the rodin platform for incremental modelling in event b
play

The Rodin Platform for Incremental Modelling in Event-B Stefan - PowerPoint PPT Presentation

Apr 28, 2023 •434 likes •1.12k views

The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deployproject.eu Outline Complex Systems Modelling in Event-B Interplay of proof and modelling Worked

  1. The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deploy‐project.eu

  2. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 2

  3. Design of complex systems • Need for rigorous modelling • The main purpose of modelling is reasoning – to improve our understanding of the system – to clarify assumptions about the system – to increase quality of system model • Need for refinement – Too many details to address final system directly 3

  4. Reasoning about complex systems • Requires rigorous reasoning – Formal notation – Formal reasoning • This is offered by formal proof – Why prove? • To incrementally improve a model • To take advantage of failing proofs – What to prove? • Proof obligations associated with each model 4

  5. List of core Event-B proof obligations • Feasibility of events • Invariant preservation by events • Refinement of events • Introduction of new events • Convergence of events • Enabledness of events 5

  6. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 6

  7. Example of an Event-B machine Invariant properties: • inv1 : A user is authorised to be in certain rooms parameters • inv2 : A user can be guards at most in one room ac3ons • inv3 : A user can only be in rooms where he is authorised to be 7

  8. Preservation of in ⊆ auth by event enter • Proof obligation: invariant in ⊆ auth guards u / ∈ dom( in ) u �→ r ∈ auth modified invariant ⊢ in ∪ { u �→ r } ⊆ auth 8

  9. Use of proof obligations for modelling • Modelling is an incremental activity Modelling Proof Obligations Proving • Proof obligations are automatically generated 9

  10. Creating a model incrementally • What does this mean? • We do not demonstrate the actual tool “Rodin” – But focus on essential features – Removed everything that could distract • Aim: – To illustrate method and tool – Not to get distracted by features of the Rodin tool • By way of an example – Access to a secure building 10

  11. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 11

  12. Description of the secure access model • Abstract model – Users , Rooms – Entering/leaving rooms; adding/removing authorisations • Refined model – Tokens – Data-refinement of abstract model • The model itself is not of importance – But the way we create it is important 12

  13. Focus on three modelling scenarios • Adding events 1. Reasoning about guards and invariants • Refining an event 2. Reasoning about parameters 3. Reasoning about guards and invariants 13

  14. Layout of the modelling canvas Model Proof ☐ ☐ � ☐ Mode ☐ Proof ☐ Obliga3ons ☐ ☐ ☐ proof obliga3on: ☐ ☐ proof succeeded: � ☐ proof failed:  ☐ ☐ ☐ 14

  15. Colouring conventions for formulas Model Proof ☐ ☐ � constants are blue‐green parameters are red ☐ ☐ ☐ ☐ utok ( t ) �→ rtok ( t ) ∈ auth ☐ ☐ ☐ ☐ ☐ variables are blue ☐ ☐ 15

  16. Creation of the abstract model Model Proof Summary: ☐ ☐ � ☐ • Variables: in , auth ☐ ☐ • Events: ☐ ☐ – enter – enter building ☐ ☐ – leave – leave building ☐ ☐ – addAuth – add authorisation ☐ ☐ – remAuth – remove authorisation 16

  17. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ 17

  18. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 18

  19. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 19

  20. Location and authorisation of users Model Proof  invariants � inv 1 : auth ∈ User ↔ Room  inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 20

  21. Entering a room Model Proof  event enter � any  u, r ☐ when ☐ grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 21

  22. Entering a room Model Proof  event enter � any  u, r ☐ when ☐ grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ Proof obliga3on: then ☐ act 1 : in := in ∪ { u �→ r } ☐ Preserva3on of end invariant inv3 ☐ ☐ ☐ 22

  23. Entering a room Model Proof Preservation of invariant inv3  in ⊆ auth �  u / ∈ dom( in ) ☐ u �→ r ∈ auth ☐ ☐ ⊢ ☐ ☐ Proof obliga3on: in ∪ { u �→ r } ⊆ auth ☐ ☐ Preserva3on of invariant inv3 ☐ ☐ ☐ 23

