Formal Aspects of Computing最新文献

A calculus for the specification and verification of distributed concurrent interactive real time systems is introduced. Systems are specified by their interface behavior formalized by interface predicates and interface assertions. System designs in terms of architectures of distributed networks of interactive systems are constructed by concurrent composition of subsystems. The specification of system designs is calculated from the specifications of their subsystems. Verification is done by proof rules which are based on the concepts of causality and realizability justified by the operational model in terms of generalized Moore machines, Moore machines not restricted to finite state spaces. The calculus supports interface specification and reasoning both about untimed as well as timed distributed concurrent systems. This includes the design of cyber-physical systems. Real-time is used, in particular, to specify time sensitive behavior and to prove properties related to causality and realizability, properties which hold for all Moore machines. On this basis, a calculus is worked out and illustrated by small examples. The calculus is shown to be sound and relatively complete.

The C and C++ languages introduced the relaxed-memory concurrency into the language specification for efficiency purposes in 2011.

Trace semantics can provide the mathematical foundation for the proposed C++11 memory model, and there is a lack of investigation of trace semantics for C++11.

The Promising Semantics (PS) of Kang et al. provides the standard SC-style operational semantics for the C++11 concurrency model, where “SC” refers to “Sequential Consistency”. Inspired by PS, in this paper we first investigate the trace semantics for the relaxed read and write accesses under C++11, acting in the denotational semantics style. In our semantic model, a trace is in the form of a sequence of snapshots, and the snapshots record the modification in the relevant global or local variables, and the thread view. Moreover, the trace semantics for the release/acquire accesses under C++11 is also explored, based on the separated thread views and newly added message views.

When considering this trace model, different accesses bring in their unique snapshots, and make distinguished effects on the production of the sequences.

For any given program, the proposed trace semantics in this paper produces all the valid traces directly. Further, our trace semantics, together with that for TSO and MCA ARMv8, has the possibility to be the foundation of the meta model of the trace semantics for weak memory models.

Recently, due to the continued reduction in DNA sequencing cost, large-scale genetic samples are being gathered for accelerating predispositions to specific diseases, tailoring treatment of efficient drugs and therapies, etc. Massive genetic samples are encrypted-and-then-delegated to a public cloud to both save investment and maintenance costs and prevent the potential leakage of sensitive information. However, such a manner compromises the serviceability of a public cloud, since encryption inevitably breaks the semantic information of genetic samples. Secure count query of single-nucleotide polymorphisms (SNPs), as a kernel component for GWASs and related genomic analysis, is attracting much more attention.

Existing methods lack provable security, suffer low efficiency caused by multiple interactions with the cloud, etc. In this paper, a secure virtual CT-Tree (secure vCT-Tree) is carefully constructed to confuse the tree structure by introducing a hash function and a Paillier system. Furthermore, by delegating the secure vCT-Tree to the cloud, concrete models (i.e., SecCT and SecCT+) are presented to resolve secure count query problems on-the-fly. SecCT+ is a solution based on trusted execution environment while SecCT is a pure software solution. Both models advance the provable security of genetic research and are proven to be secure under the adaptive chosen keyword (query) attack (IND-CKA2) model. Furthermore, massive experiments are evaluated on realistic data to show the superiority of SecCT and SecCT+.

Formal Methods (FM) radically improve the quality of the code artefacts they help to produce. They are simple, probably accessible to first-year undergraduate students and certainly to second-year students and beyond. Nevertheless, in many cases, they are not part of a general recommendation for course curricula, i.e., they are not taught — and yet they are valuable.

One reason for this is that teaching “Formal Methods” is often confused with teaching logic and theory. This paper advocates what we call FM thinking: the application of ideas from Formal Methods applied in informal, lightweight, practical and accessible ways. And we will argue here that FM thinking should be part of the recommended curriculum for every Computer Science student. For even students who train only in that “thinking” will become much better programmers. But there will be others who, exposed to those ideas, will be ideally positioned to go further into the more theoretical background: why the techniques work; how they can be automated; and how new ones can be developed. Those students would follow subsequently a specialised, more theoretical stream, including topics such as semantics, logics, verification and proof-automation techniques.

Bounded model checking (BMC) and fuzzing techniques are among the most effective methods for detecting errors and security vulnerabilities in software. However, there are still shortcomings in detecting these errors due to the inability of existent methods to cover large areas in target code. We propose FuSeBMC v4, a test generator that synthesizes seeds with useful properties, that we refer to as smart seeds, to improve the performance of its hybrid fuzzer thereby achieving high C program coverage. FuSeBMC works by first analyzing and incrementally injecting goal labels into the given C program to guide BMC and Evolutionary Fuzzing engines. After that, the engines are employed for an initial period to produce the so–called smart seeds. Finally, the engines are run again, with these smart seeds as starting seeds, in an attempt to achieve maximum code coverage / find bugs. During seed generation and normal running, the Tracer subsystem aids coordination between the engines. This subsystem conducts additional coverage analysis and updates a shared memory with information on goals covered so far. Furthermore, the Tracer evaluates test-cases dynamically to convert cases into seeds for subsequent test fuzzing. Thus, the BMC engine can provide the seed that allows the fuzzing engine to bypass complex mathematical guards (e.g., input validation). As a result, we received three awards for participation in the fourth international competition in software testing (Test-Comp 2022), outperforming all state-of-the-art tools in every category, including the coverage category.

Permissionless blockchains commonly use resource challenges to defend against sybil attacks. For example, popular resource challenge designs include Proof-of-Work and Proof-of-Stake. It is well-known that simultaneously exploiting multiple resources can help make a permissionless blockchain more robust. For example, combining PoW and PoS can help to keep a blockchain secure, even when the attacker controls more than 50% of the computational power in the system.

