3,842 research outputs found

    Just forget it - The semantics and enforcement of information erasure

    Abstract. There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a “flow sensitive” noninterference property. (ii) By a judicious choice of language construct to support erasur

    Probabilistic Model Checking for Energy Analysis in Software Product Lines

    In a software product line (SPL), a collection of software products is defined by their commonalities in terms of features rather than explicitly specifying all products one-by-one. Several verification techniques were adapted to establish temporal properties of SPLs. Symbolic and family-based model checking have been proven to be successful for tackling the combinatorial blow-up arising when reasoning about several feature combinations. However, most formal verification approaches for SPLs presented in the literature focus on the static SPLs, where the features of a product are fixed and cannot be changed during runtime. This is in contrast to dynamic SPLs, allowing to adapt feature combinations of a product dynamically after deployment. The main contribution of the paper is a compositional modeling framework for dynamic SPLs, which supports probabilistic and nondeterministic choices and allows for quantitative analysis. We specify the feature changes during runtime within an automata-based coordination component, enabling to reason over strategies how to trigger dynamic feature changes for optimizing various quantitative objectives, e.g., energy or monetary costs and reliability. For our framework there is a natural and conceptually simple translation into the input language of the prominent probabilistic model checker PRISM. This facilitates the application of PRISM's powerful symbolic engine to the operational behavior of dynamic SPLs and their family-based analysis against various quantitative queries. We demonstrate feasibility of our approach by a case study issuing an energy-aware bonding network device. Comment: 14 pages, 11 figure

    A discourse-based account of Spanish ser/estar

    The study offers a discourse-based account of the Spanish copula forms ser and estar, which are generally considered to be lexical exponents of the stage-level/individual-level contrast. It argues against the popular view that the distinction between SLPs and ILPs rests on a fundamental cognitive division of the world that is reflected in the grammar. As it happens, conceptual oppositions like “temporary vs. permanent” or “arbitrary vs. essential” provide only a preference for the interpretation of estar and ser. In addition, the evidence for an SLP/ILP impact on the grammar turns out to be far less conclusive than is currently assumed. The study argues against event-based accounts of the ser/estar contrast in particular, showing that ser and estar pattern alike in failing all of the standard eventuality tests. The discourse-based account proposed instead assumes that ser and estar both display the same lexical semantics (which is identical to the semantics of English be, German sein, etc.); estar differs from ser only in presupposing a relation to a specific discourse situation. By using estar a speaker restricts his or her claim to a specific discourse situation, whereas by using ser, the speaker makes no such restriction. The preference for interpreting estar predications as denoting temporary properties and ser predications as denoting permanent properties follows from economy principles driving the pragmatic legitimation of estar's discourse dependence. The analysis proposed in this paper can also account for the observation that ser predications do not give rise to thetic judgements. The proposal is couched in terms of the framework of DRT