Encapsulation and modularity are supported by various static access control mechanisms that manage implementation hiding and define interfaces adapted to different client profiles. Programming languages use numerous and very different mechanisms, the cumulative application of which is sometimes confusing and hard to predict. Furthermore, understanding and reasoning about access control independently from the programming languages is quite difficult. Tools based on a language-independent model of access control are presented to address these issues. These tools support access control handling via visualisation of access, checking of design requirements on access and source code generation. We believe in the contribution of such tools for improving understanding and enhancing use of access control from design to implementation.
{"title":"AGATE, access graph based tools for handling encapsulation","authors":"Gilles Ardourel, M. Huchard","doi":"10.1109/ASE.2001.989818","DOIUrl":"https://doi.org/10.1109/ASE.2001.989818","url":null,"abstract":"Encapsulation and modularity are supported by various static access control mechanisms that manage implementation hiding and define interfaces adapted to different client profiles. Programming languages use numerous and very different mechanisms, the cumulative application of which is sometimes confusing and hard to predict. Furthermore, understanding and reasoning about access control independently from the programming languages is quite difficult. Tools based on a language-independent model of access control are presented to address these issues. These tools support access control handling via visualisation of access, checking of design requirements on access and source code generation. We believe in the contribution of such tools for improving understanding and enhancing use of access control from design to implementation.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121097116","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Summary form only given, as follows. A concurrent real-time system is a system of many components, that should deliver the result in a particular time interval. The design of such a system is generally complex, with high possibility of errors. Thus it is very important to be able to verify the correctness of the design itself, before going on to implementation stage. Model-checking is a powerful approach to design verification which provides techniques for automatic determination of whether a design (model) of the system satisfies desired properties expressed in formal logic. Main problems that model-checking algorithms have to address are: state space of any concurrent system grows exponentially with the number of components of the system - state explosion problem; Addition of time (for modeling real-time systems) means that there are infinitely many concrete states of the system. Both of these mean that model-checking takes a long time and a lot of space. There are a number of approaches to model-checking providing partial solutions to these problems. However a lot of improvement is still desired to make practical model-checking of real systems feasible. Moreover, the more expressive the design technique is, and the more expressive the specification language is, the more complex becomes the problem of model-checking. Current state of the art model-checkers have fairly simple modeling means and specification languages, thus restricting developer in their capabilities. In this project a relatively new approach to model checking is taken - the use of abstract game theory, with the model-checking algorithm being implemented as an abstract game. In this approach reasoning is made over sets of states satisfying some properties, not individual states, thus reducing the size of the state-space to be searched. Also in this project the more expressive models of concurrent real-time systems and the more expressive specification logics are to be brought together to allow checking of complex properties of complex systems. A tangible deliverable will be a model-checking tool that should have a number of advantages over current state of the art model-checkers.
