TL;DR: The paper considers the problem of building a multi-agent system as a software engineering enterprise and discusses three issues: how agents might be specified; how these specifications might be refined or otherwise transformed into efficient implementations; and how implemented agents and multi-agent systems might subsequently be verified, to show that they are correct with respect to their specifications.
Abstract: The technology of intelligent agents and multi-agent systems is expected to alter radically the way in which complex, distributed, open systems are conceptualised and implemented. The paper considers the problem of building a multi-agent system as a software engineering enterprise. Three issues are focused on: how agents might be specified; how these specifications might be refined or otherwise transformed into efficient implementations; and how implemented agents and multi-agent systems might subsequently be verified, to show that they are correct with respect to their specifications. These issues are discussed with reference to a number of case studies. The paper concludes by setting out some issues and open problems for future research.
TL;DR: The key idea is to define architectural connectors as explicit semantic entities as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact.
Abstract: As software systems become more complex, the overall system structure—or software architecture—becomes a central design problem. An important step toward an engineering discipline of software is a formal basis for describing and analyzing these designs. In the article we present a formal approach to one aspect of architectural design: the interactions among components. The key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We further provide a formal semantics and show how this leads to a system in which architectural compatibility can be checked in a way analogous to type-checking in programming languages.
TL;DR: It is suggested that the appropriate authentication requirement will depend upon the use to which the protocol is put, and the model checker FDR can be used to test whether a system running the protocol meets such a specification.
Abstract: Many security protocols have the aim of authenticating one agent to another. Yet there is no clear consensus in the academic literature about precisely what "authentication" means. We suggest that the appropriate authentication requirement will depend upon the use to which the protocol is put, and identify several possible definitions of "authentication". We formalize each definition using the process algebra CSP, use this formalism to study their relative strengths, and show how the model checker FDR can be used to test whether a system running the protocol meets such a specification.
TL;DR: This paper addresses the design of reactive real-time embedded systems by reviewing the variety of approaches to solving the specification, validation, and synthesis problems for such embedded systems.
Abstract: This paper addresses the design of reactive real-time embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware application-specific integrated circuits (ASICs) with embedded software. The concurrent design process for such embedded systems involves solving the specification, validation, and synthesis problems. We review the variety of approaches to these problems that have been taken.
TL;DR: A new domain-independent knowledge-based inference structure is presented, specific to the task of abstracting higher-level concepts from time-stamped data, and has been evaluated in several clinical domains and in an engineering domain, with encouraging results.
TL;DR: This dissertation presents methods for the formal modeling and specification of probabilistic systems, and algorithms for the automated verification of these systems, which rely on the theory of Markov decision processes and exploit a connection between the graph-theoretical and probabilistic properties of these processes.
Abstract: This dissertation presents methods for the formal modeling and specification of probabilistic systems, and algorithms for the automated verification of these systems. Our system models describe the behavior of a system in terms of probability, nondeterminism, fairness and time. The formal specification languages we consider are based on extensions of branching-time temporal logics, and enable the expression of single-event and long-run average system properties. This latter class of properties, not expressible with previous formal languages, includes most of the performance properties studied in the field of performance evaluation, such as system throughput and average response time. Our choice of system models and specification languages has been guided by the goal of providing efficient verification algorithms. The algorithms rely on the theory of Markov decision processes, and exploit a connection between the graph-theoretical and probabilistic properties of these processes. This connection also leads to new results about classical problems, such as an extension to the solvable cases of the stochastic shortest path problem, an improved algorithm for the computation of reachability probabilities, and new results on the average reward problem for semi-Markov decision processes.
TL;DR: The author describes Mobi-D (Model-Based Interface Designer), a comprehensive environment that supports user-centered design through model-based interface development, in which a series of declarative models are interrelated to provide a formal representation of an interface design.
Abstract: The author describes Mobi-D (Model-Based Interface Designer), a comprehensive environment that supports user-centered design through model-based interface development. In the Mobi-D paradigm, a series of declarative models, such as user-task, dialog, and presentation, are interrelated to provide a formal representation of an interface design. This contrasts to model-based systems, which use only one or two models in isolation and have no explicit notion as to how the various model elements are organized into an interface design.
