    Analyzing and Predicting Verification of Data-Aware Process Models – a Case Study with Spectrum Auctions

    Verification techniques play an essential role in detecting undesirable behaviors in many applications, such as spectrum auctions. By verifying an auction design, one can detect the least favorable outcomes, e.g., the lowest revenue of an auctioneer. However, verification may be infeasible in practice, given the vast size of the state space on the one hand and the large number of properties to be verified on the other. To overcome this challenge, we leverage machine-learning techniques. In particular, we first create a dataset by verifying properties of a spectrum auction. Second, we use this dataset to analyze and predict outcomes of the auction and characteristics of the verification procedure. To evaluate the usefulness of machine learning in the given scenario, we consider prediction quality and feature importance. In our experiments, we observe that prediction models can capture relationships in our dataset well, though one needs to be careful to obtain a representative and sufficiently large training dataset. While the focus of this article is on a specific verification scenario, our analysis approach is general and can be adapted to other domains.

    A Spatial Logic for a Simplicial Complex Model

    Collective Adaptive Systems often consist of many heterogeneous components, typically organised in groups. These entities interact with each other by adapting their behaviour to pursue individual or collective goals. In these systems, the distribution of the entities determines a space that can be either physical or logical. The former is defined in terms of a physical relation among components. The latter depends on logical relations, such as being part of the same group. In this context, the specification and verification of spatial properties play a fundamental role in supporting the design of a system and predicting its behaviour. For this reason, different tools and techniques have been proposed to specify and verify the properties of space. However, these approaches are mainly based on graphs. These are used to model spatial relations, describing a form of proximity among pairs of entities. Unfortunately, such graph-based models do not permit considering relations among more than two entities, which may arise when one is interested in describing multi-dimensional aspects of space. In this work, we propose a spatial logic interpreted on simplicial complexes. These are topological objects able to represent surfaces and volumes efficiently, generalising graphs with higher-order edges. We discuss how the satisfaction of logical formulas can be verified by a correct and complete model checking algorithm, which is linear in the dimension of the simplicial complex and the logical formula. The expressiveness of the proposed logic is studied in terms of the spatial variants of the classical bisimulation and branching bisimulation relations, defined over simplicial complexes.

    Verification Techniques for xMAS

    The OpenModelica integrated environment for modeling, simulation, and model-based development

    OpenModelica is a unique large-scale integrated open-source Modelica- and FMI-based modeling, simulation, optimization, model-based analysis and development environment. Moreover, the OpenModelica environment provides a number of facilities such as debugging; optimization; visualization and 3D animation; web-based model editing and simulation; scripting from Modelica, Python, Julia, and Matlab; efficient simulation and co-simulation of FMI-based models; compilation for embedded systems; Modelica-UML integration; requirement verification; and generation of parallel code for multi-core architectures. The environment is based on the equation-based object-oriented Modelica language and currently uses the MetaModelica extended version of Modelica for its model compiler implementation. This overview paper gives an up-to-date description of the capabilities of the system, short overviews of the open-source symbolic and numeric algorithms used, with pointers to published literature, tool integration aspects, some lessons learned, and the main vision behind its development.

    Authors: Peter Fritzson (Linköping University, Sweden); Adrian Pop (Linköping University, Sweden); Karim Abdelhak (Fachhochschule Bielefeld, Germany); Adeel Asghar (Linköping University, Sweden); Bernhard Bachmann (Fachhochschule Bielefeld, Germany); Willi Braun (Fachhochschule Bielefeld, Germany); Daniel Bouskela (Electricité de France, France); Robert Braun (Linköping University, Sweden); Lena Buffoni (Linköping University, Sweden); Francesco Casella (Politecnico di Milano, Italy); Rodrigo Daniel Castro (Consejo Nacional de Investigaciones Científicas y Técnicas, Oficina de Coordinación Administrativa Ciudad Universitaria, Instituto de Investigación en Ciencias de la Computación; Universidad de Buenos Aires, Facultad de Ciencias Exactas y Naturales, Instituto de Investigación en Ciencias de la Computación; Argentina); Rüdiger Franke (ABB Group, Germany); Dag Fritzson (Linköping University, Sweden); Mahder Gebremedhin (Linköping University, Sweden); Andreas Heuermann (Linköping University, Sweden); Bernt Lie (University of South-Eastern Norway, Norway); Alachew Mengist (Linköping University, Sweden); Lars Mikelsons (Linköping University, Sweden); Kannan Moudgalya (Indian Institute of Technology Bombay, India); Lennart Ochel (Linköping University, Sweden); Arunkumar Palanisamy (Linköping University, Sweden); Vitalij Ruge (Fachhochschule Bielefeld, Germany); Wladimir Schamai (Danfoss Power Solutions GmbH & Co, Germany); Martin Sjolund (Linköping University, Sweden); Bernhard Thiele (Linköping University, Sweden); John Tinnerholm (Linköping University, Sweden); Per Ostlund (Linköping University, Sweden).

