
    Dynamic epistemic modelling

    This paper introduces DEMO, a Dynamic Epistemic Modelling tool. DEMO allows modelling epistemic updates, graphical display of update results, graphical display of action models, formula evaluation in epistemic models, translation of dynamic epistemic formulas to PDL formulas, and so on. The paper implements a reduction of dynamic epistemic logic to PDL. The reduction of dynamic epistemic logic to automata PDL from Van Benthem and Kooi is also discussed and implemented. Epistemic models are minimized under bisimulation, and update action models are minimized under action emulation (the appropriate structural notion for having the same update effect). The paper is an exemplar of tool building for epistemic update logic. It contains the full code of an implementation in Haskell in 'literate programming' style, of DEM

    STATE ESTIMATION AND OBSERVABILITY OF SYSTEMS OVER FINITE ALPHABETS

    In this dissertation, the state estimation problem for systems over finite alphabets is studied, focusing in particular on a significant special instance of such systems consisting of an LTI system with a finite input set and an output quantizer. The need for new notions of observability is motivated, and a set of new notions of observability is formulated quantifying the degree to which the output of such systems can be predicted by an observer. The characterization of observability is investigated, with both necessary and sufficient conditions derived in terms of the dynamics of the system, the properties of the quantizer, and the finite alphabet sets. The use of deterministic finite state machines as observers is also explored, with a view towards understanding their advantages and limitations. Building on the notion of finite memory observability, a control design problem is formulated. Lastly, an idea inspired by the characterization of observability is applied to solve some remaining open questions in the theory of bisimulation

    Contextual Lumpability

    Quantitative analysis of computer systems is often based on Markovian models. Among the formalisms that are used in practice, Markovian process algebras have found many applications, also thanks to their compositional nature that allows one to specify systems as interacting individual automata that carry out actions. Nevertheless, as with all state-based modelling techniques, Markovian process algebras suffer from the well-known state space explosion problem. State aggregation, specifically lumping, is one of the possible methods for tackling this problem. In this paper we revisit the notion of Markovian bisimulation which has previously been shown to induce a lumpable relation in the underlying Markov process. Here we consider the coarser relation of contextual lumpability, and taking the specific example of strong equivalence in PEPA, we propose a slightly relaxed definition of Markovian bisimulation, named lumpable bisimilarity, and prove that this is a characterisation of the notion of contextual lumpability for PEPA components. Moreover, we show that lumpable bisimilarity induces the largest contextual lumping over the Markov process underlying any PEPA component. We provide an algorithm for lumpable bisimilarity and study both its time and space complexity.
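    Both the DEMO entry (epistemic models minimized under bisimulation) and this one (an algorithm for a lumpable bisimilarity on the underlying Markov chain) rest on the same partition-refinement scheme: start from the coarsest partition the observer can justify and split blocks until every state in a block relates to the other blocks in the same way. The following is an added worked example, not code from DEMO, PEPA or any paper listed here; it implements plain (unlabelled) ordinary lumpability of a CTMC and ordinary bisimulation of a Kripke model, not PEPA's action-labelled strong equivalence or DEMO's action emulation. The state spaces, rates and observer partition are constructed for the illustration.

```python
"""Partition refinement for bisimulation and ordinary lumpability.

Added illustration; not code from DEMO, PEPA or any paper listed here.
Assumptions: explicit finite state spaces given as dicts; the CTMC is
given by its off-diagonal transition rates; lumping starts from a
user-supplied partition induced by what the observer can see.
"""
from collections import defaultdict
from typing import Callable, Dict, FrozenSet, Hashable, Iterable, List

Partition = List[FrozenSet[Hashable]]


def refine(initial: Iterable[Iterable[Hashable]],
           signature: Callable[[Hashable, Dict[Hashable, int]], Hashable]) -> Partition:
    """Split blocks by signature(s, block_of) until no block splits.

    Yields the coarsest stable partition refining `initial` (the classic
    Kanellakis-Smolka scheme). Blocks are returned sorted for determinism.
    """
    partition = [frozenset(b) for b in initial]
    while True:
        block_of = {s: i for i, b in enumerate(partition) for s in b}
        new_partition: Partition = []
        for block in partition:
            groups: Dict[Hashable, set] = defaultdict(set)
            for s in block:
                groups[signature(s, block_of)].add(s)
            new_partition.extend(frozenset(g) for g in groups.values())
        if len(new_partition) == len(partition):  # nothing split: stable
            return sorted(new_partition, key=lambda b: sorted(map(str, b)))
        partition = new_partition


def bisimulation_quotient(states, valuation, trans) -> Partition:
    """Coarsest bisimulation on a Kripke model / labelled transition system.

    valuation[s]: set of atoms true at s; trans[s]: set of (label, target).
    Two states are bisimilar iff they satisfy the same atoms and each
    labelled move of one is matched by the other into bisimilar states.
    """
    by_val: Dict[FrozenSet, set] = defaultdict(set)
    for s in states:
        by_val[frozenset(valuation.get(s, ()))].add(s)

    def sig(s, block_of):
        return frozenset((label, block_of[t]) for label, t in trans.get(s, ()))

    return refine(by_val.values(), sig)


def lumpable_partition(states, rates, initial=None) -> Partition:
    """Coarsest ordinarily lumpable partition of a CTMC refining `initial`.

    rates[s]: {target: rate} (off-diagonal generator entries). States may
    share a block iff their total rate into every *other* block agrees;
    rates inside the own block never appear in the aggregated chain.
    Without an observer-induced `initial`, one block is already lumpable.
    """
    initial = initial or [frozenset(states)]

    def sig(s, block_of):
        into = defaultdict(float)
        for t, r in rates.get(s, {}).items():
            if block_of[t] != block_of[s]:
                into[block_of[t]] += r
        return frozenset((b, round(v, 9)) for b, v in into.items())

    return refine(initial, sig)


def lumped_generator(partition: Partition, rates) -> List[List[float]]:
    """Generator of the aggregated chain; any state of a block is a valid
    representative precisely because the partition is lumpable."""
    idx = {s: i for i, b in enumerate(partition) for s in b}
    q = [[0.0] * len(partition) for _ in partition]
    for i, block in enumerate(partition):
        rep = next(iter(block))
        for t, r in rates.get(rep, {}).items():
            if idx[t] != i:
                q[i][idx[t]] += r
        q[i][i] = -sum(q[i])
    return q


# Constructed toy inputs. LTS: s1/s2 and s3/s4 are bisimilar.
LTS_STATES = ["s0", "s1", "s2", "s3", "s4"]
LTS_VAL = {"s0": {"p"}, "s1": {"q"}, "s2": {"q"}, "s3": set(), "s4": set()}
LTS_TRANS = {"s0": {("a", "s1"), ("a", "s2")},
             "s1": {("b", "s3")}, "s2": {("b", "s4")}}

# CTMC: two identical components, failure rate 1.0, repair rate 2.0;
# state = (component 1, component 2), U = up, D = down.
CTMC_STATES = ["UU", "UD", "DU", "DD"]
CTMC_RATES = {"UU": {"UD": 1.0, "DU": 1.0},
              "UD": {"UU": 2.0, "DD": 1.0},
              "DU": {"UU": 2.0, "DD": 1.0},
              "DD": {"UD": 2.0, "DU": 2.0}}
# The observer only sees whether the system is up (at least one component up).
CTMC_OBSERVED = [{"UU", "UD", "DU"}, {"DD"}]

if __name__ == "__main__":
    print(bisimulation_quotient(LTS_STATES, LTS_VAL, LTS_TRANS))
    blocks = lumpable_partition(CTMC_STATES, CTMC_RATES, CTMC_OBSERVED)
    print(blocks)
    for row in lumped_generator(blocks, CTMC_RATES):
        print(row)
```

    The two-component chain lumps from four states to three ({UU}, {UD, DU}, {DD}) once the observer distinguishes "system up" from "system down"; started from the trivial one-block partition it stays at one block, which is why lumping in practice always begins from an observable labelling. The bisimulation variant differs only in its signature (reachable (label, block) pairs instead of summed rates), which is the sense in which Markovian bisimulation is a refinement of the ordinary notion.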

    New Directions in Model Checking Dynamic Epistemic Logic

    Dynamic Epistemic Logic (DEL) can model complex information scenarios in a way that appeals to logicians. However, its existing implementations are based on explicit model checking which can only deal with small models, so we do not know how DEL performs for larger and real-world problems. For temporal logics, in contrast, symbolic model checking has been developed and successfully applied, for example in protocol and hardware verification. Symbolic model checkers for temporal logics are very efficient and can deal with very large models. In this thesis we build a bridge: new faithful representations of DEL models as so-called knowledge and belief structures that allow for symbolic model checking. For complex epistemic and factual change we introduce transformers, a symbolic replacement for action models. Besides a detailed explanation of the theory, we present SMCDEL: a Haskell implementation of symbolic model checking for DEL using Binary Decision Diagrams. Our new methods can solve well-known benchmark problems in epistemic scenarios much faster than existing methods for DEL. We also compare its performance to existing model checkers for temporal logics and show that DEL can compete with established frameworks. We zoom in on two specific variants of DEL for concrete applications. First, we introduce Public Inspection Logic, a new framework for the knowledge of variables and its dynamics. Second, we study the dynamic gossip problem and how it can be analyzed with epistemic logic. We show that existing gossip protocols can be improved, but that no perfect strengthening of "Learn New Secrets" exists

    Compositional approach to performance modelling

    Better Late Than Never: A Fully-abstract Semantics for Classical Processes

    We present Hypersequent Classical Processes (HCP), a revised interpretation of the "Proofs as Processes" correspondence between linear logic and the π-calculus initially proposed by Abramsky [1994], and later developed by Bellin and Scott [1994], Caires and Pfenning [2010], and Wadler [2014], among others. HCP mends the discrepancies between linear logic and the syntax and observable semantics of parallel composition in the π-calculus, by conservatively extending linear logic to hyperenvironments (collections of environments, inspired by the hypersequents by Avron [1991]). Separation of environments in hyperenvironments is internalised by ⊗ and corresponds to parallel process behaviour. Thanks to this property, for the first time we are able to extract a labelled transition system (lts) semantics from proof rewritings. Leveraging the information on parallelism at the level of types, we obtain a logical reconstruction of the delayed actions that Merro and Sangiorgi [2004] formulated to model non-blocking I/O in the π-calculus. We define a denotational semantics for processes based on Brzozowski derivatives, and uncover that non-interference in HCP corresponds to Fubini's theorem of double antiderivation. Having an lts allows us to validate HCP using the standard toolbox of behavioural theory. We instantiate bisimilarity and barbed congruence for HCP, and obtain a full abstraction result: bisimilarity, denotational equivalence, and barbed congruence coincide

    Proceedings of the First NASA Formal Methods Symposium

    Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis Of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000

    A Machine-Checked, Type-Safe Model of Java Concurrency : Language, Virtual Machine, Memory Model, and Verified Compiler

    The Java programming language provides safety and security guarantees such as type safety and its security architecture. They distinguish it from other mainstream programming languages like C and C++. In this work, we develop a machine-checked model of concurrent Java and the Java memory model and investigate the impact of concurrency on these guarantees. From the formal model, we automatically obtain an executable verified compiler to bytecode and a validated virtual machine