  24. Entering a room Model Proof Preservation of invariant inv3  in ⊆ auth �  u / ∈ dom( in ) ☐ u �→ r ∈ auth  ☐ ⊢ ☐ ☐ Proof obliga3on: in ∪ { u �→ r } ⊆ auth ☐ ☐ Preserva3on of invariant inv3 ☐ ☐ ☐ 24

  25. Entering a room Model Proof  event enter � any  u, r ☐ when  grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 25

  26. Entering a room Model Proof  event enter � any  u, r � when  grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 26

  27. Leaving a room Model Proof  event leave � any  u � when  grd 1 : u ∈ dom( in ) ☐ ☐ then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 27

  28. Leaving a room Model Proof  event leave � any  u � when  grd 1 : u ∈ dom( in ) ☐ ☐ then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 28

  29. Leaving a room Model Proof  event leave � any  u � when  � grd 1 : u ∈ dom( in )  then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 29

  30. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room ☐ then ☐ act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 30

  31. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room ☐ then ☐ act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 31

  32. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 32

  33. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r } ☐ end ☐ ☐ ☐ 33

  34. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r } ☐ end ☐ ☐ ☐ 34

  35. Removing an authorisation Model Proof  event remAuth � any  u, r � when  Proof obliga3on: � grd 1 : u ∈ User  grd 2 : r ∈ Room Preserva3on of  then invariant inv3  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 35

  36. Removing an authorisation Model Proof Preservation of invariant inv3  in ⊆ auth �  u ∈ User Possible remedies: � r ∈ Room • Modify ac3on:  ➞ Remove user u from building � ⊢  • Modify guard:  in ⊆ auth \ { u �→ r } ➞ Require user u not in building   • Modify guard:  ➞ Require user u not in room r ☐ u �→ r �∈ in ☐ 36

  37. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 37

  38. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : u �→ r �∈ in  then  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 38

  39. Removing an authorisation Model Proof Preservation of invariant inv3  in ⊆ auth �  u ∈ User � u �→ r / ∈ in  � ⊢   in ⊆ auth \ { u �→ r }    ☐ ☐ 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Plugging external provers into the Rodin platform Laurent Voisin (Systerel) Rodin and Event-B

Plugging external provers into the Rodin platform Laurent Voisin (Systerel) Rodin and Event-B

Plugging external provers into the Rodin platform Laurent Voisin (Systerel) Rodin and Event-B An open platform for Event-B modelling and proving Designed to model reactive discrete systems by engineers (no PhD required) Based on the

373 views • 8 slides
SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines Tsutomu

SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines Tsutomu

SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines Tsutomu Kobayashi (University of Tokyo), Aivar Kripsaar (RWTH Aachen University), Fuyuki Ishikawa (NII, Japan), and Shinichi Honiden (NII, Japan) Rodin

625 views • 39 slides
Theory Plug-in for Rodin 3.0 T.S. Hoang 1 A. Salehi 1 M. Butler 1 L. Voisin 2 1 ECS, University of

Theory Plug-in for Rodin 3.0 T.S. Hoang 1 A. Salehi 1 M. Butler 1 L. Voisin 2 1 ECS, University of

Theory Plug-in for Rodin 3.0 T.S. Hoang 1 A. Salehi 1 M. Butler 1 L. Voisin 2 1 ECS, University of Southampton, U.K. 2 Systerel, France RODIN Workshop 2016 Linz, Austria 23rd May 2015 From Rodin 2.8 to Rodin 3.0 (1/2) Major (necessary) changes

506 views • 17 slides
The Rodin Roadmap Commi.ee Laurent Voisin 2018-11-10 Development of the Rodin plaDorm

The Rodin Roadmap Commi.ee Laurent Voisin 2018-11-10 Development of the Rodin plaDorm

The Rodin Roadmap Commi.ee Laurent Voisin 2018-11-10 Development of the Rodin plaDorm Development used to take place in European projects: RODIN (2004-2007) DEPLOY (2008-2012) ADVANCE (2012-2014) Then switched to naSonal projects But

