Publications

Featured research published by Thomas Göthel.


theoretical aspects of software engineering | 2009

Verifying the Implementation of an Operating System Scheduler

Moritz Kleine; Björn Bartels; Thomas Göthel; Sabine Glesner

In this paper, we applied our approach for verifying low-level code to the scheduler of the real-time operating system BOSS. We developed its high-level specification in CSP-OZ and showed that it enforces the BOSS scheduling strategy. Furthermore, we presented a low-level CSPM model, which has been semi-automatically synthesized from its implementation. Using the automatic FDR2 refinement checker, we proved that the low-level model is a failures-divergence refinement of the CSPM encoding of the scheduler's CSP-OZ specification. First, this means that the methods are terminating. Second, the implementation respects the pre- and post-conditions of its specification. Third, the implementation produces exactly the schedules that are described by the CSP-OZ specification. We intend to examine other components of BOSS using our approach. Another objective is to extend it to enable the verification of real-time systems by using our formalization of Timed CSP in the Isabelle/HOL theorem prover [T. Göthel and S. Glesner, 2009].


software engineering and advanced applications | 2015

Adaptive Knowledge Bases in Self-Adaptive System Design

Verena Klös; Thomas Göthel; Sabine Glesner

Self-adaptive systems allow for flexible solutions in changing environments. Usually, a fixed set of predefined rules is used to define the adaptation possibilities of a system. The main problem of such systems is to cope with environment behaviours that were not anticipated at design time. In this case, no adaptation rule might be applicable, or adaptations might not have the expected effect. In this paper, we propose an extended architecture of IBM's MAPE-K loop to cope with this problem. We impose a structure on the knowledge base consisting of an abstract system and environment model, a global goal model, and a set of (current) adaptation rules. Furthermore, we introduce an evaluation component that deletes failed adaptation rules, as well as a learning component that uses run-time models to autonomously generate new rules if the current ones are not applicable. With our approach, not only functional components can dynamically be adapted but also the adaptation logic itself.


EAI Endorsed Transactions on Self-Adaptive Systems | 2015

Modular Design and Verification of Distributed Adaptive Real-Time Systems Based on Refinements and Abstractions

Thomas Göthel; Verena Klös; Björn Bartels

A promising way to cope with complexity in verifying large systems is to perform modular verification, where components are verified separately. However, in the context of adaptive systems, it is difficult to apply this principle because adaptation behaviour and functional behaviour are often intertwined. In this paper, we present and apply a design pattern for distributed adaptive real-time systems using the process calculus Timed CSP. Our pattern explicitly differentiates between functional data and adaptive control data and thereby allows for a strict separation of adaptation and functional components. We enable the modular verification of functional and adaptation behaviour, respectively, based on the notion of process refinement in Timed CSP. The verification of refinements is automated using industrial-strength proof tools. As the notion of refinement can also be used to justify abstractions, we furthermore enable abstraction-based verification, where a detailed system is abstracted to facilitate more efficient verification efforts. This is especially important in the industrial development of adaptive systems using languages like SystemC, where a designer does not necessarily apply fine-grained refinements, but implements larger parts of the functional and adaptation logic possibly at the same time. Therefore, we discuss how common refinements and abstractions from the context of Timed CSP can be used as a formal basis for refinements and abstractions in SystemC.


theoretical aspects of software engineering | 2010

Specification, Verification and Implementation of Business Processes Using CSP

Moritz Kleine; Thomas Göthel

Nowadays, the problem in business process management (BPM) is that BPM systems should both be easy to use for business process developers and be based on a sound formal method. Business process management systems are often based on semiformal modeling techniques such as event-driven process chains (EPC) or UML. Unlike semiformal modeling techniques, the process calculus CSP comes with mature verification support. Surprisingly little work has been done on using CSP for business process modeling and management. In this paper, we present our approach to business process management, which is based on the observation that CSP is well suited not only for specifying business processes and verifying workflows but also for executing workflows using our CSP4J framework. We report on a workflow server, which is specified in CSP and implemented using our CSP4J framework. The server accepts workflows that are modeled in CSP and also implemented using CSP4J. This allows us to integrate the mature verification support of CSP into both the management system itself and the development process of the end users' business process definitions.


Electronic Communication of The European Association of Software Science and Technology | 2010

Model Transformations to Mitigate the Semantic Gap in Embedded Systems Verification

Björn Bartels; Sabine Glesner; Thomas Göthel

The VATES project addresses the problem of verifying embedded software by employing a novel combination of methods that are well-established on the level of declarative models, in particular process-algebraic specifications, as well as methods that work especially well on the level of executable code. Beginning with executable code, we (automatically) extract a model in the form of a process-algebraic system description formulated in Communicating Sequential Processes (CSP). For this low-level CSP description, we can prove that it refines a high-level CSP specification which was previously developed. To relate the LLVM (Low-Level Virtual Machine) code with the low-level CSP model, we designed an operational semantics of LLVM. In ongoing work we investigate the extraction algorithm with respect to preservation of semantics. Thereby, we are finally able to prove that given LLVM code formally conforms to its high-level CSP-based specification. In this paper we give an overview of the results of VATES so far and show that this approach has the potential to seamlessly integrate the modeling, implementation, transformation and verification stages of embedded system development.


