15 research outputs found

    A Theory of Composing Protocols

    Get PDF
    In programming, protocols are everywhere. Protocols describe the pattern of interaction (or communication) between software systems, for example, between a user-space program and the kernel or between a local application and an online service. Ensuring conformance to protocols avoids a significant class of software errors. Subsequently, there has been a lot of work on verifying code against formal protocol specifications. The pervading approaches focus on distributed settings involving parallel composition of processes within a single monolithic protocol description. However we observe that, at the level of a single thread/process, modern software must often implement a number of clearly delineated protocols at the same time which become dependent on each other, e.g., a banking API and one or more authentication protocols. Rather than plugging together modular protocol-following components, the code must re-integrate multiple protocols into a single component. We address this concern of combining protocols via a novel notion of ‘interleaving’ composition for protocols described via a process algebra. User-specified, domain-specific constraints can be inserted into the individual protocols to serve as ‘contact points’ to guide this composition procedure, which outputs a single combined protocol that can be programmed against. Our approach allows an engineer to then program against a number of protocols that have been composed (re-integrated), reflecting the true nature of applications that must handle multiple protocols at once. We prove various desirable properties of the composition, including behaviour preservation: that the composed protocol implements the behaviour of both component protocols. We demonstrate our approach in the practical setting of Erlang, with a tool implementing protocol composition that both generates Erlang code from a protocol and generates a protocol from Erlang code. This tool shows that, for a range of sample protocols (including real-world examples), a modest set of constraints can be inserted to produce a small number of candidate compositions to choose from. As we increasingly build software interacting with many programs and subsystems, this new perspective gives a foundation for improving software quality via protocol conformance in a multi-protocol setting

    Zertifizierende verteilte Algorithmen

    Get PDF
    Eine Herausforderung der Softwareentwicklung ist, die Korrektheit einer Software sicherzustellen. Testen bietet es keine mathematische Korrektheit. Formale Verifikation ist jedoch oft zu aufwändig. Laufzeitverifikation steht zwischen den beiden Methoden. Laufzeitverifikation beantwortet die Frage, ob ein Eingabe-Ausgabe-Paar korrekt ist. Ein zertifizierender Algorithmus überzeugt seinen Nutzer durch ein Korrektheitsargument zur Laufzeit. Dafür berechnet ein zertifizierender Algorithmus für eine Eingabe zusätzlich zur Ausgabe noch einen Zeugen – ein Korrektheitsargument. Jeder zertifizierende Algorithmus besitzt ein Zeugenprädikat: Ist dieses erfüllt für eine Eingabe, eine Ausgabe und einen Zeugen, so ist das Eingabe-Ausgabe-Paar korrekt. Ein simpler Algorithmus, der das Zeugenprädikat für den Nutzer entscheidet, ist ein Checker. Die Korrektheit des Checkers ist folglich notwendig für den Ansatz und die formale Instanzverifikation, bei der wir Checker verifizieren und einen maschinen-geprüften Beweis für die Korrektheit eines Eingabe-Ausgabe-Paars zur Laufzeit gewinnen. Zertifizierende sequentielle Algorithmen sind gut untersucht. Verteilte Algorithmen, die auf verteilten Systemen laufen, unterscheiden sich grundlegend von sequentiellen Algorithmen: die Ausgabe ist über das System verteilt oder der Algorithmus läuft fortwährend. Wir untersuchen zertifizierende verteilte Algorithmen. Unsere Forschungsfrage ist: Wie können wir das Konzept zertifizierender sequentieller Algorithmen so auf verteilte Algorithmen übertragen, dass wir einerseits nah am ursprünglichen Konzept bleiben und andererseits die Gegebenheiten verteilter Systeme berücksichtigen? Wir stellen eine Methode der Übertragung vor. Die beiden Ziele abwägend entwickeln wir eine Klasse zertifizierender verteilter Algorithmen, die verteilte Zeugen berechnen und verteilte Checker besitzen. Wir präsentieren Fallstudien, Entwurfsmuster und ein Framework zur formalen Instanzverifikation.A major problem in software engineering is to ensure the correctness of software. Testing offers no mathematical correctness. Formal verification is often too costly. Runtime verification stands between the two methods. Runtime verification answers the question whether an input-output pair is correct. A certifying algorithm convinces its user at runtime by offering a correctness argument. For each input, a certifying algorithm computes an output and additionally a witness. Each certifying algorithm has a witness predicate – a predicate with the property: being satisfied for an input, output and witness implies the input-output pair is correct. A simple algorithm deciding the witness predicate for the user is a checker. Hence, the checker’s correctness is crucial to the approach and motivates formal instance verification where we verify checkers and obtain machine-checked proofs for the correctness of an input-output pair at runtime. Certifying sequential algorithms are well-established. Distributed algorithms, designed to run on distributed systems, behave fundamentally different from sequential algorithms: their output is distributed over the system or they even run continuously. We investigate certifying distributed algorithms. Our research question is: How can we transfer the concept of certifying sequential algorithms to distributed algorithms such that we are in line with the original concept but also adapt to the conditions of distributed systems? In this thesis, we present a method to transfer the concept: Weighing up both sometimes conflicting goals, we develop a class of certifying distributed algorithms that compute distributed witnesses and have distributed checkers. We offer case studies, design patterns and a framework for formal instance verification. Additionally, we investigate other methods to transfer the concept of certifying algorithms to distributed algorithms

