
Formal Methods in Software Practice: Latest Publications

Software synthesis and applications (abstract only)
Pub Date : 2000-08-24 DOI: 10.1145/349360.351139
Douglas R. Smith
This talk presents a mechanizable framework for software development by refinement. The framework is based on a category of specifications. One of the key ideas of Designware is representing knowledge about programming concepts, such as algorithm design and datatype refinement, by means of taxonomies of design theories. The framework is partially implemented in the research systems Specware, Designware, and Planware. Specware provides basic support for composing specifications and refinements, and generating code. Specware is intended to be general-purpose and has found use in industrial settings. Designware extends Specware with taxonomies of software design theories and support for constructing refinements from them. Planware builds on Designware to provide highly automated support for requirements acquisition and synthesis of high-performance scheduling algorithms. I will also discuss how synthesis technology is being used to develop and deploy the next-generation transportation scheduling system for the Air Mobility Command at Scott AFB.
Citations: 0
DSD: A schema language for XML
Pub Date : 2000-08-24 DOI: 10.1145/349360.351158
Nils Klarlund, Anders Møller, M. I. Schwartzbach
XML (eXtensible Markup Language) is a linear syntax for trees, which has gathered a remarkable amount of interest in industry. The acceptance of XML opens new venues for the application of formal methods such as specification of abstract syntax tree sets and tree transformations. A notation for defining a set of XML trees is called a schema language. Such trees correspond to a specific user domain, such as XHTML, the class of XML documents that make sense as HTML. A useful schema notation must: identify most of the syntactic requirements that the documents in the user domain follow; allow efficient parsing; be readable to the user; allow limited tree transformations corresponding to the insertion of defaults; be modular and extensible to support evolving classes of XML documents. In the present paper, we introduce the DSD (Document Structure Description) notation as our bid on how to meet the requirements above.
Citations: 56
Completeness in formal specification language design for process-control systems
Pub Date : 2000-08-24 DOI: 10.1145/349360.351140
N. Leveson
This paper examines the issue of completeness in specification language design. In the mid-80s we identified a set of 26 formal criteria to identify missing, incorrect, and ambiguous requirements for process-control systems. Experimental validation of the criteria on NASA and NASDA spacecraft systems has supported their usefulness in detecting commonly omitted but important information, and engineers have been using them in checklist form on real systems. At the same time, we have extended the criteria and now have over 60. This paper shows how most of the criteria can be embedded in a formal specification language in ways that potentially allow automated checking or assist in manual reviews.
Citations: 78
Using TAME to prove invariants of automata models: Two case studies
Pub Date : 2000-08-24 DOI: 10.1145/349360.351127
M. Archer, C. Heitmeyer, E. Riccobene
TAME is a special-purpose interface to PVS designed to support developers of software systems in proving properties of automata models. One of TAME's major goals is to allow a software developer who has basic knowledge of standard logic, and can do hand proofs, to use PVS to represent and to prove properties about an automaton model without first becoming a PVS expert. A second goal is for a human to be able to read and understand the content of saved TAME proofs without running them through the PVS proof checker. A third goal is to make proving properties of automata with TAME less costly in human time than proving such properties using PVS directly. Recent work by Romijn and Devillers et al., based on the I/O automata model, has provided the basis for two case studies on how well TAME achieves these goals. Romijn specified the RPC-Memory Problem and its solution, while Devillers et al. specified a tree identify protocol. Hand proofs of specification properties were provided by the authors. In addition, Devillers et al. used PVS directly to mechanize the specifications and proofs of the tree identify protocol. In one case study, the third author, a new TAME user with no previous PVS experience, used TAME to create PVS specifications of the I/O automata presented by Romijn and Devillers et al. and to check the hand proofs of invariant properties. The PVS specifications and proofs of Devillers et al. provide the basis for the other case study, which compares the TAME approach to an alternate approach which uses PVS directly.
Citations: 20
Completeness in formal specification language design for process-control systems
Pub Date : 2000-08-24 DOI: 10.1145/349360.351142
E. Olderog, A. Ravn
We show how UML class diagrams can be used to document design by refinement in the early design stages. This is illustrated by an example from the area of embedded real-time and hybrid systems. A precise semantics is given for the UML class diagrams by translation to the Z schema calculus.
