the rodin platform for incremental modelling in event b
play

The Rodin Platform for Incremental Modelling in Event-B Stefan - PowerPoint PPT Presentation

The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deployproject.eu Outline Complex Systems Modelling in Event-B Interplay of proof and modelling Worked


  1. The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deploy‐project.eu

  2. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 2

  3. Design of complex systems • Need for rigorous modelling • The main purpose of modelling is reasoning – to improve our understanding of the system – to clarify assumptions about the system – to increase quality of system model • Need for refinement – Too many details to address final system directly 3

  4. Reasoning about complex systems • Requires rigorous reasoning – Formal notation – Formal reasoning • This is offered by formal proof – Why prove? • To incrementally improve a model • To take advantage of failing proofs – What to prove? • Proof obligations associated with each model 4

  5. List of core Event-B proof obligations • Feasibility of events • Invariant preservation by events • Refinement of events • Introduction of new events • Convergence of events • Enabledness of events 5

  6. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 6

  7. Example of an Event-B machine Invariant properties: • inv1 : A user is authorised to be in certain rooms parameters • inv2 : A user can be guards at most in one room ac3ons • inv3 : A user can only be in rooms where he is authorised to be 7

  8. Preservation of in ⊆ auth by event enter • Proof obligation: invariant in ⊆ auth guards u / ∈ dom( in ) u �→ r ∈ auth modified invariant ⊢ in ∪ { u �→ r } ⊆ auth 8

  9. Use of proof obligations for modelling • Modelling is an incremental activity Modelling Proof Obligations Proving • Proof obligations are automatically generated 9

  10. Creating a model incrementally • What does this mean? • We do not demonstrate the actual tool “Rodin” – But focus on essential features – Removed everything that could distract • Aim: – To illustrate method and tool – Not to get distracted by features of the Rodin tool • By way of an example – Access to a secure building 10

  11. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 11

  12. Description of the secure access model • Abstract model – Users , Rooms – Entering/leaving rooms; adding/removing authorisations • Refined model – Tokens – Data-refinement of abstract model • The model itself is not of importance – But the way we create it is important 12

  13. Focus on three modelling scenarios • Adding events 1. Reasoning about guards and invariants • Refining an event 2. Reasoning about parameters 3. Reasoning about guards and invariants 13

  14. Layout of the modelling canvas Model Proof ☐ ☐ � ☐ Mode ☐ Proof ☐ Obliga3ons ☐ ☐ ☐ proof obliga3on: ☐ ☐ proof succeeded: � ☐ proof failed:  ☐ ☐ ☐ 14

  15. Colouring conventions for formulas Model Proof ☐ ☐ � constants are blue‐green parameters are red ☐ ☐ ☐ ☐ utok ( t ) �→ rtok ( t ) ∈ auth ☐ ☐ ☐ ☐ ☐ variables are blue ☐ ☐ 15

  16. Creation of the abstract model Model Proof Summary: ☐ ☐ � ☐ • Variables: in , auth ☐ ☐ • Events: ☐ ☐ – enter – enter building ☐ ☐ – leave – leave building ☐ ☐ – addAuth – add authorisation ☐ ☐ – remAuth – remove authorisation 16

  17. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ 17

  18. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 18

  19. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 19

  20. Location and authorisation of users Model Proof  invariants � inv 1 : auth ∈ User ↔ Room  inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 20

  21. Entering a room Model Proof  event enter � any  u, r ☐ when ☐ grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 21

  22. Entering a room Model Proof  event enter � any  u, r ☐ when ☐ grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ Proof obliga3on: then ☐ act 1 : in := in ∪ { u �→ r } ☐ Preserva3on of end invariant inv3 ☐ ☐ ☐ 22

  23. Entering a room Model Proof Preservation of invariant inv3  in ⊆ auth �  u / ∈ dom( in ) ☐ u �→ r ∈ auth ☐ ☐ ⊢ ☐ ☐ Proof obliga3on: in ∪ { u �→ r } ⊆ auth ☐ ☐ Preserva3on of invariant inv3 ☐ ☐ ☐ 23

  24. Entering a room Model Proof Preservation of invariant inv3  in ⊆ auth �  u / ∈ dom( in ) ☐ u �→ r ∈ auth  ☐ ⊢ ☐ ☐ Proof obliga3on: in ∪ { u �→ r } ⊆ auth ☐ ☐ Preserva3on of invariant inv3 ☐ ☐ ☐ 24

  25. Entering a room Model Proof  event enter � any  u, r ☐ when  grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 25

  26. Entering a room Model Proof  event enter � any  u, r � when  grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 26

  27. Leaving a room Model Proof  event leave � any  u � when  grd 1 : u ∈ dom( in ) ☐ ☐ then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 27

  28. Leaving a room Model Proof  event leave � any  u � when  grd 1 : u ∈ dom( in ) ☐ ☐ then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 28

  29. Leaving a room Model Proof  event leave � any  u � when  � grd 1 : u ∈ dom( in )  then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 29

  30. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room ☐ then ☐ act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 30

  31. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room ☐ then ☐ act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 31

  32. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 32

  33. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r } ☐ end ☐ ☐ ☐ 33

  34. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r } ☐ end ☐ ☐ ☐ 34

  35. Removing an authorisation Model Proof  event remAuth � any  u, r � when  Proof obliga3on: � grd 1 : u ∈ User  grd 2 : r ∈ Room Preserva3on of  then invariant inv3  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 35

  36. Removing an authorisation Model Proof Preservation of invariant inv3  in ⊆ auth �  u ∈ User Possible remedies: � r ∈ Room • Modify ac3on:  ➞ Remove user u from building � ⊢  • Modify guard:  in ⊆ auth \ { u �→ r } ➞ Require user u not in building   • Modify guard:  ➞ Require user u not in room r ☐ u �→ r �∈ in ☐ 36

  37. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 37

  38. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : u �→ r �∈ in  then  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 38

  39. Removing an authorisation Model Proof Preservation of invariant inv3  in ⊆ auth �  u ∈ User � u �→ r / ∈ in  � ⊢   in ⊆ auth \ { u �→ r }    ☐ ☐ 39

Recommend


More recommend