maintains an internal model of the world (i.e., the system’s environment) that is used to plan and execute actions to accomplish a goal established by human supervisors.

Many applications depend on solving the satisfiability of formulæ involving propositional logic and first-order theories, a problem known as Satisfiability Modulo Theory. This article presents a new method for satisfiability modulo a combination of theories, named CDSAT, for Conflict-Driven SATisfiability. CDSAT also solves Satisfiability Modulo As...

We propose a novel passive learning approach, TeLEx, to infer signal temporal logic (STL) formulas that characterize the behavior of a dynamical system using only observed signal traces of the system. First, we present a template-driven learning approach that requires two inputs: a set of observed traces and a template STL formula. The unknown para...

We describe how the PVS theorem prover has been used to verify a safety property of a widely studied garbage collection algorithm. The safety property asserts that “nothing but garbage is ever collected”. The garbage collection algorithm and its composition with the user program can be regarded as a concurrent system with two processes working on a...

Autonomous robots increasingly depend on third-party off-the-shelf components and complex machine-learning techniques. This trend makes it challenging to provide strong design-time certification of correct operation. To address this challenge, we present SOTER, a programming framework that integrates the core principles of runtime assurance to enab...

There are two basic approaches to automated verification. In model checking, the system is viewed as a graph representing possible execution steps. Properties are established by exploring or traversing the graph structure. In deduction, both the system and its putative properties are represented by formulas in a logic, and the resulting proof oblig...

Search-based satisfiability procedures try to construct a model of the input formula by simultaneously proposing candidate models and deriving new formulae implied by the input. When the formulae are satisfiable, these procedures generate a model as a witness. Dually, it is desirable to have a proof when the formulae are unsatisfiable. Conflict-dri...


We formalize a Hoare logic for the partial correctness of while programs in PVS and prove its soundness and relative completeness. We use the PVS higher-order logic to define the syntax and semantics of a small imperative programming language, and describe a proof system for Hoare triples involving programs in this language. We prove the soundness...

We propose a novel passive learning approach, TeLEx, to infer signal temporal logic formulas that characterize the behavior of a dynamical system using only observed signal traces of the system. The approach requires two inputs: a set of observed traces and a template Signal Temporal Logic (STL) formula. The unknown parameters in the template can i...

The CDCL procedure for SAT is the archetype of conflict-driven procedures for satisfiability of quantifier-free problems in a single theory. In this paper we lift CDCL to CDSAT (Conflict-Driven Satisfiability), a system for conflict-driven reasoning in combinations of disjoint theories. CDSAT combines theory modules that interact through a global t...

Avionic systems involve complex time-dependent behaviors across interacting components. This paper presents a contract-based approach for formally verifying these behaviors in a compositional manner. A unique feature of our contract-based tool is the support of architectural specification for multi-rate platforms. An abstraction technique has also...

Requirements are informal and semi-formal descriptions of the expected behavior of a complex system from the viewpoints of its stakeholders (customers, users, operators, designers, and engineers). However, for the purpose of design, testing, and verification for critical systems, we can transform requirements into formal models that can be analyzed...

Reference counting is a popular technique for memory management. It tracks the number of active references to a data object during the execution of a program. Reference counting allows the memory used by a data object to be freed when there are no active references to it. We develop the metatheory of reference counting by presenting an abstract mod...

Cyber security research has produced numerous artificial diversity techniques such as address space layout randomization, heap randomization, instruction-set randomization, and instruction location randomization. To be most effective, these techniques must be high entropy and secure from information leakage which, in practice, is often difficult to...

Cyber-security has emerged as a pressing issue for transportation systems. Studies have shown that attackers can attack modern vehicles from a variety of interfaces and gain access to the most safety-critical components. Such threats become even broader and more challenging with the emergence of vehicle-to-vehicle (V2V) and vehicle-to-infrastructur...

The strong isolation guarantees of hardware virtualization have led to its widespread use. A consequence of this is that individual partitions contain much software that is designed to be used in a variety of environments and by a range of applications, while in practice only a limited subset is actually utilized. Similarly, the modular design of s...

Larry Wos, Ross Overbeek, Ewing Lusk, and Jim Boyle. Automated reasoning. Introduction and applications. Second edition of LI 464. McGraw-Hill, New York etc. 1992, xvi + 656 pp. + disk. - Volume 59 Issue 4 - Natarajan Shankar

The design of a complex cyber-physical system is centered around one or more models of computation (MoCs). These models define the semantic framework within which a network of sensors, controllers, and actuators operate and interact with each other. In this paper, we examine the foundations of a quasi-synchronous model of computation. Our version of...

