222 research outputs found

    A conference management system with verified document confidentiality

    We present a case study in verified security for realistic systems: the implementation of a conference management system, whose functional kernel is faithfully represented in the Isabelle theorem prover, where we specify and verify confidentiality properties. The various theoretical and practical challenges posed by this development led to a novel security model and verification method generally applicable to systems describable as input–output automata.

    CARET analysis of multithreaded programs

    Dynamic Pushdown Networks (DPNs) are a natural model for multithreaded programs with (recursive) procedure calls and thread creation. On the other hand, CARET is a temporal logic that allows one to write linear temporal formulas while taking into account the matching between calls and returns. We consider in this paper the model-checking problem of DPNs against CARET formulas. We show that this problem can be effectively solved by a reduction to the emptiness problem of Büchi Dynamic Pushdown Systems. We then show that CARET model checking is also decidable for DPNs communicating with locks. Our results can, in particular, be used for the detection of concurrent malware.

    Comment: Pre-proceedings paper presented at the 27th International Symposium on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur, Belgium, 10-12 October 2017 (arXiv:1708.07854).

    A Fully Verified Executable LTL Model Checker

    We present an LTL model checker whose code has been completely verified using the Isabelle theorem prover. The checker consists of over 4000 lines of ML code. The code is produced using recent Isabelle technology called the Refinement Framework, which allows us to split its correctness proof into (1) the proof of an abstract version of the checker, consisting of a few hundred lines of “formalized pseudocode”, and (2) a verified refinement step in which mathematical sets and other abstract structures are replaced by implementations of efficient structures like red-black trees and functional arrays. This leads to a checker that, while still slower than unverified checkers, can already be used as a trusted reference implementation against which advanced implementations can be tested. We report on the structure of the checker, the development process, and some experiments on standard benchmarks.

    Cooling of Molecular Ion Beams

    An overview of the use of stored ion beams and phase space cooling (electron cooling) is given for the field of molecular physics. Emphasis is given to interactions between molecular ions and electrons studied in the electron cooler: dissociative recombination and, for internally excited molecular ions, electron-induced ro-vibrational cooling. Diagnostic methods for the transverse ion beam properties and for the internal excitation of the molecular ions are discussed, and results for phase space cooling and internal (vibrational) cooling are presented for hydrogen molecular ions.

    Coulomb-explosion imaging of CH2+: target-polarization effects and bond-angle distribution

    The effect of target polarization fields on the bond-angle distribution following the foil-induced Coulomb explosion of CH2+ has been measured. Incorporating a detailed model description of the polarization effects and other target effects into a Monte Carlo simulation of the experiment, a good description of the various observables is obtained. In particular, the bond-angle distribution is found to agree with existing ab initio calculations.

    This work has been supported in part by the German-Israel Foundation for Scientific Research (GIF) under Contract No. I-707-55.7/2001, the Spanish Ministerio de Ciencia y Tecnología (Project Nos. BFM2003-04457-C02-01/02 and HA2001-0052), the DAAD in the framework of the Acciones Integrados Program 2002/03, and the European Community within the Research Training Network “Electron Transfer Reactions.” One of the authors (S.H.A.) thanks the Fundación Cajamurcia for a Postdoctoral Grant.

    Integration of Formal Proof into Unified Assurance Cases with Isabelle/SACM

    Assurance cases are often required to certify critical systems. The use of formal methods in assurance can improve automation, increase confidence, and overcome errant reasoning. However, assurance cases can never be fully formalised, as the use of formal methods is contingent on models that are validated by informal processes. Consequently, assurance techniques should support both formal and informal artifacts, with explicated inferential links between them. In this paper, we contribute a formal machine-checked interactive language, called Isabelle/SACM, supporting the computer-assisted construction of assurance cases compliant with the OMG Structured Assurance Case Meta-Model. The use of Isabelle/SACM guarantees well-formedness, consistency, and traceability of assurance cases, and allows a tight integration of formal and informal evidence of various provenance. In particular, Isabelle brings a diverse range of automated verification techniques that can provide evidence. To validate our approach, we present a substantial case study based on the Tokeneer secure entry system benchmark. We embed its functional specification into Isabelle, verify its security requirements, and form a modular security case in Isabelle/SACM that combines the heterogeneous artifacts. We thus show that Isabelle is a suitable platform for critical systems assurance.

