Extended OCL for Goal Monitoring

Monitoring human-computer interaction aids the analysis for understanding how well software meets its purpose. In particular, monitoring human-computer interactions with respect to a user's goal model helps to determine user satisfaction. By formalizing a goal model, runtime monitors can be automatically derived. The REQMON system monitors the satisfaction of goal models. Recently, an OCL compiler was developed for REQMON. The OCL was extended slightly to address temporal and real-time constraints. Now, goal models can be represented in the extended OCL, from which runtime monitors can be compiled. The resulting REQMON system appears to be easier to use comes the abstract

Invariant-driven specifications in Maude

AbstractThis work presents a general mechanism for executing specifications that comply with given invariants, which may be expressed in different formalisms and logics. We exploit Maude’s reflective capabilities and its properties as a general semantic framework to provide a generic strategy that allows us to execute Maude specifications taking into account user-defined invariants. The strategy is parameterized by the invariants and by the logic in which such invariants are expressed. We experiment with different logics, providing examples for propositional logic, (finite future time) linear temporal logic and metric temporal logic

ECL: the Event Constraint Language, an Extension of OCL with Events

The Clock Constraint Specification Language (\ccsl) has been informally introduced in the specifications of the \uml Profile for Modeling and Analysis of Real-Time and Embedded systems (MARTE). In a previous report entitled ''Syntax and Semantics of the Clock Constraint Specification Language'', we equipped a kernel of \ccsl with an operational semantics. In the present report we pursue this clarification effort by giving a mathematical characterization to each \ccsl constructs.On utilise souvent un metamodèle pour spécifier les concepts et les relations d'un langage de modélisation dédié à un domaine particulier. Lorsque cela est nécessaire, on peut ajouter des règles de bonne formation structurelles en OCL (Object Constraint Language). OCL permet également de donner des pré et des post conditions sur l'execution de méthodes. Cependant, OCL et les techniques de métamodélisation existantes ne sont pas suffisantes pour exprimer le parallélisme, les causalités et les comportements temporels d'un modèle. Dans ce rapport nous présentons une approches basée sur les modèles pour exprimer le parallélisme, les causalités et les comportements temporels d'une manière formelle et explicite, directement au sein d'un modèle. Afin de s'intégrer facilement dans un flôt de conception et de bénéficier de l'outillage existant, l'approche est une extension du langage OCL. Notre approche permet alors la spécification d'invariants comportementaux. Des examples simples permettent d'illustrer l'approche

DASH: Declarative Modelling with Control State Hierarchy (Preliminary Version)

We present a new language, called DASH, for describing formal behavioural models. DASH combines common modelling constructs to describe abstractly both data and control in an integrated manner. DASH uses the Alloy language for describing data and its operations declaratively, and adds syntax for labelled control state hierarchy common in Statecharts descriptions of transition systems. In addition, DASH accommodates multiple factoring paradigms for modelling (control states, events, and conditions) and includes syntactic sugar (e.g., transition comprehension, transition templates) to write models that are concise and easy to understand. We describe the formal semantics of DASH, which carefully mix the usual semantic understanding of control state hierarchy with the declarative perspective, for creating abstract models early in system development. We implement these semantics in a translator from DASH to Alloy taking advantage of Alloy language features. We demonstrate DASH, our tool, and model checking analysis in the Alloy Analyzer using several case studies. The key novel insight of our work is in combining seamlessly common data and control modelling paradigms in a way that will be intuitive for those used to either paradigm, and enabling automatic analysis of the integrated model

