Gerardo Schneider's Publications: Workshops and Conferences (peer-reviewed)

[1] Piergiuseppe Mallozzi, Raúl Pardo, Vincent Duplessis, Patrizio Pelliccione, and Gerardo Schneider. MoVEMo: A Structured Approach for Engineering Reward Functions. In Second IEEE International Conference on Robotic Computing (IRC'18), pages 250-257. IEEE Computer Society, 2018. [ bib | DOI | http | .pdf ]
Reinforcement learning (RL) is a machine learning technique that has been increasingly used in robotic systems. In reinforcement learning, instead of manually pre-program what action to take at each step, we convey the goal a software agent in terms of reward functions. The agent tries different actions in order to maximize a numerical value, i.e. the reward. A misspecified reward function can cause problems such as reward hacking, where the agent finds out ways that maximize the reward without achieving the intended goal. As RL agents become more general and autonomous, the design of reward functions that elicit the desired behaviour in the agent becomes more important and cumbersome. In this paper, we present a technique to formally express reward functions in a structured way; this stimulates a proper reward function design and as well enables the formal verification of it. We start by defining the reward function using state machines. In this way, we can statically check that the reward function satisfies certain properties, e.g., high-level requirements of the function to learn. Later we automatically generate a runtime monitor-which runs in parallel with the learning agent-that provides the rewards according to the definition of the state machine and based on the behaviour of the agent. We use the UPPAAL model checker to design the reward model and verify the TCTL properties that model high-level requirements of the reward function and LARVA to monitor and enforce the reward model to the RL agent at runtime.

[2] Raúl Pardo, César Sánchez, and Gerardo Schneider. Timed Epistemic Knowledge Bases for Social Networks. In Formal Methods (FM'18), volume 10951 of LNCS, pages 185-202. Springer, 2018. [ bib | DOI | http | .pdf ]
We present an epistemic logic equipped with time-stamps in atoms and epistemic operators, which enables reasoning about the moments at which events happen and knowledge is acquired or deduced. Our logic includes both an epistemic operator K and a belief operator B, to capture the disclosure of inaccurate information. Our main motivation is to describe rich privacy policies in online social networks (OSNs). Most of today's privacy policy mechanisms in existing OSNs allow only static policies. In our logic it is possible to express rich dynamic policies in terms of the knowledge available to the different users and the precise time of actions and deductions. Our framework can be instantiated for different OSNs by specifying the effect of the actions in the evolution of the social network and in the knowledge disclosed to each user. We present an algorithm for deducing knowledge and propagating beliefs, which can also be instantiated with different variants of how the epistemic information is preserved through time. Policies are modelled as formulae in the logic, which are interpreted over timed traces. Finally, we show that the model checking problem for this logic, and in consequence policy conformance, is decidable.

[3] Mauricio Chimento, Wolfgang Ahrendt, and Gerardo Schneider. Testing Meets Static and Runtime Verification. In 6th Conference on Formal Methods in Software Engineering (FormaliSE@ICSE'18), pages 30-39. ACM, 2018. [ bib | DOI | http | .pdf ]
Test driven development (TDD) is a technique where test cases are used to guide the development of a system. This technique introduces several advantages at the time of developing a system, e.g. writing clean code, good coverage for the features of the system, and evolutionary development. In this paper we show how the capabilities of a testing focused development methodology based on TDD and model-based testing, can be enhanced by integrating static and runtime verification into its workflow. Considering that the desired system properties capture data- as well as control-oriented aspects, we integrate TDD with (static) deductive verification as an aid in the development of the data-oriented aspects, and we integrate model-based testing with runtime verification as an aid in the development of the control-oriented aspects. As a result of this integration, the proposed development methodology features the benefits of TDD and model-based testing, enhanced with, for instance, early detection of bugs which may be missed by TDD, regarding data aspects, and the validation of the overall system with respect to the model, regarding the control aspects.

[4] Srinivas Pinisetty, David Sands, and Gerardo Schneider. Runtime Verification of Hyperproperties for Deterministic Programs. In 6th Conference on Formal Methods in Software Engineering (FormaliSE@ICSE'18), pages 20-29. ACM, 2018. [ bib | DOI | http | .pdf ]
In this paper, we consider the runtime verification problem of safety hyperproperties for deterministic programs. Several security and information-flow policies such as data minimality, non-interference, integrity, and software doping are naturally expressed formally as safety hyperproperties. Although there are monitoring results for hyperproperties, the algorithms are very complex since these are properties over set of traces, and not over single traces. For the deterministic input-output programs that we consider, and the specific safety hyperproperties we are interested in, the problem can be reduced to monitoring of trace properties. In this paper, we present a simpler monitoring approach for safety hyperproperties of deterministic programs. The approach involves transforming the given safety hyperproperty into a trace property, extracting a characteristic predicate for the given hyperproperty, and providing a parametric monitor taking such predicate as parameter. For any hyperproperty in the considered subclass, we show how runtime verification monitors can be synthesised. We have implemented our approach in the form of a parameterised monitor for the given class, and have applied it to a number of hyperproperties including data minimisation, non-interference, integrity and software doping. We show results concerning both offline and online monitoring.

[5] Thibaud Antignac, Riccardo Scandariato, and Gerardo Schneider. Privacy Compliance via Model Transformations. In International Workshop on Privacy Engineering (IWPE'18) at IEEE EuroS&P Workshops, pages 120-126. IEEE, 2018. [ bib | DOI | http | .pdf ]
Due to the upcoming, more restrictive regulations (like the European GDPR), designing privacy preserving architectures for information systems is becoming a pressing concern for practitioners. In particular, verifying that a design is compliant with the regulations might be a challenging task for engineers. This work presents an approach based on model transformations, which guarantee that an architectural design encompasses regulation-oriented principles such as purpose limitation, or accountability of the data controller. Our work improves the state of the art along two main dimensions. The approach we propose (i) embeds privacy principles coming from regulations, thus helping to bridge the gap between the technical and the legal worlds, (ii) systematize the embedding of the privacy principles coming from regulations, thus enabling a constructive approach to privacy by design.

[6] John J. Camilleri, Mohammad Reza Haghshenas, and Gerardo Schneider. A Web-Based Tool for Analysing Normative Documents in English. In The 33rd ACM/SIGAPP Symposium On Applied Computing -Software Verification and Testing track (SAC-SVT'18), pages 1865-1872. ACM, 2018. [ bib | DOI | http | .pdf ]
Our goal is to use formal methods to analyse normative documents written in English, such as privacy policies and regulations. This requires the combination of a number of different elements, including information extraction from natural language, formal languages for model representation, and an interface for property specification and verification. A number of components for performing these tasks have separately been developed: a natural language extraction tool, a suitable formalism for representing such documents, an interface for building models in this formalism, and methods for answering queries asked of a given model. In this work, each of these concerns is brought together in a web-based tool, providing a single interface for analysing normative texts in English. Through the use of a running example, we describe each component and demonstrate the workflow established by our tool.

[7] Raúl Pardo and Gerardo Schneider. Model Checking Social Network Models. In Eighth International Symposium on Games, Automata, Logics and Formal Verification (GandALF'17), volume 256 of EPTCS, pages 238-252, September 2017. [ bib | DOI | http | .pdf ]
A social network service is a platform to build social relations among people sharing similar interests and activities. The underlying structure of a social networks service is the social graph, where nodes represent users and the arcs represent the users' social links and other kind of connections. One important concern in social networks is privacy: what others are (not) allowed to know about us. The “logic of knowledge” (epistemic logic) is thus a good formalism to define, and reason about, privacy policies. In this paper we consider the problem of verifying knowledge properties over social network models (SNMs), that is social graphs enriched with knowledge bases containing the information that the users know. More concretely, our contributions are: i) We prove that the model checking problem for epistemic properties over SNMs is decidable; ii) We prove that a number of properties of knowledge that are sound w.r.t. Kripke models are also sound w.r.t. SNMs; iii) We give a satisfaction-preserving encoding of SNMs into canonical Kripke models, and we also characterise which Kripke models may be translated into SNMs; iv) We show that, for SNMs, the model checking problem is cheaper than the one based on standard Kripke models. Finally, we have developed a proof-of-concept implementation of the model-checking algorithm for SNMs.

