Assume-Guarantee Reasoning for Safe Component Behaviours

Chilton, Chris; Jönsson, Bengt; Kwiatkowska, Marta

doi:10.1007/978-3-642-35861-6_6

Cited by 11 publications

(12 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We define the operations of parallel composition, conjunction, disjunction, hiding and quotient, and prove that the induced equivalence is a congruence for these operations, allowing us to provide full abstraction results. The simplicity of our formalism facilitates compositional reasoning about the temporal ordering of interactions needed for assume-guarantee inference (contracts), both for safety [8] and (progress-sensitive) liveness properties [9], as well as timed contracts [7].…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

An algebraic theory of interface automata

Chilton

Jönsson

Kwiatkowska

2014

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

We formulate a compositional specification theory for interface automata, where a component model specifies the allowed sequences of input and output interactions with the environment. A trace-based linear-time refinement is provided, which is the weakest preorder preserving substitutivity of components, and is weaker than the classical alternating simulation defined on interface automata. Since our refinement allows a component to be refined by refusing to produce any output, we also define a refinement relation that guarantees safety and progress. The theory includes the operations of parallel composition to support the structural composition of components, logical conjunction and disjunction for independent development, hiding to support abstraction of interfaces, and quotient for incremental synthesis of components. Our component formulation highlights the algebraic properties of the specification theory for both refinement preorders, and is shown to be fully abstract with respect to observation of communication mismatches. Examples of independent and incremental component development are provided.

show abstract

Section: Discussionmentioning

confidence: 99%

“…To demonstrate the applicability of the theory to component-based design, the quotient operation was used to synthesise mediator components in [18] and [3]. Furthermore, the flexibility and expressiveness of the theory has been shown through a compositional assume-guarantee reasoning framework [8,9] and a real-time extension [10,7].…”

Section: Introductionmentioning

confidence: 99%

An algebraic theory of interface automata

Chilton

Jönsson

Kwiatkowska

2014

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The more recent approach of [17] deals with specifications in the form of sets of I/O traces and handles the signature refinement in contract satisfaction although only for untimed specifications. Working directly on traces without an intermediate operational specification is delicate since system engineering teams are not necessarily experts in behavior formalization.…”

Section: Contract-based Meta-theories and Their Implementationsmentioning

confidence: 99%

Contract-based modeling and verification of timed safety requirements within SysML

2015

View full text Add to dashboard Cite

In order to cope with the growing complexity of critical real-time embedded systems, systems engineering has adopted a component-based design technique driven by requirements. Yet, such an approach raises several issues since it does not explicitly prescribe how system requirements can be decomposed on components nor how components contribute to the satisfaction of requirements. The envisioned solution is to design, with respect to each requirement and for each involved component, an abstract specification, tractable at each design step, that models how the component is concerned by the satisfaction of the requirement and that can be further refined toward a correct implementation. In this paper, we consider such specifications in the form of contracts. A contract for a component consists in a pair (assumption, guarantee) where the assumption models an abstract behavior of the component's environment and the guarantee models an abstract behavior of the component given that the environment behaves according to the assumption. Therefore, contracts are a valuable asset for the correct design of systems, but also for mapping and tracing requirements to components, for tracing the evolution of requirements during design and, most importantly, for compositional verification of requirements. The aim of this paper is to introduce contract-based reasoning for the design of critical real-time systems made of reactive components modeled with UML and/or SysML. We propose an extension of UML and SysML languages with a syntax and semantics for contracts and the refinement relations that they must satisfy. The semantics of components and contracts is formalized by a variant of timed input/output automata on top of which we build a formal contract-based theory. We prove that the contract-based theory is sound and can be applied for a relatively large class of SysML system models. Finally, we show on a case study extracted from the automated transfer vehicle (http://www.esa.int/ATV) that our contract-based theory allows to verify requirement satisfaction for previously intractable models.

show abstract

“…We propose an approach, where the VNF call flow is attached to the VNF definition as a behavioral contract and we define the SDN behavior using the NetKAT formalism [4] [5] [6]. Then, on the basis of a deployment model of VNF micro-services on a real network infrastructure, we check the consistency between the VNF network assumption and the SDN guarantees [7].…”

Section: Introductionmentioning

confidence: 99%

Verifying the configuration of virtualized network functions in software defined networks

Pelay¹,

Guillemin

Barais

2017

2017 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)

View full text Add to dashboard Cite

Abstract-The deployment of modular virtual network functions (VNFs) in software defined infrastructures (SDI) enables cloud and network providers to deploy integrated network services across different resource domains. It leads to a large interleaving between network configuration through software defined network controllers and VNF deployment within this network. Most of the configuration management tools and network orchestrators used to deploy VNF lack of an abstraction to express Assume-Guarantee contracts between the VNF and the SDN configuration. Consequently, VNF deployment can be inconsistent with network configurations. To tackle this challenge, in this paper, we present an approach to check the consistency between the VNF description described from a set of structural models and flow-chart models and a proposed deployment on a real SDN infrastructure with its own configuration manager. We illustrate our approach on virtualized Evolved Packet Core function.

show abstract

Assume-Guarantee Reasoning for Safe Component Behaviours

Cited by 11 publications

References 23 publications

An algebraic theory of interface automata

An algebraic theory of interface automata

Contract-based modeling and verification of timed safety requirements within SysML

Verifying the configuration of virtualized network functions in software defined networks

Contact Info

Product

Resources

About