Results 1-10 of 13
An Automata-Theoretic Approach to Modular Model Checking
1998
Cited by 22 (0 self)
Abstract: In this paper we consider assume-guarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified by linear temporal logic. We consider guarantees in ∀CTL and ∀CTL*

Distributed Power Allocation for Vehicle Management Systems
Cited by 14 (11 self)
Abstract: We consider the problem of designing distributed control protocols for aircraft vehicle management systems that cooperatively allocate electric power while meeting certain higher level goals and requirements, and dynamically reacting to the changes in the internal system state and external environment. A decentralized control problem is posed where each power distribution unit is equipped with a controller that implements a local protocol to allocate power to a certain subset of loads. We use linear temporal logic as the specification language for describing correct behaviors of the system (e.g., safe operating conditions) as well as the admissible dynamic behavior of the environment due to, for example, wind gusts and changes in system health. We start with a global specification and decompose it into local ones. These decompositions allow the protocols for each local controller to be separately synthesized and locally implemented while guaranteeing the global specifications to hold. Through a design example, we show that by refining the interface rules between power distribution units, it is possible to reduce the total power requirement.

Deductive Verification of Modular Systems
In Compositionality: The Significant Difference
1997
Cited by 13 (3 self)
Abstract: Effective verification methods, both deductive and algorithmic, exist for the verification of global system properties. In this paper, we introduce a formal framework for the modular description and verification of parameterized fair transition systems. The framework allows us to apply existing global verification methods, such as verification rules and diagrams, in a modular setting. Transition systems and transition modules can be described by recursive module expressions, allowing the description of hierarchical systems of unbounded depth. Apart from the usual parallel composition, hiding and renaming operations, our module description language provides constructs to augment and restrict the module interface, capabilities that are essential for recursive descriptions. We present proof rules for property inheritance between modules. Finally, module abstraction and induction allow the verification of recursively defined systems. Our approach is illustrated with a recursively defined arbiter for which we verify mutual exclusion and eventual access.

Robust Satisfaction
1999
Cited by 10 (3 self)
Abstract: In order to check whether an open system satisfies a desired property, we need to check the behavior of the system with respect to an arbitrary environment. In the most general setting, the environment is another open system. Given an open system M and a property ψ, we say that M robustly satisfies ψ iff for every open system M′, which serves as an environment to M, the composition M ∥ M′ satisfies ψ. The problem of robust model checking is then to decide, given M and ψ, whether M robustly satisfies ψ. In this paper we study the robust-model-checking problem. We consider systems modeled by nondeterministic Moore machines, and properties specified by branching temporal logic (for linear temporal logic, robust satisfaction coincides with usual satisfaction). We show that the complexity of the problem is EXPTIME-complete for CTL and the μ-calculus, and is 2EXPTIME-complete for CTL*. We partition branching temporal logic formulas into three classes: universal, existential, and mixed formulas. We show that each class has different sensitivity to the robustness requirement. In particular, unless the formula is mixed, robust model checking can ignore nondeterministic environments. In addition, we show that the problem of classifying a CTL formula into these classes is EXPTIME-complete.

Denotational Semantics of Object Specification
Acta Informatica
1998
Cited by 8 (3 self)
Abstract: From an arbitrary temporal logic institution we show how to set up the corresponding institution of objects. The main properties of the resulting institution are studied and used in establishing a categorial, denotational semantics of several basic constructs of object specification, namely aggregation (parallel composition), interconnection, abstraction (interfacing) and monotonic specialization. A duality is established between the category of theories and the category of objects, as a corollary of the Galois correspondence between these concrete categories. The special case of linear temporal logic is analysed in detail in order to show that categorial products do reflect interleaving and reducts may lead to internal nondeterminism.

Automated Compositional Proofs for Real-Time Systems. Full version with appendices available online from http://www.elet.polimi.it/upload/furia
2005
Cited by 7 (4 self)
Abstract: We present a framework for formally proving that the composition of the behaviors of the different parts of a complex, real-time system ensures a desired global specification of the overall system. The framework is based on a simple compositional rely/guarantee circular inference rule, plus a small set of conditions concerning the integration of the different parts into a whole system. The reference specification language is the TRIO metric linear temporal logic. The novelty of our approach with respect to existing compositional frameworks — most of which do not deal explicitly with real-time requirements — consists mainly in its generality and abstraction from any assumptions about the underlying computational model and from any semantic characterizations of the temporal logic language used in the specification. Moreover, the framework deals equally well with continuous and discrete time. It is supported by a tool, implemented on top of the proof-checker PVS, to perform deduction-based verification through theorem-proving of modular real-time axiom systems. As an example of application, we show the verification of a real-time version of the old-fashioned but still relevant “benchmark” of the dining philosophers problem.

Composing Invariants
2003
Cited by 6 (1 self)
Abstract: We explore the question of the composition of invariance specifications in a context of formal methods applied to concurrent and reactive systems. Depending on how compositionality is stated and how invariants are defined, invariance specifications may or may not be compositional.

A Rely-Guarantee Discipline for Open Distributed Systems Design
Information Processing Letters
1999
Cited by 5 (2 self)
Abstract: A number of authors have studied the design of distributed systems considering the existence of an environment over which little (if any) control is retained. Perhaps the most systematic of these studies suggest the use of rely and guarantee conditions that assert respectively what is assumed from the environment and what the system is committed to insure as long as the assumptions hold, a refinement of the pre- and post-conditions adopted in sequential program design. We propose a new rely-guarantee discipline based on linear time future temporal connectives and show how it can be applied in designing open distributed systems.

Towards Practical Privacy Policy Enforcement
Cited by 1 (0 self)
Abstract: Organizations that use private information typically must provide assurances to regulators that their practices ensure that regulations are met. However, to the extent that they rely on electronic information systems for the management of private information, they really have no basis for providing those assurances. This paper proposes a framework for the design and implementation of information systems that provably enforce privacy policies. The privacy policies we aim to enforce are expressed in first-order temporal logic (FOTL). They capture not only safety, but also liveness requirements, which are essential in privacy policy. For a variety of reasons, prior work in runtime monitoring is of limited use in privacy policy enforcement. Among these reasons are the need to support liveness requirements, a desire to ensure through static verification that runtime policy violations do not occur, and above all, a recognition that users of electronic information systems require meaningful explanations when actions they attempt to initiate are denied. The latter is particularly relevant in the context of privacy policy because the (human) subject of information often needs to consent to having their personal information shared. So when a denial occurs, it may be that the user needs to seek permission from the subject to share his/her information. For all these reasons, our approach requires us to draw on and solve problems in diverse areas of computer science. We inventory open problems that must be solved, several of which we solve here.

Verification of Open Systems
2006
Abstract: In order to check whether an open system satisfies a desired property, we need to check the behavior of the system with respect to an arbitrary environment. In the most general setting, the environment is another open system. Given an open system M and a property ψ, we say that M robustly satisfies ψ iff for every open system M′, which serves as an environment to M, the composition M ∥ M′ satisfies ψ. The problem of robust model checking is then to decide, given M and ψ, whether M robustly satisfies ψ. In essence, robust model checking focuses on reasoning algorithmically about interaction. In this