TL;DR: This chapter gives both an overview of the key concepts found in a range of existing languages and tools and a specific proposal for modeling the abstract behavior of a design.
Abstract: This chapter describes high-level design techniques for developing hardware or software and combinations of the two. The chapter gives both an overview of the key concepts found in a range of existing languages and tools and a specific proposal for modeling the abstract behavior of a design. The aim of such high-level design techniques is to reduce the design time or effort by shifting as many decisions and analyses as possible from low-level to high-level models.
TL;DR: A real-time object structure that can flexibly yet accurately specify the temporal behavior of modeled subjects is described, which supports strong requirements-design traceability, the feasibility of thorough and cost-effective validation, and ease of maintenance.
Abstract: The market for real-time applications has grown considerably in years, and in response engineering methods have also improved. Today's techniques, while adequate for building moderately complex embedded applications, are inadequate for building the large, highly reliable, very complex real-time applications that are increasingly in demand. To build such large systems, engineering teams need a more uniform, integrated approach than is available today. Ideally, the development approach would make uniform the representations of both application environments and control systems as they proceed through various system engineering phases. The ideal representation (or modeling) scheme should be effective not only for abstracting system designs but also for representing the application environment. It should also be capable of manipulating logical values and temporal characteristics at varying degrees of accuracy. This ideal modeling scheme is not likely to be realized through conventional object models. Although they are natural building blocks for modular systems, conventional object models lack concrete mechanisms to represent the temporal behavior of complex, dynamic systems. This article describes a real-time object structure that can flexibly yet accurately specify the temporal behavior of modeled subjects. This approach supports strong requirements-design traceability, the feasibility of thorough and cost-effective validation, and ease of maintenance.
TL;DR: The design and implementation of a storage and retrieval structure for software components that is based on formal specifications and on the refinement ordering between specifications are discussed.
Abstract: Software libraries are repositories which contain software components; as such, they represent a precious resource for the software engineer. As software libraries grow in size, it becomes increasingly difficult to maintain adequate precision and recall with informal retrieval algorithms. In this paper, we discuss the design and implementation of a storage and retrieval structure for software components that is based on formal specifications and on the refinement ordering between specifications.
TL;DR: This paper presents a general methodology for the specification and the integration of functional modules in a distributed reactive robot architecture based on a hybrid architecture basically composed of two levels: a lower distributed functional level controlled by a centralized decisional level.
Abstract: This paper presents a general methodology for the specification and the integration of functional modules in a distributed reactive robot architecture. The approach is based on a hybrid architecture basically composed of two levels: a lower distributed functional level controlled by a centralized decisional level. Due to this methodology, synchronous or asynchronous operating capabilities (servo-control, data processing, event monitoring) can be easily added to the functional level. They are encapsulated into modules, built according to a generic model, that are seen by the decisional level as homogeneous, programmable, reactive and robust communicant services. Each module is simply described with a specific language and is automatically produced by a generator of modules (GenoM) according to the generic model. GenoM also produces an interactive test program and interface libraries to control the module and to read the resulting data, which allow one to directly integrate the module into the architecture.
TL;DR: In this paper, a Petri-net-based approach for formal specification and verification of inheritance of dynamic behavior has been proposed, which allows for the definition of a subclass which inherits the features of a specific superclass.
Abstract: Inheritance is one of the key issues of object-orientation. The inheritance mechanism allows for the definition of a subclass which inherits the features of a specific superclass. This means that methods and attributes defined for the superclass are also available for objects of the subclass. Existing methods for object-oriented modeling and design abstract from the dynamic behavior of objects when defining inheritance. Nevertheless, it would be useful to have a mechanism which allows for the inheritance of dynamic behavior. This paper describes a Petri-net-based approach to the formal specification and verification of this type of inheritance. We use Petri nets to specify the dynamics of an object class. The Petri-net formalism allows for a graphical representation of the life cycle of objects which belong to a specific object class. Four possible inheritance relations are defined. These inheritance relations can be verified automatically. Moreover, four powerful transformation rules which preserve specific inheritance relations are given. To illustrate the relevance of these results, the application to workflow management is demonstrated.