[8] Bjørnar Luteberget, John J. Camilleri, Christian Johansen, and Gerardo Schneider. Participatory Verification of Railway Infrastructure by Representing Regulations in RailCNL. In 15th International Conference on Software Engineering and Formal Methods, (SEFM'17), volume 10469 of LNCS, pages 87-103. Springer, 2017. [ bib | DOI | http | .pdf ]
Designs of railway infrastructure (tracks, signalling and control systems, etc.) need to comply with comprehensive sets of regulations describing safety requirements, engineering conventions, and design heuristics. We have previously worked on automating the verification of railway designs against such regulations, and integrated a verification tool based on Datalog reasoning into the CAD tools of railway engineers. This was used in a pilot project at Norconsult AS (formerly Anacon AS). In order to allow railway engineers with limited logic programming experience to participate in the verification process, in this work we introduce a controlled natural language, RailCNL, which is designed as a middle ground between informal regulations and Datalog code. Phrases in RailCNL correspond closely to those in the regulation texts, and can be translated automatically into the input language of the verifier. We demonstrate a prototype system which, upon detecting regulation violations, traces back from errors in the design through the CNL to the marked-up original text, allowing domain experts to examine the correctness of each translation step and better identify sources of errors. We also describe our design methodology, based on CNL best practices and previous experience with creating verification front-end languages.

[9] Thibaud Antignac, Mukelabai Mukelabai, and Gerardo Schneider. Specification, Design, and Verification of an Accountability-aware Surveillance Protocol. In The 32nd ACM/SIGAPP Symposium On Applied Computing -Software Verification and Testing track (SAC-SVT'17), pages 1372-1378. ACM, 2017. [ bib | DOI | http | .pdf ]
Though controversial, surveillance activities are more and more performed for security reasons. However, such activities are extremely privacy-intrusive. This is seen as a necessary side-effect to ensure the success of such operations. In this paper, we propose an accountability-aware protocol designed for surveillance purposes. It relies on a strong incentive for a surveillance organisation to register its activity to a data protection authority. We first elicit a list of accountability requirements, we provide an architecture showing the interaction of the different involved parties, and we propose an accountability-aware protocol which is formally specified in the applied pi calculus. We use the ProVerif tool to automatically verify that the protocol respects confidentiality, integrity and authentication properties.

[10] Pablo Picazo-Sánchez, Raúl Pardo, and Gerardo Schneider. Secure Photo Sharing in Social Networks. In IFIP Information Security & Privacy Conference (IFIP SEC'17), volume 502 of IFIP Advances in Information and Communication Technology (AICT), pages 79-92, Rome, Italy, 2017. Springer Science and Business Media. [ bib | DOI | .pdf ]
Nowadays, in an ubiquitous world where everything is connected to the Internet and where social networks play an important role in our lives, security and privacy is a must. Billions of pictures are uploaded daily to social networks and, with them, parts of our private life are disclosed. In this work, we propose a practical solution for secure photo sharing on social network with independence of its architecture which can be either centralised or distributed. This solution solves the inconsistencies that appear in distributed social network as a consequence of treating photos and access policies separately. Specifically, we solve this open problem by attaching an access policy to the images and thus, each time a photo is re-shared, the access policy will travel together with the image.

[11] Thibaud Antignac, David Sands, and Gerardo Schneider. Data Minimisation: A Language-Based Approach. In IFIP Information Security & Privacy Conference (IFIP SEC'17), volume 502 of IFIP Advances in Information and Communication Technology (AICT), pages 442-456, Rome, Italy, 2017. Springer Science and Business Media. [ bib | DOI | .pdf ]
Data minimisation is a privacy-enhancing principle considered as one of the pillars of personal data regulations. This principle dictates that personal data collected should be no more than necessary for the specific purpose consented by the user. In this paper we study data minimisation from a programming language perspective. We assume that a given program embodies the purpose of data collection, and define a data minimiser as a pre-processor for the input which reduces the amount of information available to the program without compromising its functionality. We give formal definitions, and provide a procedure to synthesise a correct data minimiser for a given program.

[12] Raúl Pardo, Ivana Kellyérová, César Sánchez, and Gerardo Schneider. Specification of Evolving Privacy Policies for Online Social Networks. In 23rd International Symposium on Temporal Representation and Reasoning (TIME'16), pages 70-79. IEEE CPS, 2016. [ bib | DOI | .pdf ]
Online Social Networks are ubiquitous,bringing not only numerous new possibilities but also big threats and challenges. Privacy is one of them. Most social networks today offer a limited set of (static) privacy settings, not being able to express dynamic policies. For instance, users might decide to protect their location during the night, or share information with difference audiences depending on their current position. In this paper we introduce TFPPF, a formal framework to express, and reason about, dynamic (and recurrent) privacy policies that are activated or deactivated by context (events) or time. Besides a formal policy language (TPPL), the framework includes a knowledge-based logic extended with (linear) temporal operators and a learning modality (TKBL). Policies, and formulae in the logic, are interpreted over (timed) traces representing the evolution of the social network. We prove that checking privacy policy conformance, and the model-checking problem for TKBL, are both decidable.

[13] Raúl Pardo, Christian Colombo, Gordon Pace, and Gerardo Schneider. An Automata-based Approach to Evolving Privacy Policies for Social Networks. In The 16th International Conference on Runtime Verification (RV'16), volume 10012 of LNCS, pages 285-301. Springer, 2016. [ bib | DOI | .pdf ]
Online Social Networks (OSNs) are ubiquitous, with more than 70% of Internet users being active users of such networking services. This widespread use of OSNs brings with it big threats and challenges, privacy being one of them. Most OSNs today offer a limited set of (static) privacy settings and do not allow for the definition, even less enforcement, of more dynamic privacy policies. In this paper we are concerned with the specification and enforcement of dynamic (and recurrent) privacy policies that are activated or deactivated by context (events). In particular, we present a novel formalism of policy automata, transition systems where privacy policies may be defined per state. We further propose an approach based on runtime verification techniques to define and enforce such policies. We provide a proof-of-concept implementation for the distributed social network Diaspora, using the runtime verification tool LARVA to synthesise enforcement monitors.

[14] Wolfgang Ahrendt, Gordon Pace, and Gerardo Schneider. StaRVOOrS - Episode II, Strengthen and Distribute the Force. In 7th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation - ISoLA'16 (1); Track: Static and Runtime Verification: Competitors or Friends?, volume 9952 of LNCS, pages 402-415. Springer, 10-14 October 2016. [ bib | DOI | .pdf ]
Static and runtime techniques for the verification of programs are complementary. They both have their advantages and disadvantages, and a natural question is whether they may be combined in such a way as to get the advantages of both without inheriting too much from their disadvantages. In a previous contribution to ISoLA'12, we have proposed StaRVOOrS (`Static and Runtime Verification of Object-Oriented Software'), a unified framework for combining static and runtime verification in order to check data- and control-oriented properties. Returning to ISoLA here, we briefly report on advances since then: a unified specification language for data- and control-oriented properties, a tool for combined static and runtime verification, and experiments. On that basis, we discuss two future research directions to strengthen the power, and broaden the scope, of combined static and runtime verification: (i) to use static analysis techniques to further optimise the runtime monitor, and (ii) to extend the framework to the distributed case.

