IFIP WG 2.2 Meeting Torino

September 12-14, 2008

Titles and abstracts for talks

(in chronological order)



Speaker: Andrzej Tarlecki
Title: Heterogeneous Logical Environments: an Institutional View

We work within the theory of institutions as a framework where the theory of specification and formal software development may be presented in an adequately general and abstract way. As differentlogical systems may be appropriate or most convenient for specification of different modules of the same system, of different aspects of system behaviour, or of different stages of system development, we need a number of logical systems to be used in the same specification and development project. This motivates the presented research on heterogeneous logical environments and specifications built in such environments.

We formalise logical systems as institutions. To enable a sensible use of a number of institutions together, in heterogeneous logical environments we link them with each other by institution morphisms or other maps between institutions, like institution comorphisms. Using them together with other standard (intra-institutional) specification-building operations, one builds heterogeneous structured specifications, which may involve a number of institutions to specify some aspects or some parts of the system, but ultimately focus at one institution of interest.

One family of logical systems is suggested by UML, where system specifications typically involve a number of diagrams of different kinds, each capturing a different aspect of the system. Each kind of UML diagrams leads to a separate logical system which, at least in principle, can be formalised as an institution. Expected relationships between system properties specified by different kinds of UML diagrams may now be captured using appropriate institution maps. UML specifications, however, are quite different from focused heterogeneous specifications mentioned above. They just form a collection of specifications residing in different institutions of UML diagrams.

We present a general abstract concept of a distributed heterogeneous specifcations that consist of a collection of specifications focused at various institutions in an underlying heterogeneous logical environment, linked by specification morphisms generalised by involving institution maps.  Distributed heterogeneous specifications come equipped with a rather natural semantics, given in terms of compatible families of models of component specifications. This yields in the standard way a number of usual concepts: consistency, semantic consequence, and perhaps most importantly, implementation of one distributed specification by another.

Each basic concept of a map between institutions can be captured by institution (co)morphisms --- as a span of (co)morphisms.  Replacing a map between institutions by an appropriate span of (co)morphisms allows one to represent exactly the same relationship between institutions and their components.  However, the categories of specifications that emerge in each case are different. Nevertheless, we argue that the expressive power of distributed specicfications built over them does not essentially differ.


                    based on joint work with
                     TILL MOSSAKOWSKI
                       ADAM WARSKI



Speaker: Ernst Ruediger Olderog
Title: Explicit Fair Scheduling for Dynamic Control

In explicit fair schedulers, auxiliary integer-valued scheduling variables with non-deterministic assignments and with decrements keep track of each processor's relative urgency.

Every scheduled execution is fair and yet, the scheduler is sufficiently permissive (every fair run can be scheduled).  

We investigate whether explicit fair scheduling also works with dynamic control, i.e., when new processes may be created dynamically.

We give a positive and a negative answer.



Speaker: Marcelo Frias
Title: Distributed Analysis of Relational Models

In this talk I present ParAlloy, a tool for the distributed analysis of relational models that allows us to analyze models that largely exceed the current capabilities of the sequential tools available.

            Joint work with Nicolas Rosner and Carlos Lopez Pombo



Speaker: Herbert Wiklicky
Title: Leaks: How to Avoid, Fix and/or Measure

We present an overview over approaches in language-based security related to the problem of covert channels, i.e. unauthorised information flow. This concerns the work by Volpano, Smith et.al. on types for secure information flow analysis and Agat's program transformation for fixing so-called timing-leaks which is based on the Volpano-Smith type system. We then describe a new notion of security against timing attacks where the attacker is able to simultaneously observe the execution time of a program and the probability of the values of low variables. Finally, we introduce a probabilistic version of Agat's transformation which we use to analyse the trade-off between gain in (approximate) security and additional (running time) costs.



D.Volpano, G.Smith and C.Irvine: A Sound Type System for Secure Flow Analysis, JCS 4(3), 1996.

J.Agat: Transforming Out Timing Leaks, POPL'00.

A. Di Pierro, C. Hankin, and H. Wiklicky: Quantifying Timing Leaks and Cost Optimisation, ICICS 2008, LNCS 5308 (cf also arXiv:0807.3879).

                joint work with A. Di Pierro and C. Hankin



Speaker: Naoki Kobayashi
Title: Type Systems for Program Analysis

Since linear logic was proposed by Girard, a number of type systems inspired by linear logic (or substructural logics in general) have been proposed.  Examples include linear type systems, where the weakening and contraction rules are restricted, and ordered type systems, where the exchange rule is also restricted.  Those type systems turned out to be very useful for reasoning about temporal properties of programs, like a memory cell is deallocated only once, or a memory cell is never read or written after it is deallocated.  In this talk, I will focus on substructural type systems for program analysis, and review their principles and applications.  I will also discuss some emerging techniques and future directions of substructural-type-based program analysis.



