Scispace (Formerly Typeset)
Showing papers on "Formal specification" published in 2017
Proceedings Article • DOI: 10.1145/3064176.3064213
Hybrids on Steroids: SGX-Based High Performance BFT
Johannes Behl (Braunschweig University of Technology), Tobias Distler (University of Erlangen-Nuremberg), Rüdiger Kapitza (Braunschweig University of Technology)
23 Apr 2017
TL;DR: With over 1 million operations per second using only four cores, the evaluation of the Intel SGX-based prototype implementation shows that Hybster makes hybrid state-machine replication a viable option even for today's very demanding critical services.
Abstract: With the advent of trusted execution environments provided by recent general purpose processors, a class of replication protocols has become more attractive than ever: Protocols based on a hybrid fault model are able to tolerate arbitrary faults yet reduce the costs significantly compared to their traditional Byzantine relatives by employing a small subsystem trusted to only fail by crashing. Unfortunately, existing proposals have their own price: We are not aware of any hybrid protocol that is backed by a comprehensive formal specification, complicating the reasoning about correctness and implications. Moreover, current protocols of that class have to be performed largely sequentially. Hence, they are not well-prepared for just the modern multi-core processors that bring their very own fault model to a broad audience. In this paper, we present Hybster, a new hybrid state-machine replication protocol that is highly parallelizable and specified formally. With over 1 million operations per second using only four cores, the evaluation of our Intel SGX-based prototype implementation shows that Hybster makes hybrid state-machine replication a viable option even for today's very demanding critical services.

147 citations

Journal Article • DOI: 10.1109/MS.2017.4121207
Natural Language Requirements Processing: A 4D Vision
Alessio Ferrari, Felice Dell'Orletta, Andrea Esuli, Vincenzo Gervasi (University of Pisa), Stefania Gnesi
01 Nov 2017 - IEEE Software
TL;DR: The future evolution of the application of NLP technologies in RE can be viewed from four dimensions: discipline, dynamism, domain knowledge, and datasets.
Abstract: Natural language processing (NLP) and requirements engineering (RE) have had a long relationship, yet their combined use isn’t well established in industrial practice. This situation should soon change. The future evolution of the application of NLP technologies in RE can be viewed from four dimensions: discipline, dynamism, domain knowledge, and datasets.

68 citations

Proceedings Article • DOI: 10.1145/3106237.3106299
Modeling and verification of evolving cyber-physical spaces
Christos Tsigkanos, Timo Kehrer, Carlo Ghezzi (all Polytechnic University of Milan)
21 Aug 2017
TL;DR: This paper utilizes a discrete, graph-based formalism for modeling cyber-physical spaces as well as primitives of change, giving rise to a reactive system consisting of rewriting rules with both local and global application conditions.
Abstract: We increasingly live in cyber-physical spaces -- spaces that are both physical and digital, and where the two aspects are intertwined. Such spaces are highly dynamic and typically undergo continuous change. Software engineering can have a profound impact in this domain, by defining suitable modeling and specification notations as well as supporting design-time formal verification. In this paper, we present a methodology and a technical framework which support modeling of evolving cyber-physical spaces and reasoning about their spatio-temporal properties. We utilize a discrete, graph-based formalism for modeling cyber-physical spaces as well as primitives of change, giving rise to a reactive system consisting of rewriting rules with both local and global application conditions. Formal reasoning facilities are implemented adopting logic-based specification of properties and according model checking procedures, in both spatial and temporal fragments. We evaluate our approach using a case study of a disaster scenario in a smart city.

48 citations

Proceedings Article • DOI: 10.1109/MATHIT.2017.8259720
Formal specification, verification and evaluation of the MQTT protocol in the Internet of Things
Manel Houimli, Laid Kahloul, Sihem Benaoun
1 Dec 2017
TL;DR: In this paper, the authors present the formal modeling and performance analysis of one of the Internet of Things (IoT) protocols, Message Queue Telemetry Transport (MQTT), and use statistical model checking with the UPPAAL SMC toolset for the performance evaluation of the protocol.
Abstract: This paper presents the formal modeling and performance analysis of one of the Internet of Things (IoT) protocols. The Internet of Things is among the subjects best financed in the industry and studied in the academic world. The rapid evolution of mobile Internet, the manufacture of mini hardware, microcomputers, and machine-to-machine (M2M) communication enabled IoT technologies to be at the top of media subjects. These technologies allow things or devices that are not computers to act intelligently and to make collaborative decisions that are beneficial for certain applications. Hence, intelligent decision making, self-configuration and ad hoc networking are among the main characteristics of IoT. Therefore, the implementation of protocols for IoT must comply with the standards and satisfy the good properties. Using formal methods in the study of developed protocols ensures these conditions. In this paper, we use probabilistic timed automata for the formal modeling of Message Queue Telemetry Transport (MQTT) and we further use statistical model checking with the UPPAAL SMC tool-set for the performance evaluation of the protocol.

