Pub Date: 2024-03-28 | DOI: 10.1016/j.jlamp.2024.100965
Fereidoun Moradi, Sara Abbaspour Asadollah, Bahman Pourvatan, Zahra Moezkarimi, Marjan Sirjani
We propose the CRYSTAL framework for automated cybersecurity assurance of cyber-physical systems (CPS) at design-time and runtime. We build attack models and apply formal verification to recognize potential attacks that may lead to security violations. We focus on both communication and computation in designing the attack models. We build a monitor to check and manage security at runtime and use a reference model, called Tiny Digital Twin, in detecting attacks. The Tiny Digital Twin is an abstract behavioral model that is automatically derived from the state space generated by model checking during design-time. Using CRYSTAL, we are able to systematically model and check complex coordinated attacks. In this paper we discuss the applicability of CRYSTAL in security analysis and attack detection for different case studies: the Temperature Control System (TCS), the Pneumatic Control System (PCS), and the Secure Water Treatment System (SWaT). We provide a detailed description of the framework and explain how it works in different cases.
Title: CRYSTAL framework: Cybersecurity assurance for cyber-physical systems. Journal of Logical and Algebraic Methods in Programming, vol. 139, Article 100965. Open access PDF: https://www.sciencedirect.com/science/article/pii/S2352220824000233/pdfft?md5=2c69c9c2d2dbec58ef8f333d9f3ea8eb&pid=1-s2.0-S2352220824000233-main.pdf
Pub Date: 2024-03-25 | DOI: 10.1016/j.jlamp.2024.100964
Luca Ciccone , Francesco Dagnino , Luca Padovani
There exists a broad family of multiparty sessions in which the progress of one session participant is not unconditional, but depends on the choices performed by other participants. These sessions fall outside the scope of currently available session type systems that guarantee progress. In this work we propose the first type system ensuring that well-typed multiparty sessions, including those exhibiting the aforementioned dependencies, fairly terminate. Fair termination is termination under a fairness assumption that disregards those interactions deemed unfair and therefore unrealistic. Fair termination, combined with the usual safety properties ensured within sessions, not only is desirable per se, but it entails livelock freedom and enables a compositional form of static analysis such that the well-typed composition of fairly terminating sessions results in a fairly terminating program.
Title: Fair termination of multiparty sessions. Journal of Logical and Algebraic Methods in Programming, vol. 139, Article 100964.
Pub Date: 2024-03-21 | DOI: 10.1016/j.jlamp.2024.100963
Matthew Earnshaw, Paweł Sobociński
We introduce regular languages of morphisms in free monoidal categories, with their associated grammars and automata. These subsume the classical theory of regular languages of words and trees, but also open up a much wider class of languages of planar string diagrams. We give a pumping lemma for monoidal languages, generalizing the one for words and trees. We use the algebra of monoidal and cartesian restriction categories to investigate the properties of regular monoidal languages, and provide sufficient conditions for their recognizability by deterministic monoidal automata.
Title: Regular planar monoidal languages. Journal of Logical and Algebraic Methods in Programming, vol. 139, Article 100963.
Pub Date: 2024-02-28 | DOI: 10.1016/j.jlamp.2024.100954
Davide Basile , Maurice H. ter Beek , Alessandro Fantechi , Stefania Gnesi
Modal Transition Systems (MTS) are a well-known formalism that extends Labelled Transition Systems (LTS) with the possibility of specifying necessary and permitted behaviour. Coherent MTS (CMTS) have been introduced to model Software Product Lines (SPL) based on a correspondence between the necessary and permitted modalities of MTS transitions and their associated actions, and the core and optional features of SPL. In this paper, we address open problems of the coherent fragment of MTS and introduce the notions of refinement and thorough refinement of CMTS. Most notably, we prove that refinement and thorough refinement coincide for CMTS, while it is known that this is not the case for MTS. We also define (thorough) equivalence and strong bisimilarity of both MTS and CMTS. We show their relations and, in particular, we prove that strong bisimilarity and equivalence also coincide for CMTS, whereas they do not for MTS. Finally, we extend our investigation to CMTS equipped with Constraints (MTSC), originally introduced to express alternative behaviour, and we prove that novel notions of refinement and strong thorough refinement coincide for MTSC, and so do their extensions to strong (thorough) equivalence and strong bisimilarity.
