Damas Gruska. Probabilistic Opacity
Abstract: We define a security concept  "probabilistic opacity" in a probabilistic
timed process algebra framework. A process is opaque with respect to
a given property over its traces (represented by predicate $\Phi$) if an
observer (represented by an observational function) cannot decide whether
the property has been satisfied. In general, opacity is undecidable even
for finite state systems so we express both the security predicate and
the observation function by means of finite state processes. The resulting
security properties can be used for specifications and verifications of
concurrent systems.
Joost-Pieter Katoen, Mani Swaminathan and Martin Fränzle. Symbolic Robustness Analysis of Probabilistic Timed Systems
Abstract: We propose a symbolic algorithm that attempts to address \emph{robustness} w.r.t the interplay of non-deterministic and probabilistic behaviour in the quantitative analysis of real-time systems, modelled as Probabilistic Timed Automata (PTA). We consider enhanced non-deterministic behaviour by accounting for model-imprecisions such as drifting clocks, unlike the existing analysis technqiues for PTA that consider perfect clocks.
Erika Abraham, Immo Grabe, Andreas Gruener and Martin Steffen. Abstract interface behavior of  an object-oriented language with futures and promises
Abstract: This paper describes the observable interface behavior of a simple
  object-oriented language with futures, promises, and active objects,
  which captures the core of \Creol's concurrency.  The operational
  semantics is written in such a way that it highlights the commonalities
  and the (few, but crucial) differences to the more familiar
  multi-threaded concurrency model of languages like Java and C-sharp. In
  addition, we extend the language and the result by \emph{promises}.
  \textbf{Keywords:} oo languages, formal semantics, concurrency, futures
  and  promises, open systems, observable behavior%
Eva Suci and Magne Haveraaen. A Hardware Independent Parallel Programming Model
Abstract: Programming a highly parallel machine or chip can be formulated
as finding an embedding of the computation's data dependency into the underlying
hardware architecture. With the data dependency pattern of a computation
extracted as a separate entity in a programming language, one has a powerful tool to
code parallel programs.
Pavel Krcal, Leonid Mokrushin and Wang Yi. Compositional Analysis of Timed Systems by Abstraction
Abstract: We present a new technique for compositional timing
and performance analysis of real-time systems
modeled using timed automata and the real-time calculus
\cite{tcgmg-emsoft01}. It is an over-approximation technique
in which a component of a system, modeled as a timed automaton
is abstracted as a transducer of event streams described
by arrival curves from the real-time calculus.
This allows us to characterize the semantics of a system as
a set of equations over streams. Many interesting properties
such as schedulability and buffer boundedness can be checked
in solving the equations. Based on UPPAAL and the real-time
calculus, a prototype tool has been implemented, that can
be used to check the schedulability of a system and to
estimate the best and worst case response times of its
computation tasks.
Kai Trojahner and Clemens Grelck. Dependently Typed Array Programs Don't Go Wrong
Abstract: The array programming paradigm adopts arrays as the fundamental data structures
of computation.
Array operations work on entire arrays instead of just single elements.
This makes array programs highly expressive and introduces data-parallelism in a natural way.
In this paper, we present a special type system for static verification of array programs.
The system uses families of array types that do not only reflect the type of an array's elements but also contain an expression describing its shape.
For specific arrays such as shape vectors, singleton types are employed to capture a vector's value in its type.
The type system is based on a new variant of dependent types:
Vectors of integers are used to index into the family of array types.
Jens Schoenborn, Heiko Schmidt and Harald Fecher. UML state machines: Fairness Conditions specify the Event Pool
Abstract: The communication between different instances of UML state machines is handled by using underlying event pools but the UML standard leaves the behavior completely unspecified. Thus, in general, liveness properties cannot be verified. We give semantics of Streett fairness constraints for the event pool and present an algorithm that turns a set of fairness constraints into an abstract event pool. Since common fairness suffers from the drawback that the time until something good happens may be unbounded the presented algorithm allows the modeler to specify such a bound. The resulting abstract event pool can be further refined, justified by an example where a priority scheme on events is introduced.
