Detailed Table of Contents

Preface...... xiv

Acknowledgment...... xix

Section 1 Modeling for Dependability

Chapter 1 Towards a Holistic Approach to Fault Management: Wheels Within a Wheel...... 1 Moises Goldszmidt, Microsoft Corporation, USA Miroslaw Malek, Humboldt-Universität zu Berlin, Germany Simin Nadjm-Tehrani, Linköping University, Sweden Priya Narasimhan, Carnegie Mellon University, USA Felix Salfner, Humboldt-Universität zu Berlin, Germany Paul A. S. Ward, University of Waterloo, Canada John Wilkes, Google Inc., USA

This chapter argues that the problem of improving fault management systems can only be addressed in a holistic way. The authors analyze 6 realistic scenarios and explain why local optimizations will not be successful. Thus, existing approaches that only improve isolated steps of the fault management loop are likely to fail in practice, while the approach proposed in the chapter is viable and makes the improvement process more dynamic and adaptable.

Chapter 2 Exceptions for Dependability...... 11 Emil Sekerinski, McMaster University, Canada

This chapter studies the very interesting problem of exception handling. The author provides a systematic technical presentation of the theory of exception handling with try-catch statements, whose semantics is defined via weakest exceptional preconditions. The rules defined for a programming language enriched with try-catch statements and non-determinism can be used for reasoning about the correctness of programs in dependable systems.

Chapter 3 Network Availability for Distributed Applications...... 36 Luigia Petre, Åbo Akademi University, Kaisa Sere, Åbo Akademi University, Finland Marina Waldén, Åbo Akademi University, Finland

This chapter presents a formal model for network availability. The modelling language is provided by topological action systems and the network availability aspects are embedded onto a high-level specification that meets the functional requirements. The embedding is modelled via superposition refinement that ensures that the correctness properties of the distributed application are preserved.

Section 2 Ensuring Dependability

Chapter 4 Formal Stepwise Development of Scalable and Reliable Multiagent Systems...... 58 Denis Grotsev, Kazakh National University, Kazakhstan Alexei Iliasov, Newcastle University, UK Alexander Romanovsky, Newcastle University, UK

This chapter studies the development of large-scale, dynamically-reconfigurable multi-agent systems. The process is modelled via stepwise refinement and tool-supported by the Event-B formal framework. The required notions and constraints are introduced gradually, thus handling the complexity of these systems. Reliability and scalability are also ensured during the formal development process.

Chapter 5 Development of Safety-Critical Control Systems in Event-B Using FMEA...... 75 Yuliya Prokhorova, Åbo Akademi University, Finland Elena Troubitsyna, Åbo Akademi University, Finland Linas Laibinis, Åbo Akademi University, Finland Vyacheslav Kharchenko, National Aerospace University KhAI, Ukraine

This chapter proposes the integration of a safety analysis method – the Failure Mode and Effect Analysis – into the development process of control systems. The integration is carried out using the stepwise refinement approach, tool-supported by the Event-B formal framework. The proposed methodology is illustrated with a case study of a heater controller.

Chapter 6 Towards Designing FPGA-Based Systems by Refinement in B...... 92 Sergey Ostroumov, Åbo Akademi University, Finland Elena Troubitsyna, Åbo Akademi University, Finland Linas Laibinis, Åbo Akademi University, Finland Vyacheslav Kharchenko, National Aerospace University KhAI, Ukraine

This chapter presents a design methodology for developing a specific implementation for integrated circuits, namely the Field-Programmable Gate Array-based systems. The proposed framework is based on stepwise refinement and tool-supported by the Event-B formalism. The methodology is illustrated on a case study of an airplane anti-icing system.

Chapter 7 Online Testing of Nondeterministic Systems with the Reactive Planning Tester...... 113 Jüri Vain, Tallinn University of Technology, Estonia Marko Kääramees, Tallinn University of Technology, Estonia Maili Markvardt, Tallinn University of Technology, Estonia

This chapter provides an approach for reducing the computational effort of online testing via offline computation of the test targets and decisions. The authors demonstrate how to extend the model of the implementation under test with traps - the functions that indicate whether certain logical conditions are satisfied. The approach gives better test coverage compared to commonly used test strategies such as anti-ants and random choice. Thus, an alternative way of ensuring the dependability of systems is provided.

Chapter 8 Development of Controllers Using Simulink and Contract-Based Design...... 151 Pontus Boström, Åbo Akademi University, Finland Mikko Huova, Tampere University of Technology, Finland Marta (Pląska) Olszewska, Åbo Akademi University & Centre for , Finland Matti Linjama, Tampere University of Technology, Finland Mikko Heikkilä, Tampere University of Technology, Finland Kaisa Sere, Åbo Akademi University, Finland Marina Waldén, Åbo Akademi University, Finland

In this chapter, the authors propose a methodology for developing digital hydraulic controllers. Their approach is based on combining the formal contract-based design principles with the Simulink graphical language for the model-based design of control systems. The influence of the contracts on the development process and on the system quality is also analyzed.

Section 3 Security Fundamentals

Chapter 9 Modeling Security Goals and Software Vulnerabilities...... 171 David Byers, Linköping University, Sweden Nahid Shahmehri, Linköping University, Sweden

This chapter presents a graph-based language for modelling security goals and software vulnerabilities. This language is more general and can be used instead of earlier languages such as attack trees, vulnerability cause graphs, security activity graphs, and security goal indicator trees. The authors define two variants of their language, basic and extended, the latter being more expressive than the earlier modelling languages.