47 citations

Journal Article • DOI: 10.1145/2700529
Automated Bug Finding in Video Games: A Case Study for Runtime Monitoring
Simon Varvaressos, Kim Lavoie, Sébastien Gaboury, Sylvain Hallé (all Université du Québec à Chicoutimi)
1 Mar 2017
TL;DR: It is shown how the use of a runtime monitor can greatly speed up the testing phase of a video game under development by automating the detection of bugs while the game is being played, by successfully instrumenting six real-world games and efficiently monitoring various temporal properties over their execution.
Abstract: Runtime verification is the process of observing a sequence of events generated by a running system and comparing it to some formal specification for potential violations. We show how the use of a runtime monitor can greatly speed up the testing phase of a video game under development by automating the detection of bugs when the game is being played. We take advantage of the fact that a video game, contrarily to generic software, follows a special structure that contains a “game loop.” This game loop can be used to centralize the instrumentation and generate events based on the game's internal state. We report on experiments made on a sample of six real-world video games of various genres and sizes by successfully instrumenting and efficiently monitoring various temporal properties over their execution, including actual bugs reported in the games' bug tracking database in the course of their development.

45 citations

Proceedings Article • DOI: 10.1109/MRS.2017.8250926
Decentralized control of robotic swarms from high-level temporal logic specifications
Salar Moarref, Hadas Kress-Gazit (both Cornell University)
1 Dec 2017
TL;DR: This paper proposes a formal specification language for the high-level description of swarm behaviors on both swarm and individual levels and presents algorithms for automated synthesis of decentralized controllers and synchronization skeletons that describe how groups of robots must coordinate to satisfy the specification.
Abstract: Work in swarm robotics typically focuses on the bottom-up design of local rules for individual robots that create emergent swarm behaviors. In this paper, we take a top-down approach and consider the following problem: how can we specify a desired collective behavior and automatically synthesize decentralized controllers that can be distributed over robots to achieve the collective objective in a provably correct way? We propose a formal specification language for the high-level description of swarm behaviors on both swarm and individual levels. We present algorithms for automated synthesis of decentralized controllers and synchronization skeletons that describe how groups of robots must coordinate to satisfy the specification. We demonstrate our algorithms on a case study.

40 citations

Journal Article • DOI: 10.3390/S17030569
SWARMs Ontology: A Common Information Model for the Cooperation of Underwater Robots
Xin Li (Technical University of Madrid), Sonia Bilbao, Tamara Martín-Wanton, Joaquim Bastos (University of Aveiro), Jonathan Rodriguez (University of Aveiro)
11 Mar 2017 - Sensors
TL;DR: A networked ontology is presented to address information heterogeneity, enable robots to have the same understanding of exchanged information, represent context uncertainty, and support uncertainty reasoning.
Abstract: In order to facilitate cooperation between underwater robots, it is a must for robots to exchange information with unambiguous meaning. However, heterogeneity, existing in information pertaining to different robots, is a major obstruction. Therefore, this paper presents a networked ontology, named the Smart and Networking Underwater Robots in Cooperation Meshes (SWARMs) ontology, to address information heterogeneity and enable robots to have the same understanding of exchanged information. The SWARMs ontology uses a core ontology to interrelate a set of domain-specific ontologies, including the mission and planning, the robotic vehicle, the communication and networking, and the environment recognition and sensing ontology. In addition, the SWARMs ontology utilizes ontology constructs defined in the PR-OWL ontology to annotate context uncertainty based on the Multi-Entity Bayesian Network (MEBN) theory. Thus, the SWARMs ontology can provide both a formal specification for information that is necessarily exchanged between robots and a command and control entity, and also support for uncertainty reasoning. A scenario on chemical pollution monitoring is described and used to showcase how the SWARMs ontology can be instantiated, be extended, represent context uncertainty, and support uncertainty reasoning.

39 citations

Book Chapter • DOI: 10.1007/978-3-319-70004-5_13
Mapping Requirements Specifications into a Formalized Blockchain-Enabled Authentication Protocol for Secured Personal Identity Assurance
Benjamin Leiding (University of Göttingen), Alex Norta (Tallinn University of Technology)
29 Nov 2017
TL;DR: In this work, the Authcoin protocol is formalized using Colored Petri Nets resulting in a verifiable CPN model that is used to guide future implementations of Authcoin.
Abstract: The design and development of novel security and authentication protocols is a challenging task. Design flaws, security and privacy issues as well as incomplete specifications pose risks for its users. Authcoin is a blockchain-based validation and authentication protocol for secure identity assurance. Formal methods, such as Colored Petri Nets (CPNs), are suitable to design, develop and analyze such new protocols in order to detect flaws and mitigate identified security risks. In this work, the Authcoin protocol is formalized using Colored Petri Nets resulting in a verifiable CPN model. An Agent-Oriented Modeling (AOM) methodology is used to create goal models and corresponding behavior models. Next, these models are used to derive the Authcoin CPN models. The modeling strategy as well as the required protocol semantics are explained in detail. Furthermore, we conduct a state-space analysis on the resulting CPN model and derive specific model properties. The result is a complete and correct formal specification that is used to guide future implementations of Authcoin.

