269 research outputs found
Experiences with formal engineering: model-based specification, implementation and testing of a software bus at Neopost
We report on the actual industrial use of formal methods during the development of a software bus. During an internship at Neopost Inc., of 14 weeks, we developed the server component of a software bus, called the XBus, using formal methods during the design, validation and testing phase: we modeled our design of the XBus in the process algebra mCRL2, validated the design using the mCRL2-simulator, and fully automatically tested our implementation with the model-based test tool JTorX. This resulted in a well- tested software bus with a maintainable architecture. Writing the model (mdev), simulating it, and testing the implementation with JTorX only took 17% of the total development time. Moreover, the errors found with model-based testing would have been hard to find with conventional test methods. Thus, we show that formal engineering can be feasible, beneficial and cost-effective.\ud
The findings above, reported earlier by us in (Sijtema et al., 2011) [1], were well- received, also in industrially oriented conferences (Ferreira and Romanenko, 2010) [2] and [3]. In this paper, we look back on the case study, and carefully analyze its merits and shortcomings. We reflect on (1) the added benefits of model checking, (2) model completeness and (3) the quality and performance of the test process.\ud
Thus, in a second phase, after the internship, we model checked the XBus protocolāthis was not done in [1] since the Neopost business process required a working implementation after 14 weeks. We used the CADP tool evaluator4 to check the behavioral requirements obtained during the development. Model checking did not uncover errors in model mdev, but revealed that model mdev was neither complete nor optimized: in particular, requirements to the so-called bad weather behavior (exceptions, unexpected inputs, etc.) were missing. Therefore, we created several improved models, checked that we could validate them, and used them to analyze quality and performance of the test process. Model checking was expensive: it took us approx. 4 weeks in total, compared to 3 weeks for the entire model-based testing approach during the internship.\ud
In the second phase, we analyzed the quality and performance of the test process, where we looked at both code and model coverage. We found that high code coverage (almost 100%) is in most cases obtained within 1000 test steps and 2 minutes, which matches the fact that the faults in the XBus were discovered within a few minutes.\ud
Summarizing, we firmly believe that the formal engineering approach is cost-effective, and produces high quality software products. Model checking does yield significantly better models, but is also costly. Thus, system developers should trade off higher model quality against higher costs
Model-based Safety and Security Co-analysis: a Survey
We survey the state-of-the-art on model-based formalisms for safety and
security analysis, where safety refers to the absence of unintended failures,
and security absence of malicious attacks. We consider ten model-based
formalisms, comparing their modeling principles, the interaction between safety
and security, and analysis methods. In each formalism, we model the classical
Locked Door Example where possible. Our key finding is that the exact nature of
safety-security interaction is still ill-understood. Existing formalisms merge
previous safety and security formalisms, without introducing specific
constructs to model safety-security interactions, or metrics to analyze trade
offs
ATM:a Logic for Quantitative Security Properties on Attack Trees
Critical infrastructure systems - for which high reliability and availability are paramount - must operate securely. Attack trees (ATs) are hierarchical diagrams that offer a flexible modelling language used to assess how systems can be attacked. ATs are widely employed both in industry and academia but - in spite of their popularity - little work has been done to give practitioners instruments to formulate queries on ATs in an understandable yet powerful way. In this paper we fill this gap by presenting ATM, a logic to express quantitative security properties on ATs. ATM allows for the specification of properties involved with security metrics that include "cost", "probability" and "skill" and permits the formulation of insightful what-if scenarios. To showcase its potential, we apply ATM to the case study of a CubeSAT, presenting three different ways in which an attacker can compromise its availability. We showcase property specification on the corresponding attack tree and we present theory and algorithms - based on binary decision diagrams - to check properties and compute metrics of ATM-formulae
Querying Fault and Attack Trees:Property Specification on a Water Network
We provide an overview of three different query languages whose objective is to specify properties on the highly popular formalisms of fault trees (FTs) and attack trees (ATs). These are BFL, a Boolean Logic for FTs, PFL, a probabilistic extension of BFL and ATM, a logic for security metrics on ATs. We validate the framework composed by these three logics by applying them to the case study of a water distribution network. We extend the FT for this network - found in the literature - and we propose to model the system under analysis with the Fault Trees/Attack Trees (FT/ATs) formalism, combining both FTs and ATs in a unique model. Furthermore, we propose a novel combination of the showcased logics to account for queries that jointly consider both the FT and the AT of the model, integrating influences of attacks on failure probabilities of different components. Finally, we extend the domain specific language for PFL with novel constructs to capture the interplay between metrics of attacks - e.g., "cost", success probabilities - and failure probabilities in the system
ATM: a Logic for Quantitative Security Properties on Attack Trees
Critical infrastructure systems - for which high reliability and availability
are paramount - must operate securely. Attack trees (ATs) are hierarchical
diagrams that offer a flexible modelling language used to assess how systems
can be attacked. ATs are widely employed both in industry and academia but - in
spite of their popularity - little work has been done to give practitioners
instruments to formulate queries on ATs in an understandable yet powerful way.
In this paper we fill this gap by presenting ATM, a logic to express
quantitative security properties on ATs. ATM allows for the specification of
properties involved with security metrics that include "cost", "probability"
and "skill" and permits the formulation of insightful what-if scenarios. To
showcase its potential, we apply ATM to the case study of a CubeSAT, presenting
three different ways in which an attacker can compromise its availability. We
showcase property specification on the corresponding attack tree and we present
theory and algorithms - based on binary decision diagrams - to check properties
and compute metrics of ATM-formulae
Intuitive control of rolling sound synthesis
International audienceThis paper presents a rolling sound synthesis model which can be intuitively controlled. To propose this model, different aspects of the rolling phenomenon are explored : physical modeling, perceptual attributes and signal morphology. A source-filter model for rolling sounds synthesis is presented with associated intuitive controls
- ā¦