
    Analyzing Behavioural Scenarios over Tabular Specifications Using Model Checking

    Tabular notations, in particular SCR specifications, have proved to be a useful means for formally describing complex requirements. The SCR method offers a powerful family of analysis tools, known as the SCR Toolset, but its availability is restricted by the Naval Research Laboratory of the USA. This toolset applies different kinds of analysis considering the whole set of behaviours associated with a requirements specification. In this paper we present a tool for describing and analyzing SCR requirements descriptions that complements the SCR Toolset in two respects. First, its use is not limited by any institution, and it resorts to a standard model checking tool for analysis; second, it allows the analysis to be concentrated on particular sets of behaviours (subsets of the whole specification) that correspond to particular scenarios explicitly mentioned in the specification. We take an operational notation that allows the engineer to describe behavioural "scenarios" by means of programs, and provide a translation into Promela to perform the analysis via Spin, an efficient off-the-shelf model checker that is freely available. In addition, we apply the SCR method to a Pacemaker system and use its tabular specification as the running example of this article.
    Comment: In Proceedings LAFM 2013, arXiv:1401.056
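The abstract describes encoding an SCR tabular specification in Promela and restricting Spin's analysis to one explicitly written scenario rather than to every possible environment behaviour. The model below is an added, constructed illustration of that idea, not output of the paper's tool and not its Pacemaker specification: the mode class, thresholds, variables and the two LTL properties are invented for this example. The SCR step (mode transition table, event table for the term, condition table for the controlled variable) runs inside a `d_step` so the environment never observes a half-updated state, and the `Scenario` process drives only one input sequence.

```promela
/* Added example, not the paper's code. Constructed SCR-style model:
   three-mode pressure mode class, one controlled output, one scenario. */
mtype = { TooLow, Permitted, High };

#define LOW    900   /* constructed thresholds */
#define PERMIT 1000

mtype Pressure = TooLow;       /* mode class */
int   WaterPres = 0;           /* monitored variable */
bool  Block = false;           /* monitored: operator override request */
bool  Reset = false;           /* monitored: operator reset */
bool  Overridden = false;      /* term */
bool  SafetyInjection = true;  /* controlled variable */

/* One SCR step, evaluated atomically after each monitored-variable change:
   mode transition table, then the event table for Overridden, then the
   condition table for SafetyInjection. */
inline scr_step() {
  d_step {
    if
    :: Pressure == TooLow    && WaterPres >= LOW    -> Pressure = Permitted
    :: Pressure == Permitted && WaterPres <  LOW    -> Pressure = TooLow
    :: Pressure == Permitted && WaterPres >= PERMIT -> Pressure = High
    :: Pressure == High      && WaterPres <  PERMIT -> Pressure = Permitted
    :: else -> skip
    fi;
    if
    :: Reset -> Overridden = false
    :: Block && !Reset && Pressure != High -> Overridden = true
    :: else -> skip
    fi;
    SafetyInjection = (Pressure != High && !Overridden)
  }
}

/* The scenario: pressure ramps through both thresholds while the operator
   presses Block once and later Reset. Only this behaviour is explored,
   which is the "subset of the specification" idea from the abstract. */
active proctype Scenario() {
  WaterPres = 950;  scr_step();
  Block = true;     scr_step();
  Block = false;    scr_step();
  WaterPres = 1050; scr_step();
  WaterPres = 990;  scr_step();
  Reset = true;     scr_step();
  Reset = false;    scr_step()
}

/* Properties Spin checks over the scenario's states. */
ltl no_injection_at_high { [] (Pressure == High -> !SafetyInjection) }
ltl reset_restores { [] ((Reset && Pressure == Permitted) -> <> SafetyInjection) }
```

Run one property at a time, for example `spin -a -ltl no_injection_at_high model.pml && gcc -o pan pan.c && ./pan -a`; a violated property produces a counterexample trail replayable with `spin -t -p model.pml`. Replacing the fixed assignments in `Scenario` with nondeterministic choices widens the analysis back towards the whole-specification checking the SCR Toolset performs.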

    A method for tailoring the information content of a software process model

    A framework is defined for a general method for selecting a necessary and sufficient subset of a general software life cycle's information products to support a new software development process. Procedures for characterizing problem domains in general and mapping them to a tailored set of life cycle processes and products are presented. An overview of the method is shown using the following steps: (1) During the problem concept definition phase, perform standardized interviews and dialogs between developer and user, and between user and customer; (2) Generate a quality needs profile of the software to be developed, based on information gathered in step 1; (3) Translate the quality needs profile into a profile of quality criteria that must be met by the software to satisfy the quality needs; (4) Map the quality criteria to a set of accepted processes and products for achieving each criterion; (5) Select the information products which match or support the accepted processes and products of step 4; and (6) Select the design methodology which produces the information products selected in step 5.

    Experiences Using Formal Methods for Requirements Modeling

    This paper describes three case studies in the lightweight application of formal methods to requirements modeling for spacecraft fault protection systems. The case studies differ from previously reported applications of formal methods in that formal methods were applied very early in the requirements engineering process, to validate the evolving requirements. The results were fed back into the projects to improve the informal specifications. For each case study, we describe what methods were applied, how they were applied, how much effort was involved, and what the findings were. In all three cases, the formal modeling provided a cost-effective enhancement of the existing verification and validation processes. We conclude that the benefits gained from early modeling of unstable requirements more than outweigh the effort needed to maintain multiple representations.

    Formal Methods of V&V of Partial Specifications: An Experience Report

    This paper describes our work exploring the suitability of formal specification methods for independent verification and validation (IV&V) of software specifications for large, safety-critical systems. An IV&V contractor often has to perform rapid analysis on incomplete specifications, with no control over how those specifications are represented. Lightweight formal methods show significant promise in this context, as they offer a way of uncovering major errors without the burden of full proofs of correctness. We describe an experiment in the application of the SCR method to testing for consistency properties of a partial model of requirements for Fault Detection, Isolation and Recovery on the space station. We conclude that the insights gained from formalizing a specification are valuable, and that it is the process of formalization, rather than the end product, that is important. It was only necessary to build enough of the formal model to test the properties in which we were interested. Maintenance of fidelity between multiple representations of the same requirements (as they evolve) is still a problem, and deserves further study.

    Applying an Operational Formal Method to Safety-Critical Systems

    Despite thirty years of study by the academic community, industry has not embraced the systematic usage of formal methods. To address this concern, a formal method is proposed which possesses many of the qualities that practitioners have listed as lacking from current formal methods: inclusion of both a specification and a verification model, a tabular notation that only requires knowledge of first-order logic, support for both composition and decomposition, application throughout the software life-cycle, and tool support. The presentation includes several applications to safety-critical software systems.
    Keywords and Phrases: Formal methods, specification, trace-based systems, software development, concurrency, verification

    Systems engineering approach to engine test stand development for micropatching evaluations

    Summer 2022.
    This project applies systems engineering methodology to develop an engine test stand used to extract, patch and validate the binary file of a diesel engine electronic control module. Electronic control modules operate modern systems ranging from aircraft and spacecraft to automobiles, heavy trucks and industrial equipment. These systems are often used for decades, which may be beyond the period for which manufacturers provide support. The binary code operating these embedded controllers may need to be patched as part of maintenance or for compatibility with updated requirements. The objective of this thesis is to design an evaluation system to test the extraction, patching and deployment of binary code operating the engine control module of a legacy engine platform, a Cummins 6.7L diesel engine with a Cummins CM2350 engine controller, for which source code is not available. However, through binary analysis and micropatching, it is possible to update the binary of the ECM firmware by applying a patch that changes specific attributes of the operation of the ECU. To verify the results of the patch, the binary is deployed to the engine controller and the operation of the engine is assessed. An engine on a dynamometer test stand was reconfigured to be an evaluation platform for assuring non-interference attributes of the ECM binary. Requirements were identified, an architecture was established, and validation was tied to corresponding test stand requirements. A method to solve an iterative numerical calculation with a convergence criterion set incorrectly was implemented on the ECM, and that method was then patched with a correct convergence criterion. The evaluation system was documented for other operators to execute the evaluations.
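The abstract's worked case is a micropatch that replaces an incorrectly set convergence criterion in an ECM binary without source code. The script below is an added illustration of the mechanics of such a patch, not the thesis's tooling and not derived from real CM2350 firmware: it builds a constructed "firmware image" containing a little-endian IEEE-754 single-precision threshold and a CRC32 trailer (the image layout, the constant's encoding and the checksum scheme are all assumptions), locates the constant with a uniqueness check so the patch cannot silently hit a second occurrence, rewrites the four bytes in place so the image size and every other offset are unchanged, and recomputes the trailer. A toy Newton iteration shows what the criterion controls.

```python
"""Constructed micropatch demo. Not the thesis's tool; the image format,
float encoding and CRC32 trailer are assumptions made for this example."""
import struct
import zlib

WRONG_EPS = 1e-2   # convergence criterion as (hypothetically) shipped: too loose
RIGHT_EPS = 1e-6   # the corrected criterion the patch installs


def build_image() -> bytes:
    """Constructed firmware image: header, code-like filler bytes, the
    float32 threshold, more filler, then a CRC32 over everything before it."""
    body = (b"\x7fDEMO-ECM" + bytes(range(64))
            + struct.pack("<f", WRONG_EPS) + bytes(range(64, 128)))
    return body + struct.pack("<I", zlib.crc32(body))


def verify_image(img: bytes) -> bool:
    """Check the CRC32 trailer; a bootloader would refuse an image that fails this."""
    body, trailer = img[:-4], img[-4:]
    return zlib.crc32(body) == struct.unpack("<I", trailer)[0]


def find_constant(body: bytes, value: float) -> list[int]:
    """Offsets of every little-endian float32 encoding of `value` in `body`."""
    pat = struct.pack("<f", value)
    offsets, start = [], 0
    while (i := body.find(pat, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def micropatch(img: bytes, old: float, new: float) -> bytes:
    """Replace the single float32 constant `old` with `new` and refresh the CRC.
    Refuses ambiguous images: exactly one match is required, so the patch
    never rewrites an unrelated constant that happens to share the encoding."""
    if not verify_image(img):
        raise ValueError("input image fails checksum; refusing to patch")
    body = bytearray(img[:-4])
    offsets = find_constant(bytes(body), old)
    if len(offsets) != 1:
        raise ValueError(f"expected exactly one occurrence, found {len(offsets)}")
    off = offsets[0]
    body[off:off + 4] = struct.pack("<f", new)        # same size: no offsets move
    return bytes(body) + struct.pack("<I", zlib.crc32(bytes(body)))


def sqrt_iterations(x: float, eps: float) -> tuple[float, int]:
    """Newton iteration for sqrt(x): the kind of loop whose stop criterion the
    patch changes. Returns (estimate, iterations)."""
    g, n = x, 0
    while abs(g * g - x) > eps:
        g = 0.5 * (g + x / g)
        n += 1
    return g, n


if __name__ == "__main__":
    original = build_image()
    patched = micropatch(original, WRONG_EPS, RIGHT_EPS)
    print("patched image valid:", verify_image(patched))
    print("loose criterion:", sqrt_iterations(2.0, WRONG_EPS))
    print("tight criterion:", sqrt_iterations(2.0, RIGHT_EPS))
```

On real firmware the constant's location comes from the binary analysis the thesis describes rather than from a byte search, and the integrity check must match whatever the bootloader actually enforces; the uniqueness check and the refusal to patch an image that already fails verification are the two guards worth keeping regardless.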