Results 1 - 7 of 7
A Framework for the Hazard Analysis of Chemical Plants
- In Proceedings of the 11th IEEE International Symposium on Computer-Aided Control System Design (CACSD2000), 2000
Cited by 9 (7 self)
Transposing the notion of software frameworks to the abstraction level of formal specifications and verifications, we developed a framework supporting the formal hazard analysis of chemical plants. It provides generic specification modules for the description of safety properties, specification modules for the description of plant models, and theorems stating that certain subsystem structures of the plant model imply certain safety properties. Using the framework for hazard analysis, one firstly describes the plant and its control equipment as a composition of framework module instances. Secondly, one expresses the different safety properties of interest by parameterized framework modules. Finally, a safety property is proven when an appropriate theorem instance of the framework can be found. Thus, the framework facilitates the formal modeling. Moreover, the efforts for formal verifications are reduced drastically since framework theorem instances can replace explicit proofs. The framework utilizes modular temporal logic specifications supported by the specification language cTLA which is a variant of Lamport's temporal logic of actions TLA and in particular is devoted to the compositional description of process systems.
Framework and Tool Support for Formal Verification of High Speed Transfer Protocol Designs
- Telecommunication Systems, 2002
Cited by 4 (2 self)
Formal description techniques, verification methods, and their tool-based automated application meanwhile provide valuable support for the formal analysis of communication protocol designs. Nevertheless the practical analysis of modern protocols still requires relatively great efforts and therefore many protocol developments do not employ formal methods. In that context the transfer protocol framework aims at complementary support. It supplies a rich collection of specification modules and guides their efficient composition to service and protocol specifications. Moreover the functional relations between service properties and implementing protocol mechanisms have been investigated systematically. The framework provides a collection of corresponding theorems to be applied to protocol correctness proofs. As a result, protocol verification can be reduced to the selection, instantiation, and proper arrangement of framework theorems. The verification process can further be supported by special tool assistance. The tool COAST identifies the compositional structure of a protocol specification mechanically and selects the corresponding framework theorems. It splits service property proofs into arrangements of subproofs where the subproofs can mainly be accomplished by application of the selected framework theorems. After outlining the general transfer protocol framework approach we concentrate on the introduction of the tool COAST. We describe its functions and clarify its application by means of the verification of the complex real-life high-speed data transfer protocol XTP.
cTLA 2003 Description
- 2003
Cited by 2 (2 self)
This report describes the formal specification language cTLA in its 2003 version which can be translated into the language PROMELA of the well-known automated verification tool SPIN. The report describes the semantical background, the semantics, and the syntax of cTLA. cTLA is based on Leslie Lamport's Temporal Logic of Actions. In contrast to Lamport's TLA+ syntax, cTLA supports a modular process-oriented specification style and has a programming-language-like look.

1 State Transition Systems and Temporal Logic of Actions

A state transition system can be used to model an event-discrete dynamic system which starts in an initial state and thereafter performs a sequence of state transitions. The system stays in its present state until a transition occurs which atomically changes the state into a successor state, where again the system stays until the next transition occurs. A state transition system $STS ::= \langle S, S_0, T \rangle$ is defined by: $S$ a set of states, $S_0$ the set of initial states, $S_0 \subseteq S$, $T$ the set of transitions, $T \subseteq S \times S$. Let $Sys$ be an STS. The set of state sequences $SQ_{Sys}$ of $Sys$ is defined by:

$$SQ_{Sys} ::= \{\, sq : sq \in S^{\omega} \wedge sq = \langle s_0, s_1, s_2, s_3, s_4, \ldots \rangle \wedge s_0 \in S_0 \wedge \forall i \in \mathbb{N} : [\langle s_i, s_{i+1} \rangle \in T \vee s_i = s_{i+1}] \,\}$$

Moreover, the set of reachable states $SR_{Sys}$ of $Sys$ is defined by:

$$SR_{Sys} ::= \{\, s : s \in S \wedge \exists sq \in SQ_{Sys}, i \in \mathbb{N} : [sq = \langle s_0, s_1, s_2, s_3, s_4, \ldots \rangle \wedge s = s_i] \,\}$$

Note that state sequences have infinite length, and that stuttering steps (where $s_i = s_{i+1}$ holds) are possible. Finite transition sequences (where a system terminates after a finite number of transitions) can be modeled by infinite state sequences under the assumption that a system performs an infinite sequence of stuttering steps after its termination. The tempor...
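The STS definitions above, and the safety-property check that the hazard-analysis entry above relies on, in executable form. This is an added example and not code from the cTLA report or from any of the listed papers: it represents $T$ as a successor function, computes $SR_{Sys}$ by breadth-first search (stuttering steps never add reachable states, so they are not generated), and checks an invariant, returning the finite prefix $s_0 \ldots s_i$ of a violating state sequence. The plant/controller model (a tank with capacity, inflow valve, drain and a high/low level controller) is constructed here for illustration and is not a model from the hazard-analysis paper; the `coupled=True` variant assumes the controller's "close valve" is performed in the same step as the inflow that reaches the high mark, an assumption of this example, not a claim about the framework.

```python
"""Explicit-state view of the STS definitions: <S, S_0, T>, SQ_Sys and SR_Sys.

Added example; the tank model below is constructed for illustration and is not
the plant model of any paper on this page.
"""
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, List, Optional

State = Hashable


class STS:
    """State transition system <S, S_0, T>.

    T is given as a successor function s -> {s' | <s, s'> in T}; S is left
    implicit (whatever the successor function can reach). Stuttering steps
    s -> s are always allowed by the definition of SQ_Sys, but they never add
    a reachable state, so the search below does not generate them.
    """

    def __init__(self, initial: Iterable[State],
                 successors: Callable[[State], Iterable[State]]) -> None:
        self.initial = list(initial)      # S_0
        self.successors = successors      # T, as a function

    def reachable(self) -> Dict[State, Optional[State]]:
        """SR_Sys by breadth-first search; maps each reachable state to the
        predecessor it was first reached from (None for states in S_0)."""
        pred: Dict[State, Optional[State]] = {}
        queue: deque = deque()
        for s0 in self.initial:
            if s0 not in pred:
                pred[s0] = None
                queue.append(s0)
        while queue:
            s = queue.popleft()
            for t in self.successors(s):
                if t not in pred:
                    pred[t] = s
                    queue.append(t)
        return pred

    def check_invariant(self, inv: Callable[[State], bool]) -> Optional[List[State]]:
        """Safety property 'always inv'. Returns None if inv holds on all of
        SR_Sys, otherwise the prefix s_0 ... s_i of a state sequence whose last
        state violates inv (the infinite remainder can be taken as stuttering)."""
        pred = self.reachable()
        for s in pred:
            if not inv(s):
                trace = [s]
                while pred[trace[-1]] is not None:
                    trace.append(pred[trace[-1]])
                return list(reversed(trace))
        return None


# --- constructed example: a tank with an inflow valve, a drain and a controller ---
CAP, HIGH, LOW = 5, 4, 1   # level == CAP is an overflow; HIGH/LOW are controller thresholds


def tank_system(coupled: bool) -> STS:
    """State = (level, valve). With coupled=False the controller's 'close valve'
    is a separate action that may be delayed behind further inflow steps; with
    coupled=True the close is performed jointly with the inflow step that reaches
    HIGH (assumption of this example: a joint action of plant and controller)."""
    def succ(state):
        level, valve = state
        out = []
        if valve == "open" and level < CAP:                      # inflow
            new_level = level + 1
            if coupled and new_level >= HIGH:
                out.append((new_level, "closed"))
            else:
                out.append((new_level, "open"))
        if level > 0:                                            # drain
            out.append((level - 1, valve))
        if not coupled and valve == "open" and level >= HIGH:    # separate close action
            out.append((level, "closed"))
        if valve == "closed" and level <= LOW:                   # reopen
            out.append((level, "open"))
        return out
    return STS([(0, "open")], succ)


def no_overflow(state) -> bool:
    """The safety property: the tank level never reaches CAP."""
    return state[0] < CAP


if __name__ == "__main__":
    for coupled in (False, True):
        result = tank_system(coupled).check_invariant(no_overflow)
        print(f"coupled={coupled}: " + ("safe" if result is None else f"violation {result}"))
```

With the separate close action the search finds the sequence (0,open) ... (4,open) (5,open): five inflow steps fire before the controller's close step is scheduled, which is exactly the kind of interleaving that symbolic reasoning or SPIN-based checking of a cTLA model is meant to expose. With the joint step the reachable set has nine states, all with level below CAP.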
Analyzing Network Management Effects with Spin and CTLA
- Proc. of IFIP 18th WCC/SEC 2004, 2004
Cited by 2 (2 self)
Since many security incidents of networked computing infrastructures arise from inadequate technical management actions, we aim at a method supporting the formal analysis of those implications which administration activities may have towards system security. We apply the specification language cTLA which supports the modular description of process systems and facilitates the construction of a modeling framework. The framework defines a generic modeling structure and provides re-usable model elements. Due to cTLA's connection to the temporal logic of actions TLA, formal analysis can resort to symbolic reasoning. Supplementarily, automated analysis can be applied. We focus here on automated analysis. It is supported by translation of cTLA specifications into suitable model descriptions for the powerful model checking tool SPIN. We outline the utilized methods and tools, and report on the modeling and SPIN-based analysis of IP-Hijacking.
Composing DisCo Specifications Using Generic Real-Time Events -- A Mobile Robot Case
- In Jaan Penjam, editor, Software Technology, Proc. Fenno–Ugric Symposium, 1999
Cited by 1 (1 self)
Methods used to specify real-time control software should enable the expression of functional, control and real-time requirements. They should enable multi-disciplinary system development and promote reuse of specifications. This paper describes a specification of real-time control software developed using the DisCo method. DisCo is an object-oriented action-based method with precise semantics in logic. The specification is layered and partly reusable. It consists of functional, control and real-time parts. The real-time part includes layers which specify generic periodic and aperiodic events. The control part specifies the control algorithms, and the functional part the rest of the system. The three parts are specified using stepwise refinements and combined in a simple way. Although the specification presented is quite small, the techniques used are applicable when specifying larger systems with complex real-time behavior.
Real Time in a TLA-Based Theory of Reactive Systems
- In Proceedings of the First International Symposium on Object-Oriented Real-Time Distributed Computing, IEEE Computer Society, 1998
Cited by 1 (0 self)
A practical theory for operational specification of reactive systems is described. Reasoning on temporal properties is made possible at high levels of abstraction, and rigorous refinement towards implementation is supported. The paper discusses how the underlying logic, execution model, and refinement methods fit together, and how object-orientation, distribution, and real time are supported. A closer look is taken at the specification of real-time properties. The approach is illustrated by a logically layered specification of simple mobile robot control software.

1 Introduction

Since conventional thinking of software engineering is dominated by languages, tools, and informal design methods, their inherent complexities burden most attempts to provide theoretical understanding of the fundamentals. In particular, an appropriate theory should allow one to ignore unnecessary detail at the level of specification. Ideally, specification languages and tools should also reflect an underlying theo...

