Ramesh Bharadwaj

SCR*: A Toolset for Specifying and Analyzing Software Requirements

A controversial issue in the formal methods community is the degree to which mathematical sophistication and theorem proving skills should be needed to apply a formal method and its support tools. This paper describes the SCR (Software Cost Reduction) tools, part of a “practical” formal method—a. method with a solid mathematical foundation that software developers can apply without theorem proving skills, knowledge of temporal and higher order logics, or consultation with formal methods experts. The SCR method provides a tabular notation for specifying requirements and a set of “light-weight” tools that detect several classes of errors automatically. The method also provides support for more “heavy-duty” tools, such as a model checker. To make model checking feasible, users can automatically apply one or more abstraction methods.

Model Checking Complete Requirements Specifications Using Abstraction

Although model checking has proven remarkably effective in detecting errors in hardware designs, its success in the analysis of software specifications has been limited. Model checking algorithms for hardware verification commonly use Binary Decision Diagrams (BDDs) to represent predicates involving the many Boolean variables commonly found in hardware descriptions. Unfortunately, BDD representations may be less effective for analyzing software specifications, which usually contain not only Booleans but variables spanning a wide range of data types. Further, software specifications typically have huge, sometimes infinite, state spaces that cannot be model checked directly using conventional symbolic methods. One promising but largely unexplored approach to model checking software specifications is to apply mathematically sound abstraction methods. Such methods extract a reduced model from the specification, thus making model checking feasible. Currently, users of model checkers routinely analyze reduced models but often generate the models in ad hoc ways. As a result, the reduced models may be incorrect. This paper, an expanded version of (Bharadwaj and Heitmeyer, 1997), describes how one can model check a complete requirements specification expressed in the SCR (Software Cost Reduction) tabular notation. Unlike previous approaches which applied model checking to mode transition tables with Boolean variables, we use model checking to analyze properties of a complete SCR specification with variables ranging over many data types. The paper also describes two sound and, under certain conditions, complete methods for producing abstractions from requirements specifications. These abstractions are derived from the specification and the property to be analyzed. Finally, the paper describes how SCR requirements specifications can be translated into the languages of Spin, an explicit state model checker, and SMV, a symbolic model checker, and presents the results of model checking two sample SCR specifications using our abstraction methods and the two model checkers.

Salsa: Combining Constraint Solvers with BDDs for Automatic Invariant Checking

Salsa is an invariant checker for specifications in SAL (the SCR Abstract Language). To establish a formula as an invariant without any user guidance, Salsa carries out an induction proof that utilizes tightly integrated decision procedures, currently a combination of BDD algorithms and a constraint solver for integer linear arithmetic, for discharging the verification conditions. The user interface of Salsa is designed to mimic the interfaces of model checkers; i.e., given a formula and a system description, Salsa either establishes the formula as an invariant of the system (but returns no proof) or provides a counterexample. In either case, the algorithm will terminate. Unlike model checkers, Salsa returns a state pair as a counterexample and not an execution sequence. Also, due to the incompleteness of induction, users must validate the counterexamples. The use of induction enables Salsa to combat the state explosion problem that plagues model checkers - it can handle specifications whose state spaces are too large for model checkers to analyze. Also, unlike general purpose theorem provers, Salsa concentrates on a single task and gains efficiency by employing a set of optimized heuristics.

SOL: A Verifiable Synchronous Language for Reactive Systems

Abstract SOL (Secure Operations Language) is a synchronous programming language for implementing reactive systems. The utility of SOL hinges upon the fact that it is a secure language, i.e., most programs in SOL are amenable to fully automated static analysis techniques, such as automatic theorem proving using decision procedures or model checking. Among the unique features of SOL is the ability to express a wide class of enforceable safety and security policies (including the temporal aspects of software component interfaces) in the language itself, thereby opening up the possibility of eliminating runaway computations and malicious code, such as worms and viruses.