37 citations

Journal Article • DOI: 10.1007/S10009-015-0394-X
Rigorous development process of a safety-critical system: from ASM models to Java code
Paolo Arcaini (Charles University in Prague), Angelo Gargantini (University of Bergamo), Elvinia Riccobene (University of Milan)
01 Apr 2017 - International Journal on Software Tools for Technology Transfer
TL;DR: The paper presents an approach for rigorous development of safety-critical systems based on the Abstract State Machine formal method, which starts from a high level formal view of the system and, through refinement, derives more detailed models till the desired level of specification.
Abstract: The paper presents an approach for rigorous development of safety-critical systems based on the Abstract State Machine formal method. The development process starts from a high level formal view of the system and, through refinement, derives more detailed models till the desired level of specification. Along the process, different validation and verification activities are available, as simulation, model review, and model checking. Moreover, each refinement step can be proved correct using an SMT-based approach. As last step of the refinement process, a Java implementation can be developed and linked to the formal specification. The correctness of the implementation w.r.t. its formal specification can be proved by means of model-based testing and runtime verification. The process is exemplified by using a Landing Gear System as case study.

35 citations

Proceedings Article • DOI: 10.1145/3148011.3148012
Engineering Knowledge for Automated Planning: Towards a Notion of Quality
Thomas Leo McCluskey (University of Huddersfield), Tiago Stegun Vaquero (Massachusetts Institute of Technology), Mauro Vallati (University of Huddersfield)
4 Dec 2017
TL;DR: This paper proposes definitions of the attributes of a domain model and its encoding language, which are needed by the automated planning community in order to improve tools for supporting the engineering of planning knowledge, and to advance toward a shared and inclusive definition of quality of domain models.
Abstract: Automated planning is a prominent Artificial Intelligence challenge, as well as being a common capability requirement for intelligent autonomous agents. A critical aspect of what is called domain-independent planning is the application knowledge that must be added to the planner to create a complete planning application. This is made explicit in (i) a domain model, which is a formal representation of the persistent domain knowledge, and (ii) an associated problem instance, containing the details of the particular problem to be solved. Both these components are used by automated planning engines for reasoning, in order to synthesize a solution plan. Formulating knowledge for use in planning engines is currently something of an ad-hoc process, where the skills of knowledge engineers significantly influence the quality of the resulting planning application. On top of that, a notion of quality of the knowledge captured within a domain model is missing; it is therefore hard to provide useful guidelines to knowledge engineers. This paper raises some issues relating to the engineering of application knowledge for automated planning, focussing on the domain model. It uses the idea of a domain model as a formal specification of a domain, and considers what it means to measure the quality of such a specification. To do this it proposes definitions of the attributes of a domain model and its encoding language, which are needed by the automated planning community in order to improve tools for supporting the engineering of planning knowledge, and to advance toward a shared and inclusive definition of quality of domain models.

34 citations

Book Chapter • DOI: 10.1007/978-3-319-57288-8_21
Asm2C++: A tool for code generation from abstract state machines to Arduino
Silvia Bonfanti (University of Bergamo), Marco Carissoni (University of Bergamo), Angelo Gargantini (University of Bergamo), Atif Mashkoor
16 May 2017
TL;DR: Asm2C++ is a tool that automatically generates executable C++ code for Arduino from a formal specification given as Abstract State Machines (ASMs) that allows to analyze, verify, and validate the correctness of a formal model.
Abstract: This paper presents Asm2C++, a tool that automatically generates executable C++ code for Arduino from a formal specification given as Abstract State Machines (ASMs). The code generation process follows the model-driven engineering approach, where the code is obtained from a formal abstract model by applying certain transformation rules. The translation process is highly configurable in order to correctly integrate the underlying hardware. The advantage of the Asm2C++ tool is that it is part of the Asmeta framework that allows to analyze, verify, and validate the correctness of a formal model.