492 views • 5 slides
Incremental Event Calculus for Run-Time Reasoning Efthimis Tsilionis, Alexander Artikis, Georgios

Incremental Event Calculus for Run-Time Reasoning Efthimis Tsilionis, Alexander Artikis, Georgios

Incremental Event Calculus for Run-Time Reasoning Efthimis Tsilionis, Alexander Artikis, Georgios Paliouras NCSR Demokritos http://cer.iit.demokritos.gr/ 16 April 2019 Motivation for Incremental CER Motivation for Incremental CER Delayed

642 views • 45 slides
A Formalised Framework for Incremental Modelling of On-Chip Communication Peter B ohm

A Formalised Framework for Incremental Modelling of On-Chip Communication Peter B ohm

A Formalised Framework for Incremental Modelling of On-Chip Communication Peter B ohm University of Oxford Computing Laboratory Designing Correct Circuits, March 2010 Introduction Motivation Goal Design of verified high-performance,

775 views • 33 slides
Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and Simulation) A formal basis for (low-level) representation of all discrete event modelling formalisms and simulator implementations

492 views • 26 slides
Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and Simulation) A formal basis for (low-level) representation of all discrete event modelling formalisms (and even others, after approximation)

660 views • 30 slides
Developing and Proving a Complicated System Model with Rodin Alexey Khoroshilov, Ilya

Developing and Proving a Complicated System Model with Rodin Alexey Khoroshilov, Ilya

June 2-3, 2014, Toulouse 5 th Rodin Workshop Developing and Proving a Complicated System Model with Rodin Alexey Khoroshilov, Ilya Shchepetkov {khoroshilov,shchepetkov}@ispras.ru Institute for System Programming of the Russian Academy of

261 views • 15 slides
Timed Discrete Event Modelling and Simulation extend State Automata with time in state

Timed Discrete Event Modelling and Simulation extend State Automata with time in state

Timed Discrete Event Modelling and Simulation extend State Automata with time in state equivalent to Event Graphs time to transition schedule events Hans Vangheluwe hv@cs.mcgill.ca Modelling and Simulation: Discrete

713 views • 54 slides
Dialogue Modelling, Language Processing Dynamics and Linguistic Knowledge Eleni

Dialogue Modelling, Language Processing Dynamics and Linguistic Knowledge Eleni

Linguistic knowledge: the relevance of dialogue Dialogue Modelling: new challenge, new data, new solutions Dynamic Syntax: incremental structure/content growth Grammar design Dialogue Modelling, Language Processing Dynamics and Linguistic

1.45k views • 120 slides
System Modelling and Design Refining Software Engineering Ken Robinson School of Computer

System Modelling and Design Refining Software Engineering Ken Robinson School of Computer

Outline System Modelling and Design Refining Software Engineering Ken Robinson School of Computer Science & Engineering The University of New South Wales, Sydney Australia Ken Robinson 2009 c mailto::k.robinson@unsw.edu.au Rodin

896 views • 67 slides
Modelling the Impact of Transmission Charging Options Project TransmiT Stakeholder Event 11 th

Modelling the Impact of Transmission Charging Options Project TransmiT Stakeholder Event 11 th

Modelling the Impact of Transmission Charging Options Project TransmiT Stakeholder Event 11 th August 2011 Date: 11 August 2011 Client : Ofgem Contents Background Objectives of the study Modelling methodology Key assumptions and

454 views • 16 slides
Constructive Identities for Physics Andrei Rodin 17 juillet 2014 Andrei Rodin Constructive

Constructive Identities for Physics Andrei Rodin 17 juillet 2014 Andrei Rodin Constructive

Outline Axiomatization of Physics Identity and Objecthood Conclusions Constructive Identities for Physics Andrei Rodin 17 juillet 2014 Andrei Rodin Constructive Identities for Physics Outline Axiomatization of Physics Identity and

934 views • 75 slides
From Event-driven modeling to Process monitoring Dr. Helge Hess IDS Scheer Event Processing

