Who watches the watchers: Validating the ProB Validation Tool

Over the years, ProB has moved from a tool that complemented proving, to a development environment that is now sometimes used instead of proving for applications, such as exhaustive model checking or data validation. This has led to much more stringent requirements on the integrity of ProB. In this paper we present a summary of our validation efforts for ProB, in particular within the context of the norm EN 50128 and safety critical applications in the railway domain.Comment: In Proceedings F-IDE 2014, arXiv:1404.578

Formal development of control software in the medical systems domain

In this thesis we describe the effectiveness of applying a number of formal techniques to the development of industrial control software at Philips Healthcare. We demonstrate how these techniques were tightly incorporated to the industrial workflow and the issues encountered during the application. The work was established in an industrial context, dealing with real industrial projects and a real product concerning the development of interventional X-ray systems. The results are very conclusive in the sense that the used formal techniques could deliver substantially better quality code compared to the code developed in conventional development methods. Also, the results show that the productivity of the formally developed code is better than the productivity of code developed by projects at Philips Healthcare or projects reported worldwide. The thesis also includes a number of design and specification guidelines that assist constructing verifiable components using model checking. The guidelines were successful in designing and verifying a controller component developed at Philips Healthcare. Hence, the guidelines can provide an effective framework to design verifiable control components in industrial settings

Correctness of model-based software composition (CMC). Proceedings. ECOOP 2003 Workshop #11 in association with the 17th European Conference on Object-Oriented Programming, Darmstadt, Germany, July 22, 2003

This proceedings contains the contributions to the Workshop on Correctness of Model-based Software Composition, held in conjunction with the 17th European Conference on Object-Oriented Programming (ECOOP), Darmstadt, Germany on July 22, 2003. While most events concentrate on realisations of composition on the technological level this workshop aims at closing the gap of ensuring the intended composition result supported by the usage of models. Two important problems in composition are first how to model the different assets (such as components, features or aspects) and second the composition of assets such that consistency and correctness is guaranteed. The first problem has been addressed in the Workshop on Model-based Software Reuse (ECOOP 2002). The latter problem occurs when dealing with, e.g., component interoperability, aspect weaving, feature interaction and (on a more abstract level) traceability between different views or models. One approach to deal with the composition problem is to use models allowing to model the composition. This allows checking the interoperability of the different assets to compose, the correctness of the configuration of assets and predicting properties of the assembled system (especially compliance with user requirements). In case of problem detection suitable resolution algorithms can be applied. 10 reviewed contributions give an overview about current research directions in correctness of model-based software compositions. Results from the discussions during the workshop may be found in the ECOOP 2003 workshop reader to be published by Springer LNCS. The web page of the workshop as well as the contributions of this proceedings may be found at URL: http://ssel.vub.ac.be/workshops/ECOOP2003/ Affiliated to previous ECOOP conferences a related workshop about feature interaction (ECOOP 2001) and an additional about model-based software reuse (ECOOP 2002) have been held. Their contributions are published as technical report No. 2001-14 and as technical report No. 2002-4, respectively, at the Universitaet Karlsruhe, Fakultaet fuer Informatik. URLs: http://www.info.uni-karlsruhe.de/~pulvermu/workshops/ecoop2001/ http://www.ubka.uni-karlsruhe.de/cgi-bin/psview?document=/ira/2001/14 http://www.info.uni-karlsruhe.de/~pulvermu/workshops/ECOOP2002/ http://www.ubka.uni-karlsruhe.de/cgi-bin/psview?document=/ira/2002/4 We would like to thank the program committee for their support as well as the authors and participants for their engaged contributions. The Workshop Organisers Ragnhild Van Der Straeten, Andreas Speck, Elke Pulvermueller, Matthias Clauss, Andreas Pleus