Proceedings Article • DOI: 10.1145/3140241.3140250
From System Specification to Anomaly Detection (and back)
Davide Fauri (Eindhoven University of Technology), Daniel Ricardo dos Santos (Eindhoven University of Technology), Elisa Costante, Jerry den Hartog (Eindhoven University of Technology), Sandro Etalle (Eindhoven University of Technology), Stefano Tonetta (Fondazione Bruno Kessler)
3 Nov 2017
TL;DR: Combining a lightweight formal system specification with anomaly detection is proposed, providing data-driven monitoring and extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable.
Abstract: Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex process-based attacks and it provides little actionability in the presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case.

Journal Article • DOI: 10.1109/TAC.2017.2694559
Linearizing Discrete-Time Hybrid Systems
Vadim Alimguzhin, Federico Mari, Igor Melatti, Ivano Salvo, Enrico Tronci (all Sapienza University of Rome)
17 Apr 2017 - IEEE Transactions on Automatic Control
TL;DR: By means of a syntactical transformation that requires nonlinear terms to be Lipschitz continuous functions, this work overapproximates nonlinear dynamics with a linear system whose controllers are guaranteed to be controllers of the original system.
Abstract: Model-based design approaches for embedded systems aim at generating correct-by-construction control software, guaranteeing that the closed-loop system (controller and plant) meets given system level formal specifications. This technical note addresses control synthesis for safety and reachability properties of possibly nonlinear discrete-time hybrid systems. By means of a syntactical transformation that requires nonlinear terms to be Lipschitz continuous functions, we overapproximate nonlinear dynamics with a linear system whose controllers are guaranteed to be controllers of the original system. We evaluate performance of our approach on meaningful control synthesis benchmarks, also comparing it to a state-of-the-art tool.

Journal Article • DOI: 10.1177/1063293X17734592
Conceptual Data Model - A Foundation For Successful Concurrent Engineering
Philipp M. Fischer, Meenakshi Deshmukh, Volker Maiwald, Dominik Quantius, Antonio Martelo Gomez, Andreas Gerndt (all German Aerospace Center)
14 Nov 2017 - Concurrent Engineering
TL;DR: The implementation of the data model at DLR is explained and it is shown how it is applied in the concurrent engineering process of the Concurrent Engineering Facility.
Abstract: Today, phase A studies of future space systems are often conducted in special design facilities such as the Concurrent Engineering Facility (CEF) at the German Aerospace Center (DLR). Within these facilities the studies are performed following a defined process making use of a data model for information exchange. Quite often it remains unclear what exactly such a data model is and how it is implemented and applied. Nowadays, such a data model is usually software using a formal specification describing its capabilities within a so-called meta-model. This meta-model, often referred to as Conceptual Data Model (CDM), is finally used and instantiated as system model during these CE studies. Such software also provides a user interface for instantiating and sharing the system model within the design team and it provides capabilities to analyze the system model on the fly. This is possible due to the semantics of the underlying CDM creating a common language used to exchange and process design information. This paper explains the implementation of the data model at DLR and shows how it is applied in the concurrent engineering process of the CEF. It highlights important aspects concerning the modeling capabilities during a study and discusses how they can be implemented into a corresponding CDM. Accordingly, the paper presents important aspects such as rights management and data consistency and their implications for the software's underlying technology. A special use case of the data model is depicted and shows the flexibility of the implementation, proven by a study of a multi-module space station.

Book Chapter • DOI: 10.1007/978-3-319-66917-5_13
Formalising openCypher Graph Queries in Relational Algebra
József Marton (Budapest University of Technology and Economics), Gábor Szárnyas (McGill University; Budapest University of Technology and Economics), Dániel Varró (McGill University; Budapest University of Technology and Economics)
08 May 2017 - arXiv: Databases
TL;DR: Graph database systems are increasingly adapted for storing and processing heterogeneous network-like datasets, however, due to the novelty of such systems, no standard data model or query language has yet emerged, thus subjecting users to the possibility of vendor lock-in.
Abstract: Graph database systems are increasingly adapted for storing and processing heterogeneous network-like datasets. However, due to the novelty of such systems, no standard data model or query language has yet emerged. Consequently, migrating datasets or applications even between related technologies often requires a large amount of manual work or ad-hoc solutions, thus subjecting the users to the possibility of vendor lock-in. To avoid this threat, vendors are working on supporting existing standard languages (e.g. SQL) or creating standardised languages. In this paper, we present a formal specification for openCypher, a high-level declarative graph query language with an ongoing standardisation effort. We introduce relational graph algebra, which extends relational operators by adapting graph-specific operators and define a mapping from core openCypher constructs to this algebra. We propose an algorithm that allows systematic compilation of openCypher queries.

