Results 1-10 of 55
Formal Modeling and Analysis of a Flash Filesystem in Alloy
Cited by 24 (5 self)
Abstract
This paper describes the formal modeling and analysis of a design for a flash-based filesystem in Alloy. We model the basic operations of a filesystem as well as features that are crucial to NAND flash hardware, such as wear-leveling and erase-unit reclamation. In addition, we address the issue of fault tolerance by modeling a mechanism for recovery from interrupted filesystem operations due to unexpected power loss. We analyze the correctness of our flash filesystem model by checking trace inclusion against a POSIX-compliant abstract filesystem, in which a file is modeled simply as an array of data elements. The analysis is fully automatic and complete within a finite scope.
The Margrave Tool for Firewall Analysis
Cited by 22 (5 self)
Abstract
Writing and maintaining firewall configurations can be challenging, even for experienced system administrators. Tools that uncover the consequences of configurations and edits to them can help sysadmins prevent subtle yet serious errors. Our tool, Margrave, offers powerful features for firewall analysis, including enumerating consequences of configuration edits, detecting overlaps and conflicts among rules, tracing firewall behavior to specific rules, and verification against security goals. Margrave differs from other firewall-analysis tools in supporting queries at multiple levels (rules, filters, firewalls, and networks of firewalls), comparing separate firewalls in a single query, supporting reflexive ACLs, and presenting exhaustive sets of concrete scenarios that embody queries. Margrave supports real-world firewall-configuration languages, decomposing them into multiple policies that capture different aspects of firewall functionality. We present evaluation on networking-forum posts and on an in-use enterprise firewall configuration.
Alchemy: Transmuting Base Alloy Specifications into Implementations
FSE, 2008
Cited by 12 (2 self)
Abstract
Alloy specifications are used to define lightweight models of systems. We present Alchemy, which compiles Alloy specifications into implementations that execute against persistent databases. Alchemy translates a subset of Alloy predicates into imperative update operations, and it converts facts into database integrity constraints that it maintains automatically in the face of these imperative actions. In addition to presenting the semantics and an algorithm for this compilation, we present the tool and outline its application to a nontrivial specification. We also discuss lessons learned about the relationship between Alloy specifications and imperative implementations.
Symbolic Bounded Model Checking of Abstract State Machines
2009
Cited by 8 (1 self)
Abstract
Abstract State Machines (ASMs) allow modeling system behaviors at any desired level of abstraction, including a level with rich data types, such as sets, sequences, maps, and user-defined data types. The availability of high-level data types allows state elements to be represented both abstractly and faithfully at the same time. In this paper we look at symbolic analysis of ASMs. We consider ASMs over a fixed state background T that includes linear arithmetic, sets, tuples, and maps. For symbolic analysis, ASMs are translated into guarded update systems called model programs. We formulate the problem of bounded path exploration of model programs, or the problem of Bounded Model Program Checking (BMPC), as a satisfiability problem modulo T. Then we investigate the boundaries of decidable and undecidable cases for BMPC. In a general setting, BMPC is shown to be highly undecidable (Σ¹₁-complete); and even when restricting to finite sets the problem remains r.e.-hard (Σ⁰₁-hard). On the other hand, BMPC is shown to be decidable for a class of basic model programs that are common in practice. We use Satisfiability Modulo Theories (SMT) for solving BMPC; an instance of the BMPC problem is mapped to a formula, the formula is satisfiable modulo T if and only if
Symbolic query exploration
In ICFEM'09, 2009
Cited by 7 (3 self)
Abstract
We study the problem of generating a database and parameters for a given parameterized SQL query satisfying a given test condition. We introduce a formal background theory that includes arithmetic, tuples, and sets, and translate the generation problem into a satisfiability or model generation problem modulo the background theory. We use the satisfiability modulo theories (SMT) solver Z3 in the concrete implementation. We describe an application of model generation in the context of the database unit testing framework of Visual Studio.