Gyrd Br�ndeland and Ketil St�len. A probabilistic semantic paradigm for component-based security risk analysis
Abstract: We propose a probabilistic semantic paradigm for component-based security risk analysis. By security risk, we mean behaviour that constitutes a risk with regard to ICT security aspects, such as confidentiality, integrity and availability. The purpose of this work is to investigate the nature of security risk in the setting of component-based system development. A better understanding of security risk at the level of components facilitates the prediction of risks related to introducing a new component into a system. The semantic paradigm provides a first step towards integrating security risk analysis into component-based system development.
Fritz Henglein. What is a sorting function?
Abstract: We exhibit intrinsic definitions of inequality tests, sorting functions
and comparators as isomorphic presentations of total preorders
� Inequality tests are functions of type T � T ! Bool that are
reflexive, transitive and total.
� Sorting functions are functions of type T ! T (mapping finite
sequences of elements of type T) that permute their input and
do so consistently for each pair of elements.
� Comparators are functions of type T � T ! T � T that are
permutative, transitive and idempotent.
The definitions are intrinsic in the sense that they do not refer to predefined
orders or to each other. Furthermore the isomorphisms can
be defined parametrically polymorphically: the mapping from inequality
tests to sorting functions is the class of stable comparator-based
sorting algorithms; from comparators to sorting functions it is sorting
networks (comparator-based sorting algorithms); the other mappings
are trivial. So defining any one concrete presentation of an order automatically
provides all three presentations.
Whilst mathematically elementary and pleasingly simple, we believe
our definitions of sorting functions and comparators as isomorphic
characterizations of orders to be novel and of interest in themselves.
We investigate a number of variations on the definition of sorting functions
to illustrate that some care must be exercised in formulating their
Adrian Rutle, Yngve Lamo and Uwe Wolter. Generalized Sketches and Model Driven Architectrue
Abstract: Software developers increasingly recognize the need for portable,
scalable and distributed applications which are reliable, secure and
run at high performance. These applications are also required to be
produced both faster and at a lower cost. An approach to achieve
this is the Object Management Group's Model Driven Architecture
which involves automatic development processes and model management
in addition to executable models. This makes the importance of
formal modeling languages more recognizable since the automatization
of processes requires formal models. However, current modeling
languages are either semi-formal, ambiguous, or both, therefore, a
generic framework for formal, diagrammatic software specification is
inevitable. In this presentation, Generalized Sketches will be
introduced as a generic framework for the specification of modeling
languages and transformations between them. Then an example will be
presented to show how Generalized Sketches may be used in Model
Driven Architecture.
Frank de Boer and Immo Grabe. Finite-State Call-Chain Abstractions for Deadlock Detection in Multithreaded Object-Oriented Languages
Abstract: We present an algorithm to model check deadlock freedom for an automaton model of a Java program. For the sake of this paper, we introduce method automata and thread automata. Classes and objects are abstracted by method automata. Based on these automata thread automata are constructed to represent the calling behaviour of the program. Thread automata have no notion of history. This provides us with a finite-state model for model checking. The imprecision introduced by this abstraction is addressed by a refinement leading to a more precise model with respect to the calling behaviour of the program.
David Frutos Escrig and Carlos Gregorio-Rodr�guez. Algebraic and Coinductive Characterizations of Semantics Provide General Results for Free
Abstract: There have been quite a number of proposals for behavioural
equivalences for concurrent processes, and many of them are
presented in van Glabbeek's linear time-branching time spectrum,
where in particular an axiomatization for each one of these
semantics is provided. Recently we have been able of presenting
also a coinductive characterization of these semantics by means of
\emph {bisimulations up-to}, which give us the possibility to
apply coinductive technique to their study. The most important
property of these two approaches is their generality: once we have
captured the essence of many different semantics in the same way
we are able to get quite general results, which can be proved once
for all, covering not only the semantics that have just been
considered, but any other that could be defined in those
frameworks having some quite general properties that  are the only
ones used when proving our results. We illustrate these asserts by
means of a new and quite interesting result by Aceto, Fokkink and
Ingolfsdottir, where they prove how to get for free an
axiomatization of the equivalence induced by a behaviour preorder
coarser than the ready simulation from that of the given preorder.