Secure middleware for situation-aware naval C/sup 2/ and combat systems

There is an increasing need within the Navy & Marine Corps for building distributed situation-aware applications that are rapidly reconfigurable and survivable in the face of attacks and changing mission needs. For the Navys vision of Network Centric Warfare and Total Ship Computing to succeed, there is an urgent need for a secure, robust, and survivable network infrastructure for disseminating mission-critical information in a timely manner. It is widely believed that intelligent software agents provide the ability to build robust, agile, and efficient distributed applications. We outline how SINS (Secure Infrastructure for Networked Systems) being developed at the Naval Research Laboratory will provide commanders and warfighters the necessary middleware for constructing situation-aware Command and Control (C/sup 2/) and combat applications. We pay particular attention to the correctness, survivability, and efficiency of the underlying middleware architecture, and develop a middleware definition language SOL (Secure Operations Language) that enables C/sup 2/ and Combat applications to use this infrastructure in a seamless and scalable manner.

Specification, analysis and implementation of architectural patterns for dependable software systems

Ensuring dependability of distributed applications is a difficult problem since developers must carefully consider issues such as network and node failures, deadlocks, live-locks, starvation, distributed coordination, and synchronization. The creation of architectural patterns for dependable software systems can provide effective guidelines, similar to design patterns, to system architects. In this paper, we present an agent specification language, associated tools, and agent-based middleware for specifying, analyzing and implementing architectural patterns for dependable software systems. The language we present is an extension of the secure operations language (SOL), which supports the behavioral specification of agents in addition to specification of agent interfaces, agent composition, and inter-agent interactions. Extended SOL can be used in the design of architectural patterns that implement the security, real-time, and fault-tolerance requirements of a given application. SOL also supports early and automated analyses of an applications functional requirements with respect to performance critical properties. Further, the language has a precisely defined semantics for composition, which enables the automated analysis of architectural designs and the impact of design choices on dependability requirements. The agent-based middleware secure infrastructure for networked systems (SINS), being developed at the Naval Research Laboratory, enables the rapid development and deployment of dependable distributed applications. Architectural patterns specified in extended SOL can be used to automatically derive an implementation, and to assign SINS agents to processors that constitute the distributed execution environment.

Verifiable middleware for secure agent interoperability

There is an increasing need, within organizations such as the Department of Defense and NASA, for building distributed applications that are rapidly re-configurable and survivable in the face of attacks and changing mission needs. Existing methods and tools are inadequate to deal with the multitude of challenges posed by application development for systems that may be distributed over multiple physical nodes separated by vast geographical distances. The problem is exacerbated in a hostile and unforgiving environment such as space where, in addition, systems are vulnerable to failures. It is widely believed that intelligent software agents are central to the development of agile, efficient, and robust distributed applications. This paper presents details of agent-based middleware that could be the basis for developing such applications. We pay particular attention to the correctness, survivability, and efficiency of the underlying middleware architecture, and develop a middleware definition language that permits applications to use this infrastructure in a scalable and seamless manner.

Service composition in a secure agent-based architecture

We describe an agent-based situation-aware survivable architecture for the discovery and composition of Web services. Our architecture provides for proofs that guarantee the consistency of service level agreements between service providers and their clients. The architecture is based on decentralized situation-aware ambients (SAAs) which are autonomous agents that process information about the current situation, and discover and compose services syntactically to adapt to changing situations. The agents run on the secure infrastructure for networked systems (SINS) under development at the Center for High Assurance Computer Systems of the Naval Research Laboratory.

SOLj: A Domain-Specific Language (DSL) for Secure Service-Based Systems

We present SOLj (Secure Operations Language-Java), an event-driven domain-specific synchronous programming extension of Java for developing secure service-based systems. The language has capabilities for handling service invocations asynchronously, includes strong typing for the enforcement of information flow and security policies, and exception handling mechanisms to deal with failures of components or services (both benign and Byzantine). Applications written in SOLj are formally verifiable using static analysis techniques. SOLj programs may be deployed, configured, and run on SINS (Secure Infrastructure for Networked Systems) under development at the Naval Research Laboratory

A Formal Approach to Developing Reliable Event-Driven Service-Oriented Systems

In this paper, we present a formal framework for developing distributed service-oriented systems in an event-driven secure synchronous programming environment. More precisely, we present a synchronous programming language called SOL (Secure Operations Language) that has (i) capabilities for handling service invocations asynchronously, (ii) strong typing to ensure enforcement of information flow and security policies, and (iii) the ability to deal with failures (both benign and byzantine) of components. SOL is supported by formal operational semantics. Applications written in our framework can be verified using formal static checking techniques like theorem proving. The framework runs on the top of the SINS (secure infrastructure for networked systems) infrastructure that we have developed.