Input-Output Model Programs
2009
Cited by 5 (2 self)
Abstract
Model programs are used as high-level behavioral specifications typically representing abstract state machines. For modeling reactive systems, one uses input-output model programs, where the action vocabulary is divided between two conceptual players: the input player and the output player. The players share the action vocabulary and make moves that are labeled by actions according to their respective model programs. Conformance between the two model programs means that the output (input) player only makes output (input) moves that are allowed by the input (output) player's model program. In a bounded game, the total number of moves is fixed. Here model programs use a background theory T containing linear arithmetic, sets, and tuples. We formulate the bounded game conformance checking problem, or BGC, as a theorem proving problem modulo T and analyze its complexity.
Faithful mapping of model classes to mathematical structures
Int. Workshop on Specification and Verification of Component-Based Systems, 2007
Cited by 4 (0 self)
Abstract
Abstraction techniques are indispensable for the specification and verification of the functional behavior of programs. In object-oriented specification languages like JML, a powerful abstraction technique is the use of model classes, that is, classes that are only used for specification purposes and that provide object-oriented interfaces for essential mathematical concepts such as sets or relations. While the use of model classes in specifications is natural and powerful, they pose problems for verification. Program verifiers map model classes to their underlying logics. Flaws in a model class or the mapping can easily lead to unsoundness and incompleteness. This article proposes an approach for the faithful mapping of model classes to mathematical structures provided by the theorem prover of the program verifier at hand. Faithfulness means that a given model class semantically corresponds to the mathematical structure it is mapped to. Our approach enables reasoning about programs specified in terms of model classes. It also helps in writing consistent and complete model-class specifications as well as in identifying and checking redundant specifications.
Symbolic Bounded Model Checking of Abstract State Machines
2009
Cited by 4 (4 self)
Abstract
Abstract State Machines (ASMs) allow modeling system behaviors at any desired level of abstraction, including a level with rich data types, such as sets or sequences. The availability of high-level data types allows state elements to be represented both abstractly and faithfully at the same time. AsmL is a rich ASM-based specification and programming language. In this paper we look at symbolic analysis of model programs written in AsmL with a background T of linear arithmetic, sets, tuples, and maps. We first provide a rigorous account for the update semantics of AsmL in terms of T, and formulate the problem of bounded path exploration of model programs, or the problem of Bounded Model Program Checking (BMPC), as a satisfiability modulo T problem. Then we investigate the boundaries of decidable and undecidable cases for BMPC. In a general setting, BMPC is shown to be highly undecidable; it is effectively equivalent to satisfiability in second-order Peano arithmetic with sets (Σ¹₁-complete); and even when restricting to finite sets the problem is as hard as the halting problem of
Computational Logic in the Undergraduate Curriculum
Cited by 4 (1 self)
Abstract
Logic provides the mathematical basis for hardware design and software development. In fact, digital circuits and computer programs are logic formulas expressed in a formal language. Accordingly, educated computer scientists should have experience in reasoning about the formulas that their digital circuits and programs represent. An exemplary way to get this experience is to use computational logic in support of such reasoning. This paper searches the typical undergraduate curriculum in computer science for opportunities to include material on computational logic in the context of hardware and software design and implementation. It explains how computational logic has been included as an element of two courses required in most computer science programs. It discusses some successes and a few missteps that the author has experienced over the past nine years in developing this material and using it in the classroom, and it suggests opportunities for similar efforts in other courses.
Comparison of Model Checking Tools for Information Systems
Cited by 4 (0 self)
Abstract
This paper compares six model checkers (Alloy, cadp, fdr2, NuSMV, ProB, Spin) for the validation of information system specifications. The same case study (a library system) is specified using each model checker. Fifteen properties of various types are checked using temporal logics (CTL and LTL), first-order logic and failure-divergence refinement (fdr2). Three characteristics are evaluated: ease of specifying information system i) behavior, ii) properties, and iii) the number of IS entity instances that can be checked. The paper then identifies the most suitable features required to validate information systems using a model checker.