TL;DR: This work presents a new methodology for automatic verification of C programs against finite state machine specifications using weak simulation as the notion of conformance between the program and its specification.
Abstract: We present a new methodology for automatic verification of C programs against finite state machine specifications. Our approach is compositional, naturally enabling us to decompose the verification of large software systems into subproblems of manageable complexity. The decomposition reflects the modularity in the software design. We use weak simulation as the notion of conformance between the program and its specification. Following the counterexample guided abstraction refinement (CEGAR) paradigm, our tool MAGIC first extracts a finite model from C source code using predicate abstraction and theorem proving. Subsequently, weak simulation is checked via a reduction to Boolean satisfiability. MAGIC has been interfaced with several publicly available theorem provers and SAT solvers. We report experimental results with procedures from the Linux kernel, the OpenSSL toolkit, and several industrial strength benchmarks.
TL;DR: The paper presents a constructive approach to the modeling, specification and analysis of application-specific security requirements, based on a goal-oriented framework for generating and resolving obstacles to goal satisfaction.
Abstract: Caring for security at requirements engineering time is a message that has finally received some attention recently. However, it is not yet very clear how to achieve this systematically through the various stages of the requirements engineering process. The paper presents a constructive approach to the modeling, specification and analysis of application-specific security requirements. The method is based on a goal-oriented framework for generating and resolving obstacles to goal satisfaction. The extended framework addresses malicious obstacles (called anti-goals) set up by attackers to threaten security goals. Threat trees are built systematically through anti-goal refinement until leaf nodes are derived that are either software vulnerabilities observable by the attacker or anti-requirements implementable by this attacker. New security requirements are then obtained as countermeasures by application of threat resolution operators to the specification of the anti-requirements and vulnerabilities revealed by the analysis. The paper also introduces formal epistemic specification constructs and patterns that may be used to support a formal derivation and analysis process. The method is illustrated on a Web-based banking system for which subtle attacks have been reported recently.
TL;DR: The specification technique paves the way for the development of tools that support rigorous application of design patterns to UML design models and is illustrated by specifying observer and visitor pattern solutions.
Abstract: Informally described design patterns are useful for communicating proven solutions for recurring design problems to developers, but they cannot be used as compliance points against which solutions that claim to conform to the patterns are checked. Pattern specification languages that utilize mathematical notation provide the needed formality, but often at the expense of usability. We present a rigorous and practical technique for specifying pattern solutions expressed in the unified modeling language (UML). The specification technique paves the way for the development of tools that support rigorous application of design patterns to UML design models. The technique has been used to create specifications of solutions for several popular design patterns. We illustrate the use of the technique by specifying observer and visitor pattern solutions.
TL;DR: A framework that supports the formal verification of early requirements specifications based on Formal Tropos, a specification language that adopts primitive concepts for modeling early requirements (such as actor, goal, and strategic dependency), along with a rich temporal specification language.
Abstract: We present a framework that supports the formal verification of early requirements specifications. The framework is based on Formal Tropos, a specification language that adopts primitive concepts for modeling early requirements (such as actor, goal, and strategic dependency), along with a rich temporal specification language. We show how existing formal analysis techniques, and in particular model checking, can be adapted for the automatic verification of Formal Tropos specifications. These techniques have been implemented in a tool, called the T-Tool, that maps Formal Tropos specifications into a language that can be handled by the NuSMV model checker. Finally, we evaluate our methodology on a course-exam management case study. Our experiments show that formal analysis reveals gaps and inconsistencies in early requirements specifications that are by no means trivial to discover without the help of formal analysis tools.
TL;DR: It is argued that essential facets of Web services, and especially those useful to understand their interaction, can be described using process-algebraic notations and claimed that process algebras provide a very complete and satisfactory assistance to the whole process of Web service development.
Abstract: We argue that essential facets of Web services, and especially those useful to understand their interaction, can be described using process-algebraic notations. Web service description and execution languages such as BPEL are essentially process description languages; they are based on primitives for behaviour description and message exchange which can also be found in more abstract process algebras. One legitimate question is therefore whether the formal approach and the sophisticated tools introduced for process algebra can be used to improve the effectiveness and the reliability of Web service development. Our investigations suggest a positive answer, and we claim that process algebras provide a very complete and satisfactory assistance to the whole process of Web service development. We show on a case study that readily available tools based on process algebra are effective at verifying that Web services conform to their requirements and respect properties. We advocate their use both at the design stage and for reverse engineering issues. More prospectively, we discuss how they can be helpful to tackle choreography issues.