Proceedings Article • DOI: 10.1145/3144457.3144485
On Design of A Fine-Grained Access Control Architecture for Securing IoT-Enabled Smart Healthcare Systems
Shantanu Pal (Macquarie University), Michael Hitchens (Macquarie University), Vijay Varadharajan (University of Newcastle), Tahiry M. Rabehaja (Macquarie University)
7 Nov 2017
TL;DR: A novel access control architecture is proposed which improves policy management by reducing the required number of authentication policies in a large-scale healthcare system while providing fine-grained access control.
Abstract: The Internet of Things (IoT) is facilitating the development of novel and cost-effective applications that promise to deliver efficient and improved medical facilities to patients and health organisations. This includes the use of smart 'things' as medical sensors attached to patients to deliver real-time data. However, the security of patient data is an ever-present concern in the healthcare arena. In the wider deployment of IoT-enabled smart healthcare systems one particular issue is the need to protect smart 'things' from unauthorised access. Commonly used access control approaches e.g. Attribute Based Access Control (ABAC), Role Based Access Control (RBAC) and capability based access control do not, in isolation, provide a complete solution for securing access to IoT-enabled smart healthcare devices. They may, for example, require an overly-centralised solution or an unmanageably large policy base. To address these issues we propose a novel access control architecture which improves policy management by reducing the required number of authentication policies in a large-scale healthcare system while providing fine-grained access control. We devise a hybrid access control model employing attributes, roles and capabilities. We apply attributes for role-membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterised based on further attributes of the user and are then used to access specific services provided by IoT 'things'. We also provide a formal specification of the model and a description of its implementation and demonstrate its application through different use-case scenarios. Evaluation results of core functionality of our architecture are provided.

Proceedings Article • DOI: 10.1109/IEEE.ICCC.2017.12
An Automation Method of SLA Contract of Web APIs and Its Platform Based on Blockchain Concept
Hiroki Nakashima, Mikio Aoyama (both Nanzan University)
25 Jun 2017
TL;DR: The authors propose a formal specification description of Web APIs together with their associated SLA specifications based on RDF, and an SLA contract method based on a common SLA contract platform built on the blockchain; a prototype demonstrates the feasibility of the proposed Web API SLA contract method and its supporting platform.
Abstract: As the number of Web APIs is rapidly increasing, it is an urgent issue to discover qualified Web APIs and provide value-added services by orchestrating them. However, most of the interface descriptions of Web APIs are informal, and the Web API SLA contracts, which are a key to quality of services orchestration, require manual operations at the consumers. Meanwhile, applying the blockchain, the distributed ledger technology, to various domains beyond Fintech is attracting attention because of its fault-tolerant and anti-tampering properties. However, it isn't applied to Web API SLA contracts, yet. In this article, the authors propose a formal specification description of Web APIs together with its associated SLA specifications based on RDF, and an SLA contract method based on the common SLA contract platform built on the blockchain. We implemented the prototype of the SLA contract platform, and applied it to the examples for demonstrating its feasibility. Those experiences prove the feasibility of the proposed Web API SLA contract method and its supporting platform.

Book Chapter • DOI: 10.1007/978-3-319-64021-1_3
Overview of Formal Methods
Gerard O’Regan
1 Jan 2017
TL;DR: This chapter discusses formal methods, which consist of a set of mathematical techniques that provide an extra level of confidence in the correctness of the software.
Abstract: This chapter discusses formal methods, which consist of a set of mathematical techniques that provide an extra level of confidence in the correctness of the software. They consist of a formal specification language and employ a collection of tools to support the syntax checking of the specification, as well as the proof of properties of the specification. They allow questions to be asked about what the system does independently of the implementation, and they may be employed to formally state the requirements of the proposed system, and to derive a program from its mathematical specification. They may be used to provide a rigorous proof that the implemented program satisfies its specification, and they have been applied mainly to the safety critical field.

Journal Article • DOI: 10.1145/3133912
Who Guards the Guards? Formal Validation of the Arm v8-M Architecture Specification
Alastair Reid
12 Oct 2017
TL;DR: This paper solves three challenges to create a secondary, higher-level specification that can be effectively reviewed by processor designers who are not experts in formal verification, and applies the approach to ARM's v8-M Processor Specification to establish the security guarantees the architecture is intended to provide.
Abstract: Software and hardware are increasingly being formally verified against specifications, but how can we verify the specifications themselves? This paper explores what it means to formally verify a specification. We solve three challenges: (1) How to create a secondary, higher-level specification that can be effectively reviewed by processor designers who are not experts in formal verification; (2) How to avoid common-mode failures between the specifications; and (3) How to automatically verify the two specifications against each other. One of the most important specifications for software verification is the processor specification since it defines the behaviour of machine code and of hardware protection features used by operating systems. We demonstrate our approach on ARM's v8-M Processor Specification, which is intended to improve the security of Internet of Things devices. Thus, we focus on establishing the security guarantees the architecture is intended to provide. Despite the fact that the ARM v8-M specification had previously been extensively tested, we found twelve bugs (including two security bugs) that have all been fixed by ARM.

