
Publication


Featured research published by Achim D. Brucker.


Fundamental Approaches to Software Engineering | 2008

HOL-OCL: a formal proof environment for UML/OCL

Achim D. Brucker; Burkhart Wolff

We present the theorem proving environment HOL-OCL that is integrated in a Model-driven Engineering (MDE) framework. HOL-OCL allows reasoning over UML class models annotated with OCL specifications. Thus, HOL-OCL strengthens a crucial part of the UML to an object-oriented formal method. HOL-OCL provides several derived proof calculi that allow for formal derivations establishing the validity of UML/OCL formulae. These formulae arise naturally when checking the consistency of class models, when formally refining abstract models to more concrete ones or when discharging side-conditions from model-transformations.


Symposium on Access Control Models and Technologies | 2012

SecureBPMN: modeling and enforcing access control requirements in business processes

Achim D. Brucker; Isabelle Hang; Gero Lückemeyer; Raj Ruparel

Modern enterprise systems have to comply with regulations such as Basel III, resulting in complex security requirements. These requirements need to be modeled at design-time and enforced at runtime. Moreover, modern enterprise systems are often business-process driven, i.e., the system behavior is described as high-level business processes that are executed by a business process execution engine. Consequently, there is a need for an integrated and tool-supported methodology that allows for specifying and enforcing compliance and security requirements for business process-driven enterprise systems. In this paper, we present a tool chain supporting both the design-time modeling as well as the run-time enforcement of security requirements for business process-driven systems.


Theorem Proving in Higher Order Logics | 2002

A Proposal for a Formal OCL Semantics in Isabelle/HOL

Achim D. Brucker; Burkhart Wolff

We present a formal semantics as a conservative shallow embedding of the Object Constraint Language (OCL). OCL is currently under development within an open standardization process within the OMG; our work is an attempt to accompany this process by a proposal solving open questions in a consistent way and exploring alternatives of the language design. Moreover, our encoding gives the foundation for tool supported reasoning over OCL specifications, for example as basis for test case generation.


Formal Aspects of Computing | 2013

On theorem prover-based testing

Achim D. Brucker; Burkhart Wolff

HOL-TestGen is a specification and test case generation environment extending the interactive theorem prover Isabelle/HOL. As such, HOL-TestGen allows for an integrated workflow supporting interactive theorem proving, test case generation, and test data generation. The HOL-TestGen method is two-staged: first, the original formula is partitioned into test cases by transformation into a normal form called test theorem. Second, the test cases are analyzed for ground instances (the test data) satisfying the constraints of the test cases. Particular emphasis is put on the control of explicit test-hypotheses which can be proven over concrete programs. Due to the generality of the underlying framework, our system can be used for black-box unit, sequence, reactive sequence and white-box test scenarios. Although based on particularly clean theoretical foundations, the system can be applied for substantial case-studies.


FATES'04 Proceedings of the 4th international conference on Formal Approaches to Software Testing | 2004

Symbolic test case generation for primitive recursive functions

Achim D. Brucker; Burkhart Wolff

We present a method for the automatic generation of test cases for HOL formulae containing primitive recursive predicates. These test cases can be used for the animation of specifications as well as for black-box testing of external programs. Our method is two-staged: first, the original formula is partitioned into test cases by transformation into a Horn-clause normal form (HCNF). Second, the test cases are analyzed for instances with constant terms satisfying the premises of the clauses. Particular emphasis is put on the control of test hypotheses and test hierarchies to avoid intractability. We applied our method to several examples, including AVL-trees and the red-black tree implementation in the standard library from SML/NJ.


Symposium on Access Control Models and Technologies | 2011

An approach to modular and testable security models of real-world health-care applications

Achim D. Brucker; Lukas Brügger; Paul Kearney; Burkhart Wolff

We present a generic modular policy modelling framework and instantiate it with a substantial case study for model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the NHS in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features. We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationships. The model is given in Higher-order Logic (HOL) and processed together with suitable test specifications in the TestGen system, that generates test sequences according to them. Particular emphasis is put on the modular description of security policies and their generic combination and its consequences for model-based testing.


Model Driven Engineering Languages and Systems | 2010

A specification-based test case generation method for UML/OCL

Achim D. Brucker; Matthias P. Krieger; Delphine Longuet; Burkhart Wolff

Automated test data generation is an important method for the verification and validation of UML/OCL specifications. In this paper, we present an extension of DNF-based test case generation methods to class models and recursive query operations on them. A key feature of our approach is an implicit representation of object graphs avoiding a representation based on object-ids; thus, our approach avoids the generation of isomorphic object graphs by using a concise and still human-readable symbolic representation.


TestCom '08 / FATES '08 Proceedings of the 20th IFIP TC 6/WG 6.1 international conference on Testing of Software and Communicating Systems: 8th International Workshop | 2008

Model-Based Firewall Conformance Testing

Achim D. Brucker; Lukas Brügger; Burkhart Wolff

Firewalls are a cornerstone of today's security infrastructure for networks. Their configuration, implementing a firewall policy, is inherently complex, hard to understand, and difficult to validate. We present a substantial case study performed with the model-based testing tool TestGen. Based on a formal model of firewalls and their policies in higher-order logic (HOL), we first present a derived theory for simplifying policies. We discuss different test plans for test specifications. Finally, we show how to integrate these issues to a domain-specific firewall testing tool HOL-TestGen/fw.


Tests and Proofs | 2007

Test-sequence generation with HOL-TestGen with an application to firewall testing

Achim D. Brucker; Burkhart Wolff

HOL-TESTGEN is a specification and test case generation environment extending the interactive theorem prover Isabelle/HOL. Its method is two-staged: first, the original formula is partitioned into test cases by transformation into a normal form called test theorem. Second, the test cases are analyzed for ground instances (the test data) satisfying the constraints of the test cases. Particular emphasis is put on the control of explicit test hypotheses which can be proven over concrete programs. Although originally designed for black-box unit-tests, HOL-TESTGEN's underlying logic and deduction engine is powerful enough to be used in test-sequence generation, too. We develop the theory for test-sequence generation with HOL-TESTGEN and describe its use in a substantial case-study in the field of computer security, namely the black-box test of configured firewalls.


Model Driven Engineering Languages and Systems | 2006

A model transformation semantics and analysis methodology for SecureUML

Achim D. Brucker; Jürgen Doser; Burkhart Wolff

SecureUML is a security modeling language for formalizing access control requirements in a declarative way. It is equipped with a UML notation in terms of a UML profile, and can be combined with arbitrary design modeling languages. We present a semantics for SecureUML in terms of a model transformation to standard UML/OCL. The transformation scheme is used as part of an implementation of a tool chain ranging from front-end visual modeling tools over code-generators to the interactive theorem proving environment HOL-OCL. The methodological consequences for an analysis of the generated OCL formulae are discussed.

Collaboration

Top Co-Authors

Qi Shi
Liverpool John Moores University

Eric Bodden
University of Paderborn