We have got much simpler and shorter proofs of the main results in
their paper that besides are valid not only for the semantics in
the spectrum that they need to consider one by one, but for any
other semantics fulfilling the quite general and simple properties
that we need in our general proofs.
Aslan Askarov and Andrei Sabelfeld. Gradual Release: Unifying Declassification, Encryption and Key Release Policies (Extended Abstract)
Abstract: Information security has a challenge to address: enabling
information-flow controls with expressive information
release (or declassification) policies. Existing approaches
tend to address some aspects of information release,
exposing the other aspects for possible attacks. It
is striking that these approaches fall into two mostly separate
categories: revelation-based (as in information purchase,
aggregate computation, moves in a game, etc.) and
encryption-based declassification (as in sending encrypted
secrets over an untrusted network, storing passwords, etc.).

This paper introduces gradual release, a policy that unifies
declassification, encryption, and key release policies.
We model an attacker�s knowledge by the sets of possible secret
inputs as functions of publicly observable outputs. The
essence of gradual release is that this knowledge must remain
constant between releases. Gradual release turns out
to be a powerful foundation for release policies, which we
demonstrate by formally connecting revelation-based and
encryption-based declassification. Furthermore, we show
that gradual release can be provably enforced by security
types and effects.
Alejandro Russo. Controlling Timing Channels in Multithreaded Programs
Abstract: The problem of controlling information flow in multithreaded programs remains an important open challenge. A major difficulty for tracking information flow in concurrent programs is due to the internal timing covert channel. Information is leaked via this channel when secrets affect the timing behavior of a thread, which, via the scheduler, affects the interleaving of public events. Volpano and Smith propose a special primitive called protect. By definition, protect(c) takes one atomic step in the semantics with the effect of executing c to the end. Internal timing leaks are removed if every computation that branches on secrets is wrapped by protect() commands. However, implementing protect imposes a major challenge.

This work introduces a novel treatment of the interaction between threads and the scheduler. As a result, a permissive security specification and a compositional security type system are obtained. The type system guarantees security for a wide class of schedulers and provides a flexible treatment of dynamic thread creation. While this approach allows the implementation of a generalized version of protect, it relies on the modification of the scheduler in the run-time environment.

In some scenarios, the modification of the run-time environment might not be an acceptable requirement. For such scenarios, we also present two transformations that eliminate the need for protect or interactions with the scheduler while avoiding internal timing leaks. The first transformation is given for programs running under cooperative schedulers. It states that threads must not yield control inside of computations that branch on secrets. The second transformation closes internal timing channel when the scheduler is preemptive and behaves as round-robin. It spawns dedicated threads, whenever computation may affect secrets, and carefully synchronizes them.

To evaluate some of the ideas described above, we implement a library in Haskell  that provides information-flow security for multithreaded code. The implementation includes an online-shopping case study. The case study reveals that exploiting concurrency to leak secrets is feasible and dangerous in practice and shows how the library can help avoiding internal timing leaks. Up to the publication date, this is the first tool that guarantees information-flow security in multithreaded programs and the first implementation of a case study that involves concurrency and information-flow policies.
H�rmel Nestra. Transfinite Semantics in the form of Greatest Fixpoint
Abstract: In some applications like program slicing, it is useful to imagine program runs as they were able to overcome non-termination. According to this view, a computation that falls into an infinite loop or infinitely deep recursion continues after completing the infinite subcomputation.

Program semantics that follow this view may be called transfinite but the word "transfinite" actually fails to characterize the whole variety of computation processes. In the case where only iterative loops can be non-terminating, the sequence of execution steps is really transfinite in the sense that the steps can be enumerated by ordinals so that their execution order corresponds to the natural order of ordinals. But in the case of infinitely deep recursion, the sequence is more like a fractal structure.

Defining such semantics even for rather simple programs with infinitely deep recursion has not succeeded so far. We show some possible definitions via greatest fixpoints of monotone operators. In order to achieve this, usual traces are replaced by either fractional traces where steps are enumerated by rational numbers from some fixed interval or trees.