{"title":"Model-checking real-time concurrent systems","authors":"I. Romanovsky","doi":"10.1109/ASE.2001.989852","DOIUrl":"https://doi.org/10.1109/ASE.2001.989852","url":null,"abstract":"Summary form only given, as follows. A concurrent real-time system is a system of many components, that should deliver the result in a particular time interval. The design of such a system is generally complex, with high possibility of errors. Thus it is very important to be able to verify the correctness of the design itself, before going on to implementation stage. Model-checking is a powerful approach to design verification which provides techniques for automatic determination of whether a design (model) of the system satisfies desired properties expressed in formal logic. Main problems that model-checking algorithms have to address are: state space of any concurrent system grows exponentially with the number of components of the system - state explosion problem; Addition of time (for modeling real-time systems) means that there are infinitely many concrete states of the system. Both of these mean that model-checking takes a long time and a lot of space. There are a number of approaches to model-checking providing partial solutions to these problems. However a lot of improvement is still desired to make practical model-checking of real systems feasible. Moreover, the more expressive the design technique is, and the more expressive the specification language is, the more complex becomes the problem of model-checking. Current state of the art model-checkers have fairly simple modeling means and specification languages, thus restricting developer in their capabilities. In this project a relatively new approach to model checking is taken - the use of abstract game theory, with the model-checking algorithm being implemented as an abstract game. In this approach reasoning is made over sets of states satisfying some properties, not individual states, thus reducing the size of the state-space to be searched. Also in this project the more expressive models of concurrent real-time systems and the more expressive specification logics are to be brought together to allow checking of complex properties of complex systems. A tangible deliverable will be a model-checking tool that should have a number of advantages over current state of the art model-checkers.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124023508","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Designing and implementing security-critical systems correctly is difficult. In practice, most vulnerabilities arise from bugs in implementations. We present work towards systematic specification-based testing of security-critical systems using the CASE tool AutoFocus. Cryptographic systems are formally specified with state transition diagrams, a notation for state machines in the AutoFocus system., We show how to systematically generate test sequences for security properties based on the model that can be used to test the implementation for vulnerabilities. In particular we focus on the principle of fail-safety. We explain our method at the example of a part of the Common Electronic Purse Specifications (CEPS). Most commonly, attacks address vulnerabilities in the way security mechanisms are used, rather than the mechanisms themselves. Being able to treat security aspects with a general CASE tool within the context of system development enables detection of such vulnerabilities.
{"title":"Formally testing fail-safety of electronic purse protocols","authors":"J. Jürjens, Guido Wimmel","doi":"10.1109/ASE.2001.989840","DOIUrl":"https://doi.org/10.1109/ASE.2001.989840","url":null,"abstract":"Designing and implementing security-critical systems correctly is difficult. In practice, most vulnerabilities arise from bugs in implementations. We present work towards systematic specification-based testing of security-critical systems using the CASE tool AutoFocus. Cryptographic systems are formally specified with state transition diagrams, a notation for state machines in the AutoFocus system., We show how to systematically generate test sequences for security properties based on the model that can be used to test the implementation for vulnerabilities. In particular we focus on the principle of fail-safety. We explain our method at the example of a part of the Common Electronic Purse Specifications (CEPS). Most commonly, attacks address vulnerabilities in the way security mechanisms are used, rather than the mechanisms themselves. Being able to treat security aspects with a general CASE tool within the context of system development enables detection of such vulnerabilities.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134123920","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The Java programming language supports monitors. Monitor implementations, like other concurrent programs, are hard to test due to the inherent non-determinism. This paper presents the ConAn (Concurrency Analyser) tool for generating drivers for the testing of Java monitors. To obtain adequate controllability over the interactions between Java threads, the generated driver contains processes that are synchronized by a clock. The driver automatically executes the calls in the test sequence in the prescribed order and compares the outputs against the expected outputs specified in the test sequence. The method and tool are illustrated on an asymmetric producer-consumer monitor and their application to two other monitors is discussed.
{"title":"A concurrency test tool for Java monitors","authors":"Brad Long, D. Hoffman, P. Strooper","doi":"10.1109/ASE.2001.989843","DOIUrl":"https://doi.org/10.1109/ASE.2001.989843","url":null,"abstract":"The Java programming language supports monitors. Monitor implementations, like other concurrent programs, are hard to test due to the inherent non-determinism. This paper presents the ConAn (Concurrency Analyser) tool for generating drivers for the testing of Java monitors. To obtain adequate controllability over the interactions between Java threads, the generated driver contains processes that are synchronized by a clock. The driver automatically executes the calls in the test sequence in the prescribed order and compares the outputs against the expected outputs specified in the test sequence. The method and tool are illustrated on an asymmetric producer-consumer monitor and their application to two other monitors is discussed.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117290727","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Proof-checking code for compliance to safety policies potentially enables a product-oriented approach to certain aspects of software certification. To date, previous research has focused on generic, low-level programming-language properties such as memory type safety. In this paper we consider proof-checking higher-level domain-specific properties for compliance to safety policies. The paper first describes a framework related to abstract interpretation in which compliance to a class of certification policies can be efficiently calculated. Membership equational logic is shown to provide a rich logic for carrying out such calculations, including partiality, for certification. The architecture for a domain-specific certifier is described, followed by an implemented case study. The case study considers consistency of abstract variable attributes in code that performs geometric calculations in Aerospace systems.