TL;DR: An extensive case study is presented, in which the function view framework is used to systematically classify and rigorously define a rich domain of identity-related properties, and to demonstrate that privacy and anonymity are independent.
Abstract: We propose a new specification framework for information hiding properties such as anonymity and privacy. The framework is based on the concept of a function view, which is a concise representation of the attacker's partial knowledge about a function. We describe system behavior as a set of functions, and formalize different information hiding properties in terms of views of these functions. We present an extensive case study, in which we use the function view framework to systematically classify and rigorously define a rich domain of identity-related properties, and to demonstrate that privacy and anonymity are independent.
The key feature of our approach is its modularity. It yields precise, formal specifications of information hiding properties for any protocol formalism and any choice of the attacker model as long as the latter induce an observational equivalence relation on protocol instances. In particular, specifications based on function views are suitable for any cryptographic process calculus that defines some form of indistinguishability between processes. Our definitions of information hiding properties take into account any feature of the security model, including probabilities, random number generation, timing, etc., to the extent that it is accounted for by the formalism in which the system is specified.
Partially supported by ONR grants N00014-02-1-0109 and N00014-01-1-0837 and DARPA contract N66001-00-C-8015.
TL;DR: The presence of crosscutting concerns, i.e., functionalities that are not assigned to a single modular unit in the implementation, is one of the major problems in software understanding and evolution.
Abstract: The presence of crosscutting concerns, i.e., functionalities that are not assigned to a single modular unit in the implementation, is one of the major problems in software understanding and evolution. In fact, they are hard to locate (scattering) and may give rise to multiple ripple effects (tangling). Aspect oriented programming offers mechanisms to factor them out into a modular unit, called an aspect. Aspect identification in existing code is supported by means of dynamic code analysis. Execution traces are generated for the use cases that exercise the main functionalities of the given application. The relationship between execution traces and executed computational units (class methods) is subjected to concept analysis. In the resulting lattice, potential aspects are detected by determining the use-case specific concepts and examining their specific computational units. When these come from multiple modules (classes) which contribute to multiple use-cases, a candidate aspect is recognized.
TL;DR: A survey of the theoretical results concerning decision problems of reachability, language inclusion and language equivalence for timed automata and its variants, with some new proofs and comparisons is provided.
Abstract: Finite automata and regular languages have been useful in a wide variety of problems in computing, communication and control, including formal modeling and verification. Traditional automata do not admit an explicit modeling of time, and consequently, timed automata [2] were introduced as a formal notation to model the behavior of real-time systems. Timed automata accept timed languages consisting of sequences of events tagged with their occurrence times. Over the years, the formalism has been extensively studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theoretical results concerning decision problems of reachability, language inclusion and language equivalence for timed automata and its variants, with some new proofs and comparisons. We conclude with a discussion of some open problems.
TL;DR: A methodology for automatically synthesizing motion task controllers based on linear temporal logic (LTL) specifications that combines the continuous dynamics of the underlying system with the automatically synthesized switching logic that enforces the LTL specification.
Abstract: In this paper we propose a methodology for automatically synthesizing motion task controllers based on linear temporal logic (LTL) specifications. The proposed design of the underlying multi-agent controllers possesses a special structure that allows for implicit satisfaction of basic liveness and safety specifications. The resulting closed loop system is of hybrid nature combining the continuous dynamics of the underlying system with the automatically synthesized switching logic that enforces the LTL specification. The effectiveness of the proposed scheme is verified through non-trivial computer simulations.
TL;DR: The XML role-based access control (X-RBAC) specification language addresses multidomain environments' policy-specification needs and provides a framework for specifying mediation policies in a multidomain environment where RBAC policies have been employed.
Abstract: The XML role-based access control (X-RBAC) specification language addresses multidomain environments' policy-specification needs. X-RBAC is based on an extension of the widely accepted US National Institute of Standards and Technology role-based access-control (RBAC) model. In addition to allowing specification of RBAC policies and facilitating specification of timing constraints on roles and access requirements, X-RBAC provides a framework for specifying mediation policies in a multidomain environment where RBAC policies have been employed.
TL;DR: The paper studies failure diagnosis of discrete-event systems (DESs) with linear-time temporal logic (LTL) specifications, which make the specification specifying process easier and more user-friendly than the formal language/automata-based specifications.
