
Formal Methods in Practice: Analysis and Application of Formal Modeling to Information Systems





  1. Formal Methods in Practice: Analysis and Application of Formal Modeling to Information Systems Peter Geer

  2. Introduction • Stereotype: Formal methods = critical systems • How can they be applied to typical non-critical information systems? • Approach • Examine literature and case studies • Extract lessons • Apply to a sample system

  3. History • Formal methods • Allow programmers to manage the increasing complexity of systems • Increase quality and reliability • Formal program meaning • Hoare triple: P {Q} R [Hoare 1969]: if precondition P holds before program Q executes and Q terminates, postcondition R holds afterwards • Inference rules for each language construct (assignment, sequencing, iteration) allow such triples to be proved • Weakest precondition semantics [Gries 1981] • Predicate transformer: wp(S, R) is the weakest precondition P under which S is guaranteed to terminate in a state satisfying R; e.g. wp("x := y", R) = R with every free x replaced by y • Full axiomatic semantics of an ALGOL-like language

  4. Formal Modeling • Focus on general system modeling, not code verification • Early notations: Z (Oxford), Vienna Development Method (IBM) • Based on pre- and post-conditions, predicate logic, set theory • Variations: VDM++, Object-Z, TCOZ, etc. • Different specialties: object-orientation, timing, etc.

  5. Ways to Apply FM • Full formalism • Refinement with formal justification/proof of steps • Formal specification/design • Apply to specs/design, no formal relation to code • Light-weight formal methods • No large scale proof • Targeted application • Apply as needed to selected areas • System review • Retrospective analysis of already built system • Code verification

  6. Case Studies • CICS redevelopment [Finney 1996] • Z and Dijkstra's guarded command language • 268K lines of CDL, 37K based on Z specs, 11K partial Z spec • Queen's Award, 2.5x fewer defects, 9% cost saving • Pondage power plant [Ciapessoni 1999] • TRIO formal specification language, refinement • Total costs 15% lower than conventional methods • Specification was twice the cost, but all other stages were cheaper

  7. Case Studies • SSADM CASE tools [Craigen 1993] • Z specs; the only tool was a prototype parser/type-checker • 2718 man-days actual vs. 6400 man-days estimated • Productivity 17 LOC/day vs. 11 predicted • Darlington Nuclear Generator [Craigen 1993] • Post hoc formalization using function tables • Obtained license; cost: $4 million, 25% of project • Lockheed C-130J [Amey 2002] • Semi-formal spec, implemented in SPARK • Developer productivity up 4x, costs half normal • Code quality up 10x; SPARK code had only 10% of the errors of standard Ada

  8. Lessons From Industry • Expensive to start • Training, tools, lost productivity while learning • Long-term investment • Best when integrated into process • Need on-site expertise • Hard to bootstrap FM from nothing • Tools helpful, not necessary • Can get helpful results without powerful proof tools • Right method for the job • Methods differ in focus, not one-size-fits all

  9. Sample Application • Goals: • Demonstrate application of FM to typical small project, learning material • Demonstrate use of formal modeling with a modern dynamic programming language • Base framework for future expansion • Web-based document management system • Technology: • LAMP stack (Linux, Apache, MySQL, PHP) • VDM++ for formal models • Modeling tools: VDM++ Toolkit, Overture IDE

  10. Development Approach • Light-weight formal modeling • Models as analysis and design tool • Refinement • Requirements model • High-level design model • Detailed design model • Implementation • Keep the models “live” documents

  11. Requirements specification • Determine major entities and operations required, map to VDM++ classes • User • Properties: username, password • Operations: login, logout • Document • Properties: owner, content • Operations: create, edit, delete, read • Security • Considered some variations, added support for group permissions

  12. Security Specification
      AccessType = <read> | <edit> | <delete>;
      AccessObject = User | Group;
      Permission = map (AccessObject * Document) to (map AccessType to bool);

      PermissionCheck(u: User, d: Document, t: AccessType) r: bool
      ext rd permissions, groups
      post r = if mk_(u, d) in set dom permissions
               then permissions(mk_(u, d))(t)
               else exists g in set groups &
                    mk_(g, d) in set dom permissions and
                    u in set g.members and
                    permissions(mk_(g, d))(t)
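The PermissionCheck specification above is implicit: it states what r must be, not how to compute it. The following is an added example, not code from the presentation or its sample project, of the light-weight approach the talk describes, written in Python rather than the project's PHP: a flattened access-control list implements the check, a literal transcription of the postcondition serves as the oracle, and an exhaustive check over a small constructed state confirms that the two agree for every (user, document, access type). The class names (`User`, `Group`, `Document`, `EffectiveAcl`), the sample users and documents, and the decision to read a missing access-type entry as "not granted" are assumptions of the example.

```python
"""Executable counterpart of the VDM++ PermissionCheck specification.

Added example (not the presentation's code). The names below and the sample
state at the bottom are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple, Union

READ, EDIT, DELETE = "read", "edit", "delete"   # AccessType = <read> | <edit> | <delete>
ACCESS_TYPES = (READ, EDIT, DELETE)


@dataclass(frozen=True)
class User:
    username: str


@dataclass(frozen=True)
class Group:
    name: str
    members: FrozenSet[User]


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str


AccessObject = Union[User, Group]              # AccessObject = User | Group
# Permission = map (AccessObject * Document) to (map AccessType to bool)
Permissions = Dict[Tuple[AccessObject, Document], Dict[str, bool]]


def spec_permission_check(u: User, d: Document, t: str,
                          permissions: Permissions, groups: Iterable[Group]) -> bool:
    """Literal transcription of the slide's postcondition, used as the oracle.
    Applying a VDM map to an access type the entry does not list is undefined;
    reading that as 'not granted' (.get(t, False)) is an implementation decision."""
    if (u, d) in permissions:
        return permissions[(u, d)].get(t, False)
    return any((g, d) in permissions
               and u in g.members
               and permissions[(g, d)].get(t, False)
               for g in groups)


class EffectiveAcl:
    """Explicit implementation: user and group entries are flattened into one
    row per (user, document) up front, so a request costs a single lookup."""

    def __init__(self, users: Iterable[User], docs: Iterable[Document],
                 permissions: Permissions, groups: Iterable[Group]) -> None:
        users, docs, groups = tuple(users), tuple(docs), tuple(groups)
        self._rows: Dict[Tuple[str, int], Dict[str, bool]] = {}
        for u in users:
            for d in docs:
                if (u, d) in permissions:
                    # A direct entry is authoritative, including an explicit deny:
                    # group grants must not override it.
                    row = {t: permissions[(u, d)].get(t, False) for t in ACCESS_TYPES}
                else:
                    # Otherwise OR together the grants of every group u belongs to.
                    row = {t: False for t in ACCESS_TYPES}
                    for g in groups:
                        if u in g.members and (g, d) in permissions:
                            for t in ACCESS_TYPES:
                                row[t] = row[t] or permissions[(g, d)].get(t, False)
                self._rows[(u.username, d.doc_id)] = row

    def has_permission(self, u: User, d: Document, t: str) -> bool:
        # Unknown (user, document) pairs fall through to 'denied'.
        return self._rows.get((u.username, d.doc_id), {}).get(t, False)


def verify_refinement(users: Iterable[User], docs: Iterable[Document],
                      permissions: Permissions, groups: Iterable[Group],
                      acl: EffectiveAcl) -> bool:
    """Exhaustive check over the finite state: the implementation must agree
    with the postcondition for every (user, document, access type)."""
    users, docs, groups = tuple(users), tuple(docs), tuple(groups)
    return all(acl.has_permission(u, d, t) == spec_permission_check(u, d, t, permissions, groups)
               for u in users for d in docs for t in ACCESS_TYPES)


# Constructed sample state (not from the presentation).
alice, bob, carol, dave = (User(n) for n in ("alice", "bob", "carol", "dave"))
USERS = (alice, bob, carol, dave)
staff = Group("staff", frozenset({bob, carol}))
GROUPS = (staff,)
spec_doc = Document(1, owner="alice")
DOCS = (spec_doc,)
PERMISSIONS: Permissions = {
    (alice, spec_doc): {READ: True, EDIT: True, DELETE: True},    # owner
    (staff, spec_doc): {READ: True, EDIT: True},                  # no <delete> entry
    (carol, spec_doc): {READ: False, EDIT: False, DELETE: False}, # explicit deny
}
ACL = EffectiveAcl(USERS, DOCS, PERMISSIONS, GROUPS)

if __name__ == "__main__":
    print("refinement holds:", verify_refinement(USERS, DOCS, PERMISSIONS, GROUPS, ACL))
```

The constructed state deliberately includes carol, who has an explicit deny on the document while belonging to a group that grants read and edit. The postcondition makes the direct entry authoritative, so she is denied; a hand-written check that scans groups first would grant her access and fail the refinement check.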

  13. Top-level System Specification
      class System
      types
        PageSpecifier = <list_documents> | <read_document> | <list_groups> | <show_group> | <login>;
      instance variables
        security : Security := new Security();
        users : set of User := {};
        documents : set of Document := {};
        current_user : [User] := nil;
        next_page : PageSpecifier := <list_documents>;
      operations
        public Login(username: seq of char, password: seq of char) r: bool
        ext rd users
            wr current_user, next_page
        pre current_user = nil
        post next_page = <list_documents> and
             if exists u in set users & u.username = username and u.password = password
             then current_user in set users and current_user.username = username and r = true
             else current_user = nil and r = false;

        public CreateGroup(name: seq of char)
        ext wr security, next_page
        pre current_user in set security.administrators
        post next_page = <show_group> and exists g in set security.groups & g.name = name;
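Login above is specified implicitly through a precondition (nobody is logged in) and a postcondition (the next page, current_user and the result are consistent with whether a matching user exists). The following added example, not code from the presentation, shows one way to keep that model "live" in the implementation: the operation is written explicitly, and both conditions are evaluated at run time against the resulting state, with the postcondition computed independently of the body so that a wrong body is caught rather than trusted. Password hashing with a per-user salt and a constant-time comparison is an implementation choice that the model's plain `u.password = password` does not prescribe; the `Logout` body, the class names and the sample users are assumptions of the example.

```python
"""Login as a run-time-checked contract derived from the VDM++ System class.

Added example (not the presentation's code); names and sample data are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

LIST_DOCUMENTS, LOGIN_PAGE = "list_documents", "login"   # two of the PageSpecifier values


class PreconditionViolated(Exception):
    pass


class PostconditionViolated(Exception):
    pass


def hash_password(password: str, salt: bytes, rounds: int = 50_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes

    def check_password(self, password: str) -> bool:
        # The model's u.password = password, made explicit as a constant-time
        # comparison of derived hashes (an implementation choice, not in the model).
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))


class System:
    def __init__(self, users: List[User]) -> None:
        self.users = list(users)                    # users : set of User
        self.current_user: Optional[User] = None    # current_user : [User] := nil
        self.next_page = LIST_DOCUMENTS             # next_page : PageSpecifier

    def login(self, username: str, password: str) -> bool:
        # pre current_user = nil: refuse to overwrite an existing session.
        if self.current_user is not None:
            raise PreconditionViolated("Login called while a user is logged in")

        # Body: explicit implementation of the implicit operation.
        matched = next((u for u in self.users if u.username == username), None)
        r = matched is not None and matched.check_password(password)
        self.current_user = matched if r else None
        self.next_page = LIST_DOCUMENTS

        # post: evaluated against the new state, independently of the body above.
        exists = any(u.username == username and u.check_password(password)
                     for u in self.users)
        if exists:
            holds = (self.current_user in self.users
                     and self.current_user.username == username
                     and r is True)
        else:
            holds = self.current_user is None and r is False
        if not (self.next_page == LIST_DOCUMENTS and holds):
            raise PostconditionViolated("Login postcondition does not hold")
        return r

    def logout(self) -> None:
        # Logout is listed among the model's operations but not specified on the
        # slide; this body is an assumption.
        self.current_user = None
        self.next_page = LOGIN_PAGE


def make_system() -> System:
    """Constructed sample state (not from the presentation)."""
    users = []
    for name, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = os.urandom(16)
        users.append(User(name, salt, hash_password(pw, salt)))
    return System(users)


def run_scenario() -> List[str]:
    """Drive the contract through the interesting paths and record what happened."""
    s = make_system()
    log = []
    log.append("wrong password -> %s" % s.login("alice", "wrong"))
    log.append("unknown user -> %s" % s.login("mallory", "x"))
    log.append("good login -> %s" % s.login("alice", "correct horse"))
    try:
        s.login("bob", "battery staple")
        log.append("second login accepted")
    except PreconditionViolated:
        log.append("second login rejected by precondition")
    s.logout()
    log.append("login after logout -> %s" % s.login("bob", "battery staple"))
    return log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The precondition is what makes the second login in `run_scenario` fail: the model does not allow Login to replace an active session, so the implementation must route through Logout first.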

  14. Component-Level Specification • Refinement of requirements specification • Model-View-Controller (MVC) pattern • Separation of operation types • UserController • GroupController • DocumentController • Introduce implementation-related classes • ActiveRecord • View • Database

  15. Detailed Design • Explicit specification of controller operations • Basic control-flow modeling • Expand domain model classes • User, Document, Group • Operations implementing ActiveRecord interface • Add class for global state/runtime • PHP class – standard types, global data • Detailed database modeling • Tables modeled as sets of tuples

  16. Database Design • Constraints • Type and class invariants
      public UserTable = set of UserRow
      inv usrtbl == forall r, s in set usrtbl & r.username = s.username => r = s;

      public Documents : DocumentTable;
      inv (forall d in set Documents & exists u in set Users & d.owner = u.username);
    • Data access layer
      SelectUser(key: String) r: UserRow
      ext rd Users
      post r = iota u in set Users & u.username = key;

      SelectDocumentByOwner(owner: String) r: set of DocumentRow
      ext rd Documents
      post r = {d | d in set Documents & d.owner = owner};
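The two invariants above (unique usernames; every document owner is a known user) and the `iota` in SelectUser (exactly one matching row, otherwise undefined) are the parts of the model most easily lost in translation to SQL. The following added example, not code from the presentation, mirrors the slide in Python: tables are sets of rows, every mutation is applied only if the candidate state satisfies both invariants, and `select_user` fails loudly when the uniqueness the specification assumes does not hold instead of returning an arbitrary row. The row classes, the `Database` API and the sample rows are assumptions of the example.

```python
"""Tables as sets of rows with the model's invariants enforced on every mutation.

Added example (not the presentation's code); names and sample rows are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Set


class InvariantViolated(Exception):
    pass


@dataclass(frozen=True)
class UserRow:
    username: str
    password_hash: str


@dataclass(frozen=True)
class DocumentRow:
    doc_id: int
    owner: str
    title: str


def user_table_inv(rows: Set[UserRow]) -> bool:
    # inv usrtbl == forall r, s in set usrtbl & r.username = s.username => r = s
    return all(r == s for r in rows for s in rows if r.username == s.username)


def owners_known_inv(users: Set[UserRow], documents: Set[DocumentRow]) -> bool:
    # inv forall d in set Documents & exists u in set Users & d.owner = u.username
    return all(any(u.username == d.owner for u in users) for d in documents)


class Database:
    def __init__(self) -> None:
        self.users: Set[UserRow] = set()
        self.documents: Set[DocumentRow] = set()

    def _apply(self, users: Set[UserRow], documents: Set[DocumentRow]) -> None:
        """Install a candidate state only if it satisfies both invariants."""
        if not user_table_inv(users):
            raise InvariantViolated("duplicate username")
        if not owners_known_inv(users, documents):
            raise InvariantViolated("document owner is not a known user")
        self.users, self.documents = users, documents

    def insert_user(self, row: UserRow) -> None:
        self._apply(self.users | {row}, self.documents)

    def delete_user(self, username: str) -> None:
        # Rejected by the owner invariant while the user still owns documents.
        self._apply({u for u in self.users if u.username != username}, self.documents)

    def insert_document(self, row: DocumentRow) -> None:
        self._apply(self.users, self.documents | {row})

    def select_user(self, key: str) -> UserRow:
        # post r = iota u in set Users & u.username = key: exactly one such row.
        matches = [u for u in self.users if u.username == key]
        if len(matches) != 1:
            raise LookupError("iota undefined: %d rows for %r" % (len(matches), key))
        return matches[0]

    def select_documents_by_owner(self, owner: str) -> FrozenSet[DocumentRow]:
        # post r = {d | d in set Documents & d.owner = owner}
        return frozenset(d for d in self.documents if d.owner == owner)


def build_sample() -> Database:
    """Constructed sample state (not from the presentation)."""
    db = Database()
    db.insert_user(UserRow("alice", "h1"))
    db.insert_user(UserRow("bob", "h2"))
    db.insert_document(DocumentRow(1, "alice", "Spec"))
    db.insert_document(DocumentRow(2, "alice", "Design"))
    return db


def violates(action: Callable[[], None]) -> bool:
    """True if the zero-argument action is rejected by an invariant."""
    try:
        action()
    except InvariantViolated:
        return True
    return False


if __name__ == "__main__":
    db = build_sample()
    print(db.select_user("alice"))
    print("orphan document rejected:",
          violates(lambda: db.insert_document(DocumentRow(3, "mallory", "X"))))
```

In the implementation the same two invariants correspond to a unique index on username and a foreign key from documents.owner to users.username; checking them in the data access layer as well keeps the model's guarantees even on a database where those constraints were never created.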

  17. Explicit Controller Action
      public Edit: nat ==> Response
      Edit(id) == (
        dcl doc: [Document] := Document`GetById(id),
            acl: ACL := new ACL();
        if acl.HasPermission(current_user, doc, <edit>) then (
          if {"title", "body"} subset dom POST then (
            doc.title := POST("title");
            doc.content := POST("body");
            doc.Update();
            return self.Redirect("/document/view/", doc)
          ) else (
            view.Load("document_edit");
            return view.Render()
          )
        ) else
          return self.Redirect("/error/denied/");
      );

  18. Implementation • Approach • Code as refinement of model • Keep implementation similar to low-level design • Architecture • Same MVC pattern as model • Most of the same classes as detailed model • Classes representing runtime and database not needed

  19. Variations from model • Addition of view logic • Dynamic behavior • Controller instantiation • Modeled with static mapping • Additional management/listing pages • Group and permission listing pages • Added to model and then implemented • Permission list population • Operation added to model and implementation

  20. Results • High-level models • Useful in general, but not more so than less formal approaches, e.g. UML diagrams • More useful where more detail was used, e.g. security analysis. • Detailed design • Easy to translate, helped reduce coding time • Controller classes and database – direct mapping • Very helpful during delay in implementation

  21. Conclusion • Literature and case studies • Cost saving and quality increase • Meaningful gains without large scale formalism • Sample project • Useful as design tool • Helped reduce effort in implementation • Areas for further research • Sample models using animation to prototype • Alternate modeling approaches, derivation/proof • Abstraction into fully reusable framework

  22. References
    • [Amey 2002] Peter Amey. Correctness by construction: Better can also be cheaper. Crosstalk Magazine, 2002.
    • [Ciapessoni 1999] Emanuele Ciapessoni, Piergiorgio Mirandola, Alberto Coen-Porisini, Dino Mandrioli, and Angelo Morzenti. From formal models to formally based methods: an industrial experience. ACM Trans. Softw. Eng. Methodol., 8(1):79-113, 1999.
    • [Hoare 1969] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576-580, 1969.
    • [Gries 1981] David Gries. The Science of Programming. Texts and Monographs in Computer Science. Springer-Verlag, 1981.
    • [Finney 1996] Kate Finney and Norman Fenton. Evaluating the effectiveness of Z: the claims made about CICS and where we go from here. J. Syst. Softw., 35(3):209-216, 1996.
    • [Craigen 1993] D. Craigen, S. Gerhart, and T. J. Ralston. An international survey of industrial applications of formal methods (volume 1: Purpose, approach, analysis and conclusions; volume 2: Case studies). Technical Report NIST GCR 93/626-V1 and NIST GCR 93/626-V2 (order numbers PB93-178556/AS and PB93-178564/AS), National Institute of Standards and Technology, Gaithersburg, MD; National Technical Information Service, Springfield, VA, 1993.
