Specifications and proofs for Ensemble Layers
TACAS '99, 1999
Cited by 52 (10 self)
Abstract
Ensemble is a widely used group communication system that supports distributed programming by providing precise guarantees for synchronization, message ordering, and message delivery. Ensemble eases the task of distributed application programming, but as a result, ensuring the correctness of Ensemble itself is a difficult problem. In this paper we use I/O automata for formalizing, specifying, and verifying the Ensemble implementation. We focus specifically on message total ordering, a property that is commonly used to guarantee consistency within a process group. The systematic verification of this protocol led to the discovery of an error in the implementation.
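The property verified above, message total ordering, can also be checked offline against a delivery trace. The following is an added example, not code from the paper or from Ensemble: it assumes a trace format of per-process lists of message ids in delivery order (the sample traces are constructed), reports pairs of processes that deliver two common messages in different orders, and adds a stronger prefix check that is an assumption of this example rather than a property named in the abstract.

```python
"""Offline trace checker for the message total-ordering property that a
group communication layer such as Ensemble guarantees.  Added example,
not code from the paper or from Ensemble; the trace format (per-process
lists of message ids, in delivery order) is an assumption."""
from itertools import combinations

# Constructed sample traces (not real Ensemble output).
CONSISTENT_TRACE = {
    "p1": ["m1", "m2", "m3"],
    "p2": ["m1", "m2", "m3"],
    "p3": ["m1", "m2"],           # lagging behind, but in the same order
}
INCONSISTENT_TRACE = {
    "p1": ["m1", "m2", "m3"],
    "p2": ["m1", "m3", "m2"],     # m3 delivered before m2: order violated
}


def check_total_order(trace):
    """Return a list of violations; an empty list means the trace satisfies
    total order.  The property: any two processes that both deliver messages
    a and b deliver them in the same relative order.  Duplicate deliveries
    are reported too, since a position map cannot represent them."""
    violations = []
    pos = {}
    for p, seq in trace.items():
        if len(set(seq)) != len(seq):
            violations.append(f"{p}: duplicate delivery")
        pos[p] = {m: i for i, m in enumerate(seq)}
    for p, q in combinations(sorted(trace), 2):
        common = sorted(set(pos[p]) & set(pos[q]))
        for a, b in combinations(common, 2):
            if (pos[p][a] < pos[p][b]) != (pos[q][a] < pos[q][b]):
                violations.append(f"{p} and {q} disagree on the order of {a} and {b}")
    return violations


def check_prefix_consistency(trace):
    """Stronger check for a closed group: every process's delivery sequence
    must be a prefix of the longest one (an assumption of this example; the
    abstract only names total ordering).  Returns the processes whose
    sequence is not such a prefix."""
    longest = max(trace.values(), key=len)
    return [p for p, seq in trace.items() if longest[:len(seq)] != seq]


if __name__ == "__main__":
    for name, trace in [("consistent", CONSISTENT_TRACE),
                        ("inconsistent", INCONSISTENT_TRACE)]:
        print(name, check_total_order(trace) or "ok",
              check_prefix_consistency(trace) or "ok")
```

The pairwise check is the total-order safety property itself; the prefix check catches a different class of bug (a process skipping a message that others delivered) that pairwise ordering alone does not detect when only one message is common to two processes.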
An object-oriented approach to verifying group communication systems
1998
Cited by 11 (2 self)
Abstract
Group communication systems assist the development of fault-tolerant distributed algorithms by providing precise guarantees on message ordering, delivery, and synchronization. Ensemble is a widely used group communication system that is highly modular and configurable. Formally verifying Ensemble is a formidable task, but it has wide-ranging benefits, from formal assistance in the design of new distributed applications, to ensuring the reliability of critical distributed algorithms for all applications that use Ensemble. In this paper, we present a verification framework that we are using to verify Ensemble in the Nuprl proof development system. The framework is based on I/O automata, which are ideal for the verification in some respects: they specify modular components that range from concrete protocol code to abstract services. But traditional I/O automata do not allow reuse of formal theorems as automata are composed. We present a new type-theoretic basis for I/O automata that preserves safety properties during composition using an object-oriented methodology.
A logic of events
2003
Cited by 11 (7 self)
Abstract
There is a well-established theory and practice for creating correct-by-construction functional programs by extracting them from constructive proofs of assertions of the form ∀x: A.∃y: B.R(x, y). There have been several efforts to extend this methodology to concurrent programs, say by using linear logic, but there is no practice and the results are limited. In this paper we define a logic of events that justifies the extraction of correct distributed processes from constructive proofs that system specifications are achievable, and we describe an implementation of an extraction process in the context of constructive type theory. We show that a class of message automata, similar to I/O automata and to active objects, are realizers for this logic. We provide a relative consistency result for the logic. We show an example of protocol derivation in this logic, and show how to embed temporal logics such as TLA+ in the event logic.
Formal Foundations of Computer Security
Science for Peace and Security Series D: Information and Communication Security, Vol, 2008
Cited by 9 (6 self)
Abstract
We would like to know with very high confidence that private data in computers is not unintentionally disclosed and that only authorized persons or processes can modify it. Proving security properties of software systems has always been hard because we are trying to show that something bad cannot happen no matter what a hostile adversary tries
Predicate transformers for infinite-state automata in Nuprl type theory
In Proceedings of 3rd Irish Workshop in Formal Methods, 1999
Cited by 8 (3 self)
Abstract
This paper has two goals. The first is to present a formalization in Nuprl type theory of a very general methodology for system description, specification and verification. The method is especially suitable for describing distributed systems, and is based on a modification of the I/O automata of Lynch & Tuttle. By using infinitely extendible records as the state spaces of automata we gain a key inheritance property that makes modular verification tractable. The second goal is to show how we can state and prove metatheorems about the method in Nuprl by a reflection procedure whereby we define syntax and semantics for both system descriptions and specifications within Nuprl type theory. We can then define a syntactic predicate transformation algorithm that generates syntactic verification conditions, and then prove the metatheorem that shows that the truth of (the meanings of) the verification conditions implies that (the meaning of) the description satisfies (the meaning of) the specification.
Knowledge-based synthesis of distributed systems using event structures
In Proc. 11th Int. Conf. on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2004), Lecture Notes in Computer Science, 2005
Cited by 8 (4 self)
Abstract
To produce a program guaranteed to satisfy a given specification one can synthesize it from a formal constructive proof that a computation satisfying that specification exists. This process is particularly effective if the specifications are written in a high-level language that makes it easy for designers to specify their goals. We consider a high-level specification language that results from adding knowledge to a fragment of Nuprl specifically tailored for specifying distributed protocols, called event theory. We then show how high-level knowledge-based programs can be synthesized from the knowledge-based specifications using a proof development system such as Nuprl. Methods of Halpern and Zuck [1992] then apply to convert these knowledge-based protocols to ordinary protocols. These methods can be expressed as heuristic transformation tactics in Nuprl.
Assume-Guarantee Verification for Interface Automata
Cited by 4 (0 self)
Abstract
Interface automata provide a formalism capturing the high-level interactions between software components. Checking compatibility, and other safety properties, in an automata-based system suffers from the scalability issues inherent in exhaustive techniques such as model checking. This work develops a theoretical framework and automated algorithms for modular verification of interface automata. We propose sound and complete assume-guarantee rules for interface automata, and learning-based algorithms to automate assumption generation. Our algorithms have been implemented in a practical model-checking tool and have been applied to a realistic NASA case study.
Formal Specification and Verification of the Intrusion-Tolerant Enclaves Protocol
International Journal of Network Security, 2003
AND
1987
Abstract
We present a new model for describing and reasoning about transaction-processing algorithms. The model provides a comprehensive, uniform framework for rigorous correctness proofs. The model generalizes previous work on concurrency control to encompass nested transactions and type-specific concurrency control algorithms. Using our model, we describe general conditions for a concurrency control algorithm to be correct, i.e., to ensure that transactions appear to be atomic. We also present a new concurrency control algorithm for abstract data types in a nested transaction system. The algorithm uses commutativity properties of operations to allow high levels of concurrency. The results of operations, in addition to their names and arguments, can be used in checking for conflicts, further increasing concurrency. We show, using our general model, that the new algorithm is correct. We also present a read-update locking algorithm due to Moss and prove it correct. The correctness proofs for the algorithms are modular, in the sense that we consider a system structure consisting of many objects, with concurrency control and recovery performed independently
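The point that operation results, not just names and arguments, decide whether two operations conflict can be made concrete on a small abstract data type. The block below is an added example and not the paper's algorithm or code: it assumes a set ADT with insert, delete and member operations that return a boolean, and a commutativity condition (two operations-with-results commute when, from every state in which one order is legal, the other order is legal too and reaches the same state) that stands in for the precise conditions of the paper. With that condition, two inserts of the same element that both returned "already present" do not conflict, whereas the same two operations treated by name and argument alone would.

```python
"""Commutativity-based conflict checking for a set abstract data type.
Added example of the idea of using operation results in conflict checks;
not the paper's algorithm or code.  The set ADT, the result semantics and
the commutativity condition are assumptions of this example."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Op:
    name: str        # "insert", "delete" or "member"
    arg: str         # element operated on
    result: object   # value the operation returned when it ran


def apply_op(state, op):
    """Sequential semantics of the set: returns (new_state, result)."""
    if op.name == "member":
        return state, op.arg in state
    if op.name == "insert":
        return state | {op.arg}, op.arg not in state   # True iff newly inserted
    if op.name == "delete":
        return state - {op.arg}, op.arg in state       # True iff removed
    raise ValueError(f"unknown operation {op.name}")


def run_if_legal(state, ops):
    """Run ops in order; return the final state if every op reproduces its
    recorded result, or None if that sequence is impossible from state."""
    for op in ops:
        state, res = apply_op(state, op)
        if res != op.result:
            return None
    return state


def commute(a, b):
    """a and b (with their results) commute if, from every state where one
    order is legal, the other order is legal too and ends in the same state.
    For a set only the presence of a.arg and b.arg matters, so the check
    enumerates just those states (assumption: no other operations exist)."""
    elems = sorted({a.arg, b.arg})
    for bits in product([False, True], repeat=len(elems)):
        s = frozenset(e for e, present in zip(elems, bits) if present)
        ab, ba = run_if_legal(s, [a, b]), run_if_legal(s, [b, a])
        if (ab is None) != (ba is None) or ab != ba:
            return False
    return True


def conflicts(held, requested):
    """Lock-manager style check: return the held (uncommitted) operations of
    other transactions that the requested operation does not commute with.
    An empty list means the request may proceed without waiting."""
    return [h for h in held if not commute(h, requested)]


if __name__ == "__main__":
    # Constructed scenario: T1 holds an insert of "x" that found "x" already
    # present; T2's insert of "x" also returns False, so the two commute.
    print(conflicts([Op("insert", "x", False)], Op("insert", "x", False)))  # []
    # T1 newly inserted "y"; T2 reading membership of "y" depends on it.
    print(conflicts([Op("insert", "y", True)], Op("member", "y", True)))
```

The result-sensitive check is what buys the extra concurrency: a name-and-argument rule would block the second insert of "x" above, while the semantic check sees that neither operation changed the set and lets both transactions run.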
Caltech
Abstract
This article presents a theory of classes and inheritance built on top of constructive type theory. Classes are defined using dependent and very dependent function types that are found in the Nuprl constructive type theory. Inheritance is defined in terms of a general subtyping relation over the underlying types. Among the basic types is the intersection type, which plays a critical role in the applications because it provides a method of composing program components. The class theory is applied to defining algebraic structures such as monoids, groups, rings, etc. and relating them. It is also used to define communications protocols as infinite state automata. The article illustrates the role of these formal automata in defining the services of a distributed group communications system. In both applications the inheritance mechanisms allow reuse of proofs and the statement of general properties of system composition.
1 Introduction
The results presented here were created as part of a broad effort to understand how to use computers to significantly automate the design and development of software systems. This is one of the main goals of the "PRL project" at Cornell. One of the basic tenets of our approach to this task is that we should seek the most naturally expressive formal language in which to specify the services, characteristics and constraints that a software system must satisfy. If the formal expression of services is close to a natural one, then people can more readily use it. We also want to allow very compact notations for concepts used to describe systems, and this effect is also a consequence of expressive richness. We have discovered that it is frequently the case that the system we have built to implement one formal language will support an even richer one. So we have come to see our work as also progressively improving the reach of our tools.