Abstract: The paper studies failure diagnosis of discrete-event systems (DESs) with linear-time temporal logic (LTL) specifications. The LTL formulas are used for specifying failures in the system. The LTL-based specifications make the specification specifying process easier and more user-friendly than the formal language/automata-based specifications; and they can capture the failures representing the violation of both liveness and safety properties, whereas the prior formal language/automaton-based specifications can capture the failures representing the violation of only the safety properties (such as the occurrence of a faulty event or the arrival at a failed state). Prediagnosability and diagnosability of DESs in the temporal logic setting are defined. The problem of testing prediagnosability and diagnosability is reduced to the problem of model checking. An algorithm for the test of prediagnosability and diagnosability, and the synthesis of a diagnoser is obtained. The complexity of the algorithm is exponential in the length of each specification LTL formula, and polynomial in the number of system states and the number of specifications. The requirement of nonexistence of unobservable cycles in the system, which is needed for the diagnosis algorithms in prior methods to work, is relaxed. Finally, a simple example is given for illustration.
TL;DR: A tool that supports verification of workflow models specified in UML activity diagrams is described that translates an activity diagram into an input format for a model checker according to a mathematical semantics.
Abstract: We describe a tool that supports verification of workflow models specified in UML activity diagrams. The tool translates an activity diagram into an input format for a model checker according to a mathematical semantics. With the model checker, arbitrary propositional requirements can be checked against the input model. If a requirement fails to hold, an error trace is returned by the model checker, which our tool presents by highlighting a corresponding path in the activity diagram. We summarize our formal semantics, discuss the techniques used to reduce an infinite state space to a finite one, and motivate the need for strong fairness constraints to obtain realistic results. We define requirement-preserving rules for state space reduction. Finally, we illustrate the whole approach with a few example verifications.
TL;DR: Web Service Analysis Tool (WSAT) as discussed by the authors is a tool for analyzing and verifying composite web service designs with state-of-the-art model checking techniques.
Abstract: This paper presents Web Service Analysis Tool (WSAT), a tool for analyzing and verifying composite web service designs, with the state of the art model checking techniques. Web services are loosely coupled distributed systems communicating via XML messages. Communication among web services is asynchronous, and it is supported by messaging platforms such as JMS which provide FIFO queues to store incoming messages. Data transmission among web services is standardized via XML, and the specification of web service itself (invocation interface and behavior signature) relies on a stack of XML based standards (e.g. WSDL, BPEL4WS, WSCI, etc.). The characteristics of web services, however, raise several challenges in the application of model checking: (1) Numerous competing web service standards, most of which lack formal semantics, complicate the formal specification of web service composition. (2) Asynchronous messaging makes most interesting verification problems undecidable, even when XML message contents are abstracted away [3]. (3) XML data and expressive XPath based manipulation are not supported by current model checkers.
TL;DR: This work focuses on scenario-based requirements and shows how to compose aspectual and non-aspectual scenarios so that they can be simulated as a whole and composed at the state machine level.
Abstract: There has been significant recent interest, within the aspect-oriented software development (AOSD) community, in representing crosscutting concerns at various stages of the software lifecycle. However, most of these efforts have concentrated on the design and implementation phases. We focus in this work on representing aspects during use case modeling. In particular, we focus on scenario-based requirements and show how to compose aspectual and non-aspectual scenarios so that they can be simulated as a whole. Non-aspectual scenarios are modeled as UML sequence diagrams. Aspectual scenarios are modeled as interaction pattern specifications (IPSs). In order to simulate them, the scenarios are transformed into a set of executable state machines using an existing state machine synthesis algorithm. Previous work composed aspectual and non-aspectual scenarios at the sequence diagram level. In this work, the composition is done at the state machine level.
TL;DR: This research exploits the specification of SA dynamics to identify useful schemes of interactions between system components and to select test classes corresponding to relevant architectural behaviors, using labeled transition systems called ALTSs.
Abstract: Our research deals with the use of software architecture (SA) as a reference model for testing the conformance of an implemented system with respect to its architectural specification. We exploit the specification of SA dynamics to identify useful schemes of interactions between system components and to select test classes corresponding to relevant architectural behaviors. The SA dynamics is modeled by labeled transition systems (LTSs). The approach consists of deriving suitable LTS abstractions called ALTSs. ALTSs offer specific views of SA dynamics by concentrating on relevant features and abstracting away from uninteresting ones. Intuitively, deriving an adequate set of test classes entails deriving a set of paths that appropriately cover the ALTS. Next, a relation between these abstract SA tests and more concrete, executable tests needs to be established so that the architectural tests derived can be refined into code-level tests. We use the TRMCS case study to illustrate our hands-on experience. We discuss the insights gained and highlight some issues, problems, and solutions of general interest in architecture-based testing.