Gift Samuel, Yoshinao Isobe and Markus Roggenbach. Reasoning on Responsiveness  -- Extending CSP-Prover by the model R
Abstract: We report on the instantiation of CSP-Prover with the model R. CSP-Prover is an interactive theorem prover for CSP based on Isabelle/HOL. The model R is the latest development in the realm of CSP models. The model R is dedicated to the study of responsiveness.
Joseph Morris and Malcolm Tyrrell. Higher-Order Data Type Refinement
Abstract: We show data refinement and nondeterminacy are intimately related, and that a strong theory of data refinement can be elegantly constructed on a sufficiently rich theory of nondeterminacy.
Bj�rnar Solhaug and Ketil Stoelen. Refinement, Compliance and Adherence of Policies in the Setting of UML Interactions
Abstract: The UML is the de facto standard for information system specification, but offers little support for policy specification. We introduce extensions to the sequence diagram notation suitable for expressing policy rules. A formal semantics is defined which gives a precise meaning to the specifications and allows the formalization of the notions of refinement and compliance of policies. The relation between a policy and systems for which the policy applies is formalized, defining what it means for a system to adhere to the policy.
Mohammad Mahdi Jaghoori, Frank de Boer and Marjan Sirjani. Task Scheduling in Rebeca
Abstract: In this paper, we add real time constraints to Rebeca and present a compositional approach based on task automata for schedulability analysis of timed Rebeca models. In this approach, instead of just best-case and worst-case execution times, the behavior of each task is given (in terms of timed automata) and used in the schedulability analysis. These timed automata may in turn generate new tasks. Task automata, as introduced in \cite{FersmanYi07acc}, cannot model tasks generated {\em during} the execution of another task.
Marta Plaska, Marina Wald�n and Colin Snook. Visualising program transformations in a stepwise manner
Abstract: For designing and developing complex, correct and reliable systems formal methods are the most beneficial approach. However, a formal methodology could be difficult for industry practitioners due to its mathematical notation. Hence it needs to be supported by more approachable platform, which would give guidance both for industry and research world representatives. The Unified Modelling Language
(UML) with its semi-formal notation gives the intuitive image of the system and is commonly used within the industry. In the stepwise development of our system we combine UML with the formal methods approach and refinement patterns.
  For a formal top-down approach we use the Event B formalism and associated proof tool to develop the system and prove its correctness. Event-B is based on Action Systems as well as the B Method. It is related to B Action Systems for developing distributed systems in B. With the Event-B formalism we have tool support for proving the correctness of the development. In order to translate UML models into Event B, the UML-B tool is used. UML-B is a specialisation of UML that defines a formal modelling notation combining UML and B.
  The first phase of the design approach is to state the goals that the system needs to satisfy. Afterwards the functional requirements of the system are specified using natural language and illustrated by various UML diagrams, such as statechart diagrams that depict the behaviour of the system. The system is built up gradually in small steps using superposition refinement. We strongly rely on patterns in the
refinement process, since these are the cornerstones for creating reusable and robust software. UML diagrams and corresponding Event B code are developed for each step simultaneously. To get a better overview of the design process, we benefit from the progress diagrams that illustrate only the refinement-affected parts of the system. These diagrams are based on well-known and widely-used UML statechart diagrams. In our previous research we introduced progress diagrams, which were illustrated by a case study. Here we focus on exploring refinement patterns in view of progress diagrams, as their combination supports constructing large software systems in an incremental and layered fashion. Moreover, this combination facilitates to master the complexity of the project and to reason about the
properties of the system.
Aske Brekling, Michael R. Hansen and Jan Madsen. Hardware Modelling Language and Verification of Design Properties
Abstract: We give a semantics domain that can be used for hardware design languages like Gezel. With this semantics, we believe that a new Gezel-like language could be defined where the syntax reflects the semantics in a direct manner. We also show how the semantics can be used in connection with verification by relating the semantical domain to timed-automata. We have experimented with verification of some examples, e.g. the Simplified Data Encryption Standard Algorithm, using the UPPAAL system.