[15] Thibaud Antignac, Riccardo Scandariato, and Gerardo Schneider. A Privacy-Aware Conceptual Model for Handling Personal Data. In 7th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation - ISoLA'16 (1); Track: Privacy and Security Issues in Information Systems, volume 9952 of LNCS, pages 942-957. Springer, 10-14 October 2016. [ bib | DOI | .pdf ]
Handling personal data adequately is one of the biggest challenges of our era. Consequently, law and regulations are in the process of being released, like the European General Data Protection Regulation (GDPR), which attempt to deal with these challenging issue early on. The core question motivating this work is how software developers can validate their technical design vis-a-vis the prescriptions of the privacy legislation. In this paper, we outline the technical concepts related to privacy that need to be taken into consideration in a software design. Second, we extend a popular design notation in order to support the privacy concepts illustrated in the previous point. Third, we show how some of the prescriptions of the privacy legislation and standards may be related to a technical design that employs our enriched notation, which would facilitate reasoning about compliance.

[16] Gerardo Schneider. On the Specification and Enforcement of Privacy-Preserving Contractual Agreements. In 7th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation - ISoLA'16 (2); Track: Runtime Verification and Enforcement, the (industrial) application perspective, volume 9953 of LNCS, pages 413-419. Springer, 10-14 October 2016. [ bib | DOI | .pdf ]
We are here concerned with the enforcement at runtime of contractual agreements (e.g., Terms of Service) that respect users' privacy policies. We do not provide a technical solution to the problem but rather give an overview of a framework for such an enforcement, and briefly discuss related work and ideas on how to address part of the framework.

[17] Gordon Pace, Raúl Pardo, and Gerardo Schneider. On the Runtime Enforcement of Evolving Privacy Policies in Online Social Networks. In 7th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation - ISoLA'16 (2); Track: Runtime Verification and Enforcement, the (industrial) application perspective, volume 9953 of LNCS, pages 407-412. Springer, 10-14 October 2016. [ bib | DOI | .pdf ]
Online Social Networks have increased the need to understand well and extend the expressiveness of privacy policies. In particular, the need to be able to define and enforce dynamic (and recurrent) policies that are activated or deactivated by context (events) or timeouts. We propose an automaton-based approach to define and enforce such policies using runtime verification techniques. In this paper we discuss how our proposed solution addresses this problem without focussing on concrete technical details.

[18] John J. Camilleri, Normunds Gruzitis, and Gerardo Schneider. Extracting Formal Models from Normative Texts. In 21st International Conference on Applications of Natural Language to Information Systems (NLDB'16), volume 9612 of LNCS, pages 403-408. Springer, 22-24 June 2016. [ bib | DOI ]
Normative texts are documents based on the deontic notions of obligation, permission, and prohibition. Our goal is model such texts using the formalism, making them amenable to formal analysis, in particular verifying that a text satisfies properties concerning causality of actions and timing constraints. We present an experimental, semi-automatic aid to bridge the gap between a normative text and its formal representation. Our approach uses dependency trees combined with our own rules and heuristics for extracting the relevant components. The resulting tabular data can then be converted into a C-O Diagram.

[19] Jesús Mauricio Chimento, Wolfgang Ahrendt, Gordon Pace, and Gerardo Schneider. STARVOORS: A Tool for Combined Static and Runtime Verification of Java. In The 15th International Conference on Runtime Verification (RV'15), volume 9333 of LNCS, pages 297-305, Vienna, Austria, September 22-25 2015. Springer. [ bib | DOI | .pdf ]
We present the tool StaRVOOrS (Static and Runtime Verification of Object-Oriented Software), which combines static and runtime verification (RV) of Java programs. The tool automates a framework which uses partial results extracted from static verification to optimise the runtime monitoring process. StaRVOOrs combines the deductive theorem prover KeY and the RV tool LARVA, and uses properties written using the ppDATE specification language which combines the control-flow property language DATE used in LARVA with Hoare triples assigned to states. We demonstrate the effectiveness of the tool by applying it to the electronic purse application Mondex.

[20] Wolfgang Ahrendt, Mauricio Chimento, Gordon Pace, and Gerardo Schneider. A specification language for static and runtime verification of data and control properties. In Formal Methods (FM'15), volume 9109 of LNCS, pages 108-125, Oslo, Norway, June 24-26 2015. Springer. [ bib | DOI | .pdf ]
Static verification techniques can verify properties across all executions of a program, but powerful judgements are hard to achieve automatically. In contrast, runtime verification enjoys full automation, but cannot judge future and alternative runs. In this paper we present a novel approach in which data-centric and control-oriented properties may be stated in a single formalism, amenable to both static and dynamic verification techniques. We develop and formalise a specification notation, ppDATE, extending the control-flow property language used in the runtime verification tool LARVA with pre/post-conditions and show how specifications written in this notation can be analysed both using the deductive theorem prover KeY and the runtime verification tool LARVA. Verification is performed in two steps: KeY first partially proves the data-oriented part of the specification, simplifying the specification which is then passed on to LARVA to check at runtime for the remaining parts of the specification including the control-centric aspects. We apply the approach to Mondex, an electronic purse application.

[21] Gordon J. Pace, Fernando Schapachnik, and Gerardo Schneider. Conditional Permissions in Contracts. In The 28th International Conference on Legal Knowledge and Information Systems (JURIX'15), volume 279 of Frontiers in Artificial Intelligence and Applications, pages 61-70. IOS Press, 2015. [ bib | DOI | .pdf ]
Defining and characterising conditional permissions has never been easy. Part of the problem, we believe, comes from the fact that there is not one but a whole family of possible deontic operators, all of them distinct and reasonable, that can be labelled as conditional permissions. In this article, rather than disputing the correct interpretation, we revisit a number of different interpretations the term has received in the literature, and propose appropriate formalisations for these interpretations within the context of contract automata.

[22] Hamid Ebadi, David Sands, and Gerardo Schneider. Differential Privacy: Now it's Getting Personal. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'15), pages 69-81, Mumbai, India, 12-18 January 2015. ACM. [ bib | DOI | .pdf ]
Differential privacy provides a way to get useful information about sensitive data without revealing much about any one individual. It enjoys many nice compositionality properties not shared by other approaches to privacy, including, in particular, robustness against side-knowledge. Designing differentially private mechanisms from scratch can be a challenging task. One way to make it easier to construct new differential private mechanisms is to design a system which allows more complex mechanisms (programs) to be built from differentially private building blocks in principled way, so that the resulting programs are guaranteed to be differentially private by construction. This paper is about a new accounting principle for building differentially private programs. It is based on a simple generalisation of classic differential privacy which we call Personalised Differential Privacy (PDP). In PDP each individual has its own personal privacy level. We describe ProPer, a interactive system for implementing PDP which maintains a privacy budget for each individual. When a primitive query is made on data derived from individuals, the provenance of the involved records determines how the privacy budget of an individual is affected: the number of records derived from Alice determines the multiplier for the privacy decrease in Alice's budget. This offers some advantages over previous systems, in particular its fine-grained character allows better utilisation of the privacy budget than mechanisms based purely on the concept of global sensitivity, and it applies naturally to the case of a live database where new individuals are added over time. We provide a formal model of the ProPer approach, prove that it provides personalised differential privacy, and describe a prototype implementation based on McSherry's PINQ system.

[23] John J. Camilleri, Gabrielle Paganelli, and Gerardo Schneider. A cnl for contract-oriented diagrams. In Fourth Workshop on Controlled Natural Language (CNL 2014), volume 8625 of LNCS, pages 135-146. Springer, 2014. [ bib | DOI | .pdf ]
We present a first step towards a framework for defining and manipulating normative documents or contracts described as Contract-Oriented (C-O) Diagrams.These diagrams provide a visual representation for such texts, giving the possibility to express a signatory's obligations, permissions and prohibitions, with or without timing constraints, as well as the penalties resulting from the non-fulfilment of a contract. This work presents a CNL for verbalising C-O Diagrams, a web-based tool allowing editing in this CNL, and another for visualising and manipulating the diagrams interactively. We then show how these proof-of-concept tools can be used by applying them to a small example.

