Abstract. The B method is a well known approach to the formal specification and development of sequential computer programs. Inspired by action systems, the B method has evolved to incorporate system modelling and distributed system development. This extension is called Event-B. Even though several of the structuring mechanisms of the original B method are absent from Event-B, the desire to define and maintain structured data persists. We propose the introduction of records to Event-B for this purpose. Our approach upholds the refinement principles of Event-B by allowing the stepwise development of records too. 1

Model Driven Architecture (MDA) gains increasing acceptance in software engineering community. MDA promotes system development by gradual transformation of system models expressed in Unified Modelling Language (UML). UML modelling facilitates better understanding of system requirements, but it is yet insufficient for guaranteeing overall correctness of the final product. In this paper we propose an approach to formalizing model-driven development in the B Method. The B Method is a top-down approach to the development of systems correct by construction. We show how the proposed approach facilitates structuring complex system requirements, requirements changes and traceability, integration of emergent requirements and navigation through the overall design space. To validate the proposed approach we conduct a case study – development of Ad hoc On-Demand Distant Vector routing protocol.

Inconsistencies in various data structures, such as missing log records and modified operating system files, have long been used by intrusion investigators and forensic analysts as indicators of suspicious activity. This paper describes a rigorous methodology for developing such inconsistency checks and verifying their correctness. It is based on the use of the B Method – a formal method of software development. The idea of the methodology is to (1) formulate a state-machine model of the (sub)system in which inconsistencies are being detected, (2) formulate consistency criteria for the state of that model, (3) rigorously verify correctness of these criteria using the B Method, and (4) automatically search evidential data for violations of the formulated consistency criteria using ConAlyzer utility developed for this purpose. The methodology is illustrated on an FTP server example. Automated checking for inconsistencies in evidential data Much of advanced digital forensics comes from observations of how the operating

This paper develops a case study using the process algebra CSP to enable controlled interaction between B machines. This illustrates how B machines are essential components within a combined communicating system. The development steps used to build the case study are new; they are applications of theoretical results which allow us to focus on the external interface of a combined communicating system, compositionally verify it, and show that it is a refinement of a more abstract specification described in CSP. This allows safety and liveness properties to be established for combinations of communicating B machines.

The more obvious and well known drawbacks of using refinement as the sole means of progressing from an abstract model to a concrete implementation are reviewed. Retrenchment is presented in a simple partial correctness framework as a more flexible development concept for formally capturing the early otherwise preformal stages of development, and briefly justified. Given both a retrenchment of an abstract model, and a refinement of the same model, the problem of finding a model that is both a refinement of the retrenchment and a retrenchment of the refinement, is examined. A construction is given that solves the problem in a universal manner, giving the most abstract reconciliation of the two. The universality amounts to the fact that any similar reconciliation of the original retrenchment and refinement is refinable from the universal one, factoring through it.

Abstract. Event-B [15] is a formal modeling method intended to support refinement, an initial system description at a high level of abstraction with detail added in successive understandable steps. The refinement process may be carried to its logical conclusion, specification of all detail needed to define an executable in a high-level language, and automatic generation of source code from the model via a suitable tool. The introduction of the RODIN [20] tool-set allows such extensions to be provided by third-party developers [3], and translation of Event-B to the C [12] programming language has always been intended [2]. This paper discusses the requirements of such a tool, introduces the B2C extension to RODIN that has been developed to meet these needs, and describes its use on a practical example. 1.

Abstract. A Virtual Machine (VM) is a program running on a conventional microprocessor that emulates the binary instruction set, registers, and memory space of an idealized computing machine: a well-known example being the Java Virtual Machine (JVM). Despite there being many binary instruction set architectures (ISA) in existence, all share a set of core properties which have been tailored to their particular applications. An abstract model may capture these generic properties and be subsequently refined to a particular machine, providing a reusable template for development of formally proven ISAs: this is a task to which the EventB [16,18] notation is well suited. This paper describes a project to use the RODIN tool-set [24] to perform such a process, ultimately producing the MIDAS (Microprocessor Instruction and Data Abstraction System) VM, capable of running binary executables compiled from high-level languages such as C [9]. The abstract model is incrementally refined to a model capable of automatic translation to C source code, and compilation for a hardware platform using a standard compiler. A second C compiler, targeted to the VM itself, allows C programs to be executed on it. 1

Abstract. It is believed that reusability in formal development should reduce the time and cost of formal modelling within a production environment. Along with the ability to reuse formal models, it is desirable to avoid unnecessary re-proof when reusing models. Event-B is a formal method that allows modelling and refinement of systems. Event-B supports generic developments through the context construct. Nevertheless Event-B lacks the ability to instantiate and reuse generic developments in other formal developments. We propose a way of instantiating generic models and extending the instantiation to a chain of refinements. We define sufficient proof obligations to ensure that the proofs associated to a generic development remain valid in an instantiated development thus avoiding re-proofs. Key words: formal methods, event-B, reusability, generic instantiation 1

Abstract. It is not surprising that students are unconvinced about the benefits of formal methods if we do not show them how these methods can be integrated with other activities in the software lifecycle. In this paper, we describe an approach to integrating formal specification with more traditional verification and validation techniques in a course that teaches formal specification and specification-based testing. This is accomplished through a series of assignments on a single software component that involves specifying the component in Object-Z, validating that specification using inspection and a specification animation tool, and then testing an implementation of the specification using test cases derived from the formal specification. 1

Model-driven development has gained increasing acceptance in the engineering community. Via abstraction and gradual model transformation, it offers an efficient way to cope with complexity of modern software-intensive systems, typical examples of which are distributed telecommunicating systems and communication protocols. However, variety of models representing the system structure and behaviour from different viewpoints and at different levels of abstraction raise the question of model consistency and their adherence to the predefined architectural rules. In this paper we formalize a development flow of distributed telecommunicating systems and communication protocols as an architectural profile in UML. We specify and formally verify this profile. The profile allows us to check adherence of models to the predefined architectural rules. Furthermore, by formalizing and verifying intra- and interconsistency rules, we ensure that the models do not contradict to each other. We use the B Method as our formal framework. The presented work establishes a basis for automating model-driven development of telecommunicating systems and communication protocols.