{"title":"Certifying domain-specific policies","authors":"M. Lowry, T. Pressburger, Grigore Roşu","doi":"10.1109/ASE.2001.989793","DOIUrl":"https://doi.org/10.1109/ASE.2001.989793","url":null,"abstract":"Proof-checking code for compliance to safety policies potentially enables a product-oriented approach to certain aspects of software certification. To date, previous research has focused on generic, low-level programming-language properties such as memory type safety. In this paper we consider proof-checking higher-level domain-specific properties for compliance to safety policies. The paper first describes a framework related to abstract interpretation in which compliance to a class of certification policies can be efficiently calculated. Membership equational logic is shown to provide a rich logic for carrying out such calculations, including partiality, for certification. The architecture for a domain-specific certifier is described, followed by an implemented case study. The case study considers consistency of abstract variable attributes in code that performs geometric calculations in Aerospace systems.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"24 4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123457891","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
A high-bandwidth, always-on Internet connection makes computers in homes and small offices attractive targets for network-based attacks. Network security gateways can protect such vulnerable hosts from attackers, but differing sets of customer needs require different feature mixes. The safest way to address this market is to provide a family of products, each member of which requires little or no end-user configuration. Since the products are closely related, the effort to validate n of them should be much less than n times the effort to validate one; however validating the correctness and security of even one such device is notoriously difficult, due to the oft-observed fact that no practical amount of testing can show the absence of security flaws. One would instead like to prove security properties, even when the products are implemented using off-the-shelf technologies that don't lend themselves to formal reasoning. The author describes how the specification modeling and validation tools of the Interactive Specification Acquisition Tools (ISAT) suite are used to help validate members of a particular family of network security gateway products built using widely available open source technologies.
{"title":"Specification modeling and validation applied to a family of network security products","authors":"R. Hall","doi":"10.1109/ASE.2001.989792","DOIUrl":"https://doi.org/10.1109/ASE.2001.989792","url":null,"abstract":"A high-bandwidth, always-on Internet connection makes computers in homes and small offices attractive targets for network-based attacks. Network security gateways can protect such vulnerable hosts from attackers, but differing sets of customer needs require different feature mixes. The safest way to address this market is to provide a family of products, each member of which requires little or no end-user configuration. Since the products are closely related, the effort to validate n of them should be much less than n times the effort to validate one; however validating the correctness and security of even one such device is notoriously difficult, due to the oft-observed fact that no practical amount of testing can show the absence of security flaws. One would instead like to prove security properties, even when the products are implemented using off-the-shelf technologies that don't lend themselves to formal reasoning. The author describes how the specification modeling and validation tools of the Interactive Specification Acquisition Tools (ISAT) suite are used to help validate members of a particular family of network security gateway products built using widely available open source technologies.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123467541","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper, we address dynamic reconfiguration from the point of view of the enforcement of the policies that organisations wish to see imposed through the way information systems support business. We address the process of evolution by proposing a primitive-coordination context-for modelling the circumstances in which reconfiguration can and should take place. The idea is for business policies to emerge as properties of process executions when controlled through the coordination contexts that will have been defined for supporting business activities.