Chapter 10 A Method for Model-Driven Information Flow Security...... 199 Fredrik Seehusen, SINTEF, Norway Ketil Stølen, SINTEF, University of Oslo, Norway

In this chapter, the authors present a software development method that takes into account the security requirements throughout the development lifecycle. Their method is based on formally defined UML-inspired state machines. Each software component is modelled with such a state machine and can be transformed or refined so that the security requirements that the abstract specification adhered to are still satisfied in the concrete specification.

Chapter 11 Security of Dependable Systems...... 230 Naveed Ahmed, Technical University of Denmark, Denmark Christian Damsgaard Jensen, Technical University of Denmark, Denmark

This chapter proposes an operational definition of dependability that incorporates the notion of security. The authors argue that such integration is necessary due to the fact that security attacks are a major cause of failures in many dependable systems. The integration of the two notions is difficult due to the difference in nature between the two concepts. In particular, the concept of security is linked to (and, hence, measured in regard to) that of an adversary, which cannot be measured using the same means as dependability properties.

Section 4 Applied Security

Chapter 12 Application Security for Mobile Devices...... 266 Gabriele Costa, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy Aliaksandr Lazouski, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy Fabio Martinelli, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy Paolo Mori, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy

This chapter discusses three kinds of approaches proposed for ensuring the security of mobile devices. This is a highly relevant topic, due to the widespread use of mobile devices in our society. They are quite popular and powerful, thus enabling the development and consequent deployment of dedicated applications. However, the security of these applications has not developed at the same fast pace.

Chapter 13 Supporting Software Evolution for Open Smart Cards by Security-by-Contract...... 285 Nicola Dragoni, Technical University of Denmark, Denmark Olga Gadyatskya, University of Trento, Italy Fabio Massacci, University of Trento, Italy

Open multi-application smart cards that allow post-issuance loading of applets offer a very attractive platform. However, their implementation is problematic, especially due to the problems of ensuring the security of applications added after the issuance of the card. In this chapter the authors propose an extension of the Security-by-Contract approach to smart cards that can address this type of problem.

Chapter 14 SecInvest: Balancing Security Needs with Financial and Business Constraints...... 306 Siv Hilde Houmb, Secure-NOK AS, Norway Indrajit Ray, Colorado State University, USA Indrakshi Ray, Colorado State University, USA

This chapter addresses the problem of quantifying the benefits of security investments. The authors present not only the methodology for risk analysis, but also the tool support for it. Additionally, the risk factors are assessed in a cost versus asset manner, which makes the topic attractive from the financial, economic, and industrial point of view. The presentation of the material benefits from the use of a comparative case study.

Section 5 Analysis of Risks and Dependability

Chapter 15 Using Model-Driven Risk Analysis in Component-Based Development...... 330 Gyrd Brændeland, University of Oslo, Norway Ketil Stølen, University of Oslo, Norway

The advantages of component-based design are very important when the separated upgrading of the components does not pose a risk for the safety and security of the entire system. In this chapter, the authors propose an extension of a model-based risk analysis method towards addressing modularity. The obtained component-based risk analysis method is then stepwise integrated into a component-based development process.

Chapter 16 Uncertainty Handling in Weighted Dependency Trees: A Systematic Literature Review...... 381 Aida Omerovic, SINTEF & University of Oslo, Norway Amela Karahasanovic, SINTEF & University of Oslo, Norway Ketil Stølen, SINTEF & University of Oslo, Norway

This chapter presents a literature review on methodologies for modeling uncertainty in the context of system analysis based on weighted dependency trees. The authors indicate that the main properties that characterize and differentiate the various methodologies are precision, expressiveness, predictive accuracy, scalability on real-life systems, and comprehensibility. This review can serve as a resource for identifying the most suitable approach for a developer, given a certain context.

Chapter 17 Measuring the Progress of a System Development...... 417 Marta (Pląska) Olszewska, Åbo Akademi University, Finland & Turku Centre for Computer Science (TUCS), Finland Marina Waldén, Åbo Akademi University, Finland & Turku Centre for Computer Science (TUCS), Finland

This chapter addresses complexity in system development using a combination of and graphical notation. The formalism enables the developers to precisely specify system functionality, while the graphical notation enables them to maintain an overview and understanding of the complexity and size of the system. In particular, the graphical notation can be used to identify and remove potential conflicts with the project schedule and budget.

Chapter 18 Dependability Assessment of Two Network Supported Automotive Applications...... 442 Ossama Hamouda, Université de Toulouse, France Mohamed Kaâniche, Université de Toulouse, France Karama Kanoun, Université de Toulouse, France

In this chapter, the authors model and evaluate two dependability attributes, safety and availability, in the context of applications running on mobile ad-hoc networks. The chapter provides detailed simulations and an analysis based on stochastic activity networks for two specific such applications running on wireless devices communicating in the context of traffic congestion. A dependability assessment of such applications is a very interesting study, given the negative connotation of traffic congestion.

Chapter 19 Quantitative Reasoning About Dependability in Event-B: Probabilistic Model Checking Approach...... 459 Anton Tarasyuk, Åbo Akademi University, Finland & Turku Centre for Computer Science, Finland Elena Troubitsyna, Åbo Akademi University, Finland Linas Laibinis, Åbo Akademi University, Finland

In this chapter, the authors propose an extension to the correct-by-construction development paradigm promoted by various formal methods, such as Event-B. The extension is motivated by the need to also evaluate quantitatively the desired dependability level of a system in addition to its functional correctness. In practice, Event-B specifications are shown to be translatable to the PRISM symbolic model checker input format. This provides sufficient support for reasoning about reliability, while the correctness of the design refinement steps has already been verified.

Compilation of References...... 473

About the Contributors...... 500

Index...... 510