TL;DR: The authors offer suggestions for overcoming the problems that have hindered the use of formal methods thus far.
Abstract: Successfully applying formal methods to software development promises to move us closer to a true engineering discipline. The authors offer suggestions for overcoming the problems that have hindered the use of formal methods thus far.
TL;DR: This paper presents a method of formally specifying concurrent systems which uses the object-oriented state-based specification language Object-Z together with the process algebra CSP, which allows classes specified in Object-Z to be used directly within the CSP part of the specification.
Abstract: This paper presents a method of formally specifying concurrent systems which uses the object-oriented state-based specification language Object-Z together with the process algebra CSP. Object-Z provides a convenient way of modelling complex data structures needed to define the component processes of such systems, and CSP enables the concise specification of process interactions. The basis of the integration is a semantics of Object-Z classes identical to that of CSP processes. This allows classes specified in Object-Z to be used directly within the CSP part of the specification.
TL;DR: This work has developed a complete and minimal set of change operations which support users in modifying the structure of WFs at runtime, while preserving their correctness and consistency.
Abstract: Current workflow management systems (WFMSs) are only applicable in a reliable and secure manner if the business process (BP) to be supported is well structured. As ad hoc deviations from preplanned BPs are rather the norm and form a key part of process flexibility, this limits the applicability of today's workflow (WF) technology significantly. We present a framework for the support of ad hoc structural changes of WFs. Basic to our approach is a conceptual, graph based WF model which has a formal foundation in its syntax and operational semantics. Based upon this model, we have developed a complete and minimal set of change operations which support users in modifying the structure of WFs at runtime, while preserving their correctness and consistency.
TL;DR: The specification of a Problem Domain Specification and Design for a problem domain specification and design is compared to a model for a solution to the challenge of integrating NoSQL data stores to manage distributed systems.
Abstract: ion of a Problem Domain Specification and Design
TL;DR: This work shows how an indirect approach can be incorporated in a CASE tool prototype by basing it upon formally defined hierarchical description techniques, and demonstrates the immediate benefits by introducing consistency notions gained from the formalization.
Abstract: The widely accepted possible benefits of formal methods on the one hand and their minor use compared to informal or graphical description techniques on the other hand have repeatedly led to the claim that formal methods should be put to a more indirect or transparent use. We show how such an indirect approach can be incorporated in a CASE tool prototype by basing it upon formally defined hierarchical description techniques. We demonstrate the immediate benefits by introducing consistency notions gained from the formalization. Additionally, we show how the formalization can be used to apply automated property validation. Finally, we discuss some further techniques that could be based on the underlying formalization.
TL;DR: The focus of this paper is the formalization of the primary UML constructs used to build class structures using the Z notation to precisely express the meaning of UML class structures.
Abstract: There is much interest in developing a firm semantic base for object-oriented modeling concepts. By providing precise characterizations of object-oriented (OO) modeling concepts one gains the ability to build a precise OO model of behavior and structure that can be rigorously analyzed. We present the current results of our ongoing formalization of the Unified Modeling Language (UML). UML is a proposed common OO modeling language, thus it is important that it has a formally defined semantic base. The focus of this paper is the formalization of the primary UML constructs used to build class structures. We use the Z notation to precisely express the meaning of UML class structures.
TL;DR: It is shown how a rich requirements meta-model, coupled with an expressive formal assertion language, may increase the effectiveness of analogical reuse, by analogical acquisition of specifications of a meeting scheduler in the KAOS goal-oriented specification language.