Web Service Transaction Correctness

In our research we investigate the problem of providing consistency, availability and durability for Web Service transactions. First, we show that the popular lazy replica update propagation method is vulnerable to loss of transactional updates in the presence of hardware failures. We propose an extension to the lazy update propagation approach to reduce the risk of data loss. Our approach is based on the buddy system, requiring that updates are preserved synchronously in two replicas, called buddies. The rest of the replicas are updated using lazy update propagation protocols. Our method provides a balance between durability (i.e., effects of the transaction are preserved even if the server, executing the transaction, crashes before the update can be propagated to the other replicas) and efficiency (i.e., our approach requires a synchronous update between two replicas only, adding a minimal overhead to the lazy replication protocol). Moreover, we show that our method of selecting the buddies ensures correct execution and can be easily extended to balance workload, and reduce latency observable by the client. Second, we consider Web Service transactions that consume anonymous and attribute based resources. We show that the availability of the popular lazy replica update propagation method can be achieved while increasing its durability and consistency. Our system provides a new consistency constraint, Capacity Constraint, which allows the system to guarantee that resources are not over consumed and also allows for higher distribution of the consumption. Our method provides; 1.) increased availability through the distribution of element master\u27s by using all available clusters, 2.) consistency by performing the complete transaction on a single set of clusters, and 3.) guaranteed durability by updating two clusters synchronously with the transaction. Third, we consider each transaction as a black box. We model the corresponding metadata, i.e., transaction semantics, as UML specifications. We refer to these WS-transactions as coarse grained WS-transactions. We propose an approach that guarantees the availability of the popular lazy replica update propagation method while increasing the durability and consistency. In this section we extend the Buddy System to handle course grained WS-transactions, using UML stereotypes that allow scheduling semantics to be embedded into the design model. This design model is the then exported and consumed by a service dispatcher to provide: 1.) High availability by distributing service requests across all available clusters. 2.) Consistency by performing the complete transaction on a single set of clusters. 3.) Durability by updating two clusters synchronously. Finally, we consider enforcement of integrity constraints in a way that increases availability while guaranteeing the correctness specified in the constraint. We organize these integrity constraints into three categories: entity, domain and hierarchical constraints. Hierarchical constraints offer an opportunity for optimization because of an expensive aggregation calculation required in the enforcement of the constraint. We propose an approach that guarantees that the constraint cannot be violated but it also allows the distribution of write operations among many clusters to increase availability. In our previous work, we proposed a replica update propagation method, called the Buddy System, which guaranteed durability and increased availability of web services. In this section we extend the Buddy System to enforce the hierarchical data integrity constraints

Framework for automatic verification of UML design models : application to UML 2.0 interactions

Software-intensive systems have become extremely complex and susceptible to defects and vulnerabilities. At the same time, the consequences of software errors have also become much more severe. In order to reduce the overall development cost and assure the security and reliability of the final product, it is of critical importance to investigate techniques able to detect defects as early as possible in the software development process, where the costs of repairing a software flaw are much lower than at the maintenance phase. In this research work, we propose an approach for detecting flaw at the design phase by combining two highly successful techniques in the information technology (IT) industry in the field of modeling languages and verification technologies. The first one is the Unified Modeling Language (UML). It has become the de facto language for software specification and design. UML is now used by a wide range of professionals with very different background. The second one is Model Checking , which is a formal verification technique that allows the desired properties to be verified through the inspection of all possible states of the model under consideration. Despite the fact that Model Checking gives significant capabilities to developers in order to create a secure design of the system, they are still not very popular in the UML community. There are many challenges faced by UML developers when it comes to combine UML with model checking (e.g., developer are not familiar with formal logics, the verification result is not in the UML notation, and the generation of the model checkers code from UML models is a problematic task). The proposed approach addresses these problems by implementing a new verification framework with support to property specification without using the complexity of formal languages, UML-like notation for the verification results, and a fully automatic verification proces

Dash: Declarative Behavioural Modelling in Alloy

An abstract model is a representation of the fundamental characteristics and properties of a system, and its purpose is to provide feedback to stakeholders about the correctness of the system during the early stages of development. This thesis presents Dash, a new language for the formal specification of abstract behavioural models, which combines the control-oriented constructs of statecharts with the declarative modelling of Alloy. From statecharts, Dash inherits a means to specify hierarchy, concurrency, and communication, three useful aspects to describe the behaviour of reactive systems. From Alloy, Dash uses the expressiveness of relational logic and set theory to abstractly and declaratively describe structures, data, and operations. The purpose of a Dash model is to formally describe a transition system, and for this reason transitions are first-class constructs of the language. Dash provides features such as factoring, transition comprehension, and layering, to systematically declare and organise the transitions of a model. The integration between statecharts and Alloy is done in Dash at the semantic level. The semantics of Dash use the notion of big steps and small steps to formally describe changes in a system, and address the mismatch between declarative and control-oriented formalisms regarding the frame problem. This thesis presents several case studies to demonstrate the modelling capabilities and automated analysis of Dash models. The case studies range from heavily data-oriented systems to highly hierarchical and concurrent systems. Behaviours can be specified using a temporal logic and the Alloy Analyzer is used for performing analyses. We extended the notion of significance axioms and significant scopes to concurrent Dash models, to avoid spurious instances of a model and ensure that a big enough search space is explored by the Analyzer to check for interesting behaviours and provide useful feedback about a model

