SLIDE 1
2
Outline
- Complex Systems Modelling in Event-B
- Interplay of proof and modelling
- Worked example: Access to secure building
- Tool Animation
- Conclusion
The Rodin Platform for Incremental Modelling in Event-B Stefan - - PowerPoint PPT Presentation
The Rodin Platform for Incremental Modelling in Event-B Stefan - - PowerPoint PPT Presentation
The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deployproject.eu Outline Complex Systems Modelling in Event-B Interplay of proof and modelling Worked
SLIDE 2
SLIDE 3
3
Design of complex systems
- Need for rigorous modelling
- The main purpose of modelling is reasoning
– to improve our understanding of the system – to clarify assumptions about the system – to increase quality of system model
- Need for refinement
– Too many details to address final system directly
SLIDE 4
4
Reasoning about complex systems
- Requires rigorous reasoning
– Formal notation – Formal reasoning
- This is offered by formal proof
– Why prove?
- To incrementally improve a model
- To take advantage of failing proofs
– What to prove?
- Proof obligations associated with each model
SLIDE 5
5
List of core Event-B proof obligations
- Feasibility of events
- Invariant preservation by events
- Refinement of events
- Introduction of new events
- Convergence of events
- Enabledness of events
SLIDE 6
6
Outline
- Complex Systems Modelling in Event-B
- Interplay of proof and modelling
- Worked example: Access to secure building
- Tool Animation
- Conclusion
SLIDE 7
7
Example of an Event-B machine
Invariant properties:
- inv1 : A user is
authorised to be in certain rooms
- inv2 : A user can be
at most in one room
- inv3 : A user can only
be in rooms where he is authorised to be
guards parameters ac3ons
SLIDE 8
8
in ⊆ auth u / ∈ dom(in) u → r ∈ auth ⊢ in ∪ {u → r} ⊆ auth
Preservation of in⊆auth by event enter
- Proof obligation:
invariant guards modified invariant
SLIDE 9
9
- Modelling is an incremental activity
- Proof obligations are automatically generated
Modelling
Use of proof obligations for modelling
Proving Proof Obligations
SLIDE 10
10
Creating a model incrementally
- What does this mean?
- We do not demonstrate the actual tool “Rodin”
– But focus on essential features – Removed everything that could distract
- Aim:
– To illustrate method and tool – Not to get distracted by features of the Rodin tool
- By way of an example
– Access to a secure building
SLIDE 11
11
Outline
- Complex Systems Modelling in Event-B
- Interplay of proof and modelling
- Worked example: Access to secure building
- Tool Animation
- Conclusion
SLIDE 12
12
Description of the secure access model
- Abstract model
– Users, Rooms – Entering/leaving rooms; adding/removing authorisations
- Refined model
– Tokens – Data-refinement of abstract model
- The model itself is not of importance
– But the way we create it is important
SLIDE 13
13
Focus on three modelling scenarios
- Adding events
- 1. Reasoning about guards and invariants
- Refining an event
- 2. Reasoning about parameters
- 3. Reasoning about guards and invariants
SLIDE 14
14
Layout of the modelling canvas
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Mode Proof Obliga3ons
proof obliga3on: ☐ proof succeeded: proof failed:
SLIDE 15
15
Colouring conventions for formulas
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
utok(t) → rtok(t) ∈ auth
constants are blue‐green parameters are red variables are blue
SLIDE 16
16
Creation of the abstract model
Summary:
- Variables: in, auth
- Events:
– enter – enter building – leave – leave building – addAuth – add authorisation – remAuth – remove authorisation
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
SLIDE 17
17
Location and authorisation of users
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv1 : auth ∈ User ↔ Room inv2 : in ∈ User → Room inv3 : in ⊆ auth
SLIDE 18
18
Location and authorisation of users
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv1 : auth ∈ User ↔ Room inv2 : in ∈ User → Room inv3 : in ⊆ auth initialisation act1 : in := ∅ act2 : auth := ∅
SLIDE 19
19
Location and authorisation of users
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv1 : auth ∈ User ↔ Room inv2 : in ∈ User → Room inv3 : in ⊆ auth initialisation act1 : in := ∅ act2 : auth := ∅
