
09381 Extended Abstract Collection

Refinement Based Methods for the Construction of Dependable Systems
Dagstuhl Seminar

Jean-Raymond Abrial (1), Michael Butler (2), Rajeev Joshi (3), Elena Troubitsyna (4) and Jim C. P. Woodcock (5)

1 ETH Zürich, CH
2 University of Southampton, GB
3 Jet Propulsion Laboratory, USA
4 Aabo Akademi University - Turku, FIN
5 University of York, GB

Abstract. With our growing reliance on computers, the total societal costs of their failures are hard to overestimate. Nowadays computers control critical systems from various domains such as aerospace, automotive, railway, business etc. Obviously, such systems must have a high degree of dependability, i.e. a degree of trust that can be justifiably placed on them. Although the currently operating systems do have an acceptable level of dependability, we believe that their development process is still rather immature and ad hoc. The constantly growing system complexity poses an increasing challenge to system developers and requires significant improvement of existing development practice. To address this problem, we investigated how to establish a set of refinement-based engineering methods that can provide designers with a systematic methodology for the development of complex systems.

Keywords. Specification, refinement, verification, modelling, dependable systems

Executive summary

The seminar brought together academics who are experts in the area of dependability and formal methods and industry practitioners who are working on developing dependable systems. The industry practitioners described their experience and the challenges posed by formal modelling and verification.
The academics tried to address these challenges while describing their research work. The seminar proceeded in a highly interactive manner and provided us with an excellent opportunity to share experience. One of the outcomes of the seminar was the identification of the following list of challenging issues faced by industrial users of formal methods:

- Team-based development
- Dealing with heavy model re-factoring
- Linking requirements engineering and FMs
- Abstraction is difficult
- Refinement strategies are difficult to develop
- Guidelines for method and tool selection
- Keeping models and code in sync
- Real-time modelling
- Supporting reuse and variants
- Proof automation
- Proof reuse
- Handling complex data structures
- Code generation
- Test case generation
- Handling assumptions about the environment

The seminar encouraged knowledge transfer between several major initiatives in the area of formal engineering of computer-based systems. We gained a good understanding of the advances made within the EU-funded project Deploy, "Industrial deployment of system engineering methods providing high dependability and productivity". The project aims at the integration of formal engineering methods into existing development practice in such areas as the automotive industry, railways, space and business domains. The participants described the advantages and problems of refinement-based development using Event-B and the Rodin tool platform. The advances made within the Grand Challenge in Verified Software initiative were described by the researchers working on the Mondex system and a verified file store. Several large-scale experiments on system development and software verification were presented by researchers working in the software industry.

Dagstuhl Seminar Proceedings 09381, Refinement Based Methods for the Construction of Dependable Systems, http://drops.dagstuhl.de/opus/volltexte/2010/2374
Discussions of such topics as foundations of program refinement, verification, theorem proving, techniques for ensuring dependability, automatic tool support for system development and verification, modelling concurrency and many others resulted in several new joint research initiatives and collaborative works. This document consists of two parts: the first is a collection of short abstracts of talks and the second is the collection of extended abstracts.

Part 1. Short Abstracts

Refinement of programs of distributed agents
Egon Boerger (University of Pisa, IT)

We present a notion of program refinement and refinement correctness that works for stepwise refining programs to be used in runs of distributed agents. As a case study we investigate an implementation of synchronous message passing by semaphores together with its correctness proof. This is ongoing joint work with Iain Craig (Birmingham) and part of a larger project to model and verify operating system kernels.

Security specification: completeness, feasibility, refinement
Eerke Boiten (University of Kent, GB)

The formal methods and refinement community should be able to contribute to the specification and verification of security protocols. This talk describes a few of the essential differences, or problems. First, security properties go beyond functional correctness, and are fundamentally different for different applications. Moreover, tomorrow's attacks may not be anticipated by yesterday's security properties. Second, notions of security may not be absolute: it may be good enough if guessing our secret is merely hard rather than impossible, and in some cases that may be provably the best we can get. Where does that leave us in wanting to provide security protocols "correct by construction"?
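As an added illustration of the case study named in Egon Boerger's abstract above (this is not the Boerger and Craig model, proof or code, and not part of the proceedings): a synchronous rendezvous channel, which abstractly performs send and receive as one joint step, implemented concretely with two counting semaphores and a lock that serialises senders. The trace check states the correctness condition in executable form: every send returns only after the matching receive has taken the message. The SyncChannel API, the trace event names and the sample messages are assumptions made for this example.

```python
"""Added example: synchronous message passing implemented with semaphores.
Not the Boerger/Craig development; channel API and trace format are constructed."""

import threading
from typing import Any, List, Tuple

Trace = List[Tuple[str, Any]]


class SyncChannel:
    """Abstract view: send(m) and recv() are one joint step.
    Concrete view: 'ready' counts messages placed in the slot,
    'taken' counts messages removed by a receiver."""

    def __init__(self, trace: Trace) -> None:
        self._slot: Any = None
        self._ready = threading.Semaphore(0)   # a message is waiting in the slot
        self._taken = threading.Semaphore(0)   # the receiver has removed it
        self._senders = threading.Lock()       # one sender owns the slot at a time
        self._trace = trace                    # shared event log (list.append is atomic)

    def send(self, msg: Any) -> None:
        with self._senders:
            self._slot = msg
            self._ready.release()
            self._taken.acquire()              # rendezvous: block until the receiver has it
            self._trace.append(("send_done", msg))

    def recv(self) -> Any:
        self._ready.acquire()
        msg = self._slot
        self._trace.append(("recv", msg))      # logged before signalling, so order is fixed
        self._taken.release()
        return msg


def run_rendezvous(messages: List[Any], n_senders: int = 1) -> Trace:
    """Run n_senders sender threads (messages dealt round-robin) and one receiver;
    return the event trace."""
    trace: Trace = []
    ch = SyncChannel(trace)
    chunks = [messages[i::n_senders] for i in range(n_senders)]

    def sender(chunk: List[Any]) -> None:
        for m in chunk:
            ch.send(m)

    def receiver() -> None:
        for _ in messages:
            ch.recv()

    threads = [threading.Thread(target=sender, args=(c,)) for c in chunks]
    threads.append(threading.Thread(target=receiver))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return trace


def is_synchronous(trace: Trace) -> bool:
    """Correctness condition: the trace is a sequence of adjacent pairs
    ('recv', m) followed by ('send_done', m), i.e. no send completes before
    its message has been received, and no second message enters the slot
    before the first exchange has completed."""
    if len(trace) % 2:
        return False
    for i in range(0, len(trace), 2):
        (ev1, m1), (ev2, m2) = trace[i], trace[i + 1]
        if ev1 != "recv" or ev2 != "send_done" or m1 != m2:
            return False
    return True


if __name__ == "__main__":
    t = run_rendezvous(["a", "b", "c"])
    print(t, is_synchronous(t))
```

With one sender the trace is fully determined, so the check can compare it against the expected sequence; with several senders only the pairing property is deterministic, which is exactly the property the rendezvous must guarantee.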
An overview of the Rodin toolset
Michael Butler (University of Southampton, GB)

Rodin is a toolset for the Event-B language and refinement method. The core functionality includes support for static checking of models, generation of consistency and refinement proof obligations, and automatic and interactive proof. A key design consideration is support for the interaction between modelling and proof. A further key design consideration is an open architecture that enables extension to support additional modelling and analysis functionality. The toolset is implemented on Eclipse and is open source.

A roadmap for the Rodin toolset
Michael Butler (University of Southampton, GB)

Event-B is a formal method for system-level modelling and analysis. Key features of Event-B are the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels. The Rodin Platform (6) is an Eclipse-based toolset for Event-B that provides effective support for refinement and mathematical proof. Key aspects of the platform are support for abstract modelling in Event-B, support for refinement proof, extensibility, and open source. To support modelling and refinement proofs Rodin contains a modelling database surrounded by various plug-ins: a static checker, a proof obligation generator, and automated and interactive provers. The extensibility of the platform has allowed for the integration of various plug-ins such as a model checker (ProB), animators, a UML-B transformer and a LaTeX generator. The database approach provides great flexibility, allowing the tool to be extended and adapted easily. It also facilitates incremental development and analysis of models. The platform is open source, contributes to the Eclipse framework and uses the Eclipse extension mechanisms to enable the integration of plug-ins.

Joint work of: Abrial, Jean-Raymond; Butler, Michael; Hallerstede, Stefan; Voisin, Laurent

6 Available from www.event-b.org

Challenges in Applying Formal Methods - SME view
Mathieu Clabaut (SYSTEREL Aix en Provence, FR)

This paper outlines past and foreseen challenges in applying both classical B and Event-B to design safety-related systems in an SME.

On Proving with Event-B that a Pipelined Processor Model Implements its ISA Specification
John Colley (University of Southampton, GB)

Microprocessor pipelining is a well-established technique that improves performance and reduces power consumption by overlapping instruction execution. Verifying, however, that an implementation meets its ISA specification is complex and time-consuming. One of the key verification issues that must be addressed is that of overlapping instruction execution. This can introduce hazards where, for instance, a new instruction reads the value from a register which will be written by an earlier instruction that has not yet completed. Using Event-B's support for refinement with automated proof, a method is explored where the abstract machine directly represents an instruction from the ISA that specifies the effect the instruction has on the microprocessor register file. Refinement is then used systematically to derive a concrete, pipelined execution of that instruction. Microarchitectural considerations are raised to the specification level and design choices can be verified much earlier in the flow. The method proposed therefore has the potential to be integrated into an existing high-level synthesis methodology, providing an automated design and verification flow from high-level specification to hardware.

Joint work of: Colley, John; Butler, Michael

Mechanising a correctness proof for a lock-free stack
John Derrick (Sheffield University, GB)

Concurrent objects are inherently complex
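As an added example for the Colley and Butler abstract above (not their Event-B development, and not code from the proceedings): a tiny register-machine ISA serves as the abstract machine, a three-stage pipelined execution as the concrete machine, and a refinement check compares the two register files after every prefix of a program has retired. The instruction set (addi, add), the stage model and the interlock mechanism are assumptions made for this example. Running the pipeline with interlock=False reproduces the read-after-write hazard the abstract describes, and the refinement check rejects that execution.

```python
"""Added example: ISA-level abstract machine vs. pipelined concrete machine,
with a register-file refinement check. The ISA, stage model and interlock
are constructed for illustration, not taken from any real processor."""

from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Instr:
    """Constructed ISA: addi rd, rs, imm (rd := rs + imm); add rd, rs, rt (rd := rs + rt)."""
    op: str
    rd: int
    rs: int
    rt: int = 0
    imm: int = 0

    def sources(self) -> Set[int]:
        return {self.rs, self.rt} if self.op == "add" else {self.rs}


def isa_execute(program: List[Instr], nregs: int = 4) -> List[int]:
    """Abstract machine: each instruction updates the register file atomically."""
    regs = [0] * nregs
    for i in program:
        if i.op == "addi":
            regs[i.rd] = regs[i.rs] + i.imm
        elif i.op == "add":
            regs[i.rd] = regs[i.rs] + regs[i.rt]
        else:
            raise ValueError(f"unknown op {i.op}")
    return regs


def pipelined_execute(program: List[Instr], nregs: int = 4,
                      interlock: bool = True) -> Tuple[List[int], int]:
    """Concrete machine: decode -> execute -> writeback, one stage per cycle.
    Operands are read when an instruction leaves decode; its result reaches the
    register file only at writeback. With interlock=True decode stalls while the
    instruction in execute writes one of its sources (the RAW hazard); with
    interlock=False the stale value is read. Returns (register file, cycles)."""
    regs = [0] * nregs
    pc = 0
    d: Optional[Instr] = None                    # decode stage
    e: Optional[Tuple[Instr, int, int]] = None   # execute stage: instr, operand a, operand b
    w: Optional[Tuple[Instr, int]] = None        # writeback stage: instr, result
    cycles = 0
    while pc < len(program) or d is not None or e is not None or w is not None:
        cycles += 1
        # Writeback commits in the first half of the cycle, so a read later this cycle sees it.
        if w is not None:
            regs[w[0].rd] = w[1]
        # Execute computes on the operands captured when the instruction left decode.
        next_w = (e[0], e[1] + e[2]) if e is not None else None
        # Decode reads operands unless a pending write in execute would make them stale.
        next_e = None
        stalled = False
        if d is not None:
            if interlock and e is not None and e[0].rd in d.sources():
                stalled = True                   # hold decode, insert a bubble into execute
            else:
                a = regs[d.rs]
                b = regs[d.rt] if d.op == "add" else d.imm
                next_e = (d, a, b)
        # Fetch the next instruction unless decode is stalled.
        if stalled:
            next_d = d
        elif pc < len(program):
            next_d, pc = program[pc], pc + 1
        else:
            next_d = None
        d, e, w = next_d, next_e, next_w
    return regs, cycles


def refines(program: List[Instr], nregs: int = 4, interlock: bool = True) -> bool:
    """Gluing invariant checked per program prefix: once every fetched instruction
    has retired, the concrete register file equals the abstract one."""
    return all(
        pipelined_execute(program[:k], nregs, interlock)[0] == isa_execute(program[:k], nregs)
        for k in range(len(program) + 1)
    )


# Constructed program with two back-to-back RAW dependencies (on r1, then on r2).
PROGRAM = [
    Instr("addi", rd=1, rs=0, imm=5),   # r1 := r0 + 5
    Instr("add", rd=2, rs=1, rt=1),     # r2 := r1 + r1
    Instr("addi", rd=3, rs=2, imm=1),   # r3 := r2 + 1
]

if __name__ == "__main__":
    print("ISA:", isa_execute(PROGRAM))
    print("pipelined, interlock:", pipelined_execute(PROGRAM))
    print("pipelined, no interlock:", pipelined_execute(PROGRAM, interlock=False))
    print("refines:", refines(PROGRAM), refines(PROGRAM, interlock=False))
```

Checking the gluing invariant on every prefix rather than only on the whole program is what makes the check correspond to a refinement of each instruction's effect: the concrete machine may take several cycles per instruction, but at every retirement point the abstract and concrete register files must agree.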