To become practical for assurance, automated formal methods must be made more scalable, automatic, and cost-effective. Such an increase in scope, scale, automation, and utility can be derived from an emphasis on a systematic separation of concerns during verification. SAL (Symbolic Analysis Laboratory) attempts to address these issues. It is a...

The design of cyber-physical systems is challenging in that it involves the analysis and synthesis of software-intensive, distributed, real-time systems for controlling, possibly safety-relevant, plants in complex physical habitats. We tackle this formidable challenge with EFSMT, an exists-forall (EF) quantified first-order fragment of propositiona...

Software poses a range of engineering challenges. How do we capture the expected behavior of the software? How can we check if such behavioral descriptions are consistent and valid? How do we generate test instances that explore and examine different parts of the software? We focus on the underlying technology by which a number of these problems ca...

Static verification traditionally produces yes/no answers. It either provides a proof that a piece of code meets a property, or a counterexample showing that the property can be violated. Hence, the progress of static verification is hard to measure. Unlike in testing, where coverage metrics can be used to track progress, static verification does n...

Natural language (supplemented with diagrams and some mathematical notations)
is convenient for succinct communication of technical descriptions between the
various stakeholders (e.g., customers, designers, implementers) involved in the
design of software systems. However, natural language descriptions can be
informal, incomplete, imprecise and amb...

Integrated circuits (ICs) are now designed and fabricated in a globalized multivendor environment making them vulnerable to malicious design changes, the insertion of hardware Trojans/malware, and intellectual property (IP) theft. Algorithmic reverse engineering of digital circuits can mitigate these concerns by enabling analysts to detect maliciou...

The evidential tool bus (ETB) is a distributed framework for tool integration for the purpose of building and maintaining assurance cases. ETB employs Datalog as a metalanguage both for defining workflows and representing arguments. The application of Datalog in ETB differs in some significant ways from its use as a database query language. For exa...

A method for transforming untrusted applications into trusted executables through static previrtualization is disclosed. For example, the method receives an untrusted application and extracts a system call from the untrusted application. The method then determines if the system call is privileged or non-privileged. If the system call is privileged,...

An increasing number of organizations are migrating their critical information technology services, from healthcare to business intelligence, into public cloud computing environments. However, even if cloud technologies are continuously evolving, they still have not reached a maturity level that allows them to provide users with high assurance abou...

Efficient and scalable verification of nonlinear real arithmetic constraints is essential in many automated verification and synthesis tasks for hybrid systems, control algorithms, digital signal processors, and mixed analog/digital circuits. Despite substantial advances in verification technology, complexity issues with classical decision procedur...

The design of cyber-physical systems is challenging in that it includes the
analysis and synthesis of distributed and embedded real-time systems for
controlling, often in a nonlinear way, the environment. We address this
challenge with EFSMT, the exists-forall quantified first-order fragment of
propositional combinations over constraints (including...

Psychologists have argued that human behavior is the result of the interaction between two different cognitive modules. System 1 is fast, intuitive, and error-prone, whereas System 2 is slow, logical, and reliable. When it comes to reasoning, the field of automated deduction has focused its attention on the slow System 2 processes. We argue that th...

Systems are increasingly being constructed from off-the-shelf components acquired through a globally distributed and untrusted supply chain. Often only post-synthesis gate-level netlists or actual silicons are available for security inspection. This makes reasoning about hardware trojans particularly challenging given the enormous scale of the prob...

Systems that gather fine-grained provenance metadata must process and store large amounts of information. Filtering this metadata as it is collected has a number of benefits, including reducing the amount of persistent storage required and simplifying subsequent provenance queries. However, writing these filters in a procedural language is verbose...

Formal and semi-formal tools are now being used in large projects both for development and certification. A typical project integrates many diverse tools such as static analyzers, model checkers, test generators, and constraint solvers. These tools are usually integrated in an ad hoc manner. There is, however, a need for a tool integration framewor...

The first step in building a cyber-physical system is the construction of a faithful model that captures the relevant behaviors. Dimensional consistency provides the first check on the correctness of such models and the physical quantities represented in it. Though manual analysis of dimensions is used in physical sciences to find errors in formula...

Robot manipulators are widely used in many industrial automation applications. A robot manipulator moves the end-effector to the configuration instructed by the user. The user input from a master unit is transformed into the desired configuration through forward kinematics. This configuration is communicated to the robot controller, which employs i...

