Interpreting Message Flow Graphs
Formal Aspects of Computing, 1995
Cited by 43 (9 self)
We give a semantics for Message Flow Graphs (MFGs), which play the role for interprocess communication that Program Dependence Graphs play for control flow in parallel processes. MFGs have been used to analyse parallel code, and are closely related to Message Sequence Charts and Time Sequence Diagrams in telecommunications systems. Our requirements are firstly, to determine unambiguously exactly what execution traces are specified by an MFG, and secondly, to use a finite-state interpretation. Our methods function for both asynchronous and synchronous communications. From a set of MFGs, we define a transition system of global states, and from that a Büchi automaton by considering safety and liveness properties of the system. In order easily to describe liveness properties, we interpret the traces of the transition system as a model of Manna-Pnueli temporal logic. Finally, we describe the expressive power of MFGs by mimicking an arbitrary Büchi automaton by means of a set of MFGs.
Fluent Model Checking for Event-based Systems
In Proceedings of FSE, 2003
Cited by 43 (6 self)
Model checking is an automated technique for verifying that a system satisfies a set of required properties. Such properties are typically expressed as temporal logic formulas, in which atomic propositions are predicates over state variables of the system. In event-based system descriptions, states are not characterized by state variables, but rather by the behavior that originates in these states in terms of actions. In this context, it is natural for temporal formulas to be built from atomic propositions that are predicates on the occurrence of actions. The paper identifies limitations in this approach and introduces "fluent" propositions that permit formulas to naturally express properties that combine state and action. A fluent is a property of the world that holds after it is initiated by an action and ceases to hold when terminated by another action. The paper describes an approach to model checking fluent-based linear-temporal logic properties, with its implementation and application in the LTSA tool.
Access control by tracking shallow execution history
In Proceedings of the 2004 IEEE Symposium on Security and Privacy, 2004
Cited by 41 (9 self)
Software execution environments like operating systems, mobile code platforms and scriptable applications must protect themselves against potential damages caused by malicious code. Monitoring the execution history of the latter provides an effective means for controlling the access pattern of system services. Several authors have recently proposed increasingly general automata models for characterizing various classes of security policies enforceable by execution monitoring. An open question raised by Bauer, Ligatti and Walker is whether one can further classify the space of security policies by constraining the capabilities of the execution monitor. This paper presents a novel information-based approach to address the research problem. Specifically, security policies are characterized by the information consumed by an enforcing execution monitor. By restricting the execution monitor to track only a shallow history of previously granted access events, a precise characterization of a class of security policies enforceable by restricted access of information is identified. Although provably less expressive than the general class of policies enforceable by execution monitoring, this class does contain naturally occurring policies including the Chinese Wall policy, the low-water-mark policy, one-out-of-k authorization, assured pipelines, etc. Encouraged by this success, the technique is generalized to produce a lattice of policy classes. Within the lattice, policy classes are ordered by the information required for enforcing member policies. Such a fine-grained policy classification lays the semantic foundation for future studies on special-purpose policy languages.
More Enforceable Security Policies
In Foundations of Computer Security, 2002
Cited by 39 (6 self)
We analyze the space of security policies that can be enforced by monitoring programs at runtime. Our program monitors are automata that examine the sequence of program actions and transform the sequence when it deviates from the specified policy. The simplest such automaton truncates the action sequence by terminating a program. Such automata are commonly known as security automata, and they enforce Schneider's EM class of security policies. We define automata with more powerful transformational abilities, including the ability to insert a sequence of actions into the event stream and to suppress actions in the event stream without terminating the program. We give a set-theoretic characterization of the policies these new automata are able to enforce and show that they are a superset of the EM policies.
Safety for Branching Time Semantics
1991
Cited by 36 (3 self)
We study in a first part of this paper safety and liveness properties for any given program semantics. We give a topological definition of these properties using a safety preorder. Then, we consider the case of branching time semantics where a program is modeled by a set of infinite computation trees modulo bisimulation. We propose and study a safety preorder for this semantics based on simulation and dealing with silent actions. We focus on regular safety properties and characterize them by both tree-automata and formulas of a branching time logic. We show that verifying safety properties on trees reduces to simulation testing. 1 Introduction The properties of parallel systems may be classified according to the type of behaviors they describe. Several classes of properties are distinguished such as safety, liveness, fairness, termination or recurrence properties. Such a classification allows structuring a program specification into several components; each of these components may be ...
