% $Id: fmde.bib 6539 2010-01-29 10:33:20Z brucker $
@InProceedings{ zhang.ea:dynamic:2003, author = {Guangsen Zhang and Manish Parashar}, title = {Dynamic Context-aware Access Control for Grid
Applications}, booktitle = {GRID '03: Proceedings of the Fourth International Workshop
on Grid Computing}, year = 2003, pages = 101, address = {Washington, DC, USA}, publisher = pub-ieee,
isbn = {0-7695-2026-X},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ thomas:role-based:1996, author = {Roshan Thomas}, title = {Role-based access control and distributed object-based
enterprise computing}, booktitle = {RBAC '95: Proceedings of the first ACM Workshop on
Role-based access control}, year = 1996, pages = 21, address = pub-acm:adr, publisher = pub-acm,
isbn = {0-89791-759-6},
location = {Gaithersburg, Maryland, United States},
doi = {10.1145/270152.270194},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ harrison.ea:protection:1976, author = {Michael A. Harrison and Walter L. Ruzzo and Jeffrey D.
Ullman}, title = {Protection in operating systems}, journal = j-cacm, year = 1976, volume = 19, number = 8, pages = {461--471},
issn = {0001-0782},
doi = {10.1145/360303.360333}, publisher = pub-acm, address = pub-acm:adr,
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ hafner.ea:modeling:2007, author = {Michael Hafner and Mukhtiar Memon and Muhammad Alam}, title = {Modeling and Enforcing Advanced Access Control Policies in
Healthcare Systems with \textsc{Sectet}}, booktitle = {MoDELS Workshops}, year = 2007, pages = {132--144},
doi = {10.1007/978-3-540-69073-3_15},
crossref = {giese:models:2007}
}
@Proceedings{ giese:models:2007, editor = {Holger Giese}, title = {Models in Software Engineering, Workshops and Symposia at
MoDELS 2007, Nashville, TN, USA, September 30 - October 5, 2007, Reports and Revised Selected Papers}, booktitle = {MoDELS Workshops}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5002, year = 2008,
isbn = {978-3-540-69069-6}
}
@InProceedings{ hu.ea:dynamic:2004, author = {Junzhe Hu and Alfred C. Weaver}, title = {Dynamic, Context-Aware Access Control for Distributed
Healthcare Applications}, booktitle = PROC # { the First Workshop on Pervasive Security,
Privacy and Trust (\acs{pspt})}, year = 2004,
tags = {SoKNOS, AccessControl}, abstract = {The rapid worldwide deployment of the Internet and Web is
the enabler of a new generation of e-healthcare
applications, but the provision of a security architecture
that can ensure the privacy and security of sensitive
healthcare data is still an open question. Current
solutions to this problem (mostly built on static RBAC
models) are application-dependent and do not address the
intricate security requirements of healthcare applications.
The healthcare industry requires flexible, on-demand
authentication, extensible context-aware access control,
and dynamic authorization enforcement. With on-demand
authentication, users are authenticated according to their
task-specific situations. Extensible context-aware access
control enables administrators to specify more precise and
fine-grain authorization polices for any application.
Dynamic authorization enforcement makes authorization
decisions based upon runtime parameters rather than simply
the role of the user. In this paper we describe a dynamic,
context-aware security infrastructure that can fulfill the
security requirements of healthcare applications and that
can also be easily adapted to offer security support for
similar enterprise applications.},
clearance = {unclassified},
timestap = {2008-05-26}
}
@TechReport{ spc:break-glass:2004, title = {Break-Glass: An Approach to Granting Emergency Access to
Healthcare Systems}, year = 2004, abstract = {This white paper discusses a simple yet effective
emergency-access solution, sometimes called
``break-glass.'' The purpose of break-glass is to allow
operators emergency access to the system in cases where the
normal authentication cannot be successfully completed or
is not working properly. The systems include medical data
acquisition devices as well as information systems which
are collectively referred to as Medical Information Systems
(MedIS).},
institution = {Joint \acs{nema}/\acs{cocir}/\acs{jira} Security and
Privacy Committee (\acs{spc})},
type = {White paper},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ ferreira.ea:how:2006, author = {A. Ferreira and R. Cruz-Correia and L. Antunes and P.
Farinha and E. Oliveira-Palhares and D.W. Chadwick and A.
Costa-Pereira}, title = {How to Break Access Control in a Controlled Manner}, booktitle = PROC # {\acs{ieee} International Symposium
on Computer-Based Medical Systems (\acs{cbms})}, year = 2006, pages = {847--854}, abstract = {The electronic medical record (EMR) integrates
heterogeneous information within a healthcare institution
stressing the need for security and access control. The
Biostatistics and Medical Informatics Department from Porto
Faculty of Melsdicine has recently implemented a virtual
EMR (VEMR) in order to integrate patient information and
clinical reports within a university hospital. With more
than 500 medical doctors using the system on a daily basis,
an access control policy and model were implemented.
However, the healthcare environment has unanticipated
situations (i.e. emergency situations) where access to
information is essential. Most traditional policies do not
allow for overriding. A policy that allows for "Break-The-Glass (BTG)" was implemented in order to
override access control whilst providing for
non-repudiation mechanisms for its usage. The policy was
easily integrated within the model confirming its
modularity and the fact that user intervention in defining
security procedures is crucial to its successful
implementation and use}, keywords = {access control, medical administrative data processing,
security of dataaccess control, clinical reports,
electronic medical record, healthcare institution, patient
information, university hospital},
doi = {10.1109/CBMS.2006.95},
issn = {1063-7125},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ basin.ea:model:2006, author = {David A. Basin and J\"{u}rgen Doser and Torsten
Lodderstedt}, title = {Model driven security: From {UML} models to access control
infrastructures}, journal = j-tosem, year = 2006, volume = 15, number = 1, pages = {39--91},
issn = {1049-331X},
doi = {10.1145/1125808.1125810}, publisher = pub-acm, address = pub-acm:adr,
tags = {ReadingList, SoKNOS, AccessControl, SecureUML, MDS},
clearance = {unclassified}, abstract = {We present a new approach to building secure systems. In
our approach, which we call Model Driven Security,
designers specify system models along with their security
requirements and use tools to automatically generate system
architectures from the models including complete,
configured access control infrastructures. Rather than
fixing one particular modeling language for this process,
we propose a general schema for constructing such languages
that combines languages for modeling systems with languages
for modeling security. We present several instances of this
schema thatcombine (both syntactically and semantically)
different UML modeling languages with a security modeling language for formalizing access control requirements. From
models in the combined languages, we automatically generate
access control infrastructures for server-based
applications, built from declarative and programmatic
access control mechanisms. The modeling languages and
generation process are semantically well-founded and are
based on an extension of Role-Based Access Control. We have
implemented this approach ina UML-based CASE-tool and report on experiments.},
timestap = {2008-05-26}
}
@InProceedings{ schaad.ea:role-based:2001, author = {Andreas Schaad and Jonathan Moffett and Jeremy Jacob}, title = {The role-based access control system of a European bank: a
case study and discussion}, booktitle = PROC # { the sixth \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2001, pages = {3--9}, address = pub-acm:adr, publisher = pub-acm,
isbn = {1-58113-350-2},
location = {Chantilly, Virginia, United States},
doi = {10.1145/373256.373257},
tags = {ReadingList, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ beznosov:requirements:1998, author = {Konstantin Beznosov}, title = {Requirements for access control: \acs{us} Healthcare
domain}, booktitle = PROC # { the third \acs{acm} workshop on Role-based
access control (\acs{rbac})}, year = 1998, pages = 43, address = pub-acm:adr, publisher = pub-acm,
isbn = {1-58113-113-5},
location = {Fairfax, Virginia, United States},
doi = {10.1145/286884.286892},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ etalle.ea:posteriori:2007, author = {Sandro Etalle and William H. Winsborough}, title = {A posteriori compliance control}, booktitle = PROC # { the 12th \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2007, pages = {11--20}, address = pub-acm:adr, publisher = pub-acm,
isbn = {978-1-59593-745-2},
location = {Sophia Antipolis, France},
doi = {10.1145/1266840.1266843},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ lupu.ea:policy:1996, author = {Emil C. Lupu and Damian A. Marriott and Morris S. Sloman
and Nicholas Yialelis}, title = {A policy based role framework for access control}, booktitle = {RBAC '95: Proceedings of the first ACM Workshop on
Role-based access control}, year = 1996, pages = 11, address = pub-acm:adr, publisher = pub-acm,
isbn = {0-89791-759-6},
location = {Gaithersburg, Maryland, United States},
doi = {10.1145/270152.270171},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ wainer.ea:dw-rbac:2007, author = {Jacques Wainer and Akhil Kumar and Paulo Barthelmess}, title = {DW-RBAC: A formal security model of delegation and
revocation in workflow systems}, journal = {Inf. Syst.}, year = 2007, volume = 32, number = 3, pages = {365--384}, abstract = {One reason workflow systems have been criticized as being
inflexible is that they lack support for delegation. This
paper shows how delegation can be introduced in a workflow
system by extending the role-based access control (RBAC)
model. The current RBAC model is a security mechanism to
implement access control in organizations by allowing users
to be assigned to roles and privileges to be associated
with the roles. Thus, users can perform tasks based on the
privileges possessed by their own role or roles they
inherit by virtue of their organizational position.
However, there is no easy way to handle delegations within
this model. This paper tries to treat the issues
surrounding delegation in workflow systems in a
comprehensive way. We show how delegations can be
incorporated into the RBAC model in a simple and
straightforward manner. The new extended model is called
RBAC with delegation in a workflow context (DW-RBAC). It
allows for delegations to be specified from a user to
another user, and later revoked when the delegation is no
longer required. The implications of such specifications
and their subsequent revocations are examined. Several
formal definitions for assertion, acceptance, execution and
revocation are provided, and proofs are given for the
important properties of our delegation framework.},
issn = {0306-4379},
doi = {http://dx.doi.org/10.1016/j.is.2005.11.008}, publisher = pub-elsevier, address = {Oxford, UK, UK},
tags = {ReadingList, SoKNOS},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ bertino.ea:flexible:1997, author = {Elisa Bertino and Elena Ferrari and Vijayalakshmi Atluri}, title = {A flexible model supporting the specification and
enforcement of role-based authorization in workflow
management systems}, booktitle = {RBAC '97: Proceedings of the second ACM workshop on
Role-based access control}, year = 1997, pages = {1--12}, address = pub-acm:adr, publisher = pub-acm,
isbn = {0-89791-985-8},
location = {Fairfax, Virginia, United States},
doi = {10.1145/266741.266746},
tags = {ReadingList, SoKNOS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ bracha.ea:mixin-based:1990, author = {Gilad Bracha and William Cook}, title = {Mixin-based inheritance}, booktitle = {OOPSLA/ECOOP '90: Proceedings of the European conference
on object-oriented programming on Object-oriented
programming systems, languages, and applications}, year = 1990, pages = {303--311}, address = pub-acm:adr, publisher = pub-acm,
isbn = {0-201-52430-X},
location = {Ottawa, Canada},
doi = {10.1145/97945.97982},
tags = {ReadingList, OOP},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ park.ea:towards:2002, author = {Jaehong Park and Ravi Sandhu}, title = {Towards usage control models: beyond traditional access
control}, booktitle = {SACMAT '02: Proceedings of the seventh ACM symposium on
Access control models and technologies}, year = 2002, pages = {57--64}, address = pub-acm:adr, publisher = pub-acm,
isbn = {1-58113-496-7},
location = {Monterey, California, USA},
doi = {10.1145/507711.507722},
tags = {ReadingList, AccessControl, SoKNOS},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ graham.ea:associations:1997, author = {Ian Graham and Julia Bischof and Brian Henderson-Sellers}, title = {Associations Considered a Bad Thing}, journal = {JOOP}, year = 1997, volume = 9, number = 9, pages = {41--48},
tags = {ReadingList, OOP},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ scharli.ea:traits:2003, author = {Nathanael Sch{\"a}rli and St{\'e}phane Ducasse and Oscar
Nierstrasz and Andrew P. Black}, title = {Traits: Composable Units of Behaviour}, booktitle = {ECOOP}, year = 2003, pages = {248--274},
ee = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=2743{\&}spage=248}
,
crossref = {cardelli:ecoop:2003},
tags = {ReadingList, OOP},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ cardelli:ecoop:2003, title = {ECOOP 2003 - Object-Oriented Programming, 17th European
Conference, Darmstadt, Germany, July 21-25, 2003,
Proceedings}, year = 2003, editor = {Luca Cardelli}, volume = 2743,
series = s-lncs, publisher = pub-springer, booktitle = {ECOOP},
isbn = {3-540-40531-3},
tags = {ReadingList, OOP},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ wolter.ea:modelling:2008, author = {Christian Wolter and Michael Menzel and Christoph Meinel}, title = {Modelling Security Goals in Business Processes}, booktitle = {Modellierung}, year = 2008, pages = {197--212},
crossref = {kuhne.ea:modellierung:2008},
tags = {ReadingList, MDS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ kuhne.ea:modellierung:2008, title = {Modellierung 2008, 12.-14. M{\"a}rz 2008, Berlin}, year = 2008, editor = {Thomas K{\"u}hne and Wolfgang Reisig and Friedrich
Steimann}, volume = 127,
series = {LNI}, publisher = {GI}, booktitle = {Modellierung},
isbn = {978-3-88579-221-5},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ wolter.ea:deriving:2007, author = {Christian Wolter and Andreas Schaad and Christoph Meinel}, title = {Deriving XACML Policies from Business Process Models}, booktitle = {WISE Workshops}, year = 2007, pages = {142--153},
ee = {http://dx.doi.org/10.1007/978-3-540-77010-7_15},
crossref = {weske.ea:web:2007},
tags = {ReadingList, SoKNOS, MDS},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ weske.ea:web:2007, title = {Web Information Systems Engineering - WISE 2007 Workshops,
WISE 2007 International Workshops, Nancy, France, December 3, 2007, Proceedings}, year = 2007, editor = {Mathias Weske and Mohand-Said Hacid and Claude Godart}, volume = 4832,
series = s-lncs, publisher = pub-springer, booktitle = {WISE Workshops},
isbn = {978-3-540-77009-1},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ sandhu.ea:nist:2000, author = {Ravi S. Sandhu and David F. Ferraiolo and D. Richard
Kuhn}, title = {The NIST model for role-based access control: towards a
unified standard}, booktitle = {ACM Workshop on Role-Based Access Control}, year = 2000, pages = {47--63},
doi = {10.1145/344287.344301},
tags = {ReadingList, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ ferraiolo.ea:proposed:2001, author = {David F. Ferraiolo and Ravi S. Sandhu and Serban I.
Gavrila and D. Richard Kuhn and Ramaswamy Chandramouli}, title = {Proposed \acs{nist} standard for role-based access
control}, journal = j-tissec, year = 2001,
pub = pub-acm, address = pub-acm:adr, volume = 4, number = 3, pages = {224--274},
doi = {10.1145/501978.501980},
tags = {ReadingList, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ drouineaud.ea:first:2004, author = {Michael Drouineaud and Maksym Bortin and Paolo Torrini and
Karsten Sohr}, title = {A First Step Towards Formal Verification of Security
Policy Properties for \acs{rbac}}, booktitle = {QSIC}, year = 2004, pages = {60--67},
doi = {10.1109/QSIC.2004.1357945},
crossref = {anonymous:qsic:2004},
tags = {AccessControl, FormalMethods, TheoremProving}, abstract = {Considering the current expansion of IT-infrastructure the
security of the data inside this infrastructure becomes
increasingly important. Therefore assuring certain security
properties of IT-systems by formal methods is desirable. So
far in security formal methods have mostly been used to
prove properties of security protocols. However, access
control is an indispensable part of security inside a given
IT-system, which has not yet been sufficiently examined
using formal methods. The paper presents an example of a
RBAC security policy having the dual control property. This
is proved in a first-order linear temporal logic (LTL) that
has been embedded in the theorem prover Isabelle/HOL by the
authors. Thus the correctness of the proof is assured by
Isabelle/HOL. The authors consider first-order LTL a good
formalism for expressing RBAC authorisation constraints and
deriving properties from given RBAC security policies.
Furthermore it might also be applied to safety-related
issues in similar manner.},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ anonymous:qsic:2004, title = {4th International Conference on Quality Software (QSIC 2004), 8-10 September 2004, Braunschweig, Germany}, year = 2004, address = pub-ieee:adr, publisher = pub-ieee, booktitle = {QSIC},
isbn = {0-7695-2207-6},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ sohr.ea:specification:2005, author = {Karsten Sohr and Gail-Joon Ahn and Martin Gogolla and Lars
Migge}, title = {Specification and Validation of Authorisation Constraints
Using UML and OCL}, booktitle = {ESORICS}, year = 2005, pages = {64--79},
ee = {http://dx.doi.org/10.1007/11555827_5},
crossref = {vimercati.ea:computer:2005},
abstracts = {Abstract. Authorisation constraints can help the policy
architect design and express higher-level security policies
for organisations such as financial institutes or
governmental agencies. Although the importance of
constraints has been addressed in the literature, there
does not exist a systematic way to validate and test
authorisation constraints. In this paper, we attempt to
specify non-temporal constraints and history-based
constraints in Object Constraint Language (OCL) which is a
constraint specification language of Unified Modeling Language (UML) and describe how we can facilitate the USE
tool to validate and test such policies. We also discuss
the issues of identification of conflicting constraints and
missing constraints. },
tags = {AccessControl, SecureUML},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ vimercati.ea:computer:2005, title = {Computer Security - ESORICS 2005, 10th European Symposium
on Research in Computer Security, Milan, Italy, September 12-14, 2005, Proceedings}, year = 2005, editor = {Sabrina De Capitani di Vimercati and Paul F. Syverson and
Dieter Gollmann}, volume = 3679,
series = s-lncs, publisher = pub-springer, booktitle = {ESORICS},
isbn = {3-540-28963-1},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ wolter.ea:modeling:2007, author = {Christian Wolter and Andreas Schaad}, title = {Modeling of Task-Based Authorization Constraints in BPMN}, booktitle = {BPM}, year = 2007, pages = {64--79},
ee = {http://dx.doi.org/10.1007/978-3-540-75183-0_5},
crossref = {alonso.ea:business:2007},
tags = {ReadingList, SoKNOS, MDS, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ alonso.ea:business:2007, title = {Business Process Management, 5th International Conference,
BPM 2007, Brisbane, Australia, September 24-28, 2007,
Proceedings}, year = 2007, editor = {Gustavo Alonso and Peter Dadam and Michael Rosemann}, volume = 4714,
series = s-lncs, publisher = pub-springer, booktitle = {BPM},
isbn = {978-3-540-75182-3},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ sohr.ea:analyzing:2008, author = {Karsten Sohr and Michael Drouineaud and Gail-Joon Ahn and
Martin Gogolla}, title = {Analyzing and Managing Role-Based Access Control
Policies}, journal = j-tkde, year = 2008,
doi = {10.1109/TKDE.2008.28}, abstract = {Today more and more security-relevant data is stored on
computer systems; security-critical business processes are
mapped to their digital counterparts. This situation
applies to various domains such as health care industry,
digital government, and financial service institutes
requiring that different security requirements must be
fulfilled. Authorisation constraints can help the policy
architect design and express higher-level organisational
rules. Although the importance of authorisation constraints
has been addressed in the literature, there does not exist
a systematic way to verify and validate authorisation
constraints. In this paper, we specify both non-temporal
and history-based authorisation constraints in the Object
Constraint Language (OCL) and first-order linear temporal
logic (LTL). Based upon these specifications, we attempt to
formally verify role-based access control policies with the
help of a theorem prover and to validate policies with the
USE system, a validation tool for OCL constraints. We also
describe an authorisation engine, which supports the
enforcement of authorisation constraints.},
tags = {ReadingList, AccessControl},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ samuel.ea:context-aware:2008, author = {Samuel, A. and Ghafoor, A. and Bertino, E.}, title = {Context-Aware Adaptation of Access-Control Policies}, journal = {Internet Computing, IEEE}, year = 2008, volume = 12, number = 1, pages = {51--54}, abstract = {Today, public-service delivery mechanisms such as
hospitals, police, and fire departments rely on digital
generation, storage, and analysis of vital information. To
protect critical digital resources, these organizations
employ access-control mechanisms, which define rules under
which authorized users can access the resources they need
to perform organizational tasks. Natural or man-made
disasters pose a unique challenge, whereby previously
defined constraints can potentially debilitate an
organization's ability to act. Here, the authors propose
employing contextual parameters - specifically, activity
context in the form of emergency warnings - to adapt
access-control policies according to a priori
configuration.}, keywords = {authorisation, disasters, organisational
aspectsaccess-control policy, context-aware adaptation,
digital resource protection, natural disaster,
organizational task, public-service delivery mechanism},
doi = {10.1109/MIC.2008.6},
issn = {1089-7801},
tags = {ReadingList, AccessControl, SoKNOS},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ adam.ea:secure:2007, author = {Nabil Adam and Ahmet Kozanoglu and Aabhas Paliwal and
Basit Shafiq}, title = {Secure Information Sharing in a Virtual Multi-Agency Team
Environment}, journal = j-entcs, year = 2007, volume = 179, pages = {97--109},
issn = {1571-0661}, abstract = {This paper proposes a two tier RBAC approach for secure
and selective information sharing among virtual
multi-agency response team (VMART) and allows expansion of
the VMART by admitting new collaborators (government
agencies or NGOs) as need arise. A coordinator Web Service
for each member agency is proposed. The coordinator Web
Service is responsible for authentication, information
dissemination, information acquisition, role creation and
enforcement of predefined access control policies. Secure,
selective and fine-grained information sharing is realized
through the encryption of XML documents according to RBAC
policies defined for the corresponding XML schema.},
doi = {http://dx.doi.org/10.1016/j.entcs.2006.08.034}, publisher = pub-elsevier, address = pub-elsevier:adr,
tags = {ReadingList, SoKNOS},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ alam.ea:framework:2006, author = {Muhammad Alam and Michael Hafner and Ruth Breu and Stefan
Unterthiner}, title = {A Framework for Modeling Restricted Delegation in Service
Oriented Architecture}, booktitle = {TrustBus}, year = 2006, pages = {142--151},
ee = {http://dx.doi.org/10.1007/11824633_15},
crossref = {fischer-hubner.ea:trust:2006},
tags = {ReadingList, SoKNOS},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ fischer-hubner.ea:trust:2006, title = {Trust and Privacy in Digital Business, Third International
Conference, TrustBus 2006, Krakow, Poland, September 4-8, 2006, Proceedings}, year = 2006, editor = {Simone Fischer-H{\"u}bner and Steven Furnell and Costas
Lambrinoudakis}, volume = 4083,
series = s-lncs, publisher = pub-springer, booktitle = {TrustBus},
isbn = {3-540-37750-6},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ el-atawy.ea:policy:2005, author = {Adel El-Atawy and K. Ibrahim and H. Hamed and Ehab
Al-Shaer}, title = {Policy segmentation for intelligent firewall testing}, booktitle = {NPSec 05}, year = 2005, pages = {67--72}, month = nov, publisher = pub-ieee,
day = 6, keywords = {computer networks, intelligent networks, telecommunication
security, telecommunication traffic intelligent firewall
testing, network security, network traffic, packet
filtering algorithms, policy segmentation},
acknowledgement={none},
tags = {ReadingList, Testing, FWTesting},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ el-atawy.ea:automated:2007, author = {Adel El-Atawy and Taghrid Samak and Zein Wali and Ehab
Al-Shaer and Frank Lin and Christopher Pham and Sheng Li}, title = {An Automated Framework for Validating Firewall Policy
Enforcement}, booktitle = {\acs{policy} '07}, year = 2007, pages = {151--160}, publisher = pub-ieee,
acknowledgement={none},
tags = {ReadingList, Testing, FWTesting},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ bishop.ea:engineering:2006, author = {Steve Bishop and Matthew Fairbairn and Michael Norrish and
Peter Sewell and Michael Smith and Keith Wansbrough}, title = {Engineering with logic: \acs{hol} specification and
symbolic-evaluation testing for \acs{tcp} implementations}, booktitle = {\acs{popl}}, year = 2006, pages = {55--66},
crossref = {morrisett.ea:proceedings:2006},
acknowledgement={none},
tags = {ReadingList, FWTesting, Testing},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ morrisett.ea:proceedings:2006, title = {\acs{popl}}, year = 2006, editor = {J. Gregory Morrisett and Simon L. Peyton Jones}, publisher = pub-acm, booktitle = {\acs{popl}},
adress = pub-acm:adr,
acknowledgement={none},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ marmorstein.ea:firewall:2006, author = {Robert Marmorstein and Phil Kearns}, title = {Firewall analysis with policy-based host classification}, booktitle = {\acs{lisa}'06}, year = 2006, pages = {4--4}, publisher = {\acs{usenix} Association},
location = {Washington, \acs{dc}},
acknowledgement={none},
tags = {ReadingList, FWTesting, Testing},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ richters.ea:formalizing:1998, abstract = {We present a formal semantics for the Object Constraint Language (OCL) which is part of the Unified Modeling Language (UML) - an emerging standard language and notation
for object-oriented analysis and design. In context of
information systems modeling, UML class diagrams can be
utilized for describing the overall structure, whereas
additional integrity constraints and queries are specified
with OCL expressions. By using OCL, constraints and queries
can be specified in a formal yet comprehensible way.
However, the OCL itself is currently defined only in a
semi-formal way. Thus the semantics of constraints is in
general not precisely defined. Our approach gives precise
meaning to OCL concepts and to some central aspects of UML
class models. A formal semantics facilitates verification,
validation and simulation of models and helps to improve
the quality of models and software designs.},
bibkey = {richters.ea:formalizing:1998}, author = {Mark Richters and Martin Gogolla}, title = {On Formalizing the \acs{uml} Object Constraint Language \acs{ocl}}, pages = {449--464},
doi = {10.1007/b68220},
crossref = {ling.ea:conceptual:1998},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ ling.ea:conceptual:1998, language = {USenglish}, editor = {Tok Wang Ling and Sudha Ram and Mong-Li Lee}, booktitle = {Conceptual Modeling---{ER} '98}, title = {Conceptual Modeling---{ER} '98}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1507,
doi = {10.1007/b68220}, year = 1998,
isbn = {978-3-540-65189-5},
acknowledgement={brucker, 2007-02-19},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ cook.ea::amsterdam:2002, abstract = {In November 1998 the authors participated in a two-day
workshop on the Object Constraint Language (OCL) in
Amsterdam. The focus was to clarify issues about the
semantics and the use of OCL, and to discuss useful and
necessary extensions of OCL. Various topics have been
raised and clarified. This manifesto contains the results
of that workshop and the following work on these topics.
Overview of OCL.}, author = {Steve Cook and Anneke Kleppe and Richard Mitchell and
Bernhard Rumpe and Jos Warmer and Alan Wills}, title = {The Amsterdam Manifesto on \acs{ocl}}, pages = {115--149},
crossref = {clark.ea:object:2002},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ gogolla.ea:expressing:2001, author = {Martin Gogolla and Mark Richters},
bibkey = {gogolla.ea:expressing:2001}, abstract = {The Unified Modeling Language\acs{uml} is a complex language offering many modeling features. Especially the
description of static structures with class diagrams is
supported by a rich set of primitives. This paper shows how
to transfrom \acs{uml} class diagrams involving cardinality
constraints, qualifiers, association classes, aggregations,
compositions, and generalizations into equivalent \acs{uml}
class diagrams employing only binary associations and \acs{ocl} constraints. Thus we provide a better
understanding of \acs{uml} features. By reducing more
complex features in terms of basic ones, we suggest an easy
way users can gradually extend the set of \acs{uml}
elements they commonly apply in the modeling process.}, title = {Expressing \acs{uml} Class Diagrams Properties with \acs{ocl}}, pages = {85--114},
crossref = {clark.ea:object:2002},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ richters.ea:ocl:2001, abstract = {{The Object Constraint Language\acs{ocl} allows to
formally specify constraints on a \acs{uml} model. We
present a formal syntax and semantics for \acs{ocl} based
on set theory including expressions, invariants and pre-
and postconditions. A formal foundation for \acs{ocl} makes
the meaning of constraints precise and helps to eliminate
ambiguities and inconsistencies. A precise language de
nition is also a prerequisite for implementing CASE tools
providing enhanced support for \acs{uml} models and \acs{ocl} constraints. We give a survey of some \acs{ocl}
tools and discuss one of the tools in some more detail. The
design and implementation of the USE tool supporting the
validation of \acs{uml} models and \acs{ocl} constraints is
based on the formal approach presented in this paper.}},
bibkey = {richters.ea:ocl:2001}, author = {Mark Richters and Martin Gogolla}, title = {\acs{ocl}: Syntax, Semantics, and Tools.}, pages = {42--68},
crossref = {clark.ea:object:2002},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ hennicker.ea:precise:2002, author = {Rolf Hennicker and Heinrich Hu{\ss}mann and Michel Bidoit}, title = {On the Precise Meaning of \acs{ocl} Constraints}, pages = {69--84},
crossref = {clark.ea:object:2002}, abstract = {When OCL is applied in concrete examples, many questions
arise about the precise meaning of OCL constraints. The
same kind of difficulties appears when automatic support
tools for OCL are designed. These questions are due to the
lack of a precise semantics of OCL constraints in the
context of a UML model. The aim of this paper is to
contribute to a clarification of several issues, like
interpretation of invariants and pre- and postconditions,
treatment of undefined values, inheritance of constraints,
transformation rules for OCL constraints and computation of
proof obligations. Our study is based on a formal, abstract
semantics of OCL.},
bibkey = {hennicker.ea:precise:2002},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ clark.ea:object:2002, editor = {Tony Clark and Jos Warmer}, booktitle = {Object Modeling with the \acs{ocl}: The Rationale behind
the Object Constraint Language}, title = {Object Modeling with the \acs{ocl}: The Rationale behind
the Object Constraint Language}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 2263, year = 2002,
isbn = {3-540-43169-1},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ cengarle.ea:formal:2001, author = {Mar\'{\i}a Victoria Cengarle and Alexander Knapp}, title = {A Formal Semantics for \acs{ocl} 1.4}, year = 2001, abstract = {The OCL 1.4 specification introduces let-declarations for
adding auxiliary class features in static structures of the
UML. We provide a type inference system and a big-step
operational semantics for the OCL 1.4 that treat UML static
structures and UML object models and accommodate for
additional declarations; the operational semantics
satisfies a subject reduction property with respect to the
type inference system. We also discuss an alternative,
non-operational interpretation of let-declarations as
constraints.}, pages = {118--133},
crossref = {gogolla.ea:uml:2001},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ gogolla.ea:uml:2001, editor = {Martin Gogolla and Cris Kobryn}, booktitle = {\acs{uml} 2001---The Unified Modeling Language. Modeling
Languages, Concepts, and Tools}, title = {\acs{uml} 2001---The Unified Modeling Language. Modeling
Languages, Concepts, and Tools}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 2185, year = 2001,
isbn = {3-540-42667-1},
location = {Toronto, Canada},
acknowledgement={brucker, 2007-02-19},
tags = {MDE},
clearance = {unclassified},
timestap = {2008-05-26}
}
@TechReport{ balzer.ea:objects:2008, author = {Stephanie Balzer and Alexandra Burns and Thomas R. Gross}, title = {Objects in Context: An Empirical Study of Object
Relationships},
institution = {\acs{eth} Zurich}, year = 2008, abstract = {Object collaborations are at the core of all
object-oriented programming, yet current class-based
objectoriented programming languages do not provide an
explicit construct to capture the relationships between
objects. This paper reports on an empirical study that
investigates the occurrence of object collaborations to
assess the need of intrinsic support for relationships in a
programming language. We introduce a categorization of
possible forms of object collaborations and their
corresponding implementation patterns when using a
traditional class-based object-oriented language (Java) and
analyze 25 Java programs (ranging from 4 to 6275 classes)
with the Relationship Detector for Java (RelDJ) to identify
occurrences of these patterns. The empirical results show
that object collaborations are indeed a frequent phenomenon
and reveal that collaborationrelated code does not remain
encapsulated in a single class. These observations strongly
support efforts to define language constructs to express
object relationships: relationships allow the encapsulation
of a frequently occurring phenomenon and increase program
expressiveness. }, keywords = {Relationship-based Programming Languages, First-class
Relationships, Object Collaborations, Java, Bytecode
Analysis},
tags = {ReadingList, OOP},
clearance = {unclassified},
timestap = {2008-05-28}, number = 594
}
@InProceedings{ owre.ea:pvs:1996, author = {Sam Owre and S. Rajan and John M. Rushby and Natarajan
Shankar and Mandayam K. Srivas}, title = {\acs{pvs}: Combining Specification, Proof Checking, and
Model Checking}, year = 1996,
bibkey = {owre.ea:pvs:1996}, pages = {411--414},
crossref = {alur.ea:computer:1996},
doi = {10.1007/3-540-61474-5_91},
acknowledgement={brucker, 2007-02-19},
tags = {TheoremProving, FormalMethods},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ alur.ea:computer:1996, editor = {Rajeev Alur and Thomas A. Henzinger}, booktitle = {Computer Aided Verification (\acs{cav})}, title = {Computer Aided Verification (\acs{cav})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1102, year = 1996,
location = {New Brunswick, \acs{nj}, \acs{usa}},
doi = {10.1007/3-540-61474-5},
isbn = {3-540-61474-5},
acknowledgement={brucker, 2007-02-19},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ naraschewski.ea:object-oriented:1998, author = {Wolfgang Naraschewski and Markus Wenzel}, title = {Object-Oriented Verification Based on Record Subtyping in
Higher-Order Logic.}, pages = {349--366},
doi = {10.1007/BFb0055146},
crossref = {grundy.ea:theorem:1998}, abstract = {We show how extensible records with structural subtyping
can be represented directly in Higher-Order Logic
(\acs{hol}). Exploiting some specific properties of \acs{hol}, this encoding turns out to be extremely simple.
In particular, structural subtyping is subsumed by naive
parametric polymorphism, while overridable generic
functions may be based on overloading. Taking \acs{hol}
plus extensible records as a starting point, we then set
out to build an environment for object-oriented
specification and verification (HOOL). This framework
offers several well-known concepts like classes, objects,
methods and late-binding. All of this is achieved by very
simple means within \acs{hol}. }, keywords = {Isabelle/\acs{hol}, extensible records,
object-orientation, verification},
bibkey = {naraschewski.ea:object-oriented:1998},
acknowledgement={brucker, 2007-02-19},
tags = {TheoremProving, FormalMethods},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ grundy.ea:theorem:1998, editor = {Jim Grundy and Malcolm C. Newey}, title = {Theorem Proving in Higher Order Logics (\acs{tphols})}, booktitle = {Theorem Proving in Higher Order Logics (\acs{tphols})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1479, year = 1998,
doi = {10.1007/BFb0055125},
isbn = {3-540-64987-5},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ oheimb.ea:hoare:2002, author = {David von Oheimb and Tobias Nipkow}, title = {Hoare Logic for {NanoJava}: Auxiliary Variables, Side
Effects, and Virtual Methods Revisited}, pages = {89--105},
doi = {10.1007/3-540-45614-7_6},
crossref = {eriksson.ea:fme:2002},
acknowledgement={brucker, 2007-02-19}, abstract = {We define NanoJava, a kernel of Java tailored to the
investigation of Hoare logics. We then introduce a Hoare
logic for this language featuring an elegant new approach
for expressing auxiliary variables: by universal
quantification on the outer logical level. Furthermore, we
give simple means of handling side-effecting expressions
and dynamic binding within method calls. The logic is
proved sound and (relatively) complete using
Isabelle/\acs{hol}.}, keywords = {Languages, Reliability, Theory, Verification},
tags = {OOP, FormalMethods},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Proceedings{ eriksson.ea:fme:2002, editor = {Lars-Henrik Eriksson and Peter Alexander Lindsay}, booktitle = {\acs{fme} 2002: Formal Methods---Getting {IT} Right}, title = {\acs{fme} 2002: Formal Methods---Getting {IT} Right}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 2391,
doi = {10.1007/3-540-45614-7}, year = 2002,
isbn = {3-540-43928-5},
acknowledgement={brucker, 2007-02-19},
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-26}
}
@Article{ rudnicki:obvious:1987, author = {Piotr Rudnicki},
key = {Rudnicki}, journal = j-ar, title = {Obvious Inferences}, year = 1987, month = dec, volume = 3,
doi = {10.1007/BF00247436}, number = 4, abstract = {The notion of 'obvious' inference in predicate logic is
discussed from the viewpoint of proof- checker applications
in logic and mathematics education. A class of inferences
in predicate logic is defined and it is proposed to
identify it with the class of 'obvious' logical inferences.
The definition is compared with other approaches. The
algorithm for implementing the "obviousness' decision
procedure follows directly from the definition.}, pages = {383--394}, publisher = pub-springer-netherlands, address = pub-springer-netherlands:adr,
tags = {noTAG},
timestap = {2008-05-26}
}
@InProceedings{ stroustrup:what:1987, author = {Bjarne Stroustrup}, title = {What is "Object-Oriented Programming?"}, booktitle = {ECOOP}, year = 1987, pages = {51--70}, abstract = {"Object-Oriented Programming" and "Data ion" have become
very common terms. Unfortunately, few people agree on what
they mean. I will offer informal definitions that appear to
make sense in the context of languages like Ada, C++,
Modula-2, Simula67, and Smalltalk. The general idea is to
equate "support for data abstraction" with the ability to
define and use new types and equate "support for
object-oriented programming" with the ability to express
type hierarchies. Features necessary to support these
programming styles in a general purpose programming language will be discussed. The presentation centers around
C++ but is not limited to facilities provided by that language.},
crossref = {bezivin.ea:ecoop87:1987}
}
@Proceedings{ bezivin.ea:ecoop87:1987, editor = {Jean B{\'e}zivin and Jean-Marie Hullot and Pierre Cointe
and Henry Lieberman}, title = {ECOOP'87 European Conference on Object-Oriented
Programming, Paris, France, June 15-17, 1987, Proceedings}, booktitle = {ECOOP}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 276, year = 1987,
isbn = {3-540-18353-1},
location = {Paris, France}
}
@Book{ nipkow.ea:isabelle:2002, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, title = {Isabelle/\acs{hol}---A Proof Assistant for Higher-Order
Logic}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 2283,
doi = {10.1007/3-540-45949-9}, abstract = {This book is a self-contained introduction to interactive
proof in higher-order logic (\acs{hol}), using the proof
assistant Isabelle2002. It is a tutorial for potential
users rather than a monograph for researchers. The book has
three parts.
1. Elementary Techniques shows how to model functional
programs in higher-order logic. Early examples involve
lists and the natural numbers. Most proofs are two steps
long, consisting of induction on a chosen variable followed
by the auto tactic. But even this elementary part covers
such advanced topics as nested and mutual recursion. 2.
Logic and Sets presents a collection of lower-level tactics
that you can use to apply rules selectively. It also
describes Isabelle/\acs{hol}'s treatment of sets, functions
and relations and explains how to define sets inductively.
One of the examples concerns the theory of model checking,
and another is drawn from a classic textbook on formal
languages. 3. Advanced Material describes a variety of
other topics. Among these are the real numbers, records and
overloading. Advanced techniques are described involving
induction and recursion. A whole chapter is devoted to an
extended example: the verification of a security protocol. }, year = 2002,
acknowledgement={brucker, 2007-02-19},
bibkey = {nipkow.ea:isabelle:2002},
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-26}
}
@InProceedings{ kerber.ea:mechanization:1994, author = {Manfred Kerber and Michael Kohlhase}, title = {A Mechanization of Strong Kleene Logic for Partial
Functions}, pages = {371--385},
crossref = {bundy:automated:1994}, abstract = {Even though it is not very often admitted, partial
functions do play a significant role in many practical
applications of deduction systems. Kleene has already given
a semantic account of partial functions using three-valued
logic decades ago, but there has not been a satisfactory
mechanization. Recent years have seen a thorough
investigation of the framework of many-valued
truth-functional logics. However, strong Kleene logic,
where quantification is restricted and therefore not
truth-functional, does not fit the framework directly. We
solve this problem by applying recent methods from sorted
logics. This paper presents a resolution calculus that
combines the proper treatment of partial functions with the
efficiency of sorted calculi.},
doi = {10.1007/3-540-58156-1_26},
acknowledgement={brucker, 2007-02-19},
bibkey = {kerber.ea:mechanization:1994}
}
@Proceedings{ bundy:automated:1994, editor = {Alan Bundy}, booktitle = {Automated Deduction---\acs{cade}-12}, title = {Automated Deduction---\acs{cade}-12}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs,
location = {Nancy, France}, volume = 814, year = 1994,
isbn = {3-540-58156-1},
acknowledgement={brucker, 2007-02-19},
doi = {10.1007/3-540-58156-1}
}
@InProceedings{ hahnle:towards:1991, author = {Reiner H{\"a}hnle}, title = {Towards an Efficient Tableau Proof Procedure for
Multiple-Valued Logics}, pages = {248--260},
crossref = {borger.ea:computer:1991},
doi = {10.1007/3-540-54487-9_62}, abstract = {One of the obstacles against the use of tableau-based
theorem provers for non-standard logics is the inefficiency
of tableau systems in practical applications, though they
are highly intuitive and extremely flexible from a proof
theoretical point of view. We present a method for
increasing the efficiency of tableau systems in the case of
multiple-valued logics by introducing a generalized notion
of signed formulas and give sound and complete tableau
systems for arbitrary propositional finite-valued logics.},
acknowledgement={brucker, 2007-02-19},
bibkey = {hahnle:towards:1991}
}
@Proceedings{ borger.ea:computer:1991, editor = {Egon B{\"o}rger and Hans Kleine B{\"u}ning and Michael M.
Richter and Wolfgang Sch{\"o}nfeld}, title = {Computer Science Logic (\acs{csl})}, booktitle = {Computer Science Logic (\acs{csl})},
series = s-lncs, volume = 533, year = 1991,
doi = {10.1007/3-540-54487-9},
isbn = {978-3-540-54487-6},
acknowledgement={brucker, 2007-02-19}, publisher = pub-springer, address = pub-springer:adr
}
@InProceedings{ berghofer.ea:inductive:1999, author = {Stefan Berghofer and Markus Wenzel}, title = {Inductive datatypes in \acs{hol}---lessons learned in
Formal-Logic Engineering}, pages = {19--36},
crossref = {bertot.ea:theorem:1999},
bibkey = {berghofer.ea:inductive:1999}, month = sep,
doi = {10.1007/3-540-48256-3_3},
acknowledgement={brucker, 2007-02-19}
}
@Proceedings{ bertot.ea:theorem:1999, editor = {Yves Bertot and Gilles Dowek and Andr{\'e} Hirschowitz and
C. Paulin and Laurent Th{\'e}ry}, title = {Theorem Proving in Higher Order Logics (\acs{tphols})}, booktitle = {Theorem Proving in Higher Order Logics (\acs{tphols})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1690,
acknowledgement={brucker, 2007-02-19},
location = {Nice, France}, year = 1999,
isbn = {3-540-66463-7}
}
@Proceedings{ geuvers.ea:types:2003, editor = {Herman Geuvers and Freek Wiedijk}, title = {Types for Proofs and Programs (\acs{types})}, booktitle = {Types for Proofs and Programs (\acs{types})}, publisher = pub-springer,
location = {Nijmegen}, address = pub-springer:adr,
series = s-lncs, volume = 2646, language = {USenglish}, year = 2003,
isbn = {3-540-14031-X},
acknowledgement={brucker, 2007-02-19}
}
@InProceedings{ angelo.ea:degrees:1994, author = {Catia M. Angelo and Luc J. M. Claesen and Hugo De Man}, title = {Degrees of Formality in Shallow Embedding Hardware
Description Languages in \acs{hol}}, pages = {89--100},
doi = {10.1007/3-540-57826-9_127},
crossref = {joyce.ea:higher:1994},
bibkey = {angelo.ea:degrees:1994},
acknowledgement={brucker, 2007-02-19}
}
@Proceedings{ joyce.ea:higher:1994, editor = {Jeffrey J. Joyce and Carl-Johan H. Seger}, title = {Higher Order Logic Theorem Proving and Its Applications
(\acs{hug})}, booktitle = {Higher Order Logic Theorem Proving and Its Applications
(\acs{hug})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, abstract = {Theorem proving based techniques for formal hardware
verification have been evolving constantly and researchers
are getting able to reason about more complex issues than
it was possible or practically feasible in the past. It is
often the case that a model of a system is built in a
formal logic and then reasoning about this model is carried
out in the logic. Concern is growing on how to consistently
interface a model built in a formal logic with an informal
CAD environment. Researchers have been investigating how to
define the formal semantics of hardware description
languages so that one can formally reason about models
informally dealt with in a CAD environment. At the
University of Cambridge, the embedding of hardware
description languages in a logic is classified in two
categories: deep embedding and shallow embedding. In this
paper we argue that there are degrees of formality in
shallow embedding a language in a logic. The choice of the
degree of formality is a trade-off between the security of
the embedding and the amount and complexity of the proof
effort in the logic. We also argue that the design of a language could consider this verifiability issue. There are
choices in the design of a language that can make it easier
to improve the degree of formality, without implying
serious drawbacks for the CAD environment.}, volume = 780, year = 1994,
doi = {10.1007/3-540-57826-9},
isbn = {3-540-57826-9},
acknowledgement={brucker, 2007-02-19}
}
@InProceedings{ huffman.ea:axiomatic:2005, author = {Brian Huffman and John Matthews and Peter White}, title = {Axiomatic Constructor Classes in {Isabelle}/\acs{holcf}.}, pages = {147--162},
doi = {10.1007/11541868_10},
crossref = {hurd.ea:theorem:2005},
acknowledgement={brucker, 2007-02-19},
bibkey = {huffman.ea:axiomatic:2005}, abstract = {We have definitionally extended Isabelle/HOLCF to support
axiomatic Haskell-style constructor classes. We have
subsequently defined the functor and monad classes,
together with their laws, and implemented state and
resumption monad transformers as generic constructor class
instances. This is a step towards our goal of giving
modular denotational semantics for concurrent lazy
functional programming languages, such as GHC Haskell.}
}
@InProceedings{ marche.ea:reasoning:2005, author = {Claude March{\'e} and Christine Paulin-Mohring}, title = {Reasoning About {Java} Programs with Aliasing and Frame
Conditions}, pages = {179--194},
crossref = {hurd.ea:theorem:2005}, abstract = {Several tools exist for reasoning about Java programs
annotated with JML specifications. A main issue is to deal
with possible aliasing between objects and to handle
correctly the frame conditions limiting the part of memory
that a method is allowed to modify. Tools designed for
automatic use (like ESC/Java) are not complete and even not
necessarily correct. On the other side, tools which offer a
full modeling of the program require a heavy user
interaction for discharging proof obligations. In this
paper, we present the modeling of Java programs used in the
Krakatoa tool, which generates proof obligations expressed
in a logic language suitable for both automatic and
interactive reasoning. Using the Simplify automatic theorem
prover, we are able to establish automatically more
properties than static analysis tools, with a method which
is guaranteed to be sound, assuming only the correctness of
our logical interpretation of programs and
specifications.},
doi = {10.1007/11541868_12},
acknowledgement={brucker, 2007-02-19},
bibkey = {marche.ea:reasoning:2005}
}
@Proceedings{ hurd.ea:theorem:2005, editor = {Joe Hurd and Thomas F. Melham}, title = {Theorem Proving in Higher Order Logics (\acs{tphols})}, booktitle = {Theorem Proving in Higher Order Logics (\acs{tphols})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3603,
doi = {10.1007/11541868}, year = 2005,
isbn = {978-3-540-28372-0},
acknowledgement={brucker, 2007-02-19}
}
@InProceedings{ leino.ea:modular:2005, author = {K. Rustan M. Leino and Peter M{\"u}ller}, title = {Modular Verification of Static Class Invariants.}, pages = {26--42},
doi = {10.1007/11526841_4}, abstract = {Object invariants describe the consistency of
object-oriented data structures and are central to
reasoning about the correctness of object-oriented
software. But object invariants are not the only
consistency conditions on which a program may depend. The
data in object-oriented programs consists not just of
object fields, but also of static fields, which hold data
that is shared among objects. The consistency of static
fields is described by static class invariants, which are
enforced at the class level. Static class invariants can
also mention instance fields, describing the consistency of
dynamic data structures rooted in static fields. Sometimes
there are even consistency conditions that relate the
instance fields of many or all objects of a class; static
class invariants describe these relations, too, since they
cannot be enforced by any one object in isolation. This
paper presents a systematic way (a methodology) for
specifying and verifying static class invariants in
object-oriented programs. The methodology supports the
three major uses of static fields and invariants in the
Java library. The methodology is amenable to static,
modular verification and is sound.},
crossref = {fitzgerald.ea:fm:2005},
acknowledgement={brucker, 2007-02-19}
}
@InProceedings{ basin.ea:verification:2005, author = {David A. Basin and Hironobu Kuruma and Kazuo Takaragi and
Burkhart Wolff}, abstract = {We report on a case study in using \holz, an embedding of
Z in higher-order logic, to specify and verify a security
architecture for administering digital signatures. We have
used \holz{} to formalize and combine both data-oriented
and process-oriented architectural views. Afterwards, we
formalized temporal requirements in Z and carried out
verification in higher-order logic. The same architecture
has been previously verified using the SPIN model checker.