[24] Raúl Pardo and Gerardo Schneider. A formal privacy policy framework for social networks. In 12th International Conference on Software Engineering and Formal Methods (SEFM'14), volume 8702 of LNCS, pages 378-392. Springer, 2014. [ bib | DOI | .pdf ]
Social networks (SN) provide a great opportunity to help people interact with each other in different ways depending on the kind of relationship that links them. One of the aims of SN is to be flexible in the way one shares information, being as permissive as possible in how people communicate and disseminate information. While preserving the spirit of SN, users would like to be sure that their privacy is not compromised. One way to do so is by providing users with means to define their own privacy policies and give guarantees that they will be respected. In this paper we present a privacy policy framework for SN, consisting of a formal model of SN, a knowledge-based logic, and a formal privacy policy language. The framework may be tailored by providing suitable instantiations of the different relationships, the events, the propositions representing what is to be known, and the additional facts or rules a particular social network should satisfy. Besides, models of Facebook and Twitter are instantiated in our formalism, and we provide instantiations of a number of richer privacy policies.

[25] Antonio Cerone, Markus Roggenbach, Holger Schlingloff, Gerardo Schneider, and Siraj Shaikh. Teaching formal methods for software engineering - ten principles. In Fun with Formal Methods Workshop, July 2013. [ bib | .pdf ]
In this paper we report and reflect about the didactic principles underlying our endeavour to write a book on `Formal Methods for Software Engineering - Languages, Methods, Application Domains”, and to teach its contents at international summer schools`. Target audience for the book are taught master students, possibly striving for a career in industry, and doctoral students in their early years, possibly in search of a suitable topic for their dissertation. We outline ten principles underlying the design of the book, coin a recommendation from each principle, and give appropriate examples. We report about the feedback from participants to the schools and lectures, and relate our principles to other pedagogical suggestions for teaching Formal Methods.

[26] Pavel Rabetski and Gerardo Schneider. Migration of an on-premise application to the cloud: Experience report. In European Conference on Service-Oriented and Cloud Computing (ESOCC'13), volume 8135 of LNCS, pages 227-241, Malaga, Spain, 2013. Springer. [ bib | DOI | .pdf ]
As of today it is still not clear how and when cloud computing should be used. Developers very often write applications in a way that does not really fit a cloud environment, and in some cases without taking into account how quality attributes (like performance, security or portability) are affected. In this paper we share our experience and observations from adopting cloud computing for an on-premise enterprise application in a context of a small software company. We present experimental results concerning a comparative evaluation (w.r.t. performance and cost) of the behavior of the original system both on-premise and on the Cloud, considering different scenarios in the Cloud.

[27] Robert Nagy, Gerardo Schneider, and Aram Timofeitchik. Automatic testing of real-time graphics systems. In 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'13), volume 7795 of LNCS, pages 465-479, Rome, Italy, 2013. Springer. [ bib | DOI | .pdf ]
In this paper we deal with the general topic of verification of real-time graphic systems. In particular we present the Runtime Graphics Verification Framework (RUGVEF), where we combine techniques from runtime verification and image analysis to automate testing of graphic systems. We provide a proof of concept in the form of a case study, where RUGVEF is evaluated in an industrial setting to verify an on-air graphics playout system used by the Swedish Broadcasting Corporation. We report on experimental results from the evaluation, in particular the discovery of five previously unknown defects not been detected before.

[28] Gerardo Schneider. Towards a framework for analyzing normative texts in controlled natural language. In 6th International Workshop on Formal Languages and Analysis of Contract-Oriented Software (FLACOS'12), EPTCS, Bertinoro, Italy, 19 September 2012. [ bib ]
[29] Wolfgang Ahrendt, Gordon J. Pace, and Gerardo Schneider. A Unified Approach for Static and Runtime Verification: Framework and Applications. In 5th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (ISoLA'12) - Part I, volume 7609 of LNCS, pages 312-326, Heraclion, Crete, 15-18 October 2012. Springer. [ bib | DOI | .pdf ]
Static verification of software is becoming ever more effective and efficient. Still, static techniques either have high precision, in which case powerful judgements are hard to achieve automatically, or they use abstractions supporting increased automation, but possibly losing important aspects of the concrete system in the process. Runtime verification has complementary strengths and weaknesses. It combines full precision of the model (including the real deployment environment) with full automation, but cannot judge future and alternative runs. Another drawback of runtime verification can be the computational overhead of monitoring the running system which, although typically not very high, can still be prohibitive in certain settings. In this paper we propose a framework to combine static analysis techniques and runtime verification with the aim of getting the best of both techniques. In particular, we discuss an instantiation of our framework for the deductive theorem prover KeY, and the runtime verification tool LARVA. Apart from combining static and dynamic verification, this approach also combines the data centric analysis of KeY with the control-centric analysis of LARVA. An advantage of the approach is that, through the use of a single specification which can be used by both analysis techniques, expensive parts of the analysis could be moved to the static phase, allowing the runtime monitor to make significant assumptions, dropping parts of expensive checks at runtime. We also discuss specific applications of our approach.

[30] Hallstein A. Hansen, Gerardo Schneider, and Martin Steffen. Reachability analysis of non-linear planar autonomous systems. In Fourth International Conference on Fundamentals of Software Engineering (FSEN'11), volume 7141 of LNCS, pages 206-220, Teheran, Iran, 20-22 April 2012. Springer. [ bib | DOI | .pdf ]
Many complex continuous systems are modeled as non-linear autonomous systems, i.e., by a set of differential equations with one independent variable. Exact reachability, i.e., whether a given configuration can be reached by starting from an initial configuration of the system, is undecidable in general, as one needs to know the solution of the system of equations under consideration. In this paper we address the reachability problem of planar autonomous systems approximatively. We use an approximation technique which "hybridizes" the state space in the following way: the original system is partitioned into a finite set of polygonal regions where the dynamics on each region is approximated by constant differential inclusions. Besides proving soundness, completeness, and termination of our algorithm, we present an implementation, and its application into (classical) examples taken from the literature.

[31] Seyed M. Montazeri, Nivir Roy, and Gerardo Schneider. From Contracts in Structured English to CL Specifications. In 5th International Workshop on Formal Languages and Analysis of Contract-Oriented Software (FLACOS'11), volume 68 of EPTCS, pages 55-69, Málaga, Spain, 22-23 September 2011. [ bib | DOI | .pdf ]
In this paper we present a framework to analyze conflicts of contracts written in structured English. A contract that has manually been rewritten in a structured English is automatically translated into a formal language using the Grammatical Framework (GF). In particular we use the contract language CL as a target formal language for this translation. In our framework CL specifications could then be input into the tool CLAN to detect the presence of conflicts (whether there are contradictory obligations, permissions, and prohibitions. We also use GF to get a version in (restricted) English of CL formulae. We discuss the implementation of such a framework.

[32] Enrique Martínez, María E. Cambronero, Gregorio Díaz, and Gerardo Schneider. Timed Automata Semantics for Visual e-Contracts. In 5th International Workshop on Formal Languages and Analysis of Contract-Oriented Software (FLACOS'11), volume 68 of EPTCS, pages 7-21, Málaga, Spain, 22-23 September 2011. [ bib | DOI | .pdf ]
C-O Diagrams have been introduced as a means to have a more visual representation of electronic contracts, where it is possible to represent the obligations, permissions and prohibitions of the different signatories, as well as what are the penalties in case of not fulfillment of their obligations and prohibitions. In such diagrams we are also able to represent absolute and relative timing constraints. In this paper we present a formal semantics for C-O Diagrams based on timed automata extended with an ordering of states and edges in order to represent different deontic modalities.

[33] Enrique Martinez and Gerardo Schneider. Automated Analysis of Conflicts in Software Product Lines. In SPLC Workshops - 1st International Workshop on Formal Methods in Software Product Line Engineering (FMSPLE'10), volume 2, pages 75-82. Lancaster University, September 2010. [ bib | .pdf ]
In this paper we propose a framework where the behaviour of features can be modelled using a visual model language for contracts (C-O Diagrams). We present a partial translation from C-O Diagrams into the deontic contract language CL allowing to detect whether there are contradicting features, using the tool CLAN. We aim at handling conflicts arising from software evolution and variability. As a proof of concept we apply our technique to a trading system case study.

