
    Event Systems and Access Control

    We consider the interpretation of access control notions (permissions, interdictions, obligations and user rights) as run-time properties of information systems specified as event systems with fairness. We give proof rules for verifying that an access control policy is enforced in a system, and consider the preservation of access control under refinement of event systems. In particular, refinement of user rights is non-trivial; we propose to combine low-level user rights and system obligations to implement high-level user rights.
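    The abstract above reads permissions, interdictions, obligations and user rights as properties of the runs of an event system. The following is an added illustration, not code from the paper and not its proof rules: a constructed toy document-publishing model (roles, approval, publication, audit) is explored exhaustively, and each kind of policy statement is checked over the reachable states and transitions. Permissions and interdictions become safety checks on the source state of each event occurrence, a user right becomes an availability check (the event is enabled whenever the right holds), and an obligation is discharged under an assumed weak-fairness scheduler using a sufficient condition: on every path that avoids the obliged event, that event stays enabled, so fairness forces it to fire. Two variants of the model are compared: one that checks the role only at approval time, and one that re-checks it at publish time.

```python
"""Access-control notions as run-time properties of a small event system.

Added illustration (not code from the paper above).  A constructed toy
document-publishing model is explored exhaustively, and policy statements
are checked as properties of its reachable states and transitions.
Obligations are discharged under an assumed weak-fairness scheduler (an
event that stays enabled eventually fires), using a sufficient condition.
"""
from collections import deque, namedtuple

State = namedtuple("State", "role approved published audited")
INIT = State(role="user", approved=False, published=False, audited=False)


def make_events(publish_needs_admin):
    """Each event is (guard, action): guard is a predicate, action is pure."""
    return {
        "elevate": (lambda s: s.role == "user", lambda s: s._replace(role="admin")),
        "drop":    (lambda s: s.role == "admin", lambda s: s._replace(role="user")),
        "approve": (lambda s: s.role == "admin" and not s.approved,
                    lambda s: s._replace(approved=True)),
        # Weak model: role checked at approval time only.
        # Strict model: role re-checked when publishing.
        "publish": (lambda s: s.approved and not s.published
                    and (s.role == "admin" or not publish_needs_admin),
                    lambda s: s._replace(published=True)),
        "audit":   (lambda s: s.published and not s.audited,
                    lambda s: s._replace(audited=True)),
    }


WEAK_EVENTS = make_events(publish_needs_admin=False)
STRICT_EVENTS = make_events(publish_needs_admin=True)


def explore(events, init):
    """Breadth-first enumeration of reachable states and labelled transitions."""
    seen, edges, queue = {init}, [], deque([init])
    while queue:
        s = queue.popleft()
        for name, (guard, action) in events.items():
            if guard(s):
                t = action(s)
                edges.append((s, name, t))
                if t not in seen:
                    seen.add(t)
                    queue.append(t)
    return seen, edges


def permission(edges, event, cond):
    """Every occurrence of `event` starts in a state satisfying `cond`."""
    return [s for s, n, _ in edges if n == event and not cond(s)]


def interdiction(edges, event, cond):
    """`event` never occurs in a state satisfying `cond`."""
    return [s for s, n, _ in edges if n == event and cond(s)]


def user_right(events, states, cond, event):
    """Whenever `cond` holds, the user can take `event` immediately."""
    guard = events[event][0]
    return [s for s in states if cond(s) and not guard(s)]


def obligation(events, states, edges, trigger, event):
    """Once `trigger` holds, `event` must eventually occur.

    Sufficient condition under weak fairness of `event`: on every path that
    avoids `event`, `event` stays enabled, so fairness forces it to fire.
    Returns the states reachable without `event` in which it is disabled.
    """
    guard = events[event][0]
    succ = {}
    for s, n, t in edges:
        if n != event:
            succ.setdefault(s, []).append(t)
    bad, seen = [], set()
    stack = [s for s in states if trigger(s)]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        if not guard(s):
            bad.append(s)
            continue
        stack.extend(succ.get(s, []))
    return bad


def check(events):
    """Run the policy against a model; each value lists the violating states."""
    states, edges = explore(events, INIT)
    return {
        "permission: approve only as admin":
            permission(edges, "approve", lambda s: s.role == "admin"),
        "permission: publish only if approved":
            permission(edges, "publish", lambda s: s.approved),
        "interdiction: publish while user":
            interdiction(edges, "publish", lambda s: s.role == "user"),
        "right: admin can approve a pending doc":
            user_right(events, states,
                       lambda s: s.role == "admin" and not s.approved, "approve"),
        "obligation: published docs get audited":
            obligation(events, states, edges,
                       lambda s: s.published and not s.audited, "audit"),
    }


if __name__ == "__main__":
    for label, events in (("weak", WEAK_EVENTS), ("strict", STRICT_EVENTS)):
        for policy, violations in check(events).items():
            print(f"{label:6} {policy}: {'ok' if not violations else violations}")
```

    In the weak model the interdiction fails: an admin can approve, drop back to the user role, and still publish, because the guard of publish only looks at the approval flag set earlier. The strict model closes that gap by re-checking the role in the guard of publish itself, and the remaining checks (including the audit obligation) hold in both. Note that the obligation check is a sufficient condition only: a model in which the obliged event is temporarily disabled but still guaranteed under a stronger fairness assumption would be reported as a violation here.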

    Modelling an Aircraft Landing System in Event-B (Full Report)

    The failure of hardware or software in a critical system can lead to loss of life. Design errors introduced during the development process can be a main source of such failures. Formal techniques are an alternative approach to verifying the correctness of critical systems, overcoming limitations of traditional validation techniques such as simulation and testing. Increasing complexity and failure rates bring new challenges to the verification and validation of avionic systems. Since the reliability of software cannot be quantified, a correct-by-construction approach can be used to implement a reliable system. Refinement plays a major role in building a large system incrementally, from an abstract specification to a concrete system. This paper contributes a stepwise formal development of the landing system of an aircraft. The formal models cover the complex behaviour, the temporal behaviour and the sequence of operations of the landing gear system. The models are formalised in the Event-B modelling language, which supports stepwise refinement. This case study is considered a benchmark for techniques and tools dedicated to the verification of behavioural properties of systems. The report is the full version of a paper published for the ABZ 2014 case study.

    Teaching programming methodology using Event B

    Event B is supported by the RODIN platform and provides a framework for teaching programming methodology based on the well-known pre/post specifications, together with refinement. We illustrate a methodology based on Event B and refinement by developing Floyd's algorithm for computing the all-pairs shortest distances in a graph, which is based on the algorithm design technique called dynamic programming. The development is based on a paradigm that identifies a non-deterministic event with a procedure call and introduces control states. We discuss points related to our lectures at the university.

    Generating Distributed Programs from Event-B Models

    Distributed algorithms are challenging to check against their specifications. Verification techniques can be extended to deal with the verification of safety properties of distributed algorithms. In this paper, we present an approach that combines correct-by-construction methods with transformations of formal models (Event-B) into programs (DistAlgo) to address the design of verified distributed programs. We define a subset LB (Local Event-B) of the Event-B modelling language, restricted to events modelling the classical actions of distributed programs: internal or local computations, sending messages and receiving messages. We then define transformations of the various elements of the LB language into DistAlgo programs. The general methodology consists in starting from a statement of the problem to be programmed and progressively producing an LB model obtained after several refinement steps of the initial LB model. The derivation of the LB model is not described in the current paper and has already been addressed in other works. The transformation of LB models into DistAlgo programs is illustrated through a simple example. The refinement process and the soundness of the transformation allow one to produce correct-by-construction distributed programs. In Proceedings VPT/HCVS 2020, arXiv:2008.0248

    The invoice case study modelling in Event B

    This paper introduces, in a very progressive way, the different notations and concepts required for developing the case study. Section 2 analyses the case study and extracts information for constructing a first skeleton of the B event-based model. The B event-based modelling technique is introduced in section 3 by writing an Event B model. The first invoice case study model is given in section 4 and completes the skeleton of section 2. Section 5 defines the refinement of an Event B model, which is used in section 6 to derive the second case study model; a refinement of this model is proposed and introduces an ordering over invoices. Sections 7 and 8 conclude our proof-based development of B event-based models for the case study. The complete B models are given in three figures.

    Proving Distributed Algorithms by Combining Refinement and Local Computations

    Distributed algorithms are considered very complex to design and to prove; our paper contributes to the design of correct-by-construction distributed algorithms. The main idea relies on developing distributed algorithms following a top-down approach, well known from earlier work of Dijkstra, and on using refinement to prove the correctness of the resulting algorithms. The link between the problem and the first model still has to be expressed, and refinement is a real help in justifying the design choices in a very progressive way. We propose in this work a framework combining local computation models and refinement to prove the correctness of a large class of distributed algorithms. Local computation models define abstract computing processes for solving problems by distributed algorithms and can be integrated into the Event-B modelling language to define proof-based patterns for the design of distributed algorithms. We illustrate our approach with examples such as the leader election protocol and the distributed colouring algorithm. Our proposal is integrated into an environment called ViSiDiA.

    A quality analysis system: from the standard to the product via refinement (Un système d'analyse de la qualité: de la norme au produit en passant par le raffinement)

    The RNRT EQUAST project aims to build a tool for measuring quality of service in digital terrestrial television (TNT). A standard (Digital Video Broadcasting DVB; Measurement guidelines for DVB systems, ETSI TR 101 290 v1.2.1) identifies a number of checks and parameters for evaluating the transmission quality of the network. Implementing this standard as a tool involves computations and strong real-time constraints; it requires a prior model of the system formed by the parameters of the standard. Starting from the standardisation documents and in cooperation with our partners, we extracted and designed Event-B models that progressively integrate, through the refinement relation, all the parameters to be evaluated. Refinement guarantees, by proof, the consistency of the final model and yields a hierarchy of dependencies between the parameters of the standard. This hierarchy is derived from the invariant of the model of the resulting system and allows us to propose an architecture for the design of the measurement tool. We can thus propose a correct scheduling of the application's tasks. Knowledge of this scheduling, together with the structured view of the system, helps the designer in choosing an electronic implementation. The abstract models of the system are used, on the one hand, to bring out the organisation of the processing attached to the parameters and, on the other hand, for translation into a set of SystemC programs that preserve the properties of the models. To remain within a property-preserving approach, we had to model the SystemC scheduler described in the SystemC manual and show that the automated translations did preserve the properties of the abstract models in the SystemC programs.

    Integration of real-time constraints into a proof-based incremental development process (Deliverable 2) (Intégration de contraintes temps-réel au sein d'un processus de développement incrémental basé sur la preuve (Livrable 2))

    The report investigates the integration of time constraints into refinement-based development in Event B. Specific proof-based patterns are proposed for developing models that include time-oriented aspects. This deliverable is a report on the integration of temporal constraints into Event-B models. By temporal constraints we mean the properties that a system has, or that one wants to impose on it, with respect to its evolution over time; these are also called real-time properties. The systems considered are in particular distributed systems: apart from performance measurement, real-time properties are only useful when one considers a set of systems running concurrently or in a distributed way. We therefore study dynamic systems, whether software or hardware, define them, and prove properties, in particular real-time properties, on these models.

    A Refinement Strategy for Hybrid System Design with Safety Constraints

    Whenever continuous dynamics and discrete control interact, hybrid systems arise. As hybrid systems become ubiquitous and increasingly complex, analysis and synthesis techniques are in high demand for designing safe hybrid systems. This is challenging, however, because of the nature of hybrid systems and their designs, and because of the question of how to formulate and reason about their safety problems. Previous work has demonstrated how to extend the discrete modelling language Event-B with continuous support, so as to integrate traditional refinement into hybrid system design. In the same spirit, we extend that work by proposing a strategy that coherently refines an abstract hybrid system design with safety constraints down to a concrete one, integrated with implementable discrete control, that behaves safely. We demonstrate our proposal on a smart heating system that regulates room temperature between two reference values, and we share our experience.