    Testing by Dualization

    Software engineering requires rigorous testing to guarantee the product's quality. Semantic testing of functional correctness is challenged by nondeterminism in behavior, which makes testers difficult to write and reason about. This thesis presents a language-based technique for testing interactive systems. I propose a theory for specifying and validating nondeterministic behaviors, with guaranteed soundness and correctness. I then apply the theory to testing practices, and show how to derive interactive tester programs from specifications. I also introduce a language design for producing test inputs that can effectively detect and reproduce invalid behaviors. I evaluate the methodology by specifying and testing real-world systems such as web servers and file synchronizers, demonstrating the derived testers' ability to find disagreements between the specification and the implementation.

    Advanced reduction techniques for model checking

    ITL Monitor: Compositional Runtime Analysis with Interval Temporal Logic

    Runtime verification has gained significant interest in recent years. It is a process in which the execution trace of a program is analysed while it is running. A popular language for specifying temporal requirements for runtime verification is Linear Temporal Logic (LTL), which is excellent for expressing properties such as safety and liveness. Another formalism that is used is Interval Temporal Logic (ITL). This logic has constructs for specifying the behaviour of programs that can be decomposed into subintervals of activity. Traditionally, only a restricted subset of ITL has been used for runtime verification, due to the limitations imposed by making the subset executable. In this thesis an alternative restriction of ITL was considered as the basis for constructing a library of runtime verification monitors (ITL-Monitor). The thesis introduces a new first-occurrence operator (|>) into ITL and explores its properties. This operator is the basis of the translation from runtime monitors to their corresponding ITL formulae. ITL-Monitor is then introduced formally, and the algebraic properties of its operators are analysed. An implementation of ITL-Monitor is given, based upon the construction of a Domain Specific Language using Scala. The architecture of the underlying system comprises a network of concurrent actors built on top of Akka, an industrial-strength distributed actor framework. A number of example systems are constructed to evaluate ITL-Monitor's performance against alternative verification tools. ITL-Monitor is also subjected to a simulation that generates a very large quantity of state data. The monitors were observed to deliver consistent performance across execution traces of up to a million states, and to verify subintervals of up to 300 states against ITL formulae with evaluation complexity of O(n^3).

    SAT-based Analysis, (Re-)Configuration & Optimization in the Context of Automotive Product Documentation

    There is a growing trend towards mass customization, particularly in the area of automotive configuration. Mass customization leads to an enormous increase in complexity. There are hundreds of equipment options from which a customer can choose to assemble a personal car. For a single vehicle model, the number of different configurable cars of a German premium manufacturer is up to 10^80. SAT-based methods have become established for verifying the bill of materials of automotive configurations. In the mid-1990s, Carsten Sinz did pioneering work in the field of SAT-based verification methods for Daimler AG. Building on this, a production software system was installed at Daimler AG after 2005. Other German car manufacturers followed later and also installed SAT-based systems to verify their bills of materials. The present work consists of two main parts. The first part deals with the development of further SAT-based methods for automotive configuration. We show that SAT-based methods are suitable for interactive automotive configuration. We address different aspects of interactive configuration, including consistency checking, generation of examples, explanations, and the avoidance of misconfigurations. Furthermore, we develop SAT-based methods for the verification of dynamic assemblies. A dynamic assembly represents the chronological assembly order of complex parts. The second part deals with the optimization of automotive configurations. We explain and compare different optimization problems of propositional logic and their algorithmic solution approaches. We describe use cases from automotive configuration and show how they can be formalized as propositional optimization problems.
    For example, given a set of desired equipment options, one wants to compute a test vehicle with a minimal addition of further equipment in order to save costs. Furthermore, we deal with the problem of computing a smallest set of vehicles that covers a given test set. As part of this work, we developed a prototype of a (re-)configurator called AutoConfig. At its core, our (re-)configurator uses SAT-based methods, and it has a graphical user interface that allows interactive configuration. AutoConfig can handle instances from three large German car manufacturers, but is not limited to them. With this prototype we want to demonstrate the applicability of our methods.