The negative cost cycle detection (NCCD) problem in weighted directed graphs is a fundamental problem in theoretical computer science with applications in a wide range of domains ranging from maximum flows to image segmentation. From the perspective of program verification, this problem is identical to the problem of checking the satisfiability of...

We, the organizers and participants, report on our experiences from the 1st Verified Software Competition, held in August 2010 in Edinburgh at the VSTTE 2010 conference.

Matlab Simulink™ is a member of a class of visual languages that are used for modeling and simulating physical and cyber-physical systems. A Simulink model consists of blocks with input and output ports connected using links that carry signals. We provide a contract-based type system of Simulink with annotations and dimensions/units associated with...

Recent years have witnessed dramatic improvements in the capabilities of propositional satisfiability procedures or SAT solvers. The speedups are the result of numerous optimizations including conflict-directed backjumping. We use the Prototype Verification System (PVS) to verify a satisfiability procedure based on the Davis–Putnam–Logemann–Lovelan...

Rewriting is a form of inference, and one that interacts in several ways with other forms of inference such as decision procedures
and proof search. We discuss a range of issues at the intersection of rewriting and inference. How can other inference procedures
be combined with rewriting? Can rewriting be used to describe inference procedures? What...

In one version of Gilbreath’s card trick, a deck of cards is arranged as a series of quartets, where each quartet contains a card from each suit and all the quartets feature the same ordering of the suits. For example, the deck could be a repeating sequence of spades, hearts, clubs, and diamonds, in that order, as in the deck below.
$${\langle 5\sp...

A team of researchers from SRI International Computer Science Laboratory has proposed a long-term research program toward the construction of error-free software systems. The research project, called the Verified Software Initiative, will make an effort to a comprehensive theory of programming that covers the features needed to build practical and...

Automated deduction uses computation to perform symbolic logical reasoning. It has been a core technology for program verification from the very beginning. Satisfiability solvers for propositional and first-order logic significantly automate the task of deductive program verification. We introduce some of the basic deduction techniques used in soft...

Digital evidence is playing an increasingly important role in prosecuting crimes. The reasons are manifold: financially lucrative
targets are now connected online, systems are so complex that vulnerabilities abound and strong digital identities are being
adopted, making audit trails more useful. If the discoveries of forensic analysts are to hold u...

On the one hand, we would like verification tools to feature powerful automation, but on the other hand, we also want to be
able to trust the results with a high degree of confidence. The question of trust in verification tools has been debated for
a long time. One popular way of achieving trust in verification tools is through proof generation. Ho...

PVS is now 15 years old, and has been extensively used in research, industry, and teaching. The system is very expressive, with unique features such as predicate subtypes, recursive and corecursive datatypes, inductive and coinductive definitions, judgements, conversions, tables, and theory interpretations. The prover supports a combination of deci...

The Knaster-Tarski theorem asserts the existence of least and greatest
fixpoints for any monotonic function on a complete lattice. More
strongly, it asserts the existence of a complete lattice of such
fixpoints. This fundamental theorem has a fairly straightforward proof.
We use a mechanically checked proof of the Knaster-Tarski theorem to
illustra...

PVS is a comprehensive interactive tool for specification and verification combining an expressive specification language
with an integrated suite of tools for theorem proving and model checking. PVS has many academic and industrial users and has
been applied to a wide range of verification tasks. In this note, we summarize some of its applications...

Solvers for satisfiability modulo theories (SMT) check the satisfiability of first-order formulas containing operations from
various theories such as the Booleans, bit-vectors, arithmetic, arrays, and recursive datatypes. SMT solvers are extensions
of Boolean satisfiability solvers (SAT solvers) that check the satisfiability of formulas built from...

Satisfiability procedures are used to check if a formula representing a constraint has a solution. They are gaining popularity
as core engines for a number of applications. These procedures can be adapted for uses beyond testing satisfiability. We describe
the underlying ideas and enumerate some of the applications and extensions of satisfiability...

We have argued previously that the effectiveness of a verification system derives not only from the power of its individual features for expression and deduction, but from the extent to which these capabilities are integrated: the whole is more than the sum of its parts [19,21]. Here, we illustrate this thesis by describing a simple construct for t...

We present an approach to the verification of the real-time behavior of concurrent programs and describe its mechanization using the PVS proof checker. Our approach to real-time behavior extends previous verification techniques for concurrent programs by proposing a simple model for real-time computation and introducing a new operator for reasoning...