TL;DR: The structural properties of design patterns are presented which reveal the true abstract nature of pattern structures and an extension to UML 1.5 is proposed so as to solve the over-specification problem.
Abstract: Prior research attempts to formalize the structure of object-oriented design patterns for a more precise specification of design patterns. It also allows automation support to be developed for user-defined design patterns in the future CASE tools. Targeting a particular type of automation (e.g. verification of pattern instances), previous specification approaches over-specify pattern structures to a certain extent. Over-specification makes pattern specification ambiguous and disallows the specification language to be used for specifying compound patterns. In this paper, we present the structural properties of design patterns which reveal the true abstract nature of pattern structures. To support these properties so as to solve the over-specification problem, we propose an extension to UML 1.5 (basically UML 1.4 with Action semantics). The specialization and refining mechanism of UML also provides smooth support for the instantiation, refinement and integration of pattern structures specified in UML. Our work makes no significant extension to the UML 1.5 meta-model but rather follows a UML Profile approach to ease the migration of our work to UML 2.0, which had not yet been officially released by OMG during this work.
TL;DR: The purpose of this project was to evaluate the contribution of this testing environment, called B-TESTING-TOOLS, in an industrial process on a real life-size application, by comparing the generated test sequences with the already used and high-quality manually-designed tests.
Abstract: This paper presents the results of a case study on generating test cases for a fragment of the smart card GSM 11-11 standard. The generation method is based on an original approach using the B notation and techniques of constraint logic programming with sets. The GSM 11-11 technical specifications were formalized with the B notation. From this B specification, a system of constraints was derived, equivalent to this formal model. Using a set constraint solver, boundary states were computed and test cases were obtained by traversing the constrained reachability graph of the specifications. The purpose of this project was to evaluate the contribution of this testing environment, called B-TESTING-TOOLS, in an industrial process on a real life-size application, by comparing the generated test sequences with the already used and high-quality manually-designed tests. This comparison enabled us to validate our approach and showed its effectiveness in the validation process of critical applications: the case study gives a wide coverage (about 85%) of the generated tests compared to the pre-existing tests and a saving of 30% in test design time.
TL;DR: Formal definitions of different kinds of trust are given in the framework of modal logic and a logic for deriving consequences from a set of assumptions about trust is defined.
Abstract: There is no consensus about the definition of the concept of trust. In this paper formal definitions of different kinds of trust are given in the framework of modal logic. This framework also allows one to define a logic for deriving consequences from a set of assumptions about trust. Trust is defined as a mental attitude of an agent with respect to some property held by another agent. These properties are systematically analysed and we propose 6 epistemic properties, 4 deontic properties and 1 dynamic property.
TL;DR: In this paper the transformation of a local process specification given in BPEL to annotated deterministic finite state automata is presented.
Abstract: Web services advocate loosely coupled systems, although current loosely coupled applications are limited to stateless services. The reason for this limitation is the lack of a method supporting matchmaking of state dependent services exemplarily specified in BPEL. In particular, the sender's requirement that the receiver must support all possible messages sent at a certain state is not captured by models currently used for service discovery. Annotated deterministic finite state automata provide this expressiveness. In this paper the transformation of a local process specification given in BPEL to annotated deterministic finite state automata is presented.
TL;DR: The approach to MDRE uses formal specification and automatic code generation to reverse the reverse-engineering process, which enables better effort prediction and quality evaluation, reducing development risk.
Abstract: Reverse engineering is the process of comprehending software and producing a model of it at a high abstraction level, suitable for documentation, maintenance, or reengineering. But from a manager's viewpoint, there are two painful problems: 1) It's difficult or impossible to predict how much time reverse engineering will require. 2) There are no standards to evaluate the quality of the reverse engineering that the maintenance staff performs. Model-driven reverse engineering can overcome these difficulties. A model is a high-level representation of some aspect of a software system. MDRE uses the features of modeling technology but applies them differently to address the maintenance manager's problems. Our approach to MDRE uses formal specification and automatic code generation to reverse the reverse-engineering process. Models written in a formal specification language called SLANG describe both the application domain and the program being reverse engineered, and interpretations annotate the connections between the two. The ability to generate a similar version of a program gives managers a fixed target for reverse engineering. This, in turn, enables better effort prediction and quality evaluation, reducing development risk.