Title: Coherent modal transition systems refinement. Journal of Logical and Algebraic Methods in Programming, vol. 138, Article 100954. Open access PDF: https://www.sciencedirect.com/science/article/pii/S2352220824000129/pdfft?md5=f3454b411ac825e2a7452e39b5a346f5&pid=1-s2.0-S2352220824000129-main.pdf
Pub Date: 2024-02-07 | DOI: 10.1016/j.jlamp.2024.100953
Nikolai M. Suvorov, Irina A. Lomazova
During recent years, significant research has been done in the direction of enriching the traditional control-flow perspective of processes with additional dimensions, such as data and decisions. To represent data-aware process models, various formalisms have been proposed. In this work, we focus on Data Petri nets (DPNs), an extension of Petri nets with data. Data in a DPN is set as variable values. Process activities, represented as transitions, can inspect and update variable values. This work is dedicated to soundness verification of data-aware process models represented as DPNs. We show the flaw in one of the algorithms for checking soundness of DPNs with variable-operator-variable conditions. The algorithm fails to detect some types of livelocks and, thus, is incorrect in the general case. In this report, we propose an advanced version of this algorithm, which correctly verifies soundness of DPNs and which can also be used for DPNs with composite conditions on transitions. To verify soundness, the algorithm refines a DPN by splitting some of its transitions, constructs an abstract state space of the refined DPN, and inspects it for soundness properties. The report justifies correctness of the proposed algorithm for DPNs with variables of real data type or any finite data type. The algorithm is implemented, and the results of its performance evaluation demonstrate practical applicability of the algorithm for process models of small and medium sizes.
Title: Verification of data-aware process models: Checking soundness of data Petri nets. Journal of Logical and Algebraic Methods in Programming, vol. 138, Article 100953.
Pub Date: 2024-01-17 | DOI: 10.1016/j.jlamp.2024.100944
Pietro Lami , Ivan Lanese , Jean-Bernard Stefani , Claudio Sacerdoti Coen , Giovanni Fabbretti
Reversible computing is a programming paradigm allowing one to execute programs both in the standard, forward direction as well as backwards, recovering past states. A relevant application of reversible computing is causal-consistent reversible debugging, which allows one to explore concurrent computations backwards and forwards to find a bug. The basic idea is that any action can be undone, provided that its consequences are undone beforehand. This approach has been put into practice in CauDEr, a Causal-consistent reversible Debugger for the Erlang programming language. CauDEr provides the ability to explore a concurrent computation back and forward in a step-by-step way as well as to undo an action far in the past including all and only its consequences (rollback), and to replay an action from a log, together with its causes. CauDEr supports the functional, concurrent and distributed fragment of Erlang. However, Erlang also includes imperative primitives to manage a map (shared among all the processes of the same node) associating process identifiers to names. Here we extend CauDEr and the related theory, including rollback and replay, to support such imperative primitives. From a theoretical point of view, the imperative primitives create causal structures different from those derived from the concurrent Erlang fragment previously handled in CauDEr, yet we show that the main results proved for previous versions of CauDEr are still valid. From a practical point of view, this allows one to debug a larger subset of Erlang programs, as shown with a small case study of a server providing mathematical functionalities.
Title: Reversible debugging of concurrent Erlang programs: Supporting imperative primitives. Journal of Logical and Algebraic Methods in Programming, vol. 138, Article 100944.
Pub Date: 2024-01-05 | DOI: 10.1016/j.jlamp.2024.100943
Sebastian Stock , Atif Mashkoor , Michael Leuschel , Alexander Egyed
Refinement guarantees that the concrete version of a model does not violate the constraints introduced at the abstract level. The peculiarity of refinement, however, is that we have no guarantee about the preservation of the behavior of the model. For example, a trace (a set of desirable states and transitions) created on the abstract model may not replay on the concrete model. Its manual recreation, usually via animation, is necessary to run the trace, as the model may have changed significantly during refinement. However, this is a labor-intensive and error-prone task. To this end, this article presents an automatic trace refining technique and tool called BERT (B and Event-B Trace Refinement Technique) that allows modelers to ensure the behavioral integrity of high-level traces at the concrete level. The cost- and time-effectiveness of BERT are shown in industrial-strength case studies from the automotive and aviation domains.