SLIDE 20
20
Location and authorisation of users
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv1 : auth ∈ User ↔ Room inv2 : in ∈ User → Room inv3 : in ⊆ auth initialisation act1 : in := ∅ act2 : auth := ∅
SLIDE 21
21
Entering a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
SLIDE 22
22
Entering a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
Proof obliga3on: Preserva3on of invariant inv3
SLIDE 23
23
Entering a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Proof obliga3on: Preserva3on of invariant inv3 Preservation of invariant inv3
in ⊆ auth u / ∈ dom(in) u → r ∈ auth ⊢ in ∪ {u → r} ⊆ auth
SLIDE 24
24
Entering a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Proof obliga3on: Preserva3on of invariant inv3 Preservation of invariant inv3
in ⊆ auth u / ∈ dom(in) u → r ∈ auth ⊢ in ∪ {u → r} ⊆ auth
SLIDE 25
25
Entering a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
SLIDE 26
26
Entering a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
SLIDE 27
27
Leaving a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event leave any u when grd1 : u ∈ dom(in) then act1 : in := {u} ⊳ − in end
SLIDE 28
28
Leaving a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event leave any u when grd1 : u ∈ dom(in) then act1 : in := {u} ⊳ − in end
SLIDE 29
29
Leaving a room
Model Proof
☐ ☐ ☐ ☐ ☐ ☐
event leave any u when grd1 : u ∈ dom(in) then act1 : in := {u} ⊳ − in end
SLIDE 30
30
Adding an authorisation
Model Proof
☐ ☐ ☐ ☐ ☐ ☐
event addAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth ∪ {u → r} end
SLIDE 31
31
Adding an authorisation
Model Proof
☐ ☐ ☐ ☐ ☐ ☐
event addAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth ∪ {u → r} end
SLIDE 32
32
Adding an authorisation
Model Proof
☐ ☐ ☐ ☐
event addAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth ∪ {u → r} end
SLIDE 33
33
Removing an authorisation
Model Proof
☐ ☐ ☐ ☐
event remAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth \ {u → r} end
SLIDE 34
34
Removing an authorisation
Model Proof
☐ ☐ ☐ ☐
event remAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth \ {u → r} end
SLIDE 35
35
Removing an authorisation
Model Proof
☐ ☐
event remAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth \ {u → r} end
Proof obliga3on: Preserva3on of invariant inv3
SLIDE 36
36
Removing an authorisation
Model Proof
☐ ☐
in ⊆ auth u ∈ User r ∈ Room ⊢ in ⊆ auth \ {u → r}
Preservation of invariant inv3 Possible remedies:
- Modify ac3on:
➞ Remove user u from building
- Modify guard:
➞ Require user u not in building
- Modify guard:
➞ Require user u not in room r
u → r ∈ in
SLIDE 37
37
Removing an authorisation
Model Proof
☐ ☐
event remAuth any u, r when grd1 : u ∈ User grd2 : r ∈ Room then act1 : auth := auth \ {u → r} end
SLIDE 38
38
Removing an authorisation
Model Proof
☐ ☐
event remAuth any u, r when grd1 : u ∈ User grd2 : u → r ∈ in then act1 : auth := auth \ {u → r} end
SLIDE 39
39
Removing an authorisation
Model Proof
☐ ☐
in ⊆ auth u ∈ User u → r / ∈ in ⊢ in ⊆ auth \ {u → r}
Preservation of invariant inv3
SLIDE 40
40
Removing an authorisation
Model Proof
☐ ☐
in ⊆ auth u ∈ User u → r / ∈ in ⊢ in ⊆ auth \ {u → r}
Preservation of invariant inv3
SLIDE 41
41
Creation of the refined model
Summary:
- Variables: tok, auth
- Events:
– enter – enter building – other events not shown
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
SLIDE 42
42
Replacing Users and Rooms by Tokens
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
axioms axm1 : utok ∈ Token → User axm2 : rtok ∈ Token → Room
Abstract model of a record type with two fields utok and rtok
SLIDE 43
43
Replacing Users and Rooms by Tokens
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv4 : ∀ u, r · u → r ∈ in ⇔ ∃ t · t ∈ tok ∧ u = utok(t) ∧ r = rtok(t)
Using some set‐theore3c nota3on of Event‐B inv4 can be stated more concisely: in = utok−1 ; (tok ⊳ rtok)
SLIDE 44
44
Replacing Users and Rooms by Tokens
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv4 : in = utok−1 ; (tok ⊳ rtok)
SLIDE 45
45
Replacing Users and Rooms by Tokens
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv4 : in = utok−1 ; (tok ⊳ rtok) initialisation act1 : tok := ∅ act2 : auth := ∅