Representing Dynamic Invariants in Ontologically Well-Founded Conceptual Models

Conceptual models often capture the invariant aspects of the phenomena we perceive. These invariants may be considered static when they refer to structures we perceive in phenomena at a particular point in time or dynamic/temporal when they refer to regularities across different points in time. While static invariants have received significant attention, dynamics enjoy marginal support in widely-employed techniques such as UML and OCL. This thesis aims at addressing this gap by proposing a technique for the representation of dynamic invariants of subject domains in UML-based conceptual models. For that purpose, a temporal extension of OCL is proposed. It enriches the ontologically well-founded OntoUML profile and enables the expression of a variety of (arbitrary) temporal constraints. The extension is fully implemented in the tool for specification, verification and simulation of enriched OntoUML models

Formally Verifiable Object-Oriented System Specifications with UML for Railway Signalling and Safety Systems

Um die Präzision und Überprüfbarkeit der Systemanforderungsspezifikationen zu erhöhen, empfehlen die CENELEC-Normen für die Eisenbahnsysteme den Einsatz von formalen Methoden, die über eindeutige Syntax und Semantik verfügen. In der vorliegenden Arbeit werden für die Spezifikation und Verifikation von Eisenbahnsicherungssystemen formal fundierte grafische Beschreibungsmittel zur Verfügung gestellt. Diese Beschreibungsmittel sind eine Auswahl von Diagrammen der Unified Modeling Language (UML), die unterschiedliche Sichten in der Systemanforderungsspezifikation darstellen. Durch die Klassendiagramme kann die Systemstruktur beschrieben werden. Die Zustandsdiagramme und die Sequenzdiagramme werden für die Spezifikation des dynamischen Systemverhaltens verwendet. In den Klassendiagrammen werden für die Relationen Assoziation, Aggregation, Komposition und Vererbung formale Definitionen eingeführt, die die präzise Spezifikation von Beziehungen unter den Systemkomponenten ermöglichen. Weiter werden auf Basis dieser Definitionen Kriterien für die Konsistenzüberprüfung zwischen den verschiedenen Teilen der Systemspezifikation eingeführt. In den Zustandsdiagrammen werden die Aktionen, ihre Ausführung, unterschiedliche Zustandsarten und ihre Aktivierung formal definiert. Transitionen zwischen den Zuständen und deren Ausführung sind weitere Punkte, die dabei präzisiert werden. Über die eingeführten formalen Semantiken für angewendete Notationen werden Schemata für die Transformation von Zustandsdiagrammen der UML in eine formal verifizierbare Form definiert. Dadurch ist eine formale Verifikation der Systemanforderungsspezifikation durchführbar, die auf der Technik Model-Checking basiert. Die Anwendbarkeit der präsentierten Spezifikationsmittel und die formale Verifikation über die Technik Model-Checking werden am Beispiel des eingleisigen Bahnübergangs im Funkfahrbetrieb demonstriert. Dadurch sind für die Erstellung einer formal verifizierbaren Systemanforderungsspezifikation Beschreibungsmittel bereitgestellt, die aufgrund ihrer grafischen Gestalt für die Ingenieure der Eisenbahnsicherungstechnik handhabbar sind, und die Forderung der CENELEC-Normen nach Erhöhung der Präzision und Verifizierbarkeit erfüllen.In order to increase precision und verifiability of system requirements specifications the CENELEC standards for Railway Signalling and Safety Systems recommend the use of formal methods, which possess unambiguous syntax and semantics. In this thesis, formal-based graphical notations are provided for specifying and verifying Railway Signalling and Safety Systems. These notations are a selection of diagrams from the Unified Modeling Language (UML) which represent different views for system requirements specifications. System structures can be described by employing class diagrams. State diagrams and sequence diagrams are used for specifying the dynamic system behaviour. In class diagrams, formal definitions are introduced for the relations association, aggregation, composition and inheritance. This enables the precise specification of relations between system components. Furthermore, on the basis of these definitions criteria for consistency checks between the different parts of a system specification are introduced. By means of state diagrams actions, their execution, different kinds of states and their activation are defined formally. Transitions between states and their execution are further items which are rendered more precise within this scope. The introduced formal semantics of the notations employed are used to define rules for the transformation of UML state diagrams into formally verifiable forms. Thereby, the formal verification of system requirements specifications based on the technique of model checking becomes feasible. The applicability of the presented means of specification and formal verification by model checking is demonstrated on the example of the singletrack level crossing in radio-based operation. This ensures that notations for specification and formal verification of system requirements are provided, which are usable for engineers in Railway Signalling and Safety Systems and which meet the demands of the CENELEC standards for increasing precision and verifiability