Formal verification of the pastry protocol

Pastry is a structured P2P algorithm realizing a Distributed Hash Table (DHT) over an underlying virtual ring of nodes. Hash keys are assigned to the numerically closest node, according to their Ids that both keys and nodes share from the same Id space. Nodes join and leave the ring dynamically and it is desired that a lookup request from arbitrary node for a key is routed to the responsible node for that key which then delivers the message as answer. Several implementations of Pastry are available and have been applied in practice, but no attempt has so far been made to formally describe the algorithm or to verify its properties. Since Pastry combines rather complex data structures, asynchronous communication, concurrency, resilience to churn, i.e. spontaneous join and departure of nodes, it makes an interesting target for verification. This thesis formally models and improves Pastry\u27s core algorithms, such that they provide the correct lookup service in the presence of churn and maintain a local data structures to adapt the dynamic updates of neighborhood. This thesis focuses on Join protocol of Pastry and formally defines different statuses (from "dead" to "ready") of a node according to its stage during join. Only "ready" nodes are suppose to have consistent key mapping among each other and are allowed to deliver the answer message. The correctness property is identified by this thesis tobe CorrectDelivery, stating that there is always at most one node that can deliver an answer to a lookup request for a key and this node is the numerically closest "ready" node to that key. This property is non-trivial to preserve in the presence of churn. The specification language TLA+ is used to model different versions of Pastry algorithm starting with CastroPastry, followed by HaeberlenPastry, IdealPastry and finally LuPastry. The TLA+ model checker TLC is employed to validate the models and to search for bugs. Models are simplified for more efficient checking with TLC and consequently mitigating the state explosion problem. Through this thesis, unexpected violations of CorrectDelivery in CastroPastry and HaeberlenPastry are discovered and analyzed. Based on the analysis, Haeberlen-Pastry is improved to a new design of the Pastry protocol IdealPastry, which is first verified using the interactive theorem prover TLAPS for TLA+. IdealPastry assumes that a "ready" node handles one joining node at a time and it assumes that (1) no departure of nodes (2) no concurrent join between two "ready" nodes closed to each other. The last assumption of IdealPastry is removed by its improved version LuPastry. In LuPastry, a "ready" node adds the joining node directly when it receives the join request and does not accepts any further join request until it gets the confirmation from the current joining node that it is "ready". LuPastry is proved to be correct w.r.t. CorrectDelivery under the assumption that no nodes leave the network, which cannot be further relaxed due to possible network separation when particular nodes simultaneously leave the network. The most subtle part of the deductive system verification is the search for an appropriate inductive invariant which implies the required safety property and is inductively preserved by all possible actions. The search is guided by the construction of the proof, where TLC is used to discover unexpected violations of a hypothetical invariant postulated in an earlier stage. The final proof of LuPastry consists of more than 10,000 proof steps, which are interactively checked in time by using TLAPS launching different back-end automated theorem provers. This thesis serves also as a case study giving the evidence of possibility and the methodology of how to formally model, to analyze and to manually conduct a formal proof of complex transition system for its safety property. Using LuPastry as template, a more general framework on verification of DHT can be constructed.Pastry ist ein P2P ( peer-to-peer) Algorithmus, der eine verteilte Hashtabelle (DHT) über einem als virtuellen Ring strukturierten Netzwerk realisiert. Knoten-Identifikatoren und Hash-Schlüssel entstammen derselben Menge, und jeder Knoten verwaltet die Schlüssel, die seinem Identifikator am nächsten liegen. Knoten können sich zur Laufzeit ins Netz einfügen bzw. es verlassen. Dennoch sollen Anfragen nach einem Schlüssel von beliebigen Knoten immer zu demjenigen Knoten weitergeleitet werden, der den Schlüssel verwaltet, und der die Anfrage dann beantwortet. Pastry wurde mehrfach implementiert und praktisch eingesetzt, aber der Algorithmus wurde bisher noch nie mathematisch präzise modelliert und auf Korrektheit untersucht. Da bei Pastry komplexe Datenstrukturen, asynchrone Kommunikation in einem verteilten Netzwerk und Robustheit gegen churn, d.h. spontanes Einfügen oder Verlassen von Knoten zusammenkommen, stellt das Protokoll eine interessante Fallstudie für formale Verifikationstechniken dar. In dieser Arbeit werden die Kernalgorithmen von Pastry modelliert, die Anfragen nach Schlüsseln in Gegenwart von churn behandeln und lokale Datenstrukturen verwalten, welche die jeweilige Nachbarschaftsbeziehungen zwischen Knoten zur Laufzeit widerspiegeln. Diese Dissertation behandelt insbesondere das Join-Protokoll von Pastry zum Einfügen neuer Knoten ins Netz, das jedem Knoten seinen Status (von dead\u27\u27 bis ready\u27\u27) zuweist. Knoten mit Status ready\u27\u27 müssen untereinander konsistente Modelle der Zuständigkeit für Schlüssel aufweisen und dürfen Anfragen nach Schlüsseln beantworten. Als zentrale Korrektheitseigenschaft wird in dieser Arbeit CorrectDelivery untersucht, die ausdrückt, dass zu jeder Zeit höchstens ein Knoten Anfragen nach einem Schlüssel beantworten darf, und dass es sich dabei um den Knoten mit Status ready\u27\u27 handelt, dessen Identifikator dem Schlüssel numerisch am nâchsten liegt. In Gegenwart von churn ist es nicht einfach diese Eigenschaft sicherzustellen. Wir benutzen die Spezifikationssprache TLA+, um verschiedene Versionen des Pastry-Protokolls zu modellieren: zunächst CastroPastry, gefolgt von HaeberlenPastry und IdealPastry, und schließlich LuPastry. Mit Hilfe des Modelcheckers TLC für TLA+ werden verschiedene qualitative Eigenschaften untersucht, um die Modelle zu validieren und Fehler zu finden. Dafür werden die Modelle zum Teil vereinfacht, um das Problem der Zustandsexplosion zu mindern und so die Effizienz des Modelchecking zu verbessern. Diese Arbeit konnte unerwartete Abläufe von CastroPastry und HaeberlenPastry aufdecken, bei denen die Eigenschaft CorrectDelivery verletzt wird. Auf der Grundlage dieser Analyse und einiger Verbesserungen von HaeberlenPastry wird das Protokoll IdealPastry entwickelt und seine Korrektheit mit Hilfe des interaktiven Theorembeweisers TLAPS für TLA+ gezeigt. IdealPastry stellt sicher, dass ein ready\u27\u27 Knoten zu jeder Zeit höchstens einen neuen Knoten ins Netz einfügt, und es nimmt an, dass (1) kein Knoten je das Netz verlässt und (2) keine zwei Knoten zwischen benachbarten ready\u27\u27 Knoten eingefügt werden. Der Algorithmus LuPastry verbessert IdealPastry und beseitigt Annahme (2) von IdealPastry. In dieser Version nimmt ein ready\u27\u27 Knoten den neu einzufügenden Knoten unmittelbar in seine Nachbarschaft auf und akzeptiert dann solange keinen weiteren neu hinzukommenden Knoten, bis der erste Knoten bestätigt, dass er Status ready\u27\u27 erreicht hat. LuPastry wird als korrekt bezüglich der Eigenschaft CorrectDelivery nachgewiesen, unter der Annahme, dass keine Knoten das Netz verlassen. Diese Annahme kann im allgemeinen nicht vermieden werden, da der Ring in separate Teilnetze zerfallen könnte, wenn bestimmte Knoten gleichzeitig das Netz verlassen. Die größte Herausforderung bei deduktiven Ansätzen zur Systemverifikation ist es, eine geeignete Invariante zu finden, die sowohl die angestrebte Sicherheitseigenschaft impliziert als auch induktiv von allen Systemaktionen erhalten wird. Während der Konstruktion des Korrektheitsbeweises wird TLC benutzt, um unerwartete Gegenbeispiele zu hypothetischen Invarianten zu finden, die zuvor postuliert wurden. Der Beweis des LuPastry-Protokolls besteht aus circa 10000 Beweisschritten, die von TLAPS und seinen integrierten automatischen Theorembeweisern verifiziert werden. Die vorliegende Arbeit dient auch als Fallstudie, welche die Möglichkeit der formalen Modellierung, Analyse und Korrektheitsbeweises von komplexen Transitionssystemen aufzeigt und die dabei notwendigen Einzelschritte und -techniken behandelt. LuPastry kann als Vorlage benutzt werden, um einen allgemeineren Rahmen für die Verifikation von DHT-Protokollen zu schaffen

