Analyzing Consistency of Formal Requirements

In the development of safety-critical embedded systems, requirements-driven approaches are widely used. Expressing functional requirements in formal languages enables reasoning and formal testing. This paper proposes the Simplified Universal Pattern (SUP) as an easy to use formalism and compares it to SPS, another commonly used specification pattern system. Consistency is an important property of requirements that can be checked already in early design phases. However, formal definitions of consistency are rare in literature and tent to be either too weak or computationally too complex to be applicable to industrial systems. Therefore this work proposes a new formal consistency notion, called partial consistency, for the SUP that is a trade-off between exhaustiveness and complexity. Partial consistency identifies critical cases and verifies if these cause conflicts between requirement

A new set of improved value-at-risk backtests

We propose a new set of formal backtests for VaR-forecasts that significantly improve upon existing backtesting procedures. Our new test of unconditional coverage can be used for both directional and non-directional testing and is thus able to test separately whether a VaR-model is too conservative or underestimates the actual risk exposure. Second, we stress the importance of testing the property of independent and identically distributed (i.i.d.) VaRexceedances and propose a simple approach that explicitly tests for the presence of clusters in VaR-violation processes. Results from a simulation study indicate that our tests significantly outperform competing backtests in several distinct settings. In addition, the empirical analysis of a unique data set consisting of asset returns of an asset manager’s portfolios underline the usefulness of our new backtests especially in times of market turmoil

Chip and Skim: cloning EMV cards with the pre-play attack

EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, or monitoring customer complaints. Finally we discuss countermeasures

Operational Semantics for Featherweight Lua

Lua is a small, embedded language to provide scripting in other languages. De- spite a clean, minimal syntax, it is still too complex for formal reasoning because of some syntactic sugar or specific syntax structures in Lua. This thesis develops Featherweight Lua (FWLua), following the tradition of lan- guages like Featherweight Java[1] and Featherweight JavaScript[2]. The goal is to develop a core of language features that, while remaining simple enough for formal reasoning, also remain faithful to the central characteristics of the language. Specifi- cally for Lua, the core features that are essential for our modeling include: ∙ First-class functions ∙ Tables as the central data construct ∙ Metatables that provide various “hooks” to change the behavior of tables To further validate this approach, we show how an extensive set of features from the full Lua programming language can be reduced to FWLua. Finally, we include a reference implementation written in Haskell as a tool for further testing and experimenting with the language. With this research, we provide a basis for future research into the Lua programming language

Formal Methods Based Development of a PCA Infusion Pump Reference Model: Generic Infusion Pump (GIP) Project

As software becomes ever more ubiquitous and complex in medical devices, it becomes increasingly important to assure that it performs safely and effectively. The critical nature of medical devices necessitates that the software used therein be reliable and free of errors. It becomes imperative, therefore, to have a conformance review process in place to ascertain the correctness of the software and to ensure that it meets all requirements and standards. Formal methods have long been suggested as a means to design and develop medical device software. However, most manufacturers shy from using these techniques, citing them as too complex and time consuming. As a result, (potentially life-threatening) errors are often not discovered until a device is already on the market. In this paper we present a safety model based approach to software conformance checking. Safety models enable the application of formal methods to software conformance checking, and provide a framework for rigorous testing. To illustrate the approach, we develop the safety model for a Generic Infusion Pump (GIP), and explain how it can be used to aid software conformance checking in a regulatory environment

Testing from Structured Algebraic Specifications: The Oracle Problem

Work in the area of specification-based testing has pointed out that testing can be effectively used to verify programs against formal specifications. The aim is to derive test information from formal specifications so that testing can be rigorously applied whenever full formal verification is not cost-effective. However, there are still several obstacles to be overcome in order to establish testing as a standard in formal frameworks. Accurate interpretation of test results is an extremely critical one. This thesis is concerned with testing programs against structured algebraic specifications where axioms are expressed in first-order logic with equations, the usual connectives and quantifiers. The main issue investigated is the so-called oracle problem, that is, whether a decision procedure can be defined for interpreting the results of tests according to a formal specification. In this context, testing consists in checking whether specification axioms are satisfied by programs. Consequently, tests exercise operations referred to by the axioms and oracles evaluate the axioms according to the results produced by the tests. The oracle problem for flat (unstructured) specifications often reduces to the problem of comparing two values of a non-observable sort, namely the equality problem, and also how to deal with quantifiers which may demand infinite test sets. Equality on non-observable sorts is interpreted up to behavioural equivalence with observational equivalence as an important special case. However, a procedure for implementing such a behavioural equality may be hard to define or even impossible. In this thesis, a solution to the oracle problem for flat specifications is presented which tackles the equality problem by using a pair of approximate equalities, one finer than behavioural equality and one coarser, and taking the syntactic position of quantifiers in formulae into account. Additionally, when structured specifications are considered, the oracle problem can be harder. The reason is that specifications may be composed of parts over different signatures, and the structure must be taken into account in order to interpret test results according to specification axioms. Also, an implementation of hidden (non-exported) symbols may be required in order to check axioms which refer to them. Two solutions to the oracle problem for structured specifications are presented in this thesis based on a compositional and a non-compositional style of testing, namely structured testing and flat testing respectively. Structured testing handles the oracle problem more effectively than flat testing and under fewer assumptions. Furthermore, testing from structured specifications may require an approach which lies in between flat and structured testing. Therefore, based on normalisation of ordinary specifications, three normal forms are presented for defining a more practical and combined approach to testing and also coping more effectively with the oracle problem. The use of normal forms gives rise to a style of testing called semi-structured testing where some parts of the specification are replaced by normal forms and the result is checked using structured testing. Testing from normal forms can be very convenient whenever the original specification is too complex or oracles cannot be defined from it

