Multi-Formalism Specification and Verification in Verisoft (presentation transcript)



SLIDE 1

Multi-Formalism Specification and Verification in Verisoft

Thorsten Bormer

Universität Koblenz-Landau

June 15th, 2007

SLIDE 2

Component Overview

Layered figure of the Verisoft system (labels recovered from the slide):

- Application: Email Client (User Interface), Signature Module
- Networking / Communication: TCP/IP, Mail Server (SMTP)
- Software / System Software: Operating System, Microkernel, Memory Management, File System
- Hardware: Processor, Keyboard, Screen, Network
- Tools: Compiler, Host System

T. Bormer (UKL), June 15th, 2007

SLIDE 3

Specification/Implementation Layers

Layer diagram: Requirement Specification on top, System Specification below it; the system specification is made up of the Email Client and SMTP components.


SLIDE 4

Top level Specification: One Email Client...

Figure: the Email System as one composed component.

- Components: Email Client, Signature Module, SMTP + TCP/IP, Screen + Keyboard
- Interface operations: signMail, checkSig, getKey (Signature Module); sendMail, getMail (SMTP + TCP/IP); updateScreen (Screen + Keyboard)
- Event streams crossing the component boundary: screen/kbd events, network events


SLIDE 5

Top level Specification: One Email Client...

(Diagram of slide 4, repeated: screen/kbd events enter the Email Client on one side, network events pass through SMTP + TCP/IP on the other.)


SLIDE 6

Top level Specification: ... or Two Clients?

Figure: Two Communicating Email Systems.

Each of the two systems consists of an Email Client, a Signature Module (signMail, checkSig, getKey) and Screen + Keyboard (updateScreen), and receives its own screen/kbd events. The two systems are connected through SMTP + TCP/IP (sendMail, getMail), over which they communicate.


SLIDE 7

Specification using Histories

- Components communicate using events
- A history is a sequence of events: . . . , (sender, receiver, message), . . . (the figure shows the event flow between Signature, SMTP and Client)
- Specifications on histories can be combined
- The computation of a component is determined by the events it received


SLIDE 8

Example of Component Specification

Example from the Component Specification of the Email Client: "The user can enter any email at will." Let $m$ be a string representing an email message. The specification is the set of histories

$\{\, h \mid h = h_{init} \circ h' \;\wedge\; \exists k.\,(h' \downarrow_{kbd,email} = k \;\wedge\; \mathit{mailclientState}(h').\mathit{email} = m) \,\}$

i.e. every history that extends the initial history $h_{init}$ by a suffix $h'$ whose keyboard-to-client events $k$ leave the client with $m$ in its email buffer.
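As an added example that is not part of the original slides or of the Verisoft project, the following Python model makes the set comprehension executable: histories are tuples of (sender, receiver, message) events as on slide 7, the ↓ notation is read as projection onto one channel, and the component state is recomputed by replaying the events it received. The channel names kbd, email, smtp and screen, the keystroke encoding and the second specification no_send_before_entry are assumptions made for this example; it also illustrates the point of slide 7 that specifications on histories can be combined, here by intersecting the sets.

```python
from typing import Callable

# Added example, not Verisoft code: an executable model of the history-based
# specification on slides 7 and 8. Channel names and message encoding are
# assumptions made for the example.

Event = tuple[str, str, str]          # (sender, receiver, message), as on slide 7
History = tuple[Event, ...]


def project(h: History, sender: str, receiver: str) -> History:
    """h ↓ sender,receiver: the sub-history of events on one channel
    (assumed reading of the ↓ notation on slide 8)."""
    return tuple(e for e in h if e[0] == sender and e[1] == receiver)


def mailclient_state(h: History) -> dict[str, str]:
    """Replay the events the client received and return its state.
    Only the 'email' edit buffer is modelled; a keystroke appends its
    character, 'BACKSPACE' deletes one (both assumptions)."""
    email = ""
    for sender, receiver, msg in h:
        if (sender, receiver) == ("kbd", "email"):
            email = email[:-1] if msg == "BACKSPACE" else email + msg
    return {"email": email}


def concat(h_init: History, h_prime: History) -> History:
    """h_init ∘ h′"""
    return h_init + h_prime


def in_enter_email_spec(h: History, h_init: History, m: str) -> bool:
    """Membership test for
       {h | h = h_init ∘ h′ ∧ ∃k.(h′ ↓kbd,email = k ∧ mailclientState(h′).email = m)}.
    The witness k is the projection itself, so the existential is discharged
    by computing it. Because the client's computation is determined by the
    events it received (slide 7), its state can be computed from k alone."""
    if h[: len(h_init)] != h_init:
        return False                      # h does not extend h_init
    h_prime = h[len(h_init):]
    k = project(h_prime, "kbd", "email")
    assert mailclient_state(k) == mailclient_state(h_prime)  # state depends on received events only
    return mailclient_state(k)["email"] == m


Spec = Callable[[History], bool]


def conjoin(*specs: Spec) -> Spec:
    """A specification on histories is a set of histories, so combining two
    component specifications is intersection: a history must satisfy both."""
    return lambda h: all(s(h) for s in specs)


def no_send_before_entry(h: History) -> bool:
    """Second, constructed specification: nothing is handed to SMTP before
    the keyboard has delivered at least one character to the client."""
    seen_kbd = False
    for sender, receiver, _ in h:
        seen_kbd |= (sender, receiver) == ("kbd", "email")
        if (sender, receiver) == ("email", "smtp") and not seen_kbd:
            return False
    return True


# Constructed sample history: boot, the user types "hx", corrects it to "hi"
# (one screen refresh in between), then the client hands the mail to SMTP.
H_INIT: History = (("os", "email", "boot"),)
H_SAMPLE: History = concat(H_INIT, (
    ("kbd", "email", "h"),
    ("email", "screen", "refresh"),
    ("kbd", "email", "x"),
    ("kbd", "email", "BACKSPACE"),
    ("kbd", "email", "i"),
    ("email", "smtp", "sendMail"),
))

if __name__ == "__main__":
    spec = conjoin(lambda h: in_enter_email_spec(h, H_INIT, "hi"), no_send_before_entry)
    print("H_SAMPLE satisfies the combined specification:", spec(H_SAMPLE))
```

The membership test checks the prefix condition first and only then computes the projection, mirroring the two conjuncts of the formula; the internal assertion documents the slide 7 property that the replayed state does not depend on events the client never received.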


SLIDE 9

Specification/Implementation Layers

(Layer diagram of slide 3, repeated: Requirement Specification, System Specification, Email Client, SMTP.)


SLIDE 10

Specification/Implementation of the eMail Component

Layer diagram for the email component (labels recovered from the slide):

- Requirement Specification
- System Specification: Email Client, SMTP
- Component Spec.
- C0 Implementation: Event Loop, Mail Functions

The two parts of the implementation are specified in different formalisms: a Hoare Spec. for the Mail Functions and Statecharts for the Event Loop. The links between these formalisms and the layers above, marked A and B in the figure, are the open questions ("?").


SLIDE 11

Specification/Implementation of the eMail Component

(Diagram of slide 10, repeated.)


SLIDE 12

Specification with Automata

Statechart of the email client (labels recovered from the figure, grouped as far as the slide allows):

- Top-level modes: Command Mode and Run Mode; Run Mode contains Receive Mode and Send Mode
- Send Mode: Unsigned --sign [SUCCESS]--> Signed --send--> Sent; Edit Email with sub-states Not Changed / Changed (events typing, move cursor) and a history pseudostate H
- Receive Mode: Not Checked --check [SUCCESS]--> Checked; transition poll / new email arrived
- Key handling: Edit Pub. Key with sub-states Not Changed / Changed (events typing, move cursor) and a history pseudostate H; commands generate key pair, insert pub. key
- Entering and leaving the editors and viewers: edit | view, quit editing, quit viewing, quit viewing | editing


SLIDE 13

Relation: Implementation/Automata/Histories

Figure relating the three views of the email component:

- the statechart of slide 12 (repeated in the figure);
- the C0 Implementation, Proc main loop, one iteration of which is Update Screen → Get Command → Execute → Update Screen, annotated with Hoare-style {Pre} {Post} conditions;
- the Specification with Histories.


SLIDE 14

Enhancing Automata with Structure

Plain statechart fragment:

    Unsigned --sign [success]--> Signed

The same fragment enhanced with structure, i.e. state invariants and pre/post-conditions on the transition:

    Unsigned  (stateInv: mailLength > 0)  --[pre] sign / [post]-->  Signed  (stateInv: isSigned(mail))


SLIDE 15

Implementation of the Event Loop

Event Loop (C0 code from the slide; identifiers rejoined where the extraction split them):

    while (cmd != CMD_QUIT) {
        applicConfUpdateScreen(applicConf, osConf);   /* refresh the display            */
        osConfGetKeyStroke(osConf, key);              /* wait for one keystroke         */
        cmd = command(*key, applicConf->state);       /* key + current state -> command */
        applicConfUpdateScreen(applicConf, osConf);
        execute(applicConf, cmd, *key);               /* perform the command            */
    }


SLIDE 16

Connection Automaton ↔ C0

Current Status

- verified that the C0 implementation performs a single transition in the statechart
- still have to show that the 'event loop' implements the automaton

Verification of the 'event loop'

- prove using Hoare logic that one iteration always performs a valid transition
- prove using temporal logic that the event loop implements the automaton
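Added example, not the author's or the Verisoft project's code: a Python model of the Send Mode fragment from slides 12 and 14, with the state invariants mailLength > 0 and isSigned(mail) and [pre]/[post]-annotated transitions, driven by a loop that checks the first proof obligation of this slide on concrete runs, namely that every iteration performs a valid transition of the automaton. The Mail record, the toy signature SIG(...) (a tag, not a cryptographic signature), the typing action, the invariant chosen for Sent and the event names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Added example, not Verisoft code: Send Mode fragment of the statechart
# (slides 12 and 14) with state invariants and guarded transitions, plus an
# event loop that checks each iteration against the automaton.


@dataclass
class Mail:
    body: str
    signature: str = ""


def is_signed(mail: Mail) -> bool:
    """Constructed stand-in for the slide's isSigned(mail): a tag over the
    body, not a real cryptographic signature (assumption)."""
    return mail.signature == "SIG(" + mail.body + ")"


# State invariants from slide 14 (the one for Sent is an assumption).
STATE_INV: dict[str, Callable[[Mail], bool]] = {
    "Unsigned": lambda mail: len(mail.body) > 0,   # stateInv: mailLength > 0
    "Signed":   lambda mail: is_signed(mail),       # stateInv: isSigned(mail)
    "Sent":     lambda mail: is_signed(mail),       # assumption: only signed mail is sent
}


@dataclass
class Transition:
    source: str
    event: str
    target: str
    pre: Callable[[Mail], bool]             # [pre]
    action: Callable[[Mail], Mail]
    post: Callable[[Mail, Mail], bool]      # [post], relating old and new mail


def sign_action(mail: Mail) -> Mail:
    return Mail(mail.body, "SIG(" + mail.body + ")")


TRANSITIONS = [
    # [pre] sign / [post] of slide 14; 'sign [SUCCESS]' on slide 12
    Transition("Unsigned", "sign", "Signed",
               pre=lambda m: len(m.body) > 0,
               action=sign_action,
               post=lambda old, new: new.body == old.body and is_signed(new)),
    Transition("Signed", "send", "Sent",
               pre=lambda m: is_signed(m),
               action=lambda m: m,
               post=lambda old, new: new == old),
    # typing in Edit Email keeps the mail unsigned (assumed reading of slide 12);
    # the appended character is fixed for the example
    Transition("Unsigned", "typing", "Unsigned",
               pre=lambda m: True,
               action=lambda m: Mail(m.body + "!", ""),
               post=lambda old, new: len(new.body) > len(old.body) and new.signature == ""),
]


@dataclass
class Automaton:
    state: str
    mail: Mail


def step(aut: Automaton, event: str) -> Automaton:
    """One iteration of the event loop (slide 15: get command, execute),
    checked as a statechart transition: the source invariant holds, exactly
    one transition for (state, event) is enabled, its post-condition holds,
    and the target invariant holds afterwards."""
    if not STATE_INV[aut.state](aut.mail):
        raise AssertionError(f"state invariant of {aut.state} violated before step")
    enabled = [t for t in TRANSITIONS
               if t.source == aut.state and t.event == event and t.pre(aut.mail)]
    if len(enabled) != 1:
        raise AssertionError(f"no unique enabled transition for ({aut.state}, {event})")
    t = enabled[0]
    new_mail = t.action(aut.mail)
    if not t.post(aut.mail, new_mail):
        raise AssertionError(f"post-condition of {t.event} violated")
    if not STATE_INV[t.target](new_mail):
        raise AssertionError(f"state invariant of {t.target} violated after step")
    return Automaton(t.target, new_mail)


def run(aut: Automaton, events: list[str]) -> list[str]:
    """Event loop over a command sequence; returns the trace of visited states."""
    trace = [aut.state]
    for ev in events:
        aut = step(aut, ev)
        trace.append(aut.state)
    return trace


def is_valid_run(aut: Automaton, events: list[str]) -> bool:
    try:
        run(aut, events)
        return True
    except AssertionError:
        return False


if __name__ == "__main__":
    print(run(Automaton("Unsigned", Mail("hello")), ["typing", "sign", "send"]))
```

The checks inside step are exactly the per-iteration obligation the slide assigns to Hoare logic (invariant before, guard, post-condition, invariant after). The second obligation, that the loop as a whole implements the automaton, is a property of all infinite runs and is not established by running finitely many sequences through this model; that is where the temporal-logic proof comes in.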


SLIDE 17

Conclusion

- integration of specification/verification is a non-trivial task
- But: we're almost done!
- verification of the 'event loop' will be covered by my diploma thesis
- grateful for comments!


SLIDE 18

Thank you for your attention!
