We discuss usage protocols for iterator objects that prevent concurrent modifications of the underlying collection while iterators are in progress. We formalize these protocols in Java-like object interfaces, enriched with separation logic contracts. We present examples of iterator clients and proofs that they adhere to the iterator protocol, as well as examples of iterator implementations and proofs that they implement the iterator interface. This is an extended version of a paper at the International Workshop on Aliasing, Ownership and Confinement (IWACO 2008).
Scheduler-related Confidentiality for Multi-threaded Programs. Marieke Huisman and Tri Minh Ngo, University of Twente, Netherlands. Marike.Huisman@ewi.utwente.nl, tringominh@gmail.com. Abstract. Observational ...
We present the first results of a project called LOOP, on formal methods for the object-oriented language Java. It aims at verification of program properties, with support of modern tools. We use our own front-end tool (which is still partly under construction) for translating Java classes into higher order logic, and a back-end theorem prover (namely PVS, developed at SRI)
Jensen et al. present a simple and elegant program model, within a specification and verification framework for checking control flow based security properties by model checking techniques. We generalise this model and framework to allow for compositional specification and verification of security properties of multi-application programs. The framework contains a program model for multi-application programs, and a temporal logic to specify security properties about such programs.
This paper explains the details of the memory model underlying the verification of sequential Java programs in the "LOOP" project ([14,20]). The building blocks of this memory are cells, which are untyped in the sense that they can store the contents of the fields of an arbitrary Java object. The main memory is modeled as three infinite series of such cells, one for storing instance variables on a heap, one for local variables and parameters on a stack, and one for static (or class) variables. Verification on the basis of this memory model is illustrated both in PVS and in Isabelle/HOL, via several examples of Java programs, involving various subtleties of the language (wrt. memory storage).
In this paper we present a source transformation-based framework to support model checking of source code written with languages belonging to Microsoft's .NET platform. The framework includes a set of source transformation rules to guide the transformation, tools to support assertion checking, as well as a tool for the automation of deadlock detection. The framework results in both executable and formally verifiable artifacts. We provide details of the tools in the framework, and evaluate the framework on a few small case studies.
This paper proposes a method to factorise the verification of temporal properties for multi-threaded programs over groups of different threads. Essentially, the method boils down to showing that there exists a group of threads that establishes the property of interest, while the remaining threads do not affect it. We fine-tune the method by identifying for each property particular conditions under which the preservation is necessary. As a specification language we use the so-called specification patterns developed as part of the Bandera project at Kansas State University. For each specification pattern we propose a decomposition rule. We have shown the soundness of each rule using the pattern mappings as defined for LTL. The proofs have been formalised using the theorem prover Isabelle.
Multithreading is the next challenge for program verification. To support modular verification of multithreaded programs, one should know when data might be accessed or updated by the different threads in the system. We propose a permission-based annotation system that is designed to do exactly this, i.e. it specifies when a thread can read or write a variable. The annotation system ensures that threads have exclusive access to a variable whenever they have the possibility to write it, thus avoiding data races. Moreover, the annotation system allows permissions to be changed dynamically throughout the execution. The information from the permission annotations can be used for further verification of the program. This paper shows how the annotation system can be used to specify variable access in several typical multithreaded programming patterns.
Modular static verification of concurrent object-oriented programs remains a challenge. This paper discusses the impact of concurrency on the use and meaning of behavioural specifications, and in particular on method contracts and class invariants. Atomicity of methods is often advocated as a solution to the problem of verification of multithreaded programs. However, in a design-by-contract framework atomicity in itself is not sufficient, because it does not consider specifications. Instead, we propose to use the notion of stability of method contracts to allow sound modular reasoning about method calls. A contract is stable if it cannot be broken by interferences from concurrent threads. We explain why stability of contracts cannot always be shown directly, and we speculate about different approaches to prove stability. Finally, we outline how a proof obligation generator for sequential programs can be extended to one for concurrent programs by using stability information. This paper does not present a full technical solution to the problem, but instead shows how it can be decomposed into several smaller subproblems. For each subproblem, a solution is sketched, but the technical details still need to be worked out.
Background: An important gap in our knowledge of social inequalities in health is the former Yugoslavia, a region of culturally and historically diverse countries, with recent conflict. The aim of the present paper is to investigate relative and absolute inequalities in self-assessed health in former ) by sex and education. Methods: The data source is the South-East European Social Survey Project fielded in December 2003 to Winter 2004, covering the former Yugoslavia with a total sample of 18 481 respondents. Data from Slovenia were obtained from the 2004 wave of the European Social Survey. The health outcome variables were self-reported general health (SRH) and limiting longstanding illness (LLI). Results: Both absolute and relative educational health inequalities were present throughout the former Yugoslavia to a greater or lesser extent, although odds ratios (ORs) for LLI and SRH were not significant for Montenegrin women [LLI OR = 1.12, 95% confidence interval (CI): 0.92-1.37; SRH OR = 1.16, 95% CI: 0.96-1.40] and with respect to the reporting of LLI among Slovenian men (OR = 1.16, 95% CI: 0.96-1.44). Overall, Montenegro held the best position. Conclusions: The prevalence of poor health and the degree of relative inequality in self-assessed health in the former Yugoslavian countries were of a similar order to one another, and to other East European countries during the same period. Influences on subjective health require further elucidation. Further research should study a wider range of health outcomes using larger survey samples and a wider range of cultural and other predictor variables.
Security automata are a convenient way to describe security policies. Their typical use is to monitor the execution of an application, and to interrupt it as soon as the security policy is violated. However, run-time adherence checking is not always convenient. Instead, we aim at developing a technique to verify adherence to a security policy statically. To do this, we consider a security automaton as specification, and we generate JML annotations that inline the monitor, as a specification, into the application. We describe this translation and prove preservation of program behaviour, i.e., if monitoring does not reveal a security violation, the generated annotations are respected by the program. The correctness proofs are formalised using the PVS theorem prover. This reveals several subtleties to be considered in the definition of the translation algorithm and in the program requirements.
... Sophia Antipolis, France INRIA Sophia Antipolis, France INRIA Sophia Antipolis, France INRIA DirDRI, France University de la Mediterranee, Marseille, France Rajeev Joshi Judi Romijn Florian Kammuller Vlad Rusu Laurent Lagosanto Peter Ryan Yassine Lakhnech David ...
Papers by Marieke Huisman