Based on this, we provide a detailed comparison of these
two di erent approaches to formalization (infinite state
with rich data types versus finite state) and verification
(theorem proving versus model checking). Contrary to common
belief, our case study suggests that Z is well suited for
temporal reasoning about process models with rich data.
Moreover, our comparison highlights the advantages of this
approach and provides evidence that, in the hands of
experienced users, theorem proving is neither substantially
more time-consuming nor more complex than model checking.}, title = {Verification of a Signature Architecture with \holz}, pages = {269--285},
crossref = {fitzgerald.ea:fm:2005}, language = {USenglish},
acknowledgement={brucker, 2007-02-19},
doi = {10.1007/11526841_19},
bibkey = {basin.ea:verification:2005}
}
@Proceedings{ fitzgerald.ea:fm:2005, editor = {John Fitzgerald and Ian J. Hayes and Andrzej Tarlecki}, booktitle = {{FM} 2005: Formal Methods}, title = {{FM} 2005: Formal Methods}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3582, year = 2005,
acknowledgement={brucker, 2007-02-19},
doi = {10.1007/11526841},
isbn = {978-3-540-27882-5},
location = {Newcastle, UK}
}
@InProceedings{ barnett.ea:spec:2004, author = {Mike Barnett and K. Rustan M. Leino and Wolfram Schulte}, abstract = "Spec# is the latest in a long line of work on programming
languages and systems aimed at improving the development of
correct software. This paper describes the goals and
architecture of the Spec# programming system, consisting of
the object-oriented Spec# programming language, the Spec#
compiler, and the Boogie static program verifier. The language includes constructs for writing specifications
that capture programmer intentions about how methods and
data are to be used, the compiler emits run-time checks to
enforce these specifications, and the verifier can check
the consistency between a program and its specifications.", language = {USenglish}, title = {The {\Specsharp} programming system: An overview}, pages = {49--69},
crossref = {barthe.ea:construction:2005},
bibkey = {barnett.ea:spec:2004},
doi = {10.1007/b105030},
acknowledgement={brucker, 2007-02-19}, month = may # {~25}
}
@Proceedings{ barthe.ea:construction:2005, editor = {Gilles Barthe and Lilian Burdy and Marieke Huisman and
Jean-Louis Lanet and Traian Muntean}, title = {Construction and Analysis of Safe, Secure, and
Interoperable Smart Devices (\acs{cassis})}, booktitle = {Construction and Analysis of Safe, Secure, and
Interoperable Smart Devices (\acs{cassis})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3362, year = 2005,
isbn = {978-3-540-24287-1},
acknowledgement={brucker, 2007-02-19},
doi = {10.1007/b105030}
}
@InProceedings{ jacobs.ea:java:2004, author = {Bart Jacobs and Erik Poll}, title = {{Java} Program Verification at {Nijmegen}: Developments
and Perspective.},
doi = {10.1007/b102118}, pages = {134--153},
acknowledgement={brucker, 2007-02-19}, abstract = {This paper presents a historical overview of the work on
Java program verification at the University of Nijmegen
(the Netherlands) over the past six years (1997-2003). It
describes the development and use of the LOOP tool that is
central in this work. Also, it gives a perspective on the
field.},
crossref = {futatsugi.ea:software:2004}
}
@Proceedings{ futatsugi.ea:software:2004, editor = {Kokichi Futatsugi and Fumio Mizoguchi and Naoki Yonezaki}, title = {Software Security---Theories and Systems (\acs{isss})}, booktitle = {Software Security---Theories and Systems (\acs{isss})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs,
acknowledgement={brucker, 2007-02-19}, volume = 3233, year = 2004,
doi = {10.1007/b102118},
isbn = {978-3-540-23635-1}
}
@InProceedings{ meyer.ea:architecture:2000, author = {J{\"o}rg Meyer and Arnd Poetzsch-Heffter}, title = {An Architecture for Interactive Program Provers}, abstract = {Formal specification and verification techniques can
improve the quality of programs by enabling the analysis
and proof of semantic program properties. This paper
describes the modular architecture of an interactive
program prover that we are currently developing for a Java
subset. In particular, it discusses the integration of a
programming language-specific prover component with a
general purpose theorem prover.}, pages = {63--77},
crossref = {graf.ea:tools:2000}
}
@Proceedings{ graf.ea:tools:2000, editor = {Susanne Graf and Michael I. Schwartzbach}, booktitle = {Tools and Algorithms for the Construction and Analysis of
Systems (\acs{tacas})}, title = {Tools and Algorithms for the Construction and Analysis of
Systems (\acs{tacas})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1785, year = 2000,
isbn = {3-540-67282-6}
}
@InProceedings{ markovic.ea:ocl:2006, author = {Sali{\v s}a Markovi{\'c} and Thomas Baar}, language = {USenglish},
doi = {10.1007/11880240_46},
acknowledgement={brucker, 2007-02-19}, pages = {661--675}, title = {An {\acs{ocl}} Semantics Specified with {\textsc{qvt}}},
crossref = {nierstrasz.ea:model:2006}, abstract = {Metamodeling became in the last decade a widely accepted
tool to describe the (abstract) syntax of modeling
languages in a concise, but yet precise way. For the
description of the language's semantics, the situation is
less satisfactory and formal semantics definitions are
still seen as a challenge. In this paper, we propose an
approach to specify the semantics of modeling languages in
a graphical way. As an example, we describe the evaluation
semantics of OCL by transformation rules written in the
graphical formalism QVT. We believe that the graphical
format of our OCL semantics has natural advantages with
respect to understandability compared to existing
formalizations of OCL's semantics. Our semantics can also
be seen as a reference implementation of an OCL evaluator,
because the transformation rules can be executed by any QVT
compliant transformation engine.}
}
@InProceedings{ pons.ea:ocl-based:2006, author = {Claudia Pons and Diego Garcia}, title = {An {OCL}-Based Technique for Specifying and Verifying
Refinement-Oriented Transformations in {MDE}}, booktitle = {MoDELS}, year = 2006, pages = {646--660},
doi = {10.1007/11880240_45},
crossref = {nierstrasz.ea:model:2006}
}
@InProceedings{ kosiuczenko:specification:2006, author = {Piotr Kosiuczenko}, title = {Specification of Invariability in \acs{ocl}}, pages = {676--691},
doi = {10.1007/11880240_47},
crossref = {nierstrasz.ea:model:2006}, abstract = {The paradigm of contractual specification provides a
transparent way of specifying systems. It clearly
distinguishes between client and implementer obligations.
One of the best known languages used for this purpose is
OCL. Nevertheless, OCL does not provide primitives for a
compact specification of what remains unchanged when a
method is executed. In this paper, problems with specifying
invariability are listed and some weaknesses of existing
solutions are pointed out. The question of specifying
invariability in OCL is studied and a simple but expressive
and flexible extension is proposed. It is shown that this
extension has a simple OCL based semantics.}
}
@Proceedings{ nierstrasz.ea:model:2006, editor = {Oscar Nierstrasz and Jon Whittle and David Harel and
Gianna Reggio}, title = {Model Driven Engineering Languages and Systems
(\acs{models})}, booktitle = {Model Driven Engineering Languages and Systems
(\acs{models})}, address = pub-springer:adr,
location = {Genova, Italy}, publisher = pub-springer,
series = s-lncs,
acknowledgement={brucker, 2007-02-19}, volume = 4199, year = 2006,
doi = {10.1007/11880240},
isbn = {978-3-540-45772-5}
}
@InProceedings{ syme:proving:1999, author = {Don Syme}, title = {Proving {Java} Type Soundness}, pages = {83--118},
crossref = {alves-foss:formal:1999},
acknowledgement={brucker, 2007-02-19}, abstract = {This chapter describes a machine checked proof of the type
soundness of a subset of Java (we call this subset
Javatex2html_wrap_inline102). In Chapter 3, a formal
semantics for approximately the same subset was presented
by Drossopoulou and Eisenbach. The work presented here
serves two roles: it complements the written semantics by
correcting and clarifying some details; and it demonstrates
the utility of formal, machine checking when exploring a
large and detailed proof based on operational semantics.},
bibkey = {syme:proving:1999}
}
@InProceedings{ flatt.ea:programmers:1999, author = {Matthew Flatt and Shriram Krishnamurthi and Matthias
Felleisen}, title = {A Programmer's Reduction Semantics for Classes and
Mixins.},
doi = {10.1007/3-540-48737-9_7}, pages = {241--269},
crossref = {alves-foss:formal:1999},
acknowledgement={brucker, 2007-02-19}, abstract = {While class-based object-oriented programming languages
provide a flexible mechanism for re-using and managing
related pieces of code, they typically lack linguistic
facilities for specifying a uniform extension of many
classes with one set of fields and methods. As a result,
programmers are unable to express certain abstractions over
classes. In this paper we develop a model of class-to-class
functions that we refer to as mixins. A mixin function maps
a class to an extended class by adding or overriding fields
and methods. Programming with mixins is similar to
programming with single inheritance classes, but mixins
more directly encourage programming to interfaces. The
paper develops these ideas within the context of Java. The
results are an intuitive model of an essential Java subset;
an extension that explains and models mixins; and type
soundness theorems for these languages.}
}
@InProceedings{ drossopoulou.ea:describing:1999, author = {Sophia Drossopoulou and Susan Eisenbach}, title = {Describing the Semantics of {Java} and Proving Type
Soundness}, pages = {41--82},
doi = {10.1007/3-540-48737-9_2},
crossref = {alves-foss:formal:1999},
acknowledgement={brucker, 2007-02-19}, abstract = {Java combines the experience from the development of
several object oriented languages, such as C++, Smalltalk
and CLOS. The philosophy of the language designers was to
include only features with already known semantics, and to
provide a small and simple language.
Nevertheless, we feel that the introduction of some new
features in Java, as well as the specific combination of
features, justifies a study of the Java formal semantics.
The use of interfaces, reminiscent of [6,10] is a
simplification of the signatures extension for C++ [4] and
is - to the best of our knowledge - novel. The mechanism
for dynamic method binding is that of C++, but we know of
no formal definition. Java adopts the Smalltalk [15]
approach whereby all object variables are implicitly
pointers.
Furthermore, although there are a large number of studies
of the semantics of isolated programming language features
or of minimal programming languages [1,31,34] there have
not been many studies of the formal semantics of actual
programming languages. In addition, the interplay of
features which are very well understood in isolation, might
introduce unexpected effects. }
}
@InProceedings{ oheimb.ea:machine-checking:1999, author = {David von Oheimb and Tobias Nipkow}, title = {Machine-Checking the {Java} Specification: Proving
Type-Safety}, pages = {119--156},
crossref = {alves-foss:formal:1999},
acknowledgement={brucker, 2007-02-19},
bibkey = {oheimb.ea:machine-checking:1999}
}
@Proceedings{ alves-foss:formal:1999, editor = {Jim Alves-Foss}, title = {Formal Syntax and Semantics of {Java}}, booktitle = {Formal Syntax and Semantics of {Java}}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1523, year = 1999,
isbn = {3-540-66158-1},
acknowledgement={brucker, 2007-02-19},
bibkey = {alves-foss:formal:1999}
}
@InProceedings{ smith.ea:encoding:2002, author = {Graeme Smith and Florian Kamm{\"u}ller and Thomas Santen}, title = {Encoding {Object-Z} in {Isabelle}/{\acs{hol}}.}, pages = {82--99},
doi = {10.1007/3-540-45648-1_5},
crossref = {bert.ea:zb:2002}, abstract = {In this paper, we present a formalization of the reference
semantics of Object-Z in the higher-order logic (HOL)
instantiation of the generic theorem prover Isabelle,
Isabelle/HOL. This formalization has the effect of both
clarifying the semantics and providing the basis for a
theorem prover for Object-Z. The work builds on an earlier
encoding of a value semantics for object-oriented Z in
Isabelle/HOL and a denotational semantics of Object-Z based
on separating the internal and external effects of class
methods.}, keywords = {Object-Z, reference semantics, higher-order logic,
Isabelle},
acknowledgement={brucker, 2007-02-19}
}
@Proceedings{ bert.ea:zb:2002, editor = {Didier Bert and Jonathan P. Bowen and Martin C. Henson and
Ken Robinson}, title = {{ZB} 2002: Formal Specification and Development in {Z} and
{B}}, booktitle = {{ZB} 2002: Formal Specification and Development in {Z} and
{B}},
location = {Grenoble, France}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 2272, year = 2002,
isbn = {3-540-43166-7},
acknowledgement={brucker, 2007-02-19},
bibkey = {bert.ea:zb:2002}
}
@InProceedings{ paulson:formulation:1990, author = {Lawrence C. Paulson}, title = {A formulation of the simple theory of types (for
{Isabelle})}, pages = {246--274},
doi = {10.1007/3-540-52335-9_58},
crossref = {martin-lof.ea:colog-88:1990},
acknowledgement={brucker, 2007-02-19}, abstract = {Simple type theory is formulated for use with the generic
theorem prover Isabelle. This requires explicit type
inference rules. There are function, product, and subset
types, which may be empty. Descriptions (the eta-operator)
introduce the Axiom of Choice. Higher-order logic is
obtained through reflection between formulae and terms of
type bool. Recursive types and functions can be formally
constructed. Isabelle proof procedures are described. The
logic appears suitable for general mathematics as well as
computational problems. }
}
@Proceedings{ martin-lof.ea:colog-88:1990, editor = {Per Martin-L{\"o}f and Grigori Mints}, title = {\acs{colog}-88}, booktitle = {\acs{colog}-88},
location = {Tallinn, USSR}, publisher = pub-springer,
acknowledgement={brucker, 2007-02-19}, address = pub-springer:adr,
doi = {10.1007/3-540-52335-9},
series = s-lncs, volume = 417, year = 1990,
isbn = {3-540-52335-9}
}
@InProceedings{ beckert.ea:dynamic:2006, author = {Bernhard Beckert and Andr{\'e} Platzer}, title = {Dynamic Logic with Non-rigid Functions.}, pages = {266--280},
acknowledgement={brucker, 2007-02-19},
doi = {10.1007/11814771_23}, abstract = {We introduce a dynamic logic that is enriched by non-rigid
functions, i.e., functions that may change their value from
state to state (during program execution), and we present a
(relatively) complete sequent calculus for this logic. In
conjunction with dynamically typed object enumerators,
non-rigid functions allow to embed notions of
object-orientation in dynamic logic, thereby forming a
basis for verification of object-oriented programs. A
semantical generalisation of substitutions, called state
update, which we add to the logic, constitutes the central
technical device for dealing with object aliasing during
function modification. With these few extensions, our
dynamic logic captures the essential aspects of the complex
verification system KeY and, hence, constitutes a
foundation for object-oriented verification with the
principles of reasoning that underly the successful KeY
case studies.},
crossref = {furbach.ea:automated:2006}
}
@Proceedings{ furbach.ea:automated:2006, editor = {Ulrich Furbach and Natarajan Shankar},
doi = {10.1007/11814771}, title = {Automated Reasoning (\acs{ijcar})}, booktitle = {Automated Reasoning (\acs{ijcar})},
location = {Seattle, WA}, publisher = pub-springer, address = pub-springer:adr,
acknowledgement={brucker, 2007-02-19},
series = s-lncs, volume = 4130, year = 2006,
isbn = {978-3-540-37187-8}
}
@InProceedings{ yatake.ea:implementing:2005, author = {Kenro Yatake and Toshiaki Aoki and Takuya Katayama}, title = {Implementing Application-Specific Object-Oriented Theories
in {\acs{hol}}},
acknowledgement={brucker, 2007-02-19},
doi = {10.1007/11560647_33}, pages = {501--516}, abstract = {This paper presents a theory of Object-Oriented concepts
embedded shallowly in HOL for the verification of OO
analysis models. The theory is application-specific in the
sense that it is automatically constructed depending on the
type information of the application. This allows objects to
have attributes of arbitrary types, making it possible to
verify models using not only basic types but also highly
abstracted types specific to the target domain. The theory
is constructed by definitional extension based on the
operational semantics of a heap memory model, which
guarantees the soundness of the theory. This paper mainly
focuses on the implementation details of the theory.},
crossref = {hung.ea:theoretical:2005}
}
@Proceedings{ hung.ea:theoretical:2005, editor = {Dang Van Hung and Martin Wirsing}, title = {Theoretical Aspects of Computing---\acs{ictac} 2005}, booktitle = {Theoretical Aspects of Computing---\acs{ictac} 2005},
location = {Hanoi, Vietnam}, publisher = pub-springer, address = pub-springer:adr,
doi = {10.1007/11560647},
series = s-lncs,
acknowledgement={brucker, 2007-02-19}, volume = 3722, year = 2005,
isbn = {3-540-29107-5}
}
@InProceedings{ aspinall:proof:2000, author = {David Aspinall}, title = {{P}roof {G}eneral: A Generic Tool for Proof Development},
acknowledgement={brucker, 2007-02-19}, pages = {38--42},
crossref = {graf.ea:tools:2000-b}, abstract = {This note describes Proof General, a tool for developing
machine proofs with an interactive proof assistant.
Interaction is based around a proof script, which is the
target of a proof development. Proof General provides a
powerful user-interface with relatively little effort,
alleviating the need for a proof assistant to provide its
own GUI, and providing a uniform appearance for diverse
proof assistants.
Proof General has a growing user base and is currently used
for several interactive proof systems, including Coq, LEGO,
and Isabelle. Support for others is on the way. Here we
give a brief overview of what Proof General does and the
philosophy behind it; technical details are available
elsewhere. The program and user documentation are available
on the web at http://www.dcs.ed.ac.uk/home/proofgen.}
}
@InProceedings{ beckert.ea:many-valued:1992, author = {Bernhard Beckert and Stefan Gerberding and Reiner
H{\"a}hnle and Werner Kernig}, title = {The Many-Valued Tableau-Based Theorem Prover {\threeTAP}},
acknowledgement={brucker, 2007-02-19}, pages = {758--760},
bibkey = {beckert.ea:many-valued:1992},
crossref = {kapur:automated:1992},
doi = {10.1007/3-540-55602-8_219}
}
@Proceedings{ kapur:automated:1992, editor = {Deepak Kapur}, title = {Automated Deduction---\acs{cade}-11}, booktitle = {Automated Deduction---\acs{cade}-11},
location = {Saratoga Springs, \acs{ny}, \acs{usa}}, publisher = pub-springer, address = pub-springer:adr,
doi = {10.1007/3-540-55602-8},
series = s-lncs, volume = 607, year = 1992,
acknowledgement={brucker, 2007-02-19},
isbn = {978-3-540-55602-2}
}
@Article{ ahrendt.ea:key:2005,
bibkey = {ahrendt.ea:key:2005}, author = {Wolfgang Ahrendt and Thomas Baar and Bernhard Beckert and
Richard Bubel and Martin Giese and Reiner H\"ahnle and
Wolfram Menzel and Wojciech Mostowski and Andreas Roth and
Steffen Schlager and Peter H. Schmitt}, title = {The {\KeY} Tool},
doi = {10.1007/s10270-004-0058-x}, publisher = pub-springer, address = pub-springer:adr, journal = j-sosym, volume = 4, number = 1, year = 2005, pages = {32--54},
acknowledgement={brucker, 2007-04-23}
}
@Article{ cengarle.ea:ocl:2004, journal = j-sosym, volume = 3, pages = {9--30}, number = 1, year = 2004, publisher = pub-springer, address = pub-springer:adr,
issn = {1619-1366},
doi = {10.1007/s10270-003-0035-9}, title = {{\acs{ocl}} 1.4/5 vs. 2.0 Expressions Formal semantics and
expressiveness}, author = {Mar{\`\i}a Victoria Cengarle and Alexander Knapp},
acknowledgement={brucker, 2007-04-23},
bibkey = {cengarle.ea:ocl:2004}
}
@Article{ toval.ea:emerging:2003, journal = j-sosym, pages = {248--261}, volume = 2, number = 4, year = 2003, publisher = pub-springer,
doi = {10.1007/s10270-003-0031-0}, address = pub-springer:adr,
issn = {1619-1366}, month = dec, title = {Emerging {\acs{ocl}} tools}, author = {Jos{\'e} Ambrosio Toval and V{\`\i}ctor Requena and
Jos{\'e} Luis Fern{\'a}ndez},
acknowledgement={brucker, 2007-04-23},
bibkey = {toval.ea:emerging:2003}
}
@Article{ bubel.ea:formal:2005, author = {Richard Bubel and Reiner H\"{a}hnle}, title = {Integration of informal and formal development of
object-oriented safety-critical software.}, year = 2005, journal = j-sttt, publisher = pub-springer, address = pub-springer:adr,
issn = {1433-2779}, volume = 7, number = 3, language = {USenglish},
doi = {10.1007/s10009-004-0166-5}, pages = {197--211},
acknowledgement={brucker, 2007-04-23},
bibkey = {bubel.ea:formal:2005}
}
@Proceedings{ stepney.ea:object:1992, abstract = {This collection of papers draws together a variety of
approaches for adding OO concepts and structuring
capability to the Z formal specification language. Each
approach is used to specify the same two problems, to allow
a comparison. }, editor = {Susan Stepney and Rosalind Barden and David Cooper},
isbn = {3-540-19778-8}, language = {USenglish},
public = {yes}, publisher = pub-springer, address = pub-springer:adr,
series = {Workshops in Computing},
topic = {formalism}, title = {Object Orientation in {Z}}, year = 1992, keywords = {Object Orientation, Z},
acknowledgement={brucker, 2007-04-23},
bibkey = {stepney.ea:object:1992}
}
@InProceedings{ hamie.ea:reflections:1998,
bibkey = {hamie.ea:reflections:1998}, author = {Ali Hamie and Franco Civello and John Howse and Stuart
Kent and Richard Mitchell}, title = {{Reflections on the Object Constraint Language}}, year = 1998,
doi = {10.1007/b72309},
topic = {formalism},
acknowledgement={brucker, 2007-04-23}, pages = {162--172},
crossref = {bezivin.ea:unified:1999}, abstract = {The \acf{ocl}, which forms part of the \acs{uml} set of
modelling notations, is a precise, textual language for
expressing constraints that cannot be shown
diagrammatically in \acs{uml}. This paper reflects on a number of aspects of the syntax and semantics of the \acs{ocl}, and makes proposals for clarification or
extension. Specifically, the paper suggests that: the
concept of flattening collections of collections is
unnecessary, state models should be connectable to class
models, defining object creation should be made more
convenient, \acs{ocl} should be based on a 2-valued logic,
set subtraction should be covered more fully, and a "let"
feature should be introduced. }
}
@Proceedings{ bezivin.ea:unified:1999, editor = {Jean B{\'e}zivin and Pierre-Alain Muller},
doi = {10.1007/b72309}, booktitle = {The Unified Modeling Language. \guillemotleft \acs{uml}\guillemotright'98: Beyond the Notation}, title = {The Unified Modeling Language. \guillemotleft \acs{uml}\guillemotright'98: Beyond the Notation}, publisher = pub-springer, address = pub-springer:adr,
acknowledgement={brucker, 2007-04-23},
series = s-lncs, volume = 1618, year = 1999,
isbn = {3-540-66252-9}
}
@Book{ guttag.ea:larch:1993, author = {John V. Guttag and James J. Horning}, title = {{Larch}: Languages and Tools for Formal Specification}, publisher = pub-springer-ny, address = pub-springer-ny:adr,
series = {Texts and Monographs in Computer Science}, year = 1993,
isbn = {0-387-94006-5},
acknowledgement={brucker, 2007-04-23}
}
@Article{ beckert.ea:refinement:2005, title = {Refinement and Retrenchment for Programming Language Data
Types}, author = {Bernhard Beckert and Steffen Schlager}, journal = j-fac, volume = 17, number = 4,
acknowledgement={brucker, 2007-04-23}, pages = {423--442}, year = 2005,
doi = {10.1007/s00165-005-0073-x}, publisher = pub-springer, address = pub-springer:adr
}
@Article{ nipkow:winskel:1998, author = {Tobias Nipkow}, title = {Winskel is (almost) Right: Towards a Mechanized Semantics
Textbook}, publisher = pub-springer, journal = j-fac, volume = 10, number = 2,
doi = {10.1007/s001650050009}, pages = {171--186}, abstract = {We present a formalization of the first 100pages of
Winskel's textbook `The Formal Semantics of Programming
Languages' in the theorem prover Isabelle/\acs{hol}: 2
operational, 2 denotational, 2 axiomatic semantics, a
verification condition generator, and the necessary
soundness, completeness and equivalence proofs, all for a
simple imperative programming language.},
acknowledgement={brucker, 2007-04-23}, year = 1998,
bibkey = {nipkow:winskel:1998}
}
@InCollection{ dupuy.ea:using:2000, author = {Sophie Dupuy and Ang{\`e}s Front-Conte and Christophe
Saint-Marcel},
chapter = 6, title = {Using \acs{uml} with a Behaviour-Driven Method},
page = {97--112},
acknowledgement={brucker, 2007-04-23},
crossref = {frappier.ea:software:2000}
}
@Book{ frappier.ea:software:2000, editor = {Marc Frappier and Henri Habrias}, title = {Software Specification Methods: An Overview Using a Case
Study},
acknowledgement={brucker, 2007-04-23}, publisher = pub-springer-london, address = pub-springer-london:adr, year = 2000,
isbn = {1-85233-353-7},
series = {Formal Approaches to Computing and Information
Technology}
}
@InProceedings{ hamie.ea:interpreting:1998,
bibkey = {hamie.ea:interpreting:1998}, author = {Ali Hamie and John Howse and Stuart Kent}, title = {Interpreting the {Object Constraint Language}}, abstract = {The \acf{ocl}, which forms part of the \acs{uml} 1.1. set
of modelling notations is a precise, textual language for
expressing constraints that cannot be shown in the standard
diagrammatic notation used in \acs{uml}. A semantics for \acs{ocl} lays the foundation for building CASE tools that
support integrity checking of the whole \acs{uml} models,
not just the component expressed using \acs{ocl}. This
paper provides a semantics for \acs{ocl}, at the same time
providing a semantics for classes, associations, attributes
and states. }, pages = {288--295},
ee = {http://csdl.computer.org/comp/proceedings/apsec/1998/9183/00/91830288abs.htm}
,
doi = {10.1109/apsec.1998.733731}, keywords = {OCL},
acknowledgement={brucker, 2007-04-23},
topic = {formalism},
crossref = {ieee:apsec:1998}
}
@Proceedings{ ieee:apsec:1998,
bibkey = {ieee:apsec:1998}, booktitle = PROC # { Asia Pacific Conference in Software
Engineering (\acs{apsec})}, title = PROC # { Asia Pacific Conference in Software
Engineering (\acs{apsec})}, publisher = pub-ieee, address = pub-ieee:adr,
acknowledgement={brucker, 2007-04-23}, year = 1998,
isbn = {0-8186-9183-2}
}
@InProceedings{ mandel.ea:ocl:1999, author = {Luis Mandel and Mar{\`i}a Victoria Cengarle},
bibkey = {mandel.ea:ocl:1999}, language = {USenglish},
topic = {formalism},
public = {yes}, title = {On the expressive power of {\acs{ocl}}},
acknowledgement={brucker, 2007-04-23}, timestamp = 962971498, abstract = {This paper examines the expressive power of \acs{ocl} in
terms of navigability and computability. First the
expressive power of \acs{ocl} is compared with the
relational calculus; it is showed that \acs{ocl} is not
equivalent to the relational calculus. Then an algorithm
computing the transitive closure of a binary relation
operation that cannot be encoded in the relational calculus
is expressed in \acs{ocl}. Finally the equivalence of \acs{ocl} with a Turing machine is pondered.}, pages = {854--874},
crossref = {wing.ea:world:1999},
ee = {http://link.springer.de/link/service/series/0558/bibs/1708/17080854.htm}
}
@Proceedings{ wing.ea:world:1999, editor = {Jeannette M. Wing and Jim Woodcock and Jim Davies}, booktitle = {World Congress on Formal Methods in the Development of
Computing Systems (FM)}, title = {World Congress on Formal Methods in the Development of
Computing Systems (FM)}, publisher = pub-springer, address = pub-springer:adr,
acknowledgement={brucker, 2007-04-23},
series = s-lncs, volume = 1708, year = 1999,
isbn = {3-540-66587-0}
}
@Book{ spivey:z-notation:1992,
bibkey = {spivey:z-notation:1992}, author = {J. M. Spivey}, title = {The {Z} Notation: A Reference Manual}, publisher = pub-prentice, address = pub-prentice:adr,
edition = {2nd},
length = 150, year = 1992,
isbn = {0-139-78529-9},
acknowledgement={brucker, 2007-04-23}, abstract = {This is a revised edition of the first widely available
reference manual on Z originally published in 1989. The book provides a complete and definitive guide to the use of
Z in specifying information systems, writing specifications
and designing implementations. \parContents: Tutorial
introduction; Background; The Z language; The mathematical
tool-kit; Sequential systems; Syntax summary; Changes from
the first edition; Glossary.}
}
@Book{ jones:vdm:1990,
bibkey = {jones:vdm:1990}, author = {Cliff B.\ Jones}, title = {Systematic Software Development Using \acs{vdm}}, publisher = pub-prentice, address = pub-prentice:adr, year = 1990,
size = 333,
edition = {2nd},
note = {0-13-880733-7}, abstract = {This book deals with the Vienna Development Method. The
approach explains formal (functional) specifications and
verified design with an emphasis on the study of proofs in
the development process.},
acknowledgement={brucker, 2007-04-23}
}
@Article{ liskov.ea:behavioral:1994,
bibkey = {liskov.ea:behavioral:1994}, abstract = {The use of hierarchy is an important component of
object-oriented design.Hierarchy allows the use of type
families, in whichhigher level supertypes capture the
behavior that all of their subtypes havein common. For this
methodology to be effective,it is necessary to have a clear
understanding of how subtypes and supertypesare related.
This paper takes the position thatthe relationship should
ensure that any property proved about supertypeobjects also
holds for its subtype objects. It presentstwo ways of
defining the subtype relation, each of which meets this
criterion,and each of which is easy for programmers touse.
The subtype relation is based on the specifications of the
sub- and supertypes; the paper presents a way of
specifyingtypes that makes it convenient to define the
subtype relation. The paper alsodiscusses the ramifications
of this notion ofsubtyping on the design of type
families.}, author = {Barbara H. Liskov and Jeannette M. Wing}, journal = j-toplas, month = nov, pages = {1811--1841},
issn = {0164-0925}, keywords = {languages, verficiation}, language = {USenglish}, number = 6, publisher = pub-acm, address = pub-acm:adr,
doi = {10.1145/197320.197383},
public = {yes}, title = {A behavioral notion of subtyping}, volume = 16, year = 1994,
acknowledgement={brucker, 2007-04-23}
}
@Book{ winskel:semantics:1993,
bibkey = {winskel:semantics:1993}, author = {Glynn Winskel}, title = {The Formal Semantics of Programming Languages}, publisher = pub-mit, address = pub-mit:adr,
isbn = {0-262-23169-7}, pages = 384, year = 1993,
acknowledgement={brucker, 2007-04-23}
}
@Book{ andrews:introduction:2002, author = {Peter B. Andrews}, title = {Introduction to Mathematical Logic and Type Theory: To
Truth through Proof}, year = 2002,
isbn = {1-402-00763-9},
edition = {2nd}, publisher = pub-kluwer, address = pub-kluwer:adr,
acknowledgement={brucker, 2007-04-23},
bibkey = {andrews:introduction:2002}
}
@PhDThesis{ santen:mechanized:1999, author = {Thomas Santen}, title = {A Mechanized Logical Model of {Z} and Object-Oriented
Specification}, school = {Technical University Berlin}, year = 1999, month = jun,
annote = {Also available as book: Shaker Verlag, Aachen. ISBN: 3826576500},
bibkey = {santen:mechanized:1999},
acknowledgement={brucker, 2007-04-23}
}
@Book{ kleene:mathematics:1971,
bibkey = {kleene:mathematics:1971}, author = {Stephen C. Kleene}, title = {Introduction to Meta Mathematics}, publisher = {Wolters-Noord\-hoff Publishing}, address = {Amsterdam},
isbn = {0-7204-2103-9}, year = 1971,
note = {Originally published by Van Nostrand, 1952},
acknowledgement={brucker, 2007-04-23}
}
@Book{ gordon.ea:hol:1993,
bibkey = {gordon.ea:hol:1993}, author = {Mike J. C. Gordon and Tom F. Melham}, title = {Introduction to \acs{hol}: a theorem proving environment
for higher order logic}, publisher = pub-cup, address = pub-cup:adr, year = 1993, pages = 472,
isbn = {0-521-44189-7}, month = jul, abstract = {Currently being applied to a wide variety of problems,
Higher-Order Logic (\acs{hol}) is a proof development
system intended for applications to both hardware and
software. This self-contained description contains a
tutorial introduction and most of the material needed for
day-to-day work.},
acknowledgement={brucker, 2007-04-23}
}
@PhDThesis{ richters:precise:2002, author = {Mark Richters}, title = {A Precise Approach to Validating {\acs{uml}} Models and
{\acs{ocl}} Constraints}, school = {Universit{\"a}t Bremen}, year = 2002, address = {Logos Verlag, Berlin, \acs{biss} Monographs, No. 14},
isbn = {3-89722-842-4}, abstract = {We present a precise approach that allows an analysis and
validation of \acs{uml} models and OCL constraints. We
focus on models and constraints specified in the analysis
and early design stage of a software development process.
For this purpose, a suitable subset of \acs{uml}
corresponding to information that is usually represented in
class diagrams is identified and formally defined. This
basic modeling language provides a context for all OCL
constraints. We define a formal syntax and semantics of OCL
types, operations, expressions, invariants, and
pre-/postconditions. We also give solutions for problems
with the current OCL definition and discuss possible
extensions. A metamodel for OCL is introduced that defines
the abstract syntax of OCL expressions and the structure of
types and values. The metamodel approach allows a seamless
integration with the \acs{uml} metamodeling architecture
and makes the benefits of a precise OCL definition easier
accessible. The OCL metamodel also allows to define
context-sensitive conditions for well-formed OCL
expressions more precisely. These conditions can now be
specified with OCL whereas they previously were specified
only informally. In order to demonstrate the practical
applicability of our work, we have realized substantial
parts of it in a tool supporting the validation of models
and constraints. Design specifications can be ``executed''
and animated thus providing early feedback in an iterative
development process. Our approach offers novel ways for
checking user data against specifications, for automating
test procedures, and for checking CASE tools for standards
conformance. Therefore, this work contributes to the goal
of improving the overall quality of software systems by
combining theoretical and practical techniques.},
acknowledgement={brucker, 2007-04-23}
}
@Booklet{ cc:cc-part3:2006,
bibkey = {cc:cc-part3:2006},
key = {Common Criteria},
institution = {Common Criteria}, language = {USenglish}, month = sep, year = 2006,
public = {yes}, title = {Common Criteria for Information Technology Security
Evaluation (Version 3.1), {Part} 3: Security assurance
components},
note = {Available as document \href{http://www.commoncriteriaportal.org/public/files/CCPART3V3.1R1.pdf}
{CCMB-2006-09-003}}, number = {CCMB-2006-09-003},
acknowledgement={brucker, 2007-04-24}
}
@Booklet{ omg:ocl:1997,
bibkey = {omg:ocl:1997},
key = omg, abstract = {This document introduces and defines the Object Constraint Language (\acs{ocl}), a formal language to express side
effect-free constraints. Users of the Unified Modeling Language and other languages can use \acs{ocl} to specify
constraints and other expressions attached to their models. \acs{ocl} was used in the \acs{uml} Semantics document to
specify the well-formedness rules of the \acs{uml}
metamodel. Each well-formedness rule in the static
semantics sections in the \acs{uml} Semantics document
contains an \acs{ocl} expression, which is an invariant for
the involved class. The grammar for \acs{ocl} is specified
at the end of this document. A parser generated from this
grammar has correctly parsed all the constraints in the \acs{uml} Semantics document, a process which improved the
correctness of the specifications for \acs{ocl} and \acs{uml}.},
institution = omg, language = {USenglish}, month = sep,
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?ad/97-08-08}
{ad/97-08-08}}, keywords = {\acs{uml}, OCL},
topic = {formalism},
public = {yes}, title = {Object Constraint Language Specification (Version 1.1)}, year = 1997,
acknowledgement={brucker, 2007-04-23}
}
@Booklet{ omg:xmi:2000,
bibkey = {omg:xmi:2000},
key = omg, abstract = {The main purpose of XMI is to enable easy interchange of
metadata between modeling tools (based on the \acs{omg}-\acs{uml}) and metadata repositories
(\acs{omg}-MOF based) in distributed heterogeneous
environments. XMI integrates three key industry standards:
XML, \acs{uml}, MOF.}, publisher = omg, language = {USenglish}, month = nov, year = 2000, keywords = {\acs{uml}, XML, XMI},
topic = {formalism},
public = {yes}, title = {\acs{omg} \acs{xml} Metadata Interchange (\acs{xmi})
Specification (Version 1.1)},
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?formal/00-11-02}
{formal/00-11-02}},
acknowledgement={brucker, 2007-04-23}
}
@Booklet{ omg:ocl:2003,
bibkey = {omg:ocl:2003},
key = omg, abstract = {This document introduces and defines the Object Constraint Language (OCL), a formal language to express side
effect-free constraints. Users of the Unified Modeling Language and other languages can use OCL to specify
constraints and other expressions attached to their models.
OCL was used in the \acs{uml} Semantics document to specify
the well-formedness rules of the \acs{uml} metamodel. Each
well-formedness rule in the static semantics sections in
the \acs{uml} Semantics document contains an OCL
expression, which is an invariant for the involved class.
The grammar for OCL is specified at the end of this
document. A parser generated from this grammar has
correctly parsed all the constraints in the \acs{uml}
Semantics document, a process which improved the
correctness of the specifications for OCL and \acs{uml}.}, publisher = omg, language = {USenglish}, month = oct, keywords = {\acs{uml}, OCL},
topic = {formalism},
public = {yes},
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?ptc/03-10-14}
{ptc/03-10-14}}, title = {\acs{uml} 2.0\acs{ocl} Specification}, year = 2003,
acknowledgement={brucker, 2007-04-23}
}
@Booklet{ omg:uml:2003,
bibkey = {omg:uml:2003},
key = omg, abstract = {The Unified Modeling Language (\acs{uml}) provides system
architects working on object analysis and design with one
consistent language for specifying, visualizing,
constructing, and documenting the artifacts of software
systems, as well as for business modeling.This
specification represents the convergence of best practices
in the object-technology industry. \acs{uml} is the proper
successor to the object modeling languages of three
previouslyleading object-oriented methods (Booch, OMT, and
OOSE). The \acs{uml} is the union of thesemodeling
languages and more, since it includes additional
expressiveness to handle modelingproblems that these
methods did not fully address.One of the primary goals of \acs{uml} is to advance the state of the industry by
enabling objectvisual modeling tool interoperability.
However, in order to enable meaningful exchange ofmodel
information between tools, agreement on semantics and
notation is required. \acs{uml} meets the following
requirements: \begin{enumerate} \item Formal definition of
a common object analysis and design (OA\&D) metamodel to
representthe semantics of OA\&D models, which include
static models, behavioral models, usagemodels, and
architectural models. \item IDL specifications for
mechanisms for model interchange between OA\&D tools.
Thisdocument includes a set of IDL interfaces that support
dynamic construction and traversal ofa user model. \item
readable notation for representing OA\&D models. \end{enumerate} This document defines the \acs{uml}
notation, an elegant graphic syntax for consistently
expressing the \acs{uml}'s richsemantics. Notation is an
essential part of OA\&D modeling and the \acs{uml}.}, publisher = omg, language = {USenglish}, month = mar, year = 2003,
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?formal/03-03-01}
{formal/03-03-01}}, keywords = {\acs{uml}, OCL},
topic = {formalism},
public = {yes}, title = {Unified Modeling Language Specification (Version 1.5)},
acknowledgement={brucker, 2007-04-23}
}
@Booklet{ omg:ocl:2006,
bibkey = {omg:ocl:2006},
key = omg, abstract = {This document introduces and defines the Object Constraint Language (OCL), a formal language to express side
effect-free constraints. Users of the Unified Modeling Language and other languages can use OCL to specify
constraints and other expressions attached to their models.
OCL was used in the \acs{uml} Semantics document to specify
the well-formedness rules of the \acs{uml} metamodel. Each
well-formedness rule in the static semantics sections in
the \acs{uml} Semantics document contains an OCL
expression, which is an invariant for the involved class.
The grammar for OCL is specified at the end of this
document. A parser generated from this grammar has
correctly parsed all the constraints in the \acs{uml}
Semantics document, a process which improved the
correctness of the specifications for OCL and \acs{uml}.}, publisher = omg, language = {USenglish}, month = apr, keywords = {\acs{uml}, OCL},
topic = {formalism},
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?formal/06-05-01}
{formal/06-05-01}},
public = {yes}, title = {\acs{uml} 2.0\acs{ocl} Specification}, year = 2006,
acknowledgement={brucker, 2007-04-23}
}
@Booklet{ omg:uml:2005,
bibkey = {omg:uml:2005},
key = omg, publisher = omg, language = {USenglish},
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?formal/05-07-04}
{formal/05-07-04}}, keywords = {\acs{uml}},
topic = {formalism},
public = {yes}, title = {\acs{uml} 2.0 Superstructure Specification}, year = 2005, month = jul,
acknowledgement={brucker, 2007-04-23}
}
@PhDThesis{ oheimb:analyzing:2001, author = {David von Oheimb}, title = {Analyzing {J}ava in {Isabelle/\acs{hol}}: Formalization,
Type Safety and {H}oare Logic}, school = {Technische Universit\"{a}t M\"{u}nchen}, year = 2001,
crclassification={D.2.4, D.3.1, F.3.1},
crgenterms = {Languages, Verification, Theory}, keywords = {Java, formalization, operational semantics, type
soundness, axiomatic semantics, Isabelle/HOL}, abstract = {This thesis deals with machine-checking a large
sublanguage of sequential Java, covering nearly all
features, in particular the object-oriented ones. It shows
that embedding such a language in a theorem prover and
deducing practically important properties is meanwhile
possible and explains in detail how this can be achieved.
We formalize the abstract syntax, and the static semantics
including the type system and well-formedness conditions,
as well as an operational (evaluation) semantics of the language. Based on these definitions, we can express
soundness of the type system, an important design goal
claimed to be reached by the designers of Java, and prove
that type safety holds indeed. Moreover, we give an
axiomatic semantics of partial correctness for both
statements and (side-effecting) expressions. We prove the
soundness of this semantics relative to the operational
semantics, and even prove completeness. We further give a
small but instructive application example. A direct outcome
of this work is the confirmation that the design and
specification of Java (or at least the subset considered)
is reasonable, yet some omissions in the language
specification and possibilities for generalizing the design
can be pointed out. The second main contribution is a sound
and complete Hoare logic, where the soundness proof for our
Hoare logic gives new insights into the role of type
safety. To our knowledge, this logic is the first one for
an object-oriented language that has been proved complete.
By-products of this work are a new general technique for
handling side-effecting expressions and their results, the
discovery of the strongest possible rule of consequence,
and a new rule for flexible handling of mutual recursion.
All definitions and proofs have been done fully formally
with the interactive theorem prover Isabelle/HOL,
representing one of its major applications. This approach
guarantees not only rigorous definitions, but also gives
maximal confidence in the results obtained. Thus this
thesis demonstrates that machine-checking the design of an
important non-trivial programming language and conducting
meta-theory on it entirely within a theorem proving system
has become a reality. },
acknowledgement={brucker, 2007-04-23},
bibkey = {oheimb:analyzing:2001}
}
@Article{ chiarada.ea:improving:2006,
bibkey = {chiarada.ea:improving:2006}, language = {USenglish},
public = {yes}, title = {Improving the {\acs{ocl}} Semantics Definition by Applying
Dynamic Meta Modeling and Design Patterns}, author = {Juan Mart{\'\i}n Chiarad{\'\i}a and Claudia Pons}, editor = {Birgith Demuth and Dan Chiorean and Martin Gogolla and Jos
Warmer},
issn = {1863-2122}, volume = 5, year = 2006,
acknowledgement={brucker, 2007-04-23}, journal = j-eceasst
}
@PhDThesis{ schirmer:verification:2006, author = {Norbert Schirmer}, title = {Verification of Sequential Imperative Programs in
{I}sabelle/{\acs{hol}}}, school = {Technische Universit\"at M\"unchen}, year = 2006,
acknowledgement={brucker, 2007-04-23}, abstract = {The purpose of this thesis is to create a verification
environment for sequential imperative programs. First a
general language model is proposed, which is independent of
a concrete programming language but expressive enough to
cover all common language features: mutually recursive
procedures, abrupt termination and exceptions, runtime
faults, local and global variables, pointers and heap,
expressions with side effects, pointers to procedures,
partial application and closures, dynamic method invocation
and also unbounded nondeterminism.