From Event-driven modeling to Process monitoring Dr. Helge Hess IDS Scheer Event Processing

From Event-driven modeling to Process monitoring Dr. Helge Hess IDS Scheer Event Processing Symposium 14 16 March 2006 Parallel session Workflow (BPM) IDS Scheer & ARIS Platform Platform IDS Scheer & ARIS Founded 1984 by

661 views • 30 slides
Extreme Event Modelling Zhou Introduction Theory and Liwei Wu Methods Asymptotic Supervisor:

Extreme Event Modelling Zhou Introduction Theory and Liwei Wu Methods Asymptotic Supervisor:

Extreme Event Modelling Liwei Wu Supervisor: Dr. Xiang Extreme Event Modelling Zhou Introduction Theory and Liwei Wu Methods Asymptotic Supervisor: Dr. Xiang Zhou Models Threshold Models Application Simulation of data from normal

671 views • 49 slides
Action Recognition and Detection with Deep Learning Yue Zhao Multimedia Lab, CUHK

Action Recognition and Detection with Deep Learning Yue Zhao Multimedia Lab, CUHK

Action Recognition and Detection with Deep Learning Yue Zhao Multimedia Lab, CUHK https://zhaoyue-zephyrus.github.io Why do we need to understand action? Various real-world applications Anomaly detection in video surveillance

751 views • 30 slides
31. . ArchJava A Lig ightweight Java Ext xtension fo for Archit itecture Provided and

31. . ArchJava A Lig ightweight Java Ext xtension fo for Archit itecture Provided and

Fakultt Informatik - Institut Software- und Multimediatechnik - Softwaretechnologie Prof. Amann - CBSE 31. . ArchJava A Lig ightweight Java Ext xtension fo for Archit itecture Provided and Required Ports and Servic ices

343 views • 11 slides
SMART CITIES Conference ITS Market Analysis Ju Pogaar doc. dr. Boris Horvat Abelium d.o.o.

SMART CITIES Conference ITS Market Analysis Ju Pogaar doc. dr. Boris Horvat Abelium d.o.o.

SMART CITIES Conference ITS Market Analysis Ju Pogaar doc. dr. Boris Horvat Abelium d.o.o. Contents 1. Smart passenger transport Key players Services Fees and payment Safety Community Differentials Conflicts 2.

581 views • 18 slides
Flexible Network Services as Frameworks? Zhi-Li Zhang Qwest Chair Professor & Distinguished

Flexible Network Services as Frameworks? Zhi-Li Zhang Qwest Chair Professor & Distinguished

Network Support for Emerging Applications: Flexible Network Services as Frameworks? Zhi-Li Zhang Qwest Chair Professor & Distinguished McKnight University Professor Dept. of Computer Science & Eng., University of Minnesota

795 views • 67 slides
COSC 1020 The StringTokenizer Class Yves Lesp erance Allows you to easily extract

COSC 1020 The StringTokenizer Class Yves Lesp erance Allows you to easily extract

COSC 1020 The StringTokenizer Class Yves Lesp erance Allows you to easily extract tokens/components from a String. e.g. import type.lang.*; import java.util.StringTokenizer; public class TokenizerEg { public static void main(String[]

311 views • 5 slides
CSE 3341: Principles of Programming Languages Recursive Descent Parsing Jeremy Morris 1

CSE 3341: Principles of Programming Languages Recursive Descent Parsing Jeremy Morris 1

CSE 3341: Principles of Programming Languages Recursive Descent Parsing Jeremy Morris 1 Parsing A grammar is a generator for a language The rules tell us how to create strings in the language A parser is a recognizer for a language

798 views • 32 slides
RaisingtheCurtainonCulturalDiversity:

RaisingtheCurtainonCulturalDiversity:

RaisingtheCurtainonCulturalDiversity: IntegratingInclusionintotheArts

624 views • 23 slides
Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Outline Review LL parsing Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm Constructing LR parsing tables 2 Top-Down Parsing: Review Top-Down Parsing: Review Top-down parsing expands a

470 views • 13 slides

More recommend