A Modeling and Formal Approach for the Precise Specification of Security Patterns

International audienceNon-functional requirements such as Security and Dependability (S &D) become more important as well as more difficult to achieve. In fact, the integration of security features requires the availability of both application domain specific knowledge and security expertise at the same time. Hence, capturing and providing this expertise by the way of security patterns can support the integration of S&D features by design to foster reuse during the process of software system development.The solution envisaged here is based on combining metamodeling techniques and formal methods to represent security pattern at two levels of abstraction fostering reuse during the process of pattern development and during the process of pattern-based development. The contribution of this work is twofold: (1) An improvement of our previous pattern modeling language for representing security pattern in the form of a subsystem providing appropriate interfaces and targeting security properties, (2) Formal specification and validation of pattern properties, using the interactive Isabelle/HOL proof assistant. The resulting validation artifacts may mainly complete the definitions, and provide semantics for the interfaces and the properties in the context of S&D. As a result, validated patterns will be used as bricks to build applications through a Model-Driven engineering approach

Towards a Rule-level Verification Framework for Property-Preserving Graph Transformations

International audienceWe report in this paper a method for proving that a graph transformation is property-preserving. Our approach uses a relational representation for graph grammar and a logical representation for graph properties with first-order logic formulas. The presented work consists in identifying the general conditions for a graph grammar to preserve graph properties, in particular structural properties. We aim to implement all the relevant notions of graph grammar in the Isabelle/HOL proof assistant in order to allow a (semi) automatic verification of graph transformation with a reasonable complexity. Given an input graph and a set of graph transformation rules, we can use mathematical induction strategies to verify statically if the transformation preserves a particular property of the initial graph. The main highlight of our approach is that such a verification is done without calculating the resulting graph and thus without using a transformation engine

Integrating verifiable Assume/Guarantee contracts in UML/SysML

International audienceThe compositional approach based on components and driven by requirements is a common method used in the development of critical real-time embedded systems. Since the satisfaction of a requirement is subject to the composition of several components, defining abstract and partial behaviors for components with respect to the point of view of the requirement allows for a manageable design of systems. In this paper we consider such specifications in the form of contracts. A contract for a component is a pair (assumption, guarantee) where the assumption is an abstraction of the component's environment behavior and the guarantee is an abstraction of the component's behavior given that the environment behaves like the assumption. In previous work we have defined a formal contract-based theory for Timed Input/Output Automata with the aim of using it to express the semantics of UML/SysML models. In this paper we propose an extension of the UML/SysML language with a syntax and semantics for contracts and for the relations they must satisfy. Besides the important role that contracts have in design, they can also be used for the verification of requirement satisfaction and for their traceability

Bad smells in design and design patterns

International audienceTo give a consistent and more valuable property on models, model-driven processes should be able to reuse the expert knowledge generally expressed in terms of patterns. We focus our work on the design stage and on the systematically use of design patterns. Choose a good design pattern and ensure the correct integration of the chosen pattern are non trivial for a designer who wants to use them. To help designers, we propose design inspection in order to detect “bad smells in design” and models reworking through use of design patterns. The automatic detection and the explanation of the misconceptions are performed thanks to spoiled patterns. A “spoiled pattern” is a pattern which allows to instantiate inadequate solutions for a given problem: requirements are respected, but architecture is improvable

Safety Contracts for Timed ReactiveComponents in SysML

International audienceA variety of system design and architecture description languages, such as SysML, UML or AADL, allows the decomposition of complex system designs into communicating timed components. In this paper we consider the contract-based specification of such components. A contract is a pair formed of an assumption, which is an abstraction of the component’s environment, and a guarantee, which is an abstraction of the component’s behavior given that the environment behaves according to the assumption. Thus, a contract concentrates on a specific aspect of the component’s functionality and on a subset of its interface, which makes it relatively simpler to specify. Contracts may be used as an aid for hierarchical decomposition during design or for verification of properties of composites. This paper defines contracts for components formalized as a variant of timed input/output automata, introduces compositional results allowing to reason with contracts and shows how contracts can be used in a high-level modeling language (SysML) for specification and verification, based on an example extracted from a real-life system

