
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007): latest papers

Verifying the Mondex Case Study
P. Schmitt, Isabel Tonin
The Mondex case study is still the most substantial contribution to the Grand Challenge repository. It has been the target of a number of formal verification efforts. Those efforts concentrated on correctness proofs for refinement steps of the specification in various specification formalisms using different verification tools. In this paper we report on a Java Card implementation of the Mondex protocol and on proving its correctness using the KeY tool. The security properties to be proved are formalised in the Java Modelling Language and follow as closely as possible the concrete layer of the previous Z specification. This work demonstrates that with an appropriate specification language and verification tool, it is possible to bridge the gap between specification and implementation, ensuring a fully verified result.
DOI: 10.1109/SEFM.2007.47 (https://doi.org/10.1109/SEFM.2007.47), published 2007-09-10
Citations: 27
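The abstract names the security properties without stating them. The following is an added example, not the authors' Java Card code or their JML specification: a small executable model of a Mondex-style transfer in which the classic purse properties (no value is created; all value is accounted for; value lost in a failed transfer is recoverable from both purses' exception logs) are written as checks that run after every protocol step, including a run where the val message is lost. The message names req/val/ack follow the Z specification; the simplified state machine, the ledger bookkeeping, the seq identifier and the scenario are assumptions made for illustration.

```python
"""Simplified executable model of a Mondex-style purse-to-purse transfer.

Added example, not the authors' Java Card code or their JML specification.
The message names req/val/ack follow the Z specification; the simplified
state machine, the ledger bookkeeping and the scenario are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class PayDetails:
    src: str      # paying purse
    dst: str      # receiving purse
    value: int
    seq: int      # transfer identifier (assumed; real purses use per-purse sequence numbers)

@dataclass
class Purse:
    name: str
    balance: int
    state: str = "idle"   # idle | epr (expecting req) | epv (expecting val) | epa (expecting ack)
    pd: Optional[PayDetails] = None
    ex_log: List[PayDetails] = field(default_factory=list)

class World:
    def __init__(self, purses: List[Purse], log_on_abort: bool = True) -> None:
        self.purses = {p.name: p for p in purses}
        self.total = sum(p.balance for p in purses)   # value in the system at the start
        self.debited: Dict[int, PayDetails] = {}      # seq -> transfer whose src was debited
        self.credited: set = set()                    # seq whose dst was credited
        self.log_on_abort = log_on_abort              # False models a purse that forgets to log

    # Protocol steps. A lost message is modelled by simply not calling the step.
    def start(self, pd: PayDetails) -> None:
        src, dst = self.purses[pd.src], self.purses[pd.dst]
        assert src.state == dst.state == "idle" and pd.value <= src.balance
        src.state, src.pd = "epr", pd    # startFrom
        dst.state, dst.pd = "epv", pd    # startTo

    def req(self, pd: PayDetails) -> None:
        """dst -> src: src debits itself; the value is now 'in the ether'."""
        src = self.purses[pd.src]
        assert src.state == "epr" and src.pd == pd
        src.balance -= pd.value
        src.state = "epa"
        self.debited[pd.seq] = pd

    def val(self, pd: PayDetails) -> None:
        """src -> dst: dst credits itself and finishes."""
        dst = self.purses[pd.dst]
        assert dst.state == "epv" and dst.pd == pd
        dst.balance += pd.value
        dst.state, dst.pd = "idle", None
        self.credited.add(pd.seq)

    def ack(self, pd: PayDetails) -> None:
        """dst -> src: src learns the value arrived and finishes."""
        src = self.purses[pd.src]
        assert src.state == "epa" and src.pd == pd
        src.state, src.pd = "idle", None

    def abort(self, name: str) -> None:
        """A purse gives up. If it cannot know whether the value was transferred
        (states epa, epv) it must record the transfer in its exception log."""
        p = self.purses[name]
        if p.state in ("epa", "epv") and self.log_on_abort:
            p.ex_log.append(p.pd)
        p.state, p.pd = "idle", None

    # Security properties, checked after every step.
    def in_flight(self) -> List[PayDetails]:
        return [pd for s, pd in self.debited.items() if s not in self.credited]

    def check_properties(self) -> None:
        balances = sum(p.balance for p in self.purses.values())
        assert balances <= self.total, "P1: value created"
        assert balances + sum(pd.value for pd in self.in_flight()) == self.total, "P2: value unaccounted for"
        for pd in self.in_flight():
            src, dst = self.purses[pd.src], self.purses[pd.dst]
            if src.pd != pd and dst.pd != pd:   # both sides gave up: lost unless both logged it
                assert pd in src.ex_log and pd in dst.ex_log, f"P3: seq {pd.seq} lost and not logged"

def run_scenario(log_on_abort: bool = True) -> Dict[str, int]:
    """One successful transfer A->B, then a transfer A->C whose val message is lost."""
    w = World([Purse("A", 100), Purse("B", 100), Purse("C", 0)], log_on_abort)
    t1 = PayDetails("A", "B", 30, seq=1)
    w.start(t1)
    for step in (w.req, w.val, w.ack):
        step(t1)
        w.check_properties()
    t2 = PayDetails("A", "C", 20, seq=2)
    w.start(t2)
    w.req(t2)                     # A is debited; val never reaches C
    w.check_properties()
    w.abort("A")
    w.abort("C")
    w.check_properties()          # raises AssertionError when a purse failed to log
    return {"A": w.purses["A"].balance, "B": w.purses["B"].balance,
            "C": w.purses["C"].balance, "lost": sum(pd.value for pd in w.in_flight())}
```

Running `run_scenario()` ends with A=50, B=130, C=0 and 20 units lost but logged by both A and C, so the bank can restore them from the matching log pair; `run_scenario(log_on_abort=False)` models a purse that aborts without logging and is rejected by the P3 check, which is the kind of defect a JML invariant on the exception log is there to rule out.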
Modeling and Verification of TTCAN Startup Protocol Using Synchronous Calendar
I. Saha, Suman Roy, Kuntal Chakraborty
We describe the modeling and verification of the TTCAN startup protocol using the SAL model checker. For modeling purposes we propose a new modeling framework called Synchronous Calendar, which can be seen as an adaptation of the calendar-based models introduced by Dutertre and Sorea. A Synchronous Calendar can express dense-time systems without relying on continuously varying clocks and supports synchronous message transmission. We capture both fault-free and fault-tolerant aspects of the TTCAN startup algorithm in two different models and verify safety and liveness properties for them. Our verification technique relies on induction and abstraction methods supported by the SAL model checker. To our knowledge this is the first work towards a formal analysis of the TTCAN startup protocol.
DOI: 10.1109/SEFM.2007.27 (https://doi.org/10.1109/SEFM.2007.27), published 2007-09-10
Citations: 6
Retrenchment and the Atomicity Pattern
R. Banach, Czeslaw Jeske, A. Hall, S. Stepney
The issues surrounding the question of atomicity, both in the past and nowadays, are briefly reviewed, and a picture of an ACID (atomic, consistent, isolated, durable) transaction as a refinement problem is presented. An example of a simple air traffic control (ATC) system is introduced, and the discrepancies that can arise when read-only operations examine the state at atomic and fine-grained levels are handled by retrenchment. Non-ACID timing aspects of the ATC example are also handled by retrenchment, and the treatment is generalised as the retrenchment Atomicity Pattern. The utility of the pattern is confirmed against a different case study, the Mondex Electronic Purse.
DOI: 10.1109/SEFM.2007.34 (https://doi.org/10.1109/SEFM.2007.34), published 2007-09-10
Citations: 6
Configurable Proof Obligations in the Frog Toolkit
Simon Fraser, R. Banach
In model-based formal methods, incompatible tools for different techniques are the norm. However, greater applicability to industrial-scale systems increasingly requires combining the strengths of different techniques, in line with the verification grand challenge. The Frog tool embodies a construct-based specification syntax, and its meta-language Frog-CCL allows the generic configuration of both a construct's syntax and its proof obligations. For a specific system, Frog generates the system's verification conditions mechanically from the generic ones. Relationships between systems such as refinement and retrenchment can be configured. An example retrenchment between two simple systems illustrates the technique.
DOI: 10.1109/SEFM.2007.12 (https://doi.org/10.1109/SEFM.2007.12), published 2007-09-10
Citations: 8
Automatically Proving Concurrent Programs Correct
B. Cook
Summary form only given. This talk describes new advances that allow us to automatically prove both liveness properties and heap-shape properties of concurrent programs. The talk focuses on recent thread-modular extensions to the program termination prover TERMINATOR and the shape analysis tool SLAyer, and their application to Windows device drivers.
DOI: 10.1109/SEFM.2007.10 (https://doi.org/10.1109/SEFM.2007.10), published 2007-09-10
Citations: 1
Feature Refinement
S. Reeves, David Streader
Development by formal stepwise refinement offers a guarantee that an implementation satisfies its specification. But refinement is frequently defined in such a restrictive way as to disallow some useful development steps. Here we define feature refinement to overcome some limitations of refinement and show its usefulness by applying it to examples taken from the literature. Using partial relations as a canonical state-based semantics and labelled transition systems as a canonical event-based semantics, we define functions formally linking the state- and event-based operational semantics. We can then use this link to move notions of refinement between the event- and state-based worlds. An advantage of this abstract approach is that it is not restricted to a specific syntax or even a specific interpretation of the operational semantics.
DOI: 10.1109/SEFM.2007.14 (https://doi.org/10.1109/SEFM.2007.14), published 2007-09-10
Citations: 2
Verification of C Programs Using Automated Reasoning
David Crocker, Judith Carlton
Much of the embedded software development market has necessarily tight constraints on program size and processor power, hence developers use handwritten C rather than autocode. They rely primarily on testing to find errors in their code. We have an established software development tool, known commercially as Perfect Developer, which uses a powerful automatic theorem prover and inference engine to reason about requirements and specifications. We have found that automated reasoning can be used to discharge a very high proportion of the verification conditions arising from the specification and refinement of software components described in our formal specification language, Perfect. The Perfect Developer tool set can also generate code in a C++ subset or in Java, and the output code is then virtually certain to meet the stated specification, reducing the need for exhaustive testing. However, this is not helpful to developers of embedded software who are constrained to write code by hand. We therefore decided to investigate whether automated reasoning could provide a similar degree of success in the verification of annotated C code. We present our preliminary findings.
DOI: 10.1109/SEFM.2007.44 (https://doi.org/10.1109/SEFM.2007.44), published 2007-09-10
Citations: 21
An ought-to-do deontic logic for reasoning about fault-tolerance: the diarrheic philosophers
Pablo F. Castro, T. Maibaum
In the present paper we use a variation of a well-known example (the dining philosophers) to illustrate how deontic logics can be used to specify, and verify, systems with fault-tolerant characteristics. Towards this goal, we first introduce our own version of a propositional deontic logic, and then describe some of its most important meta-properties. Our main goal is to show that our deontic formalism is suitable for use in practical examples, and also to prepare the ground for more inclusive formalisms.
DOI: 10.1109/SEFM.2007.7 (https://doi.org/10.1109/SEFM.2007.7), published 2007-09-10
Citations: 8
Verification of Object Relational Maps
Krishna K. Mehra, S. Rajamani, A. Sistla, Sumit Kumar Jha
Enterprise software systems need to deal with two dominant data models. While object-oriented languages (such as Java, C#, C++) are the dominant way to write business logic, relational databases are the dominant way to store data. Object-relational (OR) maps are widely used to mediate between these two data models. We present a system to verify the correctness of OR maps. We formulate simple correctness conditions for OR maps, and convert these conditions to the validity of formulas in first-order logic. We have built a verification tool called ROUND TRIP that is able both to validate and to find errors in OR maps defined in the ESQL language of the Microsoft EDM data model.
DOI: 10.1109/SEFM.2007.45 (https://doi.org/10.1109/SEFM.2007.45), published 2007-09-10
Citations: 4
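The correctness condition behind the tool's name is that loading what was stored yields the original object. The following is an added example, not the ROUND TRIP tool or the EDM/ESQL maps it verifies: it states that round-trip condition for a hand-written map and checks it by exhausting a small finite domain of objects, plus an injectivity check that shows where a lossy map destroys information before any load function gets a chance to recover it. The Person class, the two maps and the finite domain are assumptions for illustration.

```python
"""Bounded round-trip check for an object-relational map.

Added example, not the ROUND TRIP tool or the EDM/ESQL maps it verifies.
The Person class, the two maps and the finite domain are assumptions.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, object]

@dataclass(frozen=True)
class Person:
    id: int
    name: str
    nickname: Optional[str]   # None means "no nickname"; "" is a legal (if odd) empty one

# Map 1: nickname stored in a nullable column. Lossless.
def store_nullable(p: Person) -> Row:
    return {"id": p.id, "name": p.name, "nickname": p.nickname}

def load_nullable(r: Row) -> Person:
    return Person(r["id"], r["name"], r["nickname"])

# Map 2: nickname stored in a NOT NULL column with None coerced to "".
# Lossy: on the way back "" cannot be told apart from None.
def store_not_null(p: Person) -> Row:
    return {"id": p.id, "name": p.name, "nickname": p.nickname or ""}

def load_not_null(r: Row) -> Person:
    return Person(r["id"], r["name"], r["nickname"] or None)

def domain() -> List[Person]:
    """Small finite domain that still covers each field's boundary values (constructed)."""
    return [Person(i, n, k) for i, n, k in product([1, 2], ["ann", "bob"], [None, "", "b"])]

def check_round_trip(store: Callable[[Person], Row], load: Callable[[Row], Person],
                     objs: List[Person]) -> List[Tuple[Person, Person]]:
    """(original, reloaded) pairs for which load(store(o)) != o."""
    return [(o, load(store(o))) for o in objs if load(store(o)) != o]

def check_injective(store: Callable[[Person], Row],
                    objs: List[Person]) -> List[Tuple[Person, Person]]:
    """Pairs of distinct objects that store to identical rows. A collision means
    no load function can be correct, however it is written."""
    seen: Dict[Tuple, Person] = {}
    collisions: List[Tuple[Person, Person]] = []
    for o in objs:
        key = tuple(store(o)[k] for k in sorted(store(o)))
        if key in seen:
            collisions.append((seen[key], o))
        else:
            seen[key] = o
    return collisions

if __name__ == "__main__":
    objs = domain()
    print("nullable map:", check_round_trip(store_nullable, load_nullable, objs))
    print("not-null map:", check_round_trip(store_not_null, load_not_null, objs))
    print("collisions:  ", check_injective(store_not_null, objs))
```

Over this domain the nullable map passes both checks, while the NOT NULL map fails the round trip on every object whose nickname is "" and shows four store-side collisions, one per (id, name) pair. A bounded search like this is no proof, which is exactly why the paper reduces the same conditions to first-order validity, but it is cheap to run in CI against every map a project ships.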
Protocol Conformance Testing a SIP Registrar: an Industrial Application of Formal Methods
B. Aichernig, B. Peischl, Martin Weiglhofer, F. Wotawa
Various research prototypes and a well-founded theory of model-based testing (MBT) suggest the application of MBT to real-world problems. In this article we report on applying the well-known TGV tool to protocol conformance testing of a Session Initiation Protocol (SIP) server. In particular, we discuss the abstractions performed along with the corresponding rationales. Furthermore, we show how to use structural and fault-based techniques for test purpose design. We present first empirical results obtained from applying our test cases to a commercial implementation and to a popular open-source implementation of a SIP registrar. Notably, in both implementations our input/output labelled transition system model proved successful in revealing severe violations of the protocol.
DOI: 10.1109/SEFM.2007.31 (https://doi.org/10.1109/SEFM.2007.31), published 2007-09-10
Citations: 36
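The abstract describes the method (an input/output labelled transition system model, test purposes, implementations driven through them) without showing the mechanics. The following is an added example, not the authors' TGV test suite or their registrar model: a small ioLTS for the SIP REGISTER exchange and an ioco-style check that, after each input, the output observed from the implementation must be one the model allows in its current (possibly nondeterministic) set of states. The inputs, the allowed responses, the test purposes and both implementations, including the faulty one, are assumptions for illustration that loosely follow RFC 3261 section 10; they are not the violations the paper reports.

```python
"""ioco-style conformance check of a SIP registrar against an ioLTS model.

Added example, not the authors' TGV test suite or their registrar model.
The inputs, allowed responses, test purposes and both implementations are
assumptions for illustration, loosely following RFC 3261 section 10.
"""
from typing import Callable, Dict, List, Set, Tuple

# Model: (state, input) -> set of (output, next state). Inputs are what the
# tester sends, outputs are what a conforming registrar may answer.
SPEC: Dict[Tuple[str, str], Set[Tuple[str, str]]] = {
    ("idle",  "REGISTER/no-auth"):             {("401", "idle")},
    ("idle",  "REGISTER/bad-auth"):            {("401", "idle"), ("403", "idle")},
    ("idle",  "REGISTER/good-auth"):           {("200", "bound")},
    ("idle",  "REGISTER/expires=0/good-auth"): {("200", "idle")},
    ("bound", "REGISTER/no-auth"):             {("401", "bound")},   # a refresh still needs credentials
    ("bound", "REGISTER/bad-auth"):            {("401", "bound"), ("403", "bound")},
    ("bound", "REGISTER/good-auth"):           {("200", "bound")},
    ("bound", "REGISTER/expires=0/good-auth"): {("200", "idle")},    # unbind
}

# Test purposes (constructed): input sequences chosen to exercise authentication
# in both binding states.
TEST_PURPOSES: List[List[str]] = [
    ["REGISTER/no-auth", "REGISTER/good-auth", "REGISTER/no-auth", "REGISTER/expires=0/good-auth"],
    ["REGISTER/bad-auth", "REGISTER/bad-auth", "REGISTER/good-auth", "REGISTER/bad-auth"],
]

class GoodRegistrar:
    """Assumed conforming implementation under test."""
    def __init__(self) -> None:
        self.bound = False

    def handle(self, inp: str) -> str:
        if not inp.endswith("good-auth"):
            return "401" if inp.endswith("no-auth") else "403"
        self.bound = "expires=0" not in inp
        return "200"

class LeakyRegistrar(GoodRegistrar):
    """Assumed faulty implementation: once a binding exists, a refresh without
    credentials is accepted, so anyone can keep or hijack the registration."""
    def handle(self, inp: str) -> str:
        if self.bound and inp == "REGISTER/no-auth":
            return "200"
        return super().handle(inp)

Violation = Tuple[int, int, str, str, List[str]]   # (purpose, step, input, observed, allowed)

def run_purpose(impl: GoodRegistrar, trace: List[str]) -> List[Tuple[int, str, str, List[str]]]:
    """Drive one implementation through one test purpose, tracking the set of
    model states consistent with everything observed so far."""
    states = {"idle"}
    for i, inp in enumerate(trace):
        allowed = {(o, s) for st in states for (o, s) in SPEC.get((st, inp), set())}
        if not allowed:
            raise ValueError(f"test purpose leaves the model at step {i}: {inp}")
        observed = impl.handle(inp)
        outputs = sorted({o for o, _ in allowed})
        if observed not in outputs:
            return [(i, inp, observed, outputs)]   # diverged; the model predicts nothing further
        states = {s for o, s in allowed if o == observed}
    return []

def check(impl_factory: Callable[[], GoodRegistrar], purposes: List[List[str]]) -> List[Violation]:
    """Fresh implementation per purpose, as a harness would restart the system under test."""
    return [(t, i, inp, obs, outs)
            for t, trace in enumerate(purposes)
            for (i, inp, obs, outs) in run_purpose(impl_factory(), trace)]

if __name__ == "__main__":
    print("good :", check(GoodRegistrar, TEST_PURPOSES))
    print("leaky:", check(LeakyRegistrar, TEST_PURPOSES))
```

The conforming registrar produces no violations; the leaky one is caught at the third step of the first purpose, where it answers 200 to an unauthenticated refresh while the model allows only 401. Keeping the model nondeterministic (401 or 403 for bad credentials) is what lets one test purpose serve implementations that make different but legitimate choices, which is the point of checking against a set of allowed outputs rather than a single expected one.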