Formal Methods and Cryptography, Lecture 24 (PowerPoint presentation)

Formal Methods (slide 2)
     Logical foundations of computer science
     A language that machines can understand


  1. Modeling (slide 6)
     e.g. Dolev-Yao
     Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms
     Operations: send/receive terms; pick "nonces"; pair/separate; "encrypt"/"decrypt"
     For each user X, public operation E_X and private operation D_X
     D_X(E_X(m)) can be rewritten as m
     Separate(Pair(a,b)) gives a,b
     No other rewritings; each party can use terms it received and rewrite them (according to the protocol); the adversary can obtain the closure of all terms sent out in the network

  2. Security Properties (slide 7)
     Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)
     Event: input/output/communication by parties or adversary
     A security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property
     e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)]) and the adversary also outputting R (event [Eve:(output,R)])
     e.g.: (in BAN logic) "(A believes B said X) at some point ⇒ (B said X) before that point"

  3. Security Properties (slide 8)
     Security in spi calculus (inherited from pi calculus) is essentially the same as simulation-based security
     Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs
     To define security of a protocol, define an ideal protocol (think of it as an ideal functionality combined with a simulator for the "dummy adversary") and require that the two systems are observationally equivalent
     (But spi calculus incorporates an ideal shared-key encryption and no other cryptographic features; typically limited to secure communication tasks)

  4. An Example (slide 9)
     Needham-Schroeder-Lowe (public-key) protocol
     For "mutual authentication"
     Or, for "key agreement"
     Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public key it already has)
     The nonce should be useful as a secret shared key
     Most formal frameworks use this as an example, to show that they can find the bug in the original Needham-Schroeder protocol (1978)
     Or new bugs in extended settings

  5. NSL protocol, from [Canetti-Herzog 2006] (slide 10). The two programs run side by side; the initiator's and responder's columns are separated here.

     Initiator (M_init):
       initialize(self, other);
       newrandom(na);
       pair(self, na, a_na);
       encrypt(other, a_na, a_na_enc);
       send(a_na_enc);
       receive(b_na_nb_enc);
       decrypt(self, b_na_nb_enc, b_na_nb);
       separate(b_na_nb, b, na_nb);
       test(b == other);
       separate(na_nb, na2, nb);
       test(na == na2);
       encrypt(other, nb, nb_enc);
       send(nb_enc);
       pair(self, other, a_b);
       pair(a_b, x, a_b_x);
       pair(Finished, a_b_x, out);
       output(out);
       done;

     Responder (M_resp):
       initialize(self, other);
       receive(a_na_enc);
       decrypt(self, a_na_enc, a_na);
       separate(a_na, a, na);
       test(a == other);
       newrandom(nb);
       pair(other, na, b_na);
       pair(b_na, nb, b_na_nb);
       encrypt(other, b_na_nb, b_na_nb_enc);
       send(b_na_nb_enc);
       receive(nb_enc);
       decrypt(self, nb_enc, nb2);
       test(nb == nb2);
       pair(self, x, b_a_x);
       pair(Finished, b_a_x, out);
       output(out);
       done;

     Version 1: x = na (Initiator's nonce output as secret key)
     Version 2: x = nb (Responder's nonce output as secret key)
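The following Python is an added example, not code from the lecture or from Canetti-Herzog. It implements the Dolev-Yao term algebra of slide 6 (pair/separate, E_X/D_X with D_X(E_X(m)) → m as the only rewritings, and the adversary's closure of everything sent on the network), runs one honest session of the NSL program of slide 10 with either nonce chosen as the key, and then evaluates the slide-7 trace property: the trace is insecure if Alice outputs key R and Eve can also output R. The nonce names `na#1`/`nb#1`, the agent names and the `leak` flag (a constructed flaw that sends the key in the clear, so that the check can be seen to fire) are assumptions of the example.

```python
from typing import FrozenSet, List, Optional, Set, Tuple, Union

# Term algebra (slide 6): atoms (agent names, nonces, the tag "Finished") are
# strings; pairs and public-key encryptions are hashable tagged tuples.
Term = Union[str, tuple]

def pair(a: Term, b: Term) -> Term:
    return ("pair", a, b)

def separate(t: Term) -> Tuple[Term, Term]:      # Separate(Pair(a, b)) -> a, b
    assert isinstance(t, tuple) and t[0] == "pair", "separate: not a pair"
    return t[1], t[2]

def encrypt(agent: str, m: Term) -> Term:         # E_agent(m): public operation
    return ("enc", agent, m)

def decrypt(agent: str, t: Term) -> Term:         # D_agent(E_agent(m)) -> m
    assert isinstance(t, tuple) and t[0] == "enc" and t[1] == agent, "decrypt: stuck"
    return t[2]

def analyze(known: Set[Term], priv: FrozenSet[str]) -> FrozenSet[Term]:
    """Closure of `known` under separate, and under decrypt for keys in `priv`.
    These are the only rewritings, so this is all the adversary can take apart."""
    k, todo = set(known), list(known)
    while todo:
        t = todo.pop()
        parts: List[Term] = []
        if isinstance(t, tuple) and t[0] == "pair":
            parts = [t[1], t[2]]
        elif isinstance(t, tuple) and t[0] == "enc" and t[1] in priv:
            parts = [t[2]]
        for p in parts:
            if p not in k:
                k.add(p)
                todo.append(p)
    return frozenset(k)

def derivable(t: Term, analyzed: FrozenSet[Term]) -> bool:
    """Can the adversary build t from `analyzed` by pairing and encrypting?"""
    if t in analyzed:
        return True
    if isinstance(t, tuple) and t[0] == "pair":
        return derivable(t[1], analyzed) and derivable(t[2], analyzed)
    if isinstance(t, tuple) and t[0] == "enc":
        return derivable(t[2], analyzed)          # every public key is public
    return False
Event = Tuple[str, str, Term]                     # (party, kind, term)

def run_nsl(version: int, leak: bool = False) -> Tuple[List[Event], List[Term]]:
    """One honest NSL session (slide 10) between Alice and Bob on a network the
    adversary reads. Version 1 outputs na as the key, version 2 outputs nb.
    leak=True adds a constructed bug: the initiator also sends the key in clear."""
    trace: List[Event] = []
    wire: List[Term] = []
    def send(who: str, m: Term) -> None:
        wire.append(m)
        trace.append((who, "send", m))
    A, B = "Alice", "Bob"
    na, nb = "na#1", "nb#1"                       # fresh nonces (constructed names)
    send(A, encrypt(B, pair(A, na)))              # 1. A -> B: E_B(A, na)
    a, na_r = separate(decrypt(B, wire[0]))       # B: test(a == other)
    assert a == A
    send(B, encrypt(A, pair(pair(B, na_r), nb)))  # 2. B -> A: E_A((B, na), nb)
    b_na, nb_i = separate(decrypt(A, wire[1]))    # A: test(b == other), test(na == na2)
    b, na2 = separate(b_na)
    assert b == B and na2 == na
    send(A, encrypt(B, nb_i))                     # 3. A -> B: E_B(nb)
    if leak:
        send(A, na if version == 1 else nb_i)     # constructed flaw, not part of NSL
    assert decrypt(B, wire[2]) == nb              # B: test(nb == nb2)
    x_a = na if version == 1 else nb_i
    x_b = na_r if version == 1 else nb
    trace.append((A, "output", pair("Finished", pair(pair(A, B), x_a))))
    trace.append((B, "output", pair("Finished", pair(pair(B, A), x_b))))
    return trace, wire

def key_of(out: Term) -> Term:                    # (Finished, ((X, Y), x)) -> x
    return separate(separate(out)[1])[1]

def agreed_key(trace: List[Event]) -> Optional[Term]:
    """The key both parties output, or None if they disagree or did not finish."""
    keys = {who: key_of(term) for who, kind, term in trace if kind == "output"}
    return keys.get("Alice") if keys.get("Alice") == keys.get("Bob") else None

def trace_is_secure(trace: List[Event], wire: List[Term]) -> bool:
    """Slide-7 property: insecure if Alice outputs key R and Eve can also output R.
    Eve knows all names, her own private key and every term sent on the wire."""
    analyzed = analyze(set(wire) | {"Alice", "Bob", "Eve"}, frozenset({"Eve"}))
    for who, kind, term in trace:
        if who == "Alice" and kind == "output" and derivable(key_of(term), analyzed):
            return False                           # Eve could emit [Eve:(output, R)]
    return True

if __name__ == "__main__":
    for v in (1, 2):
        t, w = run_nsl(v)
        print(f"NSL version {v}: key={agreed_key(t)} secure={trace_is_secure(t, w)}")
    t, w = run_nsl(1, leak=True)
    print(f"leaky variant: secure={trace_is_secure(t, w)}")
```

The point of the model is the separation between analysis (`analyze`, which applies only the rewritings the algebra permits) and synthesis (`derivable`, which lets the adversary pair and encrypt under any public key). Because nonces are atoms, Eve can output R only if R falls out of the closure, which is exactly the slide-7 insecurity event; the honest run passes for both versions, and the constructed leaky variant is flagged. A single honest interleaving is of course only one valid trace, which is why slide 11 stresses that exploring traces finds flaws but does not on its own prove security.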

  6. Automated Analysis (slide 11)
     Not necessarily very efficient
     Often NP-hard (or even PSPACE-hard). Typical algorithms are exponential in the size of the system
     Typically undecidable when allowing an unbounded number of concurrent sessions
     Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (single session)
     Sometimes state exploration (using model-checking tools) can be used to discover (some) flaws, but it does not prove security

  7. What does Security in a Formal Model mean? (slide 12)
     "Encryption" as proposed in most of the formal models is attributed message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while being required to be deterministic)
     Possibly achievable in the random-oracle model or generic-group model
     Security guarantee similar in spirit to these heuristic models
     Security against adversaries who use only operations permitted by the formal model

  8. What does Security in a Formal Model mean? (slide 13)
     Can we develop strong underlying crypto primitives to implement the "encryption" as used in these formal models?
     Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model
     A formal model is "sound" if we can do the following:
       Translate a protocol in the computational model to the formal model (in a specific format, using only specific primitives).
       Get a security guarantee for it in the formal model.
       This should imply security of the original protocol in the computational model (if the primitives satisfy certain security definitions).
     Soundness is a property of the formal model and the formal security property, for the computational task and the primitive used

  9. Soundness of Formal Models (slide 14)
     Initiated by Abadi-Rogaway (2001)
     Shows soundness for a class of protocols/tasks, if CCA-secure encryption is mapped to ideal encryption in a formal model, and a certain security property is proven in the formal model
     Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi calculus)
     Recent works incorporate signatures, NIZK proofs etc.
     Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption)
     A somewhat general framework by Backes et al. (CCS 2009)

  10. Soundness of Formal Models (slide 15)
     Several challenges
     Traditional models are usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness
     If the model is too general, it becomes hard or intractable to reason about automatically
     Promising approach: Universal Composition -- require stronger per-session security that allows the analysis to be decomposed per session
     Only a few security properties have been considered (related to authentication and secure communication). Need to identify automatically verifiable (and sufficient) criteria for each new task

  11. Universal Composition (slide 16)
     Recall: security guarantee (in the computational model) in terms of an ideal functionality (can be used in a formal model)
     From [GMW'87]. Used by [Pfitzmann-Waidner'01] and [Canetti'01]
     UC Security [Canetti'01]: security is defined for one session of the protocol, in the presence of an arbitrary environment
     Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions
     Drawback: a strong security requirement that is more "expensive" to realize
     Advantages: 1. Security for concurrent sessions. 2. Easy to use as a sub-module in higher-level protocols and analyze security. Analysis of higher-level protocols is often "automatable"

  12. Composition Logic (slide 17)
     Ongoing research
     Protocol Composition Logic of Mitchell et al.
     Formal model and soundness theorems by Canetti-Herzog
