Karin Greimel

RATSY – a new requirements analysis tool with synthesis

Formal specifications play an increasingly important role in system design-flows Yet, they are not always easy to deal with In this paper we present RATSY, a successor of the Requirements Analysis Tool RAT RATSY extends RAT in several ways First, it includes a new graphical user interface to specify system properties as simple Buchi word automata Second, it can help debug incorrect specifications by means of a game-based approach Third, it allows correct-by-construction synthesis of systems from their temporal properties These new features and their seamless integration assist in property-based design processes.

Robustness in the presence of liveness

Systems ought to behave reasonably even in circumstances that are not anticipated in their specifications We propose a definition of robustness for liveness specifications which prescribes, for any number of environment assumptions that are violated, a minimal number of system guarantees that must still be fulfilled This notion of robustness can be formulated and realized using a Generalized Reactivity formula We present an algorithm for synthesizing robust systems from such formulas For the important special case of Generalized Reactivity formulas of rank 1, our algorithm improves the complexity of [PPS06] for large specifications with a small number of assumptions and guarantees.

Synthesizing robust systems

Systems should not only be correct but also robust in the sense that they behave reasonably in unexpected situations. This article addresses synthesis of robust reactive systems from temporal specifications. Existing methods allow arbitrary behavior if assumptions in the specification are violated. To overcome this, we define two robustness notions, combine them, and show how to enforce them in synthesis. The first notion applies to safety properties: If safety assumptions are violated temporarily, we require that the system recovers to normal operation with as few errors as possible. The second notion requires that, if liveness assumptions are violated, as many guarantees as possible should be fulfilled nevertheless. We present a synthesis procedure achieving this for the important class of GR(1) specifications, and establish complexity bounds. We also present an implementation of a special case of robustness, and show experimental results.

Open Implication

We argue that the usual trace-based notions of implication and equivalence for linear temporal logics are too strong and should be complemented by the weaker notions of open implication and open equivalence. Although open implication is harder to compute, it can be used to advantage both in model checking and in synthesis. We study the difference between trace-based equivalence and open equivalence and describe an algorithm to compute open implication of Linear Temporal Logic formulas with an asymptotically optimal complexity. We also show how to compute open implication while avoiding Safras construction. We have implemented an open-implication solver for Generalized Reactivity(1) specifications. In a case study, we show that open equivalence can be used to justify the use of an alternative specification that allows us to synthesize much smaller systems in far less time.

Formal Analysis of a TPM-Based Secrets Distribution and Storage Scheme

Trusted computing introduces the Trusted Platform Module (TPM) as a root of trust on an otherwise untrusted computer. The TPM can be used to restrict the use of cryptographic keys to trusted states, i.e., to situations in which the computer runs trusted software. This allows for the distribution of intellectual property or secrets to a remote party with a reasonable security that such secrets will not be obtained by a malicious or compromised client. We model a specific protocol for the distribution of secrets proposed by Sevine et al. A formal analysis using the NuSMV model checker shows that the protocol allows an intruder to give the client an arbitrary secret, without the client noticing. We propose an alternative that prevents this scenario.

Formal security policy models for smart card evaluations

For high security ICs, a security evaluation by an independent institution is of great importance to strengthen the confidence in the security of the product. Common Criteria (CC) is a widely used evaluation method for security products. In many countries, CC evaluations are required by law for certain IT products. For high assurance, CC requires a formal model of the implemented security policies. We show how such a formal security policy model based on temporal logic and model checking can be developed for the real world evaluation of a Security IC. We argue that temporal logics and model checking is suitable for the formal requirements of a CC Evaluation Assurance Level 6 evaluation, because models and security requirements can be developed by anybody with moderate knowledge of formal methods. Additionally, proofs (or refutations) are generated automatically.

Specification-centered robustness

In addition to being correct, a system should be robust, that is, it should behave reasonably even after receiving unexpected inputs. In this paper, we summarize two formal notions of robustness that we have introduced previously for reactive systems. One of the notions is based on assigning costs for failures on a user-provided notion of incorrect transitions in a specification. Here, we define a system to be robust if a finite number of incorrect inputs does not lead to an infinite number of incorrect outputs. We also give a more refined notion of robustness that aims to minimize the ratio of output failures to input failures. The second notion is aimed at liveness. In contrast to the previous notion, it has no concept of recovery from an error. Instead, it compares the ratio of the number of liveness constraints that the system violates to the number of liveness constraints that the environment violates.

Model checking specifications of smart cards

Formally verifying a product in an early phase of the design process has several advantages. First, errors and contradictions in the specification can be found early. Second, an unambiguous common understanding of the specification is created. In summary, the quality and security of a product can be significantly increased. This paper describes how formal verification can be integrated into the industrial design process of a smart card in a practical way. The described method allows to reach high assurance levels in Common Criteria certifications.