Formal Methods in Practice: Analysis and Application of Formal Modeling to Information Systems
Peter Geer
Introduction
Stereotype: Formal methods = critical systems
How can they be applied to typical non-critical information systems?
Approach
  ◦ Examine literature and case studies
  ◦ Extract lessons
  ◦ Apply to a sample system
History
Formal methods
  ◦ Allow programmers to manage increasing complexity of systems
  ◦ Increase quality and reliability
Formal program meaning
  ◦ Hoare triple: P {Q} R [Hoare 1969]
    Use inference rules to prove P => R
  ◦ Weakest precondition semantics [Gries 1981]
    Predicate transformer: wp("x := y", R) = P
    Full axiomatic semantics of ALGOL-like language
Formal Modeling
Focus on general system modeling, not code verification
Early notations: Z (Oxford), Vienna Development Method (IBM)
  ◦ Based on pre- and post-conditions, predicate logic, set theory
Variations: VDM++, Object-Z, TCOZ, etc.
  ◦ Different specialties: object-orientation, timing, etc.
Ways to Apply FM
Full formalism
  ◦ Refinement with formal justification/proof of steps
Formal specification/design
  ◦ Apply to specs/design, no formal relation to code
Light-weight formal methods
  ◦ No large-scale proof
Targeted application
  ◦ Apply as needed to selected areas
System review
  ◦ Retrospective analysis of already-built system
Code verification
Case Studies
CICS redevelopment [Finney 1996]
  ◦ Z and Dijkstra's guarded command language
  ◦ 268K lines of CDL, 37K based on Z specs, 11K partial Z spec
  ◦ Queen's award, 2.5x fewer defects, 9% cost saving
Pondage power plant [Ciapessoni 1999]
  ◦ TRIO formal specification language, refinement
  ◦ Total costs 15% lower than conventional methods
  ◦ Specification was twice the cost, but all other stages lower
Case Studies
SSADM CASE tools [Craigen 1993]
  ◦ Z specs, only tool a prototype parser/type-checker
  ◦ 2718 man-days actual vs. 6400 man-days estimate
  ◦ Productivity 17 LOC/day vs. 11 predicted
Darlington Nuclear Generator [Craigen 1993]
  ◦ Post hoc formalization using function tables
  ◦ Obtained license; cost: $4 million, 25% of project
Lockheed C130J [Amey 2002]
  ◦ Semi-formal spec, implemented in SPARK
  ◦ Developer productivity up 4x, costs half normal
  ◦ Code quality up 10x, SPARK code had only 10% of the errors of standard Ada
Lessons From Industry
Expensive to start
  ◦ Training, tools, lost productivity while learning
Long-term investment
  ◦ Best when integrated into process
Need on-site expertise
  ◦ Hard to bootstrap FM from nothing
Tools helpful, not necessary
  ◦ Can get helpful results without powerful proof tools
Right method for the job
  ◦ Methods differ in focus, not one-size-fits-all
Sample Application
Goals:
  ◦ Demonstrate application of FM to typical small project, learning material
  ◦ Demonstrate use of formal modeling with a modern dynamic programming language
  ◦ Base framework for future expansion
Web-based document management system
Technology:
  ◦ LAMP stack (Linux, Apache, MySQL, PHP)
  ◦ VDM++ for formal models
  ◦ Modeling tools: VDM++ Toolkit, Overture IDE
Development Approach
Light-weight formal modeling
  ◦ Models as analysis and design tool
Refinement
  ◦ Requirements model
  ◦ High-level design model
  ◦ Detailed design model
  ◦ Implementation
Keep the models "live" documents
Requirements specification
Determine major entities and operations required, map to VDM++ classes
  ◦ User
    Properties: username, password
    Operations: login, logout
  ◦ Document
    Properties: owner, content
    Operations: create, edit, delete, read
  ◦ Security
    Considered some variations, added support for group permissions
Security Specification
  AccessType = <read> | <edit> | <delete>;
  AccessObject = User | Group;
  Permission = map (AccessObject * Document) to (map AccessType to bool);

  PermissionCheck(u: User, d: Document, t: AccessType) r: bool
  ext rd permissions, groups
  post r = if mk_(u, d) in set dom permissions
           then permissions(mk_(u, d))(t)
           else exists g in set groups &
                mk_(g, d) in set dom permissions and
                u in set g.members and
                permissions(mk_(g, d))(t)
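The PermissionCheck post-condition above, run as an executable model over constructed sample data; this is an added example written for this page, not code from the thesis project. The User, Group and Document classes, the string encoding of the AccessType quote values, and the rule that an absent access type reads as false are assumptions. It makes the spec's precedence visible: a direct (user, document) entry decides on its own, even when a group the user belongs to grants more.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple, Union

@dataclass(frozen=True)
class User:
    username: str

@dataclass(frozen=True)
class Group:
    name: str
    members: FrozenSet[User]

@dataclass(frozen=True)
class Document:
    title: str

ACCESS_TYPES = ("read", "edit", "delete")   # AccessType = <read> | <edit> | <delete>
# Permission = map (AccessObject * Document) to (map AccessType to bool), AccessObject = User | Group
Permission = Dict[Tuple[Union[User, Group], Document], Dict[str, bool]]

def permission_check(u: User, d: Document, t: str,
                     permissions: Permission, groups: Iterable[Group]) -> bool:
    if t not in ACCESS_TYPES:
        raise ValueError(f"not an AccessType: {t!r}")
    # Branch 1: a direct (user, document) entry is authoritative.  The spec's if/else
    # means an explicit {edit |-> false} for a user is NOT overridden by a group grant.
    if (u, d) in permissions:
        return permissions[(u, d)].get(t, False)   # absent key read as false (assumption)
    # Branch 2: exists g in set groups & mk_(g, d) in set dom permissions and ...
    return any((g, d) in permissions and u in g.members
               and permissions[(g, d)].get(t, False) for g in groups)

# Constructed sample state: "editors" may read/edit DOC; bob is an editor but has a direct deny.
ALICE, BOB, CAROL = User("alice"), User("bob"), User("carol")
DOC = Document("design-notes")
EDITORS = Group("editors", frozenset({ALICE, BOB}))
GROUPS = [EDITORS]
PERMISSIONS: Permission = {
    (EDITORS, DOC): {"read": True, "edit": True, "delete": False},
    (BOB, DOC): {"read": True, "edit": False, "delete": False},
}

def decisions() -> Dict[str, bool]:
    return {
        "alice edit (via group)": permission_check(ALICE, DOC, "edit", PERMISSIONS, GROUPS),
        "bob edit (direct deny wins)": permission_check(BOB, DOC, "edit", PERMISSIONS, GROUPS),
        "alice delete": permission_check(ALICE, DOC, "delete", PERMISSIONS, GROUPS),
        "carol read (no entry)": permission_check(CAROL, DOC, "read", PERMISSIONS, GROUPS),
    }
```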
Top-level System Specification
  class System
  types
    PageSpecifier = <list_documents> | <read_document> | <list_groups> | <show_group> | <login>;
  instance variables
    security : Security := new Security();
    users : set of User := {};
    documents : set of Document := {};
    current_user : [User] := nil;
    next_page : PageSpecifier := <list_documents>;
  operations
    public Login(username: seq of char, password: seq of char) r: bool
    ext rd users
        wr current_user, next_page
    pre current_user = nil
    post next_page = <list_documents> and
         if exists u in set users & u.username = username and u.password = password
         then current_user in set users and current_user.username = username and r = true
         else current_user = nil and r = false;

    public CreateGroup(name: seq of char)
    ext wr security, next_page
    pre current_user in set security.administrators
    post next_page = <show_group> and exists g in set security.groups & g.name = name;
Component-Level Specification
Refinement of requirements specification
  ◦ Model-View-Controller (MVC) pattern
Separation of operation types
  ◦ UserController
  ◦ GroupController
  ◦ DocumentController
Introduce implementation-related classes
  ◦ ActiveRecord
  ◦ View
  ◦ Database
Detailed Design
Explicit specification of controller operations
  ◦ Basic control-flow modeling
Expand domain model classes
  ◦ User, Document, Group
  ◦ Operations implementing ActiveRecord interface
Add class for global state/runtime
  ◦ PHP class – standard types, global data
Detailed database modeling
  ◦ Tables modeled as sets of tuples
Database Design
Constraints
  ◦ Type and class invariants
    public UserTable = set of UserRow
    inv usrtbl == forall r, s in set usrtbl & r.username = s.username => r = s;

    public Documents: DocumentTable;
    inv (forall d in set Documents & exists u in set Users & d.owner = u.username);
Data access layer
  ◦ SelectUser(key: String) r: UserRow
    ext rd Users
    post r = iota u in set Users & u.username = key;
  ◦ SelectDocumentByOwner(owner: String) r: set of DocumentRow
    ext rd Documents
    post r = {d | d in set Documents & d.owner = owner};
Explicit Controller Action
  public Edit: nat ==> Response
  Edit(id) ==
    (dcl doc: [Document] := Document`GetById(id),
         acl: ACL := new ACL();
     if acl.HasPermission(current_user, doc, <edit>)
     then (
       if {"title", "body"} subset dom POST
       then (
         doc.title := POST("title");
         doc.content := POST("body");
         doc.Update();
         return self.Redirect("/document/view/", doc)
       )
       else (
         view.Load("document_edit");
         return view.Render()
       )
     )
     else return self.Redirect("/error/denied/");
    );
Implementation
Approach
  ◦ Code as refinement of model
  ◦ Keep implementation similar to low-level design
Architecture
  ◦ Same MVC pattern as model
  ◦ Most of the same classes as detailed model
  ◦ Classes representing runtime and database not needed
Variations from model
Addition of view logic
Dynamic behavior
  ◦ Controller instantiation
  ◦ Modeled with static mapping
Additional management/listing pages
  ◦ Group and permission listing pages
  ◦ Added to model and then implemented
Permission list population
  ◦ Operation added to model and implementation
Results
High-level models
  ◦ Useful in general, but not more so than less formal approaches, e.g. UML diagrams
  ◦ More useful where more detail was used, e.g. security analysis
Detailed design
  ◦ Easy to translate, helped reduce coding time
  ◦ Controller classes and database – direct mapping
  ◦ Very helpful during delay in implementation
Conclusion
Literature and case studies
  ◦ Cost saving and quality increase
  ◦ Meaningful gains without large-scale formalism
Sample project
  ◦ Useful as design tool
  ◦ Helped reduce effort in implementation
Areas for further research
  ◦ Sample models using animation to prototype
  ◦ Alternate modeling approaches, derivation/proof
  ◦ Abstraction into fully reusable framework
References
[Amey 2002] Peter Amey. Correctness by construction: Better can also be cheaper. Crosstalk Magazine, 2002.
[Ciapessoni 1999] Emanuele Ciapessoni, Piergiorgio Mirandola, Alberto Coen-Porisini, Dino Mandrioli, and Angelo Morzenti. From formal models to formally based methods: an industrial experience. ACM Trans. Softw. Eng. Methodol., 8(1):79-113, 1999.
[Hoare 1969] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576-580, 1969.
[Gries 1981] David Gries. The Science of Programming. Texts and Monographs in Computer Science. Springer-Verlag, 1981.
[Finney 1996] Kate Finney and Norman Fenton. Evaluating the effectiveness of Z: the claims made about CICS and where we go from here. J. Syst. Softw., 35(3):209-216, 1996.
[Craigen 1993] D. Craigen, S. Gerhart, and T. J. Ralston. An international survey of industrial applications of formal methods (volume 1: Purpose, approach, analysis and conclusions; volume 2: Case studies). Technical Report NIST GCR 93/626-V1 & NIST GCR 93-626-V2 (Order numbers: PB93-178556/AS & PB93-178564/AS), National Institute of Standards and Technology, Gaithersburg, MD; National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161, USA, 1993.