Paulius Stankaitis,Alexei Iliasov,David Adjepon-Yamoah,Alexander Romanovsky

DOI: https://doi.org/10.48550/arXiv.1611.02923

2016-11-09

Abstract:Event-B is one of more popular notations for model-based, proof driven specification. It offers a fairly high-level mathematical lan- guage based on FOL and ZF set theory and an economical yet expres- sive modelling notation. Model correctness is established by discharging proving a number conjectures constructed via a syntactic instantiation of schematic conditions. A large proportion of provable conjectures re- quires proof hints from a user. For larger models this becomes extremely onerous as identical or similar proofs have to be repeated over and over, especially after model refactoring stages. In the paper we briefly present a new Rodin Platform proof back-end based on the Why3 umbrella prover.

Software Engineering

Petr N. Devyanin,Alexey V. Khoroshilov,Victor V. Kuliamin,Alexander K. Petrenko,Ilya V. Shchepetkov

DOI: https://doi.org/10.1007/978-3-662-43652-3_30

2014-01-01

Abstract:The paper presents a work-in-progress on formal verification of operating system security model, which integrates control of confidentiality and integrity levels with role-based access control. The main goal is to formalize completely the security model and to prove its consistency and conformance to basic correctness requirements concerning keeping levels of integrity and confidentiality. Additional goal is to perform data flow analysis of the model to check whether it can preserve security in the face of certain attacks. Alloy and Event-B were used for formalization and verification of the model. Alloy was applied to provide quick constraint-based checking and uncover various issues concerning inconsistency or incompleteness of the model. Event-B was applied for full-scale deductive verification. Both tools worked well on first steps of model development, while after certain complexity was reached Alloy began to demonstrate some scalability issues.

Abeer Saeed Abdo Hadad,Chunyan Ma,Adeeb Abdulwakeel Obadi Ahmed

DOI: https://doi.org/10.1109/access.2020.2987972

IF: 3.9

2020-01-01

IEEE Access

Abstract:AADL is widely used to depict the architecture and behavior of real-time safety-critical systems such as avionics and aerospace. The development of these systems has strict requirements for building fault-free systems. Formal verification is frequently applied to verify the critical properties of the systems, such as safety and liveness; however, the formal verification is not supported by AADL. Model transformation is commonly applied to provide formal semantics; hence, the AADL model can be verified by a language that supports formal verification in addition to the ability to cover all AADL model behavior. Event-B, with its proof obligation, is increasingly used to model and verify safety-critical systems. This paper presents the transformation of the AADL model into Event-B, which captures most AADL components and behavioral actions to be effective in the verification of current real-time systems models. Then, we define theorems and invariants of safety and liveness properties to be proven by using the RODIN platform. To demonstrate the efficacy of our method, we model the AADL of movement authority (MA) control of the Chinese Train Control System, transform the AADL model to Event-B and verify its crucial properties.

Nuno Macedo,Alcino Cunha

DOI: https://doi.org/10.48550/arXiv.1603.03599

2016-03-11

Software Engineering

Abstract:Alloy and TLA+ are two formal specification languages that are increasingly popular due to their simplicity and flexibility, as well as the effectiveness of their companion model checkers, the Alloy Analyzer and TLC, respectively. Nonetheless, while TLA+ focuses on temporal properties, Alloy is better suited to handle structural properties, requiring ad hoc mechanisms to reason about temporal properties. Thus, both have limitations in the specification and analysis of systems rich in both static and dynamic properties. This paper explores the pros and cons of these two frameworks when handling this class of systems through the step-by-step modeling, specification and verification of an example.

Nuno Macedo,Alcino Cunha

DOI: https://doi.org/10.48550/arXiv.1209.5773

2012-09-26

Abstract:Alloy is an increasingly popular lightweight specification language based on relational logic. Alloy models can be automatically verified within a bounded scope using off-the-shelf SAT solvers. Since false assertions can usually be disproved using small counter-examples, this approach suffices for most applications. Unfortunately, it can sometimes lead to a false sense of security, and in critical applications a more traditional unbounded proof may be required. The automatic theorem prover Prover9 has been shown to be particularly effective for proving theorems of relation algebras [7], a quantifier-free (or point-free) axiomatization of a fragment of relational logic. In this paper we propose a translation from Alloy specifications to fork algebras (an extension of relation algebras with the same expressive power as relational logic) which enables their unbounded verification in Prover9. This translation covers not only logic assertions, but also the structural aspects (namely type declarations), and was successfully implemented and applied to several examples.