Abstract: Reusing similar requirements fragments is one of the most promising ways to reduce the elaboration time and increase the requirements' quality. This paper investigates the application of analogical reasoning techniques to complete partial requirement specifications. A case base is assumed to be available; it contains requirements frameworks involving goals, constraints, objects, actions and agents from systems which have already been specified. We show how a rich requirements meta-model, coupled with an expressive formal assertion language, may increase the effectiveness of analogical reuse. An acquisition problem is first specified by a requirements engineer as a query formulated in the vocabulary of the specification fragments built so far. Source cases and partial mappings are found by query generalization followed by a search through the case base. Once analogies have been confirmed, mappings are completed by the use of relevance rules that distinguish, in the formal assertions, what is relevant to the analogy from what is irrelevant. The best analogies are then selected and extended in such a way that the logical properties of the answers to the query may be verified, thus increasing confidence in the analogy. The approach is illustrated by analogical acquisition of specifications of a meeting scheduler in the KAOS goal-oriented specification language.
TL;DR: A general constraint logic programming (CLP) based framework for specification and verification of real time systems based on the notion of timed automata, which can be used for computing the conditions under which a property will hold for a given real time system.
Abstract: We develop a general constraint logic programming (CLP) based framework for specification and verification of real time systems. Our framework is based on the notion of timed automata that have traditionally been used for specifying real time systems. In our framework, a user models the ordering of real time events as the grammar of a language accepted by a timed automaton; the real time constraints on these events are then captured as denotations of the grammar productions specified by the user. The grammar can be specified as a Definite Clause Grammar (DCG), while the denotations can be specified in constraint logic. The resulting specification can hence be regarded as a constraint logic program (CLP), and is executable. Many interesting properties of the real time system can be verified by posing appropriate queries to this CLP program. A major advantage of our approach is that it is constructive in nature, i.e., it can be used for computing the conditions under which a property will hold for a given real time system. Our framework also suggests new types of formalisms that we call constraint automata and timed push down automata.
TL;DR: A framework for testing timing constraints of real-time systems and the use of ACSR to describe test sequences has two main advantages: first, tests can be applied to an ACSR model of the software system within the ACSR semantic framework for model validation purposes, and second, ACSR has concise notation and a precise semantics that will facilitate the translation of real-time tests into a software test language for software validation purposes.
Abstract: The authors present a framework for testing timing constraints of real-time systems. The tests are automatically derived from specifications of minimum and maximum allowable delays between input/output events in the execution of a system. The test derivation scheme uses a graphical specification formalism for timing constraints, and the real-time process algebra Algebra of Communicating Shared Resources (ACSR) for representing tests and process models. The use of ACSR to describe test sequences has two main advantages. First, tests can be applied to an ACSR model of the software system within the ACSR semantic framework for model validation purposes. Second, ACSR has concise notation and a precise semantics that will facilitate the translation of real-time tests into a software test language for software validation purposes.
TL;DR: The research presented here addresses the question of why formal methods are not used more widely by industrial practitioners and develops a formal specification for a safety-critical application using several specification notations and assess the results in a comprehensive evaluation framework.
Abstract: Despite extensive development over many years and significant demonstrated benefits, formal methods remain poorly accepted by industrial practitioners. Many reasons have been suggested for this situation such as a claim that they extend the development cycle, that they require difficult mathematics, that inadequate tools exist, and that they are incompatible with other software packages. There is little empirical evidence that any of these reasons is valid. The research presented here addresses the question of why formal methods are not used more widely. The approach used was to develop a formal specification for a safety-critical application using several specification notations and assess the results in a comprehensive evaluation framework. The results of the experiment suggest that there remain many impediments to the routine use of formal methods.
TL;DR: ZCCS, a version of value-passing CCS in which the data language used to describe the action/agent parameters and conditions is Z, is introduced and an operational semantics for ZCCS is presented.
Abstract: G. Bruns (1995) has proposed a version of value-passing CCS in which an agent language, based on that proposed by Milner, is augmented with a rich data language. The data language can be used to describe sets, tuples and sequences etc. constructed from integer, Boolean and string constants. Z is a widely used formal specification language in which sets, tuples and sequences can be described, but also additional constructs such as free types and bindings. In addition, Z has a rich structuring mechanism-its schema calculus. Z is frequently used to specify the operations of a system on its state, and has a refinement calculus and formal semantics. This article introduces ZCCS, a version of value-passing CCS in which the data language used to describe the action/agent parameters and conditions is Z. We introduce the style and syntax of ZCCS and illuminate this with a small example. In addition, we present an operational semantics for ZCCS.
