Research overview

My research interests are in the field of model-based software development as well as quality assurence by validation and verification. In particular, my research is focussed on the integration of formal foundations and proof techniques into the model-driven software engineering and model-based testing techniques. This comprises work on the semantic foundation of specification and programming languages, the development of calculi for refinement and test-generation as well as the construction of correct tools in order to support these activities during design, verification and systematic test.

Particular application fields of these techniques have been models of security mechanisms and (more recently) operating systems.

Philosophically, I believe in Unity within Computer Science - we should strive for a few principles and tools to solve the problems ahead instead diving into a myriad of local techniques. On the other hand, I believe in the importance of experiments, case studies and prototypical tool implementations: Otherwise, we will never know when theoretical principles are really well-chosen. There are enough impressing theoretical stunts out there, nicely published, but without any value...

Ongoing research projects


  • The EU-Project EUROMILS (Use Firefox!) (Oct. 2012 - Sept. 2015 ). The projects cornerstone is MILS (Multiple Independent Levels of Security), a high-assurance security operating system that supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow. For the first time in Europe, EURO-MILS does a complete Common Criteria security evaluation of a MILS system to its highest levels of assurance, including formal verification engineering. Hardware dependencies are addressed from the beginning by prototype development on two hardware platforms in automotive and avionics.
  • The ANR-project Paral-ITP (Nov. 2011 - Apr. 2015) with the Project Partners are INRIA Roquencourt (Hugo Herbelin), INRIA Saclay (Bruno Barras) and U-PSud/LRI (B.Wolff, Project Leader).
    Interactive theorem proving is a technology of fundamental importance for mathematics and computer-science. It is based on expressive logical foundations and implemented in a highly-trustable way. Applications include huge mathematical proofs and semi-automated test-case generation procedures for complex software systems. Interactive development of larger and larger proofs increases the demand for computing power, which means explicit parallelism on current multi-core hardware.
    Both Coq and Isabelle have elaborated the prover architecture over the years, driven by the demands of sophisticated proof procedures, derived specification principles, large theory libraries etc. Despite this success, the operational model of interactive proof checking is largely limited by sequential ML evaluation and the sequential read-eval-print loop, as inherited from LCF.
    The proposed project intends to overcome the sequential model both for Coq and Isabelle, to make the resources of multi-core hardware available for even larger proof developments. Beyond traditional processing of proof scripts as sequence of proof commands, and batch-loading of theory modules, there is a large space of possibilities and challenges for pervasive parallelism. This affects many layers of each prover system: basic computational structures, inference kernel, tactical programming, proof command language, and interactive front-ends.

Past research projects

  • The HOL-TestGen-XT project (2009-2012) was accepted as part of the "Chair d'excellence" program of the University Paris-Sud. (See also the "official" project web page). The ultimate goal of this research proposal was to extend the realm of feasible state-spaces for HOL-TestGen system (see below) by several orders of magnitude - thus offering even more potential for industrial applications in realistic model-based test-scenarios. We suggest a combination of 5 techniques, namely SMT-solver integration for test-data selection, the use of new code-generators, the exploit of parallel execution of normal-form computations in multi-core architectures, domain-specific technologies.We engage in the development of a new GUI for HOL-TestGen in order to meet increasing demands for usability of model-based testing tools. We actively engaged in the PIDE project. Here is the final project report
  • I was initiator of the project MBT-SEC, funded by British-Telecom (2007-2010; see Project Page). The goal was to use Security policies as model-based specifications for system behaviour and to derive test-cases for them. Currently, the approach has been used to automatically generate test-cases from firewall policies; at present, we were investigating security policies for the core-componants (the "spine") of the patient data-management system for the British-Healthcare-System. I served as senior researcher and co-supervisor of Lukas Brügger (ETH Zürich). Budget 360000 CHF.
  • I was invited researcher in the FSE group (headed by Dr. Wolfram Schulte) at Microsoft Research, Redmond, USA. I investigated ways of an extension of the existing Boogie-Codeverification Tool for the programming language C with interactive proof techniques supported by Isabelle/HOL. With the new Isabelle/HOL backend of Boogie, I was able to prove some challenge problems that could not be proven automatically. I was able to integrate a verified C memory model into an automated prover used for the discharge of verification conditions generated from annotated C code. The system is used in the Verisoft/HyperVisor project (also funded by the BMBF). I partly continued this work as senior researcher within this project at the University of Saarbrücken. 2007 - 2008.
  • As leader of the project "Formal Testing Techniques" (ETH 17301), I developed (together with Achim Brucker) a test-case generation system (HOL-TestGen) which derives from formal specifications in higher-order logic (HOL) concrete test-drivers (in SML) performing black-box, grey-boy and sequence test. Our tool has been applied in quite substantial such as firewall-tests.(See also section "Talks/Tutorials".) 2004 - 2007.
  • As project leader of the "Modelling and Verification in UML/OCL" project (ETH 17305), I developed a formal semantics of the object-oriented specification modelling language UML/OCL and implemented it in Isabelle/HOL. This includes the development of first proof calculi and decision procedures for OCL. The overall goal of the project is to ge?nerate from class-diagrams annotated with OCL test cases for compo?nents and subsystems. As local project leader of the EU-IP TrustCoM (ETH13581), I developed (together with Jürgen Doser) a model-driven engineering approach for security in web-based services. 2005 - 2007.
  • I co-initiated the FSA-project (funded by the Deutsche Forschungsgemeinschaft (DFG)), where the modelling and verification of security architectures and their implementation via concrete security technologies in distributed Client-Server Software systems. As a contribution to the project, I developed a tool (HOL-Z, a conservative embedding of the Z-language in Isabelle/HOL together with special proof support for refinement proofs) and performed a substantial case study on it, namely CVS-Server. Recently, I used HOL-Z for an industrial verification case study in the field of applied computer security. 1999 - 2002

