Validity-Guided Synthesis of Reactive Systems from Assume-Guarantee Contracts

Automated synthesis of reactive systems from specifications has been a topic of research for decades. Recently, a variety of approaches have been proposed to extend synthesis of reactive systems from proposi- tional specifications towards specifications over rich theories. We propose a novel, completely automated approach to program synthesis which reduces the problem to deciding the validity of a set of forall-exists formulas. In spirit of IC3 / PDR, our problem space is recursively refined by blocking out regions of unsafe states, aiming to discover a fixpoint that describes safe reactions. If such a fixpoint is found, we construct a witness that is directly translated into an implementation. We implemented the algorithm on top of the JKind model checker, and exercised it against contracts written using the Lustre specification language. Experimental results show how the new algorithm outperforms JKinds already existing synthesis procedure based on k-induction and addresses soundness issues in the k-inductive approach with respect to unrealizable results.Comment: 18 pages, 5 figures, 2 table

A comparison of winter wheat cultivar rankings in groups of Polish locations

The grouping of locations from local-scale multi-environmental trials (METs) into megaenvironments has been criticized. Some European countries, e.g. the Czech Republic, Poland and Germany, have been characterized as possessing homogeneous environmental conditions. For aligned environmental conditions, it has been assumed that cultivar rankings will be similar and consequently cannot be used to designate mega-environments. An example of METs at the local scale is the Polish Post Registration Variety Testing System. The objective of this study was to determine groups of test sites within 16 Polish regions which are characterized by similar yield ranking of 50 winter wheat cultivars over three growing seasons (2011–2013). The compatibility of these cultivar yield rankings across regions was evaluated using Pearson correlation coefficients. Thereby, the 16 regions were divided into six groups (mega-environments) of locations. Regions within each group have similar cultivar rankings, whereas between groups, we observed different cultivar rankings, indicating crossover interactions. Besides similar cultivar yield responses the regions within megaenvironments were characterized also by similar environmental (soil and/or climate) conditions

Effect of pH of injection vehicle on the biological activity of pregnant mare serum (P. M. S.) and chorionic (H. C. G.) gonadotrophins on the weight of the ovary and uterus in immature rats

O artigo apresenta resumo em inglês.Systemic investigations on the effect of pH on the biological activity of pregnant mare serum and chorionic gonadotropins have been carried out using intact immature rats. With the P. M. S. the uterine and the ovarian weight responses showed the lowest values at pH 3 and pH 10 and highest values at pH 7, at moderate doses of hormones. However, the observed differences were not statistically significant. With the H.C.G. the uterine and ovarian weight responses showed the lowest values at pH 3 and highest values at pH 7 and pH 10. Significant difference in the ovarian weight response between pH 3 and those of the pH 7 — pH 10 could be demonstrated, whereas no significant difference was found with the results obtained in the uterine weights groups

An Improved Implementation and Abstract Interface for Hybrid

Hybrid is a formal theory implemented in Isabelle/HOL that provides an interface for representing and reasoning about object languages using higher-order abstract syntax (HOAS). This interface is built around an HOAS variable-binding operator that is constructed definitionally from a de Bruijn index representation. In this paper we make a variety of improvements to Hybrid, culminating in an abstract interface that on one hand makes Hybrid a more mathematically satisfactory theory, and on the other hand has important practical benefits. We start with a modification of Hybrid's type of terms that better hides its implementation in terms of de Bruijn indices, by excluding at the type level terms with dangling indices. We present an improved set of definitions, and a series of new lemmas that provide a complete characterization of Hybrid's primitives in terms of properties stated at the HOAS level. Benefits of this new package include a new proof of adequacy and improvements to reasoning about object logics. Such proofs are carried out at the higher level with no involvement of the lower level de Bruijn syntax.Comment: In Proceedings LFMTP 2011, arXiv:1110.668