Speaker: Einar Broch Johnsen
Title: Lazy Behavioural Subtyping

Late binding allows flexible code reuse but complicates formal reasoning significantly, as a method call's receiver class is not statically known. This is especially true when programs are incrementally developed by extending class hierarchies.  This paper develops a novel method to reason about late bound method calls.  In contrast to traditional behavioral subtyping, reverification is avoided without restricting method overriding to fully behavior-preserving redefinition.  The approach ensures that when analyzing the methods of a class, it suffices to consider that class and its superclasses.  Thus, the full class hierarchy is not needed, and incremental reasoning is supported.  We formalize this approach as a calculus which lazily imposes context-dependent subtyping constraints on method definitions.  The calculus ensures that all method specifications required by late bound calls remain satisfied when new classes extend a class hierarchy.  The calculus does not depend on a specific program logic, but the examples use a Hoare-style proof system. We show soundness of the analysis method.

The talk builds on the paper

Johan Dovland, Einar Broch Johnsen, Olaf Owe, and Martin Steffen
Lazy Behavioral Subtyping
Proc. 15th Intl. Symposium on Formal Methods (FM'08), pp. 52-67.
LNCS 5014. Springer 2008.




Speaker: Simona Ronchi della Rocca
Title: Languages with bounded computational complexity

Starting from Soft Linear Logic, characterizing polynomial time complexity, we design
three type assignment systems for (extensions of) the lambda calculus, where the existence of a typing for a term guarantees a bound on the complexity of its reduction to normal form. The considered complexity classes are (F)PTIME, PSPACE and NPSPACE. The type assignments are also complete for the related complexity class, in the sense that every function with the given complexity is representable by a well typed term. A discussion will follow on the open problems and future work.



Speaker: Masahiko Sato
Title: External and Internal Syntax of Lambda Calculus

It is well known that defining the substitution operation on $\lambda$-terms appropriately and establish basic properties like the substitution lemma is a subtle task if we wish to do it formally. The main obstacle here comes from the fact that unsolicited capture of free variables may occur during the substitution if one defines the operation naively. We argue that although there are several approaches to cope with this problem, they are all unsatisfactory since each of them defines the $\lambda$-terms in terms of a single fixed syntax. We propose a new way of defining $\lambda$-terms which uses an external syntax to be used mainly by humans and an internal syntax which is used to implement $\lambda$-terms on computers. The $\lambda$-terms of both the internal and the external syntax will be defined as subsets of a same set of symbolic expressions. We introduce a new algebraic structure called {\it B-algebra} and the set of symbolic expressions will be defined as a free B-algebra. In this setting, we will show that we can define $\lambda$-terms and the substitution operation naturally and can establish basic properties of terms easily. A draft of the paper is available at: (http://www.sato.kuis.kyoto-u.ac.jp/~masahiko/research-e.html )



Speaker: Willem-Paul de Roever
Title: A Perspective on Program Verification

The talk describes how I look back on being active for 38 years in the field of Program Verification. In its first part I describe how I have filled in my professional activities, namely,

(I) By promoting research and giving courses in Program Verification and Program Semantics, including the writing of two textbooks: (1)  Data Refinement (which will be published in pocket version this year), and (2) Concurrency Verification, both published by Cambridge  University Press.
(II) By organizing Conferences, Workshops,  and Schools, in order to help establishing a community.
(III) By organizing approximately 25 International and national Third-  Party Projects, of which 7 supported by the EU, in order to establish a critical mass of active researchers in Europe in the field of Program Verification.

In its second part I analyze which obstacles have to be overcome before software verified upon its correctness is an accepted product.

Finally, in its third part I make a prediction,  based on an analogy with the development of reliable steam engines, reliable cars, reliable airplanes and reliable computers (i.e., the four driving forces behind man's  technological revolution), of when reliable software will become an accepted commodity: 2035, and explain why I am that optimistic.



Speaker: Naoki Kobayashi
Title: Type-Based Analysis of Concurrent Programs

In this talk, I give a general overview of type systems for concurrency. After a short survey of the history and state-of-the-art of type systems for concurrency, I demonstrate TyPiCal, a type-based static analyzer for the pi-calculus.I conclude the talk with discussion on emerging and future research issues in this research field.


