We show how UML (the industry standard in object-oriented modelling) can be used to express security requirements during system development. Using the extension mechanisms provided by UML, we incorporate standard concepts from formal methods regarding multi-level secure systems and security protocols. These definitions evaluate diagrams of various kinds and indicate possible vulnerabilities.

State Machines" (ASM). 13.4.1 Evolving algebras (abstract state machines) The basic idea of the "evolving algebras" (see, for instance, [Gur93,Gur95]) is perfectly summarized by their name. Essentially an evolving algebra (specification) consists of a description of a (nonlabeled) transition system, whose states are algebras on the same homogeneous signature built over the same universe (including Boolean values). Some of the operation symbols are qualified as "static" and their interpretation is the same in any (algebra which is a) state. The transitions are defined by rules of the following form: econd ) up 1 ; : : : up k where, for each j = 1; : : : ; k, the function update up j has form f j (e j 1 ; : : : ; e j n j ) := e j ; econd, e 1 1 , : : : , e 1 n1 , e 1 , : : : , e k 1 , : : : , e k nk , e k are "descriptions" (any possible mathematically intelligible expressions) of elements of the universe, the first describing a Boolean value, and for j = 1; : : : ; ...

The application of formal techniques can contribute much to the quality of software, which is of utmost importance for safety-critical embedded systems. These techniques, however, are not easy to apply. In particular, methodological guidance is often unsatisfactory. We address this problem by the concept of an agenda. An agenda is a list of activities to be performed for solving a task in software engineering. Agendas used to support the application of formal specification techniques provide detailed guidance for specifiers, templates of the used specification language that only need to be instantiated, and application independent validation criteria. We apply the agenda approach to a particular class of embedded safety-critical systems, the formal specification of which has been investigated in the case-studies of the German Espress project during the last two years. 1 Introduction Every software-based system potentially benefits from the application of formal techniques....

extend the kinds of the elements used in the diagrams, as stereotypes, tagged values and constraints. Moreover the language used for the constraints is not fixed; a particular one, OCL, has been defined but its use is not mandatory and can be replaced by other languages, including also natural language text. Notation UML is only a notation and not a method (see in [AR97] a detailed discussion on the difference between notation/formalism and method); thus it can be used in different ways by different methods, and a method may consider only parts of UML or different parts in different phases of the development process (see, e.g., [Wie98]). The UML documentation makes explicit the first two points; indeed such notes treat each kind of diagrams separately and do not consider their mutual relationships. For example wellformedness conditions and informal semantics do not cover groups of diagrams and just consider single diagrams in isolation. Why a Formal

Methods are needed to help using formal specifications in a practical way. We present a specification method that takes into account both the specification of concurrent activity and the specification of the data types involved. It is applied here to LOTOS specification, but it may be used for other formalisms. Our method is both constraint oriented (for the processes decomposition into parallel subprocesses) and state oriented (for the design of the sequential components). This latter aspect is based on (i) the design of an automaton from the external behaviour description, (ii) the generation of a LOTOS specification associated with this automaton. We illustrate our method through a simple example, a hospital.

this paper, together with their semantics.

. We herein deal with mixed specification formalisms, i.e. formalisms with both a static (data types) and a dynamic (behaviour) part. Our formalism is based on symbolic transition systems (STS) [9], that allow one to specify systems at an abstract level and to avoid state explosion. STS are a kind of guarded finite state/transition diagrams where states and transitions are labelled with open terms. Both dynamic and static parts of objects are specified, in a unifying approach, as formal structures that we call views. These components interpretation structures use STS, and we show how these may be derived from their view structures. The system is structured by means of collections of objects (with identities) . A temporal logic is used to glue the components altogether and expresses a generalized form of synchronous product [1]. We then show how a view structure and its interpretation structure may be obtained. The formalism is explained using a simplified phone service example. Keywor...

The notion of formal description techniques for timed systems (T-FDTs) has been introduced in [EDK98a] to provide a unifying framework for description techniques that are formal and that allow to describe the ongoing behavior of systems. In this paper we show that three well known temporal logics, MTL, MTL- R , and CTL*, can be embedded in this framework. Moreover, we provide evidence that a large number of dioeerent kinds of temporal logics can be considered as T-FDTs.

The aim of this thesis is to provide a specification methodology for reactive and concurrent systems that covers the whole process of designing a system. Starting from a high-level (very abstract) description we want to give the formal tools and guidelines to develop several steps in the refinement process of the specification. We would like to reach, as the final step of that process, an implementation in a "real" programming language as Java.

The goal of the thesis is the definition of a specification environment for Complex Distributed Software Applications. More precisely, the aim is to investigate all the issues connected to the realization of executable specifications for such applications, using new technologies rising in the fields of Logic Programming, Multi--Agent Systems and Distributed Software Engineering. In this context, we want to realize a set of tools that can be used for implementing and testing reliable software prototypes that solve real--world problems. 1 Introduction It is indeed well known that producing software is a hard matter. The need of adequate technologies for the realization of more and more complex programs originates Software Engineering (SE) [Pre94] that can be defined as the discipline for the construction of reliable software applications using solid and well founded techniques. Clearly, a suitable development process for software applications is influenced by the nature of softwa...