Formal Techniques for Safety-Critical Systems

The overall specification of a cyber-physical system can be given in terms of the desired behaviour of its physical components operating within the real world. The specification of its control software can then be derived from the overall specification and the properties of the real-world phenomena, including their relationship to the computer system’s sensors and actuators. The control software specification then becomes a combination of the guarantee it makes about the system behaviour and the real-world assumptions it relies upon. Such specifications can easily become complicated because the complete system description deals with properties of phenomena at widely different time granularities, as well as handling faults. To help manage this complexity, we consider layering the specification within multiple time bands, with the specification of each time band consisting of both the rely and guarantee conditions for that band, both given in terms of the phenomena of that band. The overall specification is then the combination of the multiple rely-guarantee pairs. Multiple rely-guarantee pairs can also be used to handle faults.

Rely-Guarantee Specifications. Earlier research with Michael Jackson and Cliff Jones [3,4] looked at specifying a real-time control system in terms of assumptions about the behaviour of the system’s environment – a rely condition – and the behaviour to be ensured by the system – a guarantee condition – provided its environment continues to satisfy the rely condition. Often the specification of the system’s desired behaviour is best described in terms of the behaviour of physical objects in the real world that are to be controlled by the computer system, in which case rely conditions are needed to link the real-world phenomena (which may not be directly accessible to the computer) to the computer’s view of the world, i.e. the computer’s sensors and actuators.

Multiple Rely-Guarantee Pairs. Our earlier work [4] allowed a specification to be structured into multiple rely-guarantee pairs, where each guarantee is paired with a rely condition expressing the assumptions about the behaviour of the environment needed to be able to achieve that guarantee. This allows one to give separate specifications of different aspects of the behaviour of a system. It also allows one to separate the specification of “normal” behaviour of the system

C. Artho and P.C. Ölveczky (Eds.): FTSCS 2013, CCIS 419, pp. 1–2, 2014.
DOI: 10.1007/978-3-319-05416-2_1, © Springer International Publishing Switzerland 2014
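As an added example (not from the paper, and not the authors' own formalization), the following Python trace checker shows what a specification made up of several rely-guarantee pairs, layered by time band, looks like when it is checked against recorded behaviour; it serves both the time-band layering and the fault-handling passages above. Everything in it is an assumption made for the example: a hypothetical tank-level controller with constructed constants (TOL, HIGH, LIMIT, MAX_INFLOW, K), a fine band of sensor and valve samples, a coarse band derived from it that carries only the plant-level phenomena (peak level, total inflow), a normal-operation pair that relies on the sensor tracking the true level, and a fault-handling pair whose rely is trivially true and whose guarantee is a fail-safe valve position once the sensor reports itself failed. Each pair is evaluated on the trace of its own band; a pair whose rely the environment breaks imposes no obligation, which is how the checker records a sensor fault.

```python
"""Checker for a specification given as multiple rely-guarantee pairs layered
by time band.  Constructed example: the controller, constants and traces are
hypothetical and are not taken from the paper."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

State = Dict[str, float]
Trace = Sequence[State]
Pred = Callable[[Trace], bool]          # predicate over the trace of one band

# Assumed plant constants: sensor tolerance, the reading at which the drain
# valve must open, the level the plant must never reach, the inflow the coarse
# band assumes per coarse step, and the number of fine samples per coarse step.
TOL, HIGH, LIMIT, MAX_INFLOW = 0.5, 8.0, 10.0, 4.0
K = 10

@dataclass(frozen=True)
class RelyGuarantee:
    name: str
    band: str        # "fine" (sampling period) or "coarse" (plant dynamics)
    rely: Pred       # assumption on the environment, in that band's phenomena
    guarantee: Pred  # behaviour owed while the rely holds, in the same phenomena

def check_spec(spec: Sequence[RelyGuarantee], traces: Dict[str, Trace]) -> Dict[str, str]:
    """Evaluate every pair on the trace of its own band.  A broken rely imposes
    no obligation ("vacuous"); otherwise the guarantee must hold ("ok")."""
    verdict = {}
    for rg in spec:
        trace = traces[rg.band]
        if not rg.rely(trace):
            verdict[rg.name] = "vacuous"
        else:
            verdict[rg.name] = "ok" if rg.guarantee(trace) else "violated"
    return verdict

def coarsen(fine: Trace, k: int = K) -> List[State]:
    """Derive the coarse-band trace: one state per k fine samples, carrying only
    the phenomena meaningful at that granularity.  A trailing partial window is dropped."""
    coarse = []
    for i in range(0, len(fine) - k + 1, k):
        window = fine[i:i + k]
        coarse.append({"level": max(s["level"] for s in window),
                       "inflow": sum(s["inflow"] for s in window)})
    return coarse

# Fine-band conditions.  The normal pair relies on a healthy sensor within
# tolerance; the fault pair relies on nothing about the sensor at all.
def sensor_link_rely(t: Trace) -> bool:
    return all(s["sensor_ok"] and abs(s["sensor"] - s["level"]) <= TOL for s in t)

def sensor_link_guarantee(t: Trace) -> bool:
    # control law with a one-sample lag: the valve follows the previous reading
    return all(t[i]["valve"] == (1 if t[i - 1]["sensor"] >= HIGH else 0)
               for i in range(1, len(t)))

def fail_safe_guarantee(t: Trace) -> bool:
    # once the sensor reports itself failed, the valve is open by the next sample
    return all(t[i]["valve"] == 1 for i in range(1, len(t)) if not t[i - 1]["sensor_ok"])

SPEC = [
    RelyGuarantee("sensor_link", "fine", sensor_link_rely, sensor_link_guarantee),
    RelyGuarantee("fail_safe", "fine", lambda t: True, fail_safe_guarantee),
    RelyGuarantee("level_bound", "coarse",
                  lambda t: all(s["inflow"] <= MAX_INFLOW for s in t),
                  lambda t: all(s["level"] <= LIMIT for s in t)),
]

Row = Tuple[float, float, int, float, int]   # (level, sensor, sensor_ok, inflow, valve)

def fine_trace(rows: Sequence[Row]) -> List[State]:
    keys = ("level", "sensor", "sensor_ok", "inflow", "valve")
    return [dict(zip(keys, r)) for r in rows]

def evaluate(rows: Sequence[Row]) -> Dict[str, str]:
    fine = fine_trace(rows)
    return check_spec(SPEC, {"fine": fine, "coarse": coarsen(fine)})

# Constructed traces, one fine sample per row.
NORMAL = [(7.0, 7.1, 1, 0.3, 0), (7.4, 7.3, 1, 0.3, 0), (7.8, 7.9, 1, 0.3, 0),
          (8.2, 8.1, 1, 0.3, 0), (8.5, 8.6, 1, 0.3, 1), (8.1, 8.0, 1, 0.3, 1),
          (7.7, 7.6, 1, 0.3, 1), (7.3, 7.2, 1, 0.3, 0), (7.6, 7.7, 1, 0.3, 0),
          (7.9, 7.8, 1, 0.3, 0)]
# The sensor dies at sample 3; the controller opens the valve from sample 4 on.
FAULT = NORMAL[:3] + [(8.2, 0.0, 0, 0.3, 0), (8.5, 0.0, 0, 0.3, 1), (8.1, 0.0, 0, 0.3, 1),
                      (7.7, 0.0, 0, 0.3, 1), (7.3, 0.0, 0, 0.3, 1), (6.9, 0.0, 0, 0.3, 1),
                      (6.5, 0.0, 0, 0.3, 1)]
# Same fault, but the controller shuts the valve again at sample 6.
FAULT_BAD = FAULT[:6] + [(7.7, 0.0, 0, 0.3, 0)] + FAULT[7:]

if __name__ == "__main__":
    for label, rows in (("normal", NORMAL), ("fault", FAULT), ("fault_bad", FAULT_BAD)):
        print(label, evaluate(rows))
```

The three constructed traces produce the three outcomes a practitioner cares about: normal operation meets every guarantee; a sensor fault voids the normal pair's obligation while the fault pair still holds; and a controller that shuts the valve again after the fault violates the fault pair. The coarse-band pair is evaluated only on the derived trace, so it never has to mention individual samples, which is the point of stating each band's rely and guarantee in that band's own phenomena.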

[1] Torbjörn Ekman et al. Pluggable checking and inferencing of nonnull types for Java, 2007, J. Object Technol.

[2] K. Rustan M. Leino et al. Loop Invariants on Demand, 2005, APLAS.

[3] Jun Pang et al. Protecting query privacy in location-based services, 2013, GeoInformatica.

[4] Paul F. Syverson et al. Hiding Routing Information, 1996, Information Hiding.

[5] Joshua D. Guttman et al. Strand spaces: why is a security protocol correct?, 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[6] Atsushi Igarashi et al. Union types for object-oriented programming, 2006, SAC.

[7] Lu Yan et al. Towards an integrated architecture for peer-to-peer and ad hoc overlay network applications, 2004, Proceedings. 10th IEEE International Workshop on Future Trends of Distributed Computing Systems, 2004. FTDCS 2004.

[8] Jorge Sousa Pinto et al. Verification conditions for source-level imperative programs, 2011, Comput. Sci. Rev.

[9] Vitaly Shmatikov et al. Information Hiding, Anonymity and Privacy: a Modular Approach, 2004, J. Comput. Secur.

[10] Patrice Chalin et al. Non-null References by Default in Java: Alleviating the Nullity Annotation Burden, 2007, ECOOP.

[11] Claude Marché et al. The Why/Krakatoa/Caduceus Platform for Deductive Program Verification, 2007, CAV.

[12] Yongjian Li et al. An inductive approach to strand spaces, 2011, Formal Aspects of Computing.

[13] Jun Pang et al. Formal Analysis of Privacy in an eHealth Protocol, 2012, ESORICS.

[14] K. Rustan M. Leino et al. Weakest-precondition of unstructured programs, 2005, PASTE '05.

[15] Jun Pang et al. A formal framework for quantifying voter-controlled privacy, 2009, J. Algorithms.

[16] Tom Chothia et al. Analysing the MUTE Anonymous File-Sharing System Using the Pi-Calculus, 2006, FORTE.

[17] Bart Jacobs et al. Weakest pre-condition reasoning for Java programs with JML annotations, 2004, J. Log. Algebraic Methods Program.

[18] Steve A. Schneider et al. CSP and Anonymity, 1996, ESORICS.

[19] Nick Mathewson et al. Tor: The Second-Generation Onion Router, 2004, USENIX Security Symposium.

[20] Mark Ryan et al. Analysing Unlinkability and Anonymity Using the Applied Pi Calculus, 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[21] Wolter Pieters et al. Provable anonymity, 2005, FMSE '05.

[22] Todd D. Millstein et al. Generating error traces from verification-condition counterexamples, 2005, Sci. Comput. Program.

[23] Ken Mano et al. Theorem-proving anonymity of infinite-state systems, 2007, Inf. Process. Lett.

[24] David Brumley et al. Efficient Directionless Weakest Preconditions, 2011.

[25] Benjamin C. Pierce et al. Types and programming languages: the next generation, 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings.

[26] Laurent Hubert. A non-null annotation inferencer for Java bytecode, 2008, PASTE '08.

[27] Yongjian Li et al. An Inductive Approach to Provable Anonymity, 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[28] Nikolaj Bjørner et al. Z3: An Efficient SMT Solver, 2008, TACAS.

[29] Laurie J. Hendren et al. Staged Static Techniques to Efficiently Implement Array Copy Semantics in a MATLAB JIT Compiler, 2011, CC.

[30] F. Javier Thayer Fábrega et al. Strand spaces: proving security protocols correct, 1999.

[31] David Detlefs et al. Simplify: a theorem prover for program checking, 2005, JACM.

[32] Catuscia Palamidessi et al. Probabilistic Anonymity, 2005, CONCUR.

[33] Jean-Louis Lanet et al. Java Applet Correctness: A Developer-Oriented Approach, 2003, FME.

[34] Bertrand Meyer et al. Inferring Loop Invariants Using Postconditions, 2010, Fields of Logic and Computation.

[35] Simona Orzan et al. A Framework for Automatically Checking Anonymity with mu CRL, 2006, TGC.

[36] Alex Potanin et al. Java Bytecode Verification for @NonNull Types, 2008, CC.

[37] Joseph Y. Halpern et al. Anonymity and information hiding in multiagent systems, 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings.

[38] Vitaly Shmatikov et al. Probabilistic Model Checking of an Anonymity System, 2004.

[39] Jun Pang et al. Measuring query privacy in location-based services, 2012, CODASPY '12.

[40] Paul F. Syverson et al. Anonymous connections and onion routing, 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[41] Jun Pang et al. Weak Probabilistic Anonymity, 2007, SecCO@CONCUR.

[42] K. Rustan M. Leino et al. Declaring and checking non-null types in an object-oriented language, 2003, OOPSLA 2003.

[43] Mark Ryan et al. Verifying privacy-type properties of electronic voting protocols, 2009, J. Comput. Secur.

[44] Manu Sridharan et al. Snugglebug: a powerful approach to weakest preconditions, 2009, PLDI '09.

[45] Jun Pang et al. Analyzing an Electronic Cash Protocol Using Applied Pi Calculus, 2007, ACNS.

[46] Tobias Nipkow et al. Isabelle/HOL, 2002, Lecture Notes in Computer Science.

[47] Michael J. C. Gordon et al. Forward with Hoare, 2010, Reflections on the Work of C. A. R. Hoare.

[48] Ritu Chadha et al. On the Mechanical Derivation of Loop Invariants, 1993, J. Symb. Comput.

[49] Danny Dolev et al. On the security of public key protocols, 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).