SLIDE 46
46
Replacing Users and Rooms by Tokens
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv4 : in = utok−1 ; (tok ⊳ rtok) initialisation act1 : tok := ∅ act2 : auth := ∅
SLIDE 47
47
Replacing Users and Rooms by Tokens
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
invariants inv4 : in = utok−1 ; (tok ⊳ rtok) initialisation act1 : tok := ∅ act2 : auth := ∅
SLIDE 48
48
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth then act1 : tok := tok ∪ {t} end
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
SLIDE 49
49
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth then act1 : tok := tok ∪ {t} end
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
SLIDE 50
50
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth then act1 : tok := tok ∪ {t} end
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
Proof obliga3on: Strengthening of guard grd2
SLIDE 51
51
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ u → r ∈ auth
Strengthening of guard grd2 Must relate t to u and r Choose witnesses for u and r:
u = utok(t) r = rtok(t)
SLIDE 52
52
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth then act1 : tok := tok ∪ {t} end
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
SLIDE 53
53
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth with u | u = utok(t) r | r = rtok(t) then act1 : tok := tok ∪ {t} end
SLIDE 54
54
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd2
t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) → rtok(t) ∈ auth
SLIDE 55
55
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd2
t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) → rtok(t) ∈ auth
Proof obliga3on: Strengthening of guard grd1
SLIDE 56
56
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth with u | u = utok(t) r | r = rtok(t) then act1 : tok := tok ∪ {t} end
Proof obliga3on: Strengthening of guard grd1
SLIDE 57
57
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd1
in = utok−1 ; (tok ⊳ rtok) t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) / ∈ dom(in)
SLIDE 58
58
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd1
in = utok−1 ; (tok ⊳ rtok) t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) / ∈ dom(utok−1 ; (tok ⊳ rtok))
SLIDE 59
59
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd1
in = utok−1 ; (tok ⊳ rtok) t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) / ∈ dom((utok−1 ⊲ tok) ; rtok)
rtok is total
SLIDE 60
60
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd1
in = utok−1 ; (tok ⊳ rtok) t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) / ∈ dom(utok−1 ⊲ tok)
SLIDE 61
61
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
Strengthening of guard grd1
in = utok−1 ; (tok ⊳ rtok) t ∈ tok utok(t) → rtok(t) ∈ auth ⊢ utok(t) / ∈ utok[tok]
Guard is too weak. is a beSer choice for guard grd1
t ∈ tok utok(t) / ∈ utok[tok]
SLIDE 62
62
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
event enter any t when grd1 : t ∈ tok grd2 : utok(t) → rtok(t) ∈ auth with u | u = utok(t) r | r = rtok(t) then act1 : tok := tok ∪ {t} end
SLIDE 63
63
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
event enter any t when grd1 : utok(t) ∈ utok[tok] grd2 : utok(t) → rtok(t) ∈ auth with u | u = utok(t) r | r = rtok(t) then act1 : tok := tok ∪ {t} end
SLIDE 64
64
Entering a room (refined model)
Model Proof
☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐
abstract event enter any u, r when grd1 : u ∈ dom(in) grd2 : u → r ∈ auth then act1 : in := in ∪ {u → r} end
event enter any t when grd1 : utok(t) ∈ utok[tok] grd2 : utok(t) → rtok(t) ∈ auth with u | u = utok(t) r | r = rtok(t) then act1 : tok := tok ∪ {t} end
SLIDE 65
65
Outline
- Complex Systems Modelling in Event-B
- Interplay of proof and modelling
- Worked example: Access to secure building
- Tool Animation
- Conclusion
SLIDE 66
66
Conclusion
- Close relationship between modelling and proving
- Proof can give hints for improvements of model
- Incremental modelling based on heuristics
– As opposed to refinement based on proof
- There was no time to show
– finding invariants by inspection of proofs – modifying an abstract model to improve a refinement
SLIDE 67
67
Community
- Web:
– www.event-b.org – wiki.event-b.org
- Credits