[34] Enrique Martinez, Emilia Cambronero, Gregorio Diaz, and Gerardo Schneider. A Model for Visual Specification of e-Contracts. In The 7th IEEE International Conference on Services Computing (IEEE SCC'10), pages 1-8, Los Alamitos, USA, July 5-10 2010. IEEE Computer Society. [ bib | DOI | .pdf ]
In a web service composition, an electronic contract (e-contract) regulates how the services participating in the composition should behave, including the restrictions that these services must fulfill, such as real-time constraints. In this work we present a visual model that allows us to specify e-contracts in a user friendly way, including conditional behavior and realtime constraints. A case study is presented to illustrate how this visual model defines e-contracts and a preliminary evaluation of the model is also done.

[35] Hallstein A. Hansen and Gerardo Schneider. Reachability Analysis of GSPDIs: Theory, Optimization, and Implementation. In 25th Annual ACM Symposium on Applied Computing -Software Verification and Testing track (SAC-SVT'10), pages 2511-2516, Sierre, Switzerland, March 22-26 2010. ACM. [ bib | DOI | .pdf ]
Analysis of systems containing both discrete and continuous dynamics, hybrid systems, is a difficult issue. Most problems have been shown to be undecidable, with the exception of a few classes where the dynamics are restricted and/or the dimension is low. In this paper we present some theoretical results concerning the decidability of the reachability problem for a class of planar hybrid systems called Generalized Polygonal Hybrid Systems (GSPDI). These new results provide means to optimize a previous reachability algorithm, making the implementation feasible. We also discuss the implementation of the algorithm into a tool.

[36] Stephen Fenech, Gordon J. Pace, and Gerardo Schneider. Clan: A tool for contract analysis and conflict discovery. In 7th International Symposium on Automated Technology for Verification and Analysis (ATVA'09), volume 5799 of LNCS, pages 90-96, Macao, China, October 2009. Springer. [ bib | DOI | .pdf ]
As Service-Oriented Architectures are more widely adopted, it becomes more important to adopt measures for ensuring that the services satisfy functional and non-functional requirements. One approach is the use of contracts based on deontic logics, expressing obligations, permissions and prohibitions of the different actors. The use of explicit contracts enables various analysis techniques to be used when using services. A challenging aspect is that of service composition, in which the contracts composed together may result in conflicting situations. Especially in a context where services may be dynamically composed, the need for automated techniques to analyse contracts and ensure their soundness are crucial. In this paper, we present CLAN, a tool for automatic analysis of conflicting clauses of contracts written in the contract language CL. We present a small case study of an airline check-in desk illustrating the use of the tool.

[37] Christian Colombo, Gordon J. Pace, and Gerardo Schneider. Dynamic event-based runtime monitoring of real-time and contextual properties. In 13th International Workshop on Formal Methods for Industrial Critical Systems (FMICS'08), volume 5596 of LNCS, pages 135-149, L'Aquila, Italy, September 2009. Springer-Verlag. [ bib | DOI | .pdf ]
Given the intractability of exhaustively verifying software, the use of runtime-verification, to verify single execution paths at runtime, is becoming popular. Although the use of runtime verification is increasing in industrial settings, various challenges still are to be faced to enable it to spread further. We present dynamic communicating automata with timers and events to describe properties of systems, implemented in LARVA, an event-based runtime verification tool for monitoring temporal and contextual properties of Java programs. The combination of timers with dynamic automata enables the straightforward expression of various properties, including replication of properties, as illustrated in the use of LARVA for the runtime monitoring of a real life case study - an online transaction system for credit card. The features of LARVA are also benchmarked and compared to a number of other runtime verification tools, to assess their respective strengths in property expressivity and overheads induced through monitoring.

[38] Stephen Fenech, Gordon J. Pace, and Gerardo Schneider. Automatic Conflict Detection on Contracts. In 6th International Colloquium on Theoretical Aspects of Computing (ICTAC'09), volume 5684 of LNCS, pages 200-214, Kuala Lumpur, Malaysia, August 2009. Springer. [ bib | DOI | .pdf ]
Industry is currently pushing towards Service-Oriented Architectures, where code execution is not limited to the organisational borders but may be extended beyond, to sources typically not accessible. Contracts, expressing obligations, permissions and prohibitions of the different actors, can be used to protect the interests of the organisations engaged in such service exchange. The, potentially dynamic, composition of different services with different contracts, and the combination of service contracts with local contracts can give rise to unexpected conflicts, exposing the need for automatic techniques for contract analysis. In this paper we look at automatic analysis techniques for contracts written in the contract language CL. We present a trace semantics of CL suitable for conflict analysis, and a decision procedure for detecting conflicts (together with its proof of soundness, completeness and termination). We also discuss its implementation and look into the applications of the contract analysis approach we present. These techniques are applied to a small case study of an airline check-in desk.

[39] Hallstein A. Hansen and Gerardo Schneider. GSPeeDI - A Verification Tool for Generalized Polygonal Hybrid Systems. In 6th International Colloquium on Theoretical Aspects of Computing (ICTAC'09), volume 5684 of LNCS, pages 336-342, Kuala Lumpur, Malaysia, August 2009. Springer. [ bib | DOI | .pdf ]
The GSPeeDI tool implements a decision procedure for the reachability analysis of GSPDIs, planar hybrid systems whose dynamics is given by differential inclusions, and that are not restricted by the goodness assumption from previous work on the so-called SPDIs. Unlike SPeeDI (a tool for reachability analysis of SPDI) the underlying analysis of GSPeeDI is based on a breadth-first search algorithm, and it can handle more general systems.

[40] Cristian Prisacariu and Gerardo Schneider. Abstract specification of legal contracts (research abstract). In 12th International Conference on Artificial Intelligence and Law (ICAIL'09), pages 218-219, Barcelona, Spain, June 2009. ACM. [ bib | DOI | .pdf ]
The paper presents an action-based formal language called CL for abstract specification of legal contracts. The purpose of the language is to be used to reason about electronic contracts, and as an abstract language for legal contracts. CL combines the legal notions of obligation, permission, and prohibition from deontic logic with the action modality of propositional dynamic logic. The deontic modalities are applied only over actions, thus following the ought-to-do approach. The language includes a synchrony operator to model actions performed at the same time, and a special complementation operation to encode the violation of obligations. The language has a formal semantics in terms of normative structures, specially defined to capture several natural properties of legal contracts. We focus on the informal discussion of the choices made for designing CL, both syntactically and semantically.

[41] Cristian Prisacariu and Gerardo Schneider. CL: An Action-based Logic for Reasoning about Contracts. In 16th Workshop on Logic, Language, Information and Computation (WOLLIC'09), volume 5514 of LNCS, pages 335-349, Tokyo, Japan, June 2009. Springer. [ bib | DOI | .pdf ]
This paper presents a new version of the CL contract specification language. CL combines deontic logic with propositional dynamic logic but it applies the modalities exclusively over structured actions. CL features synchronous actions, conflict relation, and an action negation operation. The CL version that we present here is more expressive and has a cleaner semantics than its predecessor. We give a direct semantics for CL in terms of normative structures. We show that CL respects several desired properties from legal contracts and is decidable. We relate this semantics with a trace semantics of CL which we used for run-time monitoring contracts.

[42] Stephen Fenech, Joseph Okika, Gordon J. Pace, Anders P. Ravn, and Gerardo Schneider. On the specification of full contracts. In 6th International Workshop on Formal Engineering approaches to Software Components and Architectures (FESCA'09), volume 253 of ENTCS, pages 39-55, York, UK, March 2009. [ bib | DOI | .pdf ]
Contracts are specifications of properties of an interface to a software component; in this paper we focus on behavioural properties. We consider the problem of giving a full contract that specifies not only the normal behaviour, but also special cases and tolerated exceptions. We conjecture that operational specifications are well suited for normal cases, but are less easily extended for exceptional cases. Logic based specifications are essentially compositional, helping in some cases the specification of exceptional cases. This hypothesis is investigated by comparing specifications in CSP (operational) with specifications in LTL, CTL and a deontic logic based language CL. The specifications give successive extensions to a contract for a Cash Desk example. The outcome of the experiment supports the conjecture and demonstrates clear differences in the basic descriptive power of the formalisms.