For this language a Hoare logic for both partial and total
correctness is developed and on top of it a verification
condition generator is implemented. The Hoare logic is
designed to allow the integration of program analysis or
software model checking into the verification.
To demonstrate the continuity to a real programming language a subset of C is embedded into the verification
environment.
The whole work is developed in the theorem prover Isabelle.
Therefore the correctness is machine-checked and in
addition the rich infrastructure of the general purpose
theorem prover Isabelle can be employed for the
verification of imperative programs.
}
}
@Article{ harel.ea:meaningful:2004, author = {David Harel and Bernhard Rumpe}, title = {Meaningful Modeling: What's the Semantics of
``Semantics''?}, journal = {\acs{ieee} Computer}, year = 2004, pages = {64--72}, volume = 37,
issn = {0018-9162}, number = 10, month = oct, publisher = pub-ieee, address = pub-ieee:adr,
doi = {10.1109/MC.2004.172},
acknowledgement={brucker, 2007-04-23}
}
@Book{ hahnle:automated:1994, author = {Reiner H{\"a}hnle}, title = {Automated Deduction in Multiple-valued Logics}, publisher = pub-oxford, address = pub-oxford:adr,
disvolume = 10,
disseries = {International Series of Monographs on Computer Science}, year = 1994,
acknowledgement={brucker, 2007-04-23},
isbn = {0-19-853989-4},
bibkey = {hahnle:automated:1994}
}
@Book{ vigano:labelled:2000, author = {Luca Vigan{\`o}}, title = {Labelled Non-Classical Logics}, year = 2000, language = {USenglish}, publisher = pub-kluwer, address = pub-kluwer:adr,
isbn = {0-7923-7749-4},
cover = {2000/lncl.png}, abstract = {The subject of the book is the development and
investigation of a framework for the modular and uniform
presentation and implementation of non-classical logics, in
particular modal and relevance logics. Logics are presented
as labelled deduction systems, which are proved to be sound
and complete with respect to the corresponding Kripke-style
semantics. We investigate the proof theory of our systems,
and show them to possess structural properties such as
normalization and the subformula property, which we exploit
not only to establish advantages and limitations of our
approach with respect to related ones, but also to give, by
means of a substructural analysis, a new proof-theoretic
method for investigating decidability and complexity of
(some of) the logics we consider. All of our deduction
systems have been implemented in the generic theorem prover
Isabelle, thus providing a simple and natural environment
for interactive proof development.},
acknowledgement={brucker, 2007-04-23},
bibkey = {vigano:labelled:2000}
}
@Book{ gabbay:labelled:1997, author = {Dov M. Gabbay}, title = {Labelled Deductive Systems}, publisher = pub-oxford, address = pub-oxford:adr,
series = {Oxford Logic Guides}, year = 1997,
isbn = {978-0-198-53833-2}, volume = 1,
acknowledgement={brucker, 2007-04-23},
bibkey = {gabbay:labelled:1997}
}
@Book{ warmer.ea:ocl2:2003,
bibkey = {warmer.ea:ocl2:2003}, author = {Jos Warmer and Anneke Kleppe}, abstract = {This book covers \acs{ocl} 2.0}, keywords = {OCL, \acs{uml}},
isbn = {0-321-17936-6},
edition = {2nd}, language = {USenglish},
public = {yes},
topic = {formalism}, publisher = pub-awl, address = pub-awl:adr, title = {The Object Constraint Language: Getting Your Models Ready
for \acs{mda}}, year = 2003, month = aug,
num_pages = 240,
price = {39.99},
cover = {2003/ocl2.png},
currency = {USD},
acknowledgement={brucker, 2007-04-23}
}
@Book{ smith:object:2000, author = {Graeme Smith}, title = {The Object {Z} Specification Language}, publisher = pub-kluwer, address = pub-kluwer:adr, year = 2000,
isbn = {0-7923-8684-1}, pages = 160, abstract = {bject-Z is an object-oriented extension of the formal
specification language Z. It adds, to Z, notions of classes
and objects, and inheritance and polymorphism. By extending
Z's semantic basis, it enables the specification of systems
as collections of independent objects in which self and
mutual referencing are possible.
The Object-Z Specification Language presents a
comprehensive description of Object-Z including discussions
of semantic issues, definitions of all language constructs,
type rules and other rules of usage, specification
guidelines, and a full concrete syntax. It will enable you
to confidently construct Object-Z specifications and is
intended as a reference manual to keep by your side as you
use and learn to use Object-Z.
The Object-Z Specification Language is suitable as a
textbook or as a secondary text for a graduate level
course, and as a reference for researchers and
practitioners in industry.},
series = {Advances in Formal Methods Series},
acknowledgement={brucker, 2007-04-23}
}
@Article{ meyer.ea:interactive:1999, title = {Interactive Verification Environments for Object-Oriented
Languages }, author = {J{\"o}rg Meyer and Arnd Poetzsch-Heffter }, journal = j-ucs, volume = 5,
url = {http://www.jucs.org/jucs_5_3/interactive_verification_environments_for}
, number = 3, pages = {208--225 }, year = 1999,
doi = {10.1007/3-540-46419-0_6},
acknowledgement={brucker, 2007-04-23}, abstract = {Formal specification and verification techniques can
improve the quality of object-oriented software by enabling
semantic checks and certification of properties. To be
applicable to object-oriented programs, they have to cope
with subtyping, aliasing via object references, as well as abstract and recursive methods. For mastering the resulting
complexity, mechanical aid is needed. The article outlines
the specific technical requirements for the specification
and verification of object-oriented programs. Based on
these requirements, it argues that verification of
OO-programs should be done interactively and develops an
modular architecture for this task. In particular, it shows
how to integrate interactive program verification with
existing universal interactive theorem provers, and
explains the new developed parts of the architecture. To
underline the general approach, we describe interesting
features of our prototype implementation.}
}
@Article{ church:types:1940, author = {Church, Alonzo}, title = {A formulation of the simple theory of types}, journal = j-sl, year = 1940, volume = 5, number = 2, month = jun, pages = {56--68},
acknowledgement={brucker, 2007-04-23},
bibkey = {church:types:1940}
}
@Article{ muller.ea:holcf:1999, author = {Olaf M\"uller and Tobias Nipkow and David von Oheimb and
Oskar Slotosch}, title = {\acs{holcf} = \acs{hol} + \acs{lcf}}, journal = j-fp, number = 2,
doi = {10.1017/S095679689900341X}, volume = 9, pages = {191--223}, year = 1999, abstract = {HOLCF is the definitional extension of Church's
Higher-Order Logic with Scott's Logic for Computable
Functions that has been implemented in the theorem prover
Isabelle. This results in a flexible setup for reasoning
about functional programs. HOLCF supports standard domain
theory (in particular fixedpoint reasoning and recursive
domain equations) but also coinductive arguments about lazy
datatypes. This paper describes in detail how domain theory
is embedded in HOL and presents applications from
functional programming, concurrency and denotational
semantics. },
acknowledgement={brucker, 2007-04-23},
bibkey = {muller.ea:holcf:1999}
}
@Article{ huet:programtransformations:1978, author = {G{\'e}rard Huet and Bernard Lang}, title = {Proving and Applying Program Transformations Expressed
with Second Order Patterns}, journal = {Acta Informatica}, volume = 11, year = 1978, pages = {31--55}, number = 1,
doi = {10.1007/BF00264598},
acknowledgement={brucker, 2007-04-23},
bibkey = {huet:programtransformations:1978}
}
@PhDThesis{ kyas:verifying:2006, author = {Marcel Kyas}, title = {Verifying {\acs{ocl}} Specifications of {\acs{uml}}
Models: Tool Support and Compositionality}, school = {University of Leiden}, year = 2006,
acknowledgement={brucker, 2007-04-23}, abstract = {The Unified Modelling Language (\acs{uml}) and the Object
Constraint Language (OCL) serve as specification languages
for embedded and real-time systems used in a
safety-critical environment. In this dissertation class
diagrams, object diagrams, and OCL constraints are
formalised. The formalisation serves as foundation for a
translation of class diagrams, state machines, and
constraints into the theorem prover PVS. This enables the
formal verification of models defined in a subset of \acs{uml} using the interactive theorem prover. The type
system of OCL makes writing specifications difficult while
the model is still under development. To overcome this
difficulty a new type system is proposed, based on
intersection types, union types, and bounded operator
abstraction. To reduce the complexity of the model and to
increase the structure of the specification, compositional
reasoning is used. The introduction of history variables
allows compositional specifications. Proof rules support
compositional reasoning. The feasibility of the presented
approach is demonstrated by two case-studies. The first one
is the "Sieve of Eratosthenes" and the second one is a part
of the medium altitude reconnaissance system (MARS)
deployed in F-16 fighters of the Royal Dutch Air Force.},
isbn = {3-86541-142-8}, publisher = {Lehmanns Media}, address = {Berlin},
file = {papers/2006/kyas-verifying-2006.tgz}
}
@Article{ bertino.ea:object-oriented:1992, author = {Elisa Bertino and Mauro Negri and Giuseppe Pelagatti and
Licia Sbattella}, title = {Object-Oriented Query Languages: The Notion and the
Issues}, journal = j-tkde, volume = 4, number = 3,
doi = {10.1109/69.142014},
library = {DINF-K}, year = 1992, pages = {223--237}, abstract = {The authors describe how the characteristics of an
object-oriented data model, such as object identity,
complex object structure, methods, and class hierarchies,
have an impact on the design of a query language. They also
point out major differences with respect to relational
query languages. The discussion is supported through the
definition of OOPC, a formal object-oriented query language
based on predicate calculus, which incorporates in a
consistent formal notation most features of existing
object-oriented query languages.},
acknowledgement={brucker, 2007-04-23},
bibkey = {bertino.ea:object-oriented:1992}
}
@Article{ beckert.ea:leant-ap:1995, author = {Bernhard Beckert and Joachim Posegga}, title = {{\leanTAP}: Lean Tableau-based Deduction}, journal = j-ar, volume = 15, number = 3, pages = {339--358}, year = 1995, publisher = pub-springer, address = pub-springer:adr,
doi = {10.1007/BF00881804},
acknowledgement={brucker, 2007-04-23},
bibkey = {beckert.ea:leant-ap:1995}
}
@Article{ jackson:alloy:2002, author = {Daniel Jackson}, title = {{Alloy}: a lightweight object modelling notation}, journal = j-tosem, volume = 11, number = 2, year = 2002,
issn = {1049-331X}, pages = {256--290},
doi = {10.1145/505145.505149}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={brucker, 2007-04-23}, abstract = {Alloy is a little language for describing structural
properties. It offers a declaration syntax compatible with
graphical object models, and a set-based formula syntax
powerful enough to express complex constraints and yet
amenable to a fully automatic semantic analysis. Its
meaning is given by translation to an even smaller
(formally defined) kernel. This paper presents the language
in its entirety, and explains its motivation, contributions
and deficiencies. }
}
@Article{ kobryn:uml:1999, author = {Cris Kobryn}, title = {{\acs{uml}} 2001: a standardization odyssey}, journal = j-cacm, volume = 42, number = 10, year = 1999,
issn = {0001-0782}, pages = {29--37},
doi = {10.1145/317665.317673}, publisher = pub-acm, address = pub-acm:adr, language = {USEnglish},
acknowledgement={brucker, 2007-04-23}
}
@Article{ basin.ea:natural:1998, author = {David A. Basin and Se{\'a}n Matthews and Luca Vigan{\`o}}, title = {Natural Deduction for Non-Classical Logics}, journal = {Studia Logica},
doi = {10.1023/A:1005003904639}, year = 1998, volume = 60, number = 1, publisher = pub-springer, address = pub-acm:adr,
issn = {0039-3215},
acknowledgement={brucker, 2007-04-23}, pages = {119--160}, language = {USenglish},
note = {Special issue on \emph{Natural Deduction} edited by Frank
Pfenning and Wilfried Sieg}, abstract = {We present a framework for machine implementation of
families of non-classical logics with Kripke-style
semantics. We decompose a logic into two interacting parts,
each a natural deduction system: a base logic of labelled
formulae, and a theory of labels characterizing the
properties of the Kripke models. By appropriate
combinations we capture both partial and complete fragments
of large families of non-classical logics such as modal,
relevance, and intuitionistic logics. Our approach is
modular and supports uniform proofs of correctness and
proof normalization. We have implemented our work in the
Isabelle Logical Framework. }
}
@InProceedings{ nipkow.ea:java-light:1998, author = {Tobias Nipkow and David von Oheimb}, title = {{Java$_{{\ell}ight}$} is Type-Safe---Definitely}, booktitle = {\acs{acm} Symp.\ Principles of Programming Languages
(\acs{popl})}, publisher = pub-acm,
isbn = {0-89791-979-3}, address = pub-acm:adr, year = 1998, pages = {161--170},
doi = {10.1145/268946.268960},
location = {San Diego, California, United States},
acknowledgement={brucker, 2007-04-23},
bibkey = {nipkow.ea:java-light:1998}
}
@Article{ bierman.ea:mj:2003, author = {Gavin M. Bierman and Matthew J. Parkinson}, title = {Effects and effect inference for a core {Java} calculus}, journal = j-entcs, volume = 82, number = 7, year = 2003,
doi = {10.1016/S1571-0661(04)80803-X}, pages = {1--26}, booktitle = {WOOD2003, Workshop on Object Oriented Developments
(Satellite Event of ETAPS 2003)},
acknowledgement={brucker, 2007-04-23},
bibkey = {bierman.ea:mj:2003}, publisher = pub-elsevier, address = pub-elsevier:adr
}
@Article{ chiorean.ea:ensuring:2004, author = {Dan Chiorean and Mihai Pasca and Adrian C{\^a}rcu and
Cristian Botiza and Sorin Moldovan}, title = {Ensuring \acs{uml} Models Consistency Using the \acs{ocl}
Environment.}, journal = j-entcs, volume = 102, booktitle = PROC # { the Workshop, \acs{ocl} 2.0 -- Industry
Standard or Scientific Playground?}, year = 2004,
acknowledgement={brucker, 2007-04-24}, pages = {99--110},
doi = {10.1016/j.entcs.2003.09.005}, publisher = pub-elsevier, address = pub-elsevier:adr
}
@Article{ rauch.ea:formalizing:2003, abstract = {We present a formal model of the Java two's-complement
integral arithmetics. The model directly formalizes the
arithmetic operations as given in the Java Language
Specification (JLS). The algebraic properties of these
definitions are derived. Underspecifications and
ambiguities in the JLS are pointed out and clarified. The
theory is formally analyzed in Isabelle/HOL, that is,
machine-checked proofs for the ring properties and
divisor/remainder theorems etc. are provided. This work is
suited to build the framework for machine-supported
reasoning over arithmetic formulae in the context of Java
source-code verification.}, author = {Nicole Rauch and Burkhart Wolff}, journal = j-entcs,
doi = {10.1016/S1571-0661(04)80808-9},
acknowledgement={brucker, 2007-04-24}, publisher = pub-elsevier, address = pub-elsevier:adr, title = {Formalizing {Java}'s Two's-Com\-ple\-ment Integral Type in
{Isabelle}/\acs{hol}}, volume = 80, year = 2003, pages = {1--18}, booktitle = {International Workshop on Formal Methods for Industrial
Critical Systems (\ac{fmics})}
}
@Article{ kyas.ea:formalizing:2004, journal = j-entcs, author = {Kyas, Marcel and Fecher, Harald and de Boer, Frank S. and
van der Zwaag, Mark and Hooman, Jozef and Arons, Tamarah
and Kugler, Hillel}, title = {Formalizing {\acs{uml}} Models and {\acs{ocl}} Constraints
in {\acs{pvs}}}, booktitle = {Workshop on Semantic Foundations of Engineering Design
Languages (\acs{sfedl})}, year = 2004,
doi = {10.1016/j.entcs.2004.09.027 }, pages = {39--47},
acknowledgement={brucker, 2007-04-24}, publisher = pub-elsevier, address = pub-elsevier:adr
}
@Proceedings{ grabowski.ea:formal:2005, editor = {Jens Grabowski and Brian Nielsen}, title = {Formal Approaches to Software Testing (\textsc{fates})}, booktitle = {Formal Approaches to Software Testing (\textsc{fates})},
series = s-lncs, volume = 3395, year = 2005,
isbn = {3-540-25109-X},
doi = {10.1007/b106767},
acknowledgement={brucker, 2007-04-24}, publisher = pub-springer, address = pub-springer:adr
}
@InCollection{ kerber.ea:tableau:1996, author = {Manfred Kerber and Michael Kohlhase}, title = {A Tableau Calculus for Partial Functions}, pages = {21--49}, abstract = {Even though it is not very often admitted, partial
functions do play a significant role in many practical
applications of deduction systems. Kleene has already given
a semantic account of partial functions using a
three-valued logic decades ago, but there has not been a
satisfactory mechanization. Recent years have seen a
thorough investigation of the framework of many-valued
truth-functional logics. However, strong Kleene logic,
where quantification is restricted and therefore not
truth-functional, does not fit the framework directly. We
solve this problem by applying recent methods from sorted
logics. This paper presents a tableau calculus that
combines the proper treatment of partial functions with the
efficiency of sorted calculi.},
acknowledgement={brucker, 2007-04-24},
bibkey = {kerber.ea:tableau:1996}, booktitle = {Collegium Logicum---Annals of the Kurt-G{\"o}del-Society}, volume = 2, publisher = pub-springer-ny, address = pub-springer-ny:adr,
isbn = {3-211-82796-X}, year = 1996
}
@InCollection{ paulson:generic:1996, author = {Lawrence C. Paulson}, title = {Generic automatic proof tools}, pages = {23--47}, abstract = {This paper explores a synthesis between two distinct
traditions in automated reasoning: resolution and
interaction. In particular it discusses Isabelle, an
interactive theorem prover based upon a form of resolution.
It aims to demonstrate the value of proof tools that,
compared with traditional resolution systems, seem absurdly
limited. Isabelle's classical reasoner searches for proofs
using a tableau approach. The reasoner is generic: it
accepts rules proved in applied theories, involving defined
connectives. New constants are not reduced to first-order
logic; the reasoner},
acknowledgement={brucker, 2007-04-24},
bibkey = {paulson:generic:1996}, booktitle = {Automated reasoning and its applications: essays in honor
of {Larry Wos}}, year = 1997, editor = {Robert Veroff}, publisher = pub-mit, address = pub-mit:adr,
isbn = {978-0-262-22055-2}
}
@InCollection{ nipkow:order-sorted:1993, author = {Tobias Nipkow}, title = {Order-Sorted Polymorphism in {Isabelle}}, booktitle = {Workshop on Logical Environments}, editor = {G\'erard Huet and Gordon Plotkin}, publisher = pub-cup, address = pub-cup:adr, year = 1993,
location = {Edinburgh, Scotland}, pages = {164--188},
acknowledgement={brucker, 2007-04-24},
isbn = {0-521-43312-6},
bibkey = {nipkow:order-sorted:1993}
}
@InCollection{ hahnle:tableaux:1999, author = {Reiner H\"ahnle}, booktitle = {Handbook of Tableau Methods}, editor = {Marcello D'Agostino and Dov Gabbay and Reiner H\"ahnle and
Joachim Posegga},
isbn = {978-0-792-35627-1}, publisher = pub-kluwer, address = pub-kluwer:adr, title = {Tableaux for Many-Valued Logics}, pages = {529--580}, year = 1999,
public = {no},
mynote = {Postscript-File nicht weitergeben!}, abstract = {This article reports on research done in the intersection
between many-valued logics and logical calculi related to
tableaux. A lot of important issues in many-valued logic,
such as algebras arising from many-valued logic,
many-valued function minimization, philosophical topics, or
applications are not discussed here; for these, we refer
the reader to general monographs and overviews such as
[Rosser and Turquette, 1952; Rescher, 1969; Urquhart, 1986;
Bolc and Borowik, 1992; Malinowski, 1993; Hahnle, 1994;
Panti, to appear] . More questionable, perhaps, than the
omissions is the need for a handbook chapter on tableaux
for many-valued logics in the first place.},
bibkey = {hahnle:tableaux:1999},
acknowledgement={brucker, 2007-04-24}
}
@InCollection{ leavens.ea:jml:1999, author = {Gary T. Leavens and Albert L. Baker and Clyde Ruby}, title = {{JML}: A Notation for Detailed Design}, booktitle = {Behavioral Specifications of Businesses and Systems}, publisher = pub-kluwer, address = pub-kluwer:adr, editor = {Haim Kilov and Bernhard Rumpe and Ian Simmonds}, pages = {175--188}, year = 1999,
isbn = {978-0-7923-8629-2},
acknowledgement={brucker, 2007-04-24}
}
@InCollection{ paulson:fixedpoint:2000, author = {Lawrence C. Paulson}, pages = {187--211}, title = {A fixedpoint approach to (co)inductive and (co)datatype
definitions},
acknowledgement={brucker, 2007-04-24}, abstract = {This paper presents a fixedpoint approach to inductive
definitions. In- stead of using a syntactic test such as
``strictly positive,'' the approach lets definitions
involve any operators that have been proved monotone. It is
conceptually simple, which has allowed the easy
implementation of mutual recursion and iterated
definitions. It also handles coinductive definitions:
simply replace the least fixedpoint by a greatest
fixedpoint. The method has been implemented in two of
Isabelle's logics, zf set theory and higher-order logic. It
should be applicable to any logic in which the
Knaster-Tarski theorem can be proved. Examples include
lists of n elements, the accessible part of a relation and
the set of primitive recursive functions. One example of a
coinductive definition is bisimulations for lazy lists.
Recursive datatypes are examined in detail, as well as one
example of a codatatype: lazy lists. The Isabelle package
has been applied in several large case studies, including
two proofs of the Church-Rosser theorem and a coinductive
proof of semantic consistency. The package can be trusted
because it proves theorems from definitions, instead of
asserting desired properties as axioms. },
bibkey = {paulson:fixedpoint:2000},
crossref = {plotkin.ea:proof:2000}
}
@InCollection{ gordon:from:2000, author = {Mike Gordon}, title = {From \acs{lcf} to {\acs{hol}}: a short history}, pages = {169--185},
acknowledgement={brucker, 2007-04-24}, abstract = {The original LCF system was a proof-checking program
developed at Stanford University by Robin Milner in 1972.
Descendents of LCF now form a thriving paradigm in computer
assisted reasoning. Many of the developments of the last 25
years have been due to Robin Milner, whose influence on the
field of automated reasoning has been diverse and profound.
One of the descendents of LCF is HOL, a proof assistant for
higher order logic originally developed for reasoning about
hardware. The multi-faceted contribution of Robin Milner to
the development of HOL is remarkable. Not only did he
invent the LCF-approach to theorem proving, but he also
designed the ML programming language underlying it and the
innovative polymorphic type system used both by ML and the
LCF and HOL logics. Code Milner wrote is still in use
today, and the design of the hardware verification system
LCF_LSM (a now obsolete stepping stone from LCF to HOL) was
inspired by Milner's Calculus of Communicating Systems
(CCS). },
crossref = {plotkin.ea:proof:2000}
}
@Book{ plotkin.ea:proof:2000, booktitle = {Proof, Language, and Interaction: Essays in Honour of
{Robin Milner}}, title = {Proof, Language, and Interaction: Essays in Honour of
{Robin Milner}}, publisher = pub-mit, address = pub-mit:adr, year = 2000,
isbn = {978-0-262-16188-6},
acknowledgement={brucker, 2007-04-24}, editor = {Gordon Plotkin and Colin Stirling and Mads Tofte}
}
@InCollection{ pfenning:logical:2001, author = {Frank Pfenning}, title = {Logical Frameworks}, booktitle = {Handbook of Automated Reasoning}, editor = {Alan Robinson and Andrei Voronkov},
chapter = 17, volume = 2,
isbn = {0-444-50812-0}, pages = {1063--1147}, publisher = pub-elsevier, address = pub-elsevier:adr, year = 2001,
acknowledgement={brucker, 2007-04-24}, abstract = {The specification of a deductive system usually proceeds
in two stages: first we define the syntax of an object language and then the axioms and rules of inference. In
order to concentrate on the meanings of expressions we
ignore issues of concrete syntax and parsing and
concentrate on specifying abstract syntax. Di#erent
framework implementations provide di#erent means for
customizing the parser in order to embed the desired
object-language syntax. As an example throughout this
chapter we consider formulations of intuitionistic and
classical first-order logic. In order to keep this chapter
to a manageable length, we restrict ourselves to the
fragment containing implication, negation, and universal
quantification. The reader is invited to test his or her
understanding by extending the development to include a
more complete set of connectives and quantifiers. }
}
@InProceedings{ pfenning:hoas:1988, author = {Frank Pfenning and Conal Elliot}, title = {Higher-Order Abstract Syntax}, year = 1988,
isbn = {0-89791-269-1},
location = {Atlanta, Georgia, United States},
doi = {10.1145/53990.54010}, pages = {199--208},
acknowledgement={brucker, 2007-04-24}, publisher = pub-acm, address = pub-acm:adr, booktitle = {Conference on Programming Language Design and
Implementation (\acs{pldi})},
bibkey = {pfenning:hoas:1988}
}
@InProceedings{ boulton.ea:experience:1993,
crossref = {stavridou.ea:international:1993}, author = {Richard Boulton and Andrew Gordon and Michael J. C. Gordon
and John Harrison and John Herbert and John Van Tassel}, title = {Experience with embedding hardware description languages
in {\acs{hol}}},
bibkey = {boulton.ea:experience:1993}, abstract = {The semantics of hardware description languages can be
represented in higher order logic. This provides a formal
definition that is suitable for machine processing.
Experiments are in progress at Cambridge to see whether
this method can be the basis of practical tools based on
the HOL theorem-proving assistant. Three languages are
being investigated: ELLA, Silage and VHDL. The approaches
taken for these languages are compared and current progress
on building semantically-based theorem-proving tools is
discussed.},
acknowledgement={brucker, 2007-04-24}, pages = {129--156}
}
@Proceedings{ stavridou.ea:international:1993, editor = {Victoria Stavridou and Thomas F. Melham and Raymond T.
Boute}, booktitle = PROC # { the International Conference on Theorem
Provers in Circuit Design: Theory, Practice and
Experience}, title = {International Conference on Theorem Provers in Circuit
Design: Theory, Practice and Experience (\acs{tpcd})},
series = {\acs{ifip} Transactions}, volume = {A-10},
isbn = {0-444-89686-4}, publisher = pub-north, address = pub-north:adr,
date = {22--24 June 1993},
acknowledgement={brucker, 2007-04-24}, year = 1993
}
@InProceedings{ khoshafian.ea:object:1986, author = {Setrag N. Khoshafian and George P. Copeland}, title = {Object identity}, booktitle = {Object-oriented programming systems, languages and
applications (\acs{oopsla})}, year = 1986,
isbn = {0-89791-204-7}, pages = {406--416},
location = {Portland, Oregon, United States},
doi = {10.1145/28697.28739}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={brucker, 2007-04-24}
}
@InProceedings{ melham:package:1992, author = {Thomas F. Melham}, title = {A Package for Inductive Relation Definitions in {\HOL}}, pages = {350--357},
isbn = {0-8186-2460-4}, editor = {Myla Archer and Jennifer J. Joyce and Karl N. Levitt and
Phillip J. Windley}, booktitle = {International Workshop on the {\HOL} Theorem Proving
System and its Applications (\acs{tphols})}, month = aug, publisher = pub-ieee, address = pub-ieee:adr, year = 1992,
acknowledgement={brucker, 2007-04-24},
location = {Davis, California, \acs{usa}},
bibkey = {melham:package:1992}
}
@InProceedings{ hahnle:efficient:1994,
doi = {10.1109/ismvl.1994.302195}, author = {Reiner H\"{a}hnle}, booktitle = {International Symposium on Multiple-Valued Logics
(\acs{ismvl})},
location = {Boston/MA, \acs{usa}}, pages = {240--249},
isbn = {0-8186-5650-6}, publisher = pub-ieee, address = pub-ieee:adr, title = {Efficient Deduction in Many-Valued Logics}, year = 1994, abstract = {This paper tries to identify the basic problems
encountered in automated theorem proving in many-valued
logics and demonstrates to which extent they can be
currently solved. To this end a number of recently
developed techniques are reviewed. We list the avenues of
research in many-valued theorem proving that are in our
eyes the most promising.},
acknowledgement={brucker, 2007-04-24},
bibkey = {hahnle:efficient:1994}
}
@InProceedings{ nipkow.ea:java:2000, author = {Tobias Nipkow and David von Oheimb and Cornelia Pusch}, title = {{$\mu$Java}: Embedding a Programming Language in a Theorem
Prover}, booktitle = {Foundations of Secure Computation},
series = {\acs{nato} Science Series F: Computer and Systems
Sciences}, volume = 175, year = 2000, publisher = pub-ios, address = pub-ios:adr,
isbn = {978-1-58603-015-5}, editor = {Friedrich L. Bauer and Ralf Steinbr{\"u}ggen}, abstract = {This paper introduces the subset $micro$Java of Java,
essentially by omitting everything but classes. The type
system and semantics of this language (and a corresponding abstract Machine $micro$JVM) are formalized in the theorem
prover Isabelle/\acs{hol}. Type safety both of $micro$Java
and the $micro$JVM are mechanically verified.
To make the paper self-contained, it starts with
introductions to Isabelle/\acs{hol} and the art of
embedding languages in theorem provers.}, pages = {117--144},
acknowledgement={brucker, 2007-04-24},
bibkey = {nipkow.ea:java:2000}
}
@InProceedings{ beckert.ea:translating:2002, editor = {Serge Autexier and Heiko Mantel}, pages = {113--123}, booktitle = {Verification Workshop (\acs{verify})},
location = {Copenhagen, Denmark}, author = {Bernhard Beckert and Uwe Keller and Peter H. Schmitt}, title = {Translating the {O}bject {C}onstraint {L}anguage into
First-order Predicate Logic}, year = 2002, abstract = {In this paper, we define a translation of \acs{uml} class
diagrams with OCL constraints into first-order predicate
logic. The goal is logical reasoning about \acs{uml} models.
We put an emphasis on usability of the formulas resulting
from the translation, and we have developed optimisations
and heuristics to enhance the efficiency of the theorem
proving process.
The translation has been implemented as part of the KeY
system, but our implementation can also be used
stand-alone. },
acknowledgement={brucker, 2007-04-24},
bibkey = {beckert.ea:translating:2002}
}
@InProceedings{ demuth.ea:generation:2005, author = {Birgit Demuth and Heinrich Hussmann and Ansgar Konermann}, title = {Generation of an {\acs{ocl}} 2.0 Parser}, booktitle = {Workshop on Tool Support for \acs{ocl} and Related
Formalisms---Needs and Trends},
location = {Montego Bay, Jamaica, October 4, 2005}, pages = {38--52}, publisher = {\acs{epfl}}, year = 2005, editor = {Thomas Baar},
series = {Technical Report LGL-REPORT-2005-001},
acknowledgement={brucker, 2007-04-24}
}
@InProceedings{ aredo:formalizing:1999, author = {Demissie B. Aredo}, booktitle = {\acs{oopsla}'99 Workshop on Rigorous Modeling and Analysis
with the \acs{uml}: Challenges and Limitations, Denver,
Colorado}, title = {Formalizing {\acs{uml}} Class Diagrams in {\acs{pvs}}}, year = 1999, month = nov, address = {Denver, Colorado, \acs{usa}},
acknowledgement={brucker, 2007-04-24}
}
@InProceedings{ jackson.ea:alcoa:2000, abstract = {Alcoa is a tool for analyzing object models. It has a
range of uses. At one end, it can act as a support tool for
object model diagrams, checking for consistency of
multiplicities and generating sample snapshots. At the
other end, it embodies a lightweight formal method in which
subtle properties of behaviour can be investigated. Alcoa's inputlanguage, Alloy, is a new notation based on Z. Its
development was motivated by the need for a notation that
is more closely tailored to object models (in the style of \acs{uml}), and more amenable to automatic analysis. Like
Z, Alloy supports the description of systems whose state
involves complex relational structure. State and
behavioural properties are described declaratively, by
conjoining constraints. This makes it possible to develop
and analyze a model incrementally, with Alcoa investigating
the consequences of whatever constraints are given. Alcoa
works by translating constraints to boolean formulas, and
then applying state-of-the-art SAT solvers. It can analyze
billions of states in seconds. }, author = {Daniel Jackson and Ian Schechter and Ilya Shlyakhter }, booktitle = {International Conference on Software Engineering
(\acs{icse})}, language = {USenglish}, month = jun,
public = {yes},
doi = {10.1109/ICSE.2000.870482},
location = {Limerick, Ireland},
isbn = {1-58113-206-9}, pages = {730--733},
topic = {formalism}, keywords = {Aloca, Alloy}, title = {{A}lcoa: the {A}lloy Constraint Analyzer }, year = 2000, timestamp = 962701274,
acknowledgement={none}, publisher = pub-acm, address = pub-acm:adr
}
@Article{ hahnle:many-valued:2005, author = {Reiner H\"{a}hnle}, title = {Many-Valued Logic, Partiality, and Abstraction in Formal
Specification Languages}, journal = {Logic Journal of the \textsc{igpl}}, year = 2005, volume = 13, pages = {415--433}, month = jul,
doi = {10.1093/jigpal/jzi032}, number = 4,
acknowledgement={brucker, 2007-05-04}
}
@Booklet{ levens.ea:jml:2007,
bibkey = {levens.ea:jml:2007}, author = {Gary T. Leavens and Erik Poll and Curtis Clifton and
Yoonsik Cheon and Clyde Ruby and David R. Cok and Peter
M\"{u}ller and Joseph Kiniry and Patrice Chalin}, title = {{\acs{jml}} Reference Manual (Revision 1.2)}, month = feb, year = 2007,
organization = {Department of Computer Science, Iowa State University.},
note = {Available from \url{http://www.jmlspecs.org}},
acknowledgement={brucker, 2007-04-23}
}
@InProceedings{ broy.ea:uml2:2006,
bibkey = {broy.ea:uml2:2006}, author = {Manfred Broy and Michelle L. Crane and J{\"u}rgen Dingel
and Alan Hartman and Bernhard Rumpe and Bran Selic}, title = {2nd \acs{uml} 2 Semantics Symposium: Formal Semantics for
{\acs{uml}}},
doi = {10.1007/978-3-540-69489-2_39}, pages = {318--323}, abstract = {The purpose of this symposium, held in conjunction with \acs{models} 2006, was to present the current state of
research of the UML 2 Semantics Project. Equally important
to receiving feedback from an audience of experts was the
opportunity to invite researchers in the field to discuss
their own work related to a formal semantics for the
Unified Modeling Language. This symposium is a follow-on to
our first workshop, held in conjunction with ECMDA 2005.},
acknowledgement={brucker, 2007-04-23},
crossref = {kuhne:models:2006}
}
@InProceedings{ hafner.ea:towards:2006, author = {Michael Hafner and Muhammad Alam and Ruth Breu}, title = {Towards a {MOF/QVT}-Based Domain Architecture for Model
Driven Security}, booktitle = {MoDELS}, year = 2006, pages = {275--290},
ee = {10.1007/11880240_20},
crossref = {nierstrasz.ea:model:2006}
}
@Proceedings{ kuhne:models:2006,
doi = {10.1007/978-3-540-69489-2}, booktitle = {Models in Software Engineering---Workshops and Symposia at \acs{models} 2006}, title = {Models in Software Engineering---Workshops and Symposia at \acs{models} 2006},
isbn = {978-3-540-69488-5}, publisher = pub-springer,
paddress = pub-springer:adr, address = {Genua, Italy}, volume = 4364,
series = s-lncs, year = 2006,
acknowledgement={brucker, 2007-04-23}, editor = {Thomas K{\"u}hne}
}
@Book{ russell:introduction:1919, author = {Bertrand Russell}, title = {Introduction to Mathematical Philosophy}, publisher = {George Allen \& Unwin}, year = 1919,
acknowledgement={brucker, 2007-04-23}, address = {London}
}
@Article{ bertino.ea:trbac:2001, author = {Elisa Bertino and Piero Andrea Bonatti and Elena Ferrari}, title = {TRBAC: A temporal role-based access control model}, journal = {ACM Trans. Inf. Syst. Secur.}, volume = 4, number = 3, year = 2001,
issn = {1094-9224}, pages = {191--233},
doi = {10.1145/501978.501979}, publisher = pub-acm, address = pub-acm:adr,
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-29}
}
@Article{ moyer.ea:generalized:2001, title = {Generalized role-based access control}, author = {Moyer, M.J. and Abamad, M.}, journal = {Distributed Computing Systems, 2001. 21st International
Conference on.}, year = 2001, month = {Apr}, pages = {391--398}, keywords = {authorisation, distributed processing, transaction
processingGRBAC, JPEG, RBAC, access control, access control
decisions, access control models, environment roles,
environmental information, expressive power, generalized
role based access control, object roles, object type, rich
access control policies, security policy, security-relevant
characteristics, sensitivity level, subject roles},
doi = {10.1109/ICDSC.2001.918969}, abstract = {Generalized Role-Based Access Control (GRBAC) is a new
paradigm for creating and maintaining rich access control
policies. GRBAC leverages and extends the power of
traditional role based access control (RBAC) by
incorporating subject roles, object roles and environment
roles into access control decisions. Subject roles are like
traditional RBAC roles: they abstract the security-relevant
characteristics of subjects into categories that can be
used in defining a security policy. Similarly, object roles abstract the various properties of objects, such as object
type (e.g., text, JPEG, executable) or sensitivity level
(e.g., classified, top secret) into categories. Environment
roles capture environmental information, such as time of
day or system load so it can be used to mediate access
control. Together, these three types of roles offer
flexibility and expressive power, as well as a degree of
usability not found in current access control models},
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-29}
}
@InProceedings{ zhang.ea:role-based:2002, author = {Longhua Zhang and Gail-Joon Ahn and Bei-Tseng Chu}, title = {A role-based delegation framework for healthcare
information systems}, booktitle = PROC # { the seventh \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2002,
isbn = {1-58113-496-7}, pages = {125--134},
location = {Monterey, California, \acs{usa}},
doi = {10.1145/507711.507731}, publisher = pub-acm, address = pub-acm:adr, abstract = {As organizations implement information strategies that
call for sharing access to resources in the networked
environment, mechanisms must be provided to protect the
resources from adversaries. The proposed delegation
framework addresses the issue of how to advocate selective
information sharing in role-based systems while minimizing
the risks of unauthorized access. We introduce a systematic
approach to specify delegation and revocation policies
using a set of rules. We demonstrate the feasibility of our
framework through policy specification, enforcement, and a
proof-of-concept implementation on specific domains, e.g.
the healthcare environment. We believe that our work can be
applied to organizations that rely heavily on collaborative
tasks.},
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-29}
}
@InProceedings{ wilikens.ea:context-related:2002, author = {Marc Wilikens and Simone Feriti and Alberto Sanna and
Marcelo Masera}, title = {A context-related authorization and access control method
based on \acs{rbac}: A case study from the health care
domain}, booktitle = PROC # { the seventh \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2002,
isbn = {1-58113-496-7}, pages = {117--124},
location = {Monterey, California, USA},
doi = {10.1145/507711.507730}, publisher = pub-acm, address = pub-acm:adr, abstract = {This paper describes an application of authorization and
access control based on the Role Based Access Control
(RBAC) method and integrated in a comprehensive trust
infrastructure of a health care application. The method is
applied to a health care business process that involves
multiple actors accessing data and resources needed for
performing clinical and logistics tasks in the application.
The notion of trust constituency is introduced as a concept
for describing the context of authorisation. In addition,
the applied RBAC covers time constraints, hierarchies and
multi-level authorization rules for coping with the
multi-actor nature and the complexity of the application
domain. The DRIVE RBAC model clearly distinguishes between
static role assignment to users and dynamic allocation of
roles at session time. The paper, while focusing on the
authorization and access control approach, also describes
how the RBAC functions have been integrated in a trust
infrastructure including smart cards.},
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-29}
}
@InProceedings{ ahn.ea:towards:2007, author = {Gail-Joon Ahn and Hongxin Hu}, title = {Towards realizing a formal \acs{rbac} model in real
systems}, booktitle = PROC # { the seventh \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2007,
isbn = {978-1-59593-745-2}, pages = {215--224},
location = {Sophia Antipolis, France},
doi = {10.1145/1266840.1266875}, publisher = pub-acm, address = pub-acm:adr, abstract = {There still exists an open question on how formal models
can be fully realized in the system development phase. The
Model Driven Development (MDD) approach has been recently
introduced to deal with such a critical issue for building
high assurance software systems.
There still exists an open question on how formal models
can be fully realized in the system development phase. The
Model Driven Development (MDD) approach has been recently
introduced to deal with such a critical issue for building
high assurance software systems.
The MDD approach focuses on the transformation of
high-level design models to system implementation modules.
However, this emerging development approach lacks an
adequate procedure to address security issues derived from
formal security models. In this paper, we propose an
empirical framework to integrate security model
representation, security policy specification, and
systematic validation of security model and policy, which
would be eventually used for accommodating security
concerns during the system development. We also describe
how our framework can minimize the gap between security
models and the development of secure systems. In addition,
we overview a proof-of-concept prototype of our tool that
facilitates existing software engineering mechanisms to
achieve the above-mentioned features of our framework.},
tags = {noTAG},
clearance = {unclassified},
timestap = {2008-05-29}
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%% un-checked entries %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@Book{ woodcock.ea:using:1996, abstract = {This book contains enough material for three complete
courses of study. It provides an introduction to the world
of logic, sets and relations. It explains the use of the
Znotation in the specification of realistic systems. It
shows how Z specifications may be refined to produce
executable code; this is demonstrated in a selection of
casestudies.This book is both authoritative and
comprehensive. It strikes the right balance between the
formality of mathematics and the practical needs of
industrial softwaredevelopment. It is faithful to the draft
ISO standard for Z. It covers the essentials of
specification, refinement, and proof, revealing techniques
never previouslypublished.}, author = {Jim Woodcock and Jim Davies},
price = {\$37.95},
length = 391,
isbn = {0-13-948472-8}, language = {USenglish},
public = {yes}, publisher = {Prentice Hall}, title = {Using {Z}: {S}pecification, {R}efinement, and {P}roof},
series = {Prentice Hall International Series in Computer Science},
topic = {formalism}, keywords = {formal methods, Z},
library = {FAW (25/91): 91: CD/3.2/125},
url = {http://softeng.comlab.ox.ac.uk/usingz/}, year = 1996, timestamp = 962966715,
acknowledgement={none},
bibkey = {woodcock.ea:using:1996}
}
@InProceedings{ dick.ea:testing:1993,
bibkey = {dick.ea:testing:1993}, author = {Jeremy Dick and Alain Faivre}, title = {Automating the Generation and Sequencing of Test Cases
from Model-Based Specications}, pages = {268--284}, booktitle = {Formal Methods Europe 93: Industrial-Strength Formal
Methods}, editor = {J.C.P. Woodcock and P.G. Larsen}, month = apr, year = 1993, volume = 670,
series = s-lncs, publisher = pub-springer, address = pub-springer:adr,
acknowledgement={none}
}
@Article{ grieskamp.ea:instrumenting:2004, author = {Wolfgang Grieskamp and Nikolai Tillmann and Margus
Veanes}, booktitle = {Third International Conference on Quality Software: QSIC 2003}, title = {Instrumenting scenarios in a model-driven development
environment}, journal = {Information and Software Technology}, year = 2004, number = 15, volume = 46, pages = {1027--1036},
doi = {10.1016/j.infsof.2004.07.007}, abstract = {SpecExplorer is an integrated environment for model-driven
development of .NET software. In this paper we discuss how
scenarios can be described in SpecExplorer's modeling language, Spec#, and how the SpecExplorer tool can be used
to validate those scenarios by various means.},
acknowledgement={none},
bibkey = {grieskamp.ea:instrumenting:2004}
}
@Book{ abrial:event-b:2009,
bibkey = {abrial:event-b:2009}, title = {Modeling in Event-B: System and Software Design}, publisher = {Cambridge University Press}, year = 2009, author = {Jean-Raymond Abrial},
acknowledgement={none}, address = {New York, \acs{ny}, \acs{usa}}
}
@Book{ abrial:b-book:1996,
bibkey = {abrial:b-book:1996}, author = {Jean-Raymond Abrial}, title = {The {B-Book}: assigning programs to meanings}, year = 1996,
isbn = {0-521-49619-5}, publisher = {Cambridge University Press},
acknowledgement={none}, address = {New York, \acs{ny}, \acs{usa}}
}
@TechReport{ leino.ea:escjava:2000, abstract = {The Compaq Extended Static Checker for Java (ESC/Java) is
a programming tool that attempts to find common run-time
errors in Java programs by static analysis of the program
text. Users can control the amount and kinds of checking
that ESC/Java performs by annotating their programs with
specially formatted comments called pragmas. This manual is
designed to serve both as an introduction to ESC/Java and
as a reference manual. It starts by providing an overview
of ESC/Java through an illustrative example of its use and
a summary of its features, and then goes on to document all
the pragmas supported by ESC/Java and all the kinds of
warnings that it generates. Appendices provide a brief
sketch of ESC/Java's implementation, information about
obtaining ESC/Java, and some discussion of its
limitations}, author = {K. Rustan M. Leino and Greg Nelson and James B. Saxe},
institution = {Compaq Systems Research Center}, language = {USenglish}, month = oct,
public = {yes}, title = {{\acs{esc}}/{Java} User's Manual},
url = {http://gatekeeper.dec.com/pub/DEC/SRC/technical-notes/abstracts/src-tn-2000-002.html}
, number = {SRC-2000-002}, year = 2000, keywords = {Java},
topic = {tools},
acknowledgement={none},
bibkey = {leino.ea:escjava:2000}
}
@Book{ kleppe.ea:mda:2003,
bibkey = {kleppe.ea:mda:2003}, title = {\acs{mda} Explained. The Model Driven Architecture:
Practice and Promise},
acknowledgement={none}, publisher = {Addison-Wesley}, year = 2003, author = {Anneke Kleppe and Jos Warmer and Wim Bast}
}
@Article{ schmidt:mde:2006, author = {Douglas C. Schmidt}, title = {Guest Editor's Introduction: Model-Driven Engineering}, journal = {Computer}, volume = 39, number = 2,
acknowledgement={none}, year = 2006,
issn = {0018-9162}, pages = {25--31},
doi = {10.1109/MC.2006.58}, publisher = {IEEE Computer Society}, address = {Los Alamitos, \acs{ca}, \acs{usa}}
}
@InCollection{ gaudel:testing:1995, author = {Marie Claude Gaudel}, title = {Testing can be formal, too}, year = 1995, booktitle = {\textsc{tapsoft}'95: Theory and Practice of Software
Development},
isbn = {3-540-59293-8}, address = pub-springer:adr,
paddress = {Heidelberg, Germany}, pages = {82--96}, publisher = pub-springer,
series = s-lncs, number = 915, editor = {Peter D. Mosses and Mogens Nielsen and Michael I.
