Foundations of Attack Trees
International Conference on Information Security and Cryptology – ICISC 2005, LNCS 3935, 2005
Cited by 47 (5 self)
Abstract. Attack trees have found their way to practice because they have proved to be an intuitive aid in threat analysis. Despite, or perhaps thanks to, their apparent simplicity, they have not yet been provided with an unambiguous semantics. We argue that such a formal interpretation is indispensable to precisely understand how attack trees can be manipulated during construction and analysis. We provide a denotational semantics, based on a mapping to attack suites, which abstracts from the internal structure of an attack tree, we study transformations between attack trees, and we study the attribution and projection of an attack tree.
Liveness in Rewriting
In Proc. 14th RTA, LNCS 2706, 2002
Cited by 21 (8 self)
In this paper, we show how the problem of verifying liveness properties is related to termination of term rewrite systems (TRSs). We formalize liveness in the framework of rewriting and present a sound and complete transformation to transform liveness problems into TRSs. Then the transformed TRS terminates if and only if the original liveness property holds. This shows that liveness and termination are essentially equivalent. To apply our approach in practice, we introduce a simpler sound transformation which only satisfies the `only if' part. By refining existing techniques for proving termination of TRSs we show how liveness properties can be verified automatically. As examples, we prove a liveness property of a waiting line protocol for a network of processes and a liveness property of a protocol on a ring of processes.
Closing the gap between runtime complexity and polytime computability
In Proceedings of RTA 2010, volume 6 of LIPIcs, 2010
Cited by 21 (8 self)
Abstract. In earlier work, we have shown that for confluent term rewrite systems, innermost polynomial runtime complexity induces polytime computability of the functions defined. In this paper, we generalise this result to full rewriting. For that, we again exploit graph rewriting. We give a new proof of the adequacy of graph rewriting for full rewriting that allows for a precise control of the resources copied. In sum we completely describe an implementation of rewriting on a Turing machine. We show that the runtime complexity with respect to rewrite systems is polynomially related to the runtime complexity on a Turing machine. Our result strengthens the evidence that the complexity of a rewrite system is truthfully represented through the length of derivations. Moreover our result allows the classification of deterministic as well as nondeterministic polytime computation based on runtime complexity analysis of rewrite systems.
Data-Oblivious Stream Productivity
2008
Cited by 21 (5 self)
We are concerned with demonstrating productivity of specifications of infinite streams of data, based on orthogonal rewrite rules. In general, this property is undecidable, but for restricted formats computable sufficient conditions can be obtained. The usual analysis, also adopted here, disregards the identity of data, thus leading to approaches that we call data-oblivious. We present a method that is provably optimal among all such data-oblivious approaches. This means that in order to improve on our algorithm one has to proceed in a data-aware fashion.
A Tool for Writing and Debugging Algebraic Specifications
Proceedings of the 26th International Conference on Software Engineering (ICSE 2004), IEEE Computer Society Press, 2004
Cited by 20 (2 self)
Despite their benefits, programmers rarely use formal specifications, because they are difficult to write and they require an up-front investment in time. To address these issues, we present a tool that helps programmers write and debug algebraic specifications. Given an algebraic specification, our tool instantiates a prototype that can be used just like any regular Java class. The tool can also modify an existing application to use the prototype generated by the interpreter instead of a hand-coded implementation. The tool improves the usability of algebraic specifications in the following ways: (i) A programmer can “run” an algebraic specification to study its behavior. The tool reports in which way a specification is incomplete for a client application. (ii) The tool can check whether a specification and a hand-coded implementation behave the same for a particular run of a client application. (iii) A prototype can be used when a hand-coded implementation is not yet available. Two case studies demonstrate how to use the tool.
Productivity of Stream Definitions
2008
Cited by 20 (4 self)
We give an algorithm for deciding productivity of a large and natural class of recursive stream definitions. A stream definition is called ‘productive’ if it can be evaluated continually in such a way that a uniquely determined stream in constructor normal form is obtained as the limit. Whereas productivity is undecidable for stream definitions in general, we show that it can be decided for ‘pure’ stream definitions. For every pure stream definition the process of its evaluation can be modelled by the dataflow of abstract stream elements, called ‘pebbles’, in a finite ‘pebbleflow net(work)’. And the production of a pebbleflow net associated with a pure stream definition, that is, the amount of pebbles the net is able to produce at its output port, can be calculated by reducing nets to trivial nets.
Complexity Analysis of Term Rewriting Based on Matrix and Context Dependent Interpretations
2008
Cited by 16 (5 self)
For a given (terminating) term rewriting system one can often estimate its derivational complexity indirectly by looking at the proof method that established termination. In this spirit we investigate two instances of the interpretation method: matrix interpretations and context dependent interpretations. We introduce a subclass of matrix interpretations, denoted as triangular matrix interpretations, which induce polynomial derivational complexity and establish tight correspondence results between a subclass of context dependent interpretations and restricted triangular matrix interpretations. The thus obtained new results are easy to implement and considerably extend the analytic power of existing results. We provide ample numerical data for assessing the viability of the method.
Complexity analysis by rewriting
Cited by 13 (5 self)
Abstract. In this paper we introduce a restrictive version of the multiset path order, called polynomial path order. This recursive path order induces polynomial bounds on the maximal number of innermost rewrite steps. This result opens the way to automatically verify for a given program, written in an eager functional programming language, that the maximal number of evaluation steps starting from any function call is polynomial in the input size. To test the feasibility of our approach we have implemented this technique and compare its applicability to existing methods.