
    Foundations of the B method

    B is a method for specifying, designing and coding software systems. It is based on Zermelo-Fraenkel set theory with the axiom of choice, on the concept of generalized substitution and on structuring mechanisms (machine, refinement, implementation). The concept of refinement is the key notion for developing B models of (software) systems in an incremental way. B models are accompanied by mathematical proofs that justify them. Proofs of B models convince the user (designer or specifier) that the (software) system is effectively correct. We provide a survey of the underlying logic of the B method and of the semantic concepts related to it; we detail the B development process, which is partially supported by the mechanical engine of the prover.

    Proved Development of the Real-Time Properties of the IEEE 1394 Root Contention Protocol with the Event B Method

    We present a model of the IEEE 1394 Root Contention Protocol with a proof of safety. This model has real-time properties which are expressed in the language of the event B method: first-order classical logic and set theory. Verification is done by proof using the event B method and its prover; we also have a way to model-check the models. Refinement is used to describe the studied system at different levels of abstraction: first without time, to fix the scheduling of events abstractly, and then with more and more time constraints.

    The invoice case study modelling in Event B

    It introduces in a very progressive way the different notations and concepts required for developing the case study. Section 2 analyses the case study and extracts information for constructing a first skeleton of a B event-based model. The B event-based modelling technique is introduced in section 3 by writing an event-B model. The first invoice case study model is given in section 4 and completes the skeleton of section 2. Section 5 defines the refinement of an event-B model, and refinement is used in section 6 for deriving the second case study model; a refinement of this model is proposed and introduces an ordering over invoices. Sections 7 and 8 conclude our proof-based development of B event-based models for the case study. The complete B models are given in three figures.

    Formal verification of tamper-evident storage for e-voting

    The storage of votes is a critical component of any voting system. In traditional systems there is a high level of transparency in the mechanisms used to store votes, and thus a reasonable degree of trustworthiness in the security of the votes in storage. This degree of transparency is much more difficult to attain in electronic voting systems, and so the specific mechanisms put in place to ensure the security of stored votes require much stronger verification in order for them to be trusted by the public. There are many desirable properties that one could reasonably expect a vote store to exhibit. From the point of view of security, we argue that tamper-evident storage is one of the most important requirements: the changing or deletion of already validated and stored votes should be detectable, as should the addition of unauthorised votes after the election is concluded. We propose the application of formal methods (in this paper, event-B) for guaranteeing, through construction, the correctness of a vote store with respect to the requirement for tamper-evident storage. We illustrate the utility of our refinement-based approach by verifying, through the application of a reusable formal design pattern, a store design that uses a specific PROM technology and applies a specific encoding mechanism.

    A quality analysis system: from the standard to the product via refinement

    www.cnam.fr
    The RNRT EQUAST project aims to build a tool for measuring quality of service in digital terrestrial television (TNT). A standard (Digital Video Broadcasting DVB; Measurement guidelines for DVB systems. ETSI TR 101 290 v1.2.1) identifies a number of checks and parameters that allow the transmission quality of the network to be evaluated. Implementing this standard as a tool involves computations and strong real-time constraints; it requires a prior model of the system made up of the parameters of that standard. Starting from the standardisation documents and in collaboration with our partners, we extracted and designed event-B models that progressively integrate, through the refinement relation, all the parameters to be evaluated. Refinement ensures, by proof, the consistency of the final model obtained and provides a dependency hierarchy among the parameters of the standard. This hierarchy is produced from the invariant of the model of the resulting system and makes it possible to propose an architecture for the design of the measurement tool. We can thus propose a correct scheduling of the application's tasks. Knowledge of this scheduling, together with the structured view of the system, helps the designer in choosing the electronic implementation. The abstract models of the system are used on the one hand to bring out the organisation of the processing attached to the parameters, and on the other hand for translation into a set of SystemC programs that preserve the properties of the models. In order to remain within a property-preserving approach, we had to model the SystemC scheduler described in the SystemC manual and show that the automated translations did indeed preserve the properties of the abstract models in the SystemC programs.

    Modelling SystemC scheduler by refinement

    Systems on Chip, or SoCs for short, and SoC architectures raise a challenging set of problems of specification, modelling techniques, security issues and structuring questions. Our methodology for designing models of a (SoC) system from requirements leads to formally justified hints on the future architectural choices of that system; it is based on the B event-based method, which integrates the incremental development of models using a theorem prover to validate each development step, called a refinement. The target system is generally expressed using a programming language notation like SystemC; the SystemC language is used by electronic designers to describe different parts of the system (hardware and software), and SystemC constitutes a general framework for simulating and validating the design of the system under construction. The semantics of SystemC is based on its scheduling algorithm, described in the language reference manual, and we develop a B model of that scheduling. The B scheduling model leaves unspecified the parameters that depend on the simulated SystemC program, and those parameters are instantiated from the operational semantics of the developed SystemC program. By instantiation we obtain a B abstract model of the simulated program, and we can study properties of the SystemC program by simulation. The B models are completely validated by the proof assistant of the event-B method. Finally, our models provide a sound framework for understanding the scheduling process.

    Integrating real-time constraints into a proof-based incremental development process (Deliverable 2)

    The report investigates the integration of time constraints into refinement-based development in Event B. Specific proof-based patterns are proposed for developing models that include time-oriented aspects.
    This deliverable is a report on the integration of temporal constraints into Event-B models. By temporal constraints we mean the properties that a system has, or that one wants to impose on it, with respect to its behaviour over time. These are also called real-time properties. The systems considered will in particular be distributed systems; indeed, apart from measuring performance, real-time properties are only useful when one is interested in a set of systems operating concurrently or in a distributed manner. We will therefore study dynamic systems, whether software or hardware, define them, and prove properties, in particular real-time properties, on these models.

    Time Constraint Patterns for Event B Development

    ISSN: 0302-9743 (Print); 1611-3349 (Online); ISBN: 978-3-540-68760-3
    Distributed applications are based on algorithms which should be able to deal with time constraints. It is mandatory to express time constraints in (mathematical) models, and the current work intends to integrate time constraints into the modelling process based on event B models and refinement. The starting point of our work is the event B development of the IEEE 1394 leader election protocol; from the standard documents, we derive temporal requirements to solve the contention problem, and we propose a method for introducing time constraints using a pattern. The pattern captures time constraints in a generic event B development and is applied to the IEEE 1394 case study.

    Static Analysis of Aspect Interaction and Composition in Component Models

    Component-based software engineering and aspect orientation are claimed to be two complementary approaches. While the former ensures the modularity and reusability of software entities, the latter enables the modularity of crosscutting concerns that cannot be modularized by regular components. Nowadays, several approaches and frameworks are dedicated to integrating aspects into component models. However, when several aspects are woven, interferences may appear, which results in undesirable behaviors. The contribution of this paper is twofold. First, we show how aspectualized component models can be formally modeled in the Uppaal model checker in order to detect potential interferences among aspects. Second, we provide an extensible catalog of composition operators used for aspect composition. We illustrate our general approach with an airport Internet service example.

    Event-B Patterns for Specifying Fault-Tolerance in Multi-Agent Interaction

    Interaction in a multi-agent system is susceptible to failure. A rigorous development of a multi-agent system must include the treatment of fault-tolerance of agent interactions for the agents to be able to continue to function independently. Patterns can be used to capture fault-tolerance techniques. A set of modelling patterns is presented that specify fault-tolerance in Event-B specifications of multi-agent interactions. The purpose of these patterns is to capture common modelling structures for distributed agent interaction in a form that is re-usable on other related developments. The patterns have been applied to a case study of the contract net interaction protocol.