Citations: 3
Fault origin adjudication
Pub Date : 2000-08-24 DOI: 10.1145/349360.351132
K. Bhargavan, Carl A. Gunter, Davor Obradovic
When a program P fails to satisfy a requirement R supposedly ensured by a detailed specification S that was used to implement P, there is a question about whether the problem arises in S or in P. We call this determination fault origin adjudication and illustrate its significance in various software engineering contexts. The primary contribution of this paper is a framework for formal fault origin adjudication for network protocols using the NS simulator and the SPIN model checker. We describe our architecture and illustrate its use in a case study involving a standard specification for packet radio routing.
Citations: 15
Government, industry, and academia: Teaming to design high confidence information security applications
Pub Date : 2000-08-24 DOI: 10.1145/349360.351128
W. B. Martin, P. D. White, W. Vanfleet
A trusted computing base requires true separation of processes. Modern approaches relegate separation to a component of the operating system called the kernel. Although the kernel represents only a small portion of the code of the entire operating system, it is among the most intensively used portions. With separation as the focus, this paper will describe a kernel that provides strict separation between processes, allowing for the remainder of the operating system, residing outside the kernel, to run only as processes in user mode under control of the kernel. The kernel is therefore tasked with implementing the critical operating system functions of providing access to resources, communications between processes, and scheduling of process threads. Strict separation between processes enables the evaluation of a system to check that the system meets its security policy. It is to this end that the Department of Defense in conjunction with Motorola Space and Systems Technology Group outlined the development of a separation kernel with the use of the correct by construction methodology supported by the Specware system under development at Kestrel Institute. Since the initial prototype of the kernel, Motorola has extended and incorporated this separation kernel design into their smart card and cryptographic processor technologies.
Citations: 2
Model checking Java programs
Pub Date : 2000-08-24 DOI: 10.1145/349360.351124
D. Dill
Automatic state exploration tools (model checkers) have had some success when applied to protocols and hardware designs, but there are fewer success stories about software. This is unfortunate, since the software problem is worsening even faster than the hardware and protocol problems. Model checking of concurrent programs is especially interesting, because they are notoriously difficult to test, analyze, and debug by other methods. This talk will be a description of our initial efforts to check Java programs using a model checker. The model checker supports dynamic allocation, thread creation, and recursive procedures (features that are not necessary for hardware verification), and has some special optimizations and checks tailored to multi-threaded Java programs. I will also discuss some of the challenges for future efforts in this area.
Citations: 5
Formal modeling of active network nodes using PVS
Pub Date : 2000-08-24 DOI: 10.1145/349360.351130
Cindy Kong, P. Alexander, Darryl D. Dieckman
Active Networks are a new type of network in which all elements are programmable. Active packets can contain fragments of code to be executed on the intermediate nodes they pass through. Active nodes provide the necessary environment and resources for the packets to be processed. In giving users the capability to program the network as they desire, there is an issue of security risks. This paper presents a formal model for an active node that can be used to specify and verify the correct operation of the node. The model is used to verify that scenarios where privacy of data is violated or functionality of a node is compromised never occur. The proposed model is generic to any type of active node and is written using the Prototype Verification System (PVS).
Citations: 6
Using predicate abstraction to reduce object-oriented programs for model checking
Pub Date : 2000-08-24 DOI: 10.1145/349360.351125
W. Visser, Seungjoon Park, J. Penix
While it is becoming more common to see model checking applied to software requirements specifications, it is seldom applied to software implementations. The Automated Software Engineering group at NASA Ames is currently investigating the use of model checking for actual source code, with the eventual goal of allowing software developers to augment traditional testing with model checking. Because model checking suffers from the state-explosion problem, one of the main hurdles for program model checking is reducing the size of the program. In this paper we investigate the use of abstraction techniques to reduce the state-space of a real-time operating system kernel written in C++. We show how informal abstraction arguments can be formalized and improved upon within the framework of predicate abstraction, a technique based on abstract interpretation. We introduce some extensions to predicate abstraction that allow it to be used within the class-instance framework of object-oriented languages. We then demonstrate how these extensions were integrated into an abstraction tool that performs automated predicate abstraction of Java programs.
Citations: 56