Journal Article • DOI: 10.1007/S10009-016-0440-3
Automation and intelligent scheduling of distributed system functional testing
Lom Messan Hillah (University of Paris), Ariele-Paolo Maesano (University of Paris), Fabio De Rosa, Fabrice Kordon (University of Paris), Pierre-Henri Wuillemin (University of Paris), R. Fontanelli, Sergio Di Bona, Davide Guerri, Libero Maesano
01 Jun 2017 - International Journal on Software Tools for Technology Transfer
TL;DR: The algorithms and techniques adopted for addressing input and oracle generation, dynamic scheduling, and session planning issues supporting service functional test automation are illustrated, and a planned evolution of the technology deals with the testing and troubleshooting of distributed systems that integrate connected objects.
Abstract: This paper presents the approach to functional test automation of services (black-box testing) and service architectures (grey-box testing) that has been developed within the MIDAS project and is accessible on the MIDAS SaaS. In particular, the algorithms and techniques adopted for addressing input and oracle generation, dynamic scheduling, and session planning issues supporting service functional test automation are illustrated. More specifically, the paper details: (i) the test input generation based on formal methods and temporal logic specifications, (ii) the test oracle generation based on service formal specifications, (iii) the dynamic scheduling of test cases based on probabilistic graphical reasoning, and (iv) the reactive, evidence-based planning of test sessions with on-the-fly generation of new test cases. Finally, the utilisation of the MIDAS prototype for the functional test of operational services and service architectures in the healthcare industry is reported and assessed. A planned evolution of the technology deals with the testing and troubleshooting of distributed systems that integrate connected objects.
Proceedings Article•10.1109/MODELS.2017.29•
Component and connector views in practice: an experience report

[...]

Vincent Bertram, Shahar Maoz1, Jan Oliver Ringert1, Bernhard Rumpe2, Michael von Wenckstern2 •
Tel Aviv University1, RWTH Aachen University2
17 Sep 2017
TL;DR: This paper reports on the recent experience in applying C&C views in industrial practice, and describes a list of lessons learned, including, e.g., a missing abstraction concept in C&C models and C&C views that is identified and added to the views language and tool.
Abstract: Component and Connector (C&C) view specifications, with corresponding verification and synthesis techniques, have been recently suggested as a means for formal yet intuitive structural specification of C&C models. In this paper we report on our recent experience in applying C&C views in industrial practice, where we aimed to answer questions such as: could C&C views be practically used in industry, what are challenges of systems engineers that the use of C&C views could address, and what are some of the technical obstacles in bringing C&C views to the hands of systems engineers. We describe our experience in detail and discuss a list of lessons we have learned, including, e.g., a missing abstraction concept in C&C models and C&C views that we have identified and added to the views language and tool, that engineers can create graphical C&C views quite easily, and how verification algorithms scale on real-size industry models. Furthermore, we report on the non-negligible technical effort needed to translate Simulink block diagrams to C&C models. We make all materials mentioned and used in our experience electronically available for inspection and further research.
Journal Article•10.1109/TAC.2018.2814631•
Formal Synthesis of Control Strategies for Positive Monotone Systems

[...]

Sadra Sadraddini1, Calin Belta1•
Boston University1
27 Feb 2017-arXiv: Systems and Control
TL;DR: In this paper, a mixed-integer linear program (MILP) is formulated to design controllers from formal specifications for positive discrete-time monotone systems that are subject to bounded disturbances.
Abstract: We design controllers from formal specifications for positive discrete-time monotone systems that are subject to bounded disturbances. Such systems are widely used to model the dynamics of transportation and biological networks. The specifications are described using signal temporal logic (STL), which can express a broad range of temporal properties. We formulate the problem as a mixed-integer linear program (MILP) and show that under the assumptions made in this paper, which are not restrictive for traffic applications, the existence of open-loop control policies is sufficient and almost necessary to ensure the satisfaction of STL formulas. We establish a relation between satisfaction of STL formulas in infinite time and set-invariance theories and provide an efficient method to compute robust control invariant sets in high dimensions. We also develop a robust model predictive framework to plan controls optimally while ensuring the satisfaction of the specification. Illustrative examples and a traffic management case study are included.
Journal Article•10.1007/S10270-016-0514-4•
Refinement-based Validation of Event-B Specifications

[...]