    Actor programming with static guarantees

    Get PDF
    This thesis discusses two methodologies for applying type discipline to concurrent programming with actors: process types, and session types. A system based on each of the two is developed, and used as the basis for a comprehensive overview of process- and session- type merits and limitations. In particular, we analyze the trade-offs of the two approaches with regard to the expressiveness of the resulting calculi, versus the nature of the static guarantees offered. The first system discussed is based on the notion of a \emph{typestate}, that is, a view of an actor's internal state that can be statically tracked. The typestates used here capture what each actor handle \emph{may} be used for, as well as what it \emph{must} be used for. This is done by associating two kinds of tokens with each actor handle: tokens of the first kind are consumed when the actor receives a message, and thus dictate the types of messages that can be sent through the handle; tokens of the second kind dictate messaging obligations, and the type system ensures that related messages have been sent through the handle by the end of its lifetime. The next system developed here adapts session types to suit actor programming. Session types come from the world of process calculi, and are a means to statically check the messaging taking place over communication channels against a pre-defined protocol. Since actors do not use channels, one needs to consider pairs of actors as participants in multiple, concurrently executed---and thus interleaving---protocols. The result is a system with novel, parameterized type constructs to capture communication patterns that prior work cannot handle, such as the sliding window protocol. Although this system can statically verify the implementation of complicated messaging patterns, it requires deviations from industry-standard programming models---a problem that is true for all session type systems in the literature. This work argues that the typestate-based system, while not enforcing protocol fidelity as the session-inspired one does, is nevertheless more suitable for model actor calculi adopted by practical, already established frameworks such as Erlang and Akka