Title: Trace preservation in B and Event-B refinements. Journal of Logical and Algebraic Methods in Programming, vol. 137, Article 100943. Open access PDF: https://www.sciencedirect.com/science/article/pii/S2352220824000014/pdfft?md5=014ec80e27c6d35f0f8d4a7e25c9564e&pid=1-s2.0-S2352220824000014-main.pdf
Pub Date: 2023-12-29 | DOI: 10.1016/j.jlamp.2023.100942
Chad Nester , Niels Voorneveld
We extend the free cornering of a symmetric monoidal category, a double categorical model of concurrent interaction, to support branching communication protocols and iterated communication protocols. We validate our constructions by showing that they inherit significant categorical structure from the free cornering, including that they form monoidal double categories. We also establish some elementary properties of the novel structure they contain. Further, we give a model of the free cornering in terms of strong functors and strong natural transformations, inspired by the literature on computational effects.
Title: Protocol choice and iteration for the free cornering. Journal of Logical and Algebraic Methods in Programming, vol. 137, Article 100942.
Pub Date: 2023-12-28 | DOI: 10.1016/j.jlamp.2023.100941
Saddek Bensalem , Xiaowei Huang , Wenjie Ruan , Qiyi Tang , Changshun Wu , Xingyu Zhao
Formal methods and machine learning are two research fields with drastically different foundations and philosophies. Formal methods utilise mathematically rigorous techniques for software and hardware systems' specification, development and verification. Machine learning focuses on pragmatic approaches to gradually improve a parameterised model by observing a training data set. While historically the two fields have lacked communication, this trend has changed in the past few years with an outburst of research interest in the robustness verification of neural networks. This paper will briefly review these works, and focus on the urgent need for broader and more in-depth communication between the two fields, with the ultimate goal of developing learning-enabled systems with excellent performance and acceptable safety and security. We present a specification language, MLS², and show that it can express a set of known safety and security properties, including generalisation, uncertainty, robustness, data poisoning, backdoor, model stealing, membership inference, model inversion, interpretability, and fairness. To verify MLS² properties, we promote the global optimisation-based methods, which have provable guarantees on the convergence to the optimal solution. Many of them have theoretical bounds on the gap between current solutions and the optimal solution.
Title: Bridging formal methods and machine learning with model checking and global optimisation. Journal of Logical and Algebraic Methods in Programming, vol. 137, Article 100941. Open access PDF: https://www.sciencedirect.com/science/article/pii/S2352220823000950/pdfft?md5=524bb8cc97eab39538606c56c0fd3849&pid=1-s2.0-S2352220823000950-main.pdf
Pub Date: 2023-12-28 | DOI: 10.1016/j.jlamp.2023.100940
Kangfeng Ye, Simon Foster, Jim Woodcock
RoboChart is a core notation in the RoboStar framework. It is a timed and probabilistic domain-specific and state machine-based language for robotics. RoboChart supports shared variables and communication across entities in its component model. It has formal denotational semantics given in CSP. The semantic technique of Interaction Trees (ITrees) represents behaviours of reactive and concurrent programs interacting with their environments. Recent mechanisation of ITrees, ITree-based CSP semantics and a Z mathematical toolkit in Isabelle/HOL bring new applications of verification and animation for state-rich process languages, such as RoboChart. In this paper, we use ITrees to give RoboChart novel operational semantics, implement it in Isabelle, and use Isabelle's code generator to generate verified and executable animations. We illustrate our approach using an autonomous chemical detector and patrol robot models, exhibiting nondeterminism and using shared variables. With animation, we show two concrete scenarios for the chemical detector when the robot encounters different environmental inputs and three for the patrol robot when its calibrated position is in other corridor sections. We also verify that the animated scenarios are trace refinements of the CSP denotational semantics of the RoboChart models using FDR, a refinement model checker for CSP. This ensures that our approach to resolve nondeterminism using CSP operators with priority is sound and correct.
Title: Formally verified animation for RoboChart using interaction trees. Journal of Logical and Algebraic Methods in Programming, vol. 137, Article 100940. Open access PDF: https://www.sciencedirect.com/science/article/pii/S2352220823000949/pdfft?md5=5312a452edca31ae541827e9147a0d84&pid=1-s2.0-S2352220823000949-main.pdf