Chapter 17

Assertions State Assertion – predicate intended to express that a descriptive or prescriptive property holds in an arbitrarily chose current state. Temporal Assertion – built from state assertions, temporal operators, logical connectives and quantifiers. Preceding state assertions should always hold in future states.

Temporal Operators Future Operators: Sooner or later Always Always until Past Operators: Some time in the past Has always been Always in the past since Always in the past back to Previous

Real-Time Temporal Constructs Relative time bounds: confines temporal distance immediately before / immediately after Example: always in the future up to deadline d; always back to at least _____

Real-Time Temporal Constructs Absolute time bounds: Uses clock function Clock must be defined Example: always in the future before clock time ct

Real-Time Temporal Constructs Variable-dependent time bounds: Bound by use of variables and clocks/relative bounds

Goal Specifications Achieve [TargetCondition] Cease [TargetCondition] Maintain [TargetCondition] Avoid [TargetCondition] Obstacles Anti-Goals

Specifying descriptive properties in the object model Initializations Domain properties and hypotheses Definitions

Specifying operationalizations in the operation model Domain pre- and post-conditions Required pre-and trigger conditions Required post-conditions Examples p. 595

Semantics: Pruning semantics and frame axioms pruning semantics – every state transition is allowed except those specifically forbidden (blacklist) generative semantics – every state transition is forbidden except the ones explicitly required by the specification (whitelist)

Chapter 18 Formal Reasoning for Specification Construction and Analysis

Checking Goal Refinements Using a theorem prover Formal refinement patterns – Exploring refinements – Hidden proofs – Realizability-driven patterns – First-order patterns

Checking Goal Refinements Using bounded SAT solvers 1. Ask the user to instantiate the formula to selected object instances (get a propositional formula) 2. Translate the result into the input format required by the selected SAT solver. 3. Ask the user to determine a maximal length to bound counterexample histories. 4. Run the SAT solver 5. Translate the output back to the level of abstraction of the graphical input model.

Deriving goal operationalizations Using bounded SAT solvers Formal operationalization patterns A catalog of operationalization patterns

Generating obstacles for risk analysis Regressing obstructions through domain properties p. 614 Using formal obstruction patterns

Generating anti-goals from security analysis Specifying security goals – Specification constructs on agent knowledge – Specification patterns for security goals – Identifying security goals and initial anti-goals 1. Instantiate security specification pattern and negate the instantiated specification 2. Check the converse of asset-related Achieve goals – Refining anti-goals

Formal Conflict Analysis Deriving boundary conditions for conflict – Regression-based derivation of boundary conditions – Formal divergence patterns

Formal Conflict Analysis Formal resolution of divergences – Avoid boundary conditions – Restore divergent goals – Anticipate conflict – Goal weakening

Formal Conflict Analysis Synthesizing behavior models for animation and model checking – Goal-driven model synthesis – Scenario-driven model synthesis Event-oriented state machines Scenarios and LTS (labeled transition system) LTS Synthesis using grammar induction Representing the input scenario collection as a PTA (prefix tree acceptor) (Figure 18.15)

Formal Conflict Analysis – Scenario-driven model synthesis through scenario questions asked by synthesizer Constraining generalization by prorogation of fluents through the PTA Constraining generalization by injecting goals and domain properties in the synthesis