Fredrik Degerlund, Mats Neovius and Kaisa Sere. A Framework for Formal Reasoning about Distributed Webs of Trust
Abstract: Information technology is rapidly developing towards pervasive and ubiquitous applications assisting us in making our everyday decisions. As such, they need to be reliable. Technical reliability can already be achieved by traditional formal methods, but modelling human interaction demands new perspectives. We are developing a coordination language for use within the Action Systems formalism in order to mimic human perception of trust. This language allows for componentization by separating trust, as well as for reasoning about trust in a fully distributed manner. We believe that this will dramatically extend the applicable areas for mathematically verified applications, and that it will make us comfortable relying on microprocessors making critical decisions in our favour.
Juri Vain, Kullo Raiend, Andres Kull and Juhan Ernits. Test Purpose Directed Reactive Planning Tester for Nondeterministic Systems
Abstract: We describe a model-based construction of an online tester for black-box testing of the implementation under test
(IUT). The external behaviour of the IUT is modelled as an output observable nondeterministic EFSM with the
assumption that all transition paths are feasible. A test purpose is attributed to the IUT model by a set of
Boolean variables called traps that are used to measure the progress of the test run. These variables are
associated with the transitions of the IUT model. The situation where all traps have been reached means that the
test purpose has been achieved. We present a way to construct a tester that at runtime selects a suboptimal
test path from trap to trap by finding the shortest path to the next unvisited trap. The
principles of reactive planning are implemented in the form of the decision rules of selecting the shortest paths at
runtime. The decision rules are constructed in advance from the IUT model and the test purpose. Preliminary experimental results confirm that this
method clearly outperforms random choice and is better than the anti-ant algorithm in terms of resultant test sequence length to achieve the test purpose.
Steffen van Bakel and Maria Grazia Vigliotti. Note on a simple type system for non-interference
Abstract: We consider  CCS with value
passing  and elaborate a notion of noninterference for the process calculi,
which matches closely that of the programming language.
The idea is to view channels as information carriers rather than as
``events'', so that emitting a secret  on output channel can  considered   safe, while inputting a secret may lead to some kind of leakage.
This is in contrast with the standard notion of noninterference for the process calculi where any causal dependency of low-level action from any high-level action is forbidden.
Stefan Bygde. Analysis of Arithmetical Congruences on Low-Level Code
Abstract: Abstract Interpretation is a well known formal framework for abstracting programming language semantics. It provides a systematic way of building static analyses which can be used for optimisation and debugging purposes. Different semantic properties can be captured by so-called abstract domains which then easily can be combined in various ways to yield more precise analyses. The most known abstract domain is probably the one of intervals. An analysis using the interval domain yields bindings of each integer-valued program variable to an interval at each program point. The interval is the smallest interval that contains the set of integers possible for that particular variable to assume at that program point during execution. Abstract interpretation can be used in many contexts, such as in debugging, program transformation, correctness proving, Worst Case Execution Time analysis etc.

In 1989 Philippe Granger introduced a static analysis of arithmetical congruences. The analysis is formulated as an abstract interpretation computing the smallest (wrt. inclusion) congruence (residue) class that includes the set of possible values that that variable may assume during execution. The result of the analysis is a binding of each integer-valued variable at each program point to a congruence class. Applications for this analysis include automatic vectorisation, pointer analysis (for determining pointer strides) and loop-bound analysis (for detecting loops with non-unit strides). However, in the original presentation, the analysis is not well suited to use on realistic low-level code. By low-level code we mean either compiled and linked object code where high-level constructions has been replaced with target-specific assembly code, or code in a higher-level language written in a fashion close to the hardware. A good example of low-level code is code written for embedded systems which often is using advantages of the target hardware and/or using a lot of bit-level operations. Code for embedded systems is an increasingly important target for analysis, since it is often safety-critical. The reason that the congruence domain in its original presentation is not suitable for low-level code is mainly due to the three following properties of low-level code: A) Bit-level operations are commonly used in low-level code. Programs that contain bit-operations are not supported in the original presentation. For any computation of an expression which contain operations that has not been defined in the analysis, it has to assume that nothing is known about the result and assign the result to the largest congruence class (equal to Z). This can potentially lead to very imprecise analysis results.
