    Calculus for decision systems

    The conceptualization of the term system has become highly dependent on the application domain. What a physicist means by the term system might be different from what a sociologist means by the same term. In 1956, Bertalanffy [1] defined a system as a set of units with relationships among them. This and many other definitions of system share the idea of a system as a black box that has parts or elements interacting with each other. This means that at some level of abstraction all systems are similar; what eventually differentiates one system from another is the set of underlying equations which describe how these parts interact within the system.

    In this dissertation we develop a framework that allows us to characterize systems at the interaction level, i.e., a framework that gives us the capability to capture how and when the elements of the system interact. This framework is a process algebra called the Calculus for Decision Systems (CDS). This calculus provides means to create mathematical expressions that capture how systems interact and react to different stimuli. It also provides the ability to formulate procedures to analyze these interactions and to derive further insights into the system.

    After defining the syntax and reduction rules of the CDS, we develop a notion of behavioral equivalence for decision systems. This equivalence, called bisimulation, allows us to compare decision systems from the behavioral standpoint. We apply our results to games in extensive form, some physical systems, and cyber-physical systems.

    Using the CDS for the study of games in extensive form, we were able to define the concept of subgame perfect equilibrium for a two-person game with perfect information. Then, we investigate the behavior of two games played in parallel by one of the players. We also explore different couplings between games, and compare, using bisimulation, the behavior of two games that are the result of two different couplings. The results showed that, with some probability, the behavior of playing a game as first player, or second player, could be irrelevant.

    Decision systems can comprise multiple decision makers. We show that in the case where two decision makers interact, we can use extensive games to represent the conflict resolution. For the case where there are more than two decision makers, we present how to characterize the interactions between elements within an organizational structure. Organizational structures can be perceived as multiple players interacting in a game. In the context of organizational structures, we use the CDS as an information sharing mechanism to transfer the inputs and outputs from one extensive game to another. We show the suitability of our calculus for the analysis of organizational structures, and point out some potential research extensions for the analysis of organizational structures.

    The other general area we investigate using the CDS is cyber-physical systems. Cyber-physical systems (CPS) are a class of systems characterized by a tight relationship between systems (or processes) in the areas of computing, communication and physics. We use the CDS to describe the interaction between elements in some simple mechanical systems, as well as a particular case of the generalized railroad crossing (GRC) problem, which is a typical case of CPS. We show two approaches to the solution of the GRC problem.

    This dissertation does not intend to develop new methods to solve game theoretical problems or the equations of motion of a physical system; it aims to be a seminal work towards the creation of a general framework to study systems and equivalence of systems from a formal standpoint, and to increase the applications of formal methods to real-world problems.

    TiLA: Twin-in-the-Loop Architecture for Cyber-Physical Production Systems

    A digital twin is a virtual replica of a real-world object that lives simultaneously with its physical counterpart. Since its first introduction in 2003 by Grieves, the digital twin has gained momentum in a wide range of applications such as industrial manufacturing, automotive and artificial intelligence. However, many digital-twin-related approaches, found in industry as well as in the literature, mainly focus on modelling individual physical things with high-fidelity methods of limited scalability. In this paper, we introduce a digital-twin architecture called TiLA (Twin-in-the-Loop Architecture). TiLA employs heterogeneous models and online data to create a digital twin, which follows a Globally Asynchronous Locally Synchronous (GALS) model of computation. It facilitates the creation of a scalable digital twin with different levels of modelling abstraction, and the GALS formalism defines its execution strategy. Furthermore, TiLA provides facilities to develop applications around the twin as well as an interface to synchronise the twin with the physical system through an industrial communication protocol. A digital twin for a manufacturing line has been developed as a case study using TiLA. It demonstrates the use of digital twin models together with online data for monitoring and analysing failures in the physical system.

    Proceedings of the First NASA Formal Methods Symposium

    Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000.

    Verificare: a platform for composable verification with application to SDN-Enabled systems

    Software-Defined Networking (SDN) has become increasingly prevalent in both the academic and industrial communities. A new class of system built on SDNs, which we refer to as SDN-Enabled, provides programmatic interfaces between the SDN controller and the larger distributed system. Existing tools for SDN verification and analysis are insufficiently expressive to capture this composition of a network and a larger distributed system. Generic verification systems are an infeasible solution, due to their monolithic approach to modeling and rapid state-space explosion. In this thesis we present a new compositional approach to system modeling and verification that is particularly appropriate for SDN-Enabled systems. In compositional models, sub-components (such as switches and end-hosts) may be modified, added, or removed with only minimal, isolated changes. Furthermore, invariants may be defined over the composed system that restrict its behavior, allowing assumptions to be added or removed and components to be abstracted away into the service guarantee that they provide (such as guaranteed packet arrival). Finally, compositional modeling can minimize the size of the state space to be verified by taking advantage of known model structure. We also present the Verificare platform, a tool chain for building compositional models in our modeling language and automatically compiling them to multiple off-the-shelf verification tools. The compiler outputs a minimal, calculus-oblivious formalism, which is accessed by plugins via a translation API. This enables a wide variety of requirements to be verified. As new tools become available, the translator can easily be extended with plugins to support them.

    Automated Validation of State-Based Client-Centric Isolation with TLA+

    Clear consistency guarantees on data are paramount for the design and implementation of distributed systems. When implementing distributed applications, developers require approaches to verify the data consistency guarantees of an implementation choice. Crooks et al. define a state-based and client-centric model of database isolation. This paper formalizes this state-based model in TLA+, reproduces their examples and shows how to model check runtime traces and algorithms with this formalization. The formalized model in TLA+ enables semi-automatic model checking of different implementation alternatives for transactional operations and allows checking of conformance to isolation levels. We reproduce examples of the original paper and confirm the isolation guarantees of the combination of the well-known 2-phase locking and 2-phase commit algorithms. Using model checking, this formalization can also help find bugs in incorrect specifications. This improves the feasibility of automated checking of isolation guarantees in synthesized synchronization implementations and provides an environment for experimenting with new designs.

    Quality Improvement and Validation Techniques on Software Specification and Design


    A Survey of Practical Formal Methods for Security

    In today's world, critical infrastructure is often controlled by computing systems. This introduces new risks of cyber attacks, which can compromise the security and disrupt the functionality of these systems. It is therefore necessary to build such systems with strong guarantees of resiliency against cyber attacks. One way to achieve this level of assurance is formal verification, which provides proofs of system compliance with desired cyber security properties. This article reviews the use of Formal Methods (FM) in aspects of cyber security and safety-critical systems. We split FM into three main classes: theorem proving, model checking, and lightweight FM. To allow the different uses of FM to be compared, we define a common set of terms. We further develop categories based on the type of computing system FM are applied to. Solutions in each class and category are presented, discussed, compared, and summarised. We describe historical highlights and developments and present a state-of-the-art review in the area of FM in cyber security. This review is presented from the point of view of FM practitioners and researchers, commenting on the trends in each of the classes and categories. This is achieved by considering all types of FM, several types of security and safety-critical systems, and by structuring the taxonomy accordingly. The article hence provides a comprehensive overview of FM and techniques available to system designers of security-critical systems, simplifying the process of choosing the right tool for the task. The article concludes by summarising the discussion of the review, focusing on best practices, challenges, general future trends, and directions of research within this field.