{"title":"Enforcing business policies through automated reconfiguration","authors":"L. Andrade, J. Fiadeiro, M. Wermelinger","doi":"10.1109/ASE.2001.989844","DOIUrl":"https://doi.org/10.1109/ASE.2001.989844","url":null,"abstract":"In this paper, we address dynamic reconfiguration from the point of view of the enforcement of the policies that organisations wish to see imposed through the way information systems support business. We address the process of evolution by proposing a primitive-coordination context-for modelling the circumstances in which reconfiguration can and should take place. The idea is for business policies to emerge as properties of process executions when controlled through the coordination contexts that will have been defined for supporting business activities.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129346566","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper presents an approach to checking a running program against Linear Temporal Logic (LTL) specifications. LTL is a widely used logic for expressing properties of programs viewed as sets of executions. Our approach consists of translating LTL formulae to finite-state automata, which are used as observers of the program behavior. The translation algorithm we propose modifies standard LTL to Buchi automata conversion techniques to generate automata that check finite program traces. The algorithm has been implemented in a tool, which has been integrated with the generic JPaX framework for runtime analysis of Java programs.
{"title":"Automata-based verification of temporal properties on running programs","authors":"D. Giannakopoulou, K. Havelund","doi":"10.1109/ASE.2001.989841","DOIUrl":"https://doi.org/10.1109/ASE.2001.989841","url":null,"abstract":"This paper presents an approach to checking a running program against Linear Temporal Logic (LTL) specifications. LTL is a widely used logic for expressing properties of programs viewed as sets of executions. Our approach consists of translating LTL formulae to finite-state automata, which are used as observers of the program behavior. The translation algorithm we propose modifies standard LTL to Buchi automata conversion techniques to generate automata that check finite program traces. The algorithm has been implemented in a tool, which has been integrated with the generic JPaX framework for runtime analysis of Java programs.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129255987","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We argue that the evolution of requirements specifications can be supported by a cycle composed of two phases: analysis and revision. We investigate an instance of such a cycle, which combines two techniques of logical abduction and inductive learning to analyze and revise specifications respectively.
{"title":"An analysis-revision cycle to evolve requirements specifications","authors":"A. Garcez, A. Russo, B. Nuseibeh, J. Kramer","doi":"10.1109/ASE.2001.989828","DOIUrl":"https://doi.org/10.1109/ASE.2001.989828","url":null,"abstract":"We argue that the evolution of requirements specifications can be supported by a cycle composed of two phases: analysis and revision. We investigate an instance of such a cycle, which combines two techniques of logical abduction and inductive learning to analyze and revise specifications respectively.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"22 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125425156","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Module cohesion describes the degree to which different actions performed by a module contribute towards a unified function. High module cohesion is a desirable property of a program. The program modifications during successive maintenance interventions can have negative effect on the structure of the program resulting in less cohesive modules. Therefore, metrics that measure module cohesion are important for software restructuring during maintenance. The existing static slice based module cohesion metrics significantly overestimate cohesion due to the limitations of static slicing. In this paper, we present a novel program execution based approach to measure module cohesion of legacy software. We define cohesion metrics based on definition-use pairs in the dynamic slices of the outputs. Our approach significantly improves the accuracy of cohesion measurement. We implemented our technique and measured module cohesion for several programs. Cohesion measurements using our technique were found to be more insightful than static slice based measurements.
{"title":"Program execution based module cohesion measurement","authors":"Neelam Gupta, Praveen R. Rao","doi":"10.1109/ASE.2001.989800","DOIUrl":"https://doi.org/10.1109/ASE.2001.989800","url":null,"abstract":"Module cohesion describes the degree to which different actions performed by a module contribute towards a unified function. High module cohesion is a desirable property of a program. The program modifications during successive maintenance interventions can have negative effect on the structure of the program resulting in less cohesive modules. Therefore, metrics that measure module cohesion are important for software restructuring during maintenance. The existing static slice based module cohesion metrics significantly overestimate cohesion due to the limitations of static slicing. In this paper, we present a novel program execution based approach to measure module cohesion of legacy software. We define cohesion metrics based on definition-use pairs in the dynamic slices of the outputs. Our approach significantly improves the accuracy of cohesion measurement. We implemented our technique and measured module cohesion for several programs. Cohesion measurements using our technique were found to be more insightful than static slice based measurements.","PeriodicalId":433615,"journal":{"name":"Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001)","volume":"36 5","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2001-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114129280","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: