1,161 research outputs found
Recommended from our members
Automated verification of refinement laws
Demonic refinement algebras are variants of Kleene algebras. Introduced by von Wright as a light-weight variant of the refinement calculus, their intended semantics are positively disjunctive predicate transformers, and their calculus is entirely within first-order equational logic. So, for the first time, off-the-shelf automated theorem proving (ATP) becomes available for refinement proofs. We used ATP to verify a toolkit of basic refinement laws. Based on this toolkit, we then verified two classical complex refinement laws for action systems by ATP: a data refinement law and Back's atomicity refinement law. We also present a refinement law for infinite loops that has been discovered through automated analysis. Our proof experiments not only demonstrate that refinement can effectively be automated, they also compare eleven different ATP systems and suggest that program verification with variants of Kleene algebras yields interesting theorem proving benchmarks. Finally, we apply hypothesis learning techniques that seem indispensable for automating more complex proofs
Refinement Calculus of Reactive Systems
Refinement calculus is a powerful and expressive tool for reasoning about
sequential programs in a compositional manner. In this paper we present an
extension of refinement calculus for reactive systems. Refinement calculus is
based on monotonic predicate transformers, which transform sets of post-states
into sets of pre-states. To model reactive systems, we introduce monotonic
property transformers, which transform sets of output traces into sets of input
traces. We show how to model in this semantics refinement, sequential
composition, demonic choice, and other semantic operations on reactive systems.
We use primarily higher order logic to express our results, but we also show
how property transformers can be defined using other formalisms more amenable
to automation, such as linear temporal logic (suitable for specifications) and
symbolic transition systems (suitable for implementations). Finally, we show
how this framework generalizes previous work on relational interfaces so as to
be able to express systems with infinite behaviors and liveness properties
On a New Notion of Partial Refinement
Formal specification techniques allow expressing idealized specifications,
which abstract from restrictions that may arise in implementations. However,
partial implementations are universal in software development due to practical
limitations. Our goal is to contribute to a method of program refinement that
allows for partial implementations. For programs with a normal and an
exceptional exit, we propose a new notion of partial refinement which allows an
implementation to terminate exceptionally if the desired results cannot be
achieved, provided the initial state is maintained. Partial refinement leads to
a systematic method of developing programs with exception handling.Comment: In Proceedings Refine 2013, arXiv:1305.563
Compositional closure for Bayes Risk in probabilistic noninterference
We give a sequential model for noninterference security including probability
(but not demonic choice), thus supporting reasoning about the likelihood that
high-security values might be revealed by observations of low-security
activity. Our novel methodological contribution is the definition of a
refinement order and its use to compare security measures between
specifications and (their supposed) implementations. This contrasts with the
more common practice of evaluating the security of individual programs in
isolation.
The appropriateness of our model and order is supported by our showing that
our refinement order is the greatest compositional relation --the compositional
closure-- with respect to our semantics and an "elementary" order based on
Bayes Risk --- a security measure already in widespread use. We also relate
refinement to other measures such as Shannon Entropy.
By applying the approach to a non-trivial example, the anonymous-majority
Three-Judges protocol, we demonstrate by example that correctness arguments can
be simplified by the sort of layered developments --through levels of
increasing detail-- that are allowed and encouraged by compositional semantics
Using Indexed and Synchronous Events to Model and Validate Cyber-Physical Systems
Timed Transition Models (TTMs) are event-based descriptions for modelling,
specifying, and verifying discrete real-time systems. An event can be
spontaneous, fair, or timed with specified bounds. TTMs have a textual syntax,
an operational semantics, and an automated tool supporting linear-time temporal
logic. We extend TTMs and its tool with two novel modelling features for
writing high-level specifications: indexed events and synchronous events.
Indexed events allow for concise description of behaviour common to a set of
actors. The indexing construct allows us to select a specific actor and to
specify a temporal property for that actor. We use indexed events to validate
the requirements of a train control system. Synchronous events allow developers
to decompose simultaneous state updates into actions of separate events. To
specify the intended data flow among synchronized actions, we use primed
variables to reference the post-state (i.e., one resulted from taking the
synchronized actions). The TTM tool automatically infers the data flow from
synchronous events, and reports errors on inconsistencies due to circular data
flow. We use synchronous events to validate part of the requirements of a
nuclear shutdown system. In both case studies, we show how the new notation
facilitates the formal validation of system requirements, and use the TTM tool
to verify safety, liveness, and real-time properties.Comment: In Proceedings ESSS 2015, arXiv:1506.0325
Abstract Hidden Markov Models: a monadic account of quantitative information flow
Hidden Markov Models, HMM's, are mathematical models of Markov processes with
state that is hidden, but from which information can leak. They are typically
represented as 3-way joint-probability distributions.
We use HMM's as denotations of probabilistic hidden-state sequential
programs: for that, we recast them as `abstract' HMM's, computations in the
Giry monad , and we equip them with a partial order of increasing
security. However to encode the monadic type with hiding over some state
we use rather
than the conventional that suffices for
Markov models whose state is not hidden. We illustrate the
construction with a small
Haskell prototype.
We then present uncertainty measures as a generalisation of the extant
diversity of probabilistic entropies, with characteristic analytic properties
for them, and show how the new entropies interact with the order of increasing
security. Furthermore, we give a `backwards' uncertainty-transformer semantics
for HMM's that is dual to the `forwards' abstract HMM's - it is an analogue of
the duality between forwards, relational semantics and backwards,
predicate-transformer semantics for imperative programs with demonic choice.
Finally, we argue that, from this new denotational-semantic viewpoint, one
can see that the Dalenius desideratum for statistical databases is actually an
issue in compositionality. We propose a means for taking it into account
Hidden-Markov Program Algebra with iteration
We use Hidden Markov Models to motivate a quantitative compositional
semantics for noninterference-based security with iteration, including a
refinement- or "implements" relation that compares two programs with respect to
their information leakage; and we propose a program algebra for source-level
reasoning about such programs, in particular as a means of establishing that an
"implementation" program leaks no more than its "specification" program.
This joins two themes: we extend our earlier work, having iteration but only
qualitative, by making it quantitative; and we extend our earlier quantitative
work by including iteration. We advocate stepwise refinement and
source-level program algebra, both as conceptual reasoning tools and as targets
for automated assistance. A selection of algebraic laws is given to support
this view in the case of quantitative noninterference; and it is demonstrated
on a simple iterated password-guessing attack
- …