Heiko Krumm

A framework for modeling transfer protocols

The notion of specification frameworks transposes the framework approach from software development to the level of formal modeling and analysis. A specification framework is devoted to a special application domain. It supplies reusable specification modules and guides the construction of specifications. Moreover, it provides theorems to be used as building blocks of verifications. By means of a suitable framework, specification and verification tasks can be reduced to the selection, parametrization and combination of framework elements resulting in a substantial support which opens formal analysis even for real-sized problems. The transfer protocol framework addressed here is devoted to the design of data transfer protocols. Specifications of used and provided communication services as well as protocol specifications can be composed from its specification modules. The theorems correspond to the relations between protocol mechanism combinations and those properties of the provided service which are implemented by them. This article centers on the application of this framework which is discussed with the help of the specification of a sliding window protocol. Moreover the structure of its verification is described. The specification and verification technique applied is based on L. Lamport’s temporal logic of actions (TLA). We use the variant cTLA which particularly supports the modeling of process systems. ” 2000 Elsevier Science B.V. All rights reserved.

Service-Orientation and Flexible Service Binding in Distributed Automation and Control Systems

An experimental study shows the feasibility of service-oriented architectures for industrial automation and control systems even with respect to lower, real-time dependent control functions. For that purpose, general SOA-guidelines were refined in order to cover the distribution of control functions between services and the lay-out and management of device-based sensor, actor and control services. Particular emphasis was placed on the dynamic lease-based binding of services which on the one hand provides flexible and loose coupling of system components but on the other hand has to ensure reliable communication and cooperation. The guidelines were applied to the experimental implementation of a manufacturing cell control system using a real-time version of the Java runtime environment. The device profile for Web services (DPWS) was used as basic infrastructure technology. Test and evaluation were performed under distributed simulation of technical processes and devices. We shortly describe DPWS, present the architecture guidelines, outline the experimental control system implementation, and report on its evaluation.

Trust-adapted enforcement of security policies in distributed component-structured applications

Software component technology on the one hand supports the cost-effective development of specialized applications. On the other hand, however it introduces special security problems. Some major problems can be solved by the automated run-time enforcement of security policies. Each component is controlled by a wrapper which monitors the components behavior and checks its compliance with the security behavior constraints of the components employment contract. Since control functions and wrappers can cause substantial overhead, we introduce trust-adapted control functions where the intensity of monitoring and behavior checks depends on the level of trust, the component, its hosting environment, and its vendor have currently in the eyes of the application administration. We report on wrappers and a trust information service, outline the embedding security model and architecture, and describe a Java Bean based experimental implementation.

Policy modeling and refinement for network security systems

In todays network environments the integrated design and management of different security technologies and mechanisms are of great interest. Especially in large networks, the security management should be supported by approaches with an appropriate level of abstraction, such that a system can be considered independently of the complex configuration details of its various component mechanisms. Furthermore, the employment of the security services and the design of their configurations should be supported by a structured technique that separates the consideration of the system as a whole from the detailed design of the subsystems. Pursuing these goals, this papers offers an approach to modeling network security systems, based on the concepts of policy-based management and model-based management, and analyzes the policy representation and refinement as well as the model validation enabled by this modeling.

Integration of a legacy automation system into a SOA for devices

Although networked embedded devices (NED) and service-oriented architectures (SOA) are often proclaimed as next generation technologies in industrial automation, there are some steps to take before they can be widely adopted. At the moment, productive systems are not SOA-ready and that is why integration approaches are interesting for manufacturers and operators of industrial plants. We suggest a solution for the integration of a legacy system into a so-called SOA for devices. Therefore, we use a thin abstraction layer which provides the technical functions of an industrial plant as re-usable services which can be arranged in control hierarchies and used as well in higher-level workflows. This enables a SOA-based automation with new control and monitoring approaches to be built upon the device services. To evaluate our solution a legacy material flow facility is used.

Model-Based Tool-Assistance for Packet-Filter Design

The design of suitable packet-filters protecting subnets against network-based attacks is usually difficult and error-prone. Therefore, tool-assistance shall facilitate the design task and shall contribute to the correctness of the filters, i.e., the filters should be consistent with the other security mechanisms of the computer network, in particular with its access control schemes. Moreover, they should just enable the corresponding necessary traffic. Our tool approach applies a three-layered model describing the access control and network topology aspects of the system on three levels of abstraction. Each lower layer refines its upper neighbour and is accompanied with access control models. At the top level, role based access control is applied. The lowest level specifies packet filter configurations which can be implemented by means of the Linux kernel extension IPchains. The derivation of filter configurations is substantially supported by tool assistance in the course of an interactive design process.

Verification of UML-based real-time system designs by means of cTLA

The Unified Modeling Language UML is well-suited for the design of real-time systems. In particular the design of dynamic system behaviors is supported by interaction diagrams and statecharts. Real-time aspects of behaviors can be described by time constraints. The semantics of the UML, however, is non-formal. In order to enable formal design verification, we therefore propose to complement the UML based design by additional formal models which refine UML diagrams to precise formal models. We apply the formal specification technique cTLA which is based on L. Lamports Temporal Logic of Actions, TLA. In particular cTLA supports modular definitions of process types and the composition of systems from coupled process instances. Since process composition has superposition character each process system has all of the relevant properties of its constituting processes. Therefore mostly small subsystems are sufficient for the verification of system properties and it is not necessary to use complete and complex formal system models. We present this approach by means of an example and also exemplify the formal verification of its hard real-time properties.

Model-based configuration of VPNs

The design of suitable configurations for virtual private networks (VPNs) is usually difficult and error-prone. The abstract objectives of design are given by high level policies representing various requirements and the designers are often faced with conflicting requirements. Moreover, it is difficult to find a suitable mapping of high level policies to those low level network configurations which correctly and completely implement the abstract objectives. We apply the approach of model-based management where the system itself as well as the management objectives are represented by graphical object instance diagrams. A combination of tool and libraries supports their interactive construction and automated analysis. The implementation of the approach focuses on VPNs which are based on the Linux IPsec software FreeS/WAN.

Support of cooperating and distributed business processes

Workflow management systems/business process management systems (BPMS) provide for an integral support of computer-based information processing, personal activities, business procedures and their relationships to organizational structures. They support the modeling and analysis of so-called business processes and offer means for the application-near design and implementation of computer-based business process assistance. Mainly, the BPMSs concentrate on the support of enterprise-internal processes. Our approach extends the scope of business process management. Enterprise-internal processes are viewed as sub-processes of global inter-enterprise processes. Additional global process assistance is based on the definition of global activity models and global information models. Features of dynamic naming and binding can be provided by business process brokers, which extend the concepts of object trading to the trading of opportunities to participate in global processes.

Compositional specification and verification of high-speed transfer protocols

Transfer protocols are composed from basic protocol mechanisms and accordingly a complex protocol can be verified by a series of relatively simple mechanism proofs. Our approach applies L. Lamport’s Temporal Logic of Actions (TLA). It is based on a modular compositional TLA-style and supports the analysis of flexibly configured high-speed transfer protocols.