Julien Brunel

Lightweight specification and analysis of dynamic systems with rich configurations

Model-checking is increasingly popular in the early phases of the software development process. To establish the correctness of a software design one must usually verify both structural and behavioral (or temporal) properties. Unfortunately, most specification languages, and accompanying model-checkers, excel only in analyzing either one or the other kind. This limits their ability to verify dynamic systems with rich configurations: systems whose state space is characterized by rich structural properties, but whose evolution is also expected to satisfy certain temporal properties. To address this problem, we first propose Electrum, an extension of the Alloy specification language with temporal logic operators, where both rich configurations and expressive temporal properties can easily be defined. Two alternative model-checking techniques are then proposed, one bounded and the other unbounded, to verify systems expressed in this language, namely to verify that every desirable temporal property holds for every possible configuration.

Towards a categorical framework to ensure correct software evolutions

Distributed software, such as satellite software are now developed and managed by several actors. In this context supporting the maintenance and therefore the evolution of such applications is complex and need a formal framework. In this article, we propose a first step towards such a formal framework to ensure the correctness of software evolutions. Using category theory, we can model software and represent patches. This modeling allows to identify the proof obligations that the provider of a patch has to discharge in order to ensure that its patch preserves the correctness of the software.

Decision Procedures for a Deontic Logic Modeling Temporal Inheritance of Obligations

In nowadays applications of temporal deontic logic to the verification of security policies, an issue arises concerning the temporal inheritance of future directed obligations that have net yet been met. We investigate decision procedures for temporal deontic logics that account for this particular interaction between time and obligation.

On Finite Domains in First-Order Linear Temporal Logic

We consider First-Order Linear Temporal Logic (FO-LTL) over linear time. Inspired by the success of formal approaches based upon finite-model finders, such as Alloy, we focus on finding models with finite first-order domains for FO-LTL formulas, while retaining an infinite time domain. More precisely, we investigate the complexity of the following problem: given a formula \(\varphi \) and an integer n, is there a model of \(\varphi \) with domain of cardinality at most n? We show that depending on the logic considered (FO or FO-LTL) and on the precise encoding of the problem, the problem is either NP-complete, NEXPTIME-complete, PSPACE-complete or EXPSPACE-complete. In a second part, we exhibit cases where the Finite Model Property can be lifted from fragments of FO to their FO-LTL extension.

A formal treatment of agents, goals and operations using alternating-time temporal logic

The aim of this paper is to provide a formal framework for Requirements Engineering modelling languages featuring agents, behavioural goals and operations as main concepts. To do so, we define Khi, a core modelling language, as well as its formal semantics in terms of a fragment of the multi-agent temporal logic ATL*, called ATLKHI. Agents in the sense of concrete and provided entities, called actors, are defined by their capabilities. They also pursue behavioural goals that are realised by operations, which are themselves gathered into abstract, required, agents, that we call roles. Then a notion of assignment, between (coalitions of) actors and roles is defined. Verifying the correctness of a given assignment then reduces to the validity of an ATLKHI formula that confronts the capabilities of (coalitions of) actors with the operations in roles played by the said actors. The approach is illustrated through a toy example featuring an online shopping marketplace.

Preservation of obligations in a temporal and deontic framework

We study logical properties that concern the preservation of future-directed obligations that have not been fulfilled yet. Our starting point is a product of temporal and deontic logics. We investigate some modifications of the semantics of the product in order to satisfy preservation properties, without loosing too much of the basic properties of the product. We arrive at a semantics in which we only consider ideal histories that share the same past as the current one, and that enables a characterization of the states in which the obligations propagate. These are the states where any obligation of a formula that concerns the present moment is not violated. When there are such violations, the deontic realm switches to a lower level of ideality.

Proposition of an Action Layer for Electrum

Electrum is an extension of Alloy that adds (1) mutable signatures and fields to the modeling layer; and (2) connectives from linear temporal logic (with past) and primed variables a la \(\textsf {TLA}^+\) to the constraint language. The analysis of models can then be translated into a SAT-based bounded model-checking problem, or to an LTL-based unbounded model-checking problem. Electrum has proved to be useful to model and verify dynamic systems with rich configurations. However, when specifying events, the tedious and sometimes error-prone handling of traces and frame conditions (similarly as in Alloy) remained necessary. In this paper, we introduce an extension of Electrum with a so-called “action” layer that addresses these questions.

Safety and Security Assessment of Behavioral Properties Using Alloy

In this paper, we propose a formal approach to supporting safety and security engineering, in the spirit of Model-Based Safety Assessment, using the Alloy language. We first implement a system modeling framework, called Coy, allowing to model system architectures and their behavior with respect to component failures. Then we illustrate the use of Coy by defining a fire detection system example and analyzing some safety and security requirements. An interesting aspect of this approach lies in the “declarative” style provided by Alloy, which allows the lean specification of both the model and its properties.

The electrum analyzer: model checking relational first-order temporal specifications

This paper presents the Electrum Analyzer, a free-software tool to validate and perform model checking of Electrum specifications. Electrum is an extension of Alloy that enriches its relational logic with LTL operators, thus simplifying the specification of dynamic systems. The Analyzer supports both automatic bounded model checking, with an encoding into SAT, and unbounded model checking, with an encoding into SMV. Instance, or counter-example, traces are presented back to the user in a unified visualizer. Features to speed up model checking are offered, including a decomposed parallel solving strategy and the extraction of symbolic bounds. Source code: https://github.com/haslab/Electrum Video: https://youtu.be/FbjlpvjgMDA

Evaluating the Assignment of Behavioral Goals to Coalitions of Agents

We present a formal framework for solving what we call the “assignment problem”: given a set of behavioral goals for a system and a set of agents described by their capabilities to make the system evolve, the problem is to find a “good” assignment of goals to (coalitions of) agents. To do so, we define \({\textsc {Kore}}\), a core modelling framework as well as its semantics in terms of a strategy logic called \(\text {USL}\). In \({\textsc {Kore}}\), agents are defined by their capabilities, which are pre- and post-conditions on the system variables, and goals are defined in terms of temporal logic formulas. Then, an assignment associates each goal with the coalition of agents that is responsible for its satisfaction. Our problem consists in defining and checking the correctness of this assignment. We define different criteria for modelling and formalizing this notion of correctness. They reduce to the satisfaction of \(\text {USL}\) formulas in a structure derived from the capabilities of agents. Thus, we end up with a procedure for deciding the correctness of the assignment. We illustrate our approach using a toy example featuring exchanges of resources between a provider and two clients.