1 Sharing Bad Practices in Design to Improve the Use of Patterns

To ensure the use of good analysis and design practices and an easier maintenance of software, analysts and designers may use patterns. To help them, we propose models inspection in order to detect instantiations of “spoiled pattern ” and models reworking through the use of the design patterns. As a design pattern allows the instantiation of the best known solution for a given problem, a “spoiled pattern ” allows the instantiation of alternative solutions for the same problem: requirements are respected, but architecture is improvable. We have collected a set of alternative solutions and deduced the corresponding spoiled patterns. We have defined a first catalog of these improvable practices from several experiments with students. To overcome the limits imposed by this method (restricted public, limited problems and tiresome validation process), we would like to open this problematic to the expert community. Therefore, we propose a collaborative website sharing bad practices in object oriented design to improve the use of patterns

A Precondition Calculus for Correct-by-Construction Graph Transformations

We aim at assisting developers to write, in a Hoare style, provably correct graph transformations expressed in the ALCQ Description Logic. Given a postcondition and a transformation rule, we compute the weakest precondition for developers. However, the size and quality of this formula may be complex and hard to grasp. We seek to reduce the weakest precondition’s complexness by a static analysis based on an alias calculus. The refined precondition is presented to the developer in terms of alternative formulae, each one specifying a potential matching of the source graph. The developer chooses then the formulae that correspond to his intention to obtain finally a correct-byconstruction Hoare triple

Safety contracts for timed reactive components

A variety of system design and architecture description languages, such as SysML, UML or AADL, allows the decomposition of complex system designs into communicating timed components. In this paper we consider the contract-based specification of such components. A contract is a pair formed of an assumption, which is an abstraction of the component’s environment, and a guarantee, which is an abstraction of the component’s behavior given that the environment behaves according to the assumption. Thus, a contract concentrates on a specific aspect of the component’s functionality and on a subset of its interface, which makes it relatively simpler to specify. Contracts may be used as an aid for hierarchical decomposition during design or for verification of properties of composites. This paper defines contracts for components formalized as a variant of timed input/output automata, introduces compositional results allowing to reason with contracts and shows how contracts can be used in a high-level modeling language (SysML) for specification and verification, based on an example extracted from a real-life system

Attribute Computations in the DPoPb Graph Transformation Engine

One of the challenges of attributed graph rewriting systems concerns the implementation of attribute computations. Most of the existing systems adopt the standard algebraic approach where graphs are attributed using sigma-algebras. However, for the sake of efficiency considerations and convenient uses, these systems do not generally implement the whole attribute computations but rely on programs written in a host language. In previous works we introduced the Double Pushout Pullback (DPoPb) framework which integrates attributed graph rewriting and computation on attributes in a unified categorical approach. This paper discusses the DPoPb’s theoretical and practical advantages when using inductive types and lambda-calculus. We also present an implementation of the DPoPb system in the Haskell language which thoroughly covers the semantics of this graph rewriting system

A User-centric Process Management for System and Software Engineering Projects

In traditional process environments, process modeling is performed by process designers and process enacting is performed by process actors. Due to this separation, there is often a gap between process models and their real enactments. As a consequence, the operational level of process environments has stayed low, especially in system and software industry, because they are not directly relevant to process actors’ needs. In order to facilitate the usage of process environments, this paper presents a solution that enables process actors to perform both the modeling and enacting of their real processes. To this end, first, an end-user process modeling approach was proposed to allow each process actor to easily describe the process fragment containing the activities carried out by his role. Second, an artifact-centric process engine was developed to enact activities coming from different process fragments. Our process engine does not require predefined work-sequence relations among these activities to synchronize them, but deduces such dependencies from their exchanged artifacts. As a result, the process engine can enact even a partially defined process where some fragments are missing