TL;DR: This work proposes using Markov decision processes (MDPs), to model workflow composition, and demonstrates the resulting workflows are robust to nondeterministic behaviors of Web services and adaptive to a changing environment.
Abstract: The advent of Web services has made automated workflow composition relevant to Web based applications. One technique, that has received some attention, for automatically composing workflows is AI-based classical planning. However, classical planning suffers from the paradox of first assuming deterministic behavior of Web services, then requiring the additional overhead of execution monitoring to recover from unexpected behavior of services. To address these concerns, we propose using Markov decision processes (MDPs) to model workflow composition. Our method models both the inherent stochastic nature of Web services and the dynamic nature of the environment. The resulting workflows are robust to nondeterministic behaviors of Web services and adaptive to a changing environment. Using an example scenario, we demonstrate our method and provide empirical results in its support.
TL;DR: This paper gives an overview of the ArchWare European Project, an integrated set of architecture-centric languages and tools for the model-driven engineering of evolvable software systems based on a persistent run-time framework.
Abstract: This paper gives an overview of the ArchWare European Project. The broad scope of ArchWare is to respond to the ever-present demand for software systems that are capable of accommodating change over their lifetime, and therefore are evolvable. In order to achieve this goal, ArchWare develops an integrated set of architecture-centric languages and tools for the model-driven engineering of evolvable software systems based on a persistent run-time framework. The ArchWare Integrated Development Environment comprises: (a) innovative formal architecture description, analysis, and refinement languages for describing the architecture of evolvable software systems, verifying their properties and expressing their refinements; (b) tools to support architecture description, analysis, and refinement as well as code generation; (c) enactable processes for supporting model-driven software engineering; (d) a persistent run-time framework including a virtual machine for process enactment. It has been developed using ArchWare itself and is available as Open Source Software.
TL;DR: A formal model of such tasks, based on a programming language allowing injective functions only, is proposed, where the programmer designs the transformation as if she were writing a functional program, while the synchronisation behaviour is automatically derived by algebraic reasoning.
Abstract: On many occasions one would encounter the task of maintaining the consistency of two pieces of structured data that are related by some transform — synchronising bookmarks in different web browsers, the source and the view in an editor, or views in databases, to name a few. This paper proposes a formal model of such tasks, based on a programming language allowing injective functions only. The programmer designs the transformation as if she were writing a functional program, while the synchronisation behaviour is automatically derived by algebraic reasoning. The main advantage is being able to deal with duplication and structural changes. The result will be integrated into our structured XML editor in the Programmable Structured Document project.
TL;DR: This paper proposes a formal conformance-testing relation for input-enabled transition systems with transitions labelled by input/output-pairs (IOLTSs), and provides an algorithm which, for a UMLSC specification and the alphabet of implementations, generates a test suite.
Abstract: The unified modelling language has been introduced as a notation for modelling and reasoning about large and complex systems, and their design, across a wide range of application domains. System modelling and analysis techniques, especially those based on formal methods, are more and more used for enhancing traditional system engineering techniques for improving system quality. In particular this holds for model-based formal test case derivation using formal conformance testing. The contribution of the present paper is to provide a solid mathematical basis for conformance testing and automatic test case generation for UML statecharts (UMLSCs). We propose a formal conformance-testing relation for input-enabled transition systems with transitions labelled by input/output-pairs (IOLTSs). IOLTSs provide a suitable semantic model for a behavioural subset of UMLSCs. We also provide an algorithm which, for a UMLSC specification and the alphabet of implementations, generates a test suite. The algorithm is proven exhaustive and sound w.r.t. the conformance relation.
TL;DR: This paper develops an approach to formalizing design patterns, designed to ensure that flexibility is retained in the formalization of the pattern.
Abstract: Design patterns provide guidance to system designers on how to structure individual classes or groups of classes, as well as constraints on the interactions among these classes, to enable them to implement flexible and reliable systems. Patterns are usually described informally. While such informal descriptions are useful and even essential, if we want to be sure that designers precisely and unambiguously understand the requirements that must be met when applying a given pattern, and be able to reliably predict the behaviors the resulting system exhibits, we also need formal characterizations of the patterns. In this paper, we develop an approach to formalizing design patterns. The requirements that a designer must meet with respect to the structures of the classes, as well as with respect to the behaviors exhibited by the relevant methods, are captured in the responsibilities component of the pattern's specification; the benefits that result from applying the pattern, in terms of specific behaviors that the resulting system is guaranteed to exhibit, are captured in the rewards component. One important aspect of many design patterns is their flexibility; our approach is designed to ensure that this flexibility is retained in the formalization of the pattern. We illustrate the approach by applying it to a standard design pattern.