B) The interpretation of the values of integer-valued variables is not obvious (e.g. they can be signed or unsigned), the original presentation assumes that values has unambiguous representations. C) The value-domain is limited by its representation (integers are often represented by a fixed number of bits). In Grangers presentation integer-valued variables are assumed to take values in the infinite set of integers. Our contribution is to extend the theory of the analysis of arithmetical congruences to be able to handle low-level or assembly code, still in the framework of abstract interpretation.

This paper provides accurate definitions to the abstract bit-operations AND,NOT,XOR, left- and right shifting and truncation for the congruence domain in order to make the domain support these operations. We provide definitions for the operations together with proofs of their correctness. In these definitions care has been taken to the finite, fixed representation of integers as well as their sometimes ambiguous interpretations as signed or unsigned. With these definitions, congruence analysis can efficiently be performed on low-level code. The paper illustrates the usefulness of the new analysis by an example which shows that variables keep important parity information after executing a XOR-swap.
Sebastian Hunt and David Sands. Forget about it
Abstract: Sometimes programs are supposed to forget information. A typical
  example is an on-line credit card transaction. Credit card data is
  required to complete a financial transaction. While in use, the
  credit card information should only flow to the intended processing
  agent -- not the merchant. But once the transaction is complete the
  credit card information should be erased -- or at least only be
  available to the user.

  This information flow problem was recently described by Chong and
  Myers [CSFW'05]. Chong and Myers studied a semantics of erasure in
  combination with declassification. This combination gives rise to a
  complex semantic model, and no enforcement (verification) mechanism
  is described.

  In this work aim to give a simple semantics to \emph{pure}
  information erasure policies. By relating erasure to flow-sensitive
  information flow properties (Hunt and Sands [POPL'06]) we show that
  erasure policies can be enforced by recasting erasure policies as a
  standard noninterference problem. This enables erasure to be
  verified statically using any flow sensitive noninterference tool.
Tobias Gedell and Daniel Hedin. A Method for Parameterizing Type Systems over Relational Information
Abstract: We present a method for parameterizing type systems over relational information and demonstrate its applicability via two examples.
Ando Saabas and Tarmo Uustalu. Relational Soundness and Optimality Proofs for Simple Partial Redundancy Elimination
Abstract: Type systems are a useful and compact way of describing dataflow analyses. They can explain analyses and optimizations well, they can be used for transformation of functional correctness proofs as soundness of the optimization is straightforward by structural induction on type derivations.
In this work in progress, we investigate the type-systematic approach further on the example of partial redundancy elimination and describe how this approach can also be used to show certain optimality results.
Frank de Boer, Marcello Bonsangue, Andreas Gruener and Martin Steffen. Test Driver Generation from Object-Oriented Interaction Traces
Abstract: We formalize a specification language for object-oriented class-based
concurrent components which specifies a component's behavior based on
its interface trace and which, at the same time, has a similar
look-and-feel as the target language. Moreover, we propose a
transformation algorithm which synthesizes a tester program from a
given specification, such that the tester and the component under test
form an executable closed program.
Wang Yi and Simon Tschirner. Validating QoS Properties in Biomedical Sensor Networks
Abstract: In this paper, we present a formal model of a Biomedical Sensor Network
whose sensor nodes are constructed based on the IEEE 802.15.4 ZigBee
standard for wireless communication. We have used the UPPAAL tool to
tune and validate the temporal configuration parameters of
the network in order to guarantee the desired QoS properties
for a medical application scenario. The case study shows that
even though the main feature of UPPAAL is model checking,
it is also a promising and competitive tool for efficient simulation.
Tarmo Uustalu and Varmo Vene. Guarded and Mendler-Style Structured (Co)Recursion in Circular Proofs
Abstract: Inspired by circular sequent calculi for classical predicate and modal
logics with inductive and coinductive definitions, we study two
wellfounded reformulations of a similar intuitionistic propositional
sequent calculus as total functional programming languages. We arrive
at interesting novel typed lambda calculi with guarded and
Mendler-style (co)recursion.