We describe a formal specification and verification in PVS for the general theory of SRT division, and for the hardware design of a specific implementation. The specification demonstrates how attributes of the PVS language (in particular, predicate subtypes) allow the general theory to be developed in a readable manner that is similar to textbook p...

PVS stands for Prototype Verification System. It consists of a specification language integrated with support tools and a theorem prover. PVS tries to provide the mechanization needed to apply formal methods both rigorously and productively.
This tutorial serves to introduce PVS and its use in the context of hardware verification. In the first sect...

The attractiveness of using theorem provers for system design verification lies in their generality. The major practical challenge confronting theorem proving technology is in combining this generality with an acceptable degree of automation. We describe an approach for enhancing the effectiveness of theorem provers for hardware verification throug...

Although automated proof checking tools for general-purpose logics have been successfully employed in the verification of digital systems, there are inherent limits to the efficient automation of expressive logics. If the expressiveness is constrained, there are useful logic fragments for which efficient decision procedures can be found. The model...

Logical algorithms are defined in terms of individual computation steps that are based on logical inferences. We present a
uniform framework for formalizing logical algorithms based on inference systems. We present inference systems for algorithms
such as resolution, the Davis–Putnam–Logemann–Loveland procedure, equivalence and congruence closure,...

We consider the problem of finding irredundant bases for inconsistent sets of equalities and disequalities. These are subsets of inconsistent sets which do not contain any literals which do not contribute to the unsatisfiability in an essential way, and can therefore be discarded. The approach we are pursuing here is to decorate derivations with pr...

The efforts of researchers over the past 20 years have yielded an impressive array of verification tools. However, no single tool or method is going to solve the verification problem. An entire spectrum of formal methods and tools are needed ranging from test case generators, static analyzers, and type checkers, to invariant generators, decision pro-...


SAL (see http://sal.csl.sri.com) is an open suite of tools for analysis of state machines; it constitutes part of our vision for a Symbolic Analysis Laboratory that will eventually encompass SAL, the PVS verification system, the ICS decision procedures, and other tools developed
in our group and elsewhere.
SAL provides a language similar to that o...

s, linear arithmetic, and lists. The ground (i.e., quantifier-free) fragment of many combinations is decidable when the fully quantified combination is not, and practical experience indicates that automation of the ground case is adequate for most applications. Practical experience also suggests several other desiderata for an effective deductive servi...

The development of an Integrated Canonizer/Solver (ICS) system that can be embedded in applications to provide deductive services is discussed. It is suggested that ICS can be used as a standalone application that reads formulas interactively, and can also be included as a library in any application that requires embedded deduction. ICS returns a j...


SAL 2 augments the specification language and explicit-state model checker of SAL 1 with high-performance symbolic and bounded model checkers, and with novel infinite bounded and witness model checkers. The bounded model checker can use several different SAT solvers, while the infinite bounded model checker similarly can use several different ground...

Ag is a specification language presented as a syntactic sugaring of the First-Order Dynamic Logic of Fork Algebras. This language is particularly attractive due to its expressive power, easy-to-understand semantics, and the existence of a complete deductive system. We will briefly present the language together with a complete deductive calculus a...

The use of Herbrand functions (sometimes called Skolemization) plays an important role in classical theorem proving and logic programming. We define a notion of Herbrand function for the full intuitionistic predicate calculus. This definition is based on the view that the proof-theoretic role of Herbrand functions (to replace universal quantifiers)...

Formal analyses can provide valuable assurance for high confidence software and systems. The analyses can range from strong typechecking through test case generation and static analysis to model checking and full verification. In all cases, the tools that support the analyses use formal deduction in some way or other. ICS is a fully automatic, high...

Cyberlogic is an enabling foundation for building and analyzing protocols that involve the exchange of electronic forms of evidence. The key ideas underlying Cyberlogic are extremely simple. First, evidence is encoded by means of numbers using digital certificates and nonces. Second, predicates are signed by private keys so that a decryption of suc...

Embedded control systems typically comprise continuous control laws combined with discrete mode logic. These systems are modeled using a hybrid automaton formalism, which is obtained by combining the discrete transition system formalism with continuous dynamical systems. This paper develops automated analysis techniques for asserting correctness of...

Verification seeks to prove or refute putative properties of a given program. Deductive verification is carried out by constructing
a proof that the program satisfies its specification, whereas model checking uses state exploration to find computations where
the property fails. Model checking is largely automatic but is effective only for programs...