Formal Languages and Automata Theory

Ana Jovanovic,Allison Sullivan

2024-03-23

Abstract:Writing declarative models has numerous benefits, ranging from automated reasoning and correction of design-level properties before systems are built, to automated testing and debugging of their implementations after they are built. Alloy is a declarative modeling language that is well-suited for verifying system designs. A key strength of Alloy is its scenario-finding toolset, the Analyzer, which allows users to explore all valid scenarios that adhere to the model's constraints up to a user-provided scope. However, even with visualized scenarios, it is difficult to write correct Alloy models. To address this, a growing body of work explores different techniques for debugging Alloy models. In order to develop and evaluate these techniques in an effective manor, this paper presents an empirical study of over 97,000 models written by novice users trying to learn Alloy. We investigate how users write both correct and incorrect models in order to produce a comprehensive benchmark for future use as well as a series of observations to guide debugging and educational efforts for Alloy model development.

Computer Science

Mohammad Nurullah Patwary,Ana Jovanovic,Allison Sullivan

2024-06-14

Abstract:Alloy is well known a declarative modeling language. A key strength of Alloy is its scenario finding toolset, the Analyzer, which allows users to explore all valid scenarios that adhere to the model's constraints up to a user-provided scope. Despite the Analyzer, Alloy is still difficult for novice users to learn and use. A recent empirical study of over 93,000 new user models reveals that users have trouble from the very start: nearly a third of the models novices write fail to compile. We believe that the issue is that Alloy's grammar and type information is passively relayed to the user despite this information outlining a narrow path for how to compose valid formulas. In this paper, we outline a proof-of-concept for a structure editor for Alloy in which user's build their models using block based inputs, rather than free typing, which by design prevents compilation errors.

Software Engineering

Ferhat Erata,Arda Goknil,Ivan Kurtev,Bedir Tekinerdogan

DOI: https://doi.org/10.1145/3236024.3264588

2024-03-05

Abstract:We present AlloyInEcore, a tool for specifying metamodels with their static semantics to facilitate automated, formal reasoning on models. Software development projects require that software systems be specified in various models (e.g., requirements models, architecture models, test models, and source code). It is crucial to reason about those models to ensure the correct and complete system specifications. AlloyInEcore allows the user to specify metamodels with their static semantics, while, using the semantics, it automatically detects inconsistent models, and completes partial models. It has been evaluated on three industrial case studies in the automotive domain (

Software Engineering,Programming Languages

WU Ming-hui,Jing Ying

DOI: https://doi.org/10.3785/j.issn.1008-973X.2011.02.014

2011-01-01

Abstract:Business process is with high complexity, and it is hard to keep the models consistent. In order to deal with the problem, an approach for business process modeling and formal verification was proposed. Combing with semantic ontology technology, based on unified modeling language (UML) extensions, the approach supports visual modeling with multiple views according to different concerns in business process. The business modeling consists of three stages of refinements: 1) whole abstract process; 2) declarative process; 3) imperative process. By adopting the concept of "environment ontology", the capabilities and behaviors of software can be specified by the effects of changing environment status. Based on the idea, the modeling related definitions and their formal semantics are presented. At last, an example of simplified products trading system demonstrates how to verify process model definition and model refinement specification with Alloy in details. The example shows that modeling business process approach and verifying the model specifications with Alloy can improve the model process flexibility and ensure models consistency.

Jun Sun,Yang Liu,Jin Song Dong,Jing Sun

DOI: https://doi.org/10.1109/tase.2008.12

2008-01-01

Abstract:Verification techniques like SAT-based bounded model checking have been successfully applied to a variety of system models. Applying bounded model checking to compositional process algebras is, however, not a trivial task. One challenge is that the number of system states for process algebra models is not statically known, whereas exploring the full state space is computationally expensive. This paper presents a compositional encoding of hierarchical processes as SAT problems and then applies state-of-the-art SAT solvers for bounded model checking. The encoding avoids exploring the full state space for complex systems so as to deal with state space explosion. We developed an automated analyzer which combines complementing model checking techniques (i.e., bounded model checking and explicit on-the-fly model checking) to validate system models against event-based temporal properties. The experiment results show the analyzer handles large systems.

