Detectors and Correctors: A Theory of Fault-Tolerance Components
International Conference on Distributed Computing Systems, 1998
Cited by 74 (11 self)
In this paper, we show that two types of tolerance components, namely detectors and correctors, appear in a rich class of fault-tolerant systems. This class includes systems designed using the well-known techniques of encapsulation and refinement, as well as systems designed using extant fault-tolerance methods such as replication and the state-machine approach. Our demonstration is via a theory of detectors and correctors, which characterizes the particular role of these components in achieving various types of fault-tolerance. Based on this theory and on our experience with using these components in designs, we suggest that detectors and correctors provide a powerful basis for efficient, component-based design of fault-tolerance.
TAME: A PVS Interface to Simplify Proofs for Automata Models
In Proc. User Interfaces for Theorem Provers 1998 (UITP '98), 1998
Cited by 51 (14 self)
Although a number of mechanical provers have been introduced and applied widely by academic researchers, these provers are rarely used in the practical development of software. For mechanical provers to be used more widely in practice, two major barriers must be overcome. First, the languages provided by the mechanical provers for expressing the required system behavior must be more natural for software developers. Second, the reasoning steps supported by mechanical provers are usually at too low and detailed a level and therefore discourage use of the prover. To help remove these barriers, we are developing a system called TAME, a high-level user interface to PVS for specifying and proving properties of automata models. TAME provides both a standard specification format for automata models and numerous high-level proof steps appropriate for reasoning about automata models. In previous work, we have shown how TAME can be useful in proving properties about systems described as Lynch-Vaa...
TAME: Using PVS strategies for special-purpose theorem proving
Annals of Mathematics and Artificial Intelligence, 2000
Cited by 48 (14 self)
TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch-Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata specifications using the templates. Use of the TAME strategies simplifies the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for "automatic" proof and strategies designed to implement "natural" proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's "natural" proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and efficiency in user-defined strategies such as those used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of specifications and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional "natural" proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.
The IOA Language and Toolset: Support for Designing, Analyzing, and Building Distributed Systems
1998
Cited by 34 (10 self)
This report describes a new language for distributed programming, the IOA language, together with a high-level design and preliminary implementation for a suite of tools, the IOA toolset, to support the production of high-quality distributed software. The language and tools are based on the I/O automaton model, which has been used to describe and verify distributed algorithms. The toolset supports a development process that begins with a high-level specification, refines that specification via successively more detailed designs, and ends by automatically generating distributed programs. The toolset encourages system decomposition, which helps make distributed programs understandable and easy to modify. It also provides a variety of validation methods (theorem proving, model checking, and simulation), which can be used to ensure that the generated programs are correct, subject to assumptions about externally-provided system services (e.g., communication services), and about the correctness of hand-coded data type implementations.
Mechanical Verification of Timed Automata: A Case Study
In Proc. 1996 IEEE Real-Time Technology and Applications Symp. (RTAS'96). IEEE Computer, 1996
Cited by 33 (10 self)
This paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on the proof system PVS, to prove propositions about real-time systems specified in the Lynch-Vaandrager timed automata model. In using automated provers to prove propositions about systems described by a specific mathematical model, both the proofs and the proof process can be simplified by exploiting the special properties of the mathematical model. Because both specifications and methods of reasoning about them tend to be repetitive, the use of a standard template for specifications, accompanied by standard shared theories and standard proof strategies or tactics, is often feasible. Presented are the PVS specification of three theories that underlie the timed automata model, a template for specifying timed automata models in PVS, and an example of its instantiation. Both hand proofs and the corresponding PVS proofs of two propositions are provided to illustrate h...
A Less Elementary Tutorial for the PVS Specification and Verification System
Computer Science, 1996
Cited by 24 (1 self)
PVS is a verification system that provides a specification language integrated with support tools and a theorem prover. It has been used at SRI and elsewhere to perform verifications of several significant algorithms (primarily for fault-tolerance) and large hardware designs. This tutorial introduces some of the more powerful strategies provided by the PVS theorem prover. It consists of two parts: the first extends a previous tutorial by Ricky Butler [But93], demonstrating how his proofs may be performed in a more automated manner; the second uses the "unwinding theorem" from the noninterference formulation of security to introduce theorem-proving strategies for induction that cannot be demonstrated in the framework of Ricky Butler's example. Using the more powerful strategies of PVS to automate easy proofs (and the easy parts of hard proofs) frees users to concentrate on truly difficult proofs. Automation also makes proofs more robust to changes in the specification, thereb...
SCR: A practical approach to building a high assurance COMSEC system
In Proc. 15th Annual Computer Security Applications Conf. (ACSAC '99). IEEE Computer, 1999
Cited by 24 (14 self)
To date, the tabular-based SCR (Software Cost Reduction) method has been applied mostly to the development of embedded control systems. This paper describes the successful application of the SCR method, including the SCR* toolset, to a different class of system, a COMSEC (Communications Security) device called CD that must correctly manage encrypted communications. The paper summarizes how the tools in SCR* were used to validate and to debug the SCR specification and to demonstrate that the specification satisfies a set of critical security properties. The development of the CD specification involved many tools in SCR*: a specification editor, a consistency checker, a simulator, the TAME interface to the theorem prover PVS, and various other analysis tools. Our experience provides evidence that use of the SCR* toolset to develop high-quality requirements specifications of moderately complex COMSEC systems is both practical and low-cost.
Elements of Mathematical Analysis in PVS
Ninth International Conference on Theorem Proving in Higher Order Logics (TPHOL), 1996
Cited by 20 (0 self)
This paper presents the formalization of some elements of mathematical analysis using the PVS verification system. Our main motivation was to extend the existing PVS libraries and provide means of modelling and reasoning about hybrid systems. The paper focuses on several important aspects of PVS including recent extensions of the type system and discusses their merits and effectiveness. We conclude by a brief comparison with similar developments using other theorem provers.
1 Introduction. PVS is a specification and verification system whose ambition is to make formal proofs practical and applicable to large and complex problems. The system is based on a variant of higher order logic which includes complex typing mechanisms such as predicate subtypes or dependent types. It offers an expressive specification language coupled with a theorem prover designed for efficient interactive proof construction. In previous work we have applied PVS to the requirements analysis of a substantially ...
Liveness with Invisible Ranking
Software Tools for Technology Transfer, 2006
Cited by 20 (7 self)
The method of Invisible Invariants was developed originally in order to verify safety properties of parameterized systems in a fully automatic manner. The method is based on (1) a project&generalize heuristic to generate auxiliary constructs for parameterized systems, and (2) a small model theorem implying that it is sufficient to check the validity of logical assertions of certain syntactic form on small instantiations of a parameterized system. The approach can be generalized to any deductive proof rule that (1) requires auxiliary constructs that can be generated by project&generalize, and (2) the premises resulting when using the constructs are of the form covered by the small model theorem. The method of invisible ranking, presented here, generalizes the approach to liveness properties of parameterized systems. Starting with a proof rule and cases where the method can be applied almost “as is,” the paper progresses to develop deductive proof rules for liveness and extend the small model theorem to cover many intricate families of parameterized systems.
Improving Inter-Enclave Information Flow for a Secure Strike Planning Application
Proceedings of 11th Computer Security Applications Conference, 1995
Cited by 14 (7 self)
DoD operates many system high enclaves with limited information flow between enclaves at different security levels. Too often, the result is duplication of operations and inconsistent and untimely data at different sites, which reduces the effectiveness of DoD decision support systems. This paper describes our solution to this problem as it arises in installations of the Joint Maritime Command Information System (JMCIS), an integrated C4I system. Our approach views databases in more classified enclaves as potential replica sites for data from less classified enclaves. Replicated data flows from lower enclaves to higher ones via one-way connections, yielding a high assurance MLS (multilevel secure) distributed system. The one-way connections are the only trusted components. This approach is based on our work on SINTRA (Secure Information Through Replicated Architecture), and applies generally to any collection of systems each running a database at system high. It complements and exploi...
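The replication rule the abstract above describes, as an added example that is not SINTRA's, JMCIS's or the paper's own code: each enclave's database is labelled with a level and a compartment set, and a one-way connection is allowed to push a replica only when the destination label dominates the source label in the usual lattice sense. The enclave names, levels and the compartment "X" are constructed for the example, as is the demo data.

```python
"""Constructed example: an upward-only replication planner for databases that
each run at system high in a separate enclave. Not the paper's own code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments.
    Level numbering and compartment names are assumptions for this example."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at least as high and a superset of compartments.
        return self.level >= other.level and other.compartments <= self.compartments


def flow_permitted(src: Label, dst: Label) -> bool:
    """A one-way connection may carry a replica from src to dst only if dst dominates src."""
    return dst.dominates(src)


def plan_replication(enclaves: Dict[str, Label]) -> List[Tuple[str, str]]:
    """Enumerate every (source, destination) pair a one-way connection may serve."""
    pairs = []
    for s_name, s_label in enclaves.items():
        for d_name, d_label in enclaves.items():
            if s_name != d_name and flow_permitted(s_label, d_label):
                pairs.append((s_name, d_name))
    return sorted(pairs)


def push_replica(enclaves: Dict[str, Label], stores: Dict[str, Dict[str, str]],
                 src: str, dst: str, key: str, value: str) -> bool:
    """Replicate one row from src's database into dst's replica table.
    Returns False and writes nothing when the flow is not upward in the lattice;
    this check is the only trusted step, mirroring the one-way connection's role."""
    if not flow_permitted(enclaves[src], enclaves[dst]):
        return False
    stores[dst][key] = value
    return True


# Constructed enclave labels: 0 = U, 1 = S, 2 = TS; "X" is an assumed compartment.
ENCLAVES: Dict[str, Label] = {
    "U": Label(0),
    "S": Label(1),
    "S_X": Label(1, frozenset({"X"})),
    "TS": Label(2),
}


def demo() -> Tuple[List[Tuple[str, str]], bool, bool, Dict[str, Dict[str, str]]]:
    """Plan all permitted flows, then attempt one permitted and one forbidden push."""
    stores: Dict[str, Dict[str, str]] = {name: {} for name in ENCLAVES}
    plan = plan_replication(ENCLAVES)
    up = push_replica(ENCLAVES, stores, "U", "TS", "track:42", "lat=10,lon=20")
    # TS has no compartment X, so it does not dominate S_X and the push is refused.
    down = push_replica(ENCLAVES, stores, "S_X", "TS", "track:43", "lat=11,lon=21")
    return plan, up, down, stores


if __name__ == "__main__":
    plan, up, down, stores = demo()
    print("permitted flows:", plan)
    print("U->TS:", up, "S_X->TS:", down)
    print("TS replica table:", stores["TS"])
```

Note that the compartmented enclave S_X cannot replicate into TS even though TS has the higher level: dominance requires both the level and the compartment set, which is why the planner, not an ad hoc level comparison, should decide which one-way connections exist.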