Atif Mashkoor, Faqing Yang, Jean-Pierre Jacquot
01 Jul 2017-Software and Systems Modeling
TL;DR: The main contribution is the formal definition of the notion of fidelity, that guarantees that all the observable behaviors of the executable models are indeed specified by the original (non-deterministic) models.
Abstract: The validation of formal specifications is a challenging task. It is one of the factors that impede the penetration of formal methods into the common practices of software development. This paper discusses the issue of validating formal models by executing them in the context of Event-B. The most important problem lies in the non-determinism which often prevents purely automatic tools to execute models. In this paper, we first present and discuss the techniques we have created to allow the execution of models at all levels of abstraction. These techniques rely on users to overcome the barriers resulting from non-deterministic features by either modifying the model or providing ad hoc implementations. Then, we present our main contribution, the formal definition of the notion of fidelity, that guarantees that all the observable behaviors of the executable models are indeed specified by the original (non-deterministic) models. The notion of fidelity can be expressed in terms of proof obligations.
Proceedings Article•10.1109/MODELS.2017.23•
Revisiting visitors for modular extension of executable DSMLs

[...]

Manuel Leduc1, Thomas Degueule, Benoit Combemale1, Tijs van der Storm, Olivier Barais1 •
University of Rennes1
17 Sep 2017
TL;DR: This paper proposes a new language implementation pattern, named Revisitor, that enables independent extensibility of the syntax and semantics of metamodel-based xDSMLs with incremental compilation and without anticipation, and demonstrates that it is directly and broadly applicable in various modeling environments.
Abstract: Executable Domain-Specific Modeling Languages (xDSMLs) are typically defined by metamodels that specify their abstract syntax, and model interpreters or compilers that define their execution semantics. To face the proliferation of xDSMLs in many domains, it is important to provide language engineering facilities for opportunistic reuse, extension, and customization of existing xDSMLs to ease the definition of new ones. Current approaches to language reuse either require to anticipate reuse, make use of advanced features that are not widely available in programming languages, or are not directly applicable to metamodel-based xDSMLs. In this paper, we propose a new language implementation pattern, named Revisitor, that enables independent extensibility of the syntax and semantics of metamodel-based xDSMLs with incremental compilation and without anticipation. We seamlessly implement our approach alongside the compilation chain of the Eclipse Modeling Framework, thereby demonstrating that it is directly and broadly applicable in various modeling environments. We show how it can be employed to incrementally extend both the syntax and semantics of the fUML language without requiring anticipation or re-compilation of existing code, and with acceptable performance penalty compared to classical handmade visitors.
Journal Article•10.1109/JSYST.2015.2416131•
A Reversible Watermarking Technique for Social Network Data Sets for Enabling Data Trust in Cyber, Physical, and Social Computing

[...]

Saman Iftikhar1, Muhammad Kamran2, Ehsan Ullah Munir2, Samee U. Khan3•
Government College University, Faisalabad1, COMSATS Institute of Information Technology2, North Dakota State University3
01 Mar 2017-IEEE Systems Journal
TL;DR: Z notation-based formal specification is provided to show the working of the proposed reversible watermarking technique for social network data sets for enabling data trust in Cyber, Physical, and Social Computing (CPSCom).
Abstract: Social network data are being mined for extracting interesting patterns. Such data are collected by different researchers and organizations and are usually also shared via different channels. These data usually have huge volume because there are millions of social network users throughout the world. In this context, ownership protection of such data sets with huge volume becomes relevant. Digital watermarking is a more demanding solution than any other technique for ensuring rights protection and integrity of the original data sets. The objective of this paper is to devise a reversible watermarking technique for the social network data to prove ownership rights and also provide a mechanism for data recovery. Robustness of the proposed technique is evaluated through attack analysis using experimental study. In this paper, Z notation-based formal specification is also provided to show the working of the proposed reversible watermarking technique for social network data sets for enabling data trust in Cyber, Physical, and Social Computing (CPSCom).
Journal Article•10.1007/S10009-016-0431-4•
The landing gear case study: challenges and experiments

[...]

Frédéric Boniol, Virginie Wiels, Yamine Ait-Ameur1, Klaus-Dieter Schewe•
ENSEEIHT1
01 Apr 2017-International Journal on Software Tools for Technology Transfer
TL;DR: Dagstuhl seminar 9523 in 1995 was about the famous Steam Boiler case study, which allowed the assessment of formal techniques, the comparison of different formal techniques, and the identification of areas for future work.
Abstract: Embedded critical systems need to be validated very thoroughly; it usually results in very long and onerous test phases. Formal techniques, in particular formal specification languages and associated proof tools, could be an advantageous alternative, or at least a good complement and allow a significant reduction of test phases. However, for these techniques to be used in practice, one issue to consider is their efficiency and scalability on complex industrial systems. Case studies have played an essential role in the history of formal methods. They have allowed to illustrate the application of formal techniques for modelling and verification, to compare different methods in terms of expressivity, performance and easiness of use. They have also permitted to enact the progress made by these methods. Dagstuhl seminar 9523 in 1995, about the famous Steam Boiler case study, had a lot of impact on the formal methods community. This case study allowed the assessment of formal techniques, the comparison of different formal techniques, and the identification of areas for future work.
Proceedings Article•
Towards Formal-based Semantic Interoperability in Multi-Clouds

[...]