Tools

Currently, I am actively developping or maintaining the following tools stemmong from former projects. Sources, examples, documentation and specialized publication lists can be received from the corresponding tool web-sites:

Former, no longer supported sources can be found on the tool web-sites:

Work in Program Committees

  • International Conference of Testing Software and Systems (PC: 10, 12; PC-chair 11, Steering: >11).
  • Test and Proof (PC 10,12; PC-chair: 11).
  • OCL 2011 (PC 10, 11, 12).
  • THedu 2011 (PC 11)
  • FeVeOOS (PC 10 11)
  • International Conference on International Conference on Testing Software and Systems (PC 10).
  • Intl. Conference on Theorem Proving in Higher-Order Logics' (TPHOLs): (Co-Chair 03; PC-member 04-08)
  • International Conference on Testing of Communicating Systems and Formal Approaches to Testing of Software (TestCom-Fates): (PC 05 - 09)
  • International Conference on Test and Proof (TAP 2008): (PC 08, 09, 10, 12: PC Chair 11)
  • Formal Approaches to Testing and Runtime Verification (Co-Chair 06)
  • International Workshop on Formal Methods in Education and Teaching (FMET 08): (PC-member 08)
  • OCL Workshop at the UML/MoDELS Conferences: (PC-member 06, 08, 09)
  • User Interfaces for Theorem Provers (UITP) (PC-member 05, 06, 10)
  • GI-Fachgruppe "Formale Methoden und Software Engineering für Sichere Systeme" (FomSESS): (STC-member 02-08)

  • International Conference on Functional Programming (ICFP 2008): (Ref)
  • International Joint Conference on Automated Reasoning (IJCAR 2008): (Ref)
  • Journal STVR 2008: (Ref)
  • Conference of Automated Deduction (CADE 2007): (Ref)
  • Formal Methods Europe (FME 2000, 2002, 2005): (Ref)
  • 12th International Conference on Logic for Programming Artificial Intelligence?and Reasoning (LPAR 05): (Ref)
  • Foundations of Software Science and Computation Structures (FOSSACS 05: (Ref)
  • 2nd IEEE International Conference on Software Engineering and Formal Methods (SEFM 04): (Ref)
  • 3rd International Conference on Quality Software (QSIC 2003): (Ref)
  • Frontieres in Combining Systems (FroCoS 1998, 2000): (Ref)
  • ... and refereeing in numerous workshops.

Collaborations

  1. Project "MBTSEC" with ETH Zürich (Computer Security headed by David Basin) and British Telecom (contact: Dr. Paul Kearney). See above.
  2. Collaboration with the Verisoft-Project (Universität Saaarbrücken, Computer Architecture Group headed by Wolfgang Paul) on Verification and Test of Operating Systems.
  3. PIDE Task-Force with TU-München (Isabelle-Group headed by Tobias Nipkow) and University Tübingen, Germany, on future GUI designs for massive parallel formal development tools.

Phd (co)-supervisions

  • Abdou Felliachi (Uni Paris-Sud, started Sept. 2010)
  • Matthias Krieger (Uni Paris-Sud, started Sept. 2009)
  • Lukas Brügger (ETH Zürich, started Sept. 2007, finished June 2012). A Framework for Modelling and Testing of Security Policies.
  • Achim Brucker (ETH Zürich, finished Feb. 2007): An Interactive Proof Environment for Object-Oriented Specifications.
  • Thomas Meyer (Universität Bremen, finished 2005): A Framework for Formal Representation and Transformational Optimization of Executable Specifications.
  • Rimvydas Rukas (Abo Akademi University, Finland, 2004): Formal Development of Concurrent Components. (Role: External Referee).
  • Haykal Tej (Universität Bremen, finished 2003): CSP in Isabelle/HOL.
  • Kolyang (Universität Bremen, finished 1997): An Integrated Formal Support Environment for Z in Isabelle/HOL.