Luke Wildman

Model checking z specifications using SAL

The Symbolic Analysis Laboratory (SAL) is a suite of tools for analysis of state transition systems. Tools supported include a simulator and four temporal logic model checkers. The common input language to these tools was originally developed with translation from other languages, both programming and specification languages, in mind. It is, therefore, a rich language supporting a range of type definitions and expressions. In this paper, we investigate the translation of Z specifications into the SAL language as a means of providing model checking support for Z. This is facilitated by a library of SAL definitions encoding the Z mathematical toolkit.

A method for verifying concurrent Java components based on an analysis of concurrency failures

The Java programming language supports concurrency. Concurrent programs are harder to verify than their sequential counterparts due to their inherent non‐determinism and a number of specific concurrency problems, such as interference and deadlock. In previous work, we have developed the ConAn testing tool for the testing of concurrent Java components. ConAn has been found to be effective at testing a large number of components, but there are certain classes of failures that are hard to detect using ConAn. Although a variety of other verification tools and techniques have been proposed for the verification of concurrent software, they each have their strengths and weaknesses. In this paper, we propose a method for verifying concurrent Java components that includes ConAn and complements it with other static and dynamic verification tools and techniques. The proposal is based on an analysis of common concurrency problems and concurrency failures in Java components. As a starting point for determining the concurrency failures in Java components, a Petri‐net model of Java concurrency is used. By systematically analysing the model, we come up with a complete classification of concurrency failures. The classification and analysis are then used to determine suitable tools and techniques for detecting each of the failures. Finally, we propose to combine these tools and techniques into a method for verifying concurrent Java components. Copyright

Mutation-based exploration of a method for verifying concurrent Java components

Summary form only given. The Java programming language supports concurrency. Concurrent programs are harder to verify than their sequential counterparts due to their inherent nondeterminism and a number of specific concurrency problems such as interference and deadlock. In previous work, we proposed a method for verifying concurrent Java components based on a mix of code inspection, static analysis tools, and the ConAn testing tool. The method was derived from an analysis of concurrency failures in Java components, but was not applied in practice. In this paper, we explore the method by applying it to an implementation of the well-known readers-writers problem and a number of mutants of that implementation. We only apply it to a single, well-known example, and so we do not attempt to draw any general conclusions about the applicability or effectiveness of the method. However, the exploration does point out several strengths and weaknesses in the method, which enable us to fine-tune the method before we carry out a more formal evaluation on other, more realistic components.

A UML approach to the generation of test sequences for Java-based concurrent systems

Starting with a UML specification that captures the underlying functionality of some given Java-based concurrent system, we describe a systematic way to construct, from this specification, test sequences for validating an implementation of the system. The approach is to first extend the specification to create UML state machines that directly address those aspects of the system we wish to test. To be specific, the extended UML state machines can capture state information about the number of waiting threads or the number of threads blocked on a given object. Using the SAL model checker we can generate from the extended UML state machines sequences that cover all the various possibilities of events and states. These sequences can then be directly transformed into test sequences suitable for input into a testing tool such as ConAn. As an illustration, the methodology is applied to generate sequences for testing a Java implementation of the producer-consumer system.

SIFA: a tool for evaluation of high-grade security devices

We describe a tool for analysing information flow in security hardware. It identifies both sub-circuits critical to the preservation of security as well as the potential for information flow due to hardware failure. The tool allows for the composition of both logical and physical views of circuit designs. An example based on a cryptographic device is provided.

Testing concurrent java components

Testing concurrent software is notoriously difficult due to problems with non-determinism and synchronisation. While tools and techniques for the testing of sequential components are well-understood and widely used, similar tools and techniques for concurrent components are not commonly available. This tutorial will look at the problems associated with testing concurrent components and propose techniques for dealing with these problems. The ConAn (Concurrency Analyser) testing tool supports these techniques for the testing of concurrent Java components and will be discussed and demonstrated in the tutorial. The limitations of the techniques and ConAn, as well as additional V&V tools and techniques to address these limitations will be presented.

Modelling Java concurrency with Object-Z

In this paper, we present a formal model of Java concurrency using the Object-Z specification language. This model captures the Java thread synchronization concepts of locking, blocking, waiting and notification. In the model, we take a viewpoints approach, first capturing the role of the objects and threads, and then taking a system view where we capture the way the objects and threads cooperate and communicate. As a simple illustration of how the model can, in general be applied, we use Object-Z inheritance to integrate the model with the classical producer-consumer system to create a specification directly incorporating the Java concurrency constructs.

Towards Libraries for Z

We consider adding parametrised libraries to Z as a strict extension to the current notation. We examine a simple modularisation facility with only generic sets as parameters, similar to current Z generic schemas.

Model-Based Generation of Interlocking Controller Software from Control Tables

Railroad interlocking software drives specialised micro-devices, known as interlocking controllers. These controllers primarily actuate railroad points and change signal aspects in real-time, based on sensor and timer input. Due to their central function in railroad control, interlocking controllers and their firmware are safety-critical. The firmware programs, which mimic physical relays, are written in variants of domain-specific programming languages based on ladder logic. The programs have to comply with a more abstract specification of allowable states of sections of railroad track and equipment, known as a control table. The translation of a track layout and associated control tables into ladder logic-based code is manual, and hence subject to costly review and rework cycles. In this report, we describe a case study that uses a model-driven tool-chain as an automated alternative to the existing process. The two domain languages, control table and ladder logic, were modelled and transformations were implemented between the two models, and from model to program text. We report on implementation challenges, and describe the outlook and scalability of the approach in this application domain.

Fault evaluation for security-critical communication devices

Communications devices for government or military applications must keep data secure, even when their electronic components fail. Combining information flow and risk analyses could make fault-mode evaluations for such devices more efficient and cost-effective. Conducting high-grade information security evaluations for computer communications devices is intellectually challenging, time-consuming, costly, and error prone. We believe that our structured approach can reveal potential fault modes because it simplifies evaluating a devices logical design and physical construction. By combining information-flow and risk-analysis techniques, evaluators can use the process to produce a thorough and transparent security argument. In other work, we have applied static analysis techniques to the evaluation problem, treating a devices schematic circuitry diagram as an information flow graph. This work shows how to trace information flow in different operating modes by representing connectivity between components as being conditional on specific device states. We have also developed a way to define the security-critical region of components with particular security significance by identifying components that lie on a path from a high-security data source to a low-security sink. Finally, to make these concepts practical, we have implemented them in an interactive analysis tool that reads schematic diagrams written in the very high speed integrated circuit (VHSIC) hardware description language.