Schwartzbach},
acknowledgement={none},
bibkey = {gaudel:testing:1995}
}
@InProceedings{ jurjens.ea:specification-based:2001, author = {Jan J{\"u}rjens and Guido Wimmel}, title = {Specification-Based Testing of Firewalls}, booktitle = {Ershov Memorial Conference}, year = 2001, pages = {308--316},
crossref = {bjorner.ea:perspectives:2001},
acknowledgement={none}
}
@Proceedings{ bjorner.ea:perspectives:2001, editor = {Dines Bj{\o}rner and Manfred Broy and Alexandre V.
Zamulin}, title = {Perspectives of System Informatics, 4th International
Andrei Ershov Memorial Conference, PSI 2001, Akademgorodok,
Novosibirsk, Russia, July 2-6, 2001, Revised Papers}, booktitle = {Ershov Memorial Conference}, publisher = pub-springer,
adress = pub-springer:adr,
series = s-lncs, volume = 2244, year = 2001,
isbn = {3-540-43075-X},
acknowledgement={none}
}
@InProceedings{ bishop.ea:rigorous:2005, author = {Steve Bishop and Matthew Fairbairn and Michael Norrish and
Peter Sewell and Michael Smith and Keith Wansbrough}, title = {Rigorous specification and conformance testing techniques
for network protocols, as applied to TCP, UDP, and
sockets}, booktitle = {SIGCOMM}, year = 2005, pages = {265--276},
doi = {10.1145/1080091.1080123},
crossref = {guerin.ea:proceedings:2005},
acknowledgement={none}
}
@Proceedings{ guerin.ea:proceedings:2005, editor = {Roch Gu{\'e}rin and Ramesh Govindan and Greg Minshall}, title = PROC # { the ACM SIGCOMM 2005 Conference on
Applications, Technologies, Architectures, and Protocols
for Computer Communications, Philadelphia, Pennsylvania, \acs{usa}, August 22-26, 2005}, booktitle = {SIGCOMM}, publisher = pub-acm,
adress = pub-acm:adr, year = 2005,
isbn = {1-59593-009-4},
acknowledgement={none}
}
@InProceedings{ senn.ea:firewall:2005, abstract = {Firewalls are widely used to protect networks from
unauthorised access. To ensure that they implement an
organisation's security policy correctly, they need to be
tested. We present an approach that addresses this problem.
Namely, we show how an organisation's network security
policy can be formally specified in a high-level way, and
how this specification can be used to automatically
generate test cases to test a deployed system. In contrast
to other firewall testing methodologies, such as
penetration testing, our approach tests conformance to a
specified policy. Our test cases are organisation-specific
--- i.e.~they depend on the security requirements and on
the network topology ofan organisation --- and can uncover
errors both in the firewall products themselves and in
their configuration.}, author = {Diana Senn and David A. Basin and Germano Caronni}, booktitle = {TestCom 2005}, editor = {Ferhat Khendek and Rachida Dssouli},
isbn = {3-540-26054-4}, language = {UKenglish}, month = {May}, pages = {226--241}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, title = {Firewall Conformance Testing}, volume = 3502, year = 2005,
acknowledgement={none}
}
@PhDThesis{ bidder:specification:2007, author = {Diana von Bidder}, title = {Specification-based Firewall Testing}, school = {ETH Zurich}, year = 2007,
public = {yes},
type = {Ph.D. Thesis},
acknowledgement={none},
classification= {thesis},
note = {\acs{eth} Dissertation No. 17172. Diana von Bidder's
maiden name is Diana Senn.}
}
@InCollection{ wenzel.ea:building:2007, abstract = {We present the generic system framework of
Isabelle/Isarunderlying recent versions of Isabelle. Among
other things, Isar provides an infrastructure for Isabelle
plug-ins, comprising extensible state components and
extensible syntax that can be bound to tactical ML
programs. Thus the Isabelle/Isar architecture may be
understood as an extension and refinement of the
traditional LCF approach, with explicit infrastructure for
building derivative systems. To demonstrate the technical
potential of the framework, we apply it to a concrete
formalmethods tool: the HOL-Z 3.0 environment, which is
geared towards the analysis of Z specifications and formal
proof of forward-refinements.}, author = {Makarius Wenzel and Burkhart Wolff}, booktitle = {\acs{tphols} 2007}, editor = {Klaus Schneider and Jens Brandt}, language = {USenglish},
acknowledgement={none}, pages = {352--367}, publisher = pub-springer, address = pub-springer:adr, number = 4732,
series = s-lncs, title = {Building Formal Method Tools in the {Isabelle}/{Isar}
Framework},
doi = {10.1007/978-3-540-74591-4_26}, year = 2007
}
@Article{ igarashi.ea:featherweight:2001, author = {Atsushi Igarashi and Benjamin C. Pierce and Philip
Wadler}, title = {{Featherweight Java}: a minimal core calculus for {Java}
and {\acs{gj}}}, journal = j-toplas, volume = 23, number = 3, year = 2001,
issn = {0164-0925}, pages = {396--450},
doi = {10.1145/503502.503505}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}, abstract = {Several recent studies have introduced lightweight
versions of Java: reduced languages in which complex
features like threads and reflection are dropped to enable
rigorous arguments about key properties such as type
safety. We carry this process a step further, omitting
almost all features of the full language (including
interfaces and even assignment) to obtain a small calculus,
Featherweight Java, for which rigorous proofs are not only
possible but easy. Featherweight Java bears a similar
relation to Java as the lambda-calculus does to languages
such as ML and Haskell. It offers a similar computational "feel," providing classes, methods, fields, inheritance,
and dynamic typecasts with a semantics closely following
Java's. A proof of type safety for Featherweight Java thus
illustrates many of the interesting features of a safety
proof for the full language, while remaining pleasingly
compact. The minimal syntax, typing rules, and operational
semantics of Featherweight Java make it a handy tool for
studying the consequences of extensions and variations. As
an illustration of its utility in this regard, we extend
Featherweight Java with generic classes in the style of GJ
(Bracha, Odersky, Stoutamire, and Wadler) and give a
detailed proof of type safety. The extended system
formalizes for the first time some of the key features of
GJ. },
bibkey = {igarashi.ea:featherweight:2001}
}
@Article{ zhu.ea:software:29-4, title = {Software Unit Test Coverage and Adequacy}, author = {Hong Zhu and Patrick A.V. Hall and John H. R. May}, journal = {ACM Computing Surveys},
issn = {0360-0300}, volume = 29,
url = {http://www.cs.bris.ac.uk/Tools/Reports/Abstracts/1997-zhu.html}
, number = 4, language = {USenglish}, pages = {366--427}, month = dec, keywords = {Safety_Critical_Systems}, year = 1997, abstract = {Objective measurement of test quality is one of the key
issues in software testing. It has been a major research
focus for the last two decades. Many test criteria have
been proposed and studied for this purpose. Various kinds
of rationale have been presented in support of one
criterion or another. This paper surveys the research work
in this area. The notion of adequacy criteria is examined
together with its role in software dynamic testing. A
review of criteria classification is followed by a summary
of the methods for comparison and assessment of criteria.},
acknowledgement={none},
bibkey = {zhu.ea:software:29-4}
}
@PhDThesis{ wenzel:isabelleisar:2002, author = {Markus M. Wenzel}, title = {Isabelle/Isar --- a versatile environment for
human-readable formal proof documents}, school = {TU M{\"u}nchen}, year = 2002,
url = {http://tumb1.biblio.tu-muenchen.de/publ/diss/in/2002/wenzel.html}
, abstract = {The basic motivation of this work is to make formal theory
developments with machine-checked proofs accessible to a
broader audience. Our particular approach is centered
around the Isar formal proof language that is intended to
support adequate composition of proof documents that are
suitable for human consumption. Such primary proofs written
in Isar may be both checked by the machine and read by
human-beings; final presentation merely involves trivial
pretty printing of the sources. Sound logical foundations
of Isar are achieved by interpretation within the generic
Natural Deduction framework of Isabelle, reducing all
high-level reasoning steps to primitive inferences.
The resulting Isabelle/Isar system is generic with respect
to object-logics and proof tools, just as pure Isabelle
itself. The full Isar language emerges from a small core by
means of several derived elements, which may be combined
freely with existing ones. This results in a very rich
space of expressions of formal reasoning, supporting many
viable proof techniques. The general paradigms of Natural
Deduction and Calculational Reasoning are both covered
particularly well. Concrete examples from logic,
mathematics, and computer-science demonstrate that the Isar
concepts are indeed sufficiently versatile to cover a broad
range of applications.}, address = {M{\"u}nchen}, month = feb,
acknowledgement={none},
bibkey = {wenzel:isabelleisar:2002}
}
@InProceedings{ frantzen.ea:test:2004, author = {L. Frantzen and J. Tretmans and T.A.C. Willemse}, title = {Test Generation Based on Symbolic Specifications}, booktitle = {FATES 2004}, year = 2004, month = sep, abstract = {Classical state-oriented testing approaches are based on
sim- ple machine models such as Labelled Transition Systems
(LTSs), in which data is represented by concrete values. To
implement these theories, data types which have infinite
universes have to be cut down to infinite vari- ants, which
are subsequently enumerated to fit in the model. This leads
to an explosion of the state space. Moreover, exploiting
the syntactical and/or semantical information of the
involved data types is non-trivial after enumeration. To
overcome these problems, we lift the family of test- ing
relations iocoF to the level of Symbolic Transition Systems
(STSs). We present an algorithm based on STSs, which
generates and executes tests on-the-fly on a given system.
It is sound and complete for the ioco F testing
relations.},
acknowledgement={none},
bibkey = {frantzen.ea:test:2004}
}
@Book{ dagostino.ea:handbook:1996, title = {Handbook of Tableau Methods}, editor = {Marcello D'Agostino and Dov Gabbay and Reiner H\"ahnle and
Joachim Posegga}, publisher = {Kluwer, Dordrecht}, year = 1996,
isbn = {0-7923-5627-6},
acknowledgement={none},
bibkey = {dagostino.ea:handbook:1996}
}
@Article{ visser.ea:test:2004, author = {Willem Visser and Corina S. P\u{a}s\u{a}reanu and Sarfraz
Khurshid}, title = {Test input generation with {Java} {PathFinder}}, journal = {SIGSOFT Softw. Eng. Notes}, volume = 29, number = 4, year = 2004,
issn = {0163-5948}, pages = {97--107},
doi = {10.1145/1013886.1007526}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none},
bibkey = {visser.ea:test:2004}
}
@InProceedings{ pons.ea:practical:2006, author = {Claudia Pons and Diego Garcia}, title = {Practical Verification Strategy for Refinement Conditions
in \acs{uml} Models}, booktitle = {IFIP Workshop on Advanced Software Engineering}, year = 2006, pages = {47--61},
doi = {10.1007/978-0-387-34831-5_4},
crossref = {ochoa.ea:ifip:2006}
}
@Proceedings{ ochoa.ea:ifip:2006, editor = {Sergio F. Ochoa and Gruia-Catalin Roman}, title = {IFIP 19th World Computer Congress, First International
Workshop on Advanced Software Engineering, Expanding the
Frontiers of Software Technology, August 25, 2006,
Santiago, Chile}, booktitle = {IFIP Workshop on Advanced Software Engineering}, publisher = pub-springer, address = pub-springer:adr,
series = {IFIP}, volume = 219, year = 2006,
isbn = {978-0-387-34828-5}
}
@Misc{ clearsy:atelier-b:2008, author = {{Clearsy Inc.}}, title = {{Atelier B}}, year = 2008,
note = {\url{http://www.atelierb.eu/}}
}
@Book{ beckert.ea:key:2007, editor = {Bernhard Beckert and Reiner H\"ahnle and Peter H. Schmitt}, title = {Verification of Object-Oriented Software: The {\KeY}
Approach}, volume = 4334,
series = s-lncs,
doi = {10.1007/978-3-540-69061-0}, publisher = pub-springer, address = pub-springer:adr, year = 2007
}
@InProceedings{ rudich.ea:checking:2008, author = {Arsenii Rudich and {\'A}d{\'a}m Darvas and Peter M{\"u}ller}, title = {Checking Well-Formedness of Pure-Method Specifications}, booktitle = {FM}, year = 2008, pages = {68--83},
ee = {http://dx.doi.org/10.1007/978-3-540-68237-0_7},
crossref = {cuellar.ea:fm:2008}
}
@Proceedings{ cuellar.ea:fm:2008, editor = {Jorge Cu{\'e}llar and T. S. E. Maibaum and Kaisa Sere}, title = {FM 2008: Formal Methods, 15th International Symposium on
Formal Methods, Turku, Finland, May 26-30, 2008,
Proceedings}, booktitle = {FM},
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = 5014, year = 2008,
isbn = {978-3-540-68235-6}
}
@InProceedings{ ledang:b-based:2004, author = {Hung Ledang}, title = {B-based Conistency Checking of UML Diagrams}, booktitle = PROC # { ICT/RDA2004 : the 2nd National Symposium on
Research, Development and Application of Information and
Communication TechnologyAIR'2005}, year = 2004, publisher = {Science and Techniques Publisher}
}
@InProceedings{ krieger.ea:executing, author = {Matthias P. Krieger and Alexander Knapp.}, title = {Executing Underspecified OCL Operation Contracts with a
SAT Solver}, booktitle = PROC # { the OCL 2008 Workshop}, editor = {to appear},
note = {\url{http://www.fots.ua.ac.be/events/ocl2008/}}
}
@InProceedings{ tretmans.ea:cote:2002, author = {Jan Tretmans and Edsgar Brinksma}, title = {C\^ote de Resyste --- Automated Model Based Testing}, booktitle = {Progress 2002 --- 3rd Workshop on Embedded Systems}, pages = {246--255}, year = 2002
}
@Article{ tretmans:test:1996, author = {Jan Tretmans}, title = {Test Generation with Inputs, Outputs and Repetitive
Quiescence}, journal = {Software --- Concepts and Tools}, year = 1996, volume = 17, number = 3, pages = {103--120}
}
@Article{ jard.ea:tgv:2005, author = {C. Jard and T. J\'eron}, title = {TGV: Theory, Principles and Algorithms}, journal = {Software Tools for Technology Transfer}, year = 2005, volume = 7, number = 4, pages = {297--315}
}
@InProceedings{ clarke.ea:stg:2002, author = {D. Clarke and T. J\'eron and V. Rusu and E. Zinovieva}, title = {STG: A Symbolic Test Generation Tool}, pages = {470--475}, year = 2002,
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = {2280}
}
@InProceedings{ koch.ea:autolink:1998, author = {B. Koch and J. Grabowski and D. Hogrefe and M. Schmitt}, title = {AutoLink --- a Tool for Automatic Test Generation from SDL
Specifications}, booktitle = {Proc. IEEE Intl. Workshop on Industrial Strength Formal
Specification Techniques (WIFT 1998)}, pages = {114--127}, year = 1998
}
@InProceedings{ bouquet.ea:mastering:2004, author = {F. Bouquet and B. Legeard and F. Peureux and E.
Torreborre}, title = {Mastering Test Generation from Smart Card Software Formal
Models}, booktitle = {Proc. Intl. Workshop on Construction and Analysis of Safe,
Secure and Interoperable Smart devices}, pages = {70--85}, year = 2004,
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = {3362}
}
@InProceedings{ prowell:tool:2003, author = {S. Prowell}, title = {A Tool for Model-based Statistical Testing}, booktitle = {Proc. HICSS'03, IEEE}, pages = {337.3}, year = 2003
}
@Article{ walton.ea:generating:2000, author = {G. Walton and J. Poore}, title = {Generating transition probabilities to support model-based
software testing}, journal = {Software: Practice and Experience}, year = 2000, volume = 30, number = 10, pages = {1095--1106}
}
@Article{ cohen.ea:aetg:1997, author = {D. Cohen and S. Dalal and M. Fredman and G. Patton}, title = {The AETG System: An approach to testing Based on
Combinatorial Design}, journal = {IEEE Transactions on Software Engineering}, year = 1997, volume = 23, number = 7
}
@InProceedings{ bohme.ea:hol-boogie:2008, author = {Sascha B{\"o}hme and K. Rustan M. Leino and Burkhart
Wolff}, title = {{\acs{hol}-Boogie}---An Interactive Prover for the
{Boogie} Program-Verifier}, booktitle = {Theorem Proving in Higher Order Logics}, year = 2008, pages = {150--166},
doi = {10.1007/978-3-540-71067-7_15},
crossref = {otmane.ea:tphols:2008}
}
@Proceedings{ otmane.ea:tphols:2008, editor = {Otmane A\"{\i}t Mohamed and C{\'e}sar Mu{\~n}oz and
Sofi{\`e}ne Tahar}, title = {Theorem Proving in Higher Order Logics (\acs{tphols})}, booktitle = {Theorem Proving in Higher Order Logics (\acs{tphols})},
location = {Montreal, Canada}, month = aug, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5170, year = 2008,
isbn = {978-3-540-71065-3}
}
@InProceedings{ huisman.ea:inheritance:2000, author = {Marieke Huisman and Bart Jacobs}, title = {Inheritance in Higher Order Logic: Modeling and
Reasoning},
doi = {10.1007/3-540-44659-1_19}, year = 2000, pages = {301--319},
crossref = {aagaard.ea:tphols:2000}
}
@Proceedings{ aagaard.ea:tphols:2000, editor = {Mark Aagaard and John Harrison},
location = {Portland, Oregon, USA}, month = aug, title = {Theorem Proving in Higher Order Logics (\acs{tphols})}, booktitle = {Theorem Proving in Higher Order Logics (\acs{tphols})}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1869, year = 2000,
isbn = {3-540-67863-8}
}
@Book{ roscoe:csp:1998, author = {A.W. Roscoe}, title = {Theory and Practice of Concurrency}, publisher = {Prentice Hall}, year = 1998,
isbn = {0-13-674409-5}
}
@Article{ foster:error:1980, title = {Error Sensitive Test Cases Analysis (ESTCA)}, author = {Foster, K.A.}, journal = {Software Engineering, IEEE Transactions on}, year = 1980, month = {May}, volume = {SE-6}, number = 3, pages = {258--264}, abstract = {A hardware failure analysis technique adapted to software
yielded three rules for generating test cases sensitive to
code errors. These rules, and a procedure for generating
these cases, are given with examples. Areas for further
study are recommended.}, keywords = {null Program correctness, progran testing, software
errors, software reliability, test data generation},
issn = {0098-5589}
}
@Book{ myers.ea:art:2004, author = {Glenford J. Myers and Corey Sandler}, title = {The Art of Software Testing}, year = 2004,
isbn = 0471469122, publisher = {John Wiley \& Sons}
}
@InProceedings{ tillmann.ea:pex:2008, author = {Nikolai Tillmann and Jonathan de Halleux}, title = {{Pex}---White Box Test Generation for {.NET}}, booktitle = {TAP}, year = 2008, pages = {134-153},
doi = {10.1007/978-3-540-79124-9_10},
crossref = {beckert.ea:tests:2008}, abstract = {Pex automatically produces a small test suite with high
code coverage for a .NET program. To this end, Pex performs
a systematic program analysis (using dynamic symbolic
execution, similar to path-bounded model-checking) to
determine test inputs for Parameterized Unit Tests. Pex
learns the program behavior by monitoring execution traces.
Pex uses a constraint solver to produce new test inputs
which exercise different program behavior. The result is an
automatically generated small test suite which often
achieves high code coverage. In one case study, we applied
Pex to a core component of the .NET runtime which had
already been extensively tested over several years. Pex
found errors, including a serious issue.}
}
@InProceedings{ halleux.ea:parameterized:2008, author = {Jonathan de Halleux and Nikolai Tillmann}, title = {Parameterized Unit Testing with {Pex}}, booktitle = {TAP}, year = 2008, pages = {171--181},
doi = {10.1007/978-3-540-79124-9_12},
crossref = {beckert.ea:tests:2008}, abstract = {This hands-on tutorial will teach the principles of
Parameterized Unit Testing [5,4] with Pex [2], an automatic
test input generator for .NET which performs a systematic
program analysis, similar to path bounded model-checking. A
parameterized unit test is simply a method that takes
parameters, calls the code under test, and states
assertions.}
}
@Proceedings{ beckert.ea:tests:2008, editor = {Bernhard Beckert and Reiner H{\"a}hnle}, title = {Tests and Proofs, Second International Conference, TAP 2008, Prato, Italy, April 9-11, 2008. Proceedings}, booktitle = {TAP},
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = 4966, year = 2008,
isbn = {978-3-540-79123-2}
}
%%%%%%
@InProceedings{ povey:enforcing:1999, author = {Dean Povey}, title = {Enforcing well-formed and partially-formed transactions
for {Unix}}, booktitle = PROC # { the 8th conference on \acs{usenix} Security
Symposium}, volume = 8, year = 1999, publisher = {\acs{usenix} Association},
location = {Berkeley, \acs{ca}}, pages = {5--5}
}
@InProceedings{ longstaff.ea:model:2000, author = {J.J. Longstaff and M.A. Lockyer and M.G. Thick}, title = {A Model of Accountability, Confidentiality and Override
for Healthcare and other Applications}, booktitle = PROC # { the fifth \acs{acm} workshop on Role-based
access control}, year = 2000,
isbn = {1-58113-259-X}, pages = {71--76}, publisher = pub-acm, address = pub-acm:adr,
doi = {10.1145/344287.344304}
}
@InProceedings{ rissanen.ea:towards:2004, author = {Erik Rissanen}, title = {Towards a Mechanism for Discretionary Overriding of Access
Control (Transcript of Discussion)}, booktitle = PROC # { the 12th International Workshop on Security
Protocols}, year = 2004, pages = {320--323}, month = mar,
doi = {10.1007/11861386_39}, abstract = {Last year, the Swedish Prime Minister was stabbed to death
in a shopping mall in Stockholm, and of course the police
thoroughly investigated it. They had some privacy problems
during the investigation: many policemen just looked at the
case, because there was no access control on the police
system. They didn{\^a}��t have a whole system on-line,
because they cannot really predict the needs of individual
policemen, and they cannot really audit the whole thing
either because there were so many accesses. In the case of
the prime minister we suspect that something was going on
because he was a famous person, and they know from
experience that this tends to happen with famous people,
but in the case of a policemen accessing his
neighbour{\^a}��s data, or something like that, then there
is little reason to notice that something is going on.},
crossref = {bruce.ea:security:2006}
}
@Proceedings{ bruce.ea:security:2006,
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, editor = {Bruce Christianson and Bruno Crispo and James A. Malcolm
and Michael Roe}, title = {Security Protocols, 12th International Workshop,
Cambridge, UK, April 26-28, 2004. Revised Selected Papers}, booktitle = {Security Protocols Workshop}, volume = 3957, year = 2006,
isbn = {3-540-40925-4}
}
@InProceedings{ rissanen.ea:discretionary:2004, author = {Erik Rissanen and Babak Sadighi Firozabadi and Marek J.
Sergot}, title = {Discretionary Overriding of Access Control in the
Privilege Calculus}, booktitle = PROC # { the Workshop on Formal Aspects Security and
Trust (\acs{fast})}, year = 2004, pages = {219--232},
doi = {10.1007/0-387-24098-5_16},
crossref = {dimitrakos.ea:formal:2005}, abstract = {We extend a particular access control framework, the
Privilege Calculus, with a possibility to override denied
access for increased flexibility in hard to define or
unanticipated situations. We require the overrides to be
audited and approved by appropriate managers. In order to
automatically find the authorities who are able to approve
an override, we present an algorithm for authority
resolution. We are able to calculate from the access
control policy who can approve an override without the need
for any additional information.}
}
@Proceedings{ dimitrakos.ea:formal:2005, editor = {Theodosis Dimitrakos and Fabio Martinelli}, title = {Formal Aspects in Security and Trust: Second IFIP TC1
WG1.7 Workshop on Formal Aspects in Security and Trust
(FAST), an event of the 18th IFIP World Computer Congress,
August 22-27, 2004, Toulouse, France}, booktitle = {Formal Aspects in Security and Trust}, publisher = pub-springer, volume = 173, address = pub-springer:adr, year = 2005,
isbn = {0-387-24050-0}
}
@InProceedings{ alqatawna.ea:overriding:2007, author = {Ja'far Alqatawna and Erik Rissanen and Babak Sadighi}, title = {Overriding of Access Control in \textsc{XACML}}, booktitle = PROC # { the Eighth \acs{ieee} International
Workshop on Policies for Distributed Systems and Networks
(\acs{policy})}, year = 2007,
isbn = {0-7695-2767-1}, pages = {87--95},
doi = {10.1109/POLICY.2007.31}, address = pub-ieee:adr, publisher = pub-ieee
}
@InProceedings{ stevens.ea:new:2002, author = {Gunnar Stevens and Volker Wulf}, title = {A new dimension in access control: studying maintenance
engineering across organizational boundaries}, booktitle = PROC # { the \acs{acm} conference on Computer
supported cooperative work (\acs{cscw})}, year = 2002,
isbn = {1-58113-560-2}, pages = {196--205},
location = {New Orleans, Louisiana, USA},
doi = {10.1145/587078.587106}, publisher = pub-acm, address = pub-acm:adr
}
@InProceedings{ jaeger.ea:managing:2002, author = {Trent Jaeger and Antony Edwards and Xiaolan Zhang}, title = {Managing access control policies using access control
spaces}, booktitle = PROC # { the seventh \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2002,
isbn = {1-58113-496-7}, pages = {3--12},
location = {Monterey, California, USA},
doi = {10.1145/507711.507713}, publisher = pub-acm, address = pub-acm:adr
}
@Article{ joshi.ea:generalized:2005, author = {James B.D. Joshi and Elisa Bertino and Usman Latif and
Arif Ghafoor}, title = {A Generalized Temporal Role-Based Access Control Model}, journal = j-tkde, volume = 17, number = 1,
issn = {1041-4347}, year = 2005, pages = {4--23},
doi = {10.1109/TKDE.2005.1}, publisher = pub-ieee, address = pub-ieee:adr
}
@InProceedings{ bell.ea:secure:1996, author = {D. Elliott Bell and Leonard J. LaPadula}, title = {Secure Computer Systems: A Mathematical Model, Volume
{II}}, booktitle = {Journal of Computer Security 4}, year = 1996, pages = {229--263},
note = {An electronic reconstruction of \emph{Secure Computer
Systems: Mathematical Foundations}, 1973}
}
@InProceedings{ bell:looking:2005, title = {Looking Back at the Bell-La Padula Model}, author = {D. Elliott Bell}, journal = PROC # { the 21st Annual Computer Security
Applications Conference}, year = 2005,
isbn = {1063-9527},
doi = {10.1109/CSAC.2005.37}, publisher = {pub-ieee}, address = pub-ieee:adr, pages = {337--351}
}
@Booklet{ oasis:xacml:2005, title = {{eXtensible Access Control Markup Language (XACML)},
Version 2.0}, year = 2005,
url = {http://docs.oasis-open.org/xacml/2.0/XACML-2.0-OS-NORMATIVE.zip}
,
bibkey = {oasis:xacml:2005}, publisher = {\acs{oases}},
key = {OASIS}, language = {USenglish},
public = {yes}
}
@InProceedings{ barka.ea:framework:2000, author = {Ezedin Barka and Ravi Sandhu}, title = {Framework for Role-based Delegation Models}, year = 2000, booktitle = PROC # { the 16th Annual Computer Security
Applications Conference},
doi = {10.1109/ACSAC.2000.898870},
isbn = {0-7695-0859-6}, pages = {168--176}, publisher = pub-ieee, address = pub-ieee:adr
}
@InProceedings{ cheng.ea:fuzzy:2007, author = {Pau-Chen Cheng and Pankaj Rohatgi and Claudia Keser and
Paul A. Karger and Grant M. Wagner and Angela Schuett
Reninger}, title = {Fuzzy Multi-Level Security: An Experiment on Quantified
Risk-Adaptive Access Control}, booktitle = {IEEE Symposium on Security and Privacy}, year = 2007, pages = {222--230},
ee = {http://dx.doi.org/10.1109/SP.2007.21},
crossref = {ieee:security-privacy:2007}
}
@Proceedings{ ieee:security-privacy:2007, title = {2007 IEEE Symposium on Security and Privacy (S{\&}P 2007), 20-23 May 2007, Oakland, California, USA}, booktitle = {IEEE Symposium on Security and Privacy}, publisher = {IEEE Computer Society}, year = 2007
}
@InProceedings{ zhang.ea:toward:2006, author = {Lei Zhang and Alexander Brodsky and Sushil Jajodia}, title = {Toward Information Sharing: Benefit And Risk Access
Control (BARAC)}, booktitle = {POLICY}, year = 2006, pages = {45--53},
doi = {10.1109/POLICY.2006.36},
crossref = {ieee:policy:2006}
}
@Proceedings{ ieee:policy:2006, title = {7th IEEE International Workshop on Policies for
Distributed Systems and Networks (POLICY 2006), 5-7 June 2006, London, Ontario, Canada}, booktitle = {POLICY}, publisher = {IEEE Computer Society}, year = 2006,
isbn = {0-7695-2598-9}
}
@InProceedings{ nissanke.ea:risk:2004, author = {Nimal Nissanke and Etienne J. Khayat}, title = {Risk Based Security Analysis of Permissions in RBAC}, booktitle = {WOSIS}, year = 2004, pages = {332--341},
crossref = {fernandez-medina.ea:security:2004}
}
@Proceedings{ fernandez-medina.ea:security:2004, editor = {Eduardo Fern{\'a}ndez-Medina and Julio C{\'e}sar
Hern{\'a}ndez Castro and L. Javier Garc\'{\i}a-Villalba}, title = {Security In Information Systems, Proceedings of the 2nd
International Workshop on Security In Information Systems,
WOSIS 2004, In conjunction with ICEIS 2004, Porto,
Portugal, April 2004}, booktitle = {WOSIS}, publisher = {INSTICC Press}, year = 2004,
isbn = {972-8865-07-4}
}
@InProceedings{ fisler.ea:verification:2005, author = {Kathi Fisler and Shriram Krishnamurthi and Leo A.
Meyerovich and Michael Carl Tschantz}, title = {Verification and change-impact analysis of access-control
policies}, booktitle = {ICSE}, year = 2005, pages = {196--205},
doi = {10.1145/1062455.1062502},
crossref = {roman.ea:27th:2005}
}
@Proceedings{ roman.ea:27th:2005, editor = {Gruia-Catalin Roman and William G. Griswold and Bashar
Nuseibeh}, title = {27th International Conference on Software Engineering
(ICSE 2005), 15-21 May 2005, St. Louis, Missouri, USA}, booktitle = {ICSE}, address = pub-acm:adr, publisher = pub-acm, year = 2005
}
@InProceedings{ lin.ea:approach:2007, author = {Dan Lin and Prathima Rao and Elisa Bertino and Jorge
Lobo}, title = {An approach to evaluate policy similarity}, booktitle = {SACMAT}, year = 2007, pages = {1--10},
doi = {10.1145/1266840.1266842},
crossref = {lotz.ea:sacmat:2007}
}
@InProceedings{ backes.ea:efficient:2004, author = {Michael Backes and G{\"u}nter Karjoth and Walid Bagga and
Matthias Schunter}, title = {Efficient comparison of enterprise privacy policies}, booktitle = {SAC}, year = 2004, pages = {375--382},
doi = {10.1145/967900.967983},
crossref = {haddad.ea:proceedings:2004}
}
@Proceedings{ haddad.ea:proceedings:2004, editor = {Hisham Haddad and Andrea Omicini and Roger L. Wainwright
and Lorie M. Liebrock}, title = PROC # { the 2004 ACM Symposium on Applied Computing
(SAC), Nicosia, Cyprus, March 14-17, 2004}, booktitle = {SAC}, address = pub-acm:adr, publisher = pub-acm, year = 2004,
isbn = {1-58113-812-1}
}
@InProceedings{ warner.ea:using:2007, author = {Janice Warner and Vijayalakshmi Atluri and Ravi Mukkamala
and Jaideep Vaidya}, title = {Using semantics for automatic enforcement of access
control policies among dynamic coalitions}, booktitle = {SACMAT}, year = 2007, pages = {235--244},
doi = {10.1145/1266840.1266877},
crossref = {lotz.ea:sacmat:2007}
}
@Proceedings{ lotz.ea:sacmat:2007, editor = {Volkmar Lotz and Bhavani M. Thuraisingham}, title = {SACMAT 2007, 12th ACM Symposium on Access Control Models
and Technologies, Sophia Antipolis, France, June 20-22, 2007, Proceedings}, booktitle = {SACMAT}, address = pub-acm:adr, publisher = pub-acm, year = 2007,
isbn = {978-1-59593-745-2}
}
@InProceedings{ povey:optimistic:1999, author = {Dean Povey}, title = {Optimistic Security: A New Access Control Paradigm}, booktitle = PROC # { the 1999 workshop on New security
paradigms}, year = 1999,
isbn = {1-58113-149-6}, pages = {40--45},
doi = {10.1145/335169.335188}, publisher = pub-acm, address = pub-acm:adr, abstract = {Despite the best efforts of security researchers,
sometimes the static nature of authorisation can cause
unexpected risks for users work- ing in a dynamically
changing environment. Disasters, medical emergencies or
time-critical events can all lead to situations where the
ability to relax normal access rules can become critically
impor- tant.
This paper presents an optimistic access control scheme
where en- forcement of rules is retrospective. The system
administrator is re- lied on to ensure that the system is
not misused, and compensating transactions are used to
ensure that the system integrity can be re- covered in the
case of a breach. It is argued that providing an opti-
mistic scheme alongside a traditional access control
mechanism can provide a useful means for users to exceed
their normal privileges on the rare occasion that the
situation warrants it.
The idea of a partially-formed transaction is introduced to
show how accesses in an optimistic system might be
constrained. This model is formally described and related
to the Clark-Wilson in- tegrity model.}
}
@Article{ sandhu.ea:role-based:1996, author = {Ravi S. Sandhu and Edward J. Coyne and Hal L. Feinstein
and Charles E. Youman}, title = {Role-Based Access Control Models}, journal = j-computer, year = 1996, volume = 29, number = 2, address = pub-ieee:adr, publisher = pub-ieee, pages = {38--47},
url = {http://ite.gmu.edu/list/journals/computer/pdf_ver/i94rbac(org).pdf}
, abstract = {Abstract This article introduces a family of reference
models for rolebased acce ss control (RBAC) in which
permissions are associated with roles, and users are made
members of appropriate roles. This greatly simplifies
management of permiss ions. Roles are closely related to
the concept of user groups in access control. However, a
role brings together a set of users on one side and a set
of permiss ions on the other, whereas user groups are
typically defined as a set of users o nly.
The basic concepts of RBAC originated with early multi-user
computer systems. Th e resurgence of interest in RBAC has
been driven by the need for general-purpose customizable
facilities for RBAC and the need to manage the
administration of R BAC itself. As a consequence RBAC
facilities range from simple to complex. This article
describes a novel framework of reference models to
systematically addres s the diverse components of RBAC, and
their interactions.},
issn = {0018-9162}, keywords = {Computational linguistics; Computer control systems;
Computer simulation; Computer software; Data abstraction;
Database systems; Discretionary access control; Encoding
(symbols); Integration; Mandator access control; Role based
access control; Semantics; Software encoding; User
interfaces},
acknowledgement={none},
bibkey = {sandhu.ea:role-based:1996}
}
@Booklet{ sarbanes.ea:sox:2002, title = {{Sarbanes-Oxley} {Act} of 2002}, author = {P. Sarbanes and G. Oxley and others},
howpublished = {107th Congress Report, House of Representatives, 2nd
Session, 107--610}, year = 2002
}
@TechReport{ bcbs:baselii:2004, author = {{Basel Committee on Banking Supervision}}, title = {{Basel II}: International Convergence of Capital
Measurement and Capital Standards}, year = 2004,
url = {http://www.bis.org/publ/bcbsca.htm}, address = {Basel, Switzerland},
institution = {Bank for International Settlements}
}
@Book{ dahl.ea:structured:1972, author = {O.-J. Dahl and E. W. Dijkstra and C. A. R. Hoare}, title = {Structured Programming}, publisher = {Academic Press}, year = 1972,
edition = {3rd}, volume = 8,
series = {A.P.I.C. Studies in Data Processing}, address = {London},
isbn = {0-12-200550-3}
}
@InProceedings{ bryans:reasoning:2005, author = {Jery Bryans}, title = {Reasoning about {XACML} policies using {CSP}}, booktitle = {SWS '05: Proceedings of the 2005 workshop on Secure web
services}, year = 2005,
isbn = {1-59593-234-8}, pages = {28--35},
location = {Fairfax, VA, USA},
doi = {10.1145/1103022.1103028}, address = pub-acm:adr, publisher = pub-acm
}
@InProceedings{ chadwick.ea:permis:2002, author = {David W. Chadwick and Alexander Otenko}, title = {The \acs{permis} {X.509} role based privilege management
infrastructure}, booktitle = PROC # { the seventh \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2002,
isbn = {1-58113-496-7}, pages = {135--140},
location = {Monterey, California, USA},
doi = {10.1145/507711.507732}, address = pub-acm:adr, publisher = pub-acm
}
@InProceedings{ ye.ea:using:2005, author = {Chunxiao Ye and Zhongfu Wu}, title = {Using \acs{xml} and \acs{xacml} to Support Attribute Based
Delegation}, booktitle = {CIT '05: Proceedings of the The Fifth International
Conference on Computer and Information Technology}, year = 2005,
isbn = {0-7695-2432-X}, pages = {751--756},
doi = {10.1109/CIT.2005.196}, publisher = {IEEE Computer Society}, address = {Washington, DC, USA}
}
@Book{ fox.ea:it-sox:2006, author = {Christopher Fox and Paul Zonneveld}, abstract = {This publication provides CIOs, IT managers, and control
and assurance professionals with scoping and assessment
ideas, approaches and guidance in support of the IT-related
Committee of Sponsoring Organizations of the Treadway
Commission (COSO) internal control objectives for financial
reporting.
A streamlined road map is provided to help turn compliance
into a competitive challenge. Lessons learned and
sustaining ideas are also included.
The second edition is updated for recent US Securities and
Exchange Commission (SEC) and Public Company Accounting and
Oversight Board (PCAOB) guidance related to entity-level
controls, a risk-based/top-down approach, application
controls and the evaluation of deficiencies.}, title = {\acs{it} Control Objectives for Sarbanes-Oxley: The Role
of \acs{it} in the Design and Implementation of Internal
Control Over Financial Reporting}, year = 2006, month = sep,
bibkey = {fox.ea:it-sox:2006},
num_pages = 128,
edition = {2nd}, publisher = {IT Governance Institute},
isbn = {1-933284-76-5}, address = {Rolling Meadows, IL, USA}
}
@Article{ basin.ea:automated:2009, title = {Automated analysis of security-design models}, journal = j-ist, volume = 51, number = 5,
issn = {0950-5849}, year = 2009, pages = {815--831},
doi = {10.1016/j.infsof.2008.05.011}, author = {David Basin and Manuel Clavel and J{\"u}rgen Doser and
Marina Egea}, keywords = {Metamodels}, abstract = {We have previously proposed SecureUML, an expressive
UML-based language for constructing security-design models,
which are models that combine design specifications for
distributed systems with specifications of their security
policies. Here, we show how to automate the analysis of
such models in a semantically precise and meaningful way.
In our approach, models are formalized together with
scenarios that represent possible run-time instances.
Queries about properties of the security policy modeled are
expressed as formulas in UML's Object Constraint Language.
The policy may include both declarative aspects, i.e.,
static access-control information such as the assignment of
users and permissions to roles, and programmatic aspects,
which depend on dynamic information, namely the
satisfaction of authorization constraints in a given
scenario. We show how such properties can be evaluated,
completely automatically, in the context of the metamodel
of the security-design language. We demonstrate, through
examples, that this approach can be used to formalize and
check non-trivial security properties. The approach has
been implemented in the SecureMOVA tool and all of the
examples presented have been checked using this tool.},
note = {Special Issue on Model-Driven Development for Secure
Information Systems}, publisher = pub-elsevier, address = pub-elsevier:adr
}
@InProceedings{ dong.ea:flexible:2008, author = {Changyu Dong and Giovanni Russello and Naranker Dulay}, title = {Flexible Resolution of Authorisation Conflicts in
Distributed Systems}, booktitle = {DSOM}, year = 2008, pages = {95--108},
doi = {10.1007/978-3-540-87353-2_8},
crossref = {turck.ea:managing:2008}, abstract = {Managing security in distributed systems requires flexible
and expressive authorisation models with support for
conflict resolution. Models need to be hierarchical but
also non-monotonic supporting both positive and negative
authorisations. In this paper, we present an approach to
resolve the authorisation conflicts that inevitably occur
in such models, with administrator specified conflict
resolution strategies (rules). Strategies can be global or
applied to specific parts of a system and dynamically
loaded for different applications. We use Courteous Logic
Programs (CLP) for the specification and enforcement of
strategies. Authorisation policies are translated into
labelled rules in CLP and prioritised. The prioritisation
is regulated by simple override rules specified or selected
by administrators. We demonstrate the capabilities of the
approach by expressing the conflict resolution strategy for
a moderately complex authorisation model that organises
subjects and objects hierarchically.}
}
@Proceedings{ turck.ea:managing:2008, editor = {Filip De Turck and Wolfgang Kellerer and George
Kormentzas}, title = {Managing Large-Scale Service Deployment, 19th IFIP/IEEE
International Workshop on Distributed Systems: Operations
and Management, DSOM 2008, Samos Island, Greece, September 22-26, 2008. Proceedings}, booktitle = {DSOM},
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = 5273, year = 2008,
isbn = {978-3-540-85999-4}
}
@InProceedings{ russello.ea:consent-based:2008, author = {Giovanni Russello and Changyu Dong and Naranker Dulay}, title = {Consent-Based Workflows for Healthcare Management}, booktitle = {9th IEEE International Workshop on Policies for
Distributed Systems and Networks (POLICY 2008), 2-4 June 2008, Palisades, New York, USA}, year = 2008, publisher = {IEEE Computer Society}, pages = {153--161},
isbn = {978-0-7695-3133-5},
doi = {10.1109/POLICY.2008.22}, abstract = {n this paper, we describe a new framework for healthcare
systems where patients are able to control the disclosure
of their medical data. In our framework, the patient's
consent has a pivotal role in granting or removing access
rights to subjects accessing patient's medical data.
Depending on the context in which the access is being
executed, different consent policies can be applied.
Context is expressed in terms of workflows. The execution
of a task in a given workflow carries the necessary
information to infer whether the consent can be implicitly
retrieved or should be explicitly requested from a patient.
However, patients are always able to enforce their own
decisions and withdraw consent if necessary. Additionally,
the use of workflows enables us to apply the need-to-know
principle. Even when the patient's consent is obtained, a
subject should access medical data only if it is required
by the actual situation. For example, if the subject is
assigned to the execution of a medical diagnosis workflow
requiring access to the patient's medical record. We also
provide a complex medical case study to highlight the
design principles behind our framework. Finally, the
implementation of the framework is outlined.}
}
@InProceedings{ mitchell-wong.ea:social:2008, author = {Juliana Mitchell-Wong and Ryszard Kowalczyk and Bao Quoc
Vo}, title = {Social Network Profile and Policy}, booktitle = {9th IEEE International Workshop on Policies for
Distributed Systems and Networks (POLICY 2008), 2-4 June 2008, Palisades, New York, USA}, year = 2008, publisher = {IEEE Computer Society},
isbn = {978-0-7695-3133-5}, pages = {207--210},
doi = {10.1109/POLICY.2008.41}, abstract = {n this paper, we describe a new framework for healthcare
systems where patients are able to control the disclosure
of their medical data. In our framework, the patient's
consent has a pivotal role in granting or removing access
rights to subjects accessing patient's medical data.
Depending on the context in which the access is being
executed, different consent policies can be applied.
Context is expressed in terms of workflows. The execution
of a task in a given workflow carries the necessary
information to infer whether the consent can be implicitly
retrieved or should be explicitly requested from a patient.
However, patients are always able to enforce their own
decisions and withdraw consent if necessary. Additionally,
the use of workflows enables us to apply the need-to-know
principle. Even when the patient's consent is obtained, a
subject should access medical data only if it is required
by the actual situation. For example, if the subject is
assigned to the execution of a medical diagnosis workflow
requiring access to the patient's medical record. We also
provide a complex medical case study to highlight the
design principles behind our framework. Finally, the
implementation of the framework is outlined.}
}
@Book{ paulson:ml:1996, author = {Lawrence C. Paulson}, title = {\acs{ml} for the Working Programmer}, publisher = {Cambridge Press}, year = 1996,
acknowledgement={none}
}
@InProceedings{ kohler.ea:proactive:2008, title = {Pro Active Access Control for Business Process-driven
Environments}, author = {Mathias Kohler and Andreas Schaad}, booktitle = {Annual Computer Security Applications Conference}, year = 2008
}
@InProceedings{ dewin:importance:2002, author = {Bart De Win and Frank Piessens and Wouter Joosen and Tine
Verhanneman}, title = {On the importance of the separation-of-concerns principle
in secure software engineering}, booktitle = {ACSA Workshop on the Application of Engineering Principles
to System Security Design - Final Report (Serban, C.,
ed.)}, year = 2003, pages = {1--10}
}
@InProceedings{ priebe:towards:2000, author = {Torsten Priebe and G\"{u}nther Pernul}, title = {Towards \textsc{olap} security design --- survey and
research issues}, booktitle = {DOLAP '00: Proceedings of the 3rd ACM international
workshop on Data warehousing and OLAP}, year = 2000,
isbn = {1-58113-323-5}, pages = {33--40},
location = {McLean, Virginia, United States},
doi = {10.1145/355068.355313}, publisher = {ACM}, address = {New York, NY, USA}
}
@InProceedings{ atluri:supporting:2005, author = {Vijayalakshmi Atluri and Janice Warner}, title = {Supporting conditional delegation in secure workflow
management systems}, booktitle = PROC # { the tenth \acs{acm} symposium on Access
control models and technologies (\acs{sacmat})}, year = 2005,
isbn = {1-59593-045-0}, pages = {49--58},
location = {Stockholm, Sweden},
doi = {10.1145/1063979.1063990}, publisher = pub-acm, address = pub-acm:adr
}
@InProceedings{ dimmock:using:2004, author = {Nathan Dimmock and Andr{\'a} Belokosztolszki and David
Eyers and Jean Bacon and Ken Moody}, title = {Using trust and risk in role-based access control
policies}, booktitle = PROC # { the ninth ACM symposium on Access control
models and technologies (\acs{sacmat})}, year = 2004,
isbn = {1-58113-872-5}, pages = {156--162},
location = {Yorktown Heights, New York, USA},
doi = {10.1145/990036.990062}, publisher = pub-acm, address = pub-acm:adr, abstract = {Emerging trust and risk management systems provide a
framework for principals to determine whether they will
exchange resources, without requiring a complete definition
of their credentials and intentions. Most distributed
access control architectures have far more rigid policy
rules, yet in many respects aim to solve a similar problem.