TL;DR: This work presents the first source-level profiler for a compiled, nonstrict, higher-order, purely functional language capable of measuring time as well as space usage and gives a formal specification of the attribution of execution costs to cost centers.
Abstract: We present the first source-level profiler for a compiled, nonstrict, higher-order, purely functional language capable of measuring time as well as space usage. Our profiler is implemented in a production-quality optimizing compiler for Haskell and can successfully profile large applications. A unique feature of our approach is that we give a formal specification of the attribution of execution costs to cost centers. This specification enables us to discuss our design decisions in a precise framework, prove properties about the attribution of costs, and examine the effects of different program transformations on the attribution of costs. Since it is not obvious how to map this specification onto a particular implementation, we also present an implementation-oriented operational semantics, and prove it equivalent to the specification.
TL;DR: A set of graphical models provided by the methodology allows analysts to introduce the relevant system information to obtain the conceptual model through a requirements collection phase, so that an OO formal specification in Oasis can be generated at any time.
Abstract: OO-Method is an OO Methodology that blends the use of formal specification systems with conventional OO methodologies based on practice. In contrast to other approaches in this field ([Jun95, Esd93]), a set of graphical models provided by the methodology allows analysts to introduce the relevant system information to obtain the conceptual model through a requirements collection phase, so that an OO formal specification in Oasis ([Pas92, Pas95-1]) can be generated at any time. This formal specification acts as a high-level system repository. Furthermore, a software prototype which is functionally equivalent to the Oasis specification is also generated in an automated way. This is achieved by defining an execution model which gives the pattern for obtaining a concrete implementation in a declarative or an imperative software development environment (depending on the user choice). The methodology is supported by a CASE workbench.
TL;DR: This paper provides extensions to RMM that enable it to model a much richer class of applications, thereby making the methodology more attractive for software developers to use.
Abstract: Hypermedia design is usually ad hoc. Whereas the original Relationship Management Methodology (RMM) provides a structured approach to design and implementation of hypermedia applications, it has limitations that constrain the usability of the kinds of applications it can construct. This paper provides extensions to RMM that enable it to model a much richer class of applications, thereby making the methodology more attractive for software developers to use. The paper also presents a graphical and programming language notation for RMM's new m-slice construct, which is at the core of the extensions presented.
TL;DR: This work describes a method for defining order relations between execution traces and further expanding the relation to general processes to ensure monotonicity at the process level, both in the prioritized and unprioritized cases.
TL;DR: Gurevich's Abstract State Machine formalism is used to specify the Kerberos Authentication System based on the Needham-Schroeder authentication protocol and is used as a basis both to discover the minimum assumptions to guarantee the correctness of the system and to analyse its security weaknesses.
Abstract: Gurevich's Abstract State Machine formalism is used to specify the well known Kerberos Authentication System based on the Needham-Schroeder authentication protocol. A complete model of the system is reached through stepwise refinements of ASMs, and is used as a basis both to discover the minimum assumptions to guarantee the correctness of the system and to analyse its security weaknesses. Each refined model comes together with a correctness refinement theorem.
TL;DR: Recent enhancements to the SCR tools are described: a new dependency graph browser which displays the dependencies among the variables in the specification, an improved consistency checker which produces detailed feedback about detected errors, and an assertion checker which checks application properties during simulation.
Abstract: Although formal methods for developing computer systems have been available for more than a decade, few have had significant impact in practice. A major barrier to their use is that software developers find formal methods difficult to understand and apply. One exception is a formal method called SCR for specifying computer system requirements which, due to its easy to use tabular notation and its demonstrated scalability, has already achieved some success in industry. Recently a set of software tools, including a specification editor, a consistency checker, a simulator, and a verifier has been developed to support the SCR method. This paper describes recent enhancements to the SCR tools: a new dependency graph browser which displays the dependencies among the variables in the specification, an improved consistency checker which produces detailed feedback about detected errors, and an assertion checker which checks application properties during simulation. To illustrate the tool enhancements, a simple automobile cruise control system is presented and analyzed.