[43] Olaf Owe and Gerardo Schneider. Wrap your objects safely. In 6th International Workshop on Formal Engineering approaches to Software Components and Architectures (FESCA'09), volume 253 of ENTCS, pages 127-143, York, UK, March 2009. [ bib | DOI | .pdf ]
Despite the effort of researchers on distributed systems, programming languages, and security, there is still no good solution offering basic constructs for guaranteeing minimal security at the programming language level. In particular, the notion of a wrapper around an object controlling its interaction with the environment has not properly been addressed at the programming language level. This kind of “local firewall” may play two different roles: (1) The untrusted part is the object inside the wrapper; (2) The untrusted part is the environment. In this paper we propose the addition of a language primitive for creating wrapped objects, and sketch a formalization based on a minimal object-oriented language for distributed systems, based on asynchronous communication.

[44] Gordon J. Pace and Gerardo Schneider. Challenges in the specification of full contracts. In Integrated Formal Methods (iFM'09), volume 5423 of LNCS, pages 292-306, Düseldorf, Germany, February 2009. [ bib | DOI | .pdf ]
The complete specification of full contracts -contracts which include tolerated exceptions, and which enable reasoning about the contracts themselves, can be achieved using a combination of temporal and deontic concepts. In this paper we discuss the challenges in combining deontic and other relevant logics, in particular focusing on operators for choice, obligations over sequences, contrary-to-duty obligations, and how internal and external decisions may be incorporated in an action-based language for specifying contracts. We provide different viable interpretations and approaches for the development of such a sound logic and outline challenges for the future.

[45] Christian Colombo, Gordon J. Pace, and Gerardo Schneider. Safe runtime verification of real-time properties. In The 7th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS'09), volume 5813 of LNCS, pages 103-117, Budapest, Hungary, 13-16 September 2009. Springer. [ bib | DOI | .pdf ]
Introducing a monitor on a system typically changes the system's behaviour, whether it is slowing the system down, and increasing memory consumption. This may possibly result in creating bugs not in the original system, or possibly even "fixing" bugs, only to reappear as the monitor is removed. Properties written in a real-time logic, such as duration calculus, can be particularly sensitive to such changes induced through monitoring. In this paper, we identify a class of real-time properties, in duration calculus, which are monotonic under the slowing down (speeding up) of the underlying system. We apply this approach to the real-time runtime monitoring tool LARVA, where we use duration calculus as a monitoring property specification language, so we automatically identify properties which can be shown to be monotonic with respect to system re-timing.

[46] Christian Colombo, Gordon J. Pace, and Gerardo Schneider. LARVA - Safer Monitoring of Real-Time Java Programs (Tool Paper). In 7th IEEE International Conference on Software Engineering and Formal Methods (SEFM'09), pages 33-37, Hanoi, Vietnam, 23-27 November 2009. IEEE Computer Society. [ bib | DOI | .pdf ]
The use of runtime verification, as a lightweight approach to guarantee properties of systems, has been increasingly employed on real-life software. In this paper, we present a tool LARVA, for the runtime verification of real-time properties of Java programs. Properties can be expressed in a number of notations, including timed-automata enriched with stopwatches, Lustre, and a subset of duration calculus. The tool has been successfully used on a number of case-studies, including an industrial system handling financial transactions. LARVA also performs analysis of real-time properties, to calculate, if possible, an upper-bound on the memory and temporal overheads induced by monitoring. Moreover, it gives other useful information, as for instance what is the impact of monitoring the system with respect to the monitored properties.

[47] Marcel Kyas, Cristian Prisacariu, and Gerardo Schneider. Run-time monitoring of electronic contracts. In 6th International Symposium on Automated Technology for Verification and Analysis (ATVA'08), volume 5311 of LNCS, pages 397-407, Seoul, South Korea, October 2008. Springer-Verlag. [ bib | DOI | .pdf ]
Electronic inter-organizational relationships are governed by contracts regulating their interaction. It is necessary to run-time monitor the contracts, as to guarantee their fulfillment as well as the enforcement of penalties in case of violations. The present work shows how to obtain a run-time monitor for contracts written in CL, a specification language that allows writing conditional obligations, permissions and prohibitions. We first give a trace semantics for CL which formalises that a trace fulfills a contract. We show how to obtain, for a given contract, a linear-size alternating Büchi automaton accepting exactly the traces which fulfill the contract. This automaton is the basis for obtaining a finite state machine which acts as a run-time monitor for CL contracts.

[48] Gordon J. Pace and Gerardo Schneider. Relaxing goodness is still good. In 5th International Colloquium on Theoretical Aspects of Computing (ICTAC'08), volume 5160 of LNCS, pages 274-289, Istanbul, Turkey, September 2008. [ bib | DOI | .pdf ]
Polygonal hybrid systems (SPDIs) are planar hybrid systems, whose dynamics are defined in terms of constant differential inclusions, one for each of a number of polygonal regions partitioning the plane. The reachability problem for SPDIs is known to be decidable, but depends on the goodness assumption - which states that the dynamics do not allow a trajectory to both enter and leave a region through the same edge. In this paper we extend the decidability result to generalised SPDIs (GSPDI), SPDIs not satisfying the goodness property, and give an algorithmic solution to decide reachability of such systems.

[49] Gordon Pace and Gerardo Schneider. Computation and visualisation of phase portraits for model checking spdis. In 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'08), volume 4963 of LNCS, pages 341-345, Budapest, Hungary, March 2008. Springer-Verlag. [ bib | DOI | .pdf ]
Hybrid systems combining discrete and continuous dynamics arise as mathematical models of various artificial and natural systems, and as an approximation to complex continuous systems. We present the tool SPeeDI+, that extends SPeeDI (a tool that implements a reachability algorithm for polygonal hybrid systems) with the computation of viability, controllability and invariance kernels.

[50] Gerardo Schneider. Reachability analysis of Generalized Polygonal Hybrid Systems. In 23rd Annual ACM Symposium on Applied Computing -Software Verification track (SAC-SV'08), pages 327-332, Fortaleza, Brazil, March 2008. ACM. [ bib | DOI | .pdf ]
A polygonal hybrid system (SPDIs) is a planar hybrid system, whose dynamics is defined by constant differential inclusions, for which the reachability problem is decidable. The decidability result is based, among other things, on the fact that a trajectory cannot enter and leave a given region through the same edge (the so-called goodness assumption). SPDIs without such an assumption are called Generalized SPDIs (GSPDIs). In this paper we show that it is not possible to reduce GSPDI reachability to SPDI reachability. Furthermore, we show that the reachability algorithm for SPDIs can be used to semi-decide GSPDI reachability, for which we give a sound algorithm.

[51] Gordon Pace, Cristian Prisacariu, and Gerardo Schneider. Model checking contracts -a case study. In 5th International Symposium on Automated Technology for Verification and Analysis (ATVA'07), volume 4762 of LNCS, pages 82-97, Tokyo, Japan, October 2007. Springer-Verlag. [ bib | DOI | .pdf ]
Contracts are agreements between distinct parties that determine rights and obligations on their signatories, and have been introduced in order to reduce risks and to regulate inter-business relationships. In this paper we show how a conventional contract can be written in the contract language CL, how to model the contract, and finally how to verify properties of the model using the NuSMV model checking tool.