    Unravelling Site-Specific Photo-Reactions of Ethanol on Rutile TiO2(110)

    Finding the active sites of catalysts and photo-catalysts is crucial for an improved fundamental understanding and the development of efficient catalytic systems. Here we have studied the photo-activated dehydrogenation of ethanol on reduced and oxidized rutile TiO2(110) in ultrahigh vacuum conditions. Utilizing scanning tunnelling microscopy, various spectroscopic techniques and theoretical calculations we found that the photo-reaction proceeds most efficiently when the reactants are adsorbed on regular Ti surface sites, whereas species that are strongly adsorbed at surface defects such as O vacancies and step edges show little reaction under reducing conditions. We propose that regular Ti surface sites are the most active sites in photo-reactions on TiO2.

    Assignment of resonances in dissociative recombination of HD+ ions: high-resolution measurements compared with accurate computations

    The collision-energy resolved rate coefficient for dissociative recombination of HD+ ions in the vibrational ground state is measured using the photocathode electron target at the heavy-ion storage ring TSR. Rydberg resonances associated with ro-vibrational excitation of the HD+ core are scanned as a function of the electron collision energy with an instrumental broadening below 1 meV in the low-energy limit. The measurement is compared to calculations using multichannel quantum defect theory, accounting for rotational structure and interactions and considering the six lowest rotational energy levels as initial ionic states. Using thermal equilibrium level populations at 300 K to approximate the experimental conditions, close correspondence between calculated and measured structures is found up to the first vibrational excitation threshold of the cations near 0.24 eV. Detailed assignments, including naturally broadened and overlapping Rydberg resonances, are performed for all structures up to 0.024 eV. Resonances from purely rotational excitation of the ion core are found to have similar strengths as those involving vibrational excitation. A dominant low-energy resonance is assigned to contributions from excited rotational states only. The results indicate strong modifications in the energy dependence of the dissociative recombination rate coefficient through the rotational excitation of the parent ions, and underline the need for studies with rotationally cold species to obtain results reflecting low-temperature ionized media.

    Comment: 15 pages, 10 figures. Paper to appear in Phys. Rev. A (version as accepted).

    CD44s and CD44v6 Expression in Head and Neck Epithelia

    Background: CD44 splice variants are long known to be associated with cell transformation. Recently, the standard form of CD44 (CD44s) was shown to be part of the signature of cancer stem cells (CSCs) in colon, breast, and head and neck squamous cell carcinomas (HNSCC). This is somewhat in contradiction to previous reports on the expression of CD44s in HNSCC. The aim of the present study was to clarify the actual pattern of CD44 expression in head and neck epithelia.

    Methods: Expression of CD44s and CD44v6 was analysed by immunohistochemistry with specific antibodies in primary head and neck tissues. Scoring of all specimens followed a two-parameter system, which combined the percentage of positive cells with staining intensities from − to +++ (score = % × intensity; resulting max. score 300). In addition, cell surface expression of CD44s and CD44v6 was assessed in lymphocytes and HNSCC.

    Results: In normal epithelia CD44s and CD44v6 were expressed in 60–95% and 50–80% of cells and yielded mean scores with a standard error of the mean (SEM) of 249.5±14.5 and 198±11.13, respectively. In oral leukoplakia and in moderately differentiated carcinomas CD44s and CD44v6 levels were slightly increased (278.9±7.16 and 242±11.7; 291.8±5.88 and 287.3±6.88). Carcinomas in situ displayed unchanged levels of both proteins, whereas poorly differentiated carcinomas consistently expressed diminished CD44s and CD44v6 levels. Lymphocytes and HNSCC lines strongly expressed CD44s but not CD44v6.

    Conclusion: CD44s and CD44v6 expression does not distinguish normal from benign or malignant epithelia of the head and neck. CD44s and CD44v6 were abundantly present in the great majority of cells in head and neck tissues, including carcinomas. Hence, the value of CD44s as a marker for the definition of a small subset of cells (i.e. less than 10%) representing head and neck cancer stem cells may need revision.

    Constrained Dynamic Tree Networks

    We generalise Constrained Dynamic Pushdown Networks, introduced by Bouajjani et al., to Constrained Dynamic Tree Networks. In this model, we have trees of processes which may monitor their children. We allow the processes to be defined by any computation model for which the alternating reachability problem is decidable. We address the problem of symbolic reachability analysis for this model. More precisely, we consider the problem of computing an effective representation of their reachability sets using finite state automata. We show that backwards reachability sets starting from regular sets of configurations are always regular. We provide an algorithm for computing backwards reachability sets using tree automata.