Section: New Results

Formal Methods for Developing and Analyzing Algorithms and Systems

Participants : Noran Azmy, Gabriel Corona, Margaux Duroeulx, Marie Duflot-Kremer, Souad Kherroubi, Dominique Méry, Stephan Merz, Nicolas Schnepf, Christoph Weidenbach.

Making explicit domain knowledge in formal system development

Joint work with partners of the IMPEX project.

Modeling languages are concerned with providing techniques and tool support for the design, synthesis and analysis of the models resulting from a given modeling activity, and this activity is usually part of a system development model or process. These languages quite successfully focus on the analysis of the designed system, exploiting the semantic features of the underlying modeling language. These semantics are well understood by the system designers and/or the users of the modeling language, that is why we speak of implicit semantics.

In general, modeling languages are not equipped with resources, concepts or entities handling explicitly domain engineering features and characteristics (domain knowledge) in which the modeled systems evolve.

We posit that designers should explicitly handle the knowledge resulting from an analysis of the application domain, i.e. explicit semantics. As of today, making explicit the domain knowledge inside system design models does not follow any methodological rule; instead, features of domain knowledge are introduced in an ad-hoc way through types, constraints, profiles, etc.

Our claim [11] is that ontologies are good candidates for handling explicit domain knowledge. They define domain theories and provide resources for uniquely identifying concepts of domain knowledge. Therefore, allowing models to make references to ontologies is a modular solution for models to explicitly handle domain knowledge. Overcoming the absence of explicit semantics expression in the modeling languages used to specify systems models will increase the robustness of the designed system models. Indeed, references to the axioms and theorems resulting from the ontologies can be used to strengthen the properties of the designed models. The objective is to offer rigorous mechanisms for handling domain knowledge in design models. We also show how these mechanisms are set up in the cases of formal system models, both for static and dynamic aspects.

Incremental Development of Systems and Algorithms

Joint work with Andriamiarina, Manamiary Bruno, with Neeraj Kumar Singh from IRIT, Toulouse, with Rosemary Monahan, NUI Maynooth, Ireland, and with Zheng Cheng, LINA, Nantes.

The development of distributed algorithms and, more generally, of distributed systems, is a complex, delicate, and challenging process. The approach based on refinement applies a design methodology that starts from the most abstract model and leads, in an incremental way, to a distributed solution. The use of a proof assistant gives a formal guarantee on the conformance of each refinement with the model preceding it.

Our main results during 2016 are:

• An extension [18] for handling the verification of concurrent programs. In a second step, we show the importance of the concept of refinement, and how it can be used to found a methodology for designing concurrent programs using the coordination paradigm.

• A fully mechanized proof [36] of correctness of self-$*$ systems along with an interesting case study related to P2P-based self-healing protocols.

• We report on our progress in implementing a software development environment that integrates two formal software engineering techniques: program refinement as supported by Event-B, and program verification as supported by the Spec# programming system. We improve the usability of formal verification tools by providing a general framework for integrating these two approaches to software verification. We show how the two approaches, based respectively on correctness by construction and on post-hoc verification, can be used in a productive way. In [32], we focus on the final steps in this process where the final concrete specification is transformed into an executable algorithm. We present EB2RC , a plug-in for the Rodin platform that reads in an Event-B model and uses the control framework introduced during its refinement to generate a graphical representation of the executable algorithm. EB2RC also generates a recursive algorithm that is easily translated into executable code. We illustrate our technique through case studies and their analysis.

Verification of the Pastry routing protocol

In her PhD thesis, Noran Azmy develops a formal proof in TLA⁺ of the routing protocol used in the Pastry protocol [51] for maintaining a distributed hash table over a peer-to-peer network. In a previous thesis [47], Tianxiang Lu had found problems with all published versions of the original protocol, introduced a variant of Pastry, and given a first correctness proof of that protocol, assuming that no node ever disconnects. Due to limitations of TLAPS at that time, Lu's proof relied on many unchecked assumptions on arithmetic and on the underlying data structures, and it was later discovered that several of these assumptions were not valid.

Noran Azmy simplified the proof by introducing intermediate abstractions that allowed her to avoid low-level arithmetic reasoning in the main proof steps, and she proved lemmas corresponding to those assumptions that were actually used in the proof. As a result, she obtained a complete machine-checked proof of Lu's variant of the Pastry protocol, still under the assumption that no node leaves the network. Moreover, a close analysis of the invariant used in her simplified proof revealed that the protocol could be simplified by leaving out the final “lease exchange” protocol. The results were published at ABZ 2016 [22], and an extended article was invited for publication in Science of Computer Programming.

Proof of Determinacy of PharOS

Joint work with Selma Azaiez and Matthieu Lemerre (CEA Saclay), and Damien Doligez (Inria Paris).

As the main contribution of our group to the ADN4SE project funded by PIA, in cooperation with colleagues from CEA LIST, we wrote a high-level TLA⁺ specification of the real-time operating system PharOS [46] and proved its executions to be deterministic. Roughly speaking, determinacy means that the sequence of local states of any process during a computation does not depend on the order in which processes are scheduled. The proof assumes that no deadlines are missed (which in practice is ensured by schedulability analysis of the particular applications). This property greatly simplifies the analysis and verification of programs that are executed within PharOS. The results were published at ABZ 2016 [21].

Formal Verification of Chains of Security Functions

Joint work with Rémi Badonnel and Abdelkader Lahmadi of the Madynes research group of Inria Nancy.

During his Master's thesis, Nicolas Schnepf studied formal techniques for the automatic verification of chains of security functions in a setting of software-defined networks (SDN). Concretely, he defined an extension of the Pyretic language [44] taking into account the data plane of SDN controllers and implemented a translation of that extension to the input languages of the nuXmv model checker and of SMT solvers. The approach and its scalability was validated over crafted security chains, and a conference paper describing the results is under preparation. Nicolas Schnepf started a PhD thesis in October 2016, jointly supervised by members of the Madynes and VeriDis groups.

Auditing hybrid systems for compliance

There is a huge gap in complexity between the actual analysis of a complex hybrid system and the analysis of the eventual control needed for safe operation. For example, for the combustion process of an engine there is not even a closed formal model, but the eventual control can be represented in a finite domain language. Such a language can then in particular be used for run-time control of a system through an auditor, providing the detection of faulty components or compliance violations. We have studied the consequences of such an approach if applied to the overall life time process of a technical system [29].