Requirements Specification, Behavioral Specification and Checking of object-oriented Interlocking Systems using Multi-Object Logics, UML State Machines and Multi-Object Checking

Rechner haben durch ihre Programmierbarkeit und ihre Leistungsfähigkeit in nahezu sämtliche Bereiche des täglichen Lebens Einzug gehalten. Für den Einsatz rechnergestützter Systeme in sicherheitskritischen Umgebungen ist ein Nachweis für die korrekte Funktion von Hard- und Software zu erbringen. Unter dem Gesichtspunkt der Wirtschaftlichkeit erfordert die Entwicklung sicherheitskritischer Systeme den Einsatz automatisierbarer Verfahren, die diesen Nachweis unterstützen. Während relevante Normen die Anwendung formaler und damit automatisierbarer Verfahren empfehlen, existieren keinerlei Kriterien, welche Formalismen wie adäquat oder gar effizient eingesetzt werden können. Universelle Beschreibungssprachen wie die Unified Modeling Language (UML) erfahren durch die hohe Verfügbarkeit von Entwicklungswerkzeugen zunehmende Verbreitung, können den Anforderungen an Formalität und Verifikationsunterstützung jedoch nicht nachkommen. In der vorliegenden Arbeit wird eine Methodik zur Unterstützung des Entwicklungsprozesses sicherheitskritischer Systeme an einem Beispiel aus der Leit- und Sicherungstechnik im Eisenbahnwesen entwickelt. Die Methodik greift dabei Darstellungskonzepte der UML geeignet auf, so dass vorhandene Entwicklungswerkzeuge weiterhin Verwendung finden können. Die vorgestellte Methodik umfasst die Formalisierung der funktionalen Anforderungen in Formeln in der Multi-Objektlogik D1, die über mehrfach erweiterten Kripke-Strukturen interpretiert werden. Mehrfach erweiterte Kripke-Strukturen bilden ebenfalls die Grundlage für kommunizierende Zustandsmaschinen, die durch Zerlegung aus UML-Zustandsmaschinen generiert werden können. Durch die gemeinsame Basis von Anforderungs- und Verhaltensspezifikation wird die Anwendung des effizienten, automatisierbaren Multi-Object Checking Verfahrens zur Verifikation möglich. Im Rahmen der vorliegenden Arbeit wurde dieses Verfahren um einen Mechanismus zur Generierung von Fehlerszenarien erweitert. Dieser findet sowohl bei der Verifikation zur Fehlerlokalisation im Modell als auch bei der Validation zur Generierung von Testfällen Anwendung, so dass nicht nur die Verifikation sondern auch die Validation geeignet unterstützt werden. Die Anwendbarkeit der Methodik wird an einem Fallbeispiel, der Entwicklung einer Stellwerkslogik, demonstriert.Due to their programmability and their high capabilities, computers have entered almost all areas of everyday life. In order to use computer-based systems in a safety-critical environment, the proper function of hardware and software has to be certified. For economic reasons, the development of safety-critical systems requires automation providing such evidence. Whereas relevant norms recommend the application of formal and for this reason automatable methods, criteria regarding how to apply which formalism adequately or even efficiently do not exist yet. As a result of their large amount of available development tools, modeling languages like the Unified Modeling Language (UML) have become more and more popular. However, the UML does not meet the requirements as to formality or as to verification support. In this thesis, a methodology to support the development process of safety-critical systems is developed, using an example of the operation and control technology in railway systems. The methodology reuses UML concepts in such a way that existing development tools can be applied. The provided methodology includes the formalization of functional requirements as Multi-Object Logic D1 formulas. These formulas are interpreted over several times extended Kripke structures which are the basis for communicating state machines. As UML state machines can be decomposed into communicating state machines, UML state machines become applicable in the behavior specification phase. Due to the common basis of the requirements and the behavioral specification, the Multi-Object Checking procedure can be utilized for verification. In this thesis, the Multi-Object Checking procedure is extended by a scenario generation feature in case a Multi-Object Checking property does not hold. This feature can be applied both to verification for fault localization in the model and to validation for test case generation. The applicability of the methodology is demonstrated, using the example of the development of an interlocking logic