[52] Olaf Owe, Gerardo Schneider, and Martin Steffen. Components, objects, and contracts. In 6th Workshop on Specification And Verification of Component-Based Systems (SAVCBS'07), ACM Digital Library, pages 95-98, Dubrovnik, Croatia, September 2007. [ bib | DOI | .pdf ]
Being a composite part of a larger system, a crucial feature of a component is its interface, as it describes the component's interaction with the rest of the system in an abstract manner. It is now commonly accepted that simple, functional interfaces are not expressive enough for components, and the trend is towards behavioral interfaces. We propose to go a step further and enhance components with contracts, i.e., agreements between two or more components on what they are obliged, permitted and forbidden when interacting. This way, contracts are modelled after legal contracts from conventional business or judicial arenas. Indeed, our work aims at a framework for e-contracts, i.e., “electronic” versions of legal documents describing the parties' respective duties. We take the object-oriented, concurrent programming language Creol as starting point and extend it with a notion of components. We then discuss a framework where components are accompanied by contracts and we sketch some ideas on how analysis of compatibility and compositionality could be done in such a setting.

[53] Johs H. Hammer and Gerardo Schneider. On the definition and policies of confidentiality. In 3rd International Symposium on Information Assurance and Security (IAS'07), pages 337-342, Manchester, UK, August 2007. IEEE Computer Society Press. [ bib | DOI | .pdf ]
In this paper we propose a more general definition of confidentiality, as an aspect of information security including information flow control. We discuss central aspects of confidentiality and their relation with norms and policies, and we introduce a language, with a deontic flavor, to express such norms and policies. Our language may be regarded as a first step towards a formal specification of security policies for confidentiality. We provide a number of examples of useful norms on confidentiality, and we discuss confidentiality policies from real scenarios.

[54] Cristian Prisacariu and Gerardo Schneider. A formal language for electronic contracts. In 9th IFIP International Conference on Formal Methods for Open Object-Based Distributed Systems (FMOODS'07), volume 4468 of LNCS, pages 174-189, Paphos, Cyprus, June 2007. Springer. [ bib | DOI | .pdf ]
In this paper we propose a formal language for writing electronic contracts, based on the deontic notions of obligation, permission, and prohibition. We take an ought-to-do approach, where deontic operators are applied to actions instead of state-of-affairs. We propose an extension of the mu-calculus in order to capture the intuitive meaning of the deontic notions, and to express concurrent actions. We provide a translation of the contract language into the logic, the semantics of which faithfully captures the meaning of obligation, permission and prohibition. We also show how our language captures most of the intuitive desirable properties of electronic contracts, as well as how it avoids most of the classical paradoxes of deontic logic. We finally show its applicability on a contract example.

[55] Olaf Owe, Gerardo Schneider, and Arild Torjusen. Towards integration of XML in the Creol object-oriented language. In NIK'07 proceedings, pages 107-111. Tapir Akademisk Forlag, 2007. [ bib | .pdf ]
The integration of XML documents in object-oriented programming languages is becoming paramount with the advent of the use of Internet in new applications like web services. Such an integration is not easy in general and demands a careful language design. In this paper we propose an extension to Creol, a high level object-oriented modeling language for distributed systems, for handling XML documents.

[56] Gordon J. Pace and Gerardo Schneider. A compositional algorithm for parallel model checking of polygonal hybrid systems. In 3rd International Colloquium on Theoretical Aspects of Computing (ICTAC'06), volume 4281 of LNCS, pages 168-182, Tunis, Tunisia, November 2006. Springer-Verlag. [ bib | DOI | .pdf ]
The reachability problem as well as the computation of the phase portrait for polygonal hybrid systems (SPDI) has been shown to be decidable. The existing reachability algorithm is based on the exploitation of topological properties of the plane which are used to accelerate certain kind of cycles. The exponential nature of the algorithm makes the analysis of large systems generally unfeasible. In this paper we present a compositional parallel algorithm for reachability analysis of SPDIs. The parallelization is based on the qualitative information obtained from the phase portrait of an SPDI, in particular the controllability kernel.

[57] Pablo Giambiagi, Olaf Owe, Anders P. Ravn, and Gerardo Schneider. Language-based support for service oriented architectures: Future directions. In International Conference on Software and Data Technologies (ICSOFT'06), pages 339-344, Setúbal, Portugal, September 2006. INSTICC Press. [ bib | .pdf ]
The fast evolution of the Internet has popularized service-oriented architectures (SOA) with their promise of dynamic IT-supported inter-business collaborations. Yet this popularity does not reflect on the number of actual applications using the architecture. Programming models in use today make a poor match for the distributed, loosely-coupled, document-based nature of SOA. The gap is actually increasing. For example, interoperability between different organizations, requires contracts to reduce risks. Thus, high-level models of contracts are making their way into service-oriented architectures, but application developers are still left to their own devices when it comes to writing code that will comply with a contract. This paper surveys existing and future directions regarding language-based solutions to the above problem.

[58] Einar B. Johnsen, Gerardo Schneider, and Øystein Torget. Runtime validation of communication histories. In IEEE 2nd International Conference on Intelligent Computer Communication and Processing (ICCP'06), pages 161-168, Cluj-Napoca, Romania, September 2006. U.T.Press. [ bib | .pdf ]
Component based software development techniques are becoming increasingly popular, as they improve the software development process through component reuse. However component based development poses a challenge to software verification: How can we assert the correctness of a black-box component without having access to the internal logic of its implementation? In this paper, we propose an approach to this challenge by validating a component's communication history with respect to a specification of its observable behaviour using runtime verification techniques. For this purpose we present a simple specification language for describing component behaviour in terms of communication protocols, a language extension to support error handling at the communication level, and a prototype tool to monitor components and assert that they satisfy their protocol specification at runtime. The prototype is implemented for Java components, supports multithreaded access to the monitored components, and is demonstrated on two examples.

[59] Gordon Pace and Gerardo Schneider. Static analysis for state-space reduction of polygonal hybrid systems. In 4th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS'06), volume 4202 of LNCS, pages 306-321, Paris, France, September 2006. Springer-Verlag. [ bib | DOI | .pdf ]
Polygonal hybrid systems (SPDI) are a subclass of planar hybrid automata which can be represented by piecewise constant differential inclusions. The reachability problem as well as the computation of certain objects of the phase portrait, namely the viability, controllability and invariance kernels, for such systems is decidable. In this paper we show how to compute another object of an SPDI phase portrait, namely semi-separatrix curves and show how the phase portrait can be used for reducing the state-space for optimizing the reachability analysis.

[60] Pablo Giambiagi and Gerardo Schneider. Memory consumption analysis of java smart cards. In Proceedings of CLEI'05, Cali, Colombia, October 2005. [ bib | .pdf ]
Memory is a scarce resource in Java smart cards. Developers and card suppliers alike would want to make sure, at compile- or load-time, that a Java Card applet will not overflow memory when performing dynamic class instantiations. Although there are good solutions to the general problem, the challenge is still out to produce a static analyser that is certified and could execute on-card. We provide a constraint-based algorithm which determines potential loops and (mutually) recursive methods. The algorithm operates on the bytecode of an applet and is written as a set of rules associating one or more constraints to each bytecode instruction. The rules are designed so that a certified analyser could be extracted from their proof of correctness. By keeping a clear separation between the rules dealing with the inter- and intra-procedural aspects of the analysis we are able to reduce the space-complexity of a previous algorithm.

[61] Gilles Barthe, Mariela Pavlova, and Gerardo Schneider. Precise analysis of memory consumption using program logics. In 3rd IEEE International Conference on Software Engineering and Formal Methods (SEFM'05), pages 86-95, Koblenz, Germany, September 2005. IEEE Computer Society. [ bib | DOI | .pdf ]
Memory consumption policies provide a means to control resource usage on constrained devices, and play an important role in ensuring the overall quality of software systems, and in particular resistance against resource exhaustion attacks. Such memory consumption policies have been previously enforced through static analysis, which yield automatic bounds at the cost of precision, or run-time analysis, which incur an overhead that is not acceptable for constrained devices. In this paper, we study the use of logical methods to specify and statically verify precise memory consumption policies for Java bytecode programs. First, we demonstrate how the Bytecode Specification Language (a variant of the Java Modelling Language tailored to bytecode) can be used to specify precise memory consumption policies for (sequential) Java applets, and how verification tools can be used to enforce such memory consumption policies. Second, we consider the issue of inferring some of the annotations required to express the memory consumption policy, and report on an inference algorithm. Our broad conclusion is that logical methods provide a suitable means to specify and verify expressive memory consumption policies, with an acceptable overhead.