This paper elucidates the similarities between trust
management and distributed access control systems by
demonstrating how the OASIS access control system and its
role-based policy language can be extended to make
decisions on the basis of trust and risk analyses rather
than on the basis of credentials alone. We apply our new
model to the prototypical example of a file storage and
publication service for the Grid, and test it using our
Prolog-based OASIS implementation.}
}
@Article{ barnett.ea:verification:2004, author = {Michael Barnett and Robert DeLine and Manuel F{\"a}hndrich
and K. Rustan M. Leino and Wolfram Schulte}, title = {Verification of Object-Oriented Programs with Invariants}, journal = {Journal of Object Technology}, volume = 3, number = 6, year = 2004, pages = {27--56}, abstract = {An object invariant defines what it means for an object's
data to be in a consistent state. Object invariants are
central to the design and correctness of object-oriented
programs. This paper defines a programming methodology for
using object invariants. The methodology, which enriches a
program's state space to express when each object invariant
holds, deals with owned object components, ownership
transfer, and subclassing, and is expressive enough to
allow many interesting object-oriented programs to be
specified and verified. Lending itself to sound modular
verification, the methodology also provides a solution to
the problem of determining what state a method is allowed
to modify. },
url = {http://www.jot.fm/issues/issue_2004_06/article2/article2.pdf}
}
@Article{ harms.ea:copying:1991, author = {Douglas E. Harms and Bruce W. Weide}, title = {Copying and Swapping: Influences on the Design of Reusable
Software Components}, journal = j-tse, volume = 17, number = 5, year = 1991, pages = {424--435},
doi = {10.1109/32.90445 }, abstract = {The authors argue that a simple alternative to copying as
a data movement primitive-swapping (exchanging) the values
of two variables-has potentially significant advantages in
the context of the design of generic reusable software
components. Specifically, the authors claim that generic
module designs based on a swapping style are superior to
designs based on copying, both in terms of execution-time
efficiency and with respect to the likelihood of
correctness of client programs and module implementations.
Furthermore, designs based on swapping are more reusable
than traditional designs. Specific arguments and examples
to support these positions are presented}, publisher = pub-ieee, address = pub-ieee:adr
}
@InProceedings{ albano.ea:relationship:1991, author = {Antonio Albano and Giorgio Ghelli and Renzo Orsini}, title = {A Relationship Mechanism for a Strongly Typed
Object-Oriented Database Programming Language}, booktitle = {VLDB}, year = 1991, pages = {565--575},
crossref = {lohman.ea:17th:1991}
}
@Proceedings{ lohman.ea:17th:1991, editor = {Guy M. Lohman and Am\'{\i}lcar Sernadas and Rafael Camps}, title = {17th International Conference on Very Large Data Bases,
September 3-6, 1991, Barcelona, Catalonia, Spain,
Proceedings}, publisher = {Morgan Kaufmann}, year = 1991,
isbn = {1-55860-150-3}
}
@InProceedings{ ernst.ea:predicate:1998, author = {Michael D. Ernst and Craig S. Kaplan and Craig Chambers}, title = {Predicate Dispatching: A Unified Theory of Dispatch}, booktitle = {ECOOP}, year = 1998, pages = {186--211},
doi = {10.1007/BFb0054092}, abstract = {Predicate dispatching generalizes previous method dispatch
mechanisms by permitting arbitrary predicates to control
method applicability and by using logical implication
between predicates as the overriding relationship. The
method selected to handle a message send can depend not
just on the classes of the arguments, as in ordinary
object-oriented dispatch, but also on the classes of
subcomponents, on an argument's state, and on relationships
between objects. This simple mechanism subsumes and extends
object-oriented single and multiple dispatch, ML-style
pattern matching, predicate classes, and classifiers, which
can all be regarded as syntactic sugar for predicate
dispatching. This paper introduces predicate dispatching,
gives motivating examples, and presents its static and
dynamic semantics. An implementation of predicate
dispatching is available.},
crossref = {jul:eccop98:1998}
}
@Proceedings{ jul:eccop98:1998, editor = {Eric Jul}, title = {ECCOP'98 - Object-Oriented Programming, 12th European
Conference, Brussels, Belgium, July 20-24, 1998,
Proceedings}, booktitle = {ECOOP}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1445, year = 1998,
isbn = {3-540-64737-6}
}
@Misc{ garbani:future:2009, author = {Jean-Pierre Garbani}, title = {Future Trends In The Enterprise Software Market},
howpublished = {http://www.forrester.com/Research/Document/Excerpt/0,7211,53493,00.html}
, month = mar # {~9}, year = 2009, publisher = {Forrester Research, Inc.}, address = {Cambridge, USA}, abstract = {Hardware, software, and people are the three basic
ingredients of enterprise business technology. They provide
the enterprise with an economic advantage through automated
and improved business processes, increased employee
productivity, and more accurate and precise information.
The relationship between these three components has evolved
over time: Initially, hardware reigned supreme; software
was a mere adjunct and free to the mainframe buyer.
Decreasing hardware costs then led to software "unbundling." In the present era of information technology,
hardware's ever-decreasing costs make it an enabler of
software functions. In the business technology (BT) era, we
predict that managing the third part of the equation --
people -- will emerge as the dominant focus. As software
applications become business services, the cost of human
resources producing, operating, and managing software will
soon be prohibitive and the new focal point. In this
regard, the current economic downturn, if it persists, may
prove to be a driver that accelerates the shift toward the
BT era.}
}
@Article{ klein:operating:2009, author = {Gerwin Klein}, title = {Operating System Verification --- An Overview}, journal = {S\={a}dhan\={a}}, publisher = pub-springer, year = 2009, volume = 34, number = 1, month = feb, pages = {27--69}, abstract = {This paper gives a high-level introduction to the topic of
formal, interactive, machine-checked software verification
in general, and the verification of operating systems code
in particular. We survey the state of the art, the
advantages and limitations of machine-checked code proofs,
and describe two specific ongoing larger-scale verification
projects in more detail.}
}
@Article{ edwards.ea:resolve:1994,
bibkey = {edwards.ea:resolve:1994}, author = {Stephen H. Edwards and Wayne D. Heym and Timothy J. Long
and Murali Sitaramanand Bruce W. Weide}, title = {Part II: specifying components in {RESOLVE}}, journal = {SIGSOFT Softw. Eng. Notes}, volume = 19, number = 4, year = 1994,
issn = {0163-5948}, pages = {29--39},
doi = {10.1145/190679.190682}, publisher = pub-acm, address = pub-acm:adr
}
@PhDThesis{ kassios:theory:2006, author = {Ioannis T. Kassios}, title = {A Theory of Object Oriented Refinement}, school = {University of Toronto}, abstract = {This thesis introduces a formal theory of object oriented
refinement. The formal design of the theory is based on the
design principles of unification and decoupling, which we
believe have not been adequately used in other object
oriented refinement theories.
Thanks to the use of these principles, the semantics of the
theory is mathematically simpler than other approaches: the
formalization of most features uses very primitive
mathematical entities. Furthermore, the constructs of the
theory are more general than other approaches. There are
specification constructs more general than classes.
Features that are typically coupled with classes, like
reuse and polymorphism, now apply to these more general
specifications. Finally, our solution to the frame problem
is the only modular approach that we know of that does not
impose any aliasing control policy.
To demonstrate that the extra generality offers real
advantages to the specifier, we use the theory in some
specification examples that would be impossible with other
approaches. These examples, mainly inspired by Design
Patterns, represent realistic and common software design
situations.}, year = 2006
}
@TechReport{ dewar:setl:1979, author = {Robert B. K. Dewar}, title = {The {SETL} Programming Language}, year = 1979
}
@InBook{ chun.ea:risk-based:2008, author = {Soon Ae Chun and Vijay Atluri}, editor = {Bhargab B. Bhattacharya and Susmita Sur-Kolay and Subhas
C. Nandy and Aditya Bagchi}, booktitle = {Algorithms, Architecture and Information Systems
Security}, title = {Risk-based Access Control for Personal Data Services}, publisher = {World Scientific Press}, year = 2008, volume = 3,
series = {Statistical Science and Interdisciplinary Research},
isbn = 9789812836236
}
@Unpublished{ clark.ea:survey:1997, author = {John Clark and Jeremy Jacob}, title = {A Survey of Authentication Protocol: Literature: Version 1.0}, year = 1997
}
@Unpublished{ dierks.ea:tls:1999, author = {T. Dierks and C. Allen}, title = {The TLS Protocol Version 1.0}, year = 1999, publisher = {RFC Editor}, address = {United States},
note = {RFC 2246}
}
@InProceedings{ fontaine.ea:expressiveness:2006, author = {Pascal Fontaine and Jean-Yves Marion and Stephan Merz and
Leonor Prensa Nieto and Alwen Fernanto Tiu}, title = {Expressiveness + Automation + Soundness: Towards Combining
SMT Solvers and Interactive Proof Assistants}, booktitle = {TACAS}, year = 2006, pages = {167--181},
doi = {10.1007/11691372_11},
crossref = {hermanns.ea:tools:2006}
}
@Proceedings{ hermanns.ea:tools:2006, editor = {Holger Hermanns and Jens Palsberg}, title = {Tools and Algorithms for the Construction and Analysis of
Systems, 12th International Conference, TACAS 2006 Held as
Part of the Joint European Conferences on Theory and
Practice of Software, ETAPS 2006, Vienna, Austria, March 25
- April 2, 2006, Proceedings}, booktitle = {TACAS}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3920, year = 2006,
isbn = {3-540-33056-9}
}
@InProceedings{ amjad:lcf-style:2008, author = {Hasan Amjad}, title = {LCF-Style Propositional Simplification with BDDs and SAT
Solvers}, booktitle = {TPHOLs}, year = 2008, pages = {55--70},
doi = {10.1007/978-3-540-71067-7_9},
crossref = {mohamed.ea:theorem:2008}
}
@Proceedings{ mohamed.ea:theorem:2008, editor = {Otmane A\"{\i}t Mohamed and C{\'e}sar Mu{\~n}oz and
Sofi{\`e}ne Tahar}, title = {Theorem Proving in Higher Order Logics, 21st International
Conference, TPHOLs 2008, Montreal, Canada, August 18-21, 2008. Proceedings}, booktitle = {TPHOLs}, publisher = pub-springer, address = pub-springer:adr, volume = 5170,
series = s-lncs, year = 2008,
isbn = {978-3-540-71065-3}
}
@Article{ weber:integrating:2006, author = {Tjark Weber}, title = {Integrating a {SAT} Solver with an {LCF}-style Theorem
Prover}, editor = {Alessandro Armando and Alessandro Cimatti}, journal = j-entcs, month = jan, year = 2006, publisher = pub-elsevier, address = pub-elsevier:adr, pages = {67--78},
doi = {10.1016/j.entcs.2005.12.007},
issn = {1571-0661}, volume = 144, number = 2,
note = PROC # { the Third Workshop on Pragmatics of
Decision Procedures in Automated Reasoning (PDPAR 2005)},
clearance = {unclassified}, abstract = {This paper describes the integration of a leading SAT
solver with Isabelle/HOL, a popular interactive theorem
prover. The SAT solver generates resolution-style proofs
for (instances of) propositional tautologies. These proofs
are verified by the theorem prover. The presented approach
significantly improves Isabelle's performance on
propositional problems, and furthermore exhibits
counterexamples for unprovable conjectures.}
}
@Article{ weber.ea:efficiently:2009, title = {Efficiently checking propositional refutations in HOL
theorem provers}, journal = {Journal of Applied Logic}, volume = 7, number = 1, pages = {26 -- 40}, year = 2009,
note = {Special Issue: Empirically Successful Computerized
Reasoning},
issn = {1570-8683},
doi = {10.1016/j.jal.2007.07.003}, author = {Tjark Weber and Hasan Amjad}, abstract = {This paper describes the integration of zChaff and
MiniSat, currently two leading SAT solvers, with Higher
Order Logic (HOL) theorem provers. Both SAT solvers
generate resolution-style proofs for (instances of)
propositional tautologies. These proofs are verified by the
theorem provers. The presented approach significantly
improves the provers' performance on propositional
problems, and exhibits counterexamples for unprovable
conjectures. It is also shown that LCF-style theorem
provers can serve as viable proof checkers even for large
SAT problems. An efficient representation of the
propositional problem in the theorem prover turns out to be
crucial; several possible solutions are discussed.}
}
@Article{ wendling:german:2009, title = {The German {eHealth} programme}, journal = {Card Technology Today}, volume = 21, number = 1, pages = {10--11}, year = 2009,
issn = {0965-2590},
doi = {10.1016/S0965-2590(09)70018-0}, author = {Dietmar Wendling}, abstract = {Germany was one of the first countries in the world to use
smart cards for healthcare. Now it is at the starting gate
to roll out a new generation of cards. Dietmar Wendling,
vice president of the eGovernment market sector at SCM
Microsystems reports.}
}
@Article{ meng.ea:translating:2008, author = {Jia Meng and Lawrence C. Paulson}, title = {Translating Higher-Order Clauses to First-Order Clauses}, journal = j-jar, volume = 40, number = 1, year = 2008, pages = {35--60},
doi = {10.1007/s10817-007-9085-y}
}
@InProceedings{ paulson.ea:source-level:2007, author = {Lawrence C. Paulson and Kong Woei Susanto}, title = {Source-Level Proof Reconstruction for Interactive Theorem
Proving}, booktitle = {TPHOLs}, year = 2007, pages = {232--245},
doi = {10.1007/978-3-540-74591-4_18},
crossref = {schneider.ea:theorem:2007}
}
@Proceedings{ schneider.ea:theorem:2007, editor = {Klaus Schneider and Jens Brandt}, title = {Theorem Proving in Higher Order Logics, 20th International
Conference, TPHOLs 2007, Kaiserslautern, Germany, September 10-13, 2007, Proceedings}, booktitle = {TPHOLs}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 4732, year = 2007,
isbn = {978-3-540-74590-7}
}
@Article{ meng.ea:automation:2006, author = {Jia Meng and Claire Quigley and Lawrence C. Paulson}, title = {Automation for interactive proof: First prototype}, journal = {Inf. Comput.}, volume = 204, number = 10, year = 2006, pages = {1575--1596},
doi = {10.1016/j.ic.2005.05.010}
}
@InProceedings{ erkok.ea:using:2008,
location = {Princeton, New Jersey, USA}, author = {Levent Erk{\"o}k and John Matthews}, booktitle = {Automated Formal Methods (AFM'08)}, title = {Using Yices as an Automated Solver in Isabelle/{HOL}}, year = 2008
}
@Article{ jurjens.ea:model-based:2008, author = {Jan J{\"u}rjens and Rumm, R.}, title = {Model-based security analysis of the German health card
architecture.}, journal = {Methods Inf Med}, year = 2008, volume = 47, number = 5, pages = {409--416}, keywords = {Patient Identification Systems}, abstract = {OBJECTIVES: Health-care information systems are
particularly security-critical. In order to make these
applications secure, the security analysis has to be an
integral part of the system design and IT management
process for such systems. METHODS: This work presents the
experiences and results from the security analysis of the
system architecture of the German Health Card, by making
use of an approach to model-based security engineering that
is based on the UML extension UMLsec. The focus lies on the
security mechanisms and security policies of the
smart-card-based architecture which were analyzed using the
UMLsec method and tools. RESULTS: Main results of the paper
include a report on the employment of the UMLsec method in
an industrial health information systems context as well as
indications of its benefits and limitations. In particular,
two potential security weaknesses were detected and
countermeasures discussed. CONCLUSIONS: The results
indicate that it can be feasible to apply a model-based
security analysis using UMLsec to an industrial health
information system like the German Health Card
architecture, and that doing so can have concrete benefits
(such as discovering potential weaknesses, and an increased
confidence that no further vulnerabilities of the kind that
were considered are present).},
issn = {0026-1270}
}
@InProceedings{ miseldine:automated:2008, author = {Philip Miseldine}, title = {Automated {XACML} policy reconfiguration for evaluation
optimisation}, booktitle = {SESS}, year = 2008, pages = {1--8},
doi = {10.1145/1370905.1370906},
crossref = {win.ea:proceedings:2008}, abstract = {We present a programmatic approach to the optimisation of
XACML policies that specifies how a set of access control
rules should be best represented for optimised evaluation.
The work assumes no changes to the current XACML
specification and methods of interpretation shall be made,
so that those who consume XACML are unaffected
structurally, and those that generate XACML can provide
optimised output. Discussion regarding the flexibility of
the XACML specification to describe the same access rules
with different policy configurations is presented, and is
used to formulate a comprehensive analysis of the
evaluation costs the possible policy configurations will
produce. This leads to the specification of methods that
can be employed to produce optimal forms of policy
description. These are implemented and evaluated to show
the benefits of the approach proposed.}
}
@Proceedings{ win.ea:proceedings:2008, editor = {Bart De Win and Seok-Won Lee and Mattia Monga}, title = PROC # { the Fourth International Workshop on
Software Engineering for Secure Systems, SESS 2008,
Leipzig, Germany, May 17-18, 2008}, booktitle = {SESS}, publisher = {ACM}, year = 2008,
isbn = {978-1-60558-042-5}
}
@InProceedings{ liu.ea:firewall:2008, author = {Alex X. Liu and Eric Torng and Chad Meiners}, title = {Firewall Compressor: An Algorithm for Minimizing Firewall
Policies}, booktitle = PROC # { the 27th Annual IEEE Conference on Computer
Communications (Infocom)}, year = 2008, address = {Phoenix, Arizona}, month = {April}
}
@InProceedings{ liu.ea:xengine:2008, author = {Alex X. Liu and Fei Chen and JeeHyun Hwang and Tao Xie}, title = {{XEngine}: A Fast and Scalable {XACML} Policy Evaluation
Engine}, booktitle = PROC # { the International Conference on Measurement
and Modeling of Computer Systems (Sigmetrics)}, year = 2008, address = {Annapolis, Maryland}, month = {June}
}
@InProceedings{ goubault-larrecq:towards:2008, address = {Pittsburgh, PA, USA}, author = {Goubault{-}Larrecq, Jean}, booktitle = {{P}roceedings of the 21st {IEEE} {C}omputer {S}ecurity
{F}oundations {S}ymposium ({CSF}'08)},
doi = {10.1109/CSF.2008.21}, month = jun, pages = {224--238}, publisher = {{IEEE} Computer Society Press}, title = {Towards Producing Formally Checkable Security Proofs,
Automatically}, year = 2008
}
@InProceedings{ weidenbach.ea:spass:2007, author = {Christoph Weidenbach and Renate A. Schmidt and Thomas
Hillenbrand and Rostislav Rusev and Dalibor Topic}, title = {System Description: Spass Version 3.0}, booktitle = {CADE}, year = 2007, pages = {514--520},
doi = {10.1007/978-3-540-73595-3_38},
crossref = {pfenning:automated:2007}
}
@Proceedings{ pfenning:automated:2007, editor = {Frank Pfenning}, title = {Automated Deduction - CADE-21, 21st International
Conference on Automated Deduction, Bremen, Germany, July 17-20, 2007, Proceedings}, booktitle = {CADE},
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = 4603, year = 2007,
isbn = {978-3-540-73594-6}
}
@Article{ paulson:tls:1999, author = {Lawrence C. Paulson}, title = {Inductive Analysis of the Internet Protocol {TLS}}, journal = {ACM Trans. Inf. Syst. Secur.}, volume = 2, number = 3, year = 1999, pages = {332--351},
doi = {10.1145/322510.322530}
}
@Article{ harman.ea:testability:2004, author = {Mark Harman and Lin Hu and Rob Hierons and Joachim Wegener
and Harmen Sthamer and Andr{\'e} Baresel and Marc Roper}, title = {Testability Transformation}, journal = {IEEE Trans. Softw. Eng.}, volume = 30, number = 1, year = 2004,
issn = {0098-5589}, pages = {3--16},
doi = {10.1109/TSE.2004.1265732}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}
}
@Article{ dssouli.ea:communications:1999, title = {Communications software design for testability:
specification transformations and testability measures}, journal = {Information and Software Technology}, volume = 41, number = {11-12}, pages = {729--743}, year = 1999,
issn = {0950-5849},
doi = {10.1016/S0950-5849(99)00033-6},
url = {http://www.sciencedirect.com/science/article/B6V0B-3X3TD3J-4/2/0efca94003ffe88571f8aa2d346a1289}
, author = {R. Dssouli and K. Karoui and K. Saleh and O. Cherkaoui}, keywords = {Testing}
}
@Article{ baker:equal:1993, author = {Henry G. Baker}, title = {Equal rights for functional objects or, the more things
change, the more they are the same}, journal = {OOPS Messenger}, volume = 4, number = 4, year = 1993, pages = {2--27}, abstract = {We argue that intensional object identity in
object-oriented programming languages and databases is best
defined operationally by side-effect semantics. A corollary
is that "functional" objects have extensional semantics.
This model of object identity, which is analogous to the
normal forms of relational algebra, provides cleaner
semantics for the value-transmission operations and
built-in primitive equality predicate of a programming language, and eliminates the confusion surrounding "call-by-value" and "call-by-reference" as well as the
confusion of multiple equality predicates.Implementation
issues are discussed, and this model is shown to have
significant performance advantages in persistent, parallel,
distributed and multilingual processing environments. This
model also provides insight into the "type equivalence"
problem of Algol-68, Pascal and Ada.}
}
@Article{ hierons.ea:branch-coverage:2005, author = {Robert M. Hierons and Mark Harman and Chris Fox}, title = {Branch-Coverage Testability Transformation for
Unstructured Programs}, journal = {Comput. J.}, volume = 48, number = 4, year = 2005, pages = {421--436},
doi = {10.1093/comjnl/bxh093}, abstract = {Test data generation by hand is a tedious, expensive and
error-prone activity, yet testing is a vital part of the
development process. Several techniques have been proposed
to automate the generation of test data, but all of these
are hindered by the presence of unstructured control flow.
This paper addresses the problem using testability
transformation. Testability transformation does not
preserve the traditional meaning of the program, rather it
deals with preserving test-adequate sets of input data.
This requires new equivalence relations which, in turn,
entail novel proof obligations. The paper illustrates this
using the branch coverage adequacy criterion and develops a
branch adequacy equivalence relation and a testability
transformation for restructuring. It then presents a proof
that the transformation preserves branch adequacy.}
}
@InProceedings{ harman:open:2008, title = {Open Problems in Testability Transformation}, author = {Harman, M.}, booktitle = {Software Testing Verification and Validation Workshop, 2008. ICSTW '08. IEEE International Conference on}, year = 2008, month = {April}, pages = {196--209}, keywords = {data analysis, program testingsearch-based test data
generation, test adequacy criterion, testability
transformation},
doi = {10.1109/ICSTW.2008.30},
issn = {978-0-7695-3388-9}, abstract = {Testability transformation (tetra) seeks to transform a
program in order to make it easier to generate test data.
The test data is generated from the transformed version of
the program, but it is applied to the original version for
testing purposes. A transformation is a testability
transformation with respect to a test adequacy criterion if
all test data that is adequate for the transformed program
is also adequate for the untransformed program. Testability
transformation has been shown to be effective at improving
coverage for search based test data generation. However,
there are many interesting open problems. This paper
presents some of these open problems. The aim is to show
how testability transformation can be applied to a wide
range of testing scenarios.}
}
@InProceedings{ harman.ea:testability:2008, author = {Mark Harman and Andr{\'e} Baresel and David Binkley and
Robert M. Hierons and Lin Hu and Bogdan Korel and Phil
McMinn and Marc Roper}, title = {Testability Transformation - Program Transformation to
Improve Testability}, booktitle = {Formal Methods and Testing}, year = 2008, pages = {320--344},
doi = {10.1007/978-3-540-78917-8_11},
crossref = {hierons.ea:formal:2008}
}
@InProceedings{ veanes.ea:model-based:2008, author = {Margus Veanes and Colin Campbell and Wolfgang Grieskamp
and Wolfram Schulte and Nikolai Tillmann and Lev
Nachmanson}, title = {Model-Based Testing of Object-Oriented Reactive Systems
with Spec Explorer}, booktitle = {Formal Methods and Testing}, year = 2008, pages = {39--76},
doi = {10.1007/978-3-540-78917-8_2}, abstract = {},
crossref = {hierons.ea:formal:2008}
}
@Proceedings{ hierons.ea:formal:2008, editor = {Robert M. Hierons and Jonathan P. Bowen and Mark Harman}, title = {Formal Methods and Testing, An Outcome of the FORTEST
Network, Revised Selected Papers}, booktitle = {Formal Methods and Testing}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 4949, year = 2008,
isbn = {978-3-540-78916-1}
}
@Booklet{ omg:uml-infrastructure:2009,
bibkey = {omg:uml-infrastructure:2009},
key = omg, publisher = omg, language = {USenglish},
note = {Available as \acs{omg} document \href{http://www.omg.org/cgi-bin/doc?formal/2009-02-04}
{formal/2009-02-04}}, keywords = {\acs{uml}},
topic = {formalism},
public = {yes}, title = {\acs{uml} 2.2 Infrastructure Specification}, year = 2009
}
@InProceedings{ pirretti.ea:secure:2006, author = {Matthew Pirretti and Patrick Traynor and Patrick McDaniel
and Brent Waters}, title = {Secure attribute-based systems}, booktitle = PROC # {ACM conference on
Computer and communications security (CCS)}, year = 2006,
isbn = {1-59593-518-5}, pages = {99--112},
location = {Alexandria, Virginia, USA},
doi = {10.1145/1180405.1180419}, address = pub-acm:adr, publisher = pub-acm, abstract = {Attributes define, classify, or annotate the datum to
which they are assigned. However, traditional attribute
architectures and cryptosystems are ill-equipped to provide
security in the face of diverse access requirements and
environments. In this paper, we introduce a novel secure
information management architecture based on emerging
attribute-based encryption (ABE) primitives. A policy
system that meets the needs of complex policies is defined
and illustrated. Based on the needs of those policies, we
propose cryptographic optimizations that vastly improve
enforcement efficiency. We further explore the use of such
policies in two example applications: a HIPAA compliant
distributed file system and a social network. A performance
analysis of our ABE system and example applications
demonstrates the ability to reduce cryptographic costs by
as much as 98\% over previously proposed constructions.
Through this, we demonstrate that our attribute system is
an efficient solution for securely managing information in
large, loosely-coupled, distributed systems.}
}
@Article{ milicev:semantics:2007,
bibkey = {milicev:semantics:2007}, title = {On the Semantics of Associations and Association Ends in
UML}, author = {Dragan Milicev}, journal = {IEEE Transactions on Software Engineering}, year = 2007, month = apr, volume = 33, number = 4, pages = {238--251}, keywords = {Unified Modeling Language, entity-relationship modelling,
formal specification, object-oriented programming,
programming language semanticsUML, Unified Modeling Language, association end, conceptual modeling, formal
semantics, formal specification, intentional
interpretation, object-oriented modeling},
doi = {10.1109/TSE.2007.37},
issn = {0098-5589}
}
@InProceedings{ bierman.ea:first-class:2005, author = {Gavin M. Bierman and Alisdair Wren}, title = {First-Class Relationships in an Object-Oriented Language}, booktitle = {ECOOP}, year = 2005, pages = {262--286},
doi = {10.1007/11531142_12},
crossref = {black:ecoop:2005}
}
@Proceedings{ black:ecoop:2005, editor = {Andrew P. Black}, title = {ECOOP 2005 - Object-Oriented Programming, 19th European
Conference, Glasgow, UK, July 25-29, 2005, Proceedings}, booktitle = {ECOOP}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3586, year = 2005,
isbn = {3-540-27992-X}
}
@Article{ shafiq.ea:secure:2005, title = {Secure interoperation in a multidomain environment
employing RBAC policies}, author = {Basit Shafiq and James B.D. Joshi and Elisa Bertino and
Arif Ghafoor}, journal = j-tkde, year = 2005, month = nov, volume = 17, number = 11, pages = {1557--1577}, keywords = {Internet, authorisation, integer programming, open systems
Internet-based enterprise, heterogeneous role-based access
control, integer programming, multidomain application
environment, optimality criterion, policy integration
framework, secure interoperation},
doi = {10.1109/TKDE.2005.185},
issn = {1041-4347}
}
@Article{ aedo.ea:rbac:2006, volume = 11, number = 4, month = dec, year = 2006, title = {An {RBAC} Model-Based Approach to Specify the Access
Policies of Web-Based Emergency Information Systems}, author = {Ignacio Aedo and Paloma D{\'i}az and Daniel Sanz}, journal = {The International Journal of Intelligent Control and
Systems},
page = {272--283}, abstract = {One of the main design challenges of any Web-based
Emergency Management Information System (WEMIS) is the
diversity of users and responsibilities to be considered.
Modelling the access capabilities of different communities
of users is a most relevant concern for which the RBAC
(Role-Based Access Control) paradigm provides flexible and
powerful constructs. In this paper we describe how we used
an RBAC model-based approach to specify at different levels
of abstraction the access policy of a specific WEMIS called
ARCE (Aplicaci{\`o}n en Red para Casos de Emergencia). This
approach made possible to face access modelling at earlier
development stages, so that stakeholders got involved in
analytical and empirical evaluations to test the
correctness and completeness of the access policy.
Moreover, since the RBAC meta-model is embedded into a web
engineering method, we put in practice a holistic process
addressing different design perspectives in an integrated
way. }
}
@InProceedings{ phillips.ea:information:2002, author = {Charles E. Phillips, Jr. and T.C. Ting and Steven A.
Demurjian}, title = {Information sharing and security in dynamic coalitions}, booktitle = {SACMAT '02: Proceedings of the seventh ACM symposium on
Access control models and technologies}, year = 2002,
isbn = {1-58113-496-7}, pages = {87--96},
location = {Monterey, California, USA},
doi = {10.1145/507711.507726}, address = pub-acm:adr, publisher = pub-acm
}
@InProceedings{ martino.ea:multi-domain:2008, title = {Multi-domain and privacy-aware role based access control
in eHealth}, author = {Lorenzo D. Martino and Qun Ni and Dan Lin and Elisa
Bertino}, booktitle = {Second International Conference on Pervasive Computing
Technologies for Healthcare (PervasiveHealth 2008)}, year = 2008, month = {302008-Feb. 1}, pages = {131--134}, keywords = {authorisation, data privacy, health care, medical
information systemseHealth, electronic medical/health
records, healthcare professionals, multidomain
privacy-aware role based access control, patient safety,
privacy preserving,},
doi = {10.1109/PCTHEALTH.2008.4571050}
}
@InProceedings{ kamath.ea:user-credential:2006, author = {Ajith Kamath and Ramiro Liscano and Abdulmotaleb El
Saddik}, title = {User-credential based role mapping in multi-domain
environment}, booktitle = {PST '06: Proceedings of the 2006 International Conference
on Privacy, Security and Trust}, year = 2006,
isbn = {1-59593-604-1}, pages = {1--1},
location = {Markham, Ontario, Canada},
doi = {10.1145/1501434.1501507}, address = pub-acm:adr, publisher = pub-acm
}
@Article{ geethakumari.ea:cross:2009, journal = {International Journal of Computer Science \& Applications}, title = {A Cross -- Domain Role Mapping and Authorization Framework
for {RBAC} in Grid Systems.}, year = 2009, volume = {VI},
issue = {I}, author = {G. Geethakumari and Atul Negi and V. N. Sastry},
issn = {0972-9038}
}
@InProceedings{ gogolla.ea:benchmark:2008, author = {Martin Gogolla and Mirco Kuhlmann and Fabian B{\"u}ttner}, title = {A Benchmark for \acs{ocl} Engine Accuracy,
Determinateness, and Efficiency}, booktitle = {MoDELS}, year = 2008, pages = {446--459},
doi = {10.1007/978-3-540-87875-9_32},
crossref = {czarnecki.ea:models:2008}, abstract = {The Object Constraint Language (OCL) is a central element
in modeling and transformation languages like UML, MOF, and
QVT. Consequently approaches for MDE (Model-Driven
Engineering) depend on OCL. However, OCL is present not
only in these areas influenced by the OMG but also in the
Eclipse Modeling Framework (EMF). Thus the quality of OCL
and its realization in tools seems to be crucial for the
success of model-driven development. Surprisingly, up to
now a benchmark for OCL to measure quality properties has
not been proposed. This paper puts forward in the first
part the concepts of a comprehensive OCL benchmark. Our
benchmark covers (A) OCL engine accuracy (e.g., for the
undefined value and the use of variables), (B) OCL engine
determinateness properties (e.g., for the collection
operations any and flatten), and (C) OCL engine efficiency
(for data type and user-defined operations). In the second
part, this paper empirically evaluates the proposed
benchmark concepts by examining a number of OCL tools. The
paper discusses several differences in handling particular
OCL language features and underspecifications in the OCL
standard.}
}
@InProceedings{ gessenharter:mapping:2008, author = {Dominik Gessenharter}, title = {Mapping the {UML2} Semantics of Associations to a {Java}
Code Generation Model}, booktitle = {MoDELS}, year = 2008, pages = {813--827},
doi = {10.1007/978-3-540-87875-9_56},
crossref = {czarnecki.ea:models:2008}
}
@Proceedings{ czarnecki.ea:models:2008, editor = {Krzysztof Czarnecki and Ileana Ober and Jean-Michel Bruel
and Axel Uhl and Markus V{\"o}lter}, title = {Model Driven Engineering Languages and Systems, 11th
International Conference, MoDELS 2008, Toulouse, France,
September 28 - October 3, 2008. Proceedings}, booktitle = {MoDELS}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5301, year = 2008,
isbn = {978-3-540-87874-2}
}
@Article{ aalst.ea:workflow:2003, author = {Wil M. P. van der Aalst and Arthur H. M. ter Hofstede and
Bartek Kiepuszewski and Alistair P. Barros}, title = {Workflow Patterns}, journal = {Distributed and Parallel Databases}, volume = 14, number = 1, year = 2003, pages = {5--51},
doi = {10.1023/A:1022883727209}, abstract = {Differences in features supported by the various
contemporary commercial workflow management systems point
to different insights of suitability and different levels
of expressive power. The challenge, which we undertake in
this paper, is to systematically address workflow
requirements, from basic to complex. Many of the more
complex requirements identified, recur quite frequently in
the analysis phases of workflow projects, however their
implementation is uncertain in current products.
Requirements for workflow languages are indicated through
workflow patterns. In this context, patterns address
business requirements in an imperative workflow style
expression, but are removed from specific workflow
languages. The paper describes a number of workflow
patterns addressing what we believe identify comprehensive
workflow functionality. These patterns provide the basis
for an in-depth comparison of a number of commercially
availablework flow management systems. As such, this paper
can be seen as the academic response to evaluations made by
prestigious consulting companies. Typically, these
evaluations hardly consider the workflow modeling language
and routing capabilities, and focus more on the purely
technical and commercial aspects.}
}
@InProceedings{ chalin.ea:non-null:2005, author = {Patrice Chalin and Fr\'{e}d\'{e}ric Rioux}, title = {Non-null references by default in the {Java} modeling language}, booktitle = {SAVCBS '05: Proceedings of the 2005 conference on
Specification and verification of component-based systems}, year = 2005,
isbn = {1-59593-371-9}, pages = 9,
location = {Lisbon, Portugal},
doi = {10.1145/1123058.1123068}, address = pub-acm:adr, publisher = pub-acm, abstract = {Based on our experiences and those of our peers, we
hypothesized that in Java code, the majority of
declarations that are of reference types are meant to be
non-null. Unfortunately, the Java Modeling Language (JML),
like most interface specification and object-oriented
programming languages, assumes that such declarations are
possibly-null by default. As a consequence, developers need
to write specifications that are more verbose than
necessary in order to accurately document their module
interfaces. In practice, this results in module interfaces
being left incompletely and inaccurately specified. In this
paper we present the results of a study that confirms our
hypothesis. Hence, we propose an adaptation to JML that
preserves its language design goals and that allows
developers to specify that declarations of reference types
are to be interpreted as non-null by default. We explain
how this default is safer and results in less writing on
the part of specifiers than null-by-default. The paper also
reports on an implementation of the proposal in some of the
JML tools.}
}
@Article{ ekman.ea:pluggable:2007, author = {Torbj{\"o}rn Ekman and G{\"o}rel Hedin}, title = {Pluggable checking and inferencing of nonnull types for
{Java}}, journal = {Journal of Object Technology}, volume = 6, number = 9, year = 2007, pages = {455--475},
ee = {http://www.jot.fm/issues/issue_2007_10/paper23/index.html}
}
@InProceedings{ fahndrich.ea:declaring:2003, author = {Manuel F{\"a}hndrich and K. Rustan M. Leino}, title = {Declaring and checking non-null types in an
object-oriented language}, booktitle = {OOPSLA}, year = 2003, pages = {302--312},
doi = {10.1145/949305.949332},
crossref = {crocker.ea:proceedings:2003}
}
@Proceedings{ crocker.ea:proceedings:2003, editor = {Ron Crocker and Guy L. Steele Jr.}, title = PROC # { the 2003 ACM SIGPLAN Conference on
Object-Oriented Programming Systems, Languages and
Applications, OOPSLA 2003, October 26-30, 2003, Anaheim,
CA, USA}, booktitle = {OOPSLA}, year = 2003,
isbn = {1-58113-712-5}, address = pub-acm:adr, publisher = pub-acm
}
@InProceedings{ lee.ea:lightweight:2007, author = {Hannah K. Lee and Heiko and Luedemann}, title = {lightweight decentralized authorization model for
inter-domain collaborations}, booktitle = {SWS '07: Proceedings of the 2007 ACM workshop on Secure
web services}, year = 2007,
isbn = {978-1-59593-892-3}, pages = {83--89},
location = {Fairfax, Virginia, USA},
doi = {10.1145/1314418.1314431}, address = pub-acm:adr, publisher = pub-acm
}
@InProceedings{ freudenthal.ea:drbac:2002, title = {{dRBAC}: distributed role-based access control for dynamic
coalition environments}, author = {Freudenthal, E. and Pesin, T. and Port, L. and Keenan, E.
and Karamcheti, V.}, journal = {Distributed Computing Systems, 2002. Proceedings. 22nd
International Conference on}, year = 2002, pages = {411--420}, keywords = {authorisation, distributed processing PKI identities,
continuous monitoring, controlled activities, credential
discovery, credential validation, dRBAC, distributed
role-based access control, dynamic coalition environments,
graph approach, long-lived interactions, multiple
administrative domains, namespaces, policy roots, role
delegation, scalable decentralized access control
mechanism, scalable decentralized trust-management
mechanism, scalar valued attributes, third-party
delegation, transferred permissions, trust domains, trust
relationships},
doi = {10.1109/ICDCS.2002.1022279},
issn = {1063-6927 }, abstract = {distributed role-based access control (dRBAC) is a
scalable, decentralized trust-management and access-control
mechanism for systems that span multiple administrative
domains. dRBAC utilizes PKI identities to define trust
domains, roles to define controlled activities, and role
delegation across domains to represent permissions to these
activities. The mapping of controlled actions to roles
enables their namespaces to serve as policy roots. dRBAC
distinguishes itself from previous approaches by providing
three features: (1) third-party delegation of roles from
outside a domain's namespace, relying upon an explicit
delegation of assignment; (2) modulation of transferred
permissions using scalar valued attributes associated with
roles; and (3) continuous monitoring of trust relationships
over long-lived interactions. The paper describes the dRBAC
model and its scalable implementation using a graph
approach to credential discovery and validation.}
}
@Article{ liu.ea:role-based:2004, author = {Duen-Ren Liu and Mei-Yu Wu and Shu-Teng Lee}, title = {Role-based authorizations for workflow systems in support
of task-based separation of duty}, journal = {Journal of Systems and Software}, volume = 73, number = 3, year = 2004, pages = {375--387},
doi = {10.1016/S0164-1212(03)00175-4}, abstract = {Role-based authorizations for assigning tasks of workflows
to roles/users are crucial to security management in
workflow management systems. The authorizations must
enforce separation of duty (SoD) constraints to prevent
fraud and errors. This work analyzes and defines several
duty-conflict relationships among tasks, and designs
authorization rules to enforce SoD constraints based on the
analysis. A novel authorization model that incorporates
authorization rules is then proposed to support the
planning of assigning tasks to roles/users, and the
run-time activation of tasks. Different from existing work,
the proposed authorization model considers the AND/XOR
split structures of workflows and execution dependency
among tasks to enforce separation of duties in assigning
tasks to roles/users. A prototype system is developed to
realize the effectiveness of the proposed authorization
model.}
}
@Booklet{ nipkow.ea:isabelle-hol:2009, title = {{Isabelle's} Logic: {HOL}}, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, year = 2009,
misc = {\url{http://isabelle.in.tum.de/library/HOL/}}
}
@InProceedings{ garson.ea:security:2008, author = {Garson, Kathryn and Adams, Carlisle}, title = {Security and privacy system architecture for an e-hospital
environment}, booktitle = {IDtrust '08: Proceedings of the 7th symposium on Identity
and trust on the Internet}, year = 2008,
isbn = {978-1-60558-066-1}, pages = {122--130},
location = {Gaithersburg, Maryland},
doi = {10.1145/1373290.1373306}, address = pub-acm:adr, publisher = pub-acm
}
@Article{ kambourakis.ea:pki-based:2005, author = {G. Kambourakis and I. Maglogiannis and A. Rouskas}, title = {PKI-based secure mobile access to electronic health
services and data}, journal = {Technology and Health Care Journal}, volume = 13, number = 6, year = 2005,
issn = {0928-7329}, pages = {511--526}, publisher = pub-ios, address = pub-ios:adr, abstract = {Recent research works examine the potential employment of
public-key cryptography schemes in e-health environments.
In such systems, where a Public Key Infrastructure (PKI) is
established beforehand, Attribute Certificates (ACs) and
public key enabled protocols like TLS, can provide the
appropriate mechanisms to effectively support
authentication, authorization and confidentiality services.
In other words, mutual trust and secure communications
between all the stakeholders, namely physicians, patients
and e-health service providers, can be successfully
established and maintained. Furthermore, as the recently
introduced mobile devices with access to computer-based
patient record systems are expanding, the need of
physicians and nurses to interact increasingly with such
systems arises. Considering public key infrastructure
requirements for mobile online health networks, this paper
discusses the potential use of Attribute Certificates (ACs)
in an anticipated trust model. Typical trust interactions
among doctors, patients and e-health providers are
presented, indicating that resourceful security mechanisms
and trust control can be obtained and implemented. The
application of attribute certificates to support medical
mobile service provision along with the utilization of the
de-facto TLS protocol to offer competent confidentiality
and authorization services is also presented and evaluated
through experimentation, using both the 802.11 WLAN and
General Packet Radio Service (GPRS) networks.}
}
@InProceedings{ sahai.ea:fuzzy:2005, author = {Amit Sahai and Brent Waters}, title = {Fuzzy Identity-Based Encryption}, year = 2005, pages = {457--473},
doi = {10.1007/11426639_27},
crossref = {cramer:advances:2005}, abstract = {We introduce a new type of Identity-Based Encryption (IBE)
scheme that we call Fuzzy Identity-Based Encryption. In
Fuzzy IBE we view an identity as set of descriptive
attributes. A Fuzzy IBE scheme allows for a private key for
an identity, ohgr, to decrypt a ciphertext encrypted with
an identity, ohgr prime, if and only if the identities ohgr
and ohgr prime are close to each other as measured by the
ldquoset overlaprdquo distance metric. A Fuzzy IBE scheme
can be applied to enable encryption using biometric inputs
as identities; the error-tolerance property of a Fuzzy IBE
scheme is precisely what allows for the use of biometric
identities, which inherently will have some noise each time
they are sampled. Additionally, we show that Fuzzy-IBE can
be used for a type of application that we term
ldquoattribute-based encryptionrdquo. In this paper we
present two constructions of Fuzzy IBE schemes. Our
constructions can be viewed as an Identity-Based Encryption
of a message under several attributes that compose a
(fuzzy) identity. Our IBE schemes are both error-tolerant
and secure against collusion attacks. Additionally, our
basic construction does not use random oracles. We prove
the security of our schemes under the Selective-ID security
model. }
}
@Proceedings{ cramer:advances:2005, editor = {Ronald Cramer}, booktitle = PROC # {International Conference on the Theory and Applications of
Cryptographic Techniques (EUROCRYPT)},
location = {Advances in Cryptology - EUROCRYPT 2005, 24th Annual
International Conference on the Theory and Applications of
Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005,
Proceedings}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3494, year = 2005,
isbn = {3-540-25910-4}
}
@InProceedings{ goyal.ea:attribute-based:2006, author = {Vipul Goyal and Omkant Pandey and Amit Sahai and Brent
Waters}, title = {Attribute-based encryption for fine-grained access control
of encrypted data}, booktitle = {CCS '06: Proceedings of the 13th ACM conference on
Computer and communications security}, year = 2006,
isbn = {1-59593-518-5}, pages = {89--98},
location = {Alexandria, Virginia, USA},
doi = {10.1145/1180405.1180418}, address = pub-acm:adr, publisher = pub-acm, abstract = {As more sensitive data is shared and stored by third-party
sites on the Internet, there will be a need to encrypt data
stored at these sites. One drawback of encrypting data, is
that it can be selectively shared only at a coarse-grained
level (i.e., giving another party your private key). We
develop a new cryptosystem for fine-grained sharing of
encrypted data that we call Key-Policy Attribute-Based
Encryption (KP-ABE). In our cryptosystem, ciphertexts are
labeled with sets of attributes and private keys are
associated with access structures that control which
ciphertexts a user is able to decrypt. We demonstrate the
applicability of our construction to sharing of audit-log
information and broadcast encryption. Our construction
supports delegation of private keys which
subsumesHierarchical Identity-Based Encryption (HIBE).}
}
@InProceedings{ li.ea:privacy-aware:2009, author = {Jin Li and Kui Ren and Bo Zhu and Zhiguo Wan}, title = {Privacy-aware Attribute-based Encryption with User
Accountability}, booktitle = {The 12th Information Security Conference (ISC'09)},
location = {September 7-9, 2009, Pisa}, year = 2009, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, abstract = {As a new public key primitive, attribute-based encryption
(ABE) is envisioned to be a promising tool for implementing
fine-grained access control. To further address the concern
of user access privacy, privacy-aware ABE schemes are being
developed to achieve hidden access policy recently. For the
purpose of secure access control, there is, how- ever,
still one critical functionality missing in the existing
ABE schemes, which is user accountability. Currently, no
ABE scheme can completely prevent the problem of illegal
key sharing among users. In this paper, we tackle this
problem by firstly proposing the notion of accountable,
anonymous, and ciphertext-policy ABE (CP-A3 BE, in short)
and then giving out a concrete construction. We start by
improving the state-of-the-art of anonymous CP-ABE to
obtain shorter public parameters and ciphertext length. In
the proposed CP-A3 BE construction, user accountability can
be achieved in black-box model by embedding additional
user-specific information into the attribute private key
issued to that user, while still maintaining hidden access
policy. The proposed constructions are provably secure.}
}
@InProceedings{ bobba.ea:pbes:2009, author = {Rakesh Bobba and and Himanshu Khurana and Musab AlTurki
and Farhana Ashraf}, title = {PBES: a policy based encryption system with application to
data sharing in the power grid}, booktitle = {ASIACCS '09: Proceedings of the 4th International
Symposium on Information, Computer, and Communications
Security}, year = 2009,
isbn = {978-1-60558-394-5}, pages = {262--275},
location = {Sydney, Australia},
doi = {10.1145/1533057.1533093}, address = pub-acm:adr, publisher = pub-acm, abstract = {In distributed systems users need the ability to share
sensitive content with multiple other recipients based on
their ability to satisfy arbitrary policies. One such
system is electricity grids where finegrained sensor data
sharing holds the potential for increased reliability and
efficiency. However, effective data sharing requires
technical solutions that support flexible access policies,
for example, sharing more data when the grid is unstable.
