Exploring model-based development for the verification of real-time Java code

Many safety- and security-critical systems are real-time systems and, as a result, tools and techniques for verifying real-time systems are extremely important. Simulation and testing such systems can be exceedingly time-consuming and these techniques provide only probabilistic measures of correctness. There are a number of model-checking tools for real-time systems. However, they provide formal verification for models, not programs. To increase the confidence in real-time programs written in real-time Java, this paper takes a modelling approach to the design of such programs. First, models can be mechanically verified, to check whether they satisfy particular properties, by using current real-time model-checking tools. Then, programs are derived from the model by following a systematic approach. To illustrate the approach we use a nontrivial example: a gear controller

Abstractions and Static Analysis for Verifying Reactive Systems

Fokkink, W.J. [Promotor]Sidorova, N. [Copromotor

Timing analysis of synchronous data flow graphs

Consumer electronic systems are getting more and more complex. Consequently, their design is getting more complicated. Typical systems built today are made of different subsystems that work in parallel in order to meet the functional re- quirements of the demanded applications. The types of applications running on such systems usually have inherent timing constraints which should be realized by the system. The analysis of timing guarantees for parallel systems is not a straightforward task. One important category of applications in consumer electronic devices are multimedia applications such as an MP3 player and an MPEG decoder/encoder. Predictable design is the prominent way of simultaneously managing the design complexity of these systems and providing timing guarantees. Timing guarantees cannot be obtained without using analyzable models of computation. Data flow models proved to be a suitable means for modeling and analysis of multimedia applications. Synchronous Data Flow Graphs (SDFGs) is a data flow model of computation that is traditionally used in the domain of Digital Signal Processing (DSP) platforms. Owing to the structural similarity between DSP and multimedia applications, SDFGs are suitable for modeling multimedia applications as well. Besides, various performance metrics can be analyzed using SDFGs. In fact, the combination of expressivity and analysis potential makes SDFGs very interesting in the domain of multimedia applications. This thesis contributes to SDFG analysis. We propose necessary and sufficient conditions to analyze the integrity of SDFGs and we provide techniques to capture prominent performance metrics, namely, throughput and latency. These perfor- mance metrics together with the mentioned sanity checks (conditions) build an appropriate basis for the analysis of the timing behavior of modeled applications. An SDFG is a graph with actors as vertices and channels as edges. Actors represent basic parts of an application which need to be executed. Channels represent data dependencies between actors. Streaming applications essentially continue their execution indefinitely. Therefore, one of the key properties of an SDFG which models such an application is liveness, i.e., whether all actors can run infinitely often. For example, one is usually not interested in a system which completely or partially deadlocks. Another elementary requirement known as boundedness, is whether an implementation of an SDFG is feasible using a lim- ited amount of memory. Necessary and sufficient conditions for liveness and the different types of boundedness are given, as well as algorithms for checking those conditions. Throughput analysis of SDFGs is an important step for verifying throughput requirements of concurrent real-time applications, for instance within design-space exploration activities. In fact, the main reason that SDFGs are used for mod- eling multimedia applications is analysis of the worst-case throughput, as it is essential for providing timing guarantees. Analysis of SDFGs can be hard, since the worst-case complexity of analysis algorithms is often high. This is also true for throughput analysis. In particular, many algorithms involve a conversion to another kind of data flow graph, namely, a homogenous data flow graph, whose size can be exponentially larger than the size of the original graph and in practice often is much larger. The thesis presents a method for throughput analysis of SD- FGs which is based on explicit state-space exploration, avoiding the mentioned conversion. The method, despite its worst-case complexity, works well in practice, while existing methods often fail. Since the state-space exploration method is akin to the simulation of the graph, the result can be easily obtained as a byproduct in existing simulation tools. In various contexts, such as design-space exploration or run-time reconfigu- ration, many throughput computations are required for varying actor execution times. The computations need to be fast because typically very limited resources or time can be dedicated to the analysis. In this thesis, we present methods to compute throughput of an SDFG where execution times of actors can be param- eters. As a result, the throughput of these graphs is obtained in the form of a function of these parameters. Calculation of throughput for different actor exe- cution times is then merely an evaluation of this function for specific parameter values, which is much faster than the standard throughput analysis. Although throughput is a very useful performance indicator for concurrent real-time applications, another important metric is latency. Especially for appli- cations such as video conferencing, telephony and games, latency beyond a certain limit cannot be tolerated. The final contribution of this thesis is an algorithm to determine the minimal achievable latency, providing an execution scheme for executing an SDFG with this latency. In addition, a heuristic is proposed for optimizing latency under a throughput constraint. This heuristic gives optimal latency and throughput results in most cases

