TL;DR: In this article, a machine learning approach is proposed to discover formal specifications of the protocols that code must obey when interacting with an application program interface or abstract data type, starting from the assumption that a working program is well enough debugged to reveal strong hints of correct protocols, and concisely summarizing the frequent interaction patterns as state machines that capture both temporal and data dependences.
Abstract: Program verification is a promising approach to improving program quality, because it can search all possible program executions for specific errors. However, the need to formally describe correct behavior or errors is a major barrier to the widespread adoption of program verification, since programmers historically have been reluctant to write formal specifications. Automating the process of formulating specifications would remove a barrier to program verification and enhance its practicality. This paper describes specification mining, a machine learning approach to discovering formal specifications of the protocols that code must obey when interacting with an application program interface or abstract data type. Starting from the assumption that a working program is well enough debugged to reveal strong hints of correct protocols, our tool infers a specification by observing program execution and concisely summarizing the frequent interaction patterns as state machines that capture both temporal and data dependences. These state machines can be examined by a programmer, to refine the specification and identify errors, and can be utilized by automatic verification tools, to find bugs. Our preliminary experience with the mining tool has been promising. We were able to learn specifications that not only captured the correct protocol, but also discovered serious bugs.
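A small illustration of the mining idea in the abstract above. This is an added example written for this page, not the paper's tool: the traces are constructed, the learner is a simple frequency-thresholded 1-tail automaton (the paper's summarization is richer), and calls are sliced by handle as a stand-in for the data dependences the paper tracks. Infrequent transitions are kept separately so a reviewer can decide whether they are rare-but-legal or the bug the "working program" assumption lets through.

```python
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed traces of a file-handle API, as a tracer might record them from a
# mostly-working program: each event is (call, handle). One run is buggy.
GOOD_TRACES = [
    [("open", 1), ("read", 1), ("read", 1), ("close", 1)],
    [("open", 2), ("write", 2), ("close", 2)],
    [("open", 3), ("read", 3), ("write", 3), ("close", 3)],
    [("open", 4), ("open", 5), ("read", 4), ("close", 4), ("read", 5), ("close", 5)],
    [("open", 6), ("read", 6), ("read", 6), ("write", 6), ("close", 6)],
    [("open", 7), ("write", 7), ("write", 7), ("close", 7)],
    [("open", 8), ("write", 8), ("write", 8), ("close", 8)],
]
BUGGY_TRACE = [("open", 9), ("close", 9), ("read", 9)]   # read after close


def slice_by_handle(trace):
    """Data dependence: calls on the same handle form one protocol instance,
    even when several handles are interleaved in the same run."""
    per = defaultdict(list)
    for call, handle in trace:
        per[handle].append(call)
    return list(per.values())


def mine(traces, min_count=2):
    """Learn a 1-tail state machine: state = last call on the handle,
    transition = observed next call. Transitions seen fewer than min_count
    times are reported separately rather than accepted into the spec."""
    counts = Counter()
    for trace in traces:
        for seq in slice_by_handle(trace):
            prev = START
            for call in seq:
                counts[(prev, call)] += 1
                prev = call
            counts[(prev, END)] += 1
    frequent = {edge: n for edge, n in counts.items() if n >= min_count}
    rare = {edge: n for edge, n in counts.items() if n < min_count}
    return frequent, rare


def check(spec, trace):
    """Replay a trace against the mined machine; list every step it refuses
    as (handle, state_before, call)."""
    violations = []
    state = {}
    for call, handle in trace:
        prev = state.get(handle, START)
        if (prev, call) not in spec:
            violations.append((handle, prev, call))
        state[handle] = call
    for handle, prev in state.items():
        if (prev, END) not in spec:
            violations.append((handle, prev, END))
    return violations


# The buggy run is mined together with the good ones: its transitions are
# too infrequent to enter the spec, which is what then flags it.
SPEC, RARE = mine(GOOD_TRACES + [BUGGY_TRACE])

if __name__ == "__main__":
    for edge, n in sorted(SPEC.items(), key=lambda kv: -kv[1]):
        print(f"{edge[0]:>8} -> {edge[1]:<8} x{n}")
    print("rare:", RARE)
    print("violations:", check(SPEC, BUGGY_TRACE))
```

The threshold is the whole trick: set it too low and the buggy run becomes part of the "specification", set it too high and legitimate but rare paths (here, two consecutive writes) are flagged. That is why the paper hands the machine to a programmer before feeding it to a verifier.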
TL;DR: From a software perspective, developing safety-critical systems in the numbers required and with adequate dependability is going to require significant advances in areas such as specification, architecture, verification and the software process.
Abstract: Safety-critical systems are those systems whose failure could result in loss of life, significant property damage or damage to the environment. There are many well-known examples in application areas such as medical devices, aircraft flight control, weapons and nuclear systems. Many modern information systems are becoming safety-critical in a general sense because financial loss and even loss of life can result from their failure. Future safety-critical systems will be more common and more powerful. From a software perspective, developing safety-critical systems in the numbers required and with adequate dependability is going to require significant advances in areas such as specification, architecture, verification and the software process. The very visible problems that have arisen in the area of information system security suggest that security is a major challenge too.
TL;DR: In this paper, the authors present an approach that makes writing unit tests easier by using a formal specification language's runtime assertion checker to decide whether methods are working correctly, thus automating the writing of unit test oracles.
Abstract: Writing unit test code is labor-intensive, hence it is often not done as an integral part of programming. However, unit testing is a practical approach to increasing the correctness and quality of software; for example, the Extreme Programming approach relies on frequent unit testing. In this paper we present a new approach that makes writing unit tests easier. It uses a formal specification language's runtime assertion checker to decide whether methods are working correctly, thus automating the writing of unit test oracles. These oracles can be easily combined with hand-written test data. Instead of writing testing code, the programmer writes formal specifications (e.g., pre- and postconditions). This makes the programmer's task easier, because specifications are more concise and abstract than the equivalent test code, and hence more readable and maintainable. Furthermore, by using specifications in testing, specification errors are quickly discovered, so the specifications are more likely to provide useful documentation and inputs to other tools. We have implemented this idea using the Java Modeling Language (JML) and the JUnit testing framework, but the approach could be easily implemented with other combinations of formal specification languages and unit test tools.
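The oracle idea above, as an added example in Python rather than the paper's JML/JUnit implementation. The `requires`/`ensures` decorators, the bounded stack, its deliberately broken subclass and the test scripts are all constructed for this page; the decorators stand in for JML's runtime assertion checker, with a deep copy of the object's state playing the role of JML's `\old(...)`. One detail worth copying from the paper's approach: a test input that violates a precondition is reported as inapplicable, not as a failure, because the contract says nothing about what the method should do there.

```python
import copy
import functools


class PreconditionViolation(AssertionError):
    """The caller broke the contract: the test input is inapplicable, not a failure."""


class PostconditionViolation(AssertionError):
    """The implementation broke the contract: the test has found a bug."""


def requires(pred, msg):
    """Precondition check on entry; pred receives (self, *args)."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args):
            if not pred(self, *args):
                raise PreconditionViolation(f"{fn.__name__}: requires {msg}")
            return fn(self, *args)
        return wrapper
    return deco


def ensures(pred, msg):
    """Postcondition check on exit; pred receives (self, result, old, *args),
    where old is a deep copy of the pre-state (the \\old(...) of JML)."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args):
            old = copy.deepcopy(self.__dict__)
            result = fn(self, *args)
            if not pred(self, result, old, *args):
                raise PostconditionViolation(f"{fn.__name__}: ensures {msg}")
            return result
        return wrapper
    return deco


POP_POST = (lambda s, r, old: r == old["items"][-1] and s.items == old["items"][:-1],
            "old top returned and removed")


class BoundedStack:
    def __init__(self, capacity):
        self.capacity = capacity
        self.items = []

    @requires(lambda s, x: len(s.items) < s.capacity, "stack not full")
    @ensures(lambda s, r, old, x: s.items == old["items"] + [x], "x is the new top")
    def push(self, x):
        self.items.append(x)

    @requires(lambda s: len(s.items) > 0, "stack not empty")
    @ensures(*POP_POST)
    def pop(self):
        return self.items.pop()


class BuggyStack(BoundedStack):
    """Same contract, defective pop: returns the top but never removes it."""
    @requires(lambda s: len(s.items) > 0, "stack not empty")
    @ensures(*POP_POST)
    def pop(self):
        return self.items[-1]


def run_script(stack_cls, script, capacity=2):
    """Drive a stack with hand-written test data only; the contracts are the
    oracle. Returns ('pass' | 'fail' | 'inapplicable', message)."""
    s = stack_cls(capacity)
    try:
        for op, *args in script:
            getattr(s, op)(*args)
    except PreconditionViolation as e:
        return "inapplicable", str(e)
    except PostconditionViolation as e:
        return "fail", str(e)
    return "pass", ""


if __name__ == "__main__":
    print(run_script(BoundedStack, [("push", 1), ("push", 2), ("pop",), ("pop",)]))
    print(run_script(BuggyStack, [("push", 1), ("pop",)]))
    print(run_script(BoundedStack, [("push", 1), ("push", 2), ("push", 3)]))
```

The test author writes only the scripts (the data); no expected values appear anywhere in the tests, because the postconditions compute the verdict. A precondition violation raised from a nested call inside the method under test would, in a fuller implementation, be a genuine failure of that method rather than an inapplicable test; the driver above does not distinguish the two.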
TL;DR: This tool is the first step towards having a framework for the design and development of infrastructures for open multi-agent systems and takes the stance that a verifiable formal specification is needed before starting the development of complex systems.
Abstract: In this paper we present ISLANDER, a tool for the specification and verification of agent mediated electronic institutions. We have defined a textual declarative language for the specification of the components of an institution. Also an ISLANDER editor is presented. It facilitates the work of the institution designer permitting the combination of graphical and textual specifications. We take the stance that a verifiable formal specification is needed before starting the development of complex systems. This tool is our first step towards having a framework for the design and development of infrastructures for open multi-agent systems.
TL;DR: A systematic process from requirements elicitation through formal specification, user interface prototyping, rigorous design, and coding is used to deliver a highly reliable system that meets all its throughput and usability goals.
Abstract: Praxis Critical Systems recently developed a secure certification authority for smart cards that had to satisfy performance and usability requirements while meeting stringent security constraints. The authors used a systematic process from requirements elicitation through formal specification, user interface prototyping, rigorous design, and coding to ensure these objectives' achievement. They show how a process that achieves normal commercial productivity can deliver a highly reliable system that meets all its throughput and usability goals.
TL;DR: Linguistic analysis techniques are applied to requirements documents written as natural-language Use Cases to collect quality metrics and to detect defects caused by the inherent ambiguity of natural language.
Abstract: The Use Case formalism is an effective way of capturing both business process and functional system requirements in a very simple and easy-to-learn way. Use Cases may be modeled graphically (e.g. using the UML notation), mainly serving as a table of contents for the Use Cases; system behavior can more effectively be specified by structured natural language (NL) sentences. The use of NL to specify the behavior of a system is, however, a critical point, due to the inherent ambiguity originating from different interpretations of natural language descriptions. We discuss the use of methods, based on a linguistic approach, to analyze functional requirements expressed by means of textual (NL) Use Cases. The aim is to collect quality metrics and detect defects related to such inherent ambiguity. In a series of preliminary experiments, we applied a number of tools for quality evaluation of NL text (and, in particular, of NL requirements documents) to an industrial Use Cases document. The result of the analysis is a set of metrics that aim to measure the quality of the NL textual description of Use Cases. We also discuss the application of selected linguistic analysis techniques provided by some of the tools to the semantic analysis of NL-expressed Use Cases.
TL;DR: Propel aims to make the job of writing and understanding properties easier by providing templates that explicitly capture details as options for commonly-occurring property patterns by using both "disciplined" natural language and finite-state automata.
Abstract: Property specifications concisely describe what a software system is supposed to do. It is surprisingly difficult to write these properties correctly. There are rigorous mathematical formalisms for representing properties, but these are often difficult to use. No matter what notation is used, however, there are often subtle, but important, details that need to be considered. Propel aims to make the job of writing and understanding properties easier by providing templates that explicitly capture these details as options for commonly-occurring property patterns. These templates are represented using both "disciplined" natural language and finite-state automata, allowing the specifier to easily move between these two representations.
TL;DR: Four kinds of extension are considered: input-output dependency, invocation sequence, hierarchical functional description and concurrent sequence specifications, which aim to extend the WSDL to support this kind of information description.
Abstract: Web services might be the most popular and powerful software development technology in today's software world. Yet they also bring software developers and testers many challenges. This is mainly caused by the insufficient information provided by the WSDL file of a Web service: from the WSDL file we cannot obtain the information useful for testing, such as dependence information. To solve this problem, we propose and have practiced extending WSDL to support the description of this kind of information. In this paper, four kinds of extension are considered: input-output dependency, invocation sequence, hierarchical functional description and concurrent sequence specifications. Their advantages are also discussed.
TL;DR: A systematic technique to support the process of refining goals, identifying agents, and exploring alternative responsibility assignments is described, which systematically derive a catalog of tactics for refining goals and identifying agents so as to resolve realizability problems.
Abstract: Goal orientation is an increasingly recognized paradigm for eliciting, structuring, analyzing and documenting system requirements. Goals are statements of intent ranging from high-level, strategic concerns to low-level, technical requirements on the software-to-be and assumptions on its environment. Achieving goals requires the cooperation of agents such as software components, input/output devices and human agents. The assignment of responsibilities for goals to agents is a critical decision in the requirements engineering process as alternative agent assignments define alternative system proposals. The paper describes a systematic technique to support the process of refining goals, identifying agents, and exploring alternative responsibility assignments. The underlying principles are to refine goals until they are assignable to single agents, and to assign a goal to an agent only if the agent can realize the goal. There are various reasons why a goal may not be realizable by an agent, e.g., the goal may refer to variables that are not monitorable or controllable by the agent. The notion of goal realizability is first defined on formal grounds; it provides a basis for identifying a complete taxonomy of realizability problems. From this taxonomy we systematically derive a catalog of tactics for refining goals and identifying agents so as to resolve realizability problems. Each tactic corresponds to the application of a formal refinement pattern that relieves the specifier from verifying the correctness of refinements in temporal logic. Our techniques have been used in two case studies of significant size; excerpts are shown to illustrate the main ideas.
TL;DR: A methodology and tool to support test selection from regression test suites based on change analysis in object-oriented designs and a formal mapping between design changes and a classification of regression test cases, i.e., reusable, retestable, and obsolete are presented.
Abstract: We present a methodology and a tool to support test selection from regression test suites based on change analysis in object-oriented designs. We assume that designs are represented using the Unified Modeling Language (UML) and we propose a formal mapping between design changes and a classification of regression test cases, i.e., three categories: reusable, retestable, and obsolete. We provide evidence of the feasibility of the methodology and its usefulness by using our prototype tool on an industrial case study.
TL;DR: Recursive Colored Petri Nets with abstraction support the design of flexible interaction protocols that give agents more autonomy during interaction, while allowing concise modeling and easier verification.
Abstract: This paper proposes a generic approach to protocol engineering through the analysis, specification, and verification of interaction protocols when several agents are involved. The approach has three parts: 1) starting from a semi-formal specification by means of Protocol Diagrams (AUML), both the formal specification of interaction protocols and their verification are enabled by Colored Petri Nets (CPN); 2) debugging and qualitative analysis of interactions are based on distributed observation associated with the true concurrency semantics (i.e. CPN unfolding); and 3) the CPN formalism is extended to Recursive CPN (RCPN) with abstraction in order to deal with open protocols. The main interest of abstraction is the design of flexible protocols giving agents more autonomy during interaction. In addition, abstraction allows concise modeling and easier verification.
TL;DR: This paper demonstrates a new approach to vulnerability analysis based on model checking by modelling a simplified version of a UNIX-based system and analyzing it with model-checking techniques to identify nontrivial vulnerabilities.
Abstract: Vulnerability analysis is concerned with the problem of identifying weaknesses in computer systems that can be exploited to compromise their security. In this paper we describe a new approach to vulnerability analysis based on model checking. Our approach involves:
• Formal specification of desired security properties. An example of such a property is "no ordinary user can overwrite system log files".
• An abstract model of the system that captures its security-related behaviors. This model is obtained by composing models of system components such as the file system, privileged processes, etc.
• A verification procedure that checks whether the abstract model satisfies the security properties, and if not, produces execution sequences (also called exploit scenarios) that lead to a violation of these properties.
An important benefit of a model-based approach is that it can be used to detect known and as-yet-unknown vulnerabilities. This capability contrasts with previous approaches (such as those used in COPS and SATAN) which mainly address known vulnerabilities. This paper demonstrates our approach by modelling a simplified version of a UNIX-based system, and analyzing this system using model-checking techniques to identify nontrivial vulnerabilities. A key contribution of this paper is to show that such an automated analysis is feasible in spite of the fact that the system models are infinite-state systems. Our techniques exploit some of the latest techniques in model-checking, such as constraint-based (implicit) representation of state-space, together with domain-specific optimizations that are appropriate in the context of vulnerability analysis. Clearly, a realistic UNIX system is much more complex than the one that we have modelled in this paper. Nevertheless, we believe that our results show automated and systematic vulnerability analysis of realistic systems to be feasible in the near future, as model-checking techniques continue to improve.
TL;DR: The article proposes a formalization of the semantics of the UML subset and presents the translation of UML process models into code, which can be enacted in the OPSS process-centered environment.
Abstract: In the recent past, a relevant effort has been devoted to the definition of process modeling languages (PMLs). The resulting languages and environments, although technically successful, did not receive much attention from industry. On the contrary, researchers and practitioners have recently started experimenting with the usage of UML as a PML. Being so popular and widely used, UML has an important competitive advantage compared to any specialized PML. However, it has also a main limitation. While most PMLs are executable by some process engine, UML was conceived as a non-executable, semi-formal language. The work described here aims at assessing the possibility of employing a subset of UML as an executable PML. The article proposes a formalization of the semantics of the UML subset and presents the translation of UML process models into code, which can be enacted in the OPSS process-centered environment. The paper also presents a case study to validate the approach. We expect that process modeling by means of UML is easier and available to a larger community of software process managers. Moreover, process enactment makes the process more efficient, reliable, predictable and controllable, as widely shown by previous research.
TL;DR: This proceedings volume collects papers on the Z and B formal methods, covering refinement theory, tool support, test generation (including a comparison of the BTT and TTF methods), a formal analysis of the CORBA Security Service, type synthesis in B and the translation of B to PVS, Event B, and traceability between UML and B.
Abstract: Contents:
- Theories, Implementations, and Transformations.
- Incremental Proof of the Producer/Consumer Property for the PCI Protocol.
- Controlling Control Systems: An Application of Evolving Retrenchment.
- Checking Z Data Refinements Using an Animation Tool.
- Encoding Object-Z in Isabelle/HOL.
- Characters + Mark-up = Z Lexis.
- Extraction of Abstraction Invariants for Data Refinement.
- An Approach to Combining B and Alloy.
- Software Construction by Stepwise Feature Introduction.
- The Semantics of Circus.
- Handling Inconsistencies in Z Using Quasi-Classical Logic.
- Loose Specification and Refinement in Z.
- On Using Conditional Definitions in Formal Theories.
- A Theory of Generalised Substitutions.
- Reinforced Condition/Decision Coverage (RC/DC): A New Criterion for Software Testing.
- A Comparison of the BTT and TTF Test-Generation Methods.
- A Formal Analysis of the CORBA Security Service.
- Type Synthesis in B and the Translation of B to PVS.
- "Higher-Order" Mathematics in B.
- ABS Project: Merging the Best Practices in Software Design from Railway and Aircraft Industries.
- Generalised Substitution Language and Differentials.
- Communicating B Machines.
- Synchronized Parallel Composition of Event Systems in B.
- Global and Communicating State Machine Models in Event Driven B: A Simple Railway Case Study.
- Verification of Dynamic Constraints for B Event Systems under Fairness Assumptions.
- A Formal Model of the UML Metamodel: The UML State Machine and Its Integrity Constraints.
- Coming and Going from UML to B: A Proposal to Support Traceability in Rigorous IS Development.
TL;DR: This work presents a formal framework for enterprise and business process modelling and outlines the basic steps of a methodology that allows business analysts to produce detailed, formal specifications of business processes from high-level enterprise objectives.
TL;DR: A tool that supports verification of workflow models specified in UML activity graphs by translating an activity graph into an input format for a model checker according to a semantics the authors published earlier.
Abstract: We describe a tool that supports verification of workflow models specified in UML activity graphs. The tool translates an activity graph into an input format for a model checker according to a semantics we published earlier. With the model checker arbitrary propositional requirements can be checked against the input model. If a requirement fails to hold an error trace is returned by the model checker. The tool automatically translates such an error trace into an activity graph trace by highlighting a corresponding path in the activity graph. One of the problems that is dealt with is that model checkers require a finite state space whereas workflow models in general have an infinite state space. Another problem is that strong fairness is necessary to obtain realistic results. Only model checkers that use a special model checking algorithm for strong fairness are suitable for verifying workflow models. We analyse the structure of the state space. We illustrate our approach with some example verifications.
TL;DR: A method for finding security flaws in source code by way of static analysis that works by using an automated theorem prover to analyze verification conditions generated from C source code and a set of specifications that define security properties is described.
Abstract: We describe a method for finding security flaws in source code by way of static analysis. The method is notable because it allows a user to specify a wide range of security properties while also leveraging a set of predefined common flaws. It works by using an automated theorem prover to analyze verification conditions generated from C source code and a set of specifications that define security properties. We demonstrate that the method can be used to identify real vulnerabilities in real programs.
TL;DR: It is illustrated how an aspect-oriented approach to modeling allows developers to encapsulate design concerns so that they can be woven into a design in a systematic and consistent manner.
Abstract: Developers of complex systems have to address concerns such as security, availability of services, and timeliness that often are non-orthogonal to traditional design structures, that is, the concerns cross-cut traditional design units. We illustrate how an aspect-oriented approach to modeling allows developers to encapsulate such design concerns so that they can be woven into a design in a systematic and consistent manner. The paper focuses on the use of aspects for modeling and weaving in security concerns.
TL;DR: This work reformulated Schubert's steamroller puzzle in PENG, translated the resulting specification via discourse representation structures into first-order predicate logic with equality, and proved the steamroller's conclusion with OTTER, a standard theorem prover.
Abstract: PENG is a computer-processable controlled natural language designed for writing unambiguous and precise specifications. PENG covers a strict subset of standard English and is precisely defined by a controlled grammar and a controlled lexicon. In contrast to other controlled languages, the author does not need to know the grammatical restrictions explicitly. ECOLE, a look-ahead text editor, indicates the restrictions while the specification is written. The controlled lexicon contains domain-specific content words that can be defined by the author on the fly and predefined function words. Specifications written in PENG can be deterministically translated into discourse representation structures to cope with anaphora and presuppositions and also into first-order predicate logic. To test the formal properties of PENG, we reformulated Schubert's steamroller puzzle in PENG, translated the resulting specification via discourse representation structures into first-order predicate logic with equality, and proved the steamroller's conclusion with OTTER, a standard theorem prover.
TL;DR: Coq is a proof assistant based on a higher-order logic that lets one state mathematical assertions, mechanically check proofs of these assertions, helps to find formal proofs, and can extract a certified program from the constructive proof of its formal specification.
Abstract: Coq is a proof assistant based on a higher-order logic. Coq allows one to state mathematical assertions and to check proofs of these assertions mechanically. It helps to find formal proofs, and allows extraction of a certified program from the constructive proof of its formal specification. This document is a tutorial for version V7.2 of Coq, which is available from http://coq.inria.fr.
TL;DR: A concept for automated testing of object-oriented applications and a tool called SeDiTeC that implements these concepts for Java applications that can easily be integrated into the development process as soon as the design phase starts are presented.
Abstract: In this paper we present a concept for automated testing of object-oriented applications and a tool called SeDiTeC that implements these concepts for Java applications. SeDiTeC uses UML sequence diagrams, complemented by test case data sets consisting of parameters and return values for the method calls, as the test specification, and therefore can easily be integrated into the development process as soon as the design phase starts. SeDiTeC supports the specification of several test case data sets for each sequence diagram, as well as combining several sequence diagrams into so-called combined sequence diagrams, thus reducing the number of diagrams needed. For classes and methods whose behavior is specified in sequence diagrams and the corresponding test case data sets, SeDiTeC can automatically generate test stubs, thus enabling testing right from the beginning of the implementation phase. Validation is not restricted to comparing the test case data sets with the observed data, but can also include validation of pre- and postconditions.
TL;DR: A formal interpretation of use case models consisting of UML use case, activity, and collaboration diagrams is proposed, which allows to make precise the notions of conflict and dependency between functional requirements expressed by different use cases.
Abstract: In object-oriented software development, requirements of different stakeholders are often manifested in use case models which complement the static domain model by dynamic and functional requirements. In the course of development, these requirements are analyzed and integrated to produce a consistent overall requirements specification. Iterations of the model may be triggered by conflicts between requirements of different parties. However, due to the diversity, incompleteness, and informal nature, in particular of functional and dynamic requirements, such conflicts are difficult to find. Formal approaches to requirements engineering, often based on logic, attack these problems, but require highly specialized experts to write and reason about such specifications. In this paper, we propose a formal interpretation of use case models consisting of UML use case, activity, and collaboration diagrams. The formalization, which is based on concepts from the theory of graph transformation, allows to make precise the notions of conflict and dependency between functional requirements expressed by different use cases. Then, use case models can be statically analyzed, and conflicts or dependencies detected by the analysis can be communicated to the modeler by annotating the model. An implementation of the static analysis within a graph transformation tool is presented.
TL;DR: The main goal of this contribution is to advocate the increased use of formal methods (FM) in the field of performance evaluation (PE) and reduce the mutual reservations between both areas, formal specification techniques and performance evaluation since both can profit from such an integration.
Abstract: The main goal of this contribution is to advocate the increased use of formal methods (FM) in the field of performance evaluation (PE). Moreover, we try to reduce the mutual reservations between both areas, formal specification techniques and performance evaluation since both can profit from such an integration: FMs may find their way into a new and very attractive area of applications and some fundamental problems of PE may be overcome. The first part summarizes the evolution of PE, its methodology and the basic concepts of performance modeling and analysis, elaborated in specific contributions of this book. Classical modeling and analysis techniques have a high standard and have been quite successful. However, there are important problem classes still open, and there are some fundamental deficiencies: Task interdependencies and synchronization, interfacing in modeling hierarchies, methods and tools for automating the performance engineering process are typical examples. We therefore advocate the integration of FMs and PE and survey three advanced approaches, again, treated in detail in specific contributions: Stochastic Petri-Nets, Stochastic Activity Networks and Stochastic Process Algebras. We try to summarize our own experience with these techniques and conclude with a list of challenging topics and current research directions.
TL;DR: LCR, a very expressive logic for describing interaction in multi-agent systems, is introduced; it makes it possible to check whether agents in an agent society follow desired interaction patterns and whether desired social states are preserved by agent activity.
Abstract: The Agent Society framework that we have developed distinguishes between the mechanisms through which the structure and global behavior of the model is described and coordinated, and the aims and behavior of the service-providers (agents) that populate the model. In this framework contracts are used to integrate the top-down specification of organizational structures with the autonomy of participating agents. In this paper we introduce LCR, a very expressive logic for describing interaction in multi-agent systems. We also show how LCR behaves in contrary-to-duty situations common to deontic logic frameworks. LCR makes it possible to check whether agents in an agent society follow some desired interaction patterns and whether desired social states are preserved by agent activity. LCR is used as a formal basis for the framework for agent societies that we are developing.
TL;DR: This work considers how to test modular systems where the decomposition into parts is specified by a Casl-style architectural specification and the parts are developed separately, perhaps by an independent supplier.
Abstract: The problem of testing modular systems against algebraic specifications is discussed. We focus on systems where the decomposition into parts is specified by a Casl-style architectural specification and the parts (units) are developed separately, perhaps by an independent supplier. We consider how to test such units without reference to their context of use. This problem is most acute for generic units where the particular instantiation cannot be predicted.
TL;DR: The problem of testing modular systems against algebraic specifications is discussed in this paper, where the decomposition into parts is specified by a CASL-style architectural specification and the parts (units) are developed separately, perhaps by an independent supplier.
Abstract: The problem of testing modular systems against algebraic specifications is discussed. We focus on systems where the decomposition into parts is specified by a CASL-style architectural specification and the parts (units) are developed separately, perhaps by an independent supplier. We consider how to test such units without reference to their context of use. This problem is most acute for generic units where the particular instantiation cannot be predicted.
TL;DR: This paper describes an approach to automatically synthesizing complex synchronization implementations from formal high-level specifications that is simple to use, has a solid semantic foundation, is language independent, and has demonstrated that it is powerful enough to solve numerous challenging synchronization problems.
Abstract: Concurrency is used in modern software systems as a means of addressing performance, availability, and reliability requirements. The collaboration of multiple independently executing components is fundamental to meeting such requirements, and such collaboration is realized by synchronizing component execution. Using current technologies, developers are faced with a tension between correct synchronization and performance. Developers can be confident when simple forms of synchronization are used, for example, locking all accesses to shared data. Unfortunately, such simple approaches can result in significant run-time overhead, and, in fact, there are many cases in which such simple approaches cannot implement required synchronization policies. Implementing more sophisticated (and less constraining) synchronization policies may improve run-time performance and satisfy synchronization requirements, but fundamental difficulties in reasoning about concurrency make it difficult to assess their correctness. This paper describes an approach to automatically synthesizing complex synchronization implementations from formal high-level specifications. Moreover, the generated code is designed to be processed easily by software model-checking tools such as Bandera. This enables the generated synchronization solutions to be verified for important system correctness properties. We believe this is an effective approach because the tool support provided makes it simple to use, it has a solid semantic foundation, it is language independent, and we have demonstrated that it is powerful enough to solve numerous challenging synchronization problems.
TL;DR: This paper describes a way of using the process algebra CSP to enable controlled interaction between B machines and supports compositional verification: each of the controlled machines, and the combination of controller processes, can be analysed and verified separately in such a way as to guarantee correctness of the combined communicating system.
Abstract: This paper describes a way of using the process algebra CSP to enable controlled interaction between B machines. This approach supports compositional verification: each of the controlled machines, and the combination of controller processes, can be analysed and verified separately in such a way as to guarantee correctness of the combined communicating system. Reasoning about controlled machines separately is possible due to the introduction of guards and assertions into the description of the controller processes in order to capture assumptions about other controlled machines and provide guarantees to the rest of the system. The verification process can be completely supported by different tools. The use of separate controller processes facilitates the iterative development and analysis of complex control flows within the system. The approach is motivated and illustrated with a non-trivial running example.