TL;DR: A translation from UML class diagrams into B is defined, which is used to verify the consistency of UML models and to verify that expected properties of these models hold.
Abstract: The integration of UML and formal methods such as B and SMV provides a bridge between graphical specification techniques usable by mainstream software engineers, and precise analysis and verification techniques, essential for the development of high integrity and critical systems. In this paper we define a translation from UML class diagrams into B, which is used to verify the consistency of UML models and to verify that expected properties of these models hold.
TL;DR: In this paper, the authors consider the problem of specifying and verifying cryptographic security protocols for XML web services and propose an approach to the specification and verification of security protocols based on a faithful account of the XML wire format.
Abstract: We consider the problem of specifying and verifying cryptographic security protocols for XML web services. The security specification WS-Security describes a range of XML security tokens, such as username tokens, public-key certificates, and digital signature blocks, amounting to a flexible vocabulary for expressing protocols. To describe the syntax of these tokens, we extend the usual XML data model with symbolic representations of cryptographic values. We use predicates on this data model to describe the semantics of security tokens and of sample protocols distributed with the Microsoft WSE implementation of WS-Security. By embedding our data model within Abadi and Fournet's applied pi calculus, we formulate and prove security properties with respect to the standard Dolev-Yao threat model. Moreover, we informally discuss issues not addressed by the formal model. To the best of our knowledge, this is the first approach to the specification and verification of security protocols based on a faithful account of the XML wire format.
TL;DR: An experiment is described in which the fault-finding capability of test suites generated to satisfy three specification coverage metrics proposed in the literature is investigated; the results indicate that although the coverage metrics may seem reasonable for measuring the adequacy of a test suite, they are unsuitable when used to generate test suites.
Abstract: The successful analysis technique model checking can be employed as a test-case generation technique to generate tests from formal models. When using a model checker for test-case generation, we leverage the witness (or counterexample) generation capability of model checkers to construct test cases. Test criteria are expressed as temporal properties, and the witness traces generated for these properties are instantiated to create complete test sequences satisfying the criteria. In this report we describe an experiment in which we investigate the fault-finding capability of test suites generated to provide three specification coverage metrics proposed in the literature (state, transition, and decision coverage). Our findings indicate that although these coverage metrics may seem reasonable for measuring the adequacy of a test suite, they are unsuitable when used to generate test suites. In short, the generated test sequences technically provide adequate coverage, but do so in a way that tests only a small portion of the formal model. We conclude that automated testing techniques must be pursued with great caution and that new coverage criteria targeting formal specifications are needed.
TL;DR: A tool aimed at overcoming these limitations by animating goal-oriented requirements models: it automatically generates parallel state machines from goal operationalizations, instantiates those machines with specific instances created by users at animation time, and visualizes concurrent simulations as animated scenes in the domain.
Abstract: Requirements engineers need to make sure that the requirements models and specifications they are building do accurately capture what stakeholders really want. Requirements animation has been recognized to be a promising approach to support this. The principle is to simulate an executable version of the requirements model and to visualize the simulation in some form appealing to stakeholders. Most animation tools available to date simulate operational models. Such models in general do not directly reflect the objectives, constraints and assumptions stated declaratively by stakeholders. It is also not possible to focus the animation on particular portions of a complex model relevant to some specific concern. The paper describes a tool aimed at overcoming such limitations by animating goal-oriented requirements models. The tool automatically generates parallel state machines from goal operationalizations, instantiates those machines to specific instances created by users at animation time, executes them from concurrent events input by multiple users, monitors property violations at animation time, and visualizes concurrent simulations in terms of animated scenes in the domain.
TL;DR: This paper provides an overview of the foundations of the run-time semantics underlying the Unified Modeling Language as defined in revision 2.0 of the official OMG standard and can serve as a convenient starting point for researchers who want to work on the problem of UML semantics.
Abstract: This paper provides an overview of the foundations of the run-time semantics underlying the Unified Modeling Language as defined in revision 2.0 of the official OMG standard. One of the problems with the format used for that standard is that the information relating to semantics is scattered throughout the text, making it difficult to obtain a global understanding of how the various fragments fit together. This has led many to incorrectly conclude that UML has little or no semantic content. One of the objectives of this paper is to provide a clear and concise description of the structure and essential content of UML run-time semantics. This can serve as a convenient starting point for researchers who want to work on the problem of UML semantics and, in particular, those who are interested in producing formal models of those semantics.