While there have been existing efforts for combining multiple resources in blockchains, they only provide partial solutions. Specifically, it is currently still unclear how to combine PoW and PoS, or multiple resources in general, to achieve optimal resilience. Here by optimal resilience, we mean that the blockchain can tolerate every security region, unless that security region is proven to be impossible to tolerate. Existing designs are not able to achieve such optimal resilience.

As our central contribution, this work proposes the novel design and formal security analysis of a blockchain protocol that combines PoS and PoW, which can be further generalized to multiple resources. Our blockchain is the very first blockchain that can achieve optimal resilience. Our design also overcomes a common tricky issue of PoW difficulty adjustment in previous designs. We have further implemented a research prototype of our blockchain design, and experimentally demonstrated its good end-to-end performance.

Dynamic programming (DP) is a broadly applicable algorithmic design paradigm for the efficient, exact solution of otherwise intractable, combinatorial problems. However, the design of such algorithms is often presented informally in an ad-hoc manner. It is sometimes difficult to justify the correctness of these DP algorithms. To address this issue, this paper presents a rigorous algebraic formalism for systematically deriving DP algorithms, based on semiring polymorphism. We start with a specification, construct a (brute-force) algorithm to compute the required solution which is self-evidently correct because it exhaustively generates and evaluates all possible solutions meeting the specification. We then derive, primarily through the use of shortcut fusion, an implementation of this algorithm which is both efficient and correct. We also demonstrate how, with the use of semiring lifting, the specification can be augmented with combinatorial constraints and through semiring lifting, show how these constraints can also be fused with the derived algorithm. This paper furthermore demonstrates how existing DP algorithms for a given combinatorial problem can be abstracted from their original context and re-purposed to solve other combinatorial problems.

This approach can be applied to the full scope of combinatorial problems expressible in terms of semirings. This includes, for example: optimization, optimal probability and Viterbi decoding, probabilistic marginalization, logical inference, fuzzy sets, differentiable softmax, and relational and provenance queries. The approach, building on many ideas from the existing literature on constructive algorithmics, exploits generic properties of (semiring) polymorphic functions, tupling and formal sums (lifting), and algebraic simplifications arising from constraint algebras. We demonstrate the effectiveness of this formalism for some example applications arising in signal processing, bioinformatics and reliability engineering. Python software implementing these algorithms can be downloaded from: http://www.maxlittle.net/software/dppolyalg.zip.

Modeling complex system requirements often requires specifying system components in separate models, which can be validated and verified in isolation from each other, and then integrating all components’ behavior in order to validate the operation of the whole system. If models are executable, as for state-based formal specifications, engines to orchestrate the simulation of separate component operational models are extremely useful.

This paper presents an approach for the co-simulation, according to predefined orchestration schemas, of state-based models of separate components of a Discrete Event System. More precisely, we exploit the Abstract State Machine (ASM) formal method as state-based formalism, and we (i) define a set of operators to compose ASMs that communicate with each other through I/O events, and (ii) present an engine to execute the compositional simulation of the ASMs as a whole assembly.

As proof of concepts, we use a set of model examples of Discrete Event Systems of increasing complexity to show the application of our approach and to evaluate its effectiveness in co-simulating models of real systems.

Universality of a concept here means wide conceptual and practical usefulness in mathematics and applications. The function concept owes its universality to simplicity, generality and powerful algebraic properties. Advantages proven in the sciences at large significantly benefit computing science as well. Universality critically depends on the definitional choices. The first half of this paper shows that a “function” in the sense prevalent throughout the sciences, namely, as fully specified by its domain and its values, entails the characteristics that most contribute to universality. This link is clarified by some less well-understood aspects, including the role of function types as partial specifications, the ramifications of having composition defined for any pair of functions, and unification by capturing various notions not commonly seen as functions. Simple but representative examples are given in diverse areas, mostly computing. When a codomain appears at all in basic textbooks, it mostly involves a self-contradicting definition, corrected by the labeled function variant. Either way, it severely reduces universality, especially for composition. Yet, the axiomatization of category theory common in theoretical computing science offers no other choice. The second half explores how waiving one axiom generalizes category theory to include a wider variety of concepts, primarily the conventional function variant. It is also shown how this can be done unobtrusively for typical categorical notions, such as products, coproducts, functors, natural transformations, adjunctions, Galois connections, and auxiliary concepts, illustrated by example definitions and technical comments. Allowing the familiar function variant renders category theory more appealing to a wider group of scientists. A lesson for mathematics in general is Rogaway’s maxim: “Your definitional choices should be justified”!

The relationship between states (status of a system) and modes (capabilities of a system) used to describe system requirements is often poorly defined. The unclear relationship could make systems of interest out of control because of the out of boundaries of the systems caused by the newly added modes. Formally modeling and verifying requirements can clarify the relationship, making the system safer. To this end, an innovative approach to analyzing requirements is proposed. The MoSt language (a Domain Specific Language implemented on the Xtext framework) is firstly designed for requirements modeling and a model validator is realized to check requirements statically. A code generator is then provided to realize the automatic model transformation from the MoSt model to a NuSMV model, laying the foundation for the dynamic checks of requirements through symbolic model checking. Next, a NuSMV runner is designed to connect the NuSMV with the validator to automate the whole dynamic checks. The grammar, the model validator, the code generator, and the NuSMV runner are finally integrated into a publicly available Eclipse-based tool. Two case studies have been employed to illustrate the feasibility of our approach. For each case study, we injected 14 errors. The results show that the static and dynamic checks can successfully detect all the errors.