2011 4th International Conference on Biomedical Engineering and Informatics (BMEI)

Specification and Verification of Policy Using RAISE and Model Checking

Tao Zhang, Shaobin Huang, Tianyang Lv and Hongtao Huang
College of Computer Science and Technology, Harbin Engineering University, Harbin, Heilongjiang Province, China, 150001
[email protected]; [email protected]; [email protected]; [email protected]

Abstract—In order to understand and describe the domain of system applications and provide a sound formal basis for requirements engineering, this paper takes policy as the research object of domain engineering and proposes a method for the specification and verification of policy. Firstly, we construct a policy model in which the entities, functions, events and actions of a policy are specified in the RAISE Specification Language (RSL), and the properties of the policy are specified as LTL formulas. Secondly, we translate the RSL specifications automatically into PROMELA, the input language of the SPIN model checker, to verify the correctness of the policy model. For this purpose, we define a syntactic translation between RSL and PROMELA and show the correctness of the translation. Finally, we give a case study which automatically translates the RSL specification of a social insurance policy into PROMELA and verifies the correctness of the policy model with SPIN.

Keywords: RSL; PROMELA; SPIN; model checking; policy verification

I. INTRODUCTION

Changes in requirements always lead to changes in system design and implementation, and result in enormous system development costs [1, 2]. In the new definition of software engineering, domain engineering is performed before requirements engineering and is based on formal methods in order to enhance software reliability [3, 4]. A policy is a body of knowledge about the application domain. In some software engineering research, policy is viewed as a high-level "requirements specification" [5]: it is both the basis of requirements analysis and a specific constraint on system behavior. Errors and inconsistencies in the policy may therefore lead to corresponding errors and inconsistencies in requirements engineering and system design. Although there are policy analysis methods in the social sciences, including quantitative methods [6] and qualitative methods [7], those methods are not suitable for analyzing policies which constrain transactional operations, and they cannot serve as a formal basis for software engineering. To address this problem, this paper takes policy as a research object in domain engineering and combines RAISE and model checking to analyze and verify policies.

978-1-4244-9352-4/11/$26.00 ©2011 IEEE

The rest of the paper is organized as follows. Section II presents definitions of domain engineering, RSL and model checking, including their characteristics. In Section III we present the formal modeling of policy using the RSL specification language. Section IV gives a translation approach from the RSL model to the PROMELA model. To demonstrate the validity of these methods, Section V gives a case study which specifies and verifies the basic endowment insurance policy. Finally, conclusions and future work are presented in Section VI.

II. BACKGROUND

A. Domain Engineering

Domain engineering is a process which analyzes several systems in an application domain, identifies their shared requirements, and develops and organizes reusable components [8]. Domain engineering consists of three phases: 1) domain analysis, which produces the domain model describing the requirements common to the systems in the domain; 2) domain design, which derives the software architecture from the domain model; 3) domain implementation, which develops and organizes reusable components based on the domain model and the software architecture.

B. RAISE Formal Method

RAISE [9] (Rigorous Approach to Industrial Software Engineering) gives its name to a wide-spectrum specification and design language, the RAISE Specification Language (RSL), a method, and a set of tools. RSL [10] is a formal specification language which unifies features of the VDM, CSP and ACT ONE specification languages. RSL supports a wide range of specification styles [11] (axiomatic and model-based; applicative and imperative; sequential and concurrent), and specifications are in general collections of modules.

C. Model Checking

Model checking [12] is an automatic analysis and verification technique for finite-state concurrent systems used in the formal verification process. It models the system behavior as a state transition system (TS), expresses the modal/temporal property as a temporal logic formula ϕ, and verifies whether the system satisfies the property by deciding TS |= ϕ. There are many model checking tools, such as SMV [13] and SPIN [14].

III. POLICY MODEL

A. Formal Modeling

In this paper, policy is modeled as a scenario-based concurrent system (as shown in Fig. 1). A scene [15] is a series of purposeful actions among several objects; each action represents the interaction between one object and other objects.

Figure 1. Scenario-based policy analysis

The process of modeling a policy is as follows. Firstly, we abstract the objects, events, channels and the set of variables from the policy document. An object abstracts the stable and static things in the policy and contains a fixed set of attributes and operations. The values of all attributes of an object at a certain time represent the state of the object at that time: the features of the object are characterized by its attribute set, and the state of the object is changed by its operations. An event abstracts the occurrence of something that triggers some operations of an object. An action is an alternating sequence of events and operations. Variables and channels abstract the environment in which several processes run concurrently and interact with each other. Finally, we use RSL to specify the various components of the policy model. The policy model is formally defined as follows.

Definition 1. Policy Model. A policy model is a four-tuple PM = (P, V, C, A), where: P is a set of concurrent processes which abstract the dynamic execution of the operations of the objects in the policy model and is expressed as p1.op(parameter_list) || … || pn.op(parameter_list), where pi ∈ P, 1 ≤ i ≤ n, op is an operation of an object and || is the commutative and associative parallel operator of the RSL sublanguage RSL/CSP. V is the set of global variables which abstract the operating environment of the processes in the policy. C is the set of global channels, and A is the set of assertions containing the LTL formulas that PM must satisfy. The RSL syntax of PM is defined as follows:

    scheme Class_Name = class … end

    scheme PM_name = class
        variable V
        object p1 : Class_Name, …
        channel C
        value p1.op(parameter_list) || …
        assert A
    end

B. The Operational Semantic of PM

This paper uses program graphs (PG) and channel systems (CS) [16] to define the operational semantic of PM; the PG is used mainly to characterize the dynamic execution behavior of the system. Every object in the PM can be defined by a corresponding PG: for every o_i ∈ O, i > 0, there is PG_i = (Loc_i, Act_i, Effect_i, ↪_i, loc0_i, g0_i) over the set of variables Var(o_i), where:

• Loc_i is the set of all locations of o_i. In addition to the initial location, each send or receive message action of o_i generates a location.
• Act_i = {c?m, c!m, τ} is the set of actions of o_i, where τ indicates an internal action.
• Effect_i : Act_i × Eval(Var(o_i)) → Eval(Var(o_i)) is the effect function of o_i.
• ↪_i ⊆ Loc_i × Cond(Var(o_i)) × Act_i × Loc_i is the conditional transition relation of o_i.
• loc0_i ⊆ Loc_i is the set of initial locations of o_i.
• g0_i ∈ Cond(Var(o_i)) is the initial condition of o_i.

The operational semantic of PM is the channel system consisting of the program graphs PG_i of the objects o_i:

Definition 2. Operational semantic of PM. The operational semantic of a PM which has n objects is the channel system CS = [PG_1 || … || PG_n].
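As an added example that is not part of the paper (the paper's own models are the RSL and PROMELA figures), Definitions 1 and 2 are made executable here in Python: each object is a program graph, the policy model is their channel system with synchronous channels, and an exhaustive state exploration checks whether an insured person who wants to migrate eventually obtains the benefit. The migration scenario, its variables (twill, years, allowed, benefit, pi) and the ten-paid-years rule are constructed for illustration and are not taken from TCoBEI.

```python
# Added example, not the paper's model or tool: Definitions 1 and 2 made executable.
# Each object is a program graph PG_i = (Loc, Act, Effect, ->, loc0, g0); the policy model
# is the channel system [PG_1 || PG_2] with synchronous channels, so c!m in one graph fires
# only together with c?m in another. Scenario, variables and the ten-year rule are mine.
TAU, keep = ("tau",), (lambda v: v)                 # internal action; identity effect
def send(chan, expr): return ("send", chan, expr)   # expr: callable on the variables
def recv(chan, var): return ("recv", chan, var)     # var: variable receiving the message
# PG of the insured person and of the social insurance business object (SSB):
# transitions are (loc, guard, action, effect, loc'); SSB grants iff >= 10 paid years
PERSON = [
    ("idle",   lambda v: v["twill"],       send("req", lambda v: v["years"]), keep, "wait"),
    ("wait",   lambda v: True,             recv("ans", "allowed"),            keep, "decide"),
    ("decide", lambda v: v["allowed"],     TAU, lambda v: {**v, "benefit": True}, "done"),
    ("decide", lambda v: not v["allowed"], TAU, keep, "stuck"),
]
SSB = [
    ("listen", lambda v: True,          recv("req", "pi"),            keep, "check"),
    ("check",  lambda v: v["pi"] >= 10, send("ans", lambda v: True),  keep, "listen"),
    ("check",  lambda v: v["pi"] < 10,  send("ans", lambda v: False), keep, "listen"),
]

def successors(cs, locs, v):
    """One step of CS = [PG_1 || ... || PG_n]: tau moves alone, c!m and c?m move together."""
    out = []
    for i, pg in enumerate(cs):
        for (l, g, act, eff, l2) in pg:
            if l != locs[i] or not g(v): continue
            if act[0] == "tau":
                out.append((locs[:i] + (l2,) + locs[i + 1:], eff(v)))
            elif act[0] == "send":
                for j, pg2 in enumerate(cs):
                    for (m, g2, act2, eff2, m2) in pg2:
                        if j != i and m == locs[j] and g2(v) and act2[:2] == ("recv", act[1]):
                            nl = list(locs); nl[i], nl[j] = l2, m2   # handshake: both move
                            out.append((tuple(nl), eff(eff2({**v, act2[2]: act[2](v)}))))
    return out

def reachable(cs, locs0, v0):
    """Exhaustive exploration of the channel system; returns its reachable states."""
    freeze = lambda v: tuple(sorted(v.items()))
    seen, stack = {(locs0, freeze(v0))}, [(locs0, v0)]
    while stack:
        locs, v = stack.pop()
        for nl, nv in successors(cs, locs, v):
            if (nl, freeze(nv)) not in seen:
                seen.add((nl, freeze(nv))); stack.append((nl, nv))
    return seen

def check_migration(years, twill=True):
    """(benefit reachable, dead ends): states where a willing person has no benefit and no move."""
    v0 = {"twill": twill, "years": years, "allowed": False, "benefit": False, "pi": 0}
    states = reachable([PERSON, SSB], ("idle", "listen"), v0)
    dead = sorted(locs for (locs, fv) in states if dict(fv)["twill"]
                  and not dict(fv)["benefit"] and not successors([PERSON, SSB], locs, dict(fv)))
    return any(dict(fv)["benefit"] for (_, fv) in states), dead
```

A dead end such as ("stuck", "listen") is the executable counterpart of the counterexample trace the paper obtains from SPIN: a person whose request is refused can neither obtain the benefit nor make any further move.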

IV. TRANSLATE RSL TO PROMELA

For model checking the RSL model of a policy with SPIN, we need to translate the RSL model into PROMELA. Although the aims of the two languages differ, it is possible to define some syntactic equivalences in order to make the translation possible.

A. Syntactic Translation

The types of variables. In the imperative RSL model, the definition of variables is similar to the one in PROMELA, but the types of variables may differ. The built-in types Bool, Int, Real and Char in RSL are translated to the types bool, int, real and byte in PROMELA respectively, and Nat in RSL can be translated to an enumerated type in PROMELA.

The definition of channels. A channel definition in the RSL model of the form channel id:type is translated to the form chan id = [0] of {type} in the PROMELA model, where type can be bool, int, byte or a user-defined data type declared with the keyword typedef. As RSL only models synchronous communication, the capacity of the channel after translation is zero.

The structure of the model. The specification of variables and channels in the RSL model is translated to the definition of global variables and channels in the PROMELA model. The specifications of the concurrent operations of objects are translated to process definitions in the PROMELA model. Therefore, the specification of the PM scheme in RSL corresponds to the definition of the initial (init) process, in which the global variables and channels are initialized. The specification of a class in the RSL model is translated to the definition of a structure and of processes in PROMELA: the name and variables of the class are translated to the name and fields of the structure; the specification of an operation of the object is translated to a process definition; and the channels, the parameter list and the local variables of the operation are translated to the local channels, parameter list and local variables of the process definition.

Imperative statements. RSL/CSP statements are used to specify the operations of objects in the PM model, and are translated to a subset of PROMELA which concentrates on the basic elements of PROMELA but skips several "advanced" concepts such as abstract data types and dynamic process creation. The translation rules from RSL/CSP statements to PROMELA statements are shown in Table I.

TABLE I. THE TRANSLATION RULES

    TYPE                    RSL/CSP                              PROMELA
    primitives              skip | stop                          skip | stop
    assignment              v := expr                            v = expr
    channel operation       v := c? | c!expr                     c?v | c!expr
    sequential composition  stmt1 ; stmt2                        stm1 ; stm2
    conditional choice      if expr then stmt1 else stmt2 end    if :: expr -> stm1 :: else -> stm2 fi
    iteration               while expr do stmt end               do :: expr -> stm :: else -> break od
    choice operators        stmt1 [] stmt2 | stmt1 [*] stmt2     if :: stm1 :: stm2 fi
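An added example, not the paper's translator: a small tree-walking translator in Python that applies the Table I statement rules and the Section IV.A type and channel rules. The tuple encoding of RSL/CSP statements and the PB-style fragment (a request followed by a wait loop) are assumptions of this example, not taken from the paper's figures.

```python
# Added example, not the paper's translator: the statement rules of Table I and
# the type/channel rules of Section IV.A applied to a small RSL/CSP statement
# tree. The tuple encoding of RSL statements and the sample PB-style fragment
# (a request followed by a wait loop) are my own construction.

RSL_TYPES = {"Bool": "bool", "Int": "int", "Real": "real", "Char": "byte"}

def translate_channel(name, rsl_type):
    """channel id:type -> chan id = [0] of { type }; capacity 0 because RSL only
    models synchronous communication (a user-defined typedef name is passed through)."""
    return f"chan {name} = [0] of {{ {RSL_TYPES.get(rsl_type, rsl_type)} }};"

def translate(stmt, depth=0):
    """Translate one RSL/CSP statement tuple to a list of PROMELA lines."""
    pad, kind = "  " * depth, stmt[0]
    if kind in ("skip", "stop"):             # primitives: Table I keeps both names
        return [pad + kind + ";"]
    if kind == "assign":                     # v := expr        ->  v = expr
        return [f"{pad}{stmt[1]} = {stmt[2]};"]
    if kind == "recv":                       # v := c?          ->  c ? v
        return [f"{pad}{stmt[2]} ? {stmt[1]};"]
    if kind == "send":                       # c!expr           ->  c ! expr
        return [f"{pad}{stmt[1]} ! {stmt[2]};"]
    if kind == "seq":                        # stmt1 ; stmt2    ->  stm1 ; stm2
        return translate(stmt[1], depth) + translate(stmt[2], depth)
    if kind == "if":                         # if e then s1 else s2 end
        return ([f"{pad}if", f"{pad}:: {stmt[1]} ->"] + translate(stmt[2], depth + 1)
                + [f"{pad}:: else ->"] + translate(stmt[3], depth + 1) + [f"{pad}fi;"])
    if kind == "while":                      # while e do s end ->  do :: e -> s :: else -> break od
        return ([f"{pad}do", f"{pad}:: {stmt[1]} ->"] + translate(stmt[2], depth + 1)
                + [f"{pad}:: else -> break", f"{pad}od;"])
    if kind == "choice":                     # s1 [] s2 or s1 [*] s2 -> if :: s1 :: s2 fi
        return ([f"{pad}if", f"{pad}::"] + translate(stmt[1], depth + 1)
                + [f"{pad}::"] + translate(stmt[2], depth + 1) + [f"{pad}fi;"])
    raise ValueError(f"no Table I rule for RSL statement kind {kind!r}")

# Constructed fragment in the style of the PB object: if the person wants to
# migrate, send the personal information and loop until the answer arrives.
PB_FRAGMENT = ("seq",
               ("if", "twill", ("send", "ssb", "pi"), ("skip",)),
               ("while", "!answered", ("recv", "answered", "ans")))

def promela_text(stmt):
    return "\n".join(translate(stmt))
```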

B. Semantic Equivalence

Our goal is to model the RSL specification in PROMELA and verify its LTL properties with SPIN. Therefore, we need to show that the properties which hold for the PROMELA model also hold for the original RSL model. For this purpose, we use semantic equivalence to establish the correctness of the translation. Reference [16] shows that the operational semantic of a PROMELA model consisting of the statements in Table I is also a channel system as in Definition 2. This paper defines the translation from RSL to PROMELA according to this semantic equivalence, which ensures the correctness of the translation. Furthermore, PROMELA statements have a process-algebraic semantic which is similar to that of CSP. The translation defined in this paper refers in part to the rules for translating RSL to CSP defined in [17]; the difference is that CSP is an applicative language whereas PROMELA is a more complex imperative language. Reference [17] shows that its translation is in fact a strong bisimulation which preserves properties such as traces and deadlock, and this conclusion also supports the correctness of the translation proposed in this paper.

V. A CASE STUDY

Taking the newly enacted law regarding the transfer continuity of basic endowment insurance (TCoBEI) [18] as an example, the paper analyzes the background and key points of the new policy and, based on RAISE and model checking, points out the interest game relation behind the policy. TCoBEI specifies the scope of its application and the handling of basic endowment insurance and individual accounts during the migration of an insured person. We formalize the policy TCoBEI according to the PM model and obtain the RSL model of the policy shown in Fig. 2. The class PI specifies the personal information such as name, age, type of work, payment radix and work status. The class PB specifies the process of migration: when the insured person wants to migrate (the Bool variable twill is true), the personal information is sent to the social insurance business class (SSB) to determine whether the transfer request is allowed, and the classes OUTPLACE and INTOPLACE calculate the amount of the fund in the original location and in the new location of the insured relationship respectively. In the class Migartion_policy, the property assertion is an LTL formula which asserts that if the migration request of the insured person is allowed, then the insured person will eventually enjoy the benefits. After modeling the policy TCoBEI in RSL, we automatically translate the RSL specification to the PROMELA model (shown in Fig. 3) for formal verification by SPIN; the verification results are shown in Fig. 4.


Figure 2. The RSL model of TCoBEI

Figure 3. The PROMELA model of TCoBEI

Figure 4. The results of verification


In Fig. 4, SPIN shows that the policy model violates the constraint of the property specified by the LTL formula and gives a counterexample. Analyzing the execution trace provided by the counterexample, we found a flaw in the policy: according to term VI of TCoBEI, insured persons can enjoy the benefits only after they have paid endowment insurance for ten years, which means that an insured person who is over fifty and has, for various reasons, paid endowment insurance for less than one year cannot enjoy the benefits of endowment insurance. They also cannot quit the endowment insurance according to the third term of TCoBEI; this embarrassing situation brings the insured person huge economic losses.

VI. CONCLUSIONS

This paper proposes an automated, tool-supported approach to analyze and verify policy. We take policy as the research object of domain engineering and use RSL to specify the policy model. In order to verify the correctness of the policy model, the RSL specification is translated to a PROMELA model according to predefined rules; finally, we successfully use the above method to find a defect in the endowment insurance policy. However, some elements of RSL cannot be translated by the predefined conversion process of our method; in future research we will study how to translate these elements formally. In addition, some policies may contain time or performance constraints; we will study how to model those policies with RSL and how to model check their correctness.

ACKNOWLEDGMENT

This work is sponsored by the National Natural Science Foundation of China under grant numbers 60873038 and 60903080, the Fundamental Research Funds for the Central Universities of China under grant number HEUCF100603, and the National Science & Technology Pillar Program under grant number 2009BAH42B02.

REFERENCES

[1] C. Lescher, "Global Requirements Engineering: Decision Support for Globally Distributed Projects," Proceedings of the 2009 Fourth IEEE International Conference on Global Software Engineering, 2009, pp. 277–280.
[2] I. G. Song, S. U. Jeon, and D. H. Bae, "A Graph Based Approach to Detecting Causes of Implied Scenarios under the Asynchronous and Synchronous Communication Styles," 2009 16th Asia-Pacific Software Engineering Conference, 2009, pp. 53–60.
[3] N. Debnath, L. Felice, G. Montejano, and D. Riesco, "A Feature Model of E-Government Systems Integrated with Formal Specifications," Fifth International Conference on Information Technology: New Generations, 2008, pp. 27–31.
[4] D. Bjørner, "Domain Engineering: A Software Engineering Discipline in Need of Research," Lecture Notes in Computer Science, vol. 1963, Springer-Verlag, November 2000, pp. 1–17.
[5] A. Daskalopulu, "Model Checking Contractual Protocols," in L. Breuker, R. Leenes, and R. Winkels, eds., Legal Knowledge and Information Systems, JURIX 2000, Frontiers in Artificial Intelligence and Applications 48, IOS Press, 2000, pp. 35–47.
[6] W. L. Griffin and R. T. Woodward, "Determining policy-efficient management strategies in fisheries using data envelopment analysis (DEA)," in press, corrected proof, 19 January 2011.
[7] S. Grafakos, A. Flamos, V. Oikonomou, and D. Zevgolis, "Multi-criteria analysis weighting methodology to incorporate stakeholders' preferences in energy and climate policy interactions," International Journal of Energy Sector Management, vol. 4, no. 3, 2010, pp. 434–461.
[8] C. George, A. Haxthausen, S. Hughes, R. Milne, S. Prehn, and J. Pedersen, The RAISE Development Method, BCS Practitioner Series, Prentice Hall, 1995.
[9] Q. Wang, Q. Wu, K. Li, and F. Yang, "An Object-Oriented Method for Domain Engineering," Journal of Software, vol. 13, no. 10, 2002, pp. 1977–1844.
[10] The RAISE Language Group, The RAISE Specification Language, BCS Practitioner Series, Prentice Hall, 1992.
[11] M. R. Nami and A. Malekpour, "Formal specification of a particular banking domain with RAISE specification language," IEEE Symposium on Computers and Communications (ISCC 2008), 2008, pp. 695–699.
[12] E. M. Clarke, O. Grumberg, and D. A. Peled, Model Checking, Cambridge, MA: MIT Press, 1999.
[13] L. McMillan, Symbolic Model Checking, Ph.D. thesis, Carnegie Mellon University, 1992.
[14] J. Holzmann, "The model checker SPIN," IEEE Transactions on Software Engineering, vol. 23, no. 5, 1997, pp. 279–295.
[15] A. Sutcliffe, "Scenario-Based Requirements Engineering," Proceedings of the 11th IEEE International Requirements Engineering Conference, Los Alamitos: IEEE Computer Society Press, 2003, pp. 320–329.
[16] C. Baier, J.-P. Katoen, and K. G. Larsen, Principles of Model Checking, The MIT Press, May 31, 2008.
[17] A. Parisaca Vargas, L. Tapia, and C. George, "A translation from RSL to CSP," 27th International Conference of the Chilean Computer Science Society (SCCC 2008), 2008, pp. 119–126.
[18] http://baike.baidu.com/view/3104112.htm