Results 1 - 10
of
24
Templates for Misuse Case Description
- PROCEEDINGS OF THE 7 TH INTERNATIONAL WORKSHOP ON REQUIREMENTS ENGINEERING, FOUNDATION FOR SOFTWARE QUALITY (REFSQ'2001
, 2001
"... Use cases have proven helpful for eliciting, communicating and documenting requirements. But whereas functional requirements are well supported, use cases provide less support for working with extra-functional requirements, such as security requirements. With the advent of e-commerce applications ..."
Abstract
-
Cited by 63 (1 self)
- Add to MetaCart
Use cases have proven helpful for eliciting, communicating and documenting requirements. But whereas functional requirements are well supported, use cases provide less support for working with extra-functional requirements, such as security requirements. With the advent of e-commerce applications, security and other extra-functional requirements are growing in importance. In an earlier paper, the authors have introduced the concept of misuse cases -- inverted use cases to denote functions that should not be possible to perform in a system. In this paper, security related misuse cases are elaborated in further detail through a discussion of templates for their textual description.
TAME: Using PVS strategies for special-purpose theorem proving
- Annals of Mathematics and Arti cial Intelligence
, 2000
"... TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch-Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theo ..."
Abstract
-
Cited by 49 (14 self)
- Add to MetaCart
(Show Context)
TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch-Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata speci cations using the templates. Use of the TAME strategies simpli es the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for \automatic " proof and strategies designed to implement \natural " proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's \natural " proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and e ciency in user-de ned strategies such asthose used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of speci cations and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional \natural" proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.
Salsa: Combining Constraint Solvers with BDDs for Automatic Invariant Checking
, 2000
"... . Salsa is an invariant checker for specifications in SAL (the SCR Abstract Language). To establish a formula as an invariant without any user guidance Salsa carries out an induction proof that utilizes tightly integrated decision procedures, currently a combination of BDD algorithms and a const ..."
Abstract
-
Cited by 39 (13 self)
- Add to MetaCart
(Show Context)
. Salsa is an invariant checker for specifications in SAL (the SCR Abstract Language). To establish a formula as an invariant without any user guidance Salsa carries out an induction proof that utilizes tightly integrated decision procedures, currently a combination of BDD algorithms and a constraint solver for integer linear arithmetic, for discharging the verification conditions. The user interface of Salsa is designed to mimic the interfaces of model checkers; i.e., given a formula and a system description, Salsa either establishes the formula as an invariant of the system (but returns no proof) or provides a counterexample. In either case, the algorithm will terminate. Unlike model checkers, Salsa returns a state pair as a counterexample and not an execution sequence. Also, due to the incompleteness of induction, users must validate the counterexamples. The use of induction enables Salsa to combat the state explosion problem that plagues model checkers -- it can handle...
Applying Practical Formal Methods to the Specification and Analysis of Security Properties
, 2001
"... The SCR (Software Cost Reduction) toolset contains tools for specifying, debugging, and verifying system and software requirements. The utility of the SCR tools in detecting specification errors, many involving safety properties, has been demonstrated recently in projects involving practical system ..."
Abstract
-
Cited by 22 (0 self)
- Add to MetaCart
The SCR (Software Cost Reduction) toolset contains tools for specifying, debugging, and verifying system and software requirements. The utility of the SCR tools in detecting specification errors, many involving safety properties, has been demonstrated recently in projects involving practical systems, such as the International Space Station, a flight guidance system, and a U.S. weapons system. This paper briefly describes our experience in applying the tools in the development of two secure systems: a communications device and a biometrics standard for user authentication.
Software cost reduction
- of Software Engineering. 2nd edition
, 2002
"... Software Cost Reduction (SCR) is a set of techniques for designing software sys-tems developed by David Parnas and researchers from the U.S. Naval Research Laboratory (NRL) beginning in the late 1970s. A major goal of the original SCR research team was to evaluate the utility and scalability of soft ..."
Abstract
-
Cited by 21 (3 self)
- Add to MetaCart
(Show Context)
Software Cost Reduction (SCR) is a set of techniques for designing software sys-tems developed by David Parnas and researchers from the U.S. Naval Research Laboratory (NRL) beginning in the late 1970s. A major goal of the original SCR research team was to evaluate the utility and scalability of software engineer-
An Algorithm for Strengthening State Invariants Generated from Requirements Specifications
, 2001
"... In earlier work, we developed a xpoint algorithm for automatically generating state invariants, properties that hold in each reachable state of a state machine model, from state-based requirements specifications. Such invariants are useful both in validating requirements specifications and as auxili ..."
Abstract
-
Cited by 20 (8 self)
- Add to MetaCart
In earlier work, we developed a xpoint algorithm for automatically generating state invariants, properties that hold in each reachable state of a state machine model, from state-based requirements specifications. Such invariants are useful both in validating requirements specifications and as auxiliary lemmas in proofs that a requirements specification satisfies other invariant properties. This paper describes a new related algorithm that strengthens state invariants generated by our initial algorithm and demonstrates the new algorithm on a simplified version of an automobile cruise control system. The paper concludes by describing how the two algorithms were used togenerate state invariants fromarequirements specification of a cryptographic device and how the invariants in conjunction with a theorem prover were used toprove formally that the device satisfies a set of critical security properties.