Rui Couto,José C. Campos,Nuno Macedo,Alcino Cunha

DOI: https://doi.org/10.4204/EPTCS.284.4

2018-11-27

Abstract:Alloy is a lightweight formal specification language, supported by an IDE, which has proven well-suited for reasoning about software design in early development stages. The IDE provides a visualizer that produces graphical representations of analysis results, which is essential for the proper validation of the model. Alloy is a rich language but inherently static, so behavior needs to be explicitly encoded and reasoned about. Even though this is a common scenario, the visualizer presents limitations when dealing with such models. The main contribution of this paper is a principled approach to generate instance visualizations, which improves the current Alloy Visualizer, focusing on the representation of behavior.

Human-Computer Interaction,Programming Languages,Software Engineering

Hongjiang Gao,Yongsheng Zhao,Jun Liu,Zheng Qin

2007-01-01

Abstract:With increasingly complexity in intellectualized information management systems (IIMS), the problem of their verification and validation is acquiring increasing importance, and rigorous design practices are needed in case of critical applications. In this paper, a practical approach for increasingly developing flexible and reliable formal specifications of IIMS using Event-B is described, with a roles-based collaboration model, exemplified on iterated contract net interaction protocol in the interaction of IIMS, and then B models generated with evt2b supported by Atelier B are then proven in consistency and correctness.

Alcino Cunha,Nuno Macedo,Chong Liu

DOI: https://doi.org/10.1007/s10009-024-00752-3

2024-05-24

International Journal on Software Tools for Technology Transfer

Abstract:This paper reports on the development and validation of a formal model for an automotive adaptive exterior lights system (ELS) with multiple variants in Alloy 6, which is the most recent version of the Alloy lightweight formal specification language that supports mutable relations and temporal logic. We explore different strategies to address variability, one in pure Alloy and another through an annotative language extension. We then show how Alloy and its Analyzer can be used to validate systems of this nature, namely by checking that the reference scenarios are admissible, and to automatically verify whether the established requirements hold. A prototype was developed to translate the provided validation sequences into Alloy and back to further automate the validation process. The resulting ELS model was validated against the provided validation sequences and verified for most of requirements for all variants.

computer science, software engineering

William Heaven,Alessandra Russo

DOI: https://doi.org/10.48550/arXiv.cs/0508109

2005-08-24

Abstract:Formal techniques have been shown to be useful in the development of correct software. But the level of expertise required of practitioners of these techniques prohibits their widespread adoption. Formal techniques need to be tailored to the commercial software developer. Alloy is a lightweight specification language supported by the Alloy Analyzer (AA), a tool based on off-the-shelf SAT technology. The tool allows a user to check interactively whether given properties are consistent or valid with respect to a high-level specification, providing an environment in which the correctness of such a specification may be established. However, Alloy is not particularly suited to expressing program specifications and the feedback provided by AA can be misleading where the specification under analysis or the property being checked contains inconsistencies. In this paper, we address these two shortcomings. Firstly, we present a lightweight language called "Loy", tailored to the specification of object-oriented programs. An encoding of Loy into Alloy is provided so that AA can be used for automated analysis of Loy program specifications. Secondly, we present some "patterns of analysis" that guide a developer through the analysis of a Loy specification in order to establish its correctness before implementation.

Software Engineering,Logic in Computer Science

Aboubakr Achraf El Ghazi,Mana Taghdiri

DOI: https://doi.org/10.48550/arXiv.1505.00672

2015-05-04

Abstract:This paper describes how Yices, a modern SAT Modulo theories solver, can be used to analyze the address-book problem expressed in Alloy, a first-order relational logic with transitive closure. Current analysis of Alloy models - as performed by the Alloy Analyzer - is based on SAT solving and thus, is done only with respect to finitized types. Our analysis generalizes this approach by taking advantage of the background theories available in Yices, and avoiding type finitization when possible. Consequently, it is potentially capable of proving that an assertion is a tautology - a capability completely missing from the Alloy Analyzer. This paper also reports on our experimental results that compare the performance of our analysis to that of the Alloy Analyzer for various versions of the address book problem.