Cyberlogic is an enabling foundation for building and analyzing protocols that involve the exchange of electronic forms of evidence. The key ideas underlying Cyberlogic are extremely simple. First, evidence is encoded by means of numbers using digital certificates and nonces. Second, predicates are signed by private keys so that a decryption of su...

The automated construction of mathematical proof is a basic activity in computing. Since the dawn of the field of automated reasoning, there have been two divergent schools of thought. One school, best represented by Alan Robinson's resolution method, is based on simple uniform proof search procedures guided by heuristics. The other school, pioneer...

Ground decision procedures for combinations of theories are used in many systems for automated deduction. There are two basic paradigms for combining decision procedures. The Nelson-Oppen method combines decision procedures for disjoint theories by exchanging equality information on the shared variables. In Shostak's method, the combination of the...

The automated construction of mathematical proof is a basic activity in computing. Since the dawn of the field of automated
reasoning, there have been two divergent schools of thought. One school, best represented by Alan Robinson’s resolution method,
is based on simple uniform proof search procedures guided by heuristics. The other school, pioneer...

Functional programs are more amenable to rigorous mathematical analysis than imperative programs, but are typically less efficient in terms of execution space and time. The update of aggregate data structures, such as arrays, are a significant source of space/time inefficiencies in functional programming. Imperative programs can execute such updates i...

Decision procedures for combinations of theories are at the core of many modern theorem provers such as ACL2, Ehdm, PVS, SIMPLIFY, the Stanford Pascal Verifier, STeP, SVC, and Z/Eves. Shostak, in 1984, published a decision procedure for the combination of canonizable and solvable theories. Recently, Ruess and Shankar showed Shostak's method to be in...

Summary form only given. The automated construction of mathematical proof is a basic activity in computing. Since the dawn of the field of automated reasoning, there have been two divergent schools of thought. One school, best represented by Alan Robinson's resolution method, is based on simple uniform proof search procedures guided by heuristics....

We address the problem of combining individual decision procedures into a single decision procedure. Our combination approach is based on using the canonizer obtained from Shostak's combination algorithm for equality. We illustrate our approach with a combination algorithm for equality, disequality, arithmetic inequality, and propositional logic. U...

In automated reasoning, there is a perceived trade-off between expressiveness and automation. Higher-order logic is typically viewed as expressive but resistant to automation, in contrast with first-order logic and its fragments. We argue that higher-order logic and its variants actually achieve a happy medium between expressiveness and automation, part...

The purpose of this task was to provide a mechanism for theory interpretations in a prototype verification system (PVS) so that it is possible to demonstrate the consistency of a theory by exhibiting an interpretation that validates the axioms. The mechanization makes it possible to show that one collection of theories is correctly interpreted by a...

Decision procedures are at the core of many industrial-strength verification systems such as ACL2 [KM97], PVS [ORS92], or STeP [MtSg96]. Effective use of decision procedures in these verification systems require the management of large assertional contexts. Many existing decision procedures, however, lack an appropriate API for managing contexts an...

Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak's decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have been implemented in a number of systems including STP,...

Computer programs are formal texts that are composed by programmers and executed by machines. Formal methods are used to predict the execution-time behavior of a program text through formal, symbolic calculation. Automation in the form of computer programs can be used to execute formal calculations so that they are reproducible and checkable. Deduc...

ver linear arithmetic terms and propositional logic [1]. The theory currently includes: The usual propositional constants true, false and connectives not, &, |, =>, <=>. Equality (=) and disequality (/=). 1 Rational constants and the arithmetic operators +, *, -; multiplication is restricted to multiplication by constants. Arithmetic predicates inc...

Most of the properties established during verification are either invariants or depend crucially on invariants. The effectiveness
of automated formal verification is therefore sensitive to the ease with which invariants, even trivial ones, can be automatically
deduced. While the strongest invariant can be defined as the least fixed point of the str...

this paper is for a generic functional language and requires no prior knowledge of PVS.

We present a detailed description of a machine-assisted verification of an algorithm for self-stabilizing mutual exclusion that is due to Dijkstra [Dij74]. This verification was constructed using PVS. We compare the mechanical verification to the informal proof sketch on which it is based. This comparison yields several observations regarding the c...

We describe a formal specification and verification in PVS for the general theory of SRT division, and for the hardware design of a specific implementation. The specification demonstrates how attributes of the PVS language (in particular, predicate subtypes) allow the general theory to be developed in a readable manner that is similar to textbook...