Speaker: Ahmed Bouajjani
Title: On the Automatic Verification of Dynamic / Parametrized Systems

We give an overview on automatic verification of infinite-state systems in general and in particular of dynamic/parametrized networks of processes. We present (some of) the main existing approaches based on symbolic techniques with automata/logic based formalisms for the representation of infinite sets of configurations, and methods and techniques for ensuring/helping termination of the analysis. We show the application of the presented techniques in the verification of various classes of systems/programs (such as concurrent programs with dynamic creation of processes, networks of timed systems, programs with dynamic heaps,programs with arrays, etc.).



Speaker: Luis Caires
Title: Concurrency Control Types for Object-Oriented Programming

We discuss programming language abstractions and types for statically enforcing safe concurrency in object-oriented programs. More precisely, our types express dynamic concurrency control constraints by freely combining parallel / sequential / sharing / ownership operators. We show through a sequence of simple yet illuminating examples how our type system may statically ensure absence of common errors in general concurrent / distributed programs. To conclude, we will argue that our encourages the programmer to think in terms of behavioral, separation, and
ownership invariants, rather than in (naive) terms of lock acquisition and control flow.



Speaker: Sophia Drossopoulou
Title: Design and Formalization of Object Oriented Language Features

I presented some of my work on oo programming language specification and design, as well as the lessons learnt on the way. I started with the formalization and proof of type soundness of large subsets of Java, in particular intricacies wrt to overloading,
I then discussed issues around Java dynamic lining, binary compatibility, and the very weak guarantees made by separate compilation.
Ownership and universe types characterize objects in terms of "boxes", a hierarchical heap topology,
which may be used for memory management, garbage collection, and program verification. Interestingly, the meaning of types in such systems is relative to some observer object, or to a stack (the current this). More recently, work on soundness of Java wildcards
has thrown interesting questions about models for types and subtyping.

List of papers at    http://pubs.doc.ic.ac.uk/authors/scd/



Speaker: Antonin Kucera
Title: Properties of Stochastic Games with Branching-Time Objectives

Stochastic games are directed binary graphs where each vertex belongs either to Player-I, Player-II, and it is stochastic. The talk surveys recent results about stochastic games with branching-time winning objectives that are specified as formulae of probabilistic branching-time logics such as PCTL or PCTL*. The goal of Player-I is to satisfy a given formula, while Player-II aims at the opposite. Such games are generally not determined, and winning strategies (if they exist) may require both memory and randomization. Still, the winner in such games can be determined effectively in some cases.


T. Brázdil, V. Forejt, and A. Kučera.
Controller Synthesis and Verification for Markov Decision Processes with
Qualitative Branching Time Objectives.
In Proceedings of 35th International Colloquium on Automata, Languages and
Programming (ICALP 2008), pages 148-159, volume 5126 of LNCS. Springer,

T. Brázdil, V. Brožek, V. Forejt, and A. Kučera.
Stochastic Games with Branching-Time Winning Objectives.
In Proceedings of 21st Annual IEEE Symposium on Logic in Computer
Science (LICS 2006),
pages 349-358, IEEE Computer Society, 2006.

       (a joint work with Tomáš Brázdil and Vojtěch Forejt)



Speaker: Luke Ong
Title: Model-checking multithreaded programs: an automata-theoretic approach

We survey the model-checking approach to the verification of multithreaded programs. Each thread is assumed to be the computation of a WHILE program. We consider a number of computational scenarios in which one or more of the following features are present:

(R) Each thread is a generalized Boolean program i.e. it has recursively defined procedures

(D) A thread may spawn other threads - call it Dynamic

(C) Threads may communicate by shared resources (i.e. global variables)

In general the key analysis problem of Reachability is undecidable. We survey different approaches to approximating Reachability.



Speaker: Eike Best
Title: A Decomposition Theorem for Finite Persistent Transition Systems

We consider finite labelled transition systems and show that if such transition systems are deterministic, persistent, and weakly periodic, then they can be decomposed in the sense that there exists a finite set of label-disjoint cycles such that any other cycle is Parikh-equivalent
to a multiset of cycles from this set. We also show that as a consequence, bounded, persistent and reversible Petri nets are amenable to modular verification.