Logic in Computer Science

Julien Brunel,Laurent Rioux,Stéphane Paul,Anthony Faucogney,Frédérique Vallée

DOI: https://doi.org/10.4204/EPTCS.150.2

2014-05-06

Abstract:We propose an approach based on Alloy to formally model and assess a system architecture with respect to safety and security requirements. We illustrate this approach by considering as a case study an avionic system developed by Thales, which provides guidance to aircraft. We show how to define in Alloy a metamodel of avionic architectures with a focus on failure propagations. We then express the specific architecture of the case study in Alloy. Finally, we express and check properties that refer to the robustness of the architecture to failures and attacks.

Software Engineering

Ryan Dancy,Nancy A. Day,Owen Zila,Khadija Tariq,Joseph Poremba

2024-11-25

Abstract:Alloy is a well-known, formal, declarative language for modelling systems early in the software development process. Currently, it uses the Kodkod library as a back-end for finite model finding. Kodkod translates the model to a SAT problem; however, this method can often handle only problems of fairly low-size sets and is inherently finite. We present Portus, a method for translating Alloy into an equivalent many-sorted first-order logic problem (MSFOL). Once in MSFOL, the problem can be evaluated by an SMT-based finite model finding method implemented in the Fortress library, creating an alternative back-end for the Alloy Analyzer. Fortress converts the MSFOL finite model finding problem into the logic of uninterpreted functions with equality (EUF), a decidable fragment of first-order logic that is well-supported in many SMT solvers. We compare the performance of Portus with Kodkod on a corpus of 49 expert Alloy models. Our method is fully integrated into the Alloy Analyzer.

Software Engineering,Logic in Computer Science

Han Peng,Chenglie Du,Lei Rao,Zhouzhou Liu

DOI: https://doi.org/10.3745/jips.01.0043

2019-01-01

Journal of Information Processing Systems

Abstract:The Event-B design pattern is an excellent way to quickly develop a formal model of the system. Researchers have proposed a number of Event-B design patterns, but they all lack formal behavior semantics. This makes the analysis, verification, and simulation of the behavior of the Event-B model very difficult, especially for the control-intensive systems. In this paper, we propose a novel method to transform the Event-B synchronous control flow design pattern into the labeled transition system (LTS) behavior model. Then we map the design pattern instantiation process of Event-B to the instantiation process of LTS model and get the LTS behavior semantic model of Event-B model of a multi-level complex control system. Finally, we verify the linear temporal logic behavior properties of the LTS model. The experimental results show that the analysis and simulation of system behavior become easier and the verification of the behavior properties of the system become convenient after the Event-B model is converted to the LTS model.

Ning Ge,Arnaud Dieumegard,Eric Jenn,Laurent Voisin

DOI: https://doi.org/10.48550/arxiv.1610.07410

2016-01-01

Abstract:This work addresses the correct translation of an Event-B model to C code via an intermediate formal language, HLL. The proof of correctness follows two main steps. First, the final refinement of the Event-B model, including invariants, is translated to HLL. At that point, additional properties (e.g., deadlock-freeness, liveness properties, etc.) are added to the HLL model. The proof of the invariants and additional properties at the HLL level guarantees the correctness of the translation. Second, the C code is automatically generated from the HLL model for most of the system functions and manually for the remaining ones; in this case, the HLL model provides formal contracts to the software developer. An equivalence proof between the C code and the HLL model guarantees the correctness of the code.

Ana Jovanovic,Allison Sullivan

DOI: https://doi.org/10.1007/s10270-024-01220-x

2024-10-29

Software & Systems Modeling

Abstract:Writing declarative models has numerous benefits, ranging from automated reasoning and correction of design-level properties before systems are built, to automated testing and debugging of their implementations after they are built. Alloy is a declarative modeling language that is well-suited for verifying system designs. A key strength of Alloy is its scenario-finding toolset, the Analyzer, which allows users to explore all valid scenarios that adhere to the model's constraints up to a user-provided scope. Despite the Analyzer, writing correct Alloy models remains a difficult task, partly due to Alloy's expressive operators, which allow for succinct formulations of complex properties but can be difficult to reason over manually. To further add to the complexity, Alloy's grammar was recently expanded to support linear temporal logic, increasing both the expressibility of Alloy and the burden for accurately expressing properties. To address this, this paper presents Alloy , an extension to Alloy's mutation testing framework that accounts for the newly introduced temporal logic, including updating Alloy 's test generation capability to produce temporal test cases. Experimental results reveal Alloy is efficient at generating and checking mutations and Alloy 's automatically generated tests are effective at detecting faulty temporal models.

computer science, software engineering