Citation Context

...ed predicate abstraction of Java programs. 1. INTRODUCTION Model checking is becoming an increasingly successful technique for analyzing software requirement specifications and software design models =-=[1, 4, 9]-=-. The main reason for this trend is that, at high levels of abstraction, the limitations of model checking are often avoided with minimal cost. This is convenient because it is well known that discove...

Citation Context

... C -positive, (Q4-Œ ). QSef:Jp ‚ X—L@fi . (Q5-Œ Now, we construct an & -sequence / é , and (Q1) through (Q5) are satisfied for as follows: for all Œ*Ì A , – (10) :KJJJ: :KJJ (9) <Ÿp Notice that /ké : =-=(11)-=- ‚ for all Œ I$A . It can be checked that: /ké <Ÿp ‚ÿ ÿ ÿ ÿ ÿ ÿ ÿ ‚ ÿ Hence, the C desired -i.o. ' witness of can be ÎÏ constructed. ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ < 13 – for all Œ Ì A , Xh– (12) QSef: X8Ž y ê Qqe4...

Citation Context

...tems [18, 56]. Originally applied to hardware verication, model checking has become a promising technique for analyzing software requirements specications [2, 14, 15, 38] and software design models [1=-=, 24, 40]-=-. One reason for this trend is that, at high levels of abstraction, the scalability limitations of model checking can be avoided while providing useful information about a system. This is convenient b...

Citation Context

...ludes structuring mechanisms that allow one to build modularized specifications of complex systems with layering [9]. It has been successfully used to specify a number of interesting realtime systems =-=[1, 2, 9, 10, 11, 12]-=-. The ASTRAL Software Development Environment (SDE) [20, 22] is an integrated set of design and analysis tools , which includes, among others, an explicit-state model checker, a symbolic model checker...

Citation Context

...d in elections have recently undergone a thorough and independent scrutiny to evaluate their quality. See, for instance, [23], [24], [3], [5], where the authors highlight some serious design and implementation flaws, which could be exploited to compromise elections. The papers also suggest a drastic change in the way in which electronic voting systems are designed, developed, and tested. With respect to the third area, several works describe the use of formal methods to specify, model, analyze, and assess complex and safety-critical systems (see, for instance, [25], [26], [27], [28] and [29], [30], [31]). The application of formal methods in the e-voting area, however, has been, so 111666! Authorized licensed use limited to: UNIVERSITA TRENTO. Downloaded on July 09,2010 at 08:25:55 UTC from IEEE Xplore. Restrictions apply. far, limited. We mention [32], [33], that present the formal specification and verification of an electronic voting protocol using !-calculus and [34], [35] where the authors present a tool, FSMC+, that has been used to specify and verify the control logic of an e-voting machine. Our work builds upon and improves those presented above by widening the scope of the ana...

Citation Context

...is gives a different decidability result when the approximation techniques in this paper are used. These generalizations have practical motivation. For example, many complex real-world specifications =-=[10, 13, 15, 27]-=- written in real-time specification language ASTRAL [10] use generalized clock constraints and parameterized durations in almost every specification. Therefore, the results presented in this paper may...

Citation Context

...e complex real-time embedded systems that are required to operate in a (possibly) hostile environment. Another and more relevant reason is the poor design and poor implementation of (some of) the systems currently deployed for elections in various countries. See, for instance, [1], [2], [3], [4], for related matters. There are a number of ways in which the integrity and assurance of a complex and safety-critical system’s correct behavior with respect to a specification can be achieved. Among them, formal verification has been shown to improve the security and quality of complex systems (e.g., [5], [6], [7], [8]). These approaches allow designers to prove, test, or otherwise examine interesting properties of a complex process whose behavior is specified abstractly, and then interactively refine the behavioral specification to be as close to an implementation as appropriate for a given assurance level. The use of such techniques for e-voting systems is discussed in [9], [10], [11], [12], [13]. This paper complements [13] where the authors formally specified the ES&S voting system using the ASTRAL [14] language. A number of critical requirements, as they are documented in the ES&S manual...