Mark Moriconi

Correct architecture refinement

A method is presented for the stepwise refinement of an abstract architecture into a relatively correct lower-level architecture that is intended to implement it. A refinement step involves the application of a predefined refinement pattern that provides a routine solution to a standard architectural design problem. A pattern contains an abstract architecture schema and a more detailed schema intended to implement it. The two schemas usually contain very different architectural concepts (from different architectural styles). Once a refinement pattern is proven correct, instances of it can be used without proof in developing specific architectures. Individual refinements are compositional, permitting incremental development and local reasoning. A special correctness criterion is defined for the domain of software architecture, as well as an accompanying proof technique. A useful syntactic form of correct composition is defined. The main points are illustrated by means of familiar architectures for a compiler. A prototype implementation of the method has been used successfully in a real application. >

Correctness and composition of software architectures

The design of a large system typically involves the development of a hierarchy of different but related architectures. A criterion for the relative correctness of an architecture is presented, and conditions for architecture composition are defined which ensure that the correctness of a composite architecture follows from the correctness of its parts. Both the criterion and the composition requirements reflect special considerations from the domain of software architecture.The main points are illustrated by means of familiar architecture for a compiler. A proof of the relative correctness of two different compiler architectures shows how to decompose a proof into generic properties, which are proved once for every pair of architectural styles, and instance-level properties, which must be proved for every architecture.

Secure software architectures

The computer industry is increasingly dependent on open architectural standards for their competitive success. This paper describes a new approach to secure system design in which the various representations of the architecture of a software system are described formally and the desired security properties of the system are proven to hold at the architectural level. The main ideas are illustrated by means of the X/Open distributed transaction processing reference architecture, which is formalized and extended for secure access control as defined by the Bell-LaPadula model. The extension allows vendors to develop individual components independently and with minimal concern about security. Two important observations were gleaned on the implications of incorporating security into software architectures.

A Designer/Verifier's Assistant

Since developing and maintaining formally verified programs is an incremental activity, one is not only faced with the problem of constructing specifications, programs, and proofs, but also with the complex problem of determining what previous work remains valid following incremental changes. A system that reasons about changes must build a detailed model of each development and be able to apply its knowledge, the same kind of knowledge an expert would have, to integrate new or changed information into an existing model.

The PegaSys System: pictures as formal documentation of large programs

PegsSys is an experimental system in which a user formally describes how a program is put together by means of a hierarchically structured collection of pictures, called formal dependency diagrams (FDDs). Icons in an FDD denote a wide range of data and control dependencies among the relatively coarse-grained entities contained in large programs. Dependencies considered atomic with respect to one level in a hierarchy can be decomposed into a number of dependencies at a lower level. Each dependency can be a predefined primitive of the FDD language or it can be defined by a PegaSys user in terms of the primitives. A PegsSys user is given the illusion that logical formulas do not exist, even though PegaSys reasons about them internally. This involves (1) checking whether an FDD is meaningful syntactically, (2) determining whether hierarchical refinements of an FDD are methodologically sound, and (3) deciding whether an FDD hierarchy is logically consistent with the program that it is intended to describe. The techniques used to provide these capabilities are discussed along with the logical properties that enable PegaSys to maintain the user illusion.

PegaSys: A system for graphical explanation of program designs

This paper is an initial report on a system, called PegaSys, that supports a new visual paradigm for describing and manipulating programs and their designs. A program design is described by a hierarchically structured collection of graphical pictures. These pictures are intended to be easy to understand, yet still serve as formal program documentation. Pictures in PegaSys capture a variety of concepts, including (but not limited to) what we believe to be the important design concepts represented in flowcharts, structure charts, dataflow diagrams, and module interconnection languages. PegaSys treats pictures as computationally meaningful structures, checking whether they make sense syntactically, whether hierarchical picture refinements adhere to certain methodological principles, and whether a picture is logically consistent with a program. This paper describes the key ideas that enable PegaSys to provide these capabilities, as well as important properties of the PegaSys design and underlying logical framework. PegaSys has been implemented on Xerox personal computers and takes advantage of a high-resolution bitmap display.

Automatic Construction of Verification Condition Generators From Hoare Logics

We define a method for mechanically constructing verification condition generators from a useful class of Hoare logics. Any verification condition generator constructed by our method is shown to be sound and deduction-complete with respect to the associated Hoare logic. The method has been implemented.

A practical approach to semantic configuration management

A configuration management (CM) tool is supposed to build a consistent software system following incremental changes to the system. The notion of consistency usually is purely syntactic, having to do with the sorts of properties analyzed by compilers. Semantic consistency traditionally has been studied in the field of formal methods and has been considered an impractical goal for CM. Although the semantic CM problem is undecidable, it is possible to obtain a structural approximation of the semantic effects of a change in a finite number of steps. Our approximation technique is formalized in logic and is based on information-theoretic properties of programs. The method in its present form applies to many but not all software systems, and it is programming-language independent. To the best of our knowledge, the semantic CM problem has not been formalized previously in nonsemantic terms, and we believe that our simplified formulation offers the potential for considerably more powerful debugging and configuration management tools.

Interactive Design and Verification: A Message Switching Network Example

Traditionally, program verification systems have inadequately supported the incremental aspects of designing and verifying programs. For example, they provide only minimal assistance in determining what previous work is affected by changes to specifications. Problems of this general nature arise frequently and pose difficult challenges for the user. This paper describes and illustrates how several such problems have been largely overcome by a recently developed program verification system.

PegaSys and the Role of Logic in programming Environments

The benefits of formal approaches to program development are widely recognized. However, most programming environments have taken little advantage of them. The problem of incorporating formalism into programming environments is discussed in light of two often-competing concerns: maintaining mathematical rigor and alleviating complication in the programming of large systems. The PegaSys system [1,2] represents a practical balance between the two. It deals with an interesting class of program properties that are easy to describe formally and to reason about mechanically. Systems such as PegaSys offer the possibility of increased use of formal methods in programming environments.