Applying the SCR Requirements Method to the Light Control Case Study
- Journal of Universal Computer Science
, 2000
"... Abstract: To date, the SCR (Software Cost Reduction) requirements method has been used in industrial environments to specify the requirements of many practical systems, including control systems for nuclear power plants and avionics systems. This paper describes the use of the SCR method to specify ..."
Abstract
-
Cited by 16 (6 self)
- Add to MetaCart
(Show Context)
Abstract: To date, the SCR (Software Cost Reduction) requirements method has been used in industrial environments to specify the requirements of many practical systems, including control systems for nuclear power plants and avionics systems. This paper describes the use of the SCR method to specify the requirements of the Light Control System (LCS), the subject of a case study at the Dagstuhl Seminar on Requirements Capture, Documentation, and Validation in June 1999. It introduces a systematic process for constructing the LCS requirements speci cation, presents the speci cation of the LCS in the SCR tabular notation, discusses the tools that we applied to the LCS speci cation, and concludes with a discussion of a number of issues that arose in developing the speci cation.
Certifying Adaptive Flight Control Software
- IN PROCEEDINGS, ISACC 2000: THE SOFTWARE RISK MANAGEMENT CONFERENCE
, 2000
"... As aircraft designs become more complex, automationhas become an important factor in improving safety and reliability. Automated flight control systems can respond intelligently to faults when it is impractical for a human to take control quickly. In recent years neural networks have been proposed ..."
Abstract
-
Cited by 12 (5 self)
- Add to MetaCart
As aircraft designs become more complex, automationhas become an important factor in improving safety and reliability. Automated flight control systems can respond intelligently to faults when it is impractical for a human to take control quickly. In recent years neural networks have been proposed for fault identification and accommodation purposes within flight control schemes because they are well suited to non-linear, multi-variable systems. Because neural networks learn to associate various control actions with particular input data patterns, they avoid the need to explicitly program all the relevant fault situations. A major
Generating optimized code from scr specifications
- Proceedings of LCTES 2006: ACM SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded Systems
, 2006
"... A promising trend in software development is the increasing adoption of model-driven design. In this approach, a developer first constructs an abstract model of the required program behavior in a language, such as Statecharts or Stateflow, and then uses a code generator to automatically transform th ..."
Abstract
-
Cited by 11 (7 self)
- Add to MetaCart
(Show Context)
A promising trend in software development is the increasing adoption of model-driven design. In this approach, a developer first constructs an abstract model of the required program behavior in a language, such as Statecharts or Stateflow, and then uses a code generator to automatically transform the model into an executable program. This approach has many advantages—typically, a model is not only more concise than code and hence more understandable, it is also more amenable to mechanized analysis. Moreover, automatic generation of code from a model usually produces code with fewer errors than hand-crafted code. One serious problem, however, is that a code generator may produce inefficient code. To address this problem, this paper describes a method for generating efficient code from SCR (Software Cost Reduction) specifications. While the SCR tabular notation and tools have been used successfully to specify, simulate, and verify numerous embedded systems, until now SCR has lacked an automated method for generating optimized code. This paper describes an efficient method for automatic code generation from SCR specifications, together with an implementation and an experimental evaluation. The method first synthesizes an execution-flow graph from the specification, then applies three optimizations to the graph, namely, input slicing, simplification, and output slicing, and then automatically generates code from the optimized graph. Experiments on seven benchmarks demonstrate that the method produces significant performance improvements in code generated from large specifications. Moreover, code generation is relatively fast, and the code produced is relatively compact.
Program synthesis from formal requirements specifications using APTS. Higher-Order and Symbolic Computation
- Proc. Joint 7th Eur. Softw. Eng. Conf. and 7th ACM SIGSOFT Symp. Foundations Softw. Eng
, 2003
"... Abstract. Formal specifications of software systems are extremely useful because they can be rigorously an-alyzed, verified, and validated, giving high confidence that the specification captures the desired behavior. To transfer this confidence to the actual source code implementation, a formal link ..."
Abstract
-
Cited by 10 (3 self)
- Add to MetaCart
(Show Context)
Abstract. Formal specifications of software systems are extremely useful because they can be rigorously an-alyzed, verified, and validated, giving high confidence that the specification captures the desired behavior. To transfer this confidence to the actual source code implementation, a formal link is needed between the specifi-cation and the implementation. Generating the implementation directly from the specification provides one such link. A program transformation system such as Paige’s APTS can be useful in developing a source code generator. This paper describes a case study in which APTS was used to produce code generators that construct C source code from a requirements specification in the SCR (Software Cost Reduction) tabular notation. In the study, two different code generation strategies were explored. The first strategy uses rewrite rules to transform the parse tree of an SCR specification into a parse tree for the corresponding C code. The second strategy associates a relation with each node of the specification parse tree. Each member of this relation acts as an attribute, holding the C code corresponding to the tree at the associated node; the root of the tree has the entire C program as its member of the relation. This paper describes the two code generators supported by APTS, how each was used to synthesize code for two example SCR requirements specifications, and what was learned about APTS from these implementations.