Composing Specifications
ACM Transactions on Programming Languages and Systems, 1993
An Old-Fashioned Recipe for Real Time
1993
Cited by 228 (13 self)
Abstract
This paper appeared in ACM Transactions on Programming Languages and Systems 16, 5 (September 1994), 1543-1571. The appendix was published electronically by the ACM. Contents
Recognizing Safety and Liveness
Distributed Computing, 1986
Cited by 223 (6 self)
Abstract
This paper substantiates that experience by formalizing safety and liveness in a way that permits the relationship between safety and invariance and between liveness and well-foundedness to be demonstrated for a large class of properties. In so doing, we give new characterizations of safety and liveness and prove that they satisfy the formal definitions in [Alpern & Schneider 85a].
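The two correspondences the abstract states, safety as an invariant over the reachable states and liveness as a well-founded ranking, worked through on a small finite-state program. This is an added example, not code from the paper: the countdown program, the invariant `x >= 0`, the goal `pc == "done"` and the ranking function are all constructed for illustration.

```python
"""Safety as invariance, liveness as well-foundedness, checked on a small
finite-state program. Constructed example; the countdown program, the
invariant and the ranking function are assumptions made for illustration."""
from collections import deque
from typing import Callable, Dict, Iterable, List, Optional, Tuple

State = Tuple[str, int]                 # (program counter, variable x)
Step = Callable[[State], Iterable[State]]


def reachable(init: State, step: Step) -> Dict[State, Optional[State]]:
    """Breadth-first exploration. Maps each reachable state to its BFS parent
    (None for init), so a shortest path to any state can be rebuilt."""
    parents: Dict[State, Optional[State]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for t in step(s):
            if t not in parents:
                parents[t] = s
                queue.append(t)
    return parents


def check_safety(init: State, step: Step,
                 invariant: Callable[[State], bool]) -> Optional[List[State]]:
    """A safety property is refuted by a finite prefix: return the shortest
    execution prefix whose last state breaks the invariant, or None when the
    invariant holds in every reachable state."""
    parents = reachable(init, step)
    for s in parents:                   # dict keeps BFS order, so first hit is shortest
        if not invariant(s):
            prefix: List[State] = []
            cur: Optional[State] = s
            while cur is not None:
                prefix.append(cur)
                cur = parents[cur]
            return prefix[::-1]
    return None


def check_liveness(init: State, step: Step, goal: Callable[[State], bool],
                   rank: Callable[[State], int]) -> bool:
    """'Eventually goal' via well-foundedness: every reachable non-goal state has
    a successor, and rank maps states into the naturals and strictly decreases
    on every transition out of a non-goal state. The rank can then fall only
    finitely often, so no execution avoids goal forever."""
    for s in reachable(init, step):
        if goal(s):
            continue
        succs = list(step(s))
        if not succs or rank(s) < 0:
            return False
        if any(not (0 <= rank(t) < rank(s)) for t in succs):
            return False
    return True


# Constructed program: decrement x nondeterministically by 1 or 2, then stop.
def buggy_step(s: State) -> Iterable[State]:
    pc, x = s
    if pc == "loop":
        if x > 0:
            yield ("loop", x - 1)
            yield ("loop", x - 2)       # may overshoot into negative x
        else:
            yield ("done", x)

def fixed_step(s: State) -> Iterable[State]:
    pc, x = s
    if pc == "loop":
        if x > 0:
            yield ("loop", x - 1)
            yield ("loop", max(x - 2, 0))   # clamped: x never goes negative
        else:
            yield ("done", x)

def stuttering_step(s: State) -> Iterable[State]:
    """fixed_step plus a self-loop: an execution may stutter forever, so the
    liveness property fails, yet no finite prefix of such a run is ever 'bad'."""
    yield from fixed_step(s)
    if s[0] == "loop":
        yield s

def nonnegative(s: State) -> bool:
    return s[1] >= 0

def is_done(s: State) -> bool:
    return s[0] == "done"

def countdown_rank(s: State) -> int:
    pc, x = s
    return x + (1 if pc == "loop" else 0)


if __name__ == "__main__":
    init = ("loop", 3)
    print("buggy, shortest bad prefix:", check_safety(init, buggy_step, nonnegative))
    print("fixed, invariant holds:", check_safety(init, fixed_step, nonnegative) is None)
    print("fixed, terminates:", check_liveness(init, fixed_step, is_done, countdown_rank))
    print("stuttering, terminates:", check_liveness(init, stuttering_step, is_done, countdown_rank))
```

The stuttering variant is the instructive case: `check_safety` finds nothing wrong with it, because every finite prefix of the stuttering run can still be extended to a terminating one, while `check_liveness` rejects it because no ranking into the naturals can strictly decrease across a self-loop. That is the asymmetry the abstract formalizes: a safety violation is witnessed by a finite prefix, a liveness violation only by a whole infinite run.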
A general theory of composition for trace sets closed under selective interleaving functions
In Proc. IEEE Symposium on Research in Security and Privacy, 1994
All from one, one for all: on model checking using representatives
LNCS, 1993
Cited by 184 (6 self)
Abstract
Checking that a given finite-state program satisfies a linear temporal logic property suffers in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces, such that for each equivalence class either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than to the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow a coarser equivalence relation among sequences, such that fewer representatives are needed.
Forward and Backward Simulations Part I: Untimed Systems
Information and Computation, 1995
Cited by 151 (18 self)
Abstract
A unified, comprehensive presentation of simulation techniques for verification of concurrent systems is given, in terms of a simple untimed automaton model. In particular, (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations are defined. History and prophecy relations are abstract versions of the history and prophecy variables of Abadi and Lamport, as well as the auxiliary variables of Owicki and Gries. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. Finally, it is shown how invariants can be incorporated into all the simulations. Even though many results are presented here for the first time, this paper can also be read as a survey (in a simple setting) of the research literature on simulation techniques. The development for untimed automata is designed to support a similar development for timed automata...
Modular Event-Based Systems
The Knowledge Engineering Review, 2006
Cited by 147 (11 self)
Abstract
Event-based systems are developed and used to integrate components in loosely coupled systems. Research and product development focused so far on efficiency issues but neglected methodological support to build such systems. In this article, the modular design and implementation of an event system is presented which supports scopes and event mappings, two new and powerful structuring methods that facilitate engineering and coordination of components in event-based systems. We give a
Edit automata: Enforcement mechanisms for runtime security policies
International Journal of Information Security, 2005
Cited by 142 (7 self)
Abstract
We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: They may terminate the application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream. After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce and we provide examples of policies that can be enforced by one sort of automaton but not another.
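The three transformational powers the abstract lists (truncation, suppression, insertion), applied to constructed action streams. This is an added example, not the paper's formalization: the action names (`read_secret`, `send`, `take:<item>`, `pay:<item>`), both policies and the sample traces are assumptions. The first policy is a safety property enforced once by a truncation automaton and once by a suppression automaton so the two outputs can be compared; the second is a policy that suppression plus insertion can enforce but truncation alone cannot.

```python
"""Edit automata as runtime monitors. Constructed example; the action names
and the two policies are assumptions for illustration, not the paper's code.

A transition returns (next_state, emitted_actions, halt):
  pass-through  emitted == [action]
  suppression   emitted == []            (the program keeps running)
  insertion     emitted carries extra actions
  truncation    halt is True             (the action stream ends here)
"""
from typing import Callable, Iterable, List, Optional, Tuple

Action = str
StepResult = Tuple[object, List[Action], bool]
Delta = Callable[[object, Action], StepResult]


class EditAutomaton:
    def __init__(self, delta: Delta, start: object,
                 at_end: Optional[Callable[[object], List[Action]]] = None) -> None:
        self.delta = delta            # transition function over (state, action)
        self.start = start
        self.at_end = at_end          # actions inserted when the input stream ends

    def enforce(self, actions: Iterable[Action]) -> List[Action]:
        """Run the monitor over the program's action stream; return the edited
        stream that actually reaches the system."""
        state, out = self.start, []
        for a in actions:
            state, emitted, halt = self.delta(state, a)
            out.extend(emitted)
            if halt:
                return out            # truncation: everything after this point is dropped
        if self.at_end is not None:
            out.extend(self.at_end(state))
        return out


# Policy 1 (a safety property): no "send" after "read_secret". Enforced two ways.
def truncate_send_after_secret(q: object, a: Action) -> StepResult:
    if a == "read_secret":
        return "tainted", [a], False
    if a == "send" and q == "tainted":
        return q, [], True            # truncation automaton: halt at the violation
    return q, [a], False


def suppress_send_after_secret(q: object, a: Action) -> StepResult:
    if a == "read_secret":
        return "tainted", [a], False
    if a == "send" and q == "tainted":
        return q, [], False           # suppression automaton: drop only the send
    return q, [a], False


# Policy 2: every "take:<item>" must be matched by a "pay:<item>". A truncation
# automaton cannot enforce this: letting the take through is a violation if no
# pay ever follows, and halting at every take kills every honest customer too.
# An edit automaton suppresses the take, remembers the debt, and re-inserts the
# take once the matching pay shows up.
def market(pending: Tuple[str, ...], a: Action) -> StepResult:
    kind, _, item = a.partition(":")
    if kind == "take":
        return pending + (item,), [], False                    # suppress, record debt
    if kind == "pay" and item in pending:
        i = pending.index(item)
        rest = pending[:i] + pending[i + 1:]
        return rest, [f"take:{item}", f"pay:{item}"], False    # insert take, then pay
    return pending, [a], False        # unrelated action, or pay with no take: pass through


def market_at_end(pending: Tuple[str, ...]) -> List[Action]:
    return []                         # unpaid takes are never released to the system


# Constructed action streams.
SECRET_TRACE = ["open", "read_secret", "send", "write_log", "send", "close"]
SHOP_TRACE = ["take:apple", "browse", "take:pear", "pay:pear", "pay:kiwi", "leave"]

if __name__ == "__main__":
    print(EditAutomaton(truncate_send_after_secret, "clean").enforce(SECRET_TRACE))
    print(EditAutomaton(suppress_send_after_secret, "clean").enforce(SECRET_TRACE))
    print(EditAutomaton(market, (), market_at_end).enforce(SHOP_TRACE))
```

On `SECRET_TRACE` the truncation automaton stops at the first offending `send` and the benign `write_log` and `close` never happen, while the suppression automaton lets them through and drops only the two sends. On `SHOP_TRACE` the unpaid `take:apple` is silently withheld for the whole run and `take:pear` appears in the output only at the moment `pay:pear` arrives; a monitor limited to truncation has no equivalent move, which is the kind of separation between automaton classes the abstract refers to.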