    Performance evaluation and model checking of probabilistic real-time actors

    Get PDF
    This dissertation is composed of two parts. In the first part, performance evaluation and verification of safety properties are provided for real-time actors. Recently, the actor-based language, Timed Rebeca, was introduced to model distributed and asynchronous systems with timing constraints and message passing communication. A toolset was developed for automated translation of Timed Rebeca models to Erlang. The translated code can be executed using a timed extension of McErlang for model checking and simulation. In the first part of this dissertation, we induce a new toolset that provides statistical model checking of Timed Rebeca models. Using statistical model checking, we are now able to verify larger models against safety properties comparing to McErlang model checking. We examine the typical case studies of elevators and ticket service to show the efficiency of statistical model checking and applicability of our toolset. In the second part of this dissertation, we enhance our modeling ability and cover more properties by performance evaluation and model checking of probabilistic real-time actors. Distributed systems exhibit probabilistic and nondeterministic behaviors and may have time constraints. Probabilistic Timed Rebeca (PTRebeca) is introduced as a timed and probabilistic actor-based language for modeling distributed real-time systems with asynchronous message passing. The semantics of PTRebeca is a Timed Markov Decision Process (TMDP). We provide SOS rules for PTRebeca, and develop two toolsets for analyzing PTRebeca models. The first toolset automatically generates a TMDP model from a PTRebeca model in the form of the input language of the PRISM model checker. We use PRISM for performance analysis of PTRebeca models against expected reachability and probabilistic reachability properties. Additionally, we develop another toolset to automatically generate a Markov Automaton from a PTRebeca model in the form of the input language of the Interactive Markov Chain Analyzer (IMCA). The IMCA can be used as the back-end model checker for performance analysis of PTRebeca models against expected reachability and probabilistic reachability properties. We present the needed time for the analysis of different case studies using PRISM-based and IMCA-based approaches. The IMCA-based approach needs considerably less time, and so has the ability of analyzing significantly larger models. We show the applicability of both approaches and the efficiency of our tools by analyzing a few case studies and experimental results.Þessi ritgerð er tvískipt. Í fyrri hlutanum er farið í mat og sannprófun á eiginleikum öryggis í rauntímalíkönum. Fyrir stuttu síðan var leikendabyggða málið, Timed Rebeca, notað við líkana dreifingu og ósamstillt kerfi með tímastillingu og samskipti í skilaboðum. Búið var til verkfærasett fyrir sjálfvirka þýðingu á Timed Rebeca líkön yfir í Erlang. Hægt er að nota þýdda kóðann með því að nota tímastillta framlengingu af McErlang fyrir líkanaprófun og hermun. Í fyrri hluta þessarar ritgerðar, ætlum við að kynna verkfærasettið sem veitir tölfræðilega prófun á líkön á Timed Rebeca líkön. Með því að nota tölfræðileg próf á líkön er núna hægt að sannreyna stærri líkön eins og í öryggiskröfum McErlang. Við rannsökum dæmigerðar ferilsathuganir af lyftum og miðasölu til að sýna fram á skilvirkni tölfræðilegra líkana og beitingu verkfærasettsins okkar. Í seinni hluta þessarar ritgerðar aukum við við getu líkanagerðarinnar og við náum yfir fleiri eiginleika með mati á framkvæmd og prófunum á líkönum á líkinda rauntíma leikara. Dreifð kerfi sýna líkindi og brigðgenga hegðun sem kunna að hafa tímamörk. Probabilistic Timed Rebeca (PTRebeca) er kynnt sem tímastillt og líkinda leikarabyggt mál líkindadreifðra rauntímakerfa með ósamstillta sendingu skilaboða. Merkingarfræði PTRebeca er Timed Markov Decision Process (TMDP). Við verðum með SOS reglur fyrir PTRebeca, og þróum tvö verkfærasett til að greina PTRebeca líkön.The work on this dissertation was supported by the project "Timed Asynchronous Reactive Objects in Distributed Systems: TARO" (nr.110020021) of the Icelandic Research Fund

    Deductive Verification of Concurrent Programs and its Application to Secure Information Flow for Java

    Get PDF
    Formal verification of concurrent programs still poses a major challenge in computer science. Our approach is an adaptation of the modular rely/guarantee methodology in dynamic logic. Besides functional properties, we investigate language-based security. Our verification approach extends naturally to multi-threaded Java and we present an implementation in the KeY verification system. We propose natural extensions to JML regarding both confidentiality properties and multi-threaded programs

    Methods and tools for the integration of formal verification in domain-specific languages

    Get PDF
    Domain specific Modeling Languages (DSMLs) are increasingly used at the early phases in the development of complex systems, in particular, for safety critical systems. The goal is to be able to reason early in the development on these models and, in particular, to fulfill verification and validation activities (V and V). A widely used technique is the exhaustive behavioral model verification using model-checking by providing a translational semantics to build a formal model from DSML conforming models in order to reuse powerful tools available for this formal domain. Defining a translational semantics, expressing formal properties to be assessed and analysing such verification results require such an expertise in formal methods that it restricts their adoption and may discourage the designers. It is thus necessary to build for each DSML, a toolchain which hides formal aspects for DSML end-users. The goal of this thesis consists in easing the development of such verification toolchains. Our contribution includes 1) expressing behavioral properties in the DSML level by relying on TOCL (Temporal Object Constraint Language), a temporal extension of OCL; 2) An automated transformation of these properties on formal properties while reusing the key elements of the translational semantics; 3) the feedback of verification results thanks to a higher-order transformation and a language which defines mappings between DSML and formal levels; 4) the associated process implementation. Our approach was validated by the experimentation on a subset of the development process modeling language SPEM, and on Ladder Diagram language used to specify programmable logic controllers (PLCs), and by the integration of a formal intermediate language (FIACRE) in the verification toolchain. This last point allows to reduce the semantic gap between DSMLs and formal domains

    Methods and tools for the integration of formal verification in domain-specific languages