In such systems, both the messages and policies are
sensitive and, therefore, they need to kept be secret.
Furthermore, to allow for such a system to be secure and
usable in the presence of untrusted object stores and
relays it must be resilient in the presence of active
adversaries and provide efficient key management. While
several of these properties have been studied in the past
we address a new problem in the area of policy based
encryption in that we develop a solution with all of these
capabilities. We develop a Policy and Key Encapsulation
Mechanism -- Data Encapsulation Mechanism (PKEM-DEM)
encryption scheme that is a generic construction secure
against adaptive chosen ciphertext attacks and develop a
Policy Based Encryption System (PBES) using this scheme
that provides these capabilities. We provide an
implementation of PBES and measure its performance.}
}
@InProceedings{ shanqing.ea:attribute-based:2008, author = {Guo Shanqing and Zeng Yingpei}, title = {Attribute-based Signature Scheme},
doi = {10.1109/ISA.2008.111}, booktitle = {International Conference on Information Security and
Assurance, 2008 (ISA 2008)}, year = 2008, pages = {509--511}, month = apr, address = pub-ieee:adr, publisher = pub-ieee, abstract = {In real life, one requires signatures from people who
satisfy certain criteria like that they should possess some
specific attributes. For example, Alice wants a document to
be signed by some employee in Bob's company. This employee
must have certain attributes such as being part of the IT
staff and at least a junior manager in the cryptography
team or a senior manager in the biometrics team. In order
to satisfy these kinds of needs, we defined a common
Attribute-based signature scheme where the signing member
has to have certain attributes or belong to a certain
group, and we also proved our scheme to be secure.}
}
@Article{ huang.ea:aspe:2009, title = {ASPE: attribute-based secure policy enforcement in
vehicular ad hoc networks}, journal = {Ad Hoc Networks}, volume = 7, number = 8, pages = {1526--1535}, year = 2009,
mynote = {Privacy and Security in Wireless Sensor and Ad Hoc
Networks},
issn = {1570-8705},
doi = {10.1016/j.adhoc.2009.04.011}, author = {Dijiang Huang and Mayank Verma}, keywords = {Security, Vehicular networks, Secure group communications,
Key management, Attribute based encryption}, publisher = pub-elsevier, address = pub-elsevier:adr, abstract = {Vehicular ad hoc networks (VANETs) are usually operated
among vehicles moving at high speeds, and thus their
communication relations can be changed frequently. In such
a highly dynamic environment, establishing trust among
vehicles is difficult. To solve this problem, we propose a
flexible, secure and decentralized attribute based secure
key management framework for VANETs. Our solution is based
on attribute based encryption (ABE) to construct an
attribute based security policy enforcement (ASPE)
framework. ASPE considers various road situations as
attributes. These attributes are used as encryption keys to
secure the transmitted data. ASPE is flexible in that it
can dynamically change encryption keys depending on the
VANET situations. At the same time, ASPE naturally
incorporates data access control policies on the
transmitted data. ASPE provides an integrated solution to
involve data access control, key management, security
policy enforcement, and secure group formation in highly
dynamic vehicular communication environments. Our
performance evaluations show that ASPE is efficient and it
can handle large amount of data encryption/decryption flows
in VANETs.}
}
@InProceedings{ weber:securing:2009, author = {Stefan G. Weber}, title = {Securing First Response Coordination With Dynamic
Attribute-Based Encryption}, booktitle = {World Congress on Privacy, Security, Trust and the
Management of e-Business (CONGRESS)}, year = 2009, pages = {58--69},
isbn = {978-0-7695-3805-1}, address = pub-ieee:adr, publisher = pub-ieee, abstract = {Every minute saved in emergency management processes can
save additional lives of affected victims. Therefore, an
effective coordination of the incident reactions of mobile
first responders is very important, especially in the face
of rapidly changing situations of large scale disasters.
However, tactical communication and messaging between the
headquarter and mobile first responders, initiated for
coordination purposes, has to meet a strong security
requirements: it must preserve confidentiality in order to
prevent malicious third parties from disrupting the
reactions. This paper presents concepts to support the
secure coordination of mobile first responders by providing
means for secure ubiquitous tactical communication. Our
concept harnesses ciphertext-policy attribute-based
encryption (CP-ABE) techniques. We extend current CP-ABE
proposals by additionally taking into account dynamic
factors: our proposed system is able to handle dynamic
attributes, like current status of duty and location of
mobile first responders, in a secure fashion, in order to
support flexible specification of receiver groups of
tactical messages, while end-to-end encryption in the
messaging process is still satisfied.}
}
@InProceedings{ cardoso:approaches:2006, author = {Jorge Cardoso}, title = {Approaches to Compute Workflow Complexity}, booktitle = {The Role of Business Processes in Service Oriented
Architectures}, year = 2006,
ee = {http://drops.dagstuhl.de/opus/volltexte/2006/821},
crossref = {leymann.ea:role:2006}, abstract = {During the last 20 years, complexity has been an
interesting topic that has been investigated in many fields
of science, such as biology, neurology, software
engineering, chemistry, psychology, and economy. A survey
of the various approaches to understand complexity has lead
sometimes to a measurable quantity with a rigorous but
narrow definition and other times as merely an ad hoc
label. In this paper we investigate the complexity concept
to avoid a vague use of the term `complexity' in workflow
designs. We present several complexity metrics that have
been used for a number of years in adjacent fields of
science and explain how they can be adapted and use to
evaluate the complexity of workflows. }
}
@Proceedings{ leymann.ea:role:2006, editor = {Frank Leymann and Wolfgang Reisig and Satish R. Thatte and
Wil M. P. van der Aalst}, title = {The Role of Business Processes in Service Oriented
Architectures, 16.07. - 21.07.2006}, booktitle = {The Role of Business Processes in Service Oriented
Architectures}, publisher = {Internationales Begegnungs- und Forschungszentrum fuer
Informatik (IBFI), S chloss Dagstuhl, Germany},
series = {Dagstuhl Seminar Proceedings}, volume = 06291, year = 2006
}
@Article{ parnas:stop:2007, author = {David Lorge Parnas}, title = {Stop the numbers game}, journal = j-cacm, volume = 50, number = 11, year = 2007,
issn = {0001-0782}, pages = {19--21},
doi = {10.1145/1297797.1297815}, address = pub-acm:adr, publisher = pub-acm
}
@InBook{ gentry:ibe:2006, author = {Craig Gentry},
chapter = {IBE (Identity-Based Encryption)}, title = {Handbook of Information Security}, editor = {Hossein Bidgoli}, volume = 2,
isbn = {0-471-64833-7}, publisher = {John Wiley \& Sons}, pages = {575--592}, month = jan, year = 2006
}
@InProceedings{ bethencourt.ea:ciphertext-policy:2007, author = {John Bethencourt and Amit Sahai and Brent Waters}, title = {Ciphertext-Policy Attribute-Based Encryption}, booktitle = {IEEE Symposium on Security and Privacy}, pages = {321--334}, year = 2007,
doi = {10.1109/SP.2007.11}, abstract = {In several distributed systems a user should only be able
to access data if a user posses a certain set of
credentials or attributes. Currently, the only method for
enforcing such policies is to employ a trusted server to
store the data and mediate access control. However, if any
server storing the data is compromised, then the
confidentiality of the data will be compromised. In this
paper we present a system for realizing complex access
control on encrypted data that we call ciphertext-policy
attribute-based encryption. By using our techniques
encrypted data can be kept confidential even if the storage
server is untrusted; moreover, our methods are secure
against collusion attacks. Previous attribute-based
encryption systems used attributes to describe the
encrypted data and built policies into user's keys; while
in our system attributes are used to describe a user's
credentials, and a party encrypting data determines a
policy for who can decrypt. Thus, our methods are
conceptually closer to traditional access control methods
such as role-based access control (RBAC). In addition, we
provide an implementation of our system and give
performance measurements.}, publisher = pub-ieee, address = pub-ieee:adr
}
@Article{ karedla.ea:caching:1994, author = {Ramakrishna Karedla and J. Spencer Love and Bradley G.
Wherry}, title = {Caching strategies to improve disk system performance}, journal = j-computer, volume = 27, number = 3,
issn = {0018-9162}, year = 1994, pages = {38--46},
doi = {10.1109/2.268884}, publisher = pub-ieee, address = pub-ieee:adr, abstract = {I/O subsystem manufacturers attempt to reduce latency by
increasing disk rotation speeds, incorporating more
intelligent disk scheduling algorithms, increasing I/O bus
speed, using solid-state disks, and implementing caches at
various places in the I/O stream. In this article, we
examine the use of caching as a means to increase system
response time and improve the data throughput of the disk
subsystem. Caching can help to alleviate I/O subsystem
bottlenecks caused by mechanical latencies. This article
describes a caching strategy that offers the performance of
caches twice its size. After explaining some basic caching
issues, we examine some popular caching strategies and
cache replacement algorithms, as well as the advantages and
disadvantages of caching at different levels of the
computer system hierarchy. Finally, we investigate the
performance of three cache replacement algorithms: random
replacement (RR), least recently used (LRU), and a
frequency-based variation of LRU known as segmented LRU
(SLRU). }
}
@InProceedings{ megiddo.ea:arc:2003, author = {Nimrod Megiddo and Dharmendra S. Modha}, title = {{ARC}: A Self-Tuning, Low Overhead Replacement Cache}, booktitle = {FAST '03: Proceedings of the 2nd USENIX Conference on File
and Storage Technologies}, year = 2003, pages = {115--130},
location = {San Francisco, CA}, publisher = {\acs{usenix} Association}, address = {Berkeley, CA, USA}
}
@InProceedings{ chou.ea:evaluation:1985, author = {Hong-Tai Chou and David J. DeWitt}, title = {An evaluation of buffer management strategies for
relational database systems}, booktitle = {VLDB '1985: Proceedings of the 11th international
conference on Very Large Data Bases}, year = 1985, pages = {127--141},
location = {Stockholm, Sweden}, publisher = {VLDB Endowment}
}
@InProceedings{ yu.ea:fdac:2009, author = {Shucheng Yu and Kui Ren and Wenjing Lou}, title = {{FDAC}: Toward fine-grained distributed data access
control in wireless sensor networks}, booktitle = PROC # { \acs{ieee} Conference on Computer
Communications (INFOCOM)}, year = 2009, address = pub-ieee:adr, publisher = pub-ieee, abstract = {Distributed sensor data storage and retrieval has gained
increasing popularity in recent years for supporting
various applications. While distributed architecture enjoys
a more robust and fault-tolerant wireless sensor network
(WSN), such architecture also poses a number of security
challenges especially when applied in mission-critical
applications such as battle field and e-healthcare. First,
as sensor data are stored and maintained by individual
sensors and unattended sensors are easily subject to strong
attacks such as physical compromise, it is significantly
harder to ensure data security. Second, in many
mission-critical applications, fine-grained data access
control is a must as illegal access to the sensitive data
may cause disastrous result and/or prohibited by the law.
Last but not least, sensors usually are resource-scarce,
which limits the direct adoption of expensive cryptographic
primitives. To address the above challenges, we propose in
this paper a distributed data access control scheme that is
able to fulfill fine-grained access control over sensor
data and is resilient against strong attacks such as sensor
compromise and user colluding. The proposed scheme exploits
a novel cryptographic primitive called attribute-based
encryption (ABE), tailors, and adapts it for WSNs with
respect to both performance and security requirements. The
feasibility of the scheme is demonstrated by experiments on
real sensor platforms. To our best knowledge, this paper is
the first to realize distributed fine-grained data access
control for WSNs.}
}
@InProceedings{ traynor.ea:massive-scale:2008, author = {Patrick Traynor and Kevin R. B. Butler and William Enck
and Patrick McDaniel}, title = {Realizing Massive-Scale Conditional Access Systems Through
Attribute-Based Cryptosystems}, booktitle = PROC # { 15th Annual Network and Distributed System
Security Symposium (NDSS 2008)}, year = 2008, abstract = {The enormous growth in the diversity of content services
such as IPtv has highlighted the inadequacy of the
accompanying content security: existing security mechanisms
scale poorly, require complex and often costly dedicated
hardware, or fail to meet basic security requirements. New
security methods are needed. In this paper, we explore the
ability of attribute-based encryption (ABE) to meet the
unique performance and security requirements of conditional
access systems such as subscription radio and payper- view
television. We show through empirical study that costs of
ABE make its direct application inappropriate, but present
constructions that mitigate its incumbent costs. We develop
an extensive simulation that allows us to explore the
performance of a number of virtual hardware configurations
and construction parameters over workloads developed from
real subscription and television audiences. These
simulations show that we can securely deliver high quality
content to viewerships of the highest rated shows being
broadcast today, some in excess of 26,000,000 viewers. It
is through these experiments that we expose the viability
of not only ABE-based content delivery, but applicability
of ABE systems to large-scale distributed systems.},
url = {http://www.isoc.org/isoc/conferences/ndss/08/papers/06_realizing_massive-scale_conditional.pdf}
,
location = {San Diego, California, USA}, month = feb, publisher = {The Internet Society}
}
@Article{ alpern.ea:defining:1985, author = {Bowen Alpern and Fred B. Schneider}, title = {Defining Liveness}, journal = j-ipl, volume = 21, number = 4, year = 1985, pages = {181--185}
}
@Article{ lamport:proving:1977, title = {Proving the Correctness of Multiprocess Programs}, author = {Leslie Lamport}, journal = j-tse, year = 1977, month = {March}, volume = {SE-3}, number = 2, pages = {125--143}, abstract = {The inductive assertion method is generalized to permit
formal, machine-verifiable proofs of correctness for
multiprocess programs. Individual processes are represented
by ordinary flowcharts, and no special synchronization
mechanisms are assumed, so the method can be applied to a
large class of multiprocess programs. A correctness proof
can be designed together with the program by a hierarchical
process of stepwise refinement, making the method practical
for larger programs. The resulting proofs tend to be
natural formalizations of the informal proofs that are now
used.}, keywords = {null Assertions, concufrent programming, correctness,
multiprocessing, synchronization},
doi = {10.1109/TSE.1977.229904},
issn = {0098-5589}
}
@InProceedings{ goodenough.ea:toward:1975, author = {John B. Goodenough and Susan L. Gerhart}, title = {Toward a theory of test data selection}, booktitle = PROC # { the international conference on Reliable
software}, year = 1975, pages = {493--510},
url = {http://portal.acm.org/citation.cfm?id=808473&dl=ACM&coll=GUIDE#}
,
location = {Los Angeles, California}, abstract = {This paper examines the theoretical and practical role of
testing in software development. We prove a fundamental
theorem showing that properly structured tests are capable
of demonstrating the absence of errors in a program. The
theorem's proof hinges on our definition of test
reliability and validity, but its practical utility hinges
on being able to show when a test is actually reliable. We
explain what makes tests unreliable (for example, we show
by example why testing all program statements, predicates,
or paths is not usually sufficient to insure test
reliability), and we outline a possible approach to
developing reliable tests. We also show how the analysis
required to define reliable tests can help in checking a
program's design and specifications as well as in
preventing and detecting implementation errors. },
acknowledgement={none}
}
@InCollection{ aczel:introduction:1977, author = {Peter Aczel}, title = {An Introduction to Inductive Definitions}, booktitle = {Handbook of Mathematical Logic}, editor = {Jon Barwise},
series = {Studies in Logic and the Foundations of Mathematics}, volume = 90,
chapter = {C.7}, pages = {739--782}, publisher = {North-Holland}, address = {Amsterdam}, year = 1977
}
@InProceedings{ cousot.ea:abstract:1977, author = {Patrick Cousot and Radhia Cousot}, title = {Abstract interpretation: a unified lattice model for
static analysis of programs by construction or
approximation of fixpoints}, booktitle = PROC # { the 4th ACM SIGACT-SIGPLAN symposium on
Principles of programming languages}, year = 1977, pages = {238--252},
location = {Los Angeles, California},
doi = {10.1145/512950.512973}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}
}
@Article{ cardelli.ea:understanding:1985, author = {Luca Cardelli and Peter Wegner}, title = {On understanding types, data abstraction, and
polymorphism}, journal = {ACM Computing Surveys}, volume = 17, number = 4, year = 1985,
issn = {0360-0300},
acknowledgement={none}, pages = {471--523},
doi = {10.1145/6041.6042}, publisher = pub-acm, address = pub-acm:adr, abstract = {Our objective is to understand the notion of type in
programming languages, present a model of typed,
polymorphic programming languages that reflects recent
research in type theory, and examine the relevance of
recent research to the design of practical programming
languages. Object-oriented languages provide both a
framework and a motivation for exploring the interaction
among the concepts of type, data abstraction, and
polymorphism, since they extend the notion of type to data
abstraction and since type inheritance is an important form
of polymorphism. We develop a &lgr;-calculus-based model
for type systems that allows us to explore these
interactions in a simple setting, unencumbered by
complexities of production programming languages. The
evolution of languages from untyped universes to
monomorphic and then polymorphic type systems is reviewed.
Mechanisms for polymorphism such as overloading, coercion,
subtyping, and parameterization are examined. A unifying
framework for polymorphic type systems is developed in
terms of the typed &lgr;-calculus augmented to include
binding of types by quantification as well as binding of
values by abstraction. The typed &lgr;-calculus is
augmented by universal quantification to model generic
functions with type parameters, existential quantification
and packaging (information hiding) to model abstract data
types, and bounded quantification to model subtypes and
type inheritance. In this way we obtain a simple and
precise characterization of a powerful type system that
includes abstract data types, parametric polymorphism, and
multiple inheritance in a single consistent framework. The
mechanisms for type checking for the augmented
&lgr;-calculus are discussed. The augmented typed
&lgr;-calculus is used as a programming language for a
variety of illustrative examples. We christen this language
Fun because fun instead of &lgr; is the functional
abstraction keyword and because it is pleasant to deal
with. Fun is mathematically simple and can serve as a basis
for the design and implementation of real programming
languages with type facilities that are more powerful and
expressive than those of existing programming languages. In
afsyped object-oriented languages. }
}
@InProceedings{ wadler:listlessness:1985, author = {Philip Wadler}, title = {Listlessness is better than laziness II: composing
listless functions}, booktitle = {on Programs as data objects}, year = 1985,
isbn = {0-387-16446-4}, pages = {282--305},
location = {Copenhagen, Denmark}, publisher = pub-springer, address = pub-springer:adr,
acknowledgement={none}
}
@InProceedings{ clement.ea:simple:1986, author = {Dominique Cl\'ement and Thierry Despeyroux and Gilles Kahn
and Jo\"elle Despeyroux}, title = {A simple applicative language: {mini-ML}}, booktitle = {LFP '86: Proceedings of the 1986 ACM conference on LISP
and functional programming}, year = 1986,
isbn = {0-89791-200-4}, pages = {13--27},
location = {Cambridge, Massachusetts, United States},
doi = {10.1145/319838.319847}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}
}
@InProceedings{ hamlet:theoretical:1989, author = {R. Hamlet}, title = {Theoretical comparison of testing methods}, booktitle = PROC # { the ACM SIGSOFT '89 third symposium on
Software testing, analysis, and verification}, year = 1989,
isbn = {0-89791-342-6}, pages = {28--37},
location = {Key West, Florida, United States},
doi = {10.1145/75308.75313}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}
}
@Article{ frankl.ea:applicable:1988, author = {P. G. Frankl and E. J. Weyuker}, title = {An Applicable Family of Data Flow Testing Criteria}, journal = j-ieee-tse, volume = 14, number = 10, year = 1988, month = oct,
issn = {0098-5589}, pages = {1483--1498},
doi = {http://dx.doi.org/10.1109/32.6194}, publisher = pub-ieee, abstract = {he authors extend the definitions of the previously
introduced family of data flow testing criteria to apply to
programs written in a large subset of Pascal. They then
define a family of adequacy criteria called feasible data
flow testing criteria, which are derived from the data-flow
testing criteria. The feasible data flow testing criteria
circumvent the problem of nonapplicability of the data flow
testing criteria by requiring the test data to exercise
only those definition-use associations which are
executable. It is shown that there are significant
differences between the relationships among the data flow
testing criteria and the relationships among the feasible
data flow testing criteria. The authors discuss a
generalized notion of the executability of a path through a
program unit. A script of a testing session using their
data flow testing tool, ASSET, is included.},
acknowledgement={none}
}
@InProceedings{ teo.ea:use:1988, author = {Ghee S. Teo and M\'{\i}che{\'a}l Mac an Airchinnigh}, title = {The Use of VDM in the Specification of Chinese
Characters.}, booktitle = {VDM Europe}, year = 1988, pages = {476--499},
crossref = {bloomfield.ea:vdm:1988},
acknowledgement={none}
}
@Proceedings{ bloomfield.ea:vdm:1988, editor = {Robin E. Bloomfield and Lynn S. Marshall and Roger B.
Jones}, title = {VDM '88, VDM - The Way Ahead, 2nd VDM-Europe Symposium,
Dublin, Ireland, September 11-16, 1988, Proceedings}, booktitle = {VDM Europe}, publisher = pub-springer,
series = lncs, volume = 328, year = 1988,
isbn = {3-540-50214-9},
acknowledgement={none},
bibkey = {bloomfield.ea:vdm:1988}
}
@InProceedings{ cook.ea:inheritance:1990, author = {William R. Cook and Walter Hill and Peter S. Canning}, title = {Inheritance is not subtyping}, booktitle = {POPL '90: Proceedings of the 17th ACM SIGPLAN-SIGACT
symposium on Principles of programming languages}, year = 1990,
isbn = {0-89791-343-4}, pages = {125--135},
location = {San Francisco, California, United States},
doi = {10.1145/96709.96721}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}, abstract = {In typed object-oriented languages the subtype relation is
typically based on the inheritance hierarchy. This
approach, however, leads either to insecure type-systems or
to restrictions on inheritance that make it less flexible
than untyped Smalltalk inheritance. We present a new typed
model of inheritance that allows more of the flexibility of
Smalltalk inheritance within a statically-typed system.
Significant features of our analysis are the introduction
of polymorphism into the typing of inheritance and the
uniform application of inheritance to objects, classes and
types. The resulting notion of type inheritance allows us
to show that the type of an inherited object is an
inherited type but not always a subtype. },
bibkey = {cook.ea:inheritance:1990}
}
@Article{ lynch.ea:forward:1996, author = {Nancy Lynch and Frits Vaandrager}, title = {Forward and backward simulations II.: timing-based
systems}, journal = {Inf. Comput.}, volume = 128, number = 1, year = 1996,
issn = {0890-5401}, pages = {1--25},
doi = {10.1006/inco.1996.0060}, publisher = {Academic Press, Inc.},
acknowledgement={none},
bibkey = {lynch.ea:forward:1996}
}
@Article{ lamport.ea:should:1999, author = {Leslie Lamport and Lawrence C. Paulson}, title = {Should your specification language be typed.}, journal = {ACM Trans. Program. Lang. Syst.}, volume = 21, number = 3, year = 1999,
acknowledgement={none}, pages = {502--526}, publisher = pub-acm, address = pub-acm:adr,
issn = {0164-0925},
doi = {10.1145/319301.319317}
}
@InProceedings{ muller.ea:formal:1997, title = {Formal Specification Techniques for Object-Oriented
Programs }, author = {Peter M{\"u}ller and Arnd Poetzsch-Heffter }, editor = {Jarke, M. and Pasedach, K. and Pohl, K. }, booktitle = {Informatik 97: Informatik als Innovationsmotor },
series = {Informatik Aktuell }, publisher = pub-springer, address = pub-springer:adr,
acknowledgement={none}, year = 1997, abstract = {Specification techniques for object-oriented programs
relate the operational world of programs to the declarative
world of specifications. We present a formal foundation of
interface specification languages. Based on the formal
foundation, we develop new specification techniques to
describe functional behavior, invariants, and side-effects.
Furthermore, we discuss the influence of program extensions
on program correctness.}
}
@Article{ wolper:meaning:1997, author = {Pierre Wolper}, title = {The Meaning of ``Formal'': From Weak to Strong Formal
Methods.}, journal = j-sttt, volume = 1, publisher = pub-springer, address = pub-springer:adr, number = {1-2}, year = 1997, pages = {6--8},
doi = {10.1007/s100090050002},
acknowledgement={none}
}
@TechReport{ aredo.ea:towards:1999, title = {Towards a formalization of {UML} Class Structure in
{PVS}}, author = {Demissie B. Aredo and I. Traore and K. St{\o}len},
institution = {Department of Informatics, University of Oslo}, year = 1999, month = aug, number = 272,
acknowledgement={none}
}
@Book{ derrick.ea:refinement:2001, author = {John Derrick and Eerke Boiten}, title = {Refinement in {Z} and {Object-Z}},
library = {ETH-BIB}, publisher = pub-springer, address = pub-springer:adr,
isbn = {1-85233-245-X},
url = {http://www.cs.kent.ac.uk/people/staff/jd1/books/refine/}, year = 2001,
acknowledgement={none},
bibkey = {derrick.ea:refinement:2001}
}
@TechReport{ boer.ea:towards:2003, author = {Frank S. de Boer and Cees Pierik}, year = 2003, title = {Towards an environment for the verification of annotated
object-oriented programs}, number = {UU-CS-2003-002},
institution = {Institute of Information and Computing Sciences, Utrecht
University},
acknowledgement={none}
}
@Article{ dybjer.ea:verifying:2004, author = {Peter Dybjer and Qiao Haiyana and Makoto Takeyama}, booktitle = {Third International Conference on Quality Software: QSIC 2003}, title = {Verifying Haskell programs by combining testing, model
checking and interactive theorem proving}, journal = {Information and Software Technology}, year = 2004, number = 15, volume = 46, pages = {1011--1025},
doi = {10.1016/j.infsof.2004.07.002}, abstract = {We propose a program verification method that combines
random testing, model checking and interactive theorem
proving. Testing and model checking are used for debugging
programs and specifications before a costly interactive
proof attempt. During proof development, testing and model
checking quickly eliminate false conjectures and generate
counterexamples which help to correct them. With an
interactive theorem prover we also ensure the correctness
of the reduction of a top level problem to subproblems that
can be tested or proved. We demonstrate the method using
our random testing tool and binary decision diagrams-based
(BDDs) tautology checker, which are added to the Agda/Alfa
interactive proof assistant for dependent type theory. In
particular we apply our techniques to the verification of
Haskell programs. The first example verifies the BDD
checker itself by testing its components. The second uses
the tautology checker to verify bitonic sort together with
a proof that the reduction of the problem to the checked
form is correct.},
acknowledgement={none}
}
@PhDThesis{ kopylov:type:2004, author = {Alexei Pavlovich Kopylov}, title = {Type Theoretical Foundations for Data Structures, Classes,
and Objects}, school = {Cornell University}, year = 2004, abstract = {In this thesis we explore the question of how to represent
programming data structures in a constructive type theory.
The basic data structures in programing languages are
records and objects. Most known papers treat such data
structure as primitive. That is, they add new primitive
type constructors and sup- porting axioms for records and
objects. This approach is not satisfactory. First of all it
complicates a type theory a lot. Second, the validity of
the new axioms is not easily established. As we will see
the naive choice of axioms can lead to contradiction even
in the simplest cases. We will show that records and
objects can be defined in a powerful enough type theory. We
will also show how to use these type constructors to define abstract data structure. },
acknowledgement={none}, month = jan
}
@InProceedings{ kyas.ea:message:2004, author = {Marcel Kyas and Frank S. de Boer}, title = {On Message Specification in {OCL}}, booktitle = {Compositional Verification in UML}, year = 2004, editor = {Frank S. de Boer and Marcello Bonsangue},
acknowledgement={none},
series = entcs, volume = 101, pages = {73--93}, publisher = elsevier, address = elsevier:adr, abstract = {The object constraint language (OCL) is the established language for specifying of properties of objects and object
structures. Recently an extension of OCL has been proposed
for the specification of messages sent between objects. In
this paper we present a generalization of this extension
which allows addition- ally to specify causality
constraints. From a pragmatic point of view, such causality
constraints are needed to express, for example, that each
acknowledgment must be preceded by a matching request,
which is frequently required by communication protocols.
Our generalization is based on the introduction of
histories into OCL. Histories describe the external
behavior of objects and groups of objects. Moreover, to
reason compositionally about the behavior of a complex
system we distinguish between local specifications of a
single object and global specifications describing the
interaction between objects. These two types of
specifications are expressed in syntactically difierent
dialects of OCL. Our notion of compositionality, which is
formalized in this paper by a compatibility predicate on
histories, allows the verification of models during the
early stages of a design. }
}
@InProceedings{ kyas.ea:extended:2004, author = {Marcel Kyas and Harald Fecher}, title = {An Extended Type System for {OCL} supporting Templates and
Transformations}, booktitle = {Formal Methods for Open Object-Based Distributed Systems, 7th {IFIP} {WG} 6.1 International Conference, {FMOODS} 2005, Athens, Greece, June 15-17, 2005, Proceedings},
acknowledgement={none}, publisher = pub-springer, address = pub-springer:adr, year = 2004, volume = 3535, editor = {Martin Steffen and Gianluigi Zavattaro},
isbn = {3-540-26181-8}, pages = {83--98},
series = llncs,
doi = {10.1007/11494881_6}
}
@InProceedings{ giese.ea:simplifying:2005, author = {Martin Giese and Daniel Larsson}, title = {Simplifying Transformations of {OCL} Constraints}, booktitle = {Proceedings, Model Driven Engineering Languages and
Systems (MoDELS) Conference 2005, Montego Bay, Jamaica}, editor = {Lionel Briand and Clay Williams}, pages = {309--323}, volume = 3713,
acknowledgement={none}, month = oct,
series = lncs, year = 2005
}
@InCollection{ okeefe:improving:2006,
paddress = {Heidelberg}, address = pub-springer:adr, author = {Greg O'Keefe}, booktitle = {{MoDELS} 2006: Model Driven Engineering Languages and
Systems}, language = {USenglish}, publisher = pub-springer,
acknowledgement={none},
series = lncs,
doi = {10.1007/11880240_4}, number = 4199, year = 2006, pages = {42--56}, editor = {Oscar Nierstrasz and Jon Whittle and David Harel and
Gianna Reggio}, title = {Improving the Definition of {UML}}, abstract = {The literature on formal semantics for UML is huge and
growing rapidly. Most contributions open with a brief
remark motivating the work, then quickly move on to the
technical detail. How do we decide whether more rigorous
semantics are needed? Do we currently have an adequate
definition of the syntax? How do we evaluate proposals to
improve the definition? We provide criteria by which these
and other questions can be answered. The growing role of
UML is examined. We compare formal language definition
techniques with those currently used in the definition of
UML. We study this definition for both its content and
form, and conclude that improvements are required. Finally,
we briefly survey the UML formalisation literature,
applying our criteria to determine which of the existing
approaches show the most potential.}
}
@TechReport{ wasserrab.ea:operational:2005, author = {Daniel Wasserrab and Tobias Nipkow and Gregor Snelting and
Frank Tip}, title = {An Operational Semantics and Type Safety Proof for
{\Cpp}-Like Multiple Inheritance},
institution = {IBM Yorktown Heights}, number = {RC 23709}, month = aug, year = 2005, abstract = {We present, for the first time, an operational semantics
and a type system for a \Cpp-like object-oriented language
with both shared and repeated multiple inheritance,
together with a machine-checked proof of type safety. The
formalization uncovered several subtle ambiguities in \Cpp,
which \Cpp compilers resolve by ad-hoc means or which even
result in uncontrolled run-time errors. The semantics is
formalized in Isabelle/HOL.},
acknowledgement={none}
}
@Unpublished{ crane.ea:class:2006, author = {Michelle L. Crane and Juergen Dingel and Zinovy Diskin}, title = {Class Diagrams: Abstract Syntax and Mapping to System
Model},
note = {Version 1.7.4},
url = {http://www.cs.queensu.ca/~stl/internal/uml2/documents.htm}
,
pdf = {papers/2006/crane.ea-class-2006.pdf},
acknowledgement={none}, year = 2006
}
@Article{ henning:rise:2006, author = {Michi Henning}, title = {The rise and fall of {CORBA}}, journal = {Queue}, volume = 4, number = 5, year = 2006,
issn = {1542-7730}, pages = {28--34},
doi = {10.1145/1142031.1142044}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}, abstract = {Depending on exactly when one starts counting, CORBA is
about 10-15 years old. During its lifetime, CORBA has moved
from being a bleeding-edge technology for early adopters,
to being a popular middleware, to being a niche technology
that exists in relative obscurity. It is instructive to
examine why CORBA---despite once being heralded as the
{\^a}��next-generation technology for e-commerce---suffered
this fate. CORBA{\^a}��s history is one that the computing
industry has seen many times, and it seems likely that
current middleware efforts, specifically Web services, will
reenact a similar history.}
}
@InProceedings{ briggs.ea:effective:1994, author = {Preston Briggs and Keith D. Cooper}, title = {Effective partial redundancy elimination}, booktitle = PROC # { the ACM SIGPLAN 1994 conference on
Programming language design and implementation}, year = 1994,
isbn = {0-89791-662-X}, pages = {159--170},
location = {Orlando, Florida, United States},
doi = {10.1145/178243.178257}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none},
bibkey = {briggs.ea:effective:1994}, abstract = {Partial redundancy elimination is a code optimization with
a long history of literature and implementation. In
practice, its effectiveness depends on issues of naming and
code shape. This paper shows that a combination of global
reassociation and global value numbering can increase the
effectiveness of partial redundancy elimina- tion. By
imposing a discipline on the choice of names and the shape
of expressions, we are able to expose more redundancies, As
part of the work, we introduce a new algorithm for global
reassociation of expressions. It uses global in- formation
to reorder expressions, creating opportunities for other
optimization. The new algorithm generalizes earlier work
that ordered FORTRAN array address ex- pressions to improve
optimization.}
}
@Article{ binder:design:1994, author = {Robert V. Binder}, title = {Design for testability in object-oriented systems}, journal = j-cacm, publisher = pub-acm, address = pub-acm:adr, volume = 37, number = 9, pages = {87--101}, month = sep, year = 1994,
issn = {0001-0782},
acknowledgement={none}, keywords = {design; reliability},
bibkey = {binder:design:1994}
}
@InProceedings{ bernot.ea:theory:1997, author = {Gilles Bernot and Laurent Bouaziz and Pascale {Le Gall}}, title = {A theory of probabilistic functional testing}, booktitle = PROC # { the 19th international conference on
Software engineering}, year = 1997,
isbn = {0-89791-914-9}, pages = {216--226},
pdf = {papers/1997/p216-bernot.pdf},
location = {Boston, Massachusetts, United States},
doi = {10.1145/253228.253273}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none}
}
@InProceedings{ ntafos:random:1998, author = {Simeon Ntafos}, title = {On random and partition testing}, booktitle = PROC # { ACM SIGSOFT international symposium on
Software testing and analysis}, year = 1998,
isbn = {0-89791-971-8}, pages = {42--48},
location = {Clearwater Beach, Florida, United States},
doi = {10.1145/271771.271785}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none},
bibkey = {ntafos:random:1998}
}
@InProceedings{ hackett.ea:modular:2006, author = {Brian Hackett and Manuvir Das and Daniel Wang and Zhe
Yang}, title = {Modular checking for buffer overflows in the large}, booktitle = {ICSE '06: Proceeding of the 28th international conference
on Software engineering}, year = 2006,
acknowledgement={none},
isbn = {1-59593-375-1}, pages = {232--241},
location = {Shanghai, China}, publisher = pub-acm, address = pub-acm:adr,
doi = {10.1145/1134285.1134319}
}
@InProceedings{ biere.ea:sat-model-checking:1999, author = {A. Biere and A. Cimatti and E. M. Clarke and M. Fujita and
Y. Zhu}, title = {Symbolic model checking using SAT procedures instead of
{BDDs}}, booktitle = PROC # { the 36th ACM/IEEE conference on Design
automation conference}, year = 1999,
isbn = {1-58133-109-7}, pages = {317--320},
location = {New Orleans, Louisiana, United States},
doi = {10.1145/309847.309942}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none},
bibkey = {biere.ea:sat-model-checking:1999}
}
@Article{ france:problem-oriented:34-10, author = {Robert France}, title = {A problem-oriented analysis of basic {UML} static
requirements modeling concepts}, journal = {ACM SIG-PLAN Notices}, volume = 34, number = 10, pages = {57--69}, year = 1999, abstract = {The Unified Modeling Language (UML) is a standard modeling language in which some of the best object-oriented (OO)
modeling experiences are embedded. In this paper we
illustrate the role formal specification techniques can
play in developing a precise semantics for the UML. We
present a precise characterization of requirements-level
(problem-oriented) Class Diagrams and outline how the
characterization can be used to semantically analyze
requirements Class Diagrams.},
acknowledgement={none},
bibkey = {france:problem-oriented:34-10}
}
@InProceedings{ claessen.ea:quickcheck:2000, author = {Koen Claessen and John Hughes}, title = {{QuickCheck}: a lightweight tool for random testing of
{Haskell} programs}, booktitle = PROC # { the fifth ACM SIGPLAN international
conference on Functional programming}, year = 2000,
isbn = {1-58113-202-6}, pages = {268--279},
doi = {10.1145/351240.351266}, publisher = pub-acm, address = pub-acm:adr, abstract = {Quick Check is a tool which aids the Haskell programmer in
formulating and testing properties of programs. Properties
are described as Haskell functions, and can be
automatically tested on random input, but it is also
possible to define custom test data generators. We present
a number of case studies, in which the tool was
successfully used, and also point out some pitfalls to
avoid. Random testing is especially suitable for functional
programs because properties can be stated at a fine grain.
When a function is built from separately tested components,
then random testing suffices to obtain good coverage of the
definition under test. },
acknowledgement={none},
bibkey = {claessen.ea:quickcheck:2000}
}
@Article{ kozen:hoare:2000, author = {Dexter Kozen}, title = {On Hoare logic and Kleene algebra with tests}, journal = {ACM Transactions on Computational Logic}, volume = 1, number = 1, year = 2000,
issn = {1529-3785}, pages = {60--76},
doi = {10.1145/343369.343378}, publisher = pub-acm, address = pub-acm:adr, abstract = {We show that Kleene algebra with tests (KAT) subsumes
propositional Hoare logic (PHL). Thus the specialized
syntax and deductive apparatus of Hoare logic are
inessential and can be replaced by simple equational
reasoning. In addition, we show that all relationally valid
inference rules are derivable in KAT and that deciding the
relational validity of such rules is PSPACE-complete. },
acknowledgement={none},
bibkey = {kozen:hoare:2000}
}
@InProceedings{ chen.ea:semi-proving:2002, author = {T. Y. Chen and T. H. Tse and Zhiquan Zhou}, title = {Semi-proving: an integrated method based on global
symbolic evaluation and metamorphic testing}, booktitle = PROC # { the international symposium on Software
testing and analysis}, year = 2002,
isbn = {1-58113-562-9}, pages = {191--195},
location = {Roma, Italy},
doi = {10.1145/566172.566202}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none},
bibkey = {chen.ea:semi-proving:2002}
}
@InProceedings{ naumovich.ea:static:2004, author = {Gleb Naumovich and Paolina Centonze}, title = {Static Analysis of Role-Based Access Control in {J2EE}
Applications}, abstract = {This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) applications. In such
applications, Enterprise Java Beans (EJBs) are commonly
used to encapsulate the core computations performed on Web
servers. Access to EJBs is protected by application
servers, according to role-based access control policies
that may be created either at development or deployment
time. These policies may prohibit some types of users from
accessing specific EJB methods. We present a static
technique for analyzing J2EE access control policies with
respect to security-sensitive fields of EJBs and other
server-side objects. Our technique uses points-to analysis
to determine which object fields are accessed by which EJB
methods, directly or indirectly. Based on this information,
J2EE access control policies are analyzed to identify
potential inconsistencies that may lead to security holes.
}, volume = 29, number = 5, month = sep, year = 2004, booktitle = {TAV-WEB Proceedings}, publisher = pub-acm, address = pub-acm:adr,
acknowledgement={none},
bibkey = {naumovich.ea:static:2004}
}
@InProceedings{ altenhofen.ea:high-level:2005, author = {Michael Altenhofen and Egon B{\"o}rger and Jens Lemcke}, title = {A High-Level Specification for Mediators(Virtual
Providers)}, booktitle = {Business Process Management Workshops}, year = 2005, pages = {116--129},
doi = {10.1007/11678564_11},
crossref = {bussler.ea:business:2006}
}
@Proceedings{ bussler.ea:business:2006, editor = {Christoph Bussler and Armin Haller}, title = {Business Process Management Workshops, BPM 2005
International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM,
BPS, Nancy, France, September 5, 2005, Revised Selected
Papers}, booktitle = {Business Process Management Workshops}, volume = 3812, year = 2006,
isbn = {3-540-32595-6}
}
@Article{ grieskamp.ea:generating:2002, author = {Wolfgang Grieskamp and Yuri Gurevich and Wolfram Schulte
and Margus Veanes}, title = {Generating finite state machines from abstract state
machines}, journal = {SIGSOFT Softw. Eng. Notes}, volume = 27, number = 4, year = 2002,
issn = {0163-5948}, pages = {112--122},
doi = {10.1145/566171.566190}, publisher = pub-acm, address = pub-acm:adr
}
@InProceedings{ paulson:isabelle:1988, author = {Lawrence C. Paulson}, title = {Isabelle: The Next Seven Hundred Theorem Provers}, booktitle = {CADE}, year = 1988, pages = {772--773},
crossref = {lusk.ea:cade:1988}
}
@Proceedings{ lusk.ea:cade:1988, editor = {Ewing L. Lusk and Ross A. Overbeek}, title = {9th International Conference on Automated Deduction,
Argonne, Illinois, USA, May 23-26, 1988, Proceedings}, booktitle = {CADE}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 310, year = 1988,
isbn = {3-540-19343-X}
}
@Article{ ntafos:comparison:1988, author = {S. C. Ntafos}, title = {A Comparison of Some Structural Testing Strategies}, journal = j-ieee-tse, volume = 14, number = 6, year = 1988,
pdf = {papers/1988/e0868.pdf},
issn = {0098-5589}, pages = {868--874},
doi = {http://csdl.computer.org/comp/trans/ts/1988/06/e0868abs.htm}
, publisher = pub-ieee, address = pub-ieee:adr, abstract = {Several structural testing strategies are compared in
terms of their relative coverage of the program's structure
and also in terms of the number of test cases needed to
satisfy each strategy. Some of the deficiencies of such
comparisons are discussed},
acknowledgement={none}
}
@InProceedings{ lange.ea:flyspeck:2008, author = {Christoph Lange and Sean McLaughlin and Florian Rabe}, title = {Flyspeck in a Semantic {Wiki}}, booktitle = {SemWiki}, year = 2008,
url = {http://ceur-ws.org/Vol-360/paper-21.pdf},
crossref = {lange.ea:semwiki:2008}
}
@Proceedings{ lange.ea:semwiki:2008, editor = {Christoph Lange and Sebastian Schaffert and Hala
Skaf-Molli and Max V{\"o}lkel}, title = PROC # {the 3rd Semantic Wiki Workshop (SemWiki 2008) at the 5th European Semantic Web Conference (ESWC 2008), Tenerife, Spain, June 2nd, 2008}, booktitle = {SemWiki}, publisher = {CEUR-WS.org},
series = {CEUR Workshop Proceedings}, volume = 360, year = 2008
}
@Book{ matouvsek.ea:invitation:2008, author = {Ji{\v}r{\'\i} Matou{\v}sek, and Jaroslav Ne{\v}set{\v}ril}, title = {Invitation to discrete mathematics.}, language = {English},
edition = {2nd}, publisher = pub-oxford, address = pub-oxford:adr, pages = 443, year = 2008,
isbn = {978-0198570431}, abstract = {This is the second edition of a delightful textbook, see
[Invitation to discrete mathematics. (Oxford): Clarendon
Press. (1998; Zbl 0901.05001)]. Besides the usual
elimination of a few typos there are some additions, namely
a chapter on partially ordered sets, a section on
Tur\'{a}n's theorem on the number of edges in a
triangle-free graph and a chapter on Ramsey's theorem.\par
New to the second edition are also several proofs of the
Cauchy-Schwarz inequality, a very attractive elegant new
proof of Cayley's theorem on the number of labeled trees on
$n$ vertices via PARTs (Plans of Assembly of a Rooted
Tree), which the authors attribute to Jim Pitman, and
another proof of the determinant formula for counting
spanning trees of a given graph. The newly added geometric
interpretation of the construction of the real projective
plane is aided by the beautiful artistic rendering in the
figure with the caption ``The real projective plane in
moonlight''.}, keywords = {discrete mathematics; problem solving; counting
techniques; graph theory; trees; algorithms; planar graphs;
Sperner's theorem; finite projective planes; probabilistic
method; generating functions; partially ordered sets; Turan
theorem; Ramsey theorem; Cauchy Schwartz inequality; Cayley
theorem; geometric interpretation; real projective plane}
}
@Book{ syme.ea:expert-f:2007, author = {Don Syme and Adam Granicz and Antonio Cisternino}, title = {Expert F\# (Expert's Voice in {.Net})},
isbn = 9781590598504, publisher = {Apress}, pages = 609, year = 2007
}
@Book{ baier.ea:principles:2008, abstract = {Our growing dependence on increasingly complex computer
and software systems necessitates the development of
formalisms, techniques, and tools for assessing functional
properties of these systems. One such technique that has
emerged in the last twenty years is model checking, which
systematically (and automatically) checks whether a model
of a given system satisfies a desired property such as
deadlock freedom, invariants, or request-response
properties. This automated technique for verification and
debugging has developed into a mature and widely used
approach with many applications. \_Principles of Model
Checking\_ offers a comprehensive introduction to model
checking that is not only a text suitable for classroom use
but also a valuable reference for researchers and
practitioners in the field.
The book begins with the basic principles for modeling
concurrent and communicating systems, introduces different
classes of properties (including safety and liveness),
presents the notion of fairness, and provides automata-
based algorithms for these properties. It introduces the
temporal logics LTL and CTL, compares them, and covers
algorithms for verifying these logics, discussing real-time
systems as well as systems subject to random phenomena.
Separate chapters treat such efficiency-improving
techniques as abstraction and symbolic manipulation. The book includes an extensive set of examples (most of which
run through several chapters) and a complete set of basic
results accompanied by detailed proofs. Each chapter
concludes with a summary, bibliographic notes, and an
extensive list of exercises of both practical and
theoretical nature.}, author = {Christel Baier and Joost-Pieter Katoen},
howpublished = {Hardcover},
isbn = {026202649X}, month = may, publisher = pub-mit, address = pub-mit:adr, title = {Principles of Model Checking}, year = 2008
}
@Book{ bertot.ea:interactive:2004, author = {Yves Bertot and Pierre Cast{\'e}ran}, keywords = {theorem-proving, type-theory, verification}, title = {Interactive Theorem Proving and Program Development.
