Browse Books

Reviewer: R. Clayton

What happens once a software system has been formally specified__?__ This book provides one answer: the specification can be refined through decreasing abstraction levels until it's reduced to code, or something close to code. The book can be partitioned into two pairs of chapters, preceded by an introductory chapter and followed by a concluding chapter. The first pair of chapters describes informally (chapter 2) and then formally (chapter 3) a simple embedded real-time operating system kernel. The second pair of chapters describes informally (chapter 4) and then formally (chapter 5) a separation kernel designed to provide complete temporal and spatial isolation among processes. The separation kernel is intended to be a microkernel for secure systems. (The adjective "cryptographic" is frequently mentioned relative to systems for the separation kernel, but "cryptographic system" isn't defined, and I could discern no cryptography in the kernel development.) Each kernel is divided into 12 or so pieces, along functional lines (process table and semaphores), and each piece is formally defined at a top level, and then refined in one or two (or sometimes no) steps. With this structure, a cagey reader might anticipate having some control over presentation detail, by reading the development horizontally, skipping from top-level definition to top-level definition, and then, once the top-level definitions were read, repeating for the first-level refinements. In this, the cagey reader would be wrong. Most specifications and refinements have an inverted pyramid shape, with a majority of the detail introduced at the top level, and successive refinement steps focusing on specific details. I was excited when I initially opened the book to the bibliography and saw a citation for Morgan's book [1], but the presentation in this book does not correspond to Morgan's presentation of program development by refinement. The index is pedestrian, consigned to the end of the book and containing only Z-entity definitions. The indexing standard set by Fraser and Hanson's book [2] should be the minimum for works of this kind. The bibliography is small, and covers the necessary citations in the text. The systems are specified using Z [3]; the book assumes knowledgeable readers, and contains no expository material about Z. Except for some comments in the first and last chapters, Z is used unselfconsciously, making the book less valuable for nascent Z specifiers looking to hone their skills on the strop of practical application. Only basic operating system knowledge is needed; familiarity with this book's predecessor [4] is helpful, but not necessary. The microkernel assumes generic hardware, and is refined down to a simple sequential language. The separation kernel assumes Intel hardware for segmentation capabilities, and is mostly refined to the same language as the microkernel, although in some places the refinement is carried down to suggest x86 assembly code. Formal proofs are sprinkled throughout, but not at every opportunity. In many cases, the proofs are compressed into paragraph-sized bricks rather than being laid out more expansively. This may save space, but it invites the eye (or at least my eye) to skate lightly down the page. There is no validation or verification. On the whole, this book doesn't make a practical case for formal methods, because I can't imagine it influencing people who don't know about formal methods, don't care about them, or have dismissed them as impractical. The author may wish to object that the book wasn't written for those kinds of readers, and that objection is certainly valid and consistent with the book. However, if you're going to do all this work, why not amortize your effort by slanting it toward a slightly (or perhaps much) larger audience__?__ The formal methods adepts are going to accept it anyway, and you may create a few converts with clear and plausible demonstrations (formal methods adepts may appreciate it too; the ability to plow through page after page of detail doesn't imply the desire to do so). More to the point, the book does meet its objective of demonstrating system development through specification refinement, and can stand as yet another marker for the power and utility of formal methods. While students (as opposed to practitioners and researchers) of formal methods, and Z in particular, may not find the book directly helpful, it can be a spur for further activity, such as exploring alternative specification-to-code transformations [5], or as a basis for using alternative techniques (such as in Lamport's book [6]) to develop specifications for comparison to Z. Online Computing Reviews Service