Results 1 - 10 of 10
Transformation and Verification of Executable UML Models
Electronic Notes on Theoretical Computer Science, Elsevier Science, 2004
Cited by 7 (1 self)
In addition to static structures, the Unified Modelling Language (UML) supports the specification of dynamic properties of objects by means of statechart and sequence diagrams. Moreover, the upcoming UML 2.0 standard defines several kinds of actions to specify invocations, computations and the access of structural features. The formal specification technique compositional Temporal Logic of Actions (cTLA) provides for modular descriptions of behavior constraints and its process composition operation corresponds to superposition. Furthermore, cTLA facilitates the selection of an arbitrary subsystem of a complex specification which is composed of processes. We introduce an approach for formal-based refinement verifications of detailed UML models which fulfill more abstract ones. In a first step of the verification, the abstract and the detailed model are transformed to cTLA specifications. Thereafter, we can prove that the cTLA specification of the more detailed model implies the cTLA description of the more abstract one by application of the model checker TLC (Temporal Logic Checker).
Temporal Logic-Based Specification and Verification of Trust Models
Proc. 4th International Conference on Trust Management (iTrust 2006), LNCS 3986, 2006
Cited by 3 (1 self)
Mutual trust is essential in performing economical transactions. In modern internet-based businesses, however, traditional trust gaining mechanisms cannot be used and new ways to build trust between e-business partners have to be found. In consequence, a lot of models describing trust and the mechanisms to build it were developed. Unfortunately, most of these models neither provide the right formalism to model relevant aspects of the trust gaining process (e.g., context and time of a trust-related interaction), nor do they allow refinement proofs verifying that a trust management tool implements a certain trust model. Therefore, we propose the temporal logic-based specification and verification technique cTLA which provides a formalism enabling to model context- and time-related aspects of a trust building process. Moreover, cTLA facilitates formal refinement proofs. In this paper, we discuss the application of cTLA to describe trust purposes by means of simple example systems which are used to decide about the application of certain policies based on the reputation of a party. In particular, we introduce a basic and a refined reputation system and sketch the proof that the refined system is a correct realization of the simple one.
Modular Security: Design and Analysis
2004
Software systems made of software components are becoming more and more common. This paper surveys theories and techniques for designing and analyzing security of such systems. The paper gives an overview of security models, introduces formal foundations for system composition and security engineering, and investigates available techniques for security design and analysis, focusing on each technique's adoption of composition mechanisms and support for security properties.
unknown title
2004
Mueller (Kaiserslautern University), Bernd Reuther (Kaiserslautern University),
CaberNet Vision of Research and Technology Development in Distributed and Dependable Systems
Foreword: CaberNet is the Network of Excellence (NoE) in distributed and dependable systems. It is funded by the
Trust-Based Monitoring of Component-Structured Software
2004
In contrast to traditional software, component-structured systems are developed by combining independently designed and sold software components. This technology promises an easier reuse of software building blocks and, in consequence, a significant reduction of the efforts and costs to produce software applications. On the other side, component-structured software is subject to a new class of security threats. In particular, a maliciously acting component may easily spoil the application incorporating it. In this paper we introduce an approach addressing this particular threat. A so-called security wrapper monitors the events passing the interface of a component and checks them for compliance with formally specified security policies guaranteeing a benevolent behavior of the checked component. We introduce the layout and functionality of the wrappers and outline the formal security specifications which can be easily derived from a set of specification patterns. Unfortunately, the security wrappers cause runtime overhead which, however, can be significantly reduced by relaxing the degree of monitoring trustworthy components. In order to support the decision whether a component can be trusted, we developed a special trust information service. This service collects evaluation reports of a particular component running in various applications which are provided by the different security wrappers. Based on the evaluation reports, the trust information service computes a so-called trust value which is delivered to the security wrappers, and a wrapper adjusts the degree of supervision of a component based on its trust value. The use of the security wrappers as well as of the trust management approach is clarified by means of an e-commerce example realizing the automated procurement of goods for a fast-food restaurant.
Network of Excellence in Distributed and Dependable Computing Systems
2004
This document presents a CaberNet vision of Research and Technology Development (RTD) in Distributed and Dependable systems. It takes as a basis the state-of-the-art (SOTA) Report prepared by John Bates in 1998: this document was commissioned by CaberNet as a first step towards the definition of a roadmap for European research in distributed and dependable systems. This report overviewed the developments in the main areas to which the CaberNet members made outstanding contributions, which were the most important at the time of its preparation, and analysed the most important trends in R&D in those areas.
Confidentiality: Project Internal Dissemination Level: RE
Language and Method Guidelines, 1st version (Status: External release approved) Classification: (Confidential or open)
Service Specification by Composition of Collaborations — An Example
We outline a specification style for reactive services that focuses on UML 2.0 collaborations and activities as reusable specification building blocks. In contrast to traditional component-based approaches, a collaboration directly describes the interactions between the components as well as the internal behavior necessary for a component to take part in it. To compose services from such reusable collaborations, we use events identified as input and output pins on the activities that are connected together. While our approach is formally settled in temporal logic, in this paper we focus on an example specification from the viewpoint of a service engineer.