Formal Methods in Practice: Analysis and Application of Formal Modeling to Information Systems
Peter Geer


Page 1: Formal Methods in Practice:  Analysis and Application of Formal Modeling to Information Systems

Formal Methods in Practice: Analysis and Application of Formal Modeling to Information Systems
Peter Geer

Page 2: Introduction

  • Stereotype: formal methods = critical systems
  • How can they be applied to typical non-critical information systems?
  • Approach
    ◦ Examine literature and case studies
    ◦ Extract lessons
    ◦ Apply to a sample system

Page 3: History

  • Formal methods
    ◦ Allow programmers to manage the increasing complexity of systems
    ◦ Increase quality and reliability
  • Formal program meaning
    ◦ Hoare triple: P {Q} R [Hoare 1969]; use inference rules to prove P => R
    ◦ Weakest precondition semantics [Gries 1981]: predicate transformer wp("x := y", R) = P; full axiomatic semantics of an ALGOL-like language

Page 4: Formal Modeling

  • Focus on general system modeling, not code verification
  • Early notations: Z (Oxford), Vienna Development Method (IBM)
    ◦ Based on pre- and post-conditions, predicate logic, set theory
  • Variations: VDM++, Object-Z, TCOZ, etc.
    ◦ Different specialties: object-orientation, timing, etc.

Page 5: Ways to Apply FM

  • Full formalism
    ◦ Refinement with formal justification/proof of steps
  • Formal specification/design
    ◦ Apply to specs/design, no formal relation to code
  • Light-weight formal methods
    ◦ No large-scale proof
  • Targeted application
    ◦ Apply as needed to selected areas
  • System review
    ◦ Retrospective analysis of an already built system
  • Code verification

Page 6: Case Studies

  • CICS redevelopment [Finney 1996]
    ◦ Z and Dijkstra's guarded command language
    ◦ 268K lines of CDL, 37K based on Z specs, 11K partial Z spec
    ◦ Queen's award, 2.5x fewer defects, 9% cost saving
  • Pondage power plant [Ciapessoni 1999]
    ◦ TRIO formal specification language, refinement
    ◦ Total costs 15% lower than conventional methods
    ◦ Specification was twice the cost, but all other stages lower

Page 7: Case Studies (continued)

  • SSADM CASE tools [Craigen 1993]
    ◦ Z specs; only tool a prototype parser/type-checker
    ◦ 2718 man-days actual vs. 6400 man-days estimate
    ◦ Productivity 17 LOC/day vs. 11 predicted
  • Darlington Nuclear Generator [Craigen 1993]
    ◦ Post hoc formalization using function tables
    ◦ Obtained license; cost $4 million, 25% of project
  • Lockheed C130J [Amey 2002]
    ◦ Semi-formal spec, implemented in SPARK
    ◦ Developer productivity up 4x, costs half normal
    ◦ Code quality up 10x; SPARK code had only 10% of the errors of standard Ada

Page 8: Lessons From Industry

  • Expensive to start
    ◦ Training, tools, lost productivity while learning
  • Long-term investment
    ◦ Best when integrated into process
  • Need on-site expertise
    ◦ Hard to bootstrap FM from nothing
  • Tools helpful, not necessary
    ◦ Can get helpful results without powerful proof tools
  • Right method for the job
    ◦ Methods differ in focus; not one-size-fits-all

Page 9: Sample Application

  • Goals:
    ◦ Demonstrate application of FM to a typical small project, learning material
    ◦ Demonstrate use of formal modeling with a modern dynamic programming language
    ◦ Base framework for future expansion
  • Web-based document management system
  • Technology:
    ◦ LAMP stack (Linux, Apache, MySQL, PHP)
    ◦ VDM++ for formal models
    ◦ Modeling tools: VDM++ Toolkit, Overture IDE

Page 10: Development Approach

  • Light-weight formal modeling
    ◦ Models as analysis and design tool
  • Refinement
    ◦ Requirements model
    ◦ High-level design model
    ◦ Detailed design model
    ◦ Implementation
  • Keep the models "live" documents

Page 11: Requirements Specification

  • Determine major entities and operations required, map to VDM++ classes
    ◦ User: properties username, password; operations login, logout
    ◦ Document: properties owner, content; operations create, edit, delete, read
    ◦ Security: considered some variations, added support for group permissions

Page 12: Security Specification

    AccessType = <read> | <edit> | <delete>;
    AccessObject = User | Group;
    Permission = map (AccessObject * Document) to (map AccessType to bool);

    PermissionCheck(u: User, d: Document, t: AccessType) r: bool
    ext rd permissions, groups
    post r = if mk_(u, d) in set dom permissions
             then permissions(mk_(u, d))(t)
             else exists g in set groups &
                  mk_(g, d) in set dom permissions and
                  u in set g.members and
                  permissions(mk_(g, d))(t);

Page 13: Top-level System Specification

    class System
    types
      PageSpecifier = <list_documents> | <read_document> | <list_groups> |
                      <show_group> | <login>;
    instance variables
      security     : Security := new Security();
      users        : set of User := {};
      documents    : set of Document := {};
      current_user : [User] := nil;
      next_page    : PageSpecifier := <list_documents>;
    operations
      public Login(username: seq of char, password: seq of char) r: bool
      ext rd users
          wr current_user, next_page
      pre current_user = nil
      post next_page = <list_documents> and
           if exists u in set users & u.username = username and u.password = password
           then current_user in set users and current_user.username = username and r = true
           else current_user = nil and r = false;

      public CreateGroup(name: seq of char)
      ext wr security, next_page
      pre current_user in set security.administrators
      post next_page = <show_group> and
           exists g in set security.groups & g.name = name;

Page 14: Component-Level Specification

  • Refinement of requirements specification
    ◦ Model-View-Controller (MVC) pattern
  • Separation of operation types
    ◦ UserController
    ◦ GroupController
    ◦ DocumentController
  • Introduce implementation-related classes
    ◦ ActiveRecord
    ◦ View
    ◦ Database

Page 15: Detailed Design

  • Explicit specification of controller operations
    ◦ Basic control-flow modeling
  • Expand domain model classes
    ◦ User, Document, Group
    ◦ Operations implementing ActiveRecord interface
  • Add class for global state/runtime
    ◦ PHP class: standard types, global data
  • Detailed database modeling
    ◦ Tables modeled as sets of tuples

Page 16: Database Design

  • Constraints
    ◦ Type and class invariants

    public UserTable = set of UserRow
    inv usrtbl == forall r, s in set usrtbl & r.username = s.username => r = s;

    public Documents : DocumentTable;
    inv (forall d in set Documents & exists u in set Users & d.owner = u.username);

  • Data access layer

    SelectUser(key: String) r: UserRow
    ext rd Users
    post r = iota u in set Users & u.username = key;

    SelectDocumentByOwner(owner: String) r: set of DocumentRow
    ext rd Documents
    post r = {d | d in set Documents & d.owner = owner};
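The two table invariants and the two data-access post-conditions above, animated in Python as an added example (this is not the slides' VDM++ or PHP code; the row types, sample rows and the choice to report a violated `iota` as a `LookupError` are assumptions made here):

```python
from typing import NamedTuple

class UserRow(NamedTuple):
    username: str
    password: str

class DocumentRow(NamedTuple):
    id: int
    owner: str
    title: str

def user_table_inv(users: set) -> bool:
    # inv usrtbl == forall r, s in set usrtbl & r.username = s.username => r = s
    return all(r == s for r in users for s in users if r.username == s.username)

def documents_inv(documents: set, users: set) -> bool:
    # inv forall d in set Documents & exists u in set Users & d.owner = u.username
    return all(any(d.owner == u.username for u in users) for d in documents)

def check_state(users: set, documents: set) -> bool:
    """True only when both table invariants hold for the given state."""
    return user_table_inv(users) and documents_inv(documents, users)

def select_user(users: set, key: str) -> UserRow:
    # post r = iota u in set Users & u.username = key
    # iota is defined only when exactly one row matches; report anything else.
    matches = [u for u in users if u.username == key]
    if len(matches) != 1:
        raise LookupError(f"iota undefined: {len(matches)} rows match {key!r}")
    return matches[0]

def select_documents_by_owner(documents: set, owner: str) -> set:
    # post r = {d | d in set Documents & d.owner = owner}
    return {d for d in documents if d.owner == owner}

# Constructed sample state (not from the slides) for a stand-alone run.
USERS = {UserRow("alice", "pw-a"), UserRow("bob", "pw-b")}
DOCS = {DocumentRow(1, "alice", "Plan"), DocumentRow(2, "alice", "Notes"),
        DocumentRow(3, "bob", "Memo")}

if __name__ == "__main__":
    print("invariants hold:", check_state(USERS, DOCS))
    print(select_user(USERS, "alice"))
    print(sorted(d.title for d in select_documents_by_owner(DOCS, "alice")))
```

Running `check_state` on every state transition is the light-weight equivalent of the type invariants: an orphaned document or a duplicated username is caught at the point it is introduced rather than when a later query misbehaves.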

Page 17: Explicit Controller Action

    public Edit: nat ==> Response
    Edit(id) ==
    (
      dcl doc: [Document] := Document`GetById(id),
          acl: ACL := new ACL();
      if acl.HasPermission(current_user, doc, <edit>) then
      (
        if {"title", "body"} subset dom POST then
        (
          doc.title := POST("title");
          doc.content := POST("body");
          doc.Update();
          return self.Redirect("/document/view/", doc)
        )
        else
        (
          view.Load("document_edit");
          return view.Render()
        )
      )
      else
        return self.Redirect("/error/denied/");
    );
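Page 12's PermissionCheck and the Edit action above, carried through together in Python as an added example (not the slides' VDM++ or the project's PHP). The tuple types, string access types, the response encoding and the sample users, group and permission map are assumptions made here; one rule of the specification worth seeing run is that an explicit (user, document) entry is authoritative, so a per-user denial overrides a group grant:

```python
from typing import NamedTuple

class User(NamedTuple):
    username: str

class Group(NamedTuple):
    name: str
    members: frozenset   # set of User

class Document(NamedTuple):
    id: int
    owner: str

# Permission = map (AccessObject * Document) to (map AccessType to bool)

def permission_check(u, d, t, permissions, groups) -> bool:
    """Page 12's PermissionCheck: groups are consulted only when no explicit entry exists."""
    if (u, d) in permissions:
        # Assumption: an entry that omits access type t counts as a denial.
        return permissions[(u, d)].get(t, False)
    return any((g, d) in permissions and u in g.members
               and permissions[(g, d)].get(t, False) for g in groups)

def edit_action(current_user, doc, post, permissions, groups, doc_store) -> str:
    """Page 17's Edit: the permission check runs before POST is touched at all."""
    if not permission_check(current_user, doc, "edit", permissions, groups):
        return "redirect:/error/denied/"
    if {"title", "body"} <= set(post):          # subset dom POST
        doc_store[doc.id] = {"title": post["title"], "content": post["body"]}
        return f"redirect:/document/view/{doc.id}"
    return "render:document_edit"

# Constructed sample state (not from the slides) for a stand-alone run.
ALICE, BOB, CAROL = User("alice"), User("bob"), User("carol")
EDITORS = Group("editors", frozenset({BOB, CAROL}))
DOC = Document(1, "alice")
GROUPS = {EDITORS}
PERMS = {
    (ALICE, DOC): {"read": True, "edit": True, "delete": True},
    (EDITORS, DOC): {"read": True, "edit": True, "delete": False},
    # Carol's explicit entry shadows her group's edit grant: she is denied.
    (CAROL, DOC): {"read": True, "edit": False},
}

if __name__ == "__main__":
    store = {}
    for who in (ALICE, BOB, CAROL):
        print(who.username, edit_action(who, DOC, {"title": "T", "body": "B"},
                                        PERMS, GROUPS, store))
```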

Page 18: Implementation

  • Approach
    ◦ Code as refinement of model
    ◦ Keep implementation similar to low-level design
  • Architecture
    ◦ Same MVC pattern as model
    ◦ Most of the same classes as detailed model
    ◦ Classes representing runtime and database not needed

Page 19: Variations from Model

  • Addition of view logic
  • Dynamic behavior
    ◦ Controller instantiation
    ◦ Modeled with static mapping
  • Additional management/listing pages
    ◦ Group and permission listing pages
    ◦ Added to model and then implemented
  • Permission list population
    ◦ Operation added to model and implementation

Page 20: Results

  • High-level models
    ◦ Useful in general, but not more so than less formal approaches, e.g. UML diagrams
    ◦ More useful where more detail was used, e.g. security analysis
  • Detailed design
    ◦ Easy to translate, helped reduce coding time
    ◦ Controller classes and database: direct mapping
    ◦ Very helpful during delay in implementation

Page 21: Conclusion

  • Literature and case studies
    ◦ Cost saving and quality increase
    ◦ Meaningful gains without large-scale formalism
  • Sample project
    ◦ Useful as design tool
    ◦ Helped reduce effort in implementation
  • Areas for further research
    ◦ Sample models using animation to prototype
    ◦ Alternate modeling approaches, derivation/proof
    ◦ Abstraction into fully reusable framework

Page 22: References

[Amey 2002] Peter Amey. Correctness by construction: Better can also be cheaper. Crosstalk Magazine, 2002.

[Ciapessoni 1999] Emanuele Ciapessoni, Piergiorgio Mirandola, Alberto Coen-Porisini, Dino Mandrioli, and Angelo Morzenti. From formal models to formally based methods: an industrial experience. ACM Trans. Softw. Eng. Methodol., 8(1):79-113, 1999.

[Hoare 1969] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576-580, 1969.

[Gries 1981] David B. Gries. The Science of Programming. Texts and Monographs in Computer Science. Springer-Verlag, 1981.

[Finney 1996] Kate Finney and Norman Fenton. Evaluating the effectiveness of Z: the claims made about CICS and where we go from here. J. Syst. Softw., 35(3):209-216, 1996.

[Craigen 1993] D. Craigen, S. Gerhart, and T. J. Ralston. An international survey of industrial applications of formal methods (volume 1: Purpose, approach, analysis and conclusions; volume 2: Case studies). Technical Report NIST GCR 93/626-V1 & NIST GCR 93-626-V2 (order numbers PB93-178556/AS & PB93-178564/AS), National Institute of Standards and Technology, Gaithersburg, MD; National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161, USA, 1993.