Coq'Art: The Calculus of Inductive Constructions}, pages = 500, publisher = pub-springer, address = pub-springer:adr,
isbn = {978-3540208549}, year = 2004, abstract = {Coq is an interactive proof assistant for the development
of mathematical theories and formally certified software.
It is based on a theory called the calculus of inductive
constructions, a variant of type theory. This book provides
a pragmatic introduction to the development of proofs and
certified programs using Coq. With its large collection of
examples and exercises it is an invaluable tool for
researchers, students, and engineers interested in formal
methods and the development of zero-fault software.}
}
@Article{ korel:automated:1990, author = {Bogdan Korel}, title = {Automated Software Test Data Generation}, journal = j-ieee-tse, volume = 16, number = 8, year = 1990,
issn = {0098-5589}, pages = {870--879},
doi = {10.1109/32.57624}, publisher = pub-ieee, address = pub-ieee:adr,
acknowledgement={none},
bibkey = {korel:automated:1990}
}
@Article{ hamlet.ea:partition:1990, author = {Dick Hamlet and Ross Taylor}, title = {Partition Testing Does Not Inspire Confidence (Program
Testing)}, journal = j-ieee-tse, volume = 16, number = 12, year = 1990,
issn = {0098-5589}, pages = {1402--1411},
doi = {10.1109/32.62448}, publisher = pub-ieee, address = pub-ieee:adr,
acknowledgement={none},
bibkey = {hamlet.ea:partition:1990}
}
@TechReport{ sharangpani.ea:statistical:1994, language = {USenglish}, author = {H. P. Sharangpani and Ph. D. M. I. Barton }, title = {Statistical Analysis of Floating Point Flaw in the
Pentium$^{TM}$ Processor},
institution = {Intel Corporation}, month = nov, year = 1994, keywords = {pentium; flaw; FDIV; bug},
url = {http://www.intel.com/support/processors/pentium/fdiv/wp/}, abstract = {A subtle flaw in the hardware divide unit of the Pentium
TM Processor was discovered by Intel. Subsequently, a
characterization of its impact to the end-user application
base was conducted. The flaw is rare and data-dependent,
and causes a reduction in precision of the divide
instruc-tion and certain other operations in certain cases.
The significance of the flaw depends upon (a) the rate of
use of specific FP instructions in the Pentium TM CPU, (b)
the data fed to them, (c) the way in which the results of
these instructions are propagated into further computation
in the application; and (d) the way in which the final
results of the application are interpreted. The thorough
and detailed characterization of the flaw and the
subsequent investigations of its impact on applications
through elaborate surveys, analyses and empirical
observation lead us to the overall conclusion that the flaw
is of no concern to the vast majority of users of Pentium
processor based systems. A few users of applications in the
scientific/engineering and financial engineering fields who
require unusual precision and invoke millions of divides
per day may need t o employ either an updated Pen t ium
processor without the flaw or a software workaround.},
acknowledgement={none},
bibkey = {sharangpani.ea:statistical:1994}
}
@InProceedings{ paulson:formulation:1988, author = {Lawrence C. Paulson}, title = {A formulation of the simple theory of types (for
Isabelle).}, booktitle = {Conference on Computer Logic}, year = 1988,
acknowledgement={none}, pages = {246--274},
doi = {10.1007/3-540-52335-9_58},
crossref = {martin-lof.ea:international:1990}
}
@Proceedings{ martin-lof.ea:international:1990, editor = {Per Martin-L{\"o}f and Grigori Mints}, title = {International Conference on Computer Logic, Tallinn, USSR,
December 1988, Proceedings}, booktitle = {Conference on Computer Logic}, publisher = pub-springer,
series = lncs, address = pub-springer:adr,
acknowledgement={none}, volume = 417, year = 1990,
isbn = {3-540-52335-9}
}
@Article{ bernot.ea:software:1991, author = {Gilles Bernot and Marie Claude Gaudel and Bruno Marre}, title = {Software testing based on formal specifications: a theory
and a tool}, journal = {Softw. Eng. J.}, volume = 6, number = 6, year = 1991,
issn = {0268-6961}, pages = {387--405}, publisher = {Michael Faraday House}, address = {Herts, UK, UK}
}
@Article{ chadwick.ea:permis:2008, author = {David Chadwick and Gansen Zhao and Sassa Otenko and Romain
Laborde and Linying Su and Tuan Anh Nguyen}, title = {{PERMIS}: a modular authorization infrastructure}, journal = {Concurrency and Computation: Practice \& Experience}, volume = 20, number = 11, year = 2008,
issn = {1532-0626}, pages = {1341--1357},
doi = {10.1002/cpe.v20:11}, publisher = pub-wiley, address = pub-wiley:adr, abstract = {Authorization infrastructures manage privileges and render
access control decisions, allowing applications to adjust
their behavior according to the privileges allocated to
users. This paper describes the PERMIS role-based
authorization infrastructure along with its conceptual
authorization, access control, and trust models. PERMIS has
the novel concept of a credential validation service, which
verifies a user's credentials prior to access control
decision-making and enables the distributed management of
credentials. PERMIS also supports delegation of authority;
thus, credentials can be delegated between users, further
decentralizing credential management. Finally, PERMIS
supports history-based decision-making, which can be used
to enforce such aspects as separation of duties and
cumulative use of resources. Details of the design and the
implementation of PERMIS are presented along with details
of its integration with Globus Toolkit, Shibboleth, and
GridShib. A comparison of PERMIS with other authorization
and access control implementations is given, along with
suggestions where future research and development are still
needed.}
}
@Article{ altenhofen.ea:asms:2008, author = {Michael Altenhofen and Andreas Friesen and Jens Lemcke}, title = {{ASMs} in Service Oriented Architectures}, journal = j-ucs, volume = 14, number = 12, year = 2008, pages = {2034--2058}, abstract = {We give a survey on work we did in the past where we have
successfully applied the ASM methodology to provide abstract models for a number of problem areas that are
commonly found in Service Oriented Architectures (SOA). In
particular, we summarize our work on (1) service behavior
mediation, (2) service discovery, and (3) service
composition, showing that the corresponding solutions can
be described as variations of a fundamental abstract
processing model{\^a}the Virtual Provider.}, keywords = {process mediation, service discovery, workflow composition
}
}
@Book{ borger.ea:abstract:2003, author = {Egon B{\"o}rger and Robert F. St{\"a}rk}, title = {Abstract State Machines: A Method for High-Level System
Design and Analysis}, publisher = pub-springer, address = pub-springer:adr,
isbn = {3-540-00702-4}, abstract = {This book introduces into a new software engineering
method which guides the development of systems seamlessly
from requirements capture to coding. The method bridges the
gap between understanding and formulating real-world
problems by humans and the deployment of their solutions by
code-executing machines on changing platforms.It covers
design and analysis for both hardware and software
systems.It has a scientific foundation and improves current
industrial practice by linking the descriptions at the
successive stages of the system development cycle in a
coherent conceptual framework to keep the system models at
related levels synchronized.The method supports the
integration of standard design, analysis and documentation
techniques for model reuse (by abstraction), validation (by
simulation and high-level testing), verification (by
reasoning) and maintenance (by structured documentation).
}, year = 2003
}
@InProceedings{ altenhofen.ea:concurrent:2009, author = {Michael Altenhofen and Egon B{\"o}rger}, title = {Concurrent Abstract State Machines and {$^+\mathit{CAL}$}
Programs}, pages = {1--17},
doi = {10.1007/978-3-642-03429-9_1}, abstract = {We apply the ASM semantics framework to define the await
construct in the context of concurrent ASMs. We link
{$^+\mathit{CAL}$} to concurrent control state ASMs with
turbo ASM submachines.}, booktitle = {Recent Trends in Algebraic Development Techniques},
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, year = 2009
}
@Article{ farahbod.ea:coreasm:2007, author = {Roozbeh Farahbod and Vincenzo Gervasi and Uwe Gl{\"a}sser}, title = {{CoreASM}: An Extensible {ASM} Execution Engine}, journal = {Fundamenta Informaticae}, publisher = {IOS Press}, volume = 77, number = {1-2}, year = 2007,
issn = {0169-2968}, pages = {71--103},
ee = {http://iospress.metapress.com/openurl.asp?genre=article{\&}issn=0169-2968{\&}volume=77{\&}issue=1{\&}spage=71}
, abstract = {In this paper we introduce a new research effort in making abstract state machines (ASMs) executable. The aim is to
specify and implement an execution engine for a language
that is as close as possible to the mathematical definition
of pure ASMs. The paper presents the general architecture
of the engine, together with a high-level description of
the extensibility mechanisms that are used by the engine to
accommodate arbitrary backgrounds, scheduling policies, and
new rule forms.}, keywords = {CoreASM, Abstract state machines, Specification languages,
Executable specification}
}
@Article{ knuth:literate:1984, author = {Donald E. Knuth}, title = {Literate Programming}, journal = {The Computer Journal}, volume = 27, number = 2, year = 1984, pages = {97--111},
doi = {10.1093/comjnl/27.2.97}, publisher = {Oxford University Press}, address = {Oxford, UK},
issn = {0010-4620}, abstract = {The author and his associates have been experimenting for
the past several years with a programming language and
documentation system called WEB. This paper presents WEB by
example, and discusses why the new system appears to be an
improvement over previous ones.}
}
@Article{ forgy:rete:1982, author = {Charles L. Forgy}, title = {Rete: A Fast Algorithm for the Many Patterns/Many Objects
Match Problem}, journal = {Artificial Intelligence}, volume = 19, number = 1, year = 1982, pages = {17--37},
issn = {0004-3702}, abstract = {The Rete Match Algorithm is an efficient method for
comparing a large collection of patterns to a large
collection of objects. It finds all the objects that match
each pattern. The algorithm was developed for use in
production system interpreters, and it has been used for
systems containing from a few hundred to more than a
thousand patterns and objects. This article presents the
algorithm in detail. It explains the basic concepts of the
algorithm, it describes pattern and object representations
that are appropriate for the algorithm, and it describes
the operations performed by the pattern matcher. },
doi = {10.1016/0004-3702(82)90020-0}
}
@InProceedings{ burrows:chubby:2006, author = {Mike Burrows}, title = {The Chubby lock service for loosely-coupled distributed
systems}, booktitle = {OSDI '06: Proceedings of the 7th symposium on Operating
systems design and implementation}, year = 2006,
isbn = {1-931971-47-1}, pages = {335--350}, publisher = {\acs{usenix} Association},
location = {Seattle, Washington}, address = {Berkeley, CA, USA}, abstract = {We describe our experiences with the Chubby lock service,
which is intended to provide coarse-grained locking as well
as reliable (though low-volume) storage for a
loosely-coupled distributed system. Chubby provides an
interface much like a distributed file system with advisory
locks, but the design emphasis is on availability and
reliability, as opposed to high performance. Many instances
of the service have been used for over a year, with several
of them each handling a few tens of thousands of clients
concurrently. The paper describes the initial design and
expected use, compares it with actual use, and explains how
the design had to be modified to accommodate the
differences.}
}
@InProceedings{ mccarthy.ea:architecture:1989, author = {Dennis McCarthy and Umeshwar Dayal}, title = {The architecture of an active database management system}, booktitle = {SIGMOD '89: Proceedings of the 1989 ACM SIGMOD
international conference on Management of data}, year = 1989,
isbn = {0-89791-317-5}, pages = {215--224},
location = {Portland, Oregon, United States},
doi = {10.1145/67544.66946}, publisher = pub-acm, address = pub-acm:adr, abstract = {he HiPAC project is investigating active, time-constrained
database management. An active DBMS is one which
automatically executes specified actions when specified
conditions arise. HiPAC has proposed Event-Condition-Action
(ECA) rules as a formalism for active database
capabilities. We have also developed an execution model
that specifies how these rules are processed in the context
of database transactions. The additional functionality
provided by ECA rules makes new demands on the design of an
active DBMS. In this paper we propose an architecture for
an active DBMS that supports ECA rules. This architecture
provides new forms of interaction, in support of ECA rules,
between application programs and the DBMS. This leads to a
new paradigm for constructing database applications.}
}
@InProceedings{ carioni.ea:scenario-based:2008, author = {Alessandro Carioni and Angelo Gargantini and Elvinia
Riccobene and Patrizia Scandurra}, title = {A Scenario-Based Validation Language for {ASMs}}, booktitle = {ABZ}, year = 2008, pages = {71--84},
doi = {10.1007/978-3-540-87603-8_7}, abstract = {This paper presents the AValLa language, a domain-specific
modelling language for scenario-based validation of ASM
models, and its supporting tool, the AsmetaV validator.
They have been developed according to the model-driven
development principles as part of the asmeta (ASM
mETAmodelling) toolset, a set of tools around ASMs. As a
proof-of-concepts, the paper reports the results of the
scenario-based validation for the well-known LIFT control
case study.},
crossref = {borger.ea:abstract:2008}
}
@Proceedings{ borger.ea:abstract:2008, editor = {Egon B{\"o}rger and Michael J. Butler and Jonathan P.
Bowen and Paul Boca}, title = {Abstract State Machines, B and Z, First International
Conference, ABZ 2008, London, UK, September 16-18, 2008.
Proceedings}, booktitle = {ABZ}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5238, year = 2008,
isbn = {978-3-540-87602-1}
}
@Article{ decandia.ea:dynamo:2007, author = {Giuseppe DeCandia and Deniz Hastorun and Madan Jampani and
Gunavardhan Kakulapati and Avinash Lakshman and Alex
Pilchin and Swaminathan Sivasubramanian and Peter Vosshall
and Werner Vogels}, title = {{Dynamo}: {Amazon's} highly available key-value store}, journal = {ACM SIGOPS Operating Systems Review}, volume = 41, number = 6, year = 2007,
issn = {0163-5980}, pages = {205--220},
doi = {10.1145/1323293.1294281}, publisher = pub-acm, address = pub-acm:adr, abstract = {Reliability at massive scale is one of the biggest
challenges we face at Amazon.com, one of the largest
e-commerce operations in the world; even the slightest
outage has significant financial consequences and impacts
customer trust. The Amazon.com platform, which provides
services for many web sites worldwide, is implemented on
top of an infrastructure of tens of thousands of servers
and network components located in many datacenters around
the world. At this scale, small and large components fail
continuously and the way persistent state is managed in the
face of these failures drives the reliability and
scalability of the software systems.
This paper presents the design and implementation of
Dynamo, a highly available key-value storage system that
some of Amazon's core services use to provide an "always-on" experience. To achieve this level of
availability, Dynamo sacrifices consistency under certain
failure scenarios. It makes extensive use of object
versioning and application-assisted conflict resolution in
a manner that provides a novel interface for developers to
use.}
}
@InProceedings{ crampton.ea:secondary:2006, author = {Jason Crampton and Wing Leung and Konstantin Beznosov}, title = {The secondary and approximate authorization model and its
application to {Bell-LaPadula} policies}, booktitle = {SACMAT '06: Proceedings of the eleventh ACM symposium on
Access control models and technologies}, year = 2006,
isbn = {1-59593-353-0}, pages = {111--120},
location = {Lake Tahoe, California, USA},
doi = {10.1145/1133058.1133075}, publisher = pub-acm, address = pub-acm:adr, abstract = {We introduce the concept, model, and policy-specific
algorithms for inferring new access control decisions from
previous ones. Our secondary and approximate authorization
model (SAAM) defines the notions of primary vs. secondary
and precise vs. approximate authorizations. Approximate
authorization responses are inferred from cached primary
responses, and therefore provide an alternative source of
access control decisions in the event that the
authorization server is unavailable or slow. The ability to
compute approximate authorizations improves the reliability
and performance of access control sub-systems and
ultimately the application systems themselves.The operation
of a system that employs SAAM depends on the type of access
control policy it implements. We propose and analyze
algorithms for computing secondary authorizations in the
case of policies based on the Bell-LaPadula model. In this
context, we define a dominance graph, and describe its
construction and usage for generating secondary responses
to authorization requests. Preliminary results of
evaluating SAAM BLP algorithms demonstrate a 30\% increase
in the number of authorization requests that can be served
without consulting access control policies.}
}
@InProceedings{ turkmen.ea:performance:2008, author = {Fatih Turkmen and Bruno Crispo}, title = {Performance evaluation of {XACML} {PDP} implementations}, booktitle = {SWS '08: Proceedings of the 2008 ACM workshop on Secure
web services}, year = 2008,
isbn = {978-1-60558-292-4}, pages = {37--44},
location = {Alexandria, Virginia, USA},
doi = {10.1145/1456492.1456499}, publisher = pub-acm, address = pub-acm:adr, abstract = {eXtensible Access Control Markup Language (XACML), an
OASIS standard, is the most widely used policy specifica-
tion language for access control. Its simplicity in syntax
and strength in coverage makes it suitable for diverse en-
vironments such as Service Oriented Architectures (SOAs)
and P2P systems. There are different implementations of
XACML available. Some of these implementations are open
source and some others are proprietary. In this work we
intended to shed some lights to the performance issues of
XACML engines. We tested 3 open source XACML
implementations with different policy/request settings. Our
experiments revealed some important points to be taken into
consideration when deploying an XACML based access control
system. Besides, our results can be used as hints by policy
writers and system developers for deploying efficient
authorization services.}
}
@InProceedings{ chen.ea:constraint:2006, author = {Hong Chen and Ninghui Li}, title = {Constraint generation for separation of duty}, booktitle = {SACMAT '06: Proceedings of the eleventh ACM symposium on
Access control models and technologies}, year = 2006,
isbn = {1-59593-353-0}, pages = {130--138},
location = {Lake Tahoe, California, USA},
doi = {10.1145/1133058.1133077}, publisher = pub-acm, address = pub-acm:adr, abstract = {Separation of Duty (SoD) is widely recognized to be a
fundamental principle in computer security. A Static SoD
(SSoD) policy states that in order to have all permissions
necessary to complete a sensitive task, the cooperation of
at least a certain number of users is required. In
Role-Based Access Control (RBAC), Statically Mutually
Exclusive Role (SMER) constraints are used to enforce SSoD
policies. This paper studies the problem of generating sets
of constraints that (a) enforce a set of SSoD policies, (b)
are compatible with the existing role hierarchy, and (c)
are minimal in the sense that there is no other constraint
set that is less restrictive and satisfies (a) and (b).}
}
@InProceedings{ schaad.ea:case:2005, author = {Andreas Schaad and Pascal Spadone and Helmut Weichsel}, title = {A case study of separation of duty properties in the
context of the Austrian {``eLaw''} process.}, booktitle = {SAC '05: Proceedings of the 2005 ACM symposium on Applied
computing}, year = 2005,
isbn = {1-58113-964-0}, pages = {1328--1332},
location = {Santa Fe, New Mexico},
doi = {10.1145/1066677.1066976}, publisher = pub-acm, address = pub-acm:adr, abstract = {Over the last few years rapid progress has been made in
moving from conceptual studies, "whitepapers" and
initiatives to the actual deployment of e-Government
systems [13]. In this paper we present the case study of an
existing e-Government system (eLaw) which already supports
key legislative processes in the country of Austria1. The
study has been performed in the context of the EU FP6
project "eJustice".We present a detailed system and
workflow representation referring to the example process of
changing a federal law in Austria. Since such processes and
their results, i.e. the laws of a country, have an enormous
impact on society, they need to be secured against external
and internal alteration, be it inadvertent or malicious.
This is even more important in the electronic world.Instead
of discussing the obvious security requirements like virus
protection or network-level access control, our focus is on
an often neglected form of organisational security and
control properties called separation of duties. We will
analyse and discuss a set of these in terms of the
described eLaw process.}
}
@InProceedings{ evered.ea:case:2004, author = {Mark Evered and Serge B{\"o}geholz}, title = {A case study in access control requirements for a Health
Information System}, booktitle = {ACSW Frontiers '04: Proceedings of the second workshop on
Australasian information security, Data Mining and Web
Intelligence, and Software Internationalisation}, year = 2004, pages = {53--61},
location = {Dunedin, New Zealand}, publisher = {Australian Computer Society, Inc.}, address = {Darlinghurst, Australia, Australia}, abstract = {We present a detailed examination of the access
constraints for a small real-world Health Information
System with the aim of achieving minimal access rights for
each of the involved principals. We show that, even for
such a relatively simple system, the resulting constraints
are very complex and cannot be expressed easily or clearly
using the static per-method access control lists generally
supported by component-based software. We derive general
requirements for the expressiveness of access constraints
and propose criteria for a more suitable access control
mechanism in the context of component-based systems. We
describe a two-level mechanism which can fulfil these
criteria.}
}
@Article{ kapsalis.ea:dynamic:2006, title = {A dynamic context-aware access control architecture for
e-services}, journal = {Computers \& Security}, volume = 25, number = 7, pages = {507--521}, year = 2006,
issn = {0167-4048},
doi = {10.1016/j.cose.2006.05.004}, author = {Vassilis Kapsalis and Loukas Hadellis and Dimitris Karelis
and Stavros Koubias}, keywords = {e-Services, Access control, Web services, Context-aware,
Authorization, UML}, abstract = { The universal adoption of the Internet and the emerging
web services technologies constitutes the infrastructure
that enables the provision of a new generation of
e-services and applications. However, the provision of
e-services through the Internet imposes increased risks,
since it exposes data and sensitive information outside the
client premises. Thus, an advanced security mechanism has
to be incorporated, in order to protect this information
against unauthorized access. In this paper, we present a
context-aware access control architecture, in order to
support fine-grained authorizations for the provision of
e-services, based on an end-to-end web services
infrastructure. Access permissions to distributed web
services are controlled through an intermediary server, in
a completely transparent way to both clients and protected
resources. The access control mechanism is based on a
Role-Based Access Control (RBAC) model, which incorporates
dynamic context information, in the form of context
constraints. Context is dynamically updated and provides a
high level of abstraction of the physical environment by
using the concepts of simple and composite context
conditions. Also, the paper deals with implementation
issues and presents a system that incorporates the proposed
access control mechanism in a web services infrastructure
that conform to the OPC XML-DA specification.}
}
@InProceedings{ anderson:comparison:2006, author = {Anne H. Anderson}, title = {A comparison of two privacy policy languages: {EPAL} and
{XACML}}, booktitle = {SWS '06: Proceedings of the 3rd ACM workshop on Secure web
services}, year = 2006,
isbn = {1-59593-546-0}, pages = {53--60},
location = {Alexandria, Virginia, USA},
doi = {10.1145/1180367.1180378}, publisher = pub-acm, address = pub-acm:adr, abstract = {Current regulatory requirements in the U.S. and other
countries make it increasingly important for Web Services
to be able to enforce and verify their compliance with
privacy policies. Structured policy languages can play a
major role by supporting automated enforcement of policies
and auditing of access decisions. This paper compares two
policy languages that have been developed for use in
expressing directly enforceable privacy policies -- the
Enterprise Privacy Authorization Language (EPAL) and the
OASIS Standard eXtensible Access Control Markup Language
(XACML), together with its standard privacy profile.}
}
@Book{ rankl.ea:smart-card:2003, author = {Wolfgang Rankl and Wolfgang Effing}, title = {Smart Card Handbook}, year = 2003,
isbn = 9780470856680,
doi = {10.1002/047085670X}, publisher = pub-wiley, address = pub-wiley:adr, abstract = {The boom in smart card technology reflects the medium's
broad solutions potential. Embedded with a sophisticated
microprocessor, smart cards offer unparalleled memory
capacity and data encryption capability. From providing
secure access to the Internet and mobile radio networks to
performing security-sensitive financial transactions in
credit card schemes, the Electronic Purse and Pay TV
systems, smart card technology is now a multi-billion
dollar industry. The Smart Card Handbook presents a
state-of-the-art overview of the technology from
fundamental information processing through design,
manufacture and operation of smart card schemes. Written in
a highly accessible style the Smart Card Handbook meets the
needs of both novice and expert. This is an essential
reference for computer and electronics engineers and
students in microchip design and security system
development. For professionals developing smart card
products, this unique reference will provide an invaluable
insight to all the facets of this sophisticated
technology.}
}
@Book{ graham.ea:concrete:1989, title = {Concrete Mathematics}, author = {Roland L. Graham and Donald E. Knuth and Oren Patashnik},
isbn = {0-201-14236-8}, publisher = pub-aw, address = pub-aw:adr, pages = 578, year = 1989
}
@Manual{ iso:ansi-cpp:1998,
bibkey = {iso:ansi-cpp:1998}, abstract = {Specifies requirements for implementations of the C++
programming language. This International Standard also
defines C++. Other requirements and relaxations of the
first requirement appear at various places within this
standard.},
note = {Doc. No. ISO/IEC 14882-1998}, title = {International Standard: Programming languages -C++ },
organization = {ANSI/ISO}, year = 1998, month = sep, publisher = {The American National Standards Institute}, address = {New York}
}
@Book{ reid:thinking:1990, abstract = {The book is a result of Glenn Reid's years trying to teach
people to write PostScript programs, during which he
discovered that people tended to try to make PostScript "look like" other programming languages they already knew.
There is even a chapter in this book entitled "PostScript
Is Not Like C", because it is really a very different language, and one must learn to "think" in PostScript in
order to be a good programmer. }, author = {Glenn C. Reid}, title = {Thinking in Postscript}, publisher = pub-aw, address = pub-aw:adr, month = sep, year = 1990, language = {USenglish}, keywords = {Postscript},
public = {yes},
isbn = {0-201-52372-8},
url = {http://www.rightbrain.com/download/books/ThinkingInPostScript.pdf}
}
@Book{ knuth:seminumerical:1981, author = {Donald E. Knuth},
series = {The Art of Computer Programming}, volume = 2, title = {Seminumerical Algorithms},
edition = {second},
isbn = {0-201-03822-6}, year = 1981, publisher = pub-aw, address = pub-aw:adr
}
@Book{ wegener:complexity:1987, address = {Stuttgart}, author = {Ingo Wegener}, language = {USenglish},
public = {yes}, publisher = {John Wiley \& Sons Ltd., and B.G. Teubner}, title = {The Complexity of Boolean Functions},
url = {\url{http://ls2-www.informatik.uni-dortmund.de/monographs/bluebook/}}
, year = 1987,
cover = {1987/wegener:complexity:1987.png}, timestamp = 948019205
}
@Article{ stallman:societal:1997, author = {Richard Stallman}, title = {Societal Dimensions: The Right to Read}, journal = j-cacm, volume = 40, number = 2, pages = {85--87}, month = feb, year = 1997,
coden = {CACMA2},
issn = {0001-0782},
url = {http://www.acm.org/pubs/citations/journals/cacm/1997-40-2/p85-stallman/}
,
localurl = {papers/1997/p85-stallman.pdf},
note = {\url{http://www.gnu.org/}},
acknowledgement=ack-nhfb,
classification= {C0230 (Economic, social and political aspects of
computing); C0310D (Computer installation management)}, keywords = {Clinton administration; Clipper chip; computer crime;
design; industrial property; key-escrow proposals; legal
aspects; management; pirates; right to read; security;
Software Protection Authority; Software Publisher's
Association},
subject = {{\bf K.1} Computing Milieux, THE COMPUTER INDUSTRY. {\bf
K.5.0} Computing Milieux, LEGAL ASPECTS OF COMPUTING,
General. {\bf K.4.0} Computing Milieux, COMPUTERS AND
SOCIETY, General.},
treatment = {G General Review}
}
@Article{ stallman:societal:1997-b, author = {Richard Stallman}, title = {Societal Dimensions: The Right to Read}, journal = j-cacm, volume = 40, number = 2, pages = {85--87}, month = feb, year = 1997,
issn = {0001-0782},
classification= {C0230 (Economic, social and political aspects of
computing); C0310D (Computer installation management)}, keywords = {Clinton administration; Clipper chip; computer crime;
design; industrial property; key-escrow proposals; legal
aspects; management; pirates; right to read; security;
Software Protection Authority; Software Publisher's
Association},
subject = {{\bf K.1} Computing Milieux, THE COMPUTER INDUSTRY. {\bf
K.5.0} Computing Milieux, LEGAL ASPECTS OF COMPUTING,
General. {\bf K.4.0} Computing Milieux, COMPUTERS AND
SOCIETY, General.},
treatment = {G General Review}
}
@Article{ dalton.ea:securing:2001,
bibkey = {dalton.ea:securing:2001}, author = {Chris Dalton and Tse Huong Choo}, title = {An operating system approach to securing e--services}, journal = j-cacm, volume = 44, number = 2, pages = {58--64}, month = feb, abstract = {This article looks at some of the problems surrounding
application compromise in more detail and puts forward our
approach to solving these problems. We do not attempt to
guarantee that the application services are bug-free (a
difficult problem). Instead, we have found that the effects
of this type of attack, and quite a few others, can be
usefully mitigated by adding specific properties to the OSs
used to host those applications.
Specifically, we look at Trusted Linux, HP Laboratories'
implementation of a secure version of Linux, which we
believe is an ideal platform for e-service application
hosting.}, year = 2001,
issn = {0001-0782}
}
@Article{ cornea-hasegan:proving:1998, language = {USenglish}, abstract = {The work presented in this paper was initiated as part of
a study on software alternatives to the hardware
implementations of floating-point operations such as divide
and square root. The results of the study proved the
viability of software implementations, and showed that
certain proposed algorithms are comparable in performance
to current hardware implementations. This paper discusses
two components of that study:
(1) A methodology for proving the IEEE correctness of the
result of iterative algorithms that implement the
floating-point square root, divide, or remainder operation.
(2) Identification of operands for the floating-point
divide and square root operations that lead to results
representing difficult cases for IEEE rounding.
Some general properties of floating-point computations are
presented first. The IEEE correctness of the floating-point
square root operation is discussed next. We show how
operands for the floating-point square root that lead to
difficult cases for rounding can be generated, and how to
use this knowledge in proving the IEEE correctness of the
result of iterative algorithms that calculate the square
root of a floating-point number. Similar aspects are
analyzed for the floating-point divide operation, and we
present a method for generating difficult cases for
rounding. In the case of the floating-point divide
operation, however, it is more difficult to use this
information in proving the IEEE correctness of the result
of an iterative algorithm than it is for the floating-point
square root operation. We examine the restrictions on the
method used for square root. Finally, we present possible
limitations due to the finite exponent range.}, journal = {Intel Technology Journal}, volume = {Q2}, year = 1998, title = {Proving the {IEEE} Correctness of Iterative Floating-Point
Square Root, Divide, and Remainder Algorithms }, author = {Marius Cornea-Hasegan}, keywords = {floating-point, IEEE correctness, divide, square root,
remainder},
url = {\url{http://developer.intel.com/technology/itj/q21998/articles/art_3.htm}}
}
@Article{ edelman:mathematics:1997, author = {Alan Edelman}, abstract = {Despite all of the publicity surrounding the Pentium bug
of 1994, the mathematical details of the bug are poorly
understood. We discuss these details and supply a new proof
of the Coe--Tang result that the at-risk divisors have six
consecutive ones in positions 5 through 10. Also, we prove
that the worst-case absolute error for arguments in [1,2)
is on the order of 1e--5. }, journal = {SIAM}, title = {The Mathematics of the Pentium Division Bug}, keywords = {Pentium, SRT division, floating point operations }, year = 1997,
url = {\url{http://epubs.siam.org/sam-bin/dbq/article/29395}}, pages = {54--67}, volume = 39, number = 1,
public = {yes}
}
@Article{ oleary.ea:formally:1999, language = {USenglish}, abstract = {This paper describes the formal specification and
verification of floating-point arithmetic hardware at the
level of IEEE Standard 754. Floating-point correctness is a
crucial problem: the functionality of Intel's
floating-point hardware is architecturally visible and,
once discovered, floating-point bugs are easily reproduced
by the consumer. We have formally specified and verified
IEEE-compliance of the Pentium{\textregistered} Pro
processor's FADD, FSUB, FMUL, FDIV, FSQRT, and FPREM
operations, as well as the correctness of various
miscellaneous operations including conversion to and from
integers. Compliance was verified against the gate-level
descriptions from which the actual silicon is derived and
on which all traditional pre-silicon dynamic validation is
performed. Our results demonstrate that formal functional
verification of gate-level floating-point designs against
IEEE-level specifications is both feasible and practical.
As far as the authors are aware, this is the first such
demonstration. }, journal = {Intel Technology Journal}, volume = {Q1}, year = 1999, title = {Formally Verifying {IEEE} Compliance of Floating-Point
Hardware}, author = {John O'Leary and Xudong Zhao and Rob Gerth and Carl-Johan
H. Seger},
url = {\url{http://developer.intel.com/technology/itj/q11999/articles/art_5.htm}}
, keywords = {verification; pentium; FDIV bug; flaw;
floating-point-hardware; floating-point; IEEE compliance;
formal verification; model checking; theorem proving }
}
@Article{ szpiro:mathematics:2003, author = {George Szpiro},
url = {http://www.nature.com/cgi-taf/DynaPage.taf?file=/nature/journal/v424/n6944/full/424012a_fs.html}
, journal = {Nature}, pages = {12--13}, month = jul, year = 2003, number = 424, title = {Mathematics: Does the proof stack up?},
acknowledgement={none},
bibkey = {szpiro:mathematics:2003}
}
@Article{ venet:practical:2008, author = {Arnaud Venet}, title = {A practical approach to formal software verification by
static analysis}, journal = {Ada Lett.}, volume = {XXVIII}, number = 1, year = 2008,
issn = {1094-3641}, pages = {92--95},
doi = {10.1145/1387830.1387836}, address = pub-acm:adr, publisher = pub-acm, abstract = {Static analysis by Abstract Interpretation is a promising
way for conducting formal verification of large software
applications. In spite of recent successes in the
verification of aerospace codes, this approach has limited
industrial applicability due to the level of expertise
required to engineer static analyzers. In this paper we
investigate a pragmatic approach that consists of focusing
on the most critical components of the application first.
In this approach the user provides a description of the
usage of functionalities in the critical component via a
simple specification language, which is used to drive a
fully automated static analysis engine. We present
experimental results of the application of this approach to
the verification of absence of buffer overflows in a
critical library of the OpenSSH distribution.}
}
@InProceedings{ balser.ea:formal:2000, author = {Michael Balser and Wolfgang Reif and Gerhard Schellhorn
and Kurt Stenzel and Andreas Thums}, title = {Formal System Development with {KIV}}, booktitle = {FASE}, year = 2000, pages = {363--366},
doi = {10.1007/3-540-46428-X_25},
crossref = {maibaum:fundamental:2000}, abstract = {KIV is a tool for formal systems development. It can be
employed, e.g., 1) for the development of safety critical
systems from formal requirements specifications to
executable code, including the verification of safety
requirements and the correctness of implementations, 2) for
semantical foundations of programming languages from a
specification of the semantics to a verified compiler, 3)
for building security models and architectural models as
they are needed for high level ITSEC [7] or CC [1]
evaluations. }
}
@Proceedings{ maibaum:fundamental:2000, editor = {T. S. E. Maibaum}, title = {Fundamental Approaches to Software Engineering, Third
Internationsl Conference, FASE 2000, Held as Part of the
European Joint Conferences on the Theory and Practice of
Software, ETAPS 2000, Berlin, Germany, March 25 - April 2, 2000, Proceedings}, booktitle = {FASE}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1783, year = 2000,
isbn = {3-540-67261-3}
}
@InProceedings{ castillo:asm:2001, author = {Giuseppe Del Castillo}, title = {The {ASM} Workbench: A Tool Environment for Computer-Aided
Analysis and Validation of Abstract State Machine Models
Tool Demonstration}, booktitle = {TACAS}, year = 2001, pages = {578--581},
doi = {10.1007/3-540-45319-9_40}, abstract = {Gurevich{\^a}s Abstract State Machines (ASMs) constitute a
high-level state-based modelling language, which has been
used in a wide range of applications. The ASM Workbench is
a comprehensive tool environment supporting the development
and computer-aided analysis and validation of ASM models.
It is based on a typed version of the ASM language, called
ASM-SL, and includes features for type-checking,
simulation, debugging, and verification of ASM models.},
crossref = {margaria.ea:tools:2001}
}
@Proceedings{ margaria.ea:tools:2001, editor = {Tiziana Margaria and Wang Yi}, title = {Tools and Algorithms for the Construction and Analysis of
Systems, 7th International Conference, TACAS 2001 Held as
Part of the Joint European Conferences on Theory and
Practice of Software, ETAPS 2001 Genova, Italy, April 2-6, 2001, Proceedings}, booktitle = {TACAS}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 2031, year = 2001,
isbn = {3-540-41865-2}
}
@Article{ gurevich.ea:semantic:2005, title = {Semantic essence of {AsmL}}, journal = {Theoretical Computer Science}, volume = 343, number = 3, pages = {370--412}, year = 2005,
note = {Formal Methods for Components and Objects},
issn = {0304-3975},
doi = {10.1016/j.tcs.2005.06.017}, author = {Yuri Gurevich and Benjamin Rossman and Wolfram Schulte}, keywords = {Abstract state machine,Executable specification language}, abstract = { The Abstract State Machine Language, AsmL, is a novel
executable specification language based on the theory of Abstract State Machines. AsmL is object-oriented, provides
high-level mathematical data-structures, and is built
around the notion of synchronous updates and finite choice.
AsmL is fully integrated into the .NET framework and
Microsoft development tools. In this paper, we explain the
design rationale of AsmL and provide static and dynamic
semantics for a kernel of the language.}
}
@Article{ gargantini.ea:metamodel-based:2008, author = {Angelo Gargantini and Elvinia Riccobene and Patrizia
Scandurra}, title = {A Metamodel-based Language and a Simulation Engine for Abstract State Machines}, journal = j-ucs, volume = 14, number = 12, year = 2008, pages = {1949--1983}, abstract = {In this paper, we present a concrete textual notation,
called AsmetaL, and a general-purpose simulation engine,
called AsmetaS, for Abstract State Machine (ASM)
specifications. They have been developed as part of the
ASMETA (ASMs mETAmodelling) toolset, which is a set of
tools for ASMs based on the metamodelling approach of the
Model-driven Engineering. We briefly present the ASMETA
framework, and we discuss how the language and the
simulator have been developed exploiting the advantages
offered by the metamodelling approach. We introduce the language AsmetaL used to write ASM specifications, and we
provide the AsmetaL encoding of ASM specifications of
increasing complexity. We explain the AsmetaS architecture,
its kernel engine, and how the simulator works within the
ASMETA tool set. We discuss the features currently
supported by the simulator and how it has been validated.}
}
@Manual{ schmid:introduction:2001, author = {Joachim Schmid}, title = {Introduction to {AsmGofer}}, year = 2001
}
@InProceedings{ miller.ea:czt:2005, author = {Tim Miller and Leo Freitas and Petra Malik and Mark
Utting}, title = {{CZT} Support for {Z} Extensions}, year = 2005, pages = {227--245},
doi = {10.1007/11589976_14},
crossref = {romijn.ea:integrated:2005}, abstract = {Community Z Tools (CZT) is an integrated framework for the
Z formal specification language. In this paper, we show how
it is also designed to support extensions of Z, in a way
that minimises the work required to build a new Z
extension. The goals of the framework are to maximise
extensibility and reuse, and minimise code duplication and
maintenance effort. To achieve these goals, CZT uses a
variety of different reuse mechanisms, including generation
of Java code from a hierarchy of XML schemas, XML templates
for shared code, and several design patterns for maximising
reuse of Java code. The CZT framework is being used to
implement several integrated formal methods, which add
object-orientation, real-time features and process algebra
extensions to Z. The effort required to implement such
extensions of Z has been dramatically reduced by using the
CZT framework.}
}
@Proceedings{ romijn.ea:integrated:2005, editor = {Judi Romijn and Graeme Smith and Jaco van de Pol}, booktitle = {Integrated Formal Methods (IFM)},
location = {Eindhoven, The Netherlands}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 3771, year = 2005,
isbn = {3-540-30492-4}
}
@TechReport{ ashley.ea:enterprise:2003, author = {Paul Ashley and Satoshi Hada and G{\"u}nter Karjoth and
Calvin Powers and Matthias Schunter}, editor = {Calvin Powers and Matthias Schunter}, title = {Enterprise Privacy Authorization Language ({EPAL} 1.2)},
institution = {IBM}, year = 2003,
url = {http://www.zurich.ibm.com/security/enterprise-privacy/epal}
}
@TechReport{ cisc:securing:2008, title = {Securing Cyberspace for the 44th Presidency},
institution = {Center for Strategic and International Studies (CSIS)}, month = dec, year = 2008
}
@InProceedings{ wei.ea:authorization:2008, author = {Qiang Wei and Jason Crampton and Konstantin Beznosov and
Matei Ripeanu}, title = {Authorization recycling in {RBAC} systems}, booktitle = {ACM symposium on Access control models and technologies
(SACMAT)}, year = 2008,
isbn = {978-1-60558-129-3}, pages = {63--72},
location = {Estes Park, CO, USA},
doi = {10.1145/1377836.1377848}, publisher = pub-acm, address = pub-acm:adr, abstract = {As distributed applications increase in size and
complexity, traditional authorization mechanisms based on a
single policy decision point are increasingly fragile
because this decision point represents a single point of
failure and a performance bottleneck. Authorization
recycling is one technique that has been used to address
these challenges.
This paper introduces and evaluates the mechanisms for
authorization recycling in RBAC enterprise systems. The
algorithms that support these mechanisms allow precise and
approximate authorization decisions to be made, thereby
masking possible failures of the policy decision point and
reducing its load. We evaluate these algorithms
analytically and using a prototype implementation. Our
evaluation results demonstrate that authorization recycling
can improve the performance of distributed access java.lang.StringIndexOutOfBoundsException: Index 61 out of bounds for length 61
mechanisms.}
}
@Article{ karjoth:access:2003, author = {G{\"u}nter Karjoth}, title = {Access control with {IBM} {Tivoli} access manager}, journal = j-tissec, publisher = pub-acm, address = pub-acm:adr, volume = 6, number = 2, year = 2003, pages = {232--257},
doi = {10.1145/762476.762479}, abstract = {Web presence has become a key consideration for the
majority of companies and other organizations. Besides
being an essential information delivery tool, the Web is
increasingly being regarded as an extension of the
organization itself, directly integrated with its operating
processes. As this transformation takes place, security
grows in importance. IBM Tivoli Access Manager offers a
shared infrastructure for authentication and access
management, technologies that have begun to emerge in the
commercial marketplace. This paper describes the
Authorization Service provided by IBM Tivoli Access Manager
for e-business (AM) and its use by AM family members as
well as third-party applications. Policies are defined over
a protected object namespace and stored in a database,
which is managed via a management console and accessed
through an Authorization API. The protected object
namespace abstracts from heterogeneous systems and thus
enables the definition of consistent policies and their
centralized management. ACL inheritance and delegated
management allow these policies to be managed efficiently.
The Authorization API allows applications with their own
access control requirements to decouple authorization logic
from application logic. Policy checking can be externalized
by using either a proxy that sits in front of the Web
servers and application servers or a plug-in that examines
the request. Thus, AM familiy members establish a single
entry point to enforce enterprise policies that regulate
access to corporate data.}
}
@Book{ heijenoort:from:2002, abstract = {The fundamental texts of the great classical period in
modern logic, some of them never before available in
English translation, are here gathered together for the
first time. Modern logic, heralded by Leibniz, may be said
to have been initiated by Boole, De Morgan, and Jevons, but
it was the publication in 1879 of Gottlob Frege's
Begriffsschrift that opened a great epoch in the history of
logic by presenting, in full-fledged form, the
propositional calculus and quantification theory. Frege's book, translated in its entirety, begins the present volume. The emergence of two new fields, set theory and
foundations of mathematics, on the borders of logic,
mathematics, and philosophy, is depicted by the texts that
follow. Peano and Dedekind illustrate the trend that led to
Principia Mathematica. Burali-Forti, Cantor, Russell,
Richard, and K\"{o}nig mark the appearance of the modern
paradoxes. Hilbert, Russell, and Zermelo show various ways
of overcoming these paradoxes and initiate, respectively,
proof theory, the theory of types, and axiomatic set
theory. Skolem generalizes L\"{o}wenheim's theorem, and he
and Fraenkel amend Zermelo's axiomatization of set theory,
while von Neumann offers a somewhat different system. The
controversy between Hubert and Brouwer during the twenties
is presented in papers of theirs and in others by Weyl,
Bernays, Ackermann, and Kolmogorov. The volume concludes
with papers by Herbrand and by G\"{o}del, including the
latter's famous incompleteness paper. Of the forty-five
contributions here collected all but five are presented in
extenso. Those not originally written in English have been
translated with exemplary care and exactness; the
translators are themselves mathematical logicians as well
as skilled interpreters of sometimes obscure texts. Each
paper is introduced by a note that sets it in perspective,
explains its importance, and points out difficulties in
interpretation. Editorial comments and footnotes are
interpolated where needed, and an extensive bibliography is
included.}, author = {Jean van Heijenoort},
howpublished = {Paperback},
isbn = 0674324498, keywords = {frege, godel, logic}, month = {January},
posted-at = {2006-05-0722:17:38},
priority = 2, publisher = {{Harvard University Press}}, title = {From Frege to G{\"o}del : A Source Book in Mathematical
Logic, 1879-1931 (Source Books in the History of the
Sciences)}, year = 2002
}
@InProceedings{ kohler.ea:avoiding:2008, author = {Mathias Kohler and Andreas Schaad}, title = {Avoiding Policy-based Deadlocks in Business Processes}, year = 2008, pages = {709--716},
doi = {10.1109/ARES.2008.131}, address = pub-ieee:adr, publisher = pub-ieee, abstract = {In the field of business process management, deadlocks
describe a situation where a workflow execution is blocked
and cannot be completed. We speak of policy-based deadlocks
if such a situation is caused by unsatisfiable resource
requirements due to security constraints specified as part
of the business process. In this paper we propose a method
to avoid policy-based deadlocks by analyzing a workflow's
security constraints, determine the minimal required number
of users, and provide an optimal user-activity assignment
for a deadlock-free workflow execution. We will finally
validate our proposed approach by applying it to a
real-world scenario. }, booktitle = {Third International Conference on Availability,
Reliability and Security (ARES 2008)},
location = {Technical University of Catalonia, Barcelona , Spain}, month = mar
}
@InProceedings{ modersheim.ea:open-source:2009, author = {Sebastian M{\"o}dersheim and Luca Vigan{\`o}}, title = {The Open-Source Fixed-Point Model Checker for Symbolic
Analysis of Security Protocols}, booktitle = {FOSAD}, year = 2009, pages = {166--194},
doi = {10.1007/978-3-642-03829-7_6},
crossref = {aldini.ea:foundations:2009}
}
@Proceedings{ aldini.ea:foundations:2009, editor = {Alessandro Aldini and Gilles Barthe and Roberto Gorrieri}, title = {Foundations of Security Analysis and Design V, FOSAD 2007/2008/2009 Tutorial Lectures}, booktitle = {FOSAD}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5705, year = 2009,
isbn = {978-3-642-03828-0},
doi = {10.1007/978-3-642-03829-7}
}
@Article{ dolev.ea:security:1981, author = {D. Dolev and A. C. Yao}, title = {On the security of public key protocols}, journal = {Symposium on Foundations of Computer Science}, volume = 0, year = 1981,
issn = {0272-5428}, pages = {350--357},
doi = {10.1109/SFCS.1981.32}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}
}
@InProceedings{ levin.ea:securing:2009, author = {Timothy E. Levin and Jeffrey S. Dwoskin and Ganesha
Bhaskara and Thuy D. Nguyen and Paul C. Clark and Ruby B.