Model Checking Genetic Regulatory Networks using GNA and CADP
In: Proceedings of the 11th International SPIN Workshop on Model Checking of Software, SPIN'2004, 2004
Cited by 29 (5 self)
Reasoning about Agents in Goal-Oriented Requirements Engineering
2001
Cited by 23 (7 self)
The thesis proposes a number of techniques for elaborating requirements constructively from high-level goals. The techniques are based on the KAOS goal-oriented method for requirements engineering. This method consists in identifying goals and refining them into subgoals until the latter can be assigned as responsibilities of single agents such as humans, devices and software. Domain properties and assumptions about the software environment are also used during the goal refinement process. The method supports the exploration of alternative goal refinements and alternative responsibility assignments of goals to agents. It also supports the identification and resolution of conflicts between goals, and the identification and resolution of exceptional agent behaviors, called obstacles, that violate goals and assumptions produced during the goal refinement process.
The thesis enriches the KAOS framework through three kinds of techniques:
(a) techniques for identifying agents, goal refinements, and alternative responsibility assignments, and for deriving agent interfaces from such responsibility assignments;
(b) techniques for deriving operational requirements from goal specifications;
(c) techniques for generating obstacles to the satisfaction of idealized goals and assumptions, and for generating alternative obstacle resolutions.
The result is a coherent body of systematic techniques for requirements elaboration that are both theoretically well-founded (a formal model of agent is defined) and effective in practice (the techniques are validated on two real case studies of significant size: the London ambulance despatching system, and the Bay Area Rapid Transit train system).
A CSP Approach To Action Systems
1992
Cited by 21 (6 self)
The communicating sequential processes (CSP) formalism, introduced by Hoare [Hoa85], is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio [BKS83], is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan [Mor90a] has defined a correspondence between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of [Mor90a], Woodcock & Morgan [WM90] have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite-traces model [Ros88] in order to deal more properly with unbounded nondeterminism. It is shown that simulation is sound in the infinite-traces model, though completeness is lost in certain cases. The new correspondence is then extended to include a notion of internal action. This allows the ...
What Do Message Sequence Charts Mean?
1993
Cited by 20 (3 self)
We propose a semantics for Message Sequence Charts (MSCs). Our requirements are: to determine unambiguously which execution traces are allowed by an MSC; and to use a finite-state interpretation. Our semantics handles both synchronous and asynchronous communication. We define a global state automaton from an MSC, by first defining a transition system of global states, and from that a Büchi automaton. In using MSCs, properties of the environment and liveness properties of the MSC itself may be underspecified. We propose a method using temporal logic formulas to specify the required liveness properties. Keyword Codes: F.3.2; D.2.1; 2. Keywords: Semantics of Programming Languages; Requirements/Specifications; Protocol specification, testing and verification. 1. INTRODUCTION The purpose of this paper is to propose a precise semantics for Message Sequence Charts (MSCs) [16]. Our interpretation also suffices to give a semantics for Time Sequence Diagrams [34]. We explain our semantics...
On Complementing Nondeterministic Büchi Automata
2003
Cited by 17 (6 self)
Several optimal algorithms have been proposed for the complementation of nondeterministic Büchi word automata. Due to the intricacy of the problem and the exponential blow-up that complementation involves, these algorithms have never been used in practice, even though an effective complementation construction would be of significant practical value. Recently, Kupferman and Vardi described a complementation algorithm that goes through weak alternating automata and that seems simpler than previous algorithms. We combine their algorithm with known and new minimization techniques. Our approach is based on optimizations of both the intermediate weak alternating automaton and the final nondeterministic automaton, and involves techniques of rank and height reductions, as well as direct and fair simulation.