Abstract. We perform host-based intrusion detection by constructing a model from a program’s binary code and then restricting the program’s execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new dataflow analysis algorithm for context-sensitive recovery of static data. The environment—configuration files, command-line parameters, and environment variables—constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution. Our new static data-flow analysis associates a program’s data flows with specific calling contexts that use the data. We use this analysis to differentiate systemcall arguments flowing from distinct call sites in the program. Using a new average reachability measure suitable for evaluation of call-stackbased program models, we demonstrate that our techniques improve the precision of several test programs ’ models from 76 % to 100%.

Fault-tolerance and timing have often been considered to be implementation issues of a program, quite distinct from the functional safety and liveness properties. Recent work has shown how these non-functional and functional properties can be verified in a similar way. However, the more practical question of determining whether a real-time program will meet its deadlines, i.e. showing that there is a feasible schedule, is usually done using scheduling theory, quite separately from the verification of other properties of the program. This makes it hard to use the results of scheduling analysis in the design, or re-design, of fault-tolerant, real-time programs. This paper shows how fault-tolerance, timing and schedulability can be specified and verified using a single notation and model. This allows a unified view to be taken of the functional and non-functional properties of programs and a simple transformational method to be used to combine these properties. It also permits results fro...

this paper we describe TLA from a logical perspective; our description of TLA has three aspects: 1. As a logic, TLA has a precise syntax and semantics. We define these in the next section. Our intent is not to develop a new TLA, but rather to explain and to refine Lamport's definition of TLA [19]. 2. Like HOL [13] and other logics, TLA can serve for representing reactive systems in several styles. In particular, a specification may describe concurrent steps as interleaved or simultaneous; communication between components may be synchronous or asynchronous. We discuss a few styles in section 3. 3. Proofs in TLA rely on basic rules of temporal logic, rules for refinement, and rules for composition. We state the principal rules in sections 4 and 5. Following [7, 8], we show that some of them arise from general logical (or algebraic) considerations, largely independent of the details of TLA This paper is a self-contained presentation of TLA. It is however not a survey, in that it includes technical novelties and in that it is far from comprehensive. Lamport's original work on TLA [19] provides much additional, useful material, and in particular some motivation for the TLA approach and a proof system for TLA. Other papers discuss mechanical verification in TLA [11, 16], refinement and composition [6, 4], real-time systems and hybrid systems [5, 18, 12], and medium-size examples [20]. There are also works on PTLA [1, 29], a propositional logic based on a preliminary version of TLA. Finally, the logic TLR has many similarities with TLA [28]. 2 Mart'in Abadi and Stephan Merz 2 A Definition of TLA

A real-time program can be developed by refining a specification into program code. Verification of the timing properties of the program is then usually done at two levels: verification of the ordering of timed actions in the program and proof that execution of the program on a specific system will meet its timing requirements. Refinement is done within a formal model but the second step requires a different framework in which scheduling theory analysis is used and actual program execution times can be taken into account. The implementation of a program on a system is said to be feasible or schedulable if it will meet all the timing deadlines. This paper shows how the feasibility of scheduling a real-time program can also be proved as a step in the refinement of the program from its specification. Verification of this step of refinement makes use of methods from scheduling theory within a formal system development framework. Keywords: real-time program; specification; refinement; fea...

ions for sessions as objects. Abstractions for patterns of sessions. 2. Abstractions for synchronizing between sessions. We will extend the abstractions and theory of concurrent threads sharing an address space to concurrent sessions sharing an internet or intranet. Past research has developed constructs for thread creation, waiting, notify, suspension, and resumption; this deliverable will be a set of constructs for session creation and termination, one session waiting for other sessions, session supension and resumption, and so on. 3. Version of prototype that includes initiator control of sessions and use of Web technology for finding objects and declaring object interfaces. Graphical user interfaces for defining initial session topology. 4. Release of a prototype collaborative problem-solving environment and games applications. 5. Evaluation by problem-solving environment consortium dealing with a specific application such as air quality monitoring and modeling in Southern Californ...

This paper shows how the feasibility of scheduling a real-time program consisting of a number of parallel processes (tasks) can be proved as a step in the refinement of the program from its specification. Verification of this step of refinement makes formal use of methods and results from real-time scheduling theory. Keywords: real-time program; specification; refinement; schedulability; feasibility. 1 Introduction A typical real-time program is required to respond to external events within specified time bounds and so it must be executed on a system that is sufficiently fast. In general, external events may occur at a rate which results in more than one process of the program being simultaneously under execution; if, at any time, there are fewer processors in the system than active processes, scheduling decisions must be taken to allocate processors to processes. Schedulability is the condition under which a scheduler can execute a real-time program on a system and meet its deadlin...

Republic of China and Portugal through a contribution to the UNU Endownment Fund. As well as providing twothirds of the endownment fund, the Macau authorities also supply UNU-IIST with its office premises and furniture and subsidise fellow accommodation. The mission of UNU-IIST is to assist developing countries in the application and development of software technology. UNU-IIST contributes through its programmatic activities: 1. Advanced development projects, in which software techniques supported by tools are applied, 2. Research projects, in which new techniques for software development are investigated, 3. Curriculum development projects, in which courses of software technology for universities in developing countries are developed, 4. University development projects, which complement the curriculum development projects by aiming to strengthen all aspects of computer science teaching in universities in developing countries, 5. Schools and Courses, which typically teach advanced software development techniques, 6. Events, in which conferences and workshops are organised or supported by UNU-IIST, and 7. Dissemination, in which UNU-IIST regularly distributes to developing countries information on international progress of software technology.