Lee and Cynthia E. Irvine and Terry Benzel}, title = {Securing the Dissemination of Emergency Response Data with
an Integrated Hardware-Software Architecture}, year = 2009, pages = {133--152},
doi = {10.1007/978-3-642-00587-9_9},
crossref = {chen.ea:trusted:2009}, abstract = {During many crises, access to sensitive emergency-support
information is required to save lives and property. For
example, for effective evacuations first responders need
the names and addresses of non-ambulatory residents. Yet,
currently, access to such information may not be possible
because government policy makers and third-party data
providers lack confidence that today{\^a}s IT systems will
protect their data. Our approach to the management of
emergency information provides first responders with
temporary, transient access to sensitive information, and
ensures that the information is revoked after the
emergency. The following contributions are presented: a
systematic analysis of the basic forms of trusted
communication supported by the architecture; a
comprehensive method for secure, distributed emergency
state management; a method to allow a userspace application
to securely display data; a multifaceted system analysis of
the confinement of emergency information and the secure and
complete revocation of access to that information at the
closure of an emergency.}
}
@Proceedings{ chen.ea:trusted:2009, editor = {Liqun Chen and Chris J. Mitchell and Andrew Martin}, booktitle = PROC # {International Conference on Trusted
Computing (Trust)},
location = {Trusted Computing, Second International Conference, Trust 2009, Oxford, UK, April 6-8, 2009, Proceedings},
series = s-lncs, publisher = pub-springer, address = pub-springer:adr, volume = 5471, year = 2009,
isbn = {978-3-642-00586-2},
doi = {10.1007/978-3-642-00587-9}
}
@Book{ wunder.ea:verteilte:2009, editor = {Michael Wunder and J{\"u}rgen Grosche}, title = {Verteilte F{\"u}hrungsinformationssysteme}, abstract = {R{\"u}ckblick und Sachstand der technologischen Aspekte
bei der Entwicklung verteilter
F{\"u}hrungsinformationssysteme, einer zentralen Aufgabe in
der Bundeswehr sowie bei Beh{\"o}rden und Organisationen
mit Sicherheitsaufgeben (z.B. Polizei, Rettungskr{\"a}fte).
Vornehmlich Wissenschaftler der Abteilung
Informationstechnik f{\"u}r F{\"u}hrungssysteme des
Forschungsinstituts f{\"u}r Kommunikation,
Informationsverarbeitung und Ergonomie beschreiben
basierend auf einer 40-j{\"a}hrigen Erfahrung in diesem
Anwendungsgebiet Konzepte und Einzelaspekte bei der
Gestaltung von F{\"u}hrungsinformationssystemen.
Reflektiert werden aktuelle Problembereiche bei der
Vernetzung unterschiedlicher Systeme, einer der derzeit
gr{\"o}{\ss}ten Herausforderungen bei der Neugestaltung der
Abl{\"a}ufe und Systeme in der Bundeswehr und in verwandten
Einrichtungen. Dazu werden Informationsstrukturen und
Prozesse untersucht, Systemarchitekturen ausgewertet und
kombiniert sowie Laborstudien und Feldversuche beschrieben.
In ca. 25 Beitr{\"a}gen wird eine L{\"u}cke in der
verf{\"u}gbaren Literatur geschlossen, die der Vielzahl von
Entwicklern und Anwendern einen Einblick in die aktuelle
Lage und die zuk{\"u}nftigen Gestaltungsm{\"o}glichkeiten bietet.},
isbn = {978-3-642-00508-4}, language = {German},
doi = {10.1007/978-3-642-00509-1}, year = 2009, publisher = pub-springer, address = pub-springer:adr
}
@InProceedings{ levin.ea:idea:2009, author = {Timothy E. Levin and Cynthia E. Irvine and Terry Benzel
and Thuy D. Nguyen and Paul C. Clark and Ganesha Bhaskara}, title = {Idea: Trusted Emergency Management}, booktitle = {ESSoS}, year = 2009, pages = {32--36},
doi = {10.1007/978-3-642-00199-4_3}, abstract = {Through first-responder access to sensitive information
for which they have not been pre-vetted, lives and property
can be saved. We describe enhancements to a trusted
emergency information management (EIM) system that securely
allows for extraordinary access to sensitive information
during a crisis. A major component of the architecture is
the end-user device, the security of which is enhanced with
processor-level encryption of memory. This paper introduces
an approach to more efficiently use the
processor-encryption feature for secure data storage, as
well as ISA instructions for the management of emergency
state.},
crossref = {massacci.ea:engineering:2009}
}
@Proceedings{ massacci.ea:engineering:2009, editor = {Fabio Massacci and Samuel T. Redwine Jr. and Nicola
Zannone}, title = {Engineering Secure Software and Systems, First
International Symposium ESSoS 2009, Leuven, Belgium,
February 4-6, 2009. Proceedings}, booktitle = {ESSoS}, volume = 5429, year = 2009,
isbn = {978-3-642-00198-7}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs,
doi = {10.1007/978-3-642-00199-4}
}
@Article{ phan.ea:survey:2008, author = {Tan Phan and Jun Han and Jean-Guy Schneider and Tim
Ebringer and Tony Rogers}, title = {A Survey of Policy-Based Management Approaches for Service
Oriented Systems}, journal = {Australian Software Engineering Conference}, volume = 0, year = 2008,
issn = {1530-0803}, pages = {392--401},
doi = {10.1109/ASWEC.2008.56}, address = pub-ieee:adr, publisher = pub-ieee, abstract = {Policy based management in Service Oriented Architecture
(SOA) allows organizations to apply rules and regulations
on their business processes. Policy has long been employed
in the management of traditional distributed systems and
many policy frameworks have been proposed. However,SOA
differs in several aspects to traditional systems; thus,
there is a unique set of requirements for an effective SOA
policy system. In this paper, we evaluate five popular
policy frameworks which are IETF, Ponder, KAoS, Rei and
WS-Policy against a number of general and SOA-specific
criteria to identify what features of these existing
systems can be adopted for SOA and what are not. We then,
based on their feature sets, discuss the applicability of
the frameworks for SOA management.}
}
@InProceedings{ sevinc.ea:securing:2007, author = {Paul E. Sevin\c{c} and Mario Strasser and David A. Basin}, title = {Securing the Distribution and Storage of Secrets with
Trusted Platform Modules}, booktitle = {WISTP}, year = 2007, pages = {53--66},
doi = {10.1007/978-3-540-72354-7_5},
crossref = {sauveron.ea:information:2007}, abstract = {We present a protocol that allows servers to securely
distribute secrets to trusted platforms. The protocol
maintains the confidentiality of secrets in the face of
eavesdroppers and careless users. Given an ideal
(tamper-proof) trusted platform, the protocol can even
withstand attacks by dishonest users. As an example of its
use, we present an application to secure document
processing.}
}
@Proceedings{ sauveron.ea:information:2007, editor = {Damien Sauveron and Constantinos Markantonakis and Angelos
Bilas and Jean-Jacques Quisquater}, title = {Information Security Theory and Practices. Smart Cards,
Mobile and Ubiquitous Computing Systems, First IFIP TC6 /
WG 8.8 / WG 11.2 International Workshop, WISTP 2007,
Heraklion, Crete, Greece, May 9-11, 2007, Proceedings}, booktitle = {WISTP}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 4462, year = 2007,
isbn = {978-3-540-72353-0}
}
@InProceedings{ liu.ea:fabric:2009, author = {Jed Liu and Michael D. George and K. Vikram and Xin Qi and
Lucas Waye and Andrew C. Myers}, title = {Fabric: a platform for secure distributed computation and
storage}, booktitle = {SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on
Operating systems principles}, year = 2009,
isbn = {978-1-60558-752-3}, pages = {321--334},
location = {Big Sky, Montana, USA},
doi = {10.1145/1629575.1629606}, address = pub-acm:adr, publisher = pub-acm, abstract = {Fabric is a new system and language for building secure
distributed information systems. It is a decentralized
system that allows heterogeneous network nodes to securely
share both information and computation resources despite
mutual distrust. Its high-level programming language makes
distribution and persistence largely transparent to
programmers. Fabric supports data-shipping and
function-shipping styles of computation: both computation
and information can move between nodes to meet security
requirements or to improve performance. Fabric provides a
rich, Java-like object model, but data resources are
labeled with confidentiality and integrity policies that
are enforced through a combination of compile-time and
run-time mechanisms. Optimistic, nested transactions ensure
consistency across all objects and nodes. A peer-to-peer
dissemination layer helps to increase availability and to
balance load. Results from applications built using Fabric
suggest that Fabric has a clean, concise programming model,
offers good performance, and enforces security.}
}
@InProceedings{ ferreira.ea:how:2009, author = {Ana Ferreira and David Chadwick and Pedro Farinha and
Gansen Zhao and Rui Chilro and Ricardo Cruz-Correia and
Luis Antunes}, title = {How to securely break into RBAC: the BTG-RBAC model}, booktitle = {Annual Computer Security Applications Conference (ACSAC)}, year = 2009, abstract = {Access control models describe frameworks that dictate how
subjects (e.g. users) access resources. In the Role-Based
Access Control (RBAC) model access to resources is based on
the role the user holds within the organization. Although
flexible and easier to manage within large-scale
authorization frameworks, RBAC is usually a static model
where access control decisions have only two output
options: Grant or Deny. Break The Glass (BTG) policies can
be provided in order to break or override the access
controls within an access control policy but in a
controlled and justifiable manner. The main objective of
this paper is to integrate BTG within the NIST/ANSI RBAC
model in a transparent and secure way so that it can be
adopted generically in any domain where unanticipated or
emergency situations may occur. The new proposed model,
called BTG-RBAC, provides a third decision option BTG. This
allows break the glass policies to be implemented in any
application without any major changes to either the
application or the RBAC authorization infrastructure, apart
from the decision engine. Finally, in order to validate the
model, we discuss how the BTG-RBAC model is being
introduced within a Portuguese healthcare institution where
the legislation requires that genetic information must be
accessed by a restricted group of healthcare professionals.
These professionals, advised by the ethical committee, have
required and asked for the implementation of the BTG
concept in order to comply with the said legislation.}
}
@Article{ moggi:notions:1991, author = {Eugenio Moggi}, title = {Notions of Computation and Monads}, journal = {Information and Computation}, volume = 93, number = 1, year = 1991, pages = {55--92}
}
@InProceedings{ wadler:monads:1995, author = {Philip Wadler}, title = {Monads for Functional Programming}, booktitle = {Advanced Functional Programming}, year = 1995, pages = {24--52},
crossref = {jeuring.ea:advanced:1995}
}
@Proceedings{ jeuring.ea:advanced:1995, editor = {Johan Jeuring and Erik Meijer}, title = {Advanced Functional Programming, First International
Spring School on Advanced Functional Programming
Techniques, B{\aa}stad, Sweden, May 24-30, 1995, Tutorial
Text}, booktitle = {Advanced Functional Programming}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 925, year = 1995,
isbn = {3-540-59451-5}
}
@InProceedings{ grieskamp.ea:model-based:2008, author = {Wolfgang Grieskamp and Nicolas Kicillof and Dave MacDonald
and Alok Nandan and Keith Stobie and Fred L. Wurden}, title = {Model-Based Quality Assurance of Windows Protocol
Documentation}, booktitle = {Software Testing, Verification, and Validation (ICST)}, year = 2008, pages = {502--506},
doi = {10.1109/ICST.2008.50}, abstract = {Microsoft is producing high-quality documentation for
Windows client-server and server-server protocols. Our
group in the Windows organization is responsible for
verifying the documentation to ensure it is of the highest
quality. We are applying various test-driven methods
including, when appropriate, a model-based approach. This
paper describes certain aspects of the quality assurance
process we put in place, and specifically focuses on
model-based testing (MBT). Our experiences so far confirm
that MBT works and that it scales, provided it is
accompanied by sound tool support and clear methodological
guidance.},
location = {Lillehammer, Norway, April 9-11, 2008}, volume = 0,
isbn = {978-0-7695-3127-4}, publisher = pub-ieee, address = pub-ieee:adr
}
@InProceedings{ berghofer.ea:random:2004, author = {Stefan Berghofer and Tobias Nipkow}, title = {Random Testing in Isabelle/HOL}, booktitle = {Software Engineering and Formal Methods (SEFM)}, year = 2004, pages = {230--239},
doi = {10.1109/SEFM.2004.36}, abstract = {When developing non-trivial formalizations in a theorem
prover, a considerable amount of time is devoted to "debugging" specifications and conjectures by failed proof
attempts. To detect such problems early in the proof and
save development time, we have extended the Isabelle
theorem prover with a tool for testing specifications by
evaluating propositions under an assignment of random
values to free variables. Distribution of the test data is
optimized via mutation testing. The technical contributions
are an extension of earlier work with inductive definitions
and a generic method for randomly generating elements of
recursive datatypes.},
location = {28-30 September 2004, Beijing, China}, publisher = pub-ieee, address = pub-ieee:adr,
isbn = {0-7695-2222-X}
}
@TechReport{ gallaher.ea:economic:2002,
institution = {National Institute of Standards \& Technology}, number = {Planning Report02-03}, year = 2002, month = may, author = {M.P. Gallaher and B.M. Kropp}, title = {The Economic Impacts of Inadequate Infrastructure for
Software Testing}, abstract = {Software has become an intrinsic part of business over the
last decade. Virtually every business in the U.S. in every
sector depends on it to aid in the development, production,
marketing, and support of its products and services.
Advances in computers and related technology have provided
the building blocks on which new industries have evolved.
Innovations in the fields of robotic manufacturing,
nanotechnologies, and human genetics research all have been
enabled by low cost computational and control capabilities
supplied by computers and software. In 2000, total sales of
software reached approximately \$180 billion. Rapid growth
has created a significant and high-paid workforce, with 697,000 employed as software engineers and an additional 585,000 as computer programmers. Reducing the cost of
software development and improving software quality are
important objectives of the U.S. software industry.
However, the complexity of the underlying software needed
to support the U.S.'s computerized economy is increasing at
an alarming rate. The size of software products is no
longer measured in terms of thousands of lines of code, but
millions of lines of code. This increasing complexity along
with a decreasing average market life expectancy for many
software products has heightened concerns over software
quality.}
}
@InProceedings{ tej.ea:corrected:1997, author = {Haykal Tej and Burkhart Wolff}, title = {A Corrected Failure Divergence Model for {CSP} in
{Isabelle/HOL}}, year = 1997, pages = {318--337},
doi = {10.1007/3-540-63533-5_17}, abstract = {We present a failure-divergence model for CSP following
the concepts of [BR 85]. Its formal representation within
higher order logic in the theorem prover Isabelle/HOL [Pau 94] revealed an error in the basic definition of CSP
concerning the treatment of the termination symbol tick. A
corrected model has been formally proven consistent with
Isabelle/HOL. Moreover, the changed version maintains the
essential algebraic properties of CSP. As a result, there
is a proven correct implementation of a ldquoCSP
workbenchrdquo within Isabelle.},
crossref = {fitzgerald.ea:formal:1997}
}
@Proceedings{ fitzgerald.ea:formal:1997, editor = {John S. Fitzgerald and Cliff B. Jones and Peter Lucas}, booktitle = {Formal Methods Europe (FME)},
location = {Graz, Austria, September 15-19, 1997, Proceedings}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 1313, year = 1997,
isbn = {3-540-63533-5}
}
@InProceedings{ bentakouk.ea:formal:2009, author = {Lina Bentakouk and Pascal Poizat and Fatiha Za\"{\i}di}, title = {A Formal Framework for Service Orchestration Testing Based
on Symbolic Transition Systems}, year = 2009, pages = {16--32},
doi = {10.1007/978-3-642-05031-2_2},
crossref = {nunez.ea:testing:2009}, abstract = {The pre-eminent role played by software composition, and
more particularly service composition, in modern software
development, together with the complexity of workflow
languages such as WS-BPEL have made composite service
testing a topical issue. In this article we contribute to
this issue with an automatic testing approach for WS-BPEL
orchestrations. Compared to related work, we support
WS-BPEL data computations and exchanges, while overcoming
the consequential state explosion problem. This is achieved
through the use of symbolic transition system models and
their symbolic execution. Throughout the article, we
illustrate our approach on a realistic medium-size example.
}
}
@Proceedings{ nunez.ea:testing:2009, editor = {Manuel N{\'u}{\~n}ez and Paul Baker and Mercedes G. Merayo}, title = {Testing of Software and Communication Systems, 21st IFIP
WG 6.1 International Conference, TESTCOM 2009 and 9th
International Workshop, FATES 2009, Eindhoven, The
Netherlands, November 2-4, 2009. Proceedings}, booktitle = {TestCom/FATES}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5826, year = 2009,
isbn = {978-3-642-05030-5},
doi = {10.1007/978-3-642-05031-2}
}
@InProceedings{ anand.ea:demand-driven:2008, author = {Saswat Anand and Patrice Godefroid and Nikolai Tillmann}, title = {Demand-Driven Compositional Symbolic Execution}, booktitle = {TACAS}, year = 2008, pages = {367--381},
doi = {10.1007/978-3-540-78800-3_28},
crossref = {ramakrishnan.ea:tools:2008}, abstract = {We discuss how to perform symbolic execution of large
programs in a manner that is both compositional (hence more
scalable) and demand-driven. Compositional symbolic
execution means finding feasible interprocedural program
paths by composing symbolic executions of feasible
intraprocedural paths. By demand-driven, we mean that as
few intraprocedural paths as possible are symbolically
executed in order to form an interprocedural path leading
to a specific target branch or statement of interest (like
an assertion). A key originality of this work is that our
demand-driven compositional interprocedural symbolic
execution is performed entirely using first-order logic
formulas solved with an off-the-shelf SMT
(Satisfiability-Modulo-Theories) solver {\^a} no procedure
in-lining or custom algorithm is required for the
interprocedural part. This allows a uniform and elegant way
of summarizing procedures at various levels of detail and
of composing those using logic formulas. We have
implemented a prototype of this novel symbolic execution
technique as an extension of Pex, a general automatic
testing framework for .NET applications. Preliminary
experimental results are encouraging. For instance, our
prototype was able to generate tests triggering assertion
violations in programs with large numbers of program paths
that were beyond the scope of non-compositional test
generation. }
}
@Proceedings{ ramakrishnan.ea:tools:2008, editor = {C. R. Ramakrishnan and Jakob Rehof}, title = {Tools and Algorithms for the Construction and Analysis of
Systems, 14th International Conference, TACAS 2008, Held as
Part of the Joint European Conferences on Theory and
Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings}, booktitle = {TACAS}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 4963, year = 2008,
isbn = {978-3-540-78799-0}
}
@InProceedings{ boyapati.ea:korat:2002, author = {Chandrasekhar Boyapati and Sarfraz Khurshid and Darko
Marinov}, title = {{Korat}: automated testing based on {Java} predicates}, booktitle = {ISSTA}, year = 2002, pages = {123--133},
doi = {10.1145/566172.566191}, abstract = {This paper presents Korat, a novel framework for automated
testing of Java programs. Given a formal specification for
a method, Korat uses the method precondition to
automatically generate all (nonisomorphic) test cases up to
a given small size. Korat then executes the method on each
test case, and uses the method postcondition as a test
oracle to check the correctness of each output.To generate
test cases for a method, Korat constructs a Java predicate
(i.e., a method that returns a boolean) from the method's
pre-condition. The heart of Korat is a technique for
automatic test case generation: given a predicate and a
bound on the size of its inputs, Korat generates all
(nonisomorphic) inputs for which the predicate returns
true. Korat exhaustively explores the bounded input space
of the predicate but does so efficiently by monitoring the
predicate's executions and pruning large portions of the
search space.This paper illustrates the use of Korat for
testing several data structures, including some from the
Java Collections Framework. The experimental results show
that it is feasible to generate test cases from Java
predicates, even when the search space for inputs is very
large. This paper also compares Korat with a testing
framework based on declarative specifications. Contrary to
our initial expectation, the experiments show that Korat
generates test cases much faster than the declarative
framework.}
}
@Article{ visser.ea:model:2003, author = {Willem Visser and Klaus Havelund and Guillaume P. Brat and
Seungjoon Park and Flavio Lerda}, title = {Model Checking Programs}, journal = {Autom. Softw. Eng.}, volume = 10, number = 2, year = 2003, pages = {203--232},
doi = {10.1023/A:1022920129859}, abstract = {The majority of work carried out in the formal methods
community throughout the last three decades has (for good
reasons) been devoted to special languages designed to make
it easier to experiment with mechanized formal methods such
as theorem provers, proof checkers and model checkers. In
this paper we will attempt to give convincing arguments for
why we believe it is time for the formal methods community
to shift some of its attention towards the analysis of
programs written in modern programming languages. In
keeping with this philosophy we have developed a
verification and testing environment for Java, called Java
PathFinder (JPF), which integrates model checking, program
analysis and testing. Part of this work has consisted of
building a new Java Virtual Machine that interprets Java
bytecode. JPF uses state compression to handle big states,
and partial order and symmetry reduction, slicing,
abstraction, and runtime analysis techniques to reduce the
state space. JPF has been applied to a real-time avionics
operating system developed at Honeywell, illustrating an
intricate error, and to a model of a spacecraft controller,
illustrating the combination of abstraction, runtime
analysis, and slicing with model checking.}
}
@InProceedings{ bjorner.ea:path:2009, author = {Nikolaj Bj{\o}rner and Nikolai Tillmann and Andrei
Voronkov}, title = {Path Feasibility Analysis for String-Manipulating
Programs}, booktitle = {TACAS}, year = 2009, pages = {307--321},
doi = {10.1007/978-3-642-00768-2_27},
crossref = {kowalewski.ea:tools:2009}, abstract = {We discuss the problem of path feasibility for programs
manipulating strings using a collection of standard string
library functions. We prove results on the complexity of
this problem, including its undecidability in the general
case and decidability of some special cases. In the context
of test-case generation, we are interested in an efficient
finite model finding method for string constraints. To this
end we develop a two-tier finite model finding procedure.
First, an integer abstraction of string constraints are
passed to an SMT (Satisfiability Modulo Theories) solver.
The abstraction is either unsatisfiable, or the solver
produces a model that fixes lengths of enough strings to
reduce the entire problem to be finite domain. The
resulting fixed-length string constraints are then solved
in a second phase. We implemented the procedure in a
symbolic execution framework, report on the encouraging
results and discuss directions for improving the method
further.}
}
@Proceedings{ kowalewski.ea:tools:2009, editor = {Stefan Kowalewski and Anna Philippou}, title = {Tools and Algorithms for the Construction and Analysis of
Systems, 15th International Conference, TACAS 2009, Held as
Part of the Joint European Conferences on Theory and
Practice of Software, ETAPS 2009, York, UK, March 22-29, 2009. Proceedings}, booktitle = {TACAS}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 5505, year = 2009,
isbn = {978-3-642-00767-5},
doi = {10.1007/978-3-642-00768-2}
}
@InProceedings{ huima:implementing:2007, author = {Antti Huima}, title = {Implementing Conformiq Qtronic}, booktitle = {TestCom/FATES}, year = 2007, pages = {1--12},
doi = {10.1007/978-3-540-73066-8_1},
crossref = {petrenko.ea:testing:2007}, abstract = {Conformiq Qtronic is a commercial tool for model driven
testing. It derives tests automatically from behavioral
system models. These are black-box tests [1] by nature,
which means that they depend on the model and the
interfaces of the system under test, but not on the
internal structure (e.g. source code) of the
implementation. In this essay, which accompanies my invited
talk, I survey the nature of Conformiq Qtronic, the main
implementation challenges that we have encountered and how
we have approached them.}
}
@Proceedings{ petrenko.ea:testing:2007, editor = {Alexandre Petrenko and Margus Veanes and Jan Tretmans and
Wolfgang Grieskamp}, title = {Testing of Software and Communicating Systems, 19th IFIP
TC6/WG6.1 International Conference, TestCom 2007, 7th
International Workshop, FATES 2007, Tallinn, Estonia, June 26-29, 2007, Proceedings}, booktitle = {TestCom/FATES}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 4581, year = 2007,
isbn = {978-3-540-73065-1}
}
@InProceedings{ tretmans.ea:torx:2003,
howpublished = {http://eprints.eemcs.utwente.nl/9475/}, month = {December}, author = {G. J. Tretmans and H. Brinksma}, booktitle = {First European Conference on Model-Driven Software
Engineering, Nuremberg, Germany}, editor = {A. Hartman and K. Dussa-Ziegler}, abstract = {Systematic testing is very important for assessing and
improving the quality of software systems. Yet, testing
turns out to be expensive, laborious, time-consuming and
error-prone. The Dutch research and development project
C\^ote de Resyste worked on methods, techniques and tools
for automating specification based testing using formal
methods. The main achievement of the project is a test
tool, baptized TorX, which integrates automatic test
generation, test execution, and test analysis in an
on-the-fly manner. On the one hand, TorX is based on
well-defined theory, viz. the ioco-test theory, which has
its roots in the theory of testing- and
refusal-equivalences for transition systems. On the other
hand, the applicability of TorX has been demonstrated by
testing several academic and industrial case studies. This
paper summarizes the main results of the project C\^ote de
Resyste.}, title = {TorX: Automated Model-Based Testing}, year = 2003, pages = {31--43},
location = {Nuremberg, Germany},
trnumber = 9475,
event_dates = {December 11-12, 2003},
num_pages = 13
}
@InProceedings{ jaffuel.ea:leirios:2007, author = {Eddie Jaffuel and Bruno Legeard}, title = {LEIRIOS Test Generator: Automated Test Generation from B
Models}, booktitle = {B}, year = 2007, pages = {277--280},
doi = {10.1007/11955757_29},
crossref = {julliand.ea:b:2006}, abstract = {Since 2003, automated test generation from B abstract
machines has been trying out in the smart card industry,
using LEIRIOS Test Generator (LTG) for SmartCard tool. Now
the major card manufacturers, such as Gemalto and Giesecke
& Devrient, are regularly deploying model-based testing in
their validation processes. The purpose is black-box
functional testing: from the specifications (a standard or
specific requirements), a B formal model is developed which
is the basis for test generation. Generated test cases are
then translated into executable test scripts and then run
on the application.}
}
@Proceedings{ julliand.ea:b:2006, editor = {Jacques Julliand and Olga Kouchnarenko}, title = {B 2007: Formal Specification and Development in B, 7th
International Conference of B Users, Besan\c{c}on, France,
January 17-19, 2007, Proceedings}, booktitle = {B}, publisher = pub-springer, address = pub-springer:adr,
series = s-lncs, volume = 4355, year = 2006,
isbn = {3-540-68760-2}
}
@InProceedings{ hu.ea:enabling:2008, author = {Hongxin Hu and Gail-Joon Ahn}, title = {Enabling verification and conformance testing for access
control model}, booktitle = {ACM symposium on Access control models and technologies
(SACMAT)}, year = 2008,
isbn = {978-1-60558-129-3},
pages = {195--204},
location = {Estes Park, CO, USA},
doi = {10.1145/1377836.1377867},
address = pub-acm:adr,
publisher = pub-acm,
abstract = {Verification and testing are the important step for
software assurance. However, such crucial and yet
challenging tasks have not been widely adopted in building
access control systems. In this paper we propose a
methodology to support automatic analysis and conformance
testing for access control systems, integrating those
features to Assurance Management Framework (AMF). Our
methodology attempts to verify formal specifications of a
role-based access control model and corresponding policies
with selected security properties. Also, we systematically
articulate testing cases from formal specifications and
validate conformance to the system design and
implementation using those cases. In addition, we
demonstrate feasibility and effectiveness of our
methodology using SAT and Alloy toolset.}
}
@Article{ grindal.ea:combination:2005,
author = {Mats Grindal and Jeff Offutt and Sten F. Andler},
title = {Combination testing strategies: a survey},
journal = {Softw. Test., Verif. Reliab.},
volume = 15,
number = 3,
year = 2005,
pages = {167--199},
doi = {10.1002/stvr.319},
abstract = {Combination strategies are test case selection methods
that identify test cases by combining values of the
different test object input parameters based on some
combinatorial strategy. This survey presents 16 different
combination strategies, covering more than 40 papers that
focus on one or several combination strategies. This
collection represents most of the existing work performed
on combination strategies. This survey describes the basic
algorithms used by the combination strategies. Some
properties of combination strategies, including coverage
criteria and theoretical bounds on the size of test suites,
are also included in this description. This survey paper
also includes a subsumption hierarchy that attempts to
relate the various coverage criteria associated with the
identified combination strategies.}
}
@InProceedings{ goga:comparing:2001,
author = {Nicolae Goga},
title = {Comparing TorX, Autolink, TGV and UIO Test Algorithms},
booktitle = {SDL Forum},
year = 2001,
pages = {379--402},
doi = {10.1007/3-540-48213-X},
crossref = {reed.ea:sdl:2001},
abstract = {This paper presents a comparison of four algorithms for
test derivation: TorX, TGV, Autolink and UIO algorithms.
The algorithms are classified according to the detection
power of their conformance rela- tions. Because Autolink
does not have an explicit conformance relation, a
conformance relation is reconstructed for it. The
experimental results obtained by applying TorX, Autolink,
UIO and TGV to the Conference Protocol case study are
consistent with the theoretical results of this paper.}
}
@Proceedings{ reed.ea:sdl:2001,
editor = {Rick Reed and Jeanne Reed},
title = {SDL 2001: Meeting UML, 10th International SDL Forum
Copenhagen, Denmark, June 27-29, 2001, Proceedings},
booktitle = {SDL Forum},
publisher = pub-springer,
address = pub-springer:adr,
series = s-lncs,
volume = 2078,
year = 2001,
isbn = {3-540-42281-1}
}
@InProceedings{ belinfante.ea:tools:2004,
author = {Axel Belinfante and Lars Frantzen and Christian
Schallhart},
title = {Tools for Test Case Generation},
booktitle = {Model-Based Testing of Reactive Systems},
year = 2004,
pages = {391--438},
doi = {10.1007/11498490_18},
crossref = {broy.ea:model-based:2005}
}
@Proceedings{ broy.ea:model-based:2005,
editor = {Manfred Broy and Bengt Jonsson and Joost-Pieter Katoen and
Martin Leucker and Alexander Pretschner},
title = {Model-Based Testing of Reactive Systems, Advanced Lectures
[The volume is the outcome of a research seminar that was
held in Schloss Dagstuhl in January 2004]},
booktitle = {Model-Based Testing of Reactive Systems},
volume = 3472,
year = 2005,
isbn = {3-540-26278-4},
publisher = pub-springer,
address = pub-springer:adr,
series = s-lncs
}
@InProceedings{ gardner.ea:securing:2009,
author = {Ryan W. Gardner and Sujata Garera and Matthew W. Pagano
and Matthew Green and Aviel D. Rubin},
title = {Securing medical records on smart phones},
booktitle = {ACM workshop on Security and privacy in medical and
home-care systems (SPIMACS)},
year = 2009,
isbn = {978-1-60558-790-5},
pages = {31--40},
location = {Chicago, Illinois, USA},
doi = {10.1145/1655084.1655090},
address = pub-acm:adr,
publisher = pub-acm,
abstract = {There is an inherent conflict between the desire to
maintain privacy of one's medical records and the need to make those records available during an emergency. To
satisfy both objectives, we introduce a flexible
architecture for the secure storage of medical records on
smart phones. In our system, a person can view her records
at any time, and emergency medical personnel can view the
records as long as the person is present (even if she is
unconscious). Our solution allows for efficient revocation
of access rights and is robust against adversaries who can
access the phone's storage offline.}
}
@Article{ govaerts.ea:formal:2008,
author = {John Govaerts and Arosha K. Bandara and Kevin Curran},
title = {A formal logic approach to firewall packet filtering
analysis and generation},
journal = {Artif. Intell. Rev.},
volume = 29,
number = {3-4},
year = 2008,
pages = {223--248},
doi = {10.1007/s10462-009-9147-0},
publisher = pub-springer,
address = pub-springer:adr,
abstract = {Recent years have seen a significant increase in the usage
of computers and their capabilities to communicate with
each other. With this has come the need for more security
and firewalls have proved themselves an important piece of
the overall architecture, as the body of rules they
implement actually realises the security policy of their
owners. Unfor- tunately, there is little help for their
administrators to understand the actual meaning of the
firewall rules. This work shows that formal logic is an
important tool in this respect, because it is particularly
apt at modelling real-world situations and its formalism is
conductive to reason about such a model. As a consequence,
logic may be used to prove the properties of the models it
represents and is a sensible way to go in order to create
those models on com- puters to automate such activities. We
describe here a prototype which includes a description of a
network and the body of firewall rules applied to its
components. We were able to detect a number of anomalies
within the rule-set: inexistent elements (e.g. hosts or
services on destination components), redundancies in rules
defining the same action for a network and hosts belonging
to it, irrelevance as rules would involve traffic that
would not pass through a filtering device, and
contradiction in actions applied to elements or to a
network and its hosts. The prototype produces actual
firewall rules as well, generated from the model and
expressed in the syntax of IPChains and Cisco's PIX. }
}
@InProceedings{ jalili.ea:specification:2002,
author = {Rasool Jalili and Mohsen Rezvani},
title = {Specification and Verification of Security Policies in
Firewalls},
booktitle = {EurAsia-ICT},
year = 2002,
pages = {154--163},
doi = {10.1007/3-540-36087-5_18},
crossref = {shafazand.ea:eurasia-ict:2002},
abstract = {Rules are used as a way of managing and configuring
firewalls to fulfill security requirements in most cases.
Managers have to specify their organizational security
policies using low level and order-dependent rules.
Furthermore, dependency of firewalls to the network
topology, frequent changes in network topology (specially
in dynamic networks), and lack of a method for analysis and
verification of specified security policy may reduce to
inconsistencies and security holes. Existence of a higher
level environment for security policy specification can
rectify part of the problems. In this paper we present a
language for high level and formal specification of
security policy in firewalls. Using the language, a
security manager can configure its firewall based on his
required security policy independent of the network
topology. The language is used as a framework for analysis
and verification of security policies. We designed and
implemented a tool based on theorem proving for detecting
inconsistencies, coverage, as well as applying a query on
the specified policy. Results of analysis can be used to
detect security vulnerabilities.}
}
@Proceedings{ shafazand.ea:eurasia-ict:2002,
editor = {Hassan Shafazand and A. Min Tjoa},
title = {EurAsia-ICT 2002: Information and Communication
Technology, First EurAsian Conference, Shiraz, Iran,
October 29-31, 2002, Proceedings},
booktitle = {EurAsia-ICT},
publisher = pub-springer,
address = pub-springer:adr,
series = s-lncs,
volume = 2510,
year = 2002,
isbn = {3-540-00028-3}
}
@Article{ sutter:free:2005,
author = {Herb Sutter},
journal = {Dr. Dobb{\^a}s Journal},
number = 3,
pages = {202--210},
title = {The Free Lunch Is Over: A Fundamental Turn Toward
Concurrency in Software},
url = {http://www.gotw.ca/publications/concurrency-ddj.htm},
volume = 30,
year = 2005
}
@InProceedings{ lachner.ea:information:2008,
author = {Janine Lachner and Hermann Hellwagner},
title = {Information and Communication Systems for Mobile Emergency
Response},
year = 2008,
pages = {213--224},
doi = {10.1007/978-3-540-78942-0_22},
crossref = {kaschek.ea:information:2008},
abstract = {This discussion paper attempts to propose emergency
response and disaster management as worthwhile areas of
applied research for the information system community. The
typical requirements, entities and activities involved in
specifically mobile emergency response operations are
summarized. Recent research contributions in this area are
exemplarily reviewed in order to give a deeper insight into
the role and use of mobile information and communication
systems. Finally, the major challenges and research needs
regarding information systems are summarized, with a view
to draw the attention of information systems researchers to
this interesting and important field.}
}
@Proceedings{ kaschek.ea:information:2008,
editor = {Roland Kaschek and Christian Kop and Claudia Steinberger
and G{\"u}nther Fliedl},
title = {Information Systems and e-Business Technologies, 2nd
International United Information Systems Conference,
UNISCON 2008, Klagenfurt, Austria, April 22-25, 2008,
Proceedings},
booktitle = {Information Systems and e-Business Technologies (UNISCON)},
series = s-lnbip,
volume = 5,
year = 2008,
publisher = pub-springer,
address = pub-springer:adr,
isbn = {978-3-540-78941-3},
}
@InProceedings{ johnson:complexity:2008,
author = {Chris W. Johnson},
title = {Complexity, Structured Chaos and the Importance of
Information Management for Mobile Computing in the {UK}
Floods of 2007},
booktitle = {Mobile Response},
year = 2008,
pages = {1--11},
doi = {10.1007/978-3-642-00440-7_1},
crossref = {loffler.ea:mobile:2009},
abstract = {Many research teams have developed mobile computing
architectures to support the emergency and rescue services
in a range of civil contingencies. These proposals are
based on innovative technologies and show considerable
creativity in the design of their user interfaces. In
contrast, this paper presents lessons learned from the 2007
UK floods. Mobile telecommunications failed in many
different ways and from many different causes, including
physical damage to handsets, as well as the loss of base
stations and UPSs. The insights gained from the floods are
being used to inform the design of next generation mobile
digital communications systems for UK responders. However,
the technical problems are arguably less important than the
insights that were obtained about {\^a}systemic{\^a}
failures in the interfaces between local government,
emergency services and the variety of agencies that must
cooperate in major civil contingencies. Problems in
information management led to inconsistencies and
incompatibilities. In consequence, the output from one
application could not easily be used as input to systems
operated by other agencies. These issues must be addressed
before we are overwhelmed by the increased bandwidth
afforded by new mobile devices and novel sensing
technologies. It is concluded that unless we understand the
chaos, complexity and the contextual issues that
characterise previous emergency situations then there is
little prospect that we will be able to design effective
mobile technologies for future incidents.}
}
@Proceedings{ loffler.ea:mobile:2009,
editor = {Jobst L{\"o}ffler and Markus Klann},
location = {Mobile Response, Second International Workshop on Mobile
Information Technology for Emergency Response,
MobileResponse 2008. Bonn, Germany, May 29-30, 2008,
Revised Selected Papers},
title = {Mobile Information Technology for Emergency Response,
(MobileResponse)},
booktitle = {Mobile Information Technology for Emergency Response,
(MobileResponse)},
publisher = pub-springer,
address = pub-springer:adr,
series = s-lncs,
volume = 5424,
year = 2009,
isbn = {978-3-642-00439-1},
doi = {10.1007/978-3-642-00440-7}
}
@book{Hoare:1985:CSP:3921,
author = {Hoare, C. A. R.},
title = {Communicating Sequential Processes},
year = {1985},
isbn = {0-13-153271-5},
publisher = {Prentice-Hall, Inc.},
address = {Upper Saddle River, NJ, USA},
}
@InProceedings{brookes-roscoe85,
author="Brookes, S. D. and Roscoe, A. W.",
editor="Brookes, Stephen D. and Roscoe, Andrew William and Winskel, Glynn",
title="An improved failures model for communicating processes",
booktitle="Seminar on Concurrency",
year="1985",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="281--305",
abstract="We extend the failures model of communicating processes to allow a more satisfactory treatment of divergence in addition to deadlock. The relationship between the revised model and the old model is discussed, and we make some connections with various models proposed by other authors.",
isbn="978-3-540-39593-5"
}
@techreport{KriegBrueckner95,
author = {Krieg-Br\"uckner, B. and Peleska, J. and Olderog, E.-R. and Balzer, D. and Baer, A.},
title = "Uniform Workbench --- Universelle Entwicklungsumgebung f{\"u}r formale Methoden",
institution = "Technischer Bericht 8/95",
year=1995,
address="Univ. Bremen",
note="\url{http://www.informatik.uni-bremen.de/~uniform}"
}
@InProceedings{Camilleri91,
author="Camilleri, Albert J.",
editor="Birtwistle, Graham",
title="A Higher Order Logic Mechanization of the CSP Failure-Divergence Semantics",
booktitle="IV Higher Order Workshop, Banff 1990",
year="1991",
publisher="Springer London",
address="London",
pages="123--150",
abstract="Reasoning using process algebras often involves doing complex proofs, and computer-based support to facilitate the task is therefore desirable. In this paper we show how a general-purpose theorem prover based on higher order logic provides a natural framework for mechanizing the process algebra CSP. This is done by defining the semantics of the CSP operators in the logic and proving the high-level algebraic laws from the definitions as theorems. We mechanize a variation on the failure-divergence semantics that does not use alphabets at the syntactic level, but embeds them in the semantics. Our approach abstracts further from the explicit use of alphabets by modelling them as type variables. The result is a mechanized theory for a polymorphic formalization of CSP.",
isbn="978-1-4471-3182-3"
}
@InProceedings{FDRTutorial2000,
author="Broadfoot, Philippa
and Roscoe, Bill",
editor="Havelund, Klaus
and Penix, John
and Visser, Willem",
title="Tutorial on FDR and Its Applications",
booktitle="SPIN Model Checking and Software Verification",
year="2000",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="322--322",
abstract="FDR [1] is a refinement checker for the process algebra CSP [2,4], based on that language's well-established semantic models. FDR stands for Failures-Divergences Refinement, after the premier model. In common with many other model checkers, it works by ``determinising'' (or normalising) a specification and enumerating states in the cartesian product of this and the implementation. Unlike most, the specification and implementation are written in the same language. Under development by its creators, Formal Systems (a spin-off of the Computing Laboratory) since 1991, it now offers a range of state compression methods. On current workstations it can work at up to 20M states/hour with only a small degradation on moving to disc-based storage.",
isbn="978-3-540-45297-3"
}
@article{IsobeRoggenbach2010,
title={CSP-Prover: a Proof Tool for the Verification of Scalable Concurrent Systems},
author={Yoshinao Isobe and Markus Roggenbach},
journal={Information and Media Technologies},
volume={5},
number={1},
pages={32-39},
year={2010},
doi={10.11185/imt.5.32}
}
@article{Noninterference_CSP-AFP,
author = {Pasquale Noce},
title = {Noninterference Security in Communicating Sequential Processes},
journal = {Archive of Formal Proofs},
month = may,
year = 2014,
note = {\url{http://isa-afp.org/entries/Noninterference_CSP.html},
Formal proof development},
ISSN = {2150-914x},
}
@article{Noninterference_Sequential_Composition-AFP,
author = {Pasquale Noce},
title = {Conservation of CSP Noninterference Security under Sequential Composition},
journal = {Archive of Formal Proofs},
month = apr,
year = 2016,
note = {\url{http://isa-afp.org/entries/Noninterference_Sequential_Composition.html},
Formal proof development},
ISSN = {2150-914x},
}
@article{Noninterference_Concurrent_Composition-AFP,
author = {Pasquale Noce},
title = {Conservation of CSP Noninterference Security under Concurrent Composition},
journal = {Archive of Formal Proofs},
month = jun,
year = 2016,
note = {\url{http://isa-afp.org/entries/Noninterference_Concurrent_Composition.html},
Formal proof development},
ISSN = {2150-914x},
}
@article{Feliachi-Wolff-Gaudel-AFP12,
author = {Abderrahmane Feliachi and Burkhart Wolff and Marie-Claude Gaudel},
title = {Isabelle/Circus},
journal = {Archive of Formal Proofs},
month = jun,
year = 2012,
note = {\url{http://afp.sourceforge.net/entries/Circus.shtml},
Formal proof development},
area = {logical_representations},
abstract = {The Circus specification language combines elements for
complex data and behavior specifications, using an integration of Z and CSP
with a refinement calculus. Its semantics is based on Hoare and He's
Unifying Theories of Programming (UTP). Isabelle/Circus is a formalization of
the UTP and the Circus language in Isabelle/HOL. It contains proof rules and
tactic support that allows for proofs of refinement for Circus processes
(involving both data and behavioral aspects).
The Isabelle/Circus environment supports a syntax for the semantic
definitions which is close to textbook presentations of Circus. This
article contains an extended version of corresponding VSTTE Paper together
with the complete formal development of its underlying commented theories.},
issn = {2150-914x}
}
@inproceedings{feliachigw12,
author = {Abderrahmane Feliachi and
Marie-Claude Gaudel and
Burkhart Wolff},
title = {Isabelle/{C}ircus: A Process Specification and Verification Environment},
booktitle = {VSTTE},
year = {2012},
pages = {243-260},
series = {Lecture Notes in Computer Science},
volume = {LNCS 7152},
isbn = {978-3-642-27704-7},
ee = {http://dx.doi.org/10.1007/978-3-642-27705-4_20},
doi = {10.1007/978-3-642-27705-4_20},
abstract = {The Circus specification language combines elements for complex data and behavior specifications,
using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and
He's unifying theories of programming (UTP). We develop a machine-checked, formal semantics based
on a "shallow embedding" of Circus in Isabelle/UTP (our semantic theory of UTP based on Isabelle/HOL).
We derive proof rules from this semantics and imple- ment tactic support that finally allows for
proofs of refinement for Circus processes (involving both data and behavioral aspects).
This proof environment supports a syntax for the semantic definitions which is close to textbook
presentations of Circus. },
pdf = {http://www.lri.fr/~wolff/papers/conf/VSTTE-IsabelleCircus11.pdf},
classification = {conference},
area = {logical_representations},
bibsource = {DBLP, http://dblp.uni-trier.de}
}
@article{feliachi-wolff:SymbTestgenCirta:2013,
author = {Abderrahmane Feliachi and Marie-Claude Gaudel and Burkhart Wolff},
title = {Symbolic Test-generation in {HOL}-{T}est{G}en/{C}irTA: A Case Study},
journal = {Int. J. Software Informatics},
volume = {9},
number = {2},
year = {2015},
pages = {177--203},
abstract = {HOL-TestGen/CirTA is a theorem-prover based test generation
environment for specifications written in Circus, a
process-algebraic specification language in the tradition
of CSP. HOL-TestGen/CirTA is based on a formal embedding of
its semantics in Isabelle/HOL, allowing to derive rules over
specification constructs in a logically safe way.
Beyond the derivation of algebraic laws and calculi for
process refinement, the originality of HOL-TestGen/ CirTA
consists in an entire derived theory for the generation of
symbolic test-traces, including optimized rules for test-generation
as well as rules for symbolic execution. The deduction process
is automated by Isabelle tactics, allowing to protract the
state-space explosion resulting from blind enumeration of data.
The implementation of test-generation procedures in CirTA is
completed by an integrated tool chain that transforms the
initial Circus specification of a system into a set of
equivalence classes (or ⤽symbolic tests⤝), which were compiled
to conventional JUnit test-drivers.
This paper describes the novel tool-chain based on prior
theoretical work on semantics and test-theory and attempts
an evaluation via a medium-sized case study performed on a
component of a real-world safety-critical medical monitoring
system written in Java. We provide experimental measurements
of the kill-capacity of implementation mutants.},
public = yes,
url = {https://www.lri.fr/~wolff/papers/journals/2015-cirta-case-study.pdf}
}
Messung V0.5 in Prozent
¤ Diese beiden folgenden Angebotsgruppen bietet das Unternehmen0.528Angebot
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