Seed value chains for Sorghum and Millet in Mali: A state-based system in transition

"This paper reviews the structure and performance of the sorghum and millet seed sector in Mali. The Sahel is the origin of pearl millet and sorghum, seed selection and management of these crops is embedded in local cultures, and most producers of these crops are subsistence oriented. Despite seed sector reform, no certified seed of these crops is sold in local markets and farmers prefer to rely on themselves or each other for seed. The dominant source of certified seed is the national seed service. Certified seed is multiplied by contracted farmers and seed producer groups, and supplied to farmers through farmers' associations, development organizations, and extension services. The informal sector supplies farmers with non-certified seed directly and indirectly through village grain markets. There is no consensus about whether it is lack of effective demand or supply that constrains farmer use of certified sorghum and millet seed, but researchers generally conclude that the process of certifying seed is too lengthy, some mechanism must be established for production and trade of locally-adapted landraces, and Mali's highly structured farmers' associations could play an even stronger role in testing and promoting demand for certified seed. Recommendations have included the use of small packs and seed auctions where market infrastructure is sparse, and in more commercialized areas, involvement of agro-input dealers, shopkeepers and traders. Still, estimated adoption rates for improved millet (under 10 percent of crop area) and sorghum seed (under 20 percent of crop area) could be as high as can be expected in this challenging natural environment and institutional context." from Author's AbstractSeeds, Formal sector, Informal sector, Millet, Sorghum, Seed markets, Biodiversity,

Rapid Software Development Life Cycle in Small Projects

Small software projects are becoming more usual nowadays. Whether a small project is conducted privately or professionally, the management of the project and its phases is much easier with proper tools and frameworks. The research target of this thesis is to find out a proper life cycle model for small software projects. This thesis is conducted for Softwarehouse, a professional division of IT services in the University of Turku. The official guide for Scrum framework is adhered in software development but when it comes to formally managing various phases of a software project (planning, design, implementation, testing, reviewing etc.) there is room for improvement. Managing software projects with a proper set of tools and procedures would be beneficial as Softwarehouse works on many projects concurrently. The intended life cycle model has to be formal and heavy enough so that the benefits of agile project management can be received. However too rigid a model can be too arduous and exhausting to use, which could result in the decrease of Softwarehouse’s production volume. Therefore the model has to be light enough to maintain rapid software development and creative atmosphere within the Softwarehouse. This thesis begins by giving outline of existing software development life cycle models and followed by relevant literary exploration. After this the research case is explained in greater detail. These give the foundation and rationale to propose a suitable model. The model is experimented empirically and reviewed by partaking personnel. The results are reviewed and discussed. Finally topics for future research are suggested

Constructing an Interval Temporal Logic for Real-Time Systems

A real-time system is one that involves control of one or more physical devices with essential timing requirements. Examples of these systems are command and control systems, process control systems, flight control systems, and the space shuttle avionics systems. The characteristics of these systems are that severe consequences will occur if the logical and physical timing specifications of the systems are not met. Formal specification and verification are among the techniques to achieve reliable software for real-time systems, in which testing may be impossible or too dangerous to perform. This paper presents a modal logic, Interval Temporal , built upon a classical predicate logic In this logic system, we consider formulas that can be used to reason about timing properties of systems, in particular, responsiveness assertions. A responsiveness assertion describes constraints that a program must satisfy within an interval. Thus, it can be utilized to characterize behaviors of life-critical systems. We assume that a program P can be identified with a theory, a collection of formulas characterizing sequences of states of P with arbitrary initial states. In the following, we describe syntax and semantics of the logic, present a proof rule for responsiveness assertions, and show soundness and relative completeness of responsiveness assertions that we consider. There are other approaches to build temporal logics for real-time systems, which are included in bibliography