Block public access: Trust safety verification of access control policies

© 2020 Owner/Author. Data stored in cloud services is highly sensitive and so access to it is controlled via policies written in domain-specific languages (DSLs). The expressiveness of these DSLs provides users flexibility to cover a wide variety of uses cases, however, unintended misconfigurations can lead to potential security issues. We introduce Block Public Access, a tool that formally verifies policies to ensure that they only allow access to trusted principals, i.e. that they prohibit access to the general public. To this end, we formalize the notion of Trust Safety that formally characterizes whether or not a policy allows unconstrained (public) access. Next, we present a method to compile the policy down to a logical formula whose unsatisfiability can be (1) checked by SMT and (2) ensures Trust Safety. The constructs of the policy DSLs render unsatisfiability checking PSPACE-complete, which precludes verifying the millions of requests per second seen at cloud scale. Hence, we present an approach that leverages the structure of the policy DSL to compute a much smaller residual policy that corresponds only to untrusted accesses. Our approach allows Block Public Access to, in the common case, syntactically verify Trust Safety without having to query the SMT solver. We have implemented Block Public Access and present an evaluation showing how the above optimization yields a low-latency policy verifier that the S3 team at AWS has integrated into their authorization system, where it is currently in production, analyzing millions of policies everyday to ensure that client buckets do not grant unintended public access

Gospodarka światowa w XXI wieku: współczesne uwarunkowania i wyzwania

Praca recenzowana / peer-reviewed pape

Formal Model-Based Assurance Cases in Isabelle/SACM : An Autonomous Underwater Vehicle Case Study

Isabelle/SACM is a tool for automated construction of model-based assurance cases with integrated formal methods, based on the Isabelle proof assistant. Assurance cases show how a system is safe to operate, through a human comprehensible argument demonstrating that the requirements are satisfied, using evidence of various provenances. They are usually required for certification of critical systems, often with evidence that originates from formal methods. Automating assurance cases increases rigour, and helps with maintenance and evolution. In this paper we apply Isabelle/SACM to a fragment of the assurance case for an autonomous underwater vehicle demonstrator. We encode the metric unit system (SI) in Isabelle, to allow modelling requirements and state spaces using physical units. We develop a behavioural model in the graphical RoboChart state machine language, embed the artifacts into Isabelle/SACM, and use it to demonstrate satisfaction of the requirements

Stratified Abstraction of Access Control Policies

The shift to cloud-based APIs has made application security critically depend on understanding and reasoning about policies that regulate access to cloud resources. We present stratified predicate abstraction, a new approach that summarizes complex security policies into a compact set of positive and declarative statements that precisely state who has access to a resource. We have implemented stratified abstraction and deployed it as the engine powering AWS’s IAM Access Analyzer service, and hence, demonstrate how formal methods and SMT can be used for security policy explanation

Needle & knot : binder boilerplate tied up

To lighten the burden of programming language mechanization, many approaches have been developed that tackle the substantial boilerplate which arises from variable binders. Unfortunately, the existing approaches are limited in scope. They typically do not support complex binding forms (such as multi-binders) that arise in more advanced languages, or they do not tackle the boilerplate due to mentioning variables and binders in relations. As a consequence, the human mechanizer is still unnecessarily burdened with binder boilerplate and discouraged from taking on richer languages. This paper presents Knot, a new approach that substantially extends the support for binder boilerplate. Knot is a highly expressive language for natural and concise specification of syntax with binders. Its meta-theory constructively guarantees the coverage of a considerable amount of binder boilerplate for well-formed specifications, including that for well-scoping of terms and context lookups. Knot also comes with a code generator, Needle, that specializes the generic boilerplate for convenient embedding in COQ and provides a tactic library for automatically discharging proof obligations that frequently come up in proofs of weakening and substitution lemmas of type-systems. Our evaluation shows, that Needle & Knot significantly reduce the size of language mechanizations (by 40% in our case study). Moreover, as far as we know, Knot enables the most concise mechanization of the POPLmark Challenge (1a + 2a) and is two-thirds the size of the next smallest. Finally, Knot allows us to mechanize for instance dependentlytyped languages, which is notoriously challenging because of dependent contexts and mutually-recursive sorts with variables

Software engineering processes for self-adaptive systems

In this paper, we discuss how for self-adaptive systems some activities that traditionally occur at development-time are moved to run-time. Responsibilities for these activities shift from software engineers to the system itself, causing the traditional boundary between development-time and run-time to blur. As a consequence, we argue how the traditional software engineering process needs to be reconceptualized to distinguish both development-time and run-time activities, and to support designers in taking decisions on how to properly engineer such systems. Furthermore, we identify a number of challenges related to this required reconceptualization, and we propose initial ideas based on process modeling. We use the Software and Systems Process Engineering Meta-Model (SPEM) to specify which activities are meant to be performed off-line and on-line, and also the dependencies between them. The proposed models should capture information about the costs and benefits of shifting activities to run-time, since such models should support software engineers in their decisions when they are engineering self-adaptive systems