    Formal Methods for Trustworthy Voting Systems: From Trusted Components to Reliable Software

    Voting is prominently an important part of democratic societies, and its outcome may have a dramatic and broad impact on societal progress. Therefore, it is paramount that such a society has extensive trust in the electoral process, such that the system's functioning is reliable and stable with respect to the expectations within society. Yet, with or without the use of modern technology, voting is full of algorithmic and security challenges, and the failure to address these challenges in a controlled manner may produce fundamental flaws in the voting system and potentially undermine critical societal aspects. In this thesis, we argue for a development process for voting systems that is rooted in and assisted by formal methods that produce transparently checkable evidence for the guarantees that the final system should provide, so that it can be deemed trustworthy. The goal of this thesis is to advance the state of the art in formal methods that allow trustworthy voting systems to be developed systematically and verified provably. In the literature, voting systems are modeled in the following four comparatively separable and distinguishable layers: (1) the physical layer, (2) the computational layer, (3) the election layer, and (4) the human layer. Current research usually either stays mostly within one of those layers or lacks machine-checkable evidence; consequently, trusted and understandable criteria often lack formally proven and checkable guarantees at the software level, and vice versa. The contributions in this work are formal methods that fill the trust gap between the principal election layer and the computational layer by a reliable translation of trusted and understandable criteria into trustworthy software. Thereby, executable procedures can be formally traced back to and understood by election experts without the need for inspection at the code level, and trust can be carried over to the trustworthy system.
    The works in this thesis all contribute to this end and consist of five distinct contributions: (I) a method for the generation of secure card-based communication schemes, (II) a method for the synthesis of reliable tallying procedures, (III) a method for the efficient verification of reliable tallying procedures, (IV) a method for the computation of dependable election margins for reliable audits, and (V) a case study on the security verification of the GI voter-anonymization software. These contributions span formal methods on illustrative examples for each of the three principal components between the election layer and the computational layer: (1) voter-ballot box communication, (2) election method, and (3) election management. Within the first component, the voter-ballot box communication channel, we build a bridge from the communication channel to the cryptographic scheme by automatically generating secure card-based schemes from a small formal model with a parameterization of the desired security requirements. For the second component, the election method, we build a bridge from the election method to the tallying procedure by (1) automatically synthesizing a runnable tallying procedure from the desired requirements, given as properties that capture the intended intuitions or regulations of fairness considerations, (2) automatically generating either comprehensible arguments or bounded proofs to compare tallying procedures based on user-definable fairness properties, and (3) automatically computing concrete election margins for a given tallying procedure, the collected ballots, and the computed election result, which enable efficient election audits.
    Finally, for the third and final component, the election management system, we perform a case study and apply state-of-the-art verification technology to a real-world e-voting system that has been used for the annual elections of the German Informatics Society (GI, "Gesellschaft für Informatik") in 2019. The case study consists of the formal implementation-level security verification that the voter identities are securely anonymized and that the voters' passwords cannot be leaked. The presented methods assist the systematic development and verification of provably trustworthy voting systems across traditional layers, i.e., from the election layer to the computational layer. They all pursue the goal of making voting systems trustworthy by reliable and explainable formal requirements. We evaluate the devised methods on minimal card-based protocols that compute a secure AND function for two different decks of cards, a classical knock-out tournament and several Condorcet rules, various plurality, scoring, and Condorcet rules from the literature, the Danish national parliamentary elections in 2015, and a state-of-the-art electronic voting system that is used for the German Informatics Society's annual elections in 2019 and following.