Guillaume Dupont

Guillaume Dupont, Jun Sun

Real-time systems require the careful handling of timing aspects in their models. For critical applications, this entails the use of time-aware formal methods. Currently, most of these formal methods express their semantics by reduction to timed automata or timed transition systems, and are associated with model-checking-based verification techniques. In this regard, they are intended to be used as a posteriori analysis methods, on systems that have already been developed. In contrast, methods such as Event-B have been designed to build systems incrementally using a correct-by-construction approach, but are not equipped with the ability to express timing aspects and constraints. We propose a non-intrusive, tool-supported embedding of time and clocks in Event-B inspired by the features and semantics of timed automata, that enables the design of complex real-time systems while benefiting from the entire ecosystem and tooling support of the method. Refinement is extended to also take time into account, making it possible to design complex systems gradually in a correct-by-construction manner while integrating timing aspects from the top level. The embedding and associated methodology are illustrated on a case study, showcasing both how timed Event-B models may be derived from timed automata, and also how the extended expressivity of first-order logic and set theory at the core of Event-B enables finer modelling.

Klaus-Dieter Schewe, Flavio Ferrarotti, Peter Rivière et al.

The verification of liveness conditions is an important aspect of state-based rigorous methods. This article addresses the extension of the logic of Event-B to a powerful logic, in which properties of traces of an Event-B machine can be expressed. However, all formulae of this logic are still interpreted over states of an Event-B machine rather than traces. The logic exploits that for an Event-B machine $M$ a state $S$ determines all traces of $M$ starting in $S$. We identify a fragment called TREBL of this logic, in which all liveness conditions of interest can be expressed, and define a set of sound derivation rules for the fragment. We further show relative completeness of these derivation rules in the sense that for every valid entailment of a formula $φ$ one can find a derivation, provided the machine $M$ is sufficiently refined. The decisive property is that certain variant terms must be definable in the refined machine. We show that such refinements always exist. Throughout the article several examples from the field of security are used to illustrate the theory.

Sadaf Mustafiz, Omar Hassane, Guillaume Dupont et al.

The Network Functions Virtualization (NFV) advent is making way for the rapid deployment of network services (NS) for telecoms. Automation of network service management is one of the main challenges currently faced by the NFV community. Explicitly defining a process for the design, deployment, and management of network services and automating it is therefore highly desirable and beneficial for NFV systems. The use of model-driven orchestration means has been advocated in this context. As part of this effort to support automated process execution, we propose a process enactment approach with NFV systems as the target application domain. Our process enactment approach is megamodel-based. An integrated process modelling and enactment environment, MAPLE, has been built into Papyrus for this purpose. Process modelling is carried out with UML activity diagrams. The enactment environment transforms the process model to a model transformation chain, and then orchestrates it with the use of megamodels. In this paper we present our approach and environment MAPLE, its recent extension with new features as well as application to an enriched case study consisting of NS design and onboarding process.

Guillaume Dupont, Jerry den Hartog, Sandro Etalle et al.

Modern vehicles are complex safety critical cyber physical systems, that are connected to the outside world, with all security implications that brings. To enhance vehicle security several network intrusion detection systems (NIDS) have been proposed for the CAN bus, the predominant type of in-vehicle network. The in-vehicle CAN bus, however, is a challenging place to do intrusion detection as messages provide very little information; interpreting them requires specific knowledge about the implementation that is not readily available. In this technical report we collect how existing solutions address this challenge by providing an organized inventory of various CAN NIDSs present in the literature, categorizing them based on what information they extract from the network and how they build their model.