[62] David Cachera, Thomas Jensen, David Pichardie, and Gerardo Schneider. Certified memory usage analysis. In Formal Methods (FM'05), volume 3582 of LNCS, pages 91-106, Newcastle Upon Tyne, UK, July 2005. Springer-Verlag. [ bib | DOI | .pdf ]
We present a certified algorithm for resource usage analysis, applicable to languages in the style of Java byte code. The algorithm verifies that a program executes in bounded memory. The algorithm is destined to be used in the development process of applets and for enhanced byte code verification on embedded devices. We have therefore aimed at a low-complexity algorithm derived from a loop detection algorithm for control flow graphs. The expression of the algorithm as a constraint-based static analysis of the program over simple lattices provides a link with abstract interpretation that allows to state and prove formally the correctness of the analysis with respect to an operational semantics of the program. The certification is based on an abstract interpretation framework implemented in the Coq proof assistant which has been used to provide a complete formalisation and formal verification of all correctness proofs.

[63] Pablo Giambiagi, Gerardo Schneider, and Frank D. Valencia. On the expressiveness of infinite behavior and name scoping in process calculi. In Foundations of Software Science and Computation Structures (FOSSACS'04), volume 2987 of LNCS, pages 226-240, Barcelone, Spain, March 2004. Springer-Verlag. [ bib | DOI | .pdf ]
In the literature there are several CCS-like process calculi differing in the constructs for the specification of infinite behavior and in the scoping rules for channel names. In this paper we study various representatives of these calculi based upon both their relative expressiveness and the decidability of divergence. We regard any two calculi as being equally expressive iff for every process in each calculus, there exists a weakly bisimilar process in the other. By providing weak bisimilarity preserving mappings among the various variants, we show that in the context of relabeling-free and finite summation calculi: (1) CCS with parameterless (or constant) definitions is equally expressive to the variant with parametric definitions. (2) The CCS variant with replication is equally expressive to that with recursive expressions and static scoping. We also state that the divergence problem is undecidable for the calculi in (1) but decidable for those in (2). We obtain this from (un)decidability results by Busi, Gabbrielli and Zavattaro, and by showing the relevant mappings to be computable and to preserve divergence and its negation. From (1) and the well-known fact that parametric definitions can replace injective relabelings, we show that injective relabelings are redundant (i.e., derived) in CCS (which has constant definitions only).

[64] Gordon Pace and Gerardo Schneider. Model checking polygonal differential inclusions using invariance kernels. In 5th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI'04), number 2937 in LNCS, pages 110-121, Venice, Italy, December 2003. Springer Verlag. [ bib | DOI | .pdf ]
Polygonal hybrid systems are a subclass of planar hybrid automata which can be represented by piecewise constant differential inclusions. Here, we identify and compute an important object of such systems' phase portrait, namely invariance kernels. An invariant set is a set of initial points of trajectories which keep rotating in a cycle forever and the invariance kernel is the largest of such sets. We show that this kernel is a non-convex polygon and we give a non-iterative algorithm for computing the coordinates of its vertices and edges. Moreover, we present a breadth-first search algorithm for solving the reachability problem for such systems. Invariance kernels play an important role in the algorithm.

[65] Eugene Asarin and Gerardo Schneider. Widening the boundary between decidable and undecidable hybrid systems. In 13th International Conference on Concurrency Theory (CONCUR'02), volume 2421 of LNCS, pages 193-208, Brno, Czech Republic, August 2002. Springer-Verlag. [ bib | DOI | .pdf ]
We revisited decidability of the reachability problem for low dimensional hybrid systems. Even though many attempts have been done to draw the boundary between decidable and undecidable hybrid systems there are still many open problems in between. In this paper we show that the reachability question for some two dimensional hybrid systems are undecidable and that for other 2-dim systems this question remains unanswered, showing that it is as hard as the reachability problem for Piecewise Affine Maps, that is a well known open problem.

[66] Eugene Asarin, Gordon Pace, Gerardo Schneider, and Sergio Yovine. SPeeDI: a verification tool for polygonal hybrid systems. In Computer Aided Verification (CAV'02), volume 2404 of LNCS, pages 354-358, Copenhagen, Denmark, July 2002. Springer-Verlag. [ bib | DOI | .pdf ]
We present SPeeDI, a tool for reachability analysis of Polygonal Hybrid Systems (SPDIs)

[67] Eugene Asarin, Gerardo Schneider, and Sergio Yovine. Towards computing phase portraits of polygonal differential inclusions. In 5th International Workshop on Hybrid Systems: Computation and Control (HSCC'02), number 2289 in LNCS, pages 49-61, Stanford, USA, March 2002. Springer-Verlag. [ bib | DOI | .pdf ]
Polygonal hybrid systems are a subclass of planar hybrid automata which can be represented by piecewise constant differential inclusions. Here, we study the problem of defining and constructing the phase portrait of such systems. We identify various important elements of it, such as viability and controllability kernels, and propose an algorithm for computing them all. The algorithm is based on a geometric analysis of trajectories.

[68] Eugene Asarin, Gerardo Schneider, and Sergio Yovine. On the decidability of the reachability problem for planar differential inclusions. In 4th International Workshop on Hybrid Systems: Computation and Control (HSCC'01), number 2034 in LNCS, pages 89-104, Rome, Italy, 2001. Springer-Verlag. [ bib | DOI | .pdf ]
In this paper we develop an algorithm for solving the reachability problem of two-dimensional piece-wise rectangular differential inclusions. Our procedure is not based on the computation of the reach-set but rather on the computation of the limit of individual trajectories. A key idea is the use of one-dimensional affine Poincaré maps for which we can easily compute the fixpoints. As a first step, we show that between any two points linked by an arbitrary trajectory there always exists a trajectory without self-crossings. Thus, solving the reachability problem requires considering only those. We prove that, indeed, there are only finitely many “qualitative types” of those trajectories. The last step consists in giving a decision procedure for each of them. These procedures are essentially based on the analysis of the limits of extreme trajectories. We illustrate our algorithm on a simple model of a swimmer spinning around a whirlpool.

[69] Gerardo Lafferriere, George J. Pappas, Gerardo Schneider, and Sergio Yovine. Parameter synthesis in robot motion planning using symbolic reachability computation. In Proceedings of 8th IEEE Mediterranean Conference on Control and Automation, Rio, Greece, July 2000. [ bib | .pdf ]
A well known problem in robotics is the motion planning problem in the presence of static obstacles. The trajectory of the robot must satisfy a linear differential equation as well as possbile input and state constraints. In this paper, we explore the use of symbolic reachability algorithms to decide whether the motion planning problem is feasible or not. In the case where it is feasible, it computes a feasible nominal input profile satisfying all system constraints. Our algorithm is based on quantifier elimination techniques in the ordered field of the reals, which have been recently applied to compute the reachable space for classes of linear hybrid systems.

[70] Gerardo Schneider and Xu Qiwen. Towards a formal semantics of verilog using duration calculus. In 5th International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT'98), number 1486 in LNCS, pages 282-293, Lyngby, Denmark, September 1998. Springer Verlag. [ bib | DOI | .pdf ]
We formalise the semantics of V-, a simple version of Verilog hardware description language using an extension of Duration Calculus. The language is simple enough for experimenting formalisation, but contains sufficient features for being practically relevant. V- programs can exhibit a rich variety of computations, and it is therefore necessary to extend Duration Calculus with several features, including Weakly Monotonic Time, infinite intervals and fixed point operators. The semantics is compositional and can be used as the formal basis of a formal theory of Verilog.

This file was generated by bibtex2html 1.97.