    Get PDF
    Les langages dédiés de modélisation (DSMLs) sont de plus en plus utilisés dans les phases amont du développement des systèmes complexes, en particulier pour les systèmes critiques embarqués. L’objectif est de pouvoir raisonner très tôt dans le développement sur ces modèles et, notamment, de conduire des activités de vérification et validation (V and V). Une technique très utilisée est la vérification des modèles comportementaux par exploration exhaustive (model-checking) en utilisant une sémantique de traduction pour construire un modèle formel à partir des modèles métiers pour réutiliser les outils performants disponibles pour les modèles formels. Définir cette sémantique de traduction, exprimer les propriétés formelles à vérifier et analyser les résultats nécessite une expertise dans les méthodes formelles qui freine leur adoption et peut rebuter les concepteurs. Il est donc nécessaire de construire pour chaque DSML, une chaîne d’outils qui masque les aspects formels aux utilisateurs. L’objectif de cette thèse est de faciliter le développement de telles chaînes de vérification. Notre contribution inclut 1) l’expression des propriétés comportementales au niveau métier en s’appuyant sur TOCL (Temporal Object Constraint Language), une extension temporelle du langage OCL; 2) la transformation automatique de ces propriétés en propriétés formelles en réutilisant les éléments clés de la sémantique de traduction; 3) la remontée des résultats de vérification grâce à une transformation d’ordre supérieur et un langage de description de correspondance entre le domaine métier et le domaine formel et 4) le processus associé de mise en oeuvre. Notre approche a été validée par l’expérimentation sur un sous-ensemble du langage de modélisation de processus de développement SPEM, et sur le langage de commande d’automates programmables Ladder Diagram, ainsi que par l’intégration d’un langage formel intermédiaire (FIACRE) dans la chaîne outillée de vérification. Ce dernier point permet de réduire l’écart sémantique entre les DSMLs et les domaines formels. ABSTRACT : Domain specific Modeling Languages (DSMLs) are increasingly used at the early phases in the development of complex systems, in particular, for safety critical systems. The goal is to be able to reason early in the development on these models and, in particular, to fulfill verification and validation activities (V and V). A widely used technique is the exhaustive behavioral model verification using model-checking by providing a translational semantics to build a formal model from DSML conforming models in order to reuse powerful tools available for this formal domain. Defining a translational semantics, expressing formal properties to be assessed and analysing such verification results require such an expertise in formal methods that it restricts their adoption and may discourage the designers. It is thus necessary to build for each DSML, a toolchain which hides formal aspects for DSML end-users. The goal of this thesis consists in easing the development of such verification toolchains. Our contribution includes 1) expressing behavioral properties in the DSML level by relying on TOCL (Temporal Object Constraint Language), a temporal extension of OCL; 2) An automated transformation of these properties on formal properties while reusing the key elements of the translational semantics; 3) the feedback of verification results thanks to a higher-order transformation and a language which defines mappings between DSML and formal levels; 4) the associated process implementation. Our approach was validated by the experimentation on a subset of the development process modeling language SPEM, and on Ladder Diagram language used to specify programmable logic controllers (PLCs), and by the integration of a formal intermediate language (FIACRE) in the verification toolchain. This last point allows to reduce the semantic gap between DSMLs and formal domains

    NOW: Orchestrating services in a nomadic network using a dedicated workflow language

    Get PDF
    AbstractOrchestrating services in nomadic or mobile ad hoc networks is not without a challenge, since these environments are built upon volatile connections. Services residing on mobile devices are exposed to (temporary) network failures, which must be considered the rule rather than the exception. This paper proposes a dedicated workflow language built on top of an ambient-oriented programming language that supports dynamic service discovery and communication primitives resilient to network failures. The proposed workflow language, NOW, has support for high level workflow abstractions for control flow, rich network and service failure detection, and failure handling through compensating actions, and dynamic data flow between the services in the environment. By adding this extra layer of abstraction, the application programmer is offered a flexible way to develop applications for nomadic networks

    Twenty years of rewriting logic

    Get PDF
    AbstractRewriting logic is a simple computational logic that can naturally express both concurrent computation and logical deduction with great generality. This paper provides a gentle, intuitive introduction to its main ideas, as well as a survey of the work that many researchers have carried out over the last twenty years in advancing: (i) its foundations; (ii) its semantic framework and logical framework uses; (iii) its language implementations and its formal tools; and (iv) its many applications to automated deduction, software and hardware specification and verification, security, real-time and cyber-physical systems, probabilistic systems, bioinformatics and chemical systems
    corecore