Retrenching the Purse: Hashing Injective CLEAR Codes, and Security Properties

The Mondex Electronic Purse is an outstanding example of industrial scale formal refinement, and was the first verification to achieve ITSEC level E6 certification. A formal abstract model and a formal concrete model were developed, and a formal refinement was hand-proved between them. Nevertheless, certain requirements issues were set beyond the scope of the formal development, or handled in an unnatural manner. The retrenchment tower pattern is used to address one such issue in detail: the use of a hash function rather than a total injective function when clearing the highly constrained purse logs. A retrenchment is constructed from the lowest level model to a model using a hash, and is then lifted to create two refinement developments, working at different levels of detail, and connected via retrenchments. The tower development is appropriately validated, vindicating the design used.