Enhancing state space reduction techniques for model checking

Model-checking is een techniek voor het automatisch opsporen van fouten in en de verificatie van hardware en software. De techniek is gebaseerd op het doorzoeken van de globale toestandsruimte van het systeem. Deze toestandsruimte groeit vaak exponentieel met de grootte van de systeembeschrijving. Als gevolg hiervan is een van de voornaamste knelpunten in model-checking de zogenaamde toestandsexplosie. Er bestaan veel aanpakken om met dit probleem om te gaan. We presenteren verbeteringen van sommige bestaande technieken voor reductie van de toestandsruimte die gebaseerd zijn op expliciete enumeratie van die ruimte. We schenken vooral aandacht aan het verbeteren van verscheidene algoritmen die, hoewel ze slechts een deel van de toestandsruimte onderzoeken, nog steeds gegeven een eigenschap kunnen bewijzen of weerleggen. In het bijzonder is ons onderzoek toegespitst op twee typen reducties. Het eerste type, parti¨eleordening (PO) reductie, buit de onafhankelijkheid van acties in het systeem uit. Het tweede type is een klasse van reducties die voordeel halen uit symmetrie¨en van het systeem. De voornaamste bijdragen van dit proefschrift in verband met de parti¨ele ordening reductie zijn de volgende: – Het gebruik van systeemhi¨erarchie voor effici¨entere parti¨ele-ordening reductie door klustering van processen – De meeste model-checking technieken beschouwen het model als een platte compositie van processen. We laten zien hoe de reductie kan profiteren van de systeemstructuur door uitbuiting van de hi¨erarchie in het systeem (Hoofdstuk 2). – Correcte syntactische criteria om onafhankelijke acties te vinden voor parti¨ele ordening reductie voor systemen met synchronizerende communicaties die gecombineerd zijn met prioriteit-keuze en/of zwakke fairness (Hoofdstuk 3). – Parti¨ele-ordening reductie voor discrete tijd – We laten zien hoe het algoritme voor parti¨ele ordening reductie zonder tijd aangepast kan worden, in het geval tijd gerepresenteerd wordt middels gehele getallen (Hoofdstuk 4). De bijdragen betreffende symmetrie-gebaseerde reducties kunnen als volgt samengevat worden: – Effici¨ente heuristieken voor het vinden van representanten van equivalentieklassen voor symmetrie-gebaseerde reductie (Hoofdstuk 6). – Een effici¨ent algoritme voor model-checking onder zwakke fairness met toestandsruimte reductietechnieken die gebaseerd zijn op symmetrie (Hoofdstuk 7). Het succes van model-checking is voornamelijk gebaseerd op de relatief gemakkelijke implementatie in software gereedschappen. Bijna alle bovengenoemde theoretische resultaten zijn ge¨implementeerd in de praktijk en de ontwikkelde prototype implementaties zijn ge¨evalueerd in praktijkstudies. Het meeste implementatie werk is gerelateerd aan de model checker Spin. Van de praktische bijdragen in dit document noemen we: – DT Spin – een uitbreiding van Spin met discrete tijd die het in het proefschrift gepresenteerd discrete-tijd PO reductie algoritme bevat (Hoofdstuk 4). – if2pml – een vertaler van de modelleertaal IF naar Spins invoertaal Promela, die als het tweede deel van een vertaler van SDL naar Promela bedoeld is (Hoofdstuk 5). – SymmSpin – een symmetrie-reductie pakket voor Spin, gebaseerd op de heuristiek beschreven in dit proefschrift (Hoofdstuk 6). De implementaties zijn getest op voorbeelden uit de literatuur en het bedrijfsleven met bemoedigende resultaten. In het bijzonder noemen we MASCARA – een industrieel protocol dat draadloze communicatie met ATM combineert (Hoofdstuk 5). De experimenten zijn niet alleen een aanwijzing voor de kwaliteit van de resultaten en de implementatie, maar ze waren en zijn ook een inspiratie voor nieuw theoretisch werk. Een typerend voorbeeld is de verenigbaarheid van parti¨ele ordening reductie met prioriteit-keuze en fairness in modellen met rendez-vous communicatie. De verbetering van het parti¨ele-ordening algoritme was rechtstreeks ge¨inspireerd door experimenten met Spin en zijn discrete-tijd uitbreiding DT Spin, ontwikkeld in dit proefschrift

Principles of Security and Trust

This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including on new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems

Model-driven development of data intensive applications over cloud resources

The proliferation of sensors over the last years has generated large amounts of raw data, forming data streams that need to be processed. In many cases, cloud resources are used for such processing, exploiting their flexibility, but these sensor streaming applications often need to support operational and control actions that have real-time and low-latency requirements that go beyond the cost effective and flexible solutions supported by existing cloud frameworks, such as Apache Kafka, Apache Spark Streaming, or Map-Reduce Streams. In this paper, we describe a model-driven and stepwise refinement methodological approach for streaming applications executed over clouds. The central role is assigned to a set of Petri Net models for specifying functional and non-functional requirements. They support model reuse, and a way to combine formal analysis, simulation, and approximate computation of minimal and maximal boundaries of non-functional requirements when the problem is either mathematically or computationally intractable. We show how our proposal can assist developers in their design and implementation decisions from a performance perspective. Our methodology allows to conduct performance analysis: The methodology is intended for all the engineering process stages, and we can (i) analyse how it can be mapped onto cloud resources, and (ii) obtain key performance indicators, including throughput or economic cost, so that developers are assisted in their development tasks and in their decision taking. In order to illustrate our approach, we make use of the pipelined wavefront array