Fundamental Approaches to Software Engineering

computer software maintenance; computer software selection and evaluation; formal logic; formal methods; formal specification; programming languages; semantics; software engineering; specifications; verificatio

A Comprehensive Study of Declarative Modelling Languages

Declarative behavioural modelling is a powerful modelling paradigm that enables users to model system functionality abstractly and formally. An abstract model is a concise and compact representation of key characteristics of a system, and enables the stakeholders to reason about the correctness of the system in the early stages of development. There are many different declarative languages and they have greatly varying constructs for representing a transition system, and they sometimes differ in rather subtle ways. In this thesis, we compare seven formal declarative modelling languages B, Event-B, Alloy, Dash, TLA+, PlusCal, and AsmetaL on several criteria. We classify these criteria under three main categories: structuring transition systems (control modelling), data descriptions in transition systems (data modelling), and modularity aspects of modelling. We developed this comparison by completing a set of case studies across the data- vs. control-oriented spectrum in all of the above languages. Structurally, a transition system is comprised of a snapshot declaration and snapshot space, initialization, and a transition relation, which is potentially composed of individual transitions. We meticulously outline the differences between the languages with respect to how the modeller would express each of the above components of a transition system in each language, and include discussions regarding stuttering and inconsistencies in the transition relation. Data-related aspects of a formal model include use of basic and composite datatypes, well-formedness and typechecking, and separation of name spaces with respect to global and local variables. Modularity criteria includes subtransition systems and data decomposition. We employ a series of small and concise exemplars we have devised to highlight these differences in each language. To help modellers answer the important question of which declarative modelling language may be most suited for modelling their system, we present recommendations based on our observations about the differentiating characteristics of each of these languages

Formal Methods Case Studies for DO-333

RTCA DO-333, Formal Methods Supplement to DO-178C and DO-278A provides guidance for software developers wishing to use formal methods in the certification of airborne systems and air traffic management systems. The supplement identifies the modifications and additions to DO-178C and DO-278A objectives, activities, and software life cycle data that should be addressed when formal methods are used as part of the software development process. This report presents three case studies describing the use of different classes of formal methods to satisfy certification objectives for a common avionics example - a dual-channel Flight Guidance System. The three case studies illustrate the use of theorem proving, model checking, and abstract interpretation. The material presented is not intended to represent a complete certification effort. Rather, the purpose is to illustrate how formal methods can be used in a realistic avionics software development project, with a focus on the evidence produced that could be used to satisfy the verification objectives found in Section 6 of DO-178C