A Unified Approach for Static and Runtime Verification: Framework and Applications

FM 2015: Formal Methods

et al. 2015

Self Cite

Abstract. Static verification techniques can verify properties across all executions of a program, but powerful judgements are hard to achieve automatically. In contrast, runtime verification enjoys full automation, but cannot judge future and alternative runs. In this paper we present a novel approach in which data-centric and control-oriented properties may be stated in a single formalism, amenable to both static and dynamic verification techniques. We develop and formalise a specification notation, ppDATE, extending the control-flow property language used in the runtime verification tool Larva with pre/post-conditions and show how specifications written in this notation can be analysed both using the deductive theorem prover KeY and the runtime verification tool Larva. Verification is performed in two steps: KeY first partially proves the data-oriented part of the specification, simplifying the specification which is then passed on to Larva to check at runtime for the remaining parts of the specification including the control-centric aspects. We apply the approach to Mondex, an electronic purse application.

Section: The Starvoors Frameworkmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Specification Language for Static and Runtime Verification of Data and Control Properties

Ahrendt

Chimento

FM 2015: Formal Methods

et al. 2015

Self Cite

“…At a most basic level, one takes conjuncts and sees which of these can be verified statically e.g., [2,4], leaving the rest to be verified at runtime:…”

Section: Combining Static and Dynamic Verification Techniquesmentioning

confidence: 99%

A Model-Based Approach to Combining Static and Dynamic Verification Techniques

Azzopardi

Colombo

Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques

2016

Abstract. Given the complementary nature of static and dynamic analysis, there has been much work on identifying means of combining the two. In particular, the use of static analysis as a means of alleviating the overheads induced by dynamic analysis, typically by trying to prove parts of the properties, which would then not need to be verified at runtime. In this paper, we propose a novel framework which combines static with dynamic verification using a model-based approach. The approach allows the support of applications running on untrusted devices whilst using centralised sensitive services whose use is to be tightly regulated. In particular, we discuss how this approach is being adopted in the context of the Open Payments Ecosystem (OPE) -an ecosystem meant to support the development of payment and financial transaction applications with strong compliance verification to enable adoption by payment institutions.

“…2. We envisage adopting techniques from recent work combining these two forms of verification [1,2,8,4]. One of the major challenges is the diverse nature of compliance it attempts to address.…”

Section: Compliance Enginementioning

confidence: 99%

Compliance Checking in the Open Payments Ecosystem

Azzopardi

Colombo

Software Engineering and Formal Methods

et al. 2016

Self Cite

Abstract. Given the strict legal frameworks which regulate the movements and management of funds, building financial applications typically proves to be prohibitively expensive for small companies. Not only is it the case that understanding legal requirements and building a framework of compliance checks to ensure that such legislation is adhered to is a complex process, but also, service providers such as banks require certification and reporting before they are willing to take on the risks associated with the adoption of applications from small application developers. In this paper, we propose a solution which provides a centralised Open Payments Ecosystem which supports compliance checking and allows for the matching of financial applications with service providers and programme managers, automatically providing risk analysis and reporting. The solution proposed combines static and dynamic verification in a real-life use case, which can shed new insights on the use of formal methods on large complex systems. We also report on the software engineering challenges encountered when analysing formal requirements arising from the needs of compliance to applicable legislation.