software engineering and advanced applications | 2017

Runtime Management and Quantitative Evaluation of Changing System Goals

Verena Klös; Thomas Göthel; Adrian Lohr; Sabine Glesner

A key challenge in cyber-physical systems is their highly dynamic nature, including changing system goals. Therefore, these systems have to autonomously manage their system goals and continuously evaluate their achievement at run-time. However, with the increasing complexity of system goals including, e.g., priorities, dependencies, and conflicts among goals, a binary or qualitative judgement of the achievement of goals is not sufficient any more. Instead, it is necessary to quantify the degree to which the goals are fulfilled in order to balance the cost-benefit ratio at run-time. In this paper, we present a hierarchical and modular goal model that allows for capturing complex relations between subgoals, e.g., dependencies and conflicts. We provide an algorithm that efficiently evaluates gradual achievement of goals at run-time. Due to the modular structure of our model and our evaluation, goals can easily be added, removed, and changed at run-time. With our approach, we a) ease the design of goal-aware autonomous systems by providing an explicit structure that emphasises relations between subgoals, b) provide an automatic quantification of the satisfaction of complex system goals that can be used to, e.g., evaluate autonomous decisions at runtime, and c) enable runtime management of changing system goals.


2016 IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W) | 2016

Formal Models for Analysing Dynamic Adaptation Behaviour in Real-Time Systems

Verena Klös; Thomas Göthel; Sabine Glesner

Self-adaptive systems are able to autonomously adapt themselves to react to dynamic changes in their environment. They thereby provide suitable mechanisms to deal with uncertain environment settings, as is required in modern reactive systems such as cyber-physical systems. However, the design and analysis of adaptation logic is complex and error-prone. Thus, early design-time analysis of the adaptation logic is necessary, especially in safety-critical applications. In this paper, we cope with the problem of comprehensively analysing time-dependent self-adaptive systems. We consider rule-based adaptation as a generic mechanism to describe adaptation logic. We automatically extract formal timed models of the functional components from a SystemC system-level implementation. This ensures that analysis results on the models correspond to the actual running system. To analyse the adaptation behaviours, we embed the extracted functional models in a formal, generic, and abstract MAPE-K loop modelled with timed automata. We classify important adaptation properties and show how they can be generally verified on the resulting models together with an abstract model of the environment, which we assume to be given. To evaluate our approach, we analyse the widely used web-based information system Znn.com.


computer software and applications conference | 2017

Towards Service-Oriented Design of Hybrid Systems Modeled in Simulink

Timm Liebrenz; Paula Herber; Thomas Göthel; Sabine Glesner

Simulink is widely used in model-driven design. However, the complexity of hybrid systems that are modeled in Simulink limits the applicability of reuse techniques, which impedes cost-efficient design of complex systems. In particular, a systematic use and reuse of complex submodels, e.g. components with varying structure and functionality, is currently not supported. In this paper, we present an approach for service-oriented design in Simulink. The main idea is that we create a modular representation of complex Simulink structures as services with an expressive and formally defined dynamic interface. A dynamic interface captures not only the types of input and output signals but also their discrete and continuous behavior. Our main contribution is threefold: First, we introduce services in Simulink. Second, we transfer the concept of feature modeling to Simulink to express the variability of a service. Third, we introduce the novel concept of hybrid contracts to define the dynamic interface of a service. With our approach, we enable the designer 1) to define hybrid services that are reusable, and 2) to efficiently develop complex hybrid systems from a given set of services. We demonstrate this with a case study of a hybrid temperature control system.


Verification, induction termination analysis | 2010

The VATES-diamond as a verifier's best friend

Sabine Glesner; Björn Bartels; Thomas Göthel; Moritz Kleine

Within a model-based software engineering process, it needs to be ensured that properties of abstract specifications are preserved by transformations down to executable code. This is even more important in the area of safety-critical real-time systems, where additionally non-functional properties are crucial. In the VATES project, we develop formal methods for the construction and verification of embedded systems. We follow a novel approach that allows us to formally relate abstract process-algebraic specifications to their implementation in a compiler intermediate representation. The idea is to extract a low-level process-algebraic description from the intermediate code and to formally relate it to previously developed abstract specifications. We apply this approach to a case study from the area of real-time operating systems and show that this approach has the potential to seamlessly integrate the modeling, implementation, transformation and verification stages of embedded system development.


international conference on software engineering | 2016

Refinement-Based Verification of Communicating Unstructured Code

Nils Jähnig; Thomas Göthel; Sabine Glesner

Formal model refinement aims at preserving safety and liveness properties of models. However, there is usually a verification gap between the model and the executed code, especially if concurrent processes are involved. The reason for this is that a manual implementation and further code optimizations can introduce implementation errors. In this paper, we present a framework that allows for formally proving a failures refinement between a CSP specification and its low-level implementation. The implementation is given in a generic unstructured language with gotos and an abstract communication instruction. We provide a failures-based denotational semantics for it with an appropriate Hoare calculus. Since failures-based refinement is compositional w.r.t. parallel composition of concurrent components and preserves safety and liveness properties, this contributes to reducing the verification gap between high-level specifications and their low-level implementations.

Collaboration

Thomas Göthel's top co-authors.

Top Co-Authors

Sabine Glesner (Technical University of Berlin)

Verena Klös (Technical University of Berlin)

Paula Herber (Technical University of Berlin)

Björn Bartels (Free University of Berlin)

Moritz Kleine (Free University of Berlin)

Marcus Mikulcak (Technical University of Berlin)

Sebastian Schlesinger (Technical University of Berlin)

Joachim Fellmuth (Technical University of Berlin)

Nils Jähnig (Technical University of Berlin)

Timm Liebrenz (Technical University of Berlin)