Formal Methods in Practice: Analysis and Application of Formal Modeling to Information Systems Peter Geer
Introduction
• Stereotype: Formal methods = critical systems
• How can they be applied to typical non-critical information systems?
• Approach
  • Examine literature and case studies
  • Extract lessons
  • Apply to a sample system
History
• Formal methods
  • Allow programmers to manage the increasing complexity of systems
  • Increase quality and reliability
• Formal program meaning
  • Hoare triple: P {Q} R [Hoare 1969] (if P holds before Q runs and Q terminates, R holds afterwards)
  • Use inference rules to derive P {Q} R
  • Weakest precondition semantics [Gries 1981]
  • Predicate transformer: wp("x := y", R) = P, the weakest P that guarantees R after the assignment
  • Full axiomatic semantics of an ALGOL-like language
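The assignment rule of weakest-precondition semantics, carried through on a concrete instance; this is an added illustration, not one of the slides' own examples:

\[
wp(\text{``}x := E\text{''},\; R) \;=\; R[x := E]
\]

where $R[x := E]$ is $R$ with every free occurrence of $x$ replaced by $E$. Taking $R \equiv (x > 0)$ and the assignment $x := x + 1$:

\[
wp(\text{``}x := x + 1\text{''},\; x > 0) \;=\; (x + 1 > 0) \;=\; (x \geq 0)
\]

So $x \geq 0$ is the weakest $P$ for which the Hoare triple $P \;\{x := x + 1\}\; (x > 0)$ holds; a stronger $P$ such as $x > 5$ is also a valid precondition, but admits fewer starting states.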
Formal Modeling
• Focus on general system modeling, not code verification
• Early notations: Z (Oxford), Vienna Development Method (IBM)
• Based on pre- and post-conditions, predicate logic, set theory
• Variations: VDM++, Object-Z, TCOZ, etc.
• Different specialties: object-orientation, timing, etc.
Ways to Apply FM
• Full formalism
  • Refinement with formal justification/proof of steps
• Formal specification/design
  • Apply to specs/design, no formal relation to code
• Light-weight formal methods
  • No large-scale proof
• Targeted application
  • Apply as needed to selected areas
• System review
  • Retrospective analysis of an already built system
• Code verification
Case Studies
• CICS redevelopment [Finney 1996]
  • Z and Dijkstra's guarded command language
  • 268K lines of CDL, 37K based on Z specs, 11K with partial Z specs
  • Queen's Award, 2.5x fewer defects, 9% cost saving
• Pondage power plant [Ciapessoni 1999]
  • TRIO formal specification language, refinement
  • Total costs 15% lower than with conventional methods
  • Specification cost twice as much, but every other stage cost less
Case Studies
• SSADM CASE tools [Craigen 1993]
  • Z specs; the only tool was a prototype parser/type-checker
  • 2718 man-days actual vs. 6400 man-days estimated
  • Productivity 17 LOC/day vs. 11 predicted
• Darlington Nuclear Generator [Craigen 1993]
  • Post hoc formalization using function tables
  • Obtained license; cost: $4 million, 25% of project
• Lockheed C130J [Amey 2002]
  • Semi-formal spec, implemented in SPARK
  • Developer productivity up 4x, costs half normal
  • Code quality up 10x; SPARK code had only 10% of the errors of standard Ada
Lessons From Industry
• Expensive to start
  • Training, tools, lost productivity while learning
  • Long-term investment
• Best when integrated into the process
• Need on-site expertise
  • Hard to bootstrap FM from nothing
• Tools helpful, not necessary
  • Can get helpful results without powerful proof tools
• Right method for the job
  • Methods differ in focus; not one-size-fits-all
Sample Application
• Goals:
  • Demonstrate application of FM to a typical small project, learning material
  • Demonstrate use of formal modeling with a modern dynamic programming language
  • Base framework for future expansion
• Web-based document management system
• Technology:
  • LAMP stack (Linux, Apache, MySQL, PHP)
  • VDM++ for formal models
  • Modeling tools: VDM++ Toolkit, Overture IDE
Development Approach
• Light-weight formal modeling
  • Models as analysis and design tool
• Refinement
  • Requirements model
  • High-level design model
  • Detailed design model
  • Implementation
• Keep the models "live" documents
Requirements specification
• Determine major entities and operations required, map to VDM++ classes
• User
  • Properties: username, password
  • Operations: login, logout
• Document
  • Properties: owner, content
  • Operations: create, edit, delete, read
• Security
  • Considered some variations, added support for group permissions
Security Specification

  types
    AccessType = <read> | <edit> | <delete>;
    AccessObject = User | Group;
    Permission = map (AccessObject * Document) to (map AccessType to bool);

  PermissionCheck(u: User, d: Document, t: AccessType) r: bool
    ext rd permissions, groups
    post r = if mk_(u, d) in set dom permissions
             then permissions(mk_(u, d))(t)
             else exists g in set groups &
                    mk_(g, d) in set dom permissions and
                    u in set g.members and
                    permissions(mk_(g, d))(t)
Top-level System Specification

  class System
  types
    PageSpecifier = <list_documents> | <read_document> | <list_groups> |
                    <show_group> | <login>;
  instance variables
    security: Security := new Security();
    users: set of User := {};
    documents: set of Document := {};
    current_user: [User] := nil;
    next_page: PageSpecifier := <list_documents>;
  operations
    public Login(username: seq of char, password: seq of char) r: bool
      ext rd users
          wr current_user, next_page
      pre current_user = nil
      post next_page = <list_documents> and
           if exists u in set users & u.username = username and u.password = password
           then current_user in set users and current_user.username = username and r = true
           else current_user = nil and r = false;

    public CreateGroup(name: seq of char)
      ext wr security, next_page
      pre current_user in set security.administrators
      post next_page = <show_group> and
           exists g in set security.groups & g.name = name;
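The two specifications above (Security.PermissionCheck, and System.Login / System.CreateGroup) as executable Python, so the post-conditions can be exercised on concrete data. This is an added example, not code from the slides or from the project's PHP implementation. Class and attribute names follow the model; the Python structure, the PreconditionViolated exception and the constructed users, groups and permissions in demo() are this example's own.

```python
# Added example, not from the slides or the project's PHP code: an executable
# reading of the VDM++ Security.PermissionCheck, System.Login and
# System.CreateGroup specifications above. Names follow the model; the Python
# structure and the PreconditionViolated exception are this example's own.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class User:
    username: str
    password: str  # the model abstracts password storage to a plain value

@dataclass(frozen=True)
class Group:
    name: str
    members: FrozenSet[User]

@dataclass(frozen=True)
class Document:
    owner: str
    content: str

AccessObject = Union[User, Group]
# Permission = map (AccessObject * Document) to (map AccessType to bool)
Permission = Dict[Tuple[AccessObject, Document], Dict[str, bool]]

class PreconditionViolated(Exception):
    """Raised where an operation's VDM++ 'pre' clause would be false."""

class Security:
    def __init__(self) -> None:
        self.permissions: Permission = {}
        self.groups: Set[Group] = set()
        self.administrators: Set[User] = set()

    def permission_check(self, u: User, d: Document, t: str) -> bool:
        # post r = if mk_(u, d) in set dom permissions then permissions(mk_(u, d))(t)
        if (u, d) in self.permissions:
            # The model applies the inner map to t with no domain check; an
            # access type the entry does not mention is read here as False.
            return self.permissions[(u, d)].get(t, False)
        # else exists g in set groups & mk_(g, d) in set dom permissions
        #      and u in set g.members and permissions(mk_(g, d))(t)
        return any((g, d) in self.permissions and u in g.members
                   and self.permissions[(g, d)].get(t, False)
                   for g in self.groups)

class System:
    def __init__(self) -> None:
        self.security = Security()
        self.users: Set[User] = set()
        self.current_user: Optional[User] = None
        self.next_page = "list_documents"

    def login(self, username: str, password: str) -> bool:
        if self.current_user is not None:  # pre current_user = nil
            raise PreconditionViolated("a user is already logged in")
        self.next_page = "list_documents"
        match = [u for u in self.users
                 if u.username == username and u.password == password]
        self.current_user = match[0] if match else None
        return bool(match)

    def create_group(self, name: str) -> None:
        if self.current_user not in self.security.administrators:  # pre
            raise PreconditionViolated("only administrators may create groups")
        self.security.groups.add(Group(name, frozenset()))
        self.next_page = "show_group"

def demo() -> Dict[str, object]:
    """Constructed scenario: alice owns the document and is the administrator;
    bob and carol are in 'editors', which may read and edit; carol also has a
    user-level entry denying edit, and the user entry takes precedence."""
    alice, bob, carol = User("alice", "pw-a"), User("bob", "pw-b"), User("carol", "pw-c")
    doc = Document(owner="alice", content="draft")
    editors = Group("editors", frozenset({bob, carol}))
    s = System()
    s.users = {alice, bob, carol}
    s.security.groups = {editors}
    s.security.administrators = {alice}
    s.security.permissions = {
        (alice, doc): {"read": True, "edit": True, "delete": True},
        (editors, doc): {"read": True, "edit": True},
        (carol, doc): {"read": True, "edit": False},
    }
    out: Dict[str, object] = {
        "bob_edit": s.security.permission_check(bob, doc, "edit"),
        "bob_delete": s.security.permission_check(bob, doc, "delete"),
        "carol_edit": s.security.permission_check(carol, doc, "edit"),
        "carol_read": s.security.permission_check(carol, doc, "read"),
        "bad_login": s.login("bob", "wrong"),
        "good_login": s.login("bob", "pw-b"),
    }
    try:
        s.create_group("reviewers")
        out["bob_created_group"] = True
    except PreconditionViolated:
        out["bob_created_group"] = False
    return out
```

Two points the post-condition fixes and the scenario makes visible: a user-level entry shadows every group grant for that user and document, so an entry that only says edit: false works as an explicit deny; and the inner map is applied to an access type that the entry may not mention, which the model leaves undefined and this example reads as False. The model's comparison u.password = password says nothing about how the credential is stored; a refinement of Login would compare against a stored password hash rather than keep the plaintext the model abstracts over.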
Component-Level Specification
• Refinement of requirements specification
• Model-View-Controller (MVC) pattern
• Separation of operation types
  • UserController
  • GroupController
  • DocumentController
• Introduce implementation-related classes
  • ActiveRecord
  • View
  • Database
Detailed Design
• Explicit specification of controller operations
  • Basic control-flow modeling
• Expand domain model classes
  • User, Document, Group
  • Operations implementing ActiveRecord interface
• Add class for global state/runtime
  • PHP class: standard types, global data
• Detailed database modeling
  • Tables modeled as sets of tuples
Database Design
• Constraints
  • Type and class invariants

      public UserTable = set of UserRow
        inv usrtbl == forall r, s in set usrtbl & r.username = s.username => r = s;

      public Documents: DocumentTable;
      inv (forall d in set Documents & exists u in set Users & d.owner = u.username);

• Data access layer

      SelectUser(key: String) r: UserRow
        ext rd Users
        post r = iota u in set Users & u.username = key;

      SelectDocumentByOwner(owner: String) r: set of DocumentRow
        ext rd Documents
        post r = {d | d in set Documents & d.owner = owner};
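The two invariants and two data-access post-conditions above, refined into a relational schema and queries. This is an added example, not the project's schema or code: SQLite in memory stands in for the MySQL of the LAMP stack so the block runs offline, the column set (id, title, password) beyond what the model names is assumed, and the rows in invariant_checks() are constructed.

```python
# Added example, not the project's schema: the VDM++ table invariants and
# data-access post-conditions refined into SQL constraints and parameterised
# queries. SQLite in memory stands in for MySQL; table and column names follow
# the model where it names them, the rest are this example's assumptions.
import sqlite3
from typing import Dict, Set, Tuple

SCHEMA = """
CREATE TABLE Users (
    username TEXT PRIMARY KEY,   -- inv: r.username = s.username => r = s
    password TEXT NOT NULL
);
CREATE TABLE Documents (
    id       INTEGER PRIMARY KEY,
    owner    TEXT NOT NULL REFERENCES Users(username)  -- inv: owner is a username in Users
             ON DELETE RESTRICT ON UPDATE CASCADE,
    title    TEXT NOT NULL,
    content  TEXT NOT NULL
);
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES unless enabled
    conn.executescript(SCHEMA)
    return conn

def select_user(conn: sqlite3.Connection, key: str) -> Tuple[str, str]:
    """SelectUser: post r = iota u in set Users & u.username = key.
    'iota' denotes the unique such row; zero or several matches mean the
    invariant is broken, so this refuses rather than silently picking one."""
    rows = conn.execute(
        "SELECT username, password FROM Users WHERE username = ?", (key,)
    ).fetchall()
    if len(rows) != 1:
        raise LookupError(f"iota undefined: {len(rows)} rows for username {key!r}")
    return rows[0]

def select_documents_by_owner(conn: sqlite3.Connection, owner: str) -> Set[Tuple]:
    """SelectDocumentByOwner: post r = {d | d in set Documents & d.owner = owner}."""
    rows = conn.execute(
        "SELECT id, owner, title, content FROM Documents WHERE owner = ?", (owner,)
    ).fetchall()
    return set(rows)

def invariant_checks(conn: sqlite3.Connection) -> Dict[str, bool]:
    """Constructed scenario: load one user and one document, then attempt each
    write the model's invariants forbid and record whether it was rejected."""
    conn.execute("INSERT INTO Users VALUES ('alice', 'pw-a')")
    conn.execute(
        "INSERT INTO Documents (owner, title, content) VALUES ('alice', 'Plan', 'draft')"
    )
    forbidden = {
        "duplicate_username": "INSERT INTO Users VALUES ('alice', 'other')",
        "unknown_owner": "INSERT INTO Documents (owner, title, content) "
                         "VALUES ('mallory', 'x', 'y')",
        "delete_owner_with_documents": "DELETE FROM Users WHERE username = 'alice'",
    }
    rejected: Dict[str, bool] = {}
    for name, sql in forbidden.items():
        try:
            conn.execute(sql)
            rejected[name] = False
        except sqlite3.IntegrityError:
            rejected[name] = True
    return rejected
```

The invariants become constraints the database enforces on every write, not checks the PHP code has to remember; the PRAGMA matters because SQLite accepts a REFERENCES clause and then ignores it unless foreign keys are switched on for the connection. The queries take the username as a bound parameter rather than splicing it into the SQL string, which is what keeps a user-controlled key from changing the query that the post-condition describes.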
Explicit Controller Action

  public Edit: nat ==> Response
  Edit(id) == (
    dcl doc: [Document] := Document`GetById(id),
        acl: ACL := new ACL();
    if acl.HasPermission(current_user, doc, <edit>) then (
      if {"title", "body"} subset dom POST then (
        doc.title := POST("title");
        doc.content := POST("body");
        doc.Update();
        return self.Redirect("/document/view/", doc)
      ) else (
        view.Load("document_edit");
        return view.Render()
      )
    ) else
      return self.Redirect("/error/denied/");
  );
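The Edit action above as a plain function over a request, so the control flow the model fixes (authorize first, then either commit a complete form or re-render it, and never write on a partial one) can be exercised without a web server. This is an added example, not code from the slides or the project; the Response type, POST keys and redirect targets follow the slide, while the in-memory Store, the ACL lookup, the view URL format "/document/view/<id>" and the data in demo() are this example's own constructions.

```python
# Added example, not from the slides or the project's PHP code: the Edit
# controller action as a pure function over a request. Names follow the slide
# (Response, POST keys, redirect targets); the in-memory Store and ACL and the
# "/document/view/<id>" URL format are this example's own assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

@dataclass
class Document:
    id: int
    owner: str
    title: str
    content: str

@dataclass(frozen=True)
class Response:
    kind: str    # "redirect" or "render"
    target: str  # URL for a redirect, view name for a render

class Store:
    """Stands in for Document`GetById and doc.Update()."""
    def __init__(self, docs: Iterable[Document]) -> None:
        self.docs = {d.id: d for d in docs}
        self.updates = 0

    def get_by_id(self, doc_id: int) -> Optional[Document]:
        return self.docs.get(doc_id)

    def update(self, doc: Document) -> None:
        self.updates += 1

class ACL:
    """Stands in for acl.HasPermission: (username, document id) -> access types."""
    def __init__(self, entries: Dict[Tuple[str, int], Set[str]]) -> None:
        self.entries = entries

    def has_permission(self, user: Optional[str], doc: Document, access: str) -> bool:
        return user is not None and access in self.entries.get((user, doc.id), set())

def edit(store: Store, acl: ACL, current_user: Optional[str],
         doc_id: int, post: Dict[str, str]) -> Response:
    doc = store.get_by_id(doc_id)
    # The model types doc as [Document] (nil allowed) yet calls HasPermission on
    # it unconditionally; here an unknown id takes the same path as a denial.
    if doc is None or not acl.has_permission(current_user, doc, "edit"):
        return Response("redirect", "/error/denied/")
    if {"title", "body"} <= set(post):  # {"title", "body"} subset dom POST
        doc.title = post["title"]
        doc.content = post["body"]
        store.update(doc)
        return Response("redirect", f"/document/view/{doc.id}")
    # Incomplete form data: render the edit form and write nothing
    return Response("render", "document_edit")

def demo() -> Dict[str, object]:
    """Constructed scenario: alice may edit document 1, bob may only read it."""
    store = Store([Document(1, "alice", "Plan", "draft")])
    acl = ACL({("alice", 1): {"read", "edit", "delete"}, ("bob", 1): {"read"}})
    out: Dict[str, object] = {
        "bob": edit(store, acl, "bob", 1, {"title": "x", "body": "y"}),
        "anonymous": edit(store, acl, None, 1, {"title": "x", "body": "y"}),
        "unknown_id": edit(store, acl, "alice", 99, {"title": "x", "body": "y"}),
        "partial_post": edit(store, acl, "alice", 1, {"title": "only a title"}),
        "full_post": edit(store, acl, "alice", 1, {"title": "Plan v2", "body": "final"}),
    }
    out["updates"] = store.updates
    out["stored"] = (store.get_by_id(1).title, store.get_by_id(1).content)
    return out
```

The order of the two tests is the security-relevant part of the model: the permission check runs before any POST field is read, so a request from a user without edit rights (or from nobody at all) never reaches the assignments, and a request that passes the check but lacks a field renders the form instead of writing a half-updated document. The nil case is the one thing the VDM++ text leaves open, since doc may be nil when HasPermission is called; the example closes it by routing an unknown id to the denied page.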
Implementation
• Approach
  • Code as refinement of model
  • Keep implementation similar to low-level design
• Architecture
  • Same MVC pattern as model
  • Most of the same classes as detailed model
  • Classes representing runtime and database not needed
Variations from model
• Addition of view logic
• Dynamic behavior
  • Controller instantiation
  • Modeled with static mapping
• Additional management/listing pages
  • Group and permission listing pages
  • Added to model and then implemented
• Permission list population
  • Operation added to model and implementation
Results
• High-level models
  • Useful in general, but not more so than less formal approaches, e.g. UML diagrams
  • More useful where more detail was used, e.g. security analysis
• Detailed design
  • Easy to translate, helped reduce coding time
  • Controller classes and database: direct mapping
  • Very helpful during delay in implementation
Conclusion
• Literature and case studies
  • Cost saving and quality increase
  • Meaningful gains without large-scale formalism
• Sample project
  • Useful as design tool
  • Helped reduce effort in implementation
• Areas for further research
  • Sample models using animation to prototype
  • Alternate modeling approaches, derivation/proof
  • Abstraction into fully reusable framework
References
• [Amey 2002] Peter Amey. Correctness by construction: Better can also be cheaper. Crosstalk Magazine, 2002.
• [Ciapessoni 1999] Emanuele Ciapessoni, Piergiorgio Mirandola, Alberto Coen-Porisini, Dino Mandrioli, and Angelo Morzenti. From formal models to formally based methods: an industrial experience. ACM Trans. Softw. Eng. Methodol., 8(1):79-113, 1999.
• [Hoare 1969] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576-580, 1969.
• [Gries 1981] David B. Gries. The Science of Programming. Texts and Monographs in Computer Science. Springer-Verlag, 1981.
• [Finney 1996] Kate Finney and Norman Fenton. Evaluating the effectiveness of Z: the claims made about CICS and where we go from here. J. Syst. Softw., 35(3):209-216, 1996.
• [Craigen 1993] D. Craigen, S. Gerhart, and T. J. Ralston. An international survey of industrial applications of formal methods (volume 1: Purpose, approach, analysis and conclusions; volume 2: Case studies). Technical Report NIST GCR 93/626-V1 & NIST GCR 93-626-V2, National Institute of Standards and Technology, Gaithersburg, MD, 1993.