A Functional Solution for Goal-oriented Policy Refinement
In: Proc. 7th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), 2006
Cited by 1 (0 self)
Abstract: Policy refinement is a key but still unsolved area of policy-based management. Goal-oriented requirements engineering methodologies have been suggested as a prominent alternative to address policy refinement. Practical approaches that capture the administrative requirements and enable systematic policy refinement are still missing, although such integrated solutions are rather convenient to make policy-based management systems really useful. In this paper we present a functional solution for goal-oriented policy refinement grounded in linear temporal logic and reactive systems analysis techniques. We describe the technical foundations and demonstrate how these were used to develop an integrated solution for policy refinement, focusing on the details of the implemented prototype. Our policy analysis techniques that enable systematic policy refinement are demonstrated through a scenario applied to the domain of QoS Management for Differentiated Services (DiffServ) networks.
Interactive Verification of Concurrent Systems using Symbolic Execution
Cited by 1 (1 self)
Abstract: This paper presents an interactive proof method for the verification of temporal properties of concurrent systems based on symbolic execution. Symbolic execution is a well-known and very intuitive strategy for the verification of sequential programs. We have carried over this approach to the interactive verification of arbitrary linear temporal logic properties of (infinite state) parallel programs. The resulting proof method is very intuitive to apply and can be automated to a large extent. It smoothly combines first-order reasoning with reasoning in temporal logic. The proof method has been implemented in the interactive verification environment KIV and has been used in several case studies.
Compositional proofs with symbolic execution
Proceedings of the 5th International Verification Workshop, volume 372 of CEUR Workshop Proceedings, 2008
Cited by 1 (1 self)
Abstract: A proof method is described which combines compositional proofs of interleaved parallel programs with the intuitive and highly automatic strategy of symbolic execution. As logic we use an extended variant of Interval Temporal Logic that allows programs to be formulated directly in the Simple Programming Language (SPL). The notation includes a complex interleaving operator. The interactive proof method we use for temporal properties is symbolic execution with induction. Here, we show how to combine this proof method with an assumption-guarantee approach to decompose proofs for safety properties. We demonstrate the application of this technique with a producer-channel-consumer case study.
Engineering Support for UML Activities by Automated Model-Checking: An Example
Cited by 1 (0 self)
Abstract: In our approach for the engineering of reactive services, we specify systems as collaborations by means of UML 2.0 activities. In automated and correctness-preserving steps, the collaborative models are transformed into executable code. The semantics of the activities are defined using temporal logic. This formal foundation can be utilized to prove that the collaborations fulfill certain general well-formedness properties which can be verified by the model checker TLC. This is quite relevant since communication delays in the interactions between the participants realizing a collaboration aggravate the design of correct collaborative behavior. The well-known state space explosion problem of model checkers is mitigated by using special external state machines which define the interface behavior of sub-activities. The generation of the formal input for TLC from the activities is completely automated, so that the engineers working on the activities do not need to be experts in temporal logic and model checking. In this paper, we describe the utilization of TLC to detect and correct design errors by means of an example.
Model Checking Dynamic UML Consistency
Cited by 1 (0 self)
Abstract: Being the de facto industry standard of software modeling, UML is well accepted and extensively used. However, using different diagrams to model different aspects of a system brings the risk of inconsistency among diagrams. In this paper, we investigate an approach to check the consistency between the sequence diagrams and statechart diagrams using the SPIN model checker. To deal with the hierarchical structure of statechart diagrams, we propose a formalism called Split Automata, a variant of automata, which is helpful to bridge the statechart diagrams to SPIN efficiently. Compared with the existing work on model checking UML, which does not have formal verification for its translation from UML to the model checker, we formally define the semantics and prove that the automatically translated model (i.e. Split Automata) does simulate the UML model. In this way, we can guarantee that the translated models do represent the original models with respect to the checking motivation.
Towards Aspect-Oriented ...
Abstract: UML state machines provide an operational view of the behavior of software systems. However, properties of the execution history of state machines cannot be expressed modularly. This often leads to model elements addressing the same concern scattered all over the machine. We present an initial approach to aspect-oriented state machines, which show considerably better modularity in designs of history-dependent behavior than normal UML state machines.
Modeling And Analysis in Software Engineering
2011
Abstract: One of the languages used in the industrial practice of model-driven development (MDD) is UML-RT. The language is a proper profile of UML 2 and it targets especially the development of embedded systems. In UML-RT, UML-RT State Machines are used to model behavior. This paper presents a technique for a symbolic execution of these machines, which introduces modular treatment of action code. This feature clearly separates the symbolic execution of the state machine itself from the symbolic execution of its action code and thus facilitates support of different action languages. The separation is achieved via a formalization of UML-RT State Machines in which functions are used to represent the result of the symbolic execution of the action code. Key parts of the technique are formalized, an implementation is presented and an example is used to illustrate the symbolic execution itself and how it can be used for different purposes including reachability analysis, invariant checking, output analysis and test case generation. The evaluation of our tool on two case studies is also discussed.