              (joint work with Philippe Darondeau)



Speaker: Roland Meyer
Title: A Structural Petri Net Semantics for the Pi Calculus

Automata-theoretic representations have proven useful in the automatic and exact analysis of computing systems. We propose a new semantical mapping of $\pi$-Calculus processes into place/transition Petri nets. Our translation reflects the structure of processes, which is induced by the use of restricted names. The property of structural stationarity characterises the processes mapped to finite nets. Different from our approach, classical Petri net semantics reflect the concurrency of sequential processes. They finitely represent a class of processes that is incomparable with structurally stationary processes. By typing restricted names, the structural and the concurrency semantics can be combined. This combination gives rise to a hierarchy of processes into which we sort the related work of Dam, Engelfriet, Montanari, Caires, Koutny, Busi, Gorrieri, Amadio, and Meyssonnier.



Speaker: Igor Walukiewicz
Title: Some remarks on expressing tree properties

We see trees in almost any part of computer science. Traditionally, ranked trees, that are nothing else but terms, captured most attention, although exceptions could have been found in graph theory or linguistics. Recently, unranked trees are a subject of renewed interest.

We discuss two curious topics concerning formalism expressing tree properties. The first is order invariance: what properties can be expressed with order between siblings but cannot be expressed without it. In case of monadic second-order logic, we known that these are  precisely counting modulo properties. The first-order case is open. The other topic is that of finite base. Kamp's theorem says that over words first-order logic is equivalent to linear time temporal logic. The later is a modal logic with a finite number of additional operators. It turns out that one cannot have the same result for trees. To capture a reasonably simple class of first-order definable 
languages we need an infinite number of operators, or backward  modalities.


Speaker: Rocco De Nicola
Title: Session Centered Calculi for Service-Oriented Computing

Within the European project SENSORIA, we are developing formalisms for service description that lay the mathematical basis for analysing and experimenting with components interactions, for combining services and
formalising crucial aspects of service level agreement. One of the outcome is CaSPiS, a name passing process calculus with explicit notions of service definition, service invocation and bi-directional sessioning that supports explicit modeling of sessions both on client- and on service-side Sessions permit describing and reasoning about interaction modalities more structured than the simple one-way and request-response modalities and typical of a producer / consumer pattern. The calculus is also equipped with operators for handling (unexpected) session closures that permit programming smooth propagation of session closures to partners and subsessions, so as to avoid states with dangling or orphan sessions. In the talk we have presented CaSPiS and discuss other alternatives that are (have been) considered within the project.


Speaker: Wojciech Penczek
Title: Model checking security protocols: a multi-agent system approach

We present a formalism for the automatic verification of security protocols based on multi-agent systems semantics. We give the syntax and semantics of a temporal-epistemic security specialised logic and provide a lazy-intruder model for the protocol rules that we argue to be particularly suitable for verification purposes. We exemplify the technique by finding a (known) bug in the traditional NSPK protocol.

Availalbe from http://www.ipipan.waw.pl/~penczek/Slajdy/wg22-2008.pdf
Published in Fundamenta Informaticae Volume 85, Number 1-4, pp. 359-375, 2008.



Speaker: Ugo Montanari

Title: Symbolic Semantics Revisited
Symbolic bisimulations were introduced as a mean to define value-passing process calculi using smaller, possibly finite labelled transition systems, equipped with symbolic actions. Similar ideas have been used for modeling with fewer transitions the input behavior
of open and asynchronous pi-calculus. In this paper we generalize the symbolic technique and apply the resulting theory to these two cases, re-deriving existing results. We also apply our approach to new settings, i.e. open Petri nets and cc-pi (concurrent constraint
pi-calculus), with the usual result of reducing input transitions.

                     (Joint work with Filippo Bonchi)



Speaker: Paola Giannini
Title: Type Safe Oriented Languages Supporting Dynamic Software Evolution

In the presentation I outline recent work on providing a foundation for expressing dynamic object oriented language features such as: multidimensional dispatch (dispatch not only on receiver, but also sender, contextual information, etc.), context oriented programming
fine grain (static and dynamic) extension of class behaviour with traits. Such work will be compared with similar ideas that have been used in more  applicative areas.



Speaker: Maciej Koutny
Title: Steps and Coverability in Inhibitor Nets

For Petri nets with inhibitor arcs, properties like reachability and boundedness are undecidable and hence constructing a coverability tree is not feasible. In recent work we investigated to what extent the coverability tree construction might be adapted for Petri nets with inhibitor arcs. Emphasis was given to the (a priori) step sequence semantics which cannot always be simulated by firing sequences. All this led to the notion of a step coverability tree which may be of use for the analysis of the step behaviour of certain subclasses of Petri nets with  inhibitor arcs.

                         (joint work with Jetty Kleijn)