Stéphanie Challita1, Fawaz Paraiso1, Philippe Merle1•
Lille University of Science and Technology1
25 Jun 2017
TL;DR: In this article, a formal-based framework for semantic interoperability in multi-clouds is proposed, which contains a catalogue of formal models that mathematically describe cloud APIs and reason over them.
Abstract: Multi-cloud computing has been proposed as a way to reduce vendor lock-in, to improve resiliency during outages and geo-presence, to boost performance and to lower costs. However, semantic differences between cloud providers, as well as their heterogeneous management interfaces, make changing from one provider to another very complex and costly. This is quite challenging for the implementation of multi-cloud systems. In this paper, we aim to take advantage of formal methods to define a precise semantics for multi-clouds. We propose fclouds, a formal-based framework for semantic interoperability in multi-clouds. This framework contains a catalogue of formal models that mathematically describe cloud APIs and reason over them. A precise alignment can be described between their concepts, which promotes semantic interoperability.
Proceedings Article•10.1145/3137003.3137005•
Runtime Monitoring of Safety and Performance Requirements in Smart Cities

[...]

Meiyi Ma1, John A. Stankovic1, Lu Feng1•
University of Virginia1
5 Nov 2017
TL;DR: In this article, the authors propose a framework for monitoring the operation of smart cities and services at runtime using Signal Temporal Logic (STL) and a case study based on a smart city simulator, in which actions and their predicted effects on city states are converted into signal traces over time and monitored continuously using formal specifications.
Abstract: With the increasing number of smart services implemented in smart cities, it is important yet challenging to dynamically detect service conflicts with respect to safety and performance requirements. In this paper, we propose a framework for monitoring the operation of smart cities and services at runtime. We formalize a set of typical safety and performance requirements from different domains in smart cities (e.g., transportation, emergency, and environment) using Signal Temporal Logic. We present a case study based on a smart city simulator, in which actions of smart services and their predicted effects on city states are converted into signal traces over time and monitored continuously using formal specifications. The experimental results demonstrate the feasibility of using runtime monitoring to detect various conflicts of smart services.
Journal Article•10.1007/S11704-016-4226-2•
A survey on formal specification and verification of separation kernels

[...]

Yongwang Zhao1, Zhibin Yang, Dianfu Ma1•
Beihang University1
01 Aug 2017-Frontiers of Computer Science
TL;DR: An overview of formal specification and verification of separation kernels is presented and the state of the art on this topic since 2000 is surveyed.
Abstract: Separation kernels are fundamental software of safety and security-critical systems, which provide their hosted applications with spatial and temporal separation as well as controlled information flows among partitions. The application of separation kernels in critical domain demands the correctness of the kernel by formal verification. To the best of our knowledge, there is no survey paper on this topic. This paper presents an overview of formal specification and verification of separation kernels. We first present the background including the concept of separation kernel and the comparisons among different kernels. Then, we survey the state of the art on this topic since 2000. Finally, we summarize research work by detailed comparison and discussion.
Proceedings Article•10.2514/6.2017-0419•
Towards Intelligent System Health Management using Runtime Monitoring

[...]

Christoph Torens1, Florian-Michael Adolf1, Peter Faymonville2, Sebastian Schirmer2•
German Aerospace Center1, Saarland University2
9 Jan 2017
TL;DR: This work presents a formal approach for log-analysis and monitoring for the DLR ARTIS framework using the stream-based specification language LOLA, currently developed at Saarland University, for the runtime monitoring of formal specifications.
Abstract: System health management is an important feature of autonomy, enhancing consistency checks, overall system robustness and even some degree of self-awareness. Seemingly unrelated, debugging and analysis of such complex systems is another challenge during development that should not be underrated. We propose that the so-called runtime monitoring of relevant properties and system requirements is a viable technique to support both aforementioned concepts. A suitable monitoring approach for a cyber-physical system has to be efficient and capable of supervising various specifications, possibly relating different data sources and data history. We present a formal approach for log-analysis and monitoring for the DLR ARTIS framework using the stream-based specification language LOLA, currently developed at Saarland University, for the runtime monitoring of formal specifications. We have evaluated this approach by specifying relevant properties as LOLA stream equations. While we have identified a number of possible improvements in the specification language, we have demonstrated, even with the current language, that online and offline monitoring of relevant properties is indeed possible and gives engineers a powerful tool for debugging as well as implementing health management concepts.