About: 516 publications, 45,068 reads
13,840 citations (since 2017)
Introduction
Additional affiliations
January 2009 - December 2011
January 2008 - December 2010
January 2006 - present
Publications (516)
In this paper, we present an algebraic approach to the precise and global verification and explanation of Rectifier Neural Networks, a subclass of Piece-wise Linear Neural Networks (PLNNs), i.e., networks that semantically represent piece-wise affine functions. Key to our approach is the symbolic execution of these networks that allows the construc...
In this paper, we present Forest GUMP (for Generalized, Unifying Merge Process) a tool for verification and precise explanation of Random forests. Besides pre/post-condition-based verification and equivalence checking, Forest GUMP also supports three concepts of explanation, the well-known model explanation and outcome explanation, as well as class...
TADS are a novel, concise white-box representation of neural networks. In this paper, we apply TADS to the problem of neural network verification, using them to generate either proofs or concise error characterizations for desirable neural network properties. In a case study, we consider the robustness of neural networks to adversarial attacks, i.e...
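The symbolic execution sketched in the abstracts above, as an added example that is neither the papers' code nor their tool: a toy two-layer ReLU network with constructed weights (two inputs, two hidden units, two logits) is split into one affine piece per activation pattern; the L∞ ball around a sample is intersected with each pattern's linear region by polygon clipping, which stands in for the papers' algebraic machinery and only works for two-dimensional inputs; and the logit margin is minimised at the polygon's vertices. The outcome is either a proof that the class is constant on the whole ball or an exact adversarial witness together with the activation pattern (linear region) it lies in. All weights, inputs and radii are constructed for illustration.

```python
import itertools

# Constructed toy network (hypothetical weights, not from the papers):
# 2 inputs -> 2 ReLU hidden units -> 2 logits. Class = argmax of the logits.
W1 = [[1.0, -1.0], [1.0, 1.0]]   # hidden pre-activation z_i = W1[i] . x + B1[i]
B1 = [0.0, -1.0]
W2 = [[1.0, 1.0], [-1.0, 0.5]]   # logit_k = W2[k] . relu(z) + B2[k]
B2 = [0.0, 0.5]
N_HIDDEN, N_CLASSES = 2, 2


def forward(x):
    """Concrete execution of the network on a 2-D input."""
    h = [max(0.0, W1[i][0] * x[0] + W1[i][1] * x[1] + B1[i]) for i in range(N_HIDDEN)]
    return [W2[k][0] * h[0] + W2[k][1] * h[1] + B2[k] for k in range(N_CLASSES)]


def affine_piece(pattern):
    """Symbolic execution for one activation pattern: on the region where exactly the
    hidden units flagged in `pattern` are active, the net is the affine map x -> A x + c."""
    A = [[sum(W2[k][i] * W1[i][j] for i in range(N_HIDDEN) if pattern[i])
          for j in range(2)] for k in range(N_CLASSES)]
    c = [sum(W2[k][i] * B1[i] for i in range(N_HIDDEN) if pattern[i]) + B2[k]
         for k in range(N_CLASSES)]
    return A, c


def clip(poly, a, b):
    """Sutherland-Hodgman: intersect a convex polygon (vertex list) with the
    closed half-plane a[0]*x + a[1]*y + b >= 0."""
    out = []
    for i in range(len(poly)):
        p, q = poly[i], poly[(i + 1) % len(poly)]
        fp = a[0] * p[0] + a[1] * p[1] + b
        fq = a[0] * q[0] + a[1] * q[1] + b
        if fp >= 0:
            out.append(p)
        if (fp >= 0) != (fq >= 0):          # edge crosses the boundary line
            t = fp / (fp - fq)
            out.append((p[0] + t * (q[0] - p[0]), p[1] + t * (q[1] - p[1])))
    return out


def verify_robust(x0, eps):
    """Exact L-inf robustness check: (True, None) if every x with |x - x0|_inf <= eps
    gets the class of x0, otherwise (False, witness) with a concrete adversarial point
    and the activation pattern (linear region) it lies in."""
    label = max(range(N_CLASSES), key=lambda k: forward(x0)[k])
    other = 1 - label
    box = [(x0[0] - eps, x0[1] - eps), (x0[0] + eps, x0[1] - eps),
           (x0[0] + eps, x0[1] + eps), (x0[0] - eps, x0[1] + eps)]
    for pattern in itertools.product((0, 1), repeat=N_HIDDEN):
        # Region of this pattern: z_i >= 0 for active units, z_i <= 0 for inactive ones
        poly = box
        for i in range(N_HIDDEN):
            s = 1.0 if pattern[i] else -1.0
            poly = clip(poly, (s * W1[i][0], s * W1[i][1]), s * B1[i])
            if not poly:
                break
        if not poly:
            continue                        # pattern unreachable from the ball: pruned
        A, c = affine_piece(pattern)

        # margin(x) = logit[label] - logit[other] is affine on this piece, so its
        # minimum over the clipped (convex) polygon is attained at a vertex.
        def margin(v):
            return ((A[label][0] - A[other][0]) * v[0]
                    + (A[label][1] - A[other][1]) * v[1]
                    + (c[label] - c[other]))

        v = min(poly, key=margin)
        if margin(v) <= 0:
            return False, {"pattern": pattern, "point": v, "logits": forward(v)}
    return True, None


if __name__ == "__main__":
    print(verify_robust((1.0, 0.0), 0.25))   # proof: class constant on the ball
    print(verify_robust((1.0, 0.0), 0.5))    # witness at the ball's corner (0.5, 0.5)
```

Because the margin is affine on every piece and each clipped region is convex, the vertex minimum is exact: the check neither misses a violation nor reports a spurious one, which is what distinguishes this global, symbolic approach from interval or abstract-domain bound propagation. The price is enumeration of activation patterns, exponential in the number of hidden units, so real verifiers prune unreachable patterns far more aggressively than the simple emptiness test used here.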
This article provides an introduction to the Dime Days, organized by Tiziana Margaria and Bernhard Steffen as part of ISoLA 2022. Dime is in active development since 2015 and from that time on, the tool has been applied successfully in educational contexts, international workshops and multiple industrial projects. Since then, the tool grew continuo...
In this paper, we illustrate the role of quality assurance in Language-Driven Engineering (LDE) which exploits the observation that the more specific a programming/modeling language is, the better it can be controlled. In fact, well-tailored domain-specific languages (DSLs) allow one to (1) syntactically express a number of semantic properties with...
In this paper, we present Cinco Cloud, a holistic web-based language engineering environment that seamlessly aligns the entire process from the meta modeling of domain-specific languages, via application modeling in corresponding integrated modeling environments, to the deployment of the final product through CI/CD pipelines using Git repository pl...
The field of machine learning focuses on computationally efficient, yet approximate algorithms. On the contrary, the field of formal methods focuses on mathematical rigor and provable correctness. Despite their superficial differences, both fields offer mutual benefit. Formal methods offer methods to verify and explain machine learning systems, aid...
Regarding documentation as anything that supports understanding, we present two test-first scenarios of executable documentation that involve and support different roles during program development through concrete data visualizations. The first is a teaching scenario. Within classical programming, different stages of executable documentation provid...
We present executable documentation as a natural continuation of a long-term trend of documentation/code alignment that started with self-documenting code in the seventies (choice of meaningful naming), followed by literate programming (documentation embedded in code) and the dual where documentation embeds code as provided by Jupyter notebooks in...
The article provides an introduction to the track Programming - What is Next?: The Role of Documentation, organized by Klaus Havelund and Bernhard Steffen as part of ISoLA 2022: the 11th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation. Software has to run on machines, but it also has to be understoo...
We present two formalisms for describing behaviors of procedural systems, i.e., systems that consist of multiple procedures that can mutually call each other. Systems of procedural transition systems (SPTSs) provide a fine-grained formalism for the step-wise semantics of reactive systems whereas the equally expressive systems of behavioral automata...
We present a unifying formalization of active automata learning algorithms in the MAT model, including a new, efficient, and simple technique for the analysis of counterexamples during learning: Lλ is the first active automata learning algorithm that does not add sub-strings of counterexamples to the underlying data structure for observations but i...
This paper presents our lifelong learning framework for continuous quality control. The framework integrates automata learning, model checking, and monitoring into a six-phase continuous improvement cycle which is designed to capture entire system life-cycles. The technical backbone of our framework is ALEX, an open source, web-based learning tool...
In this paper, we present Forest GUMP (for Generalized, Unifying Merge Process) a tool for providing tangible experience with three concepts of explanation. Besides the well-known model explanation and outcome explanation, Forest GUMP also supports class characterization, i.e., the precise characterization of all samples with the same classificatio...
This paper (1) summarizes the history of the RERS challenge for the analysis and verification of reactive systems, its profile and intentions, its relation to other competitions, and, in particular, its evolution due to the feedback of participants, and (2) presents the most recent development concerning the synthesis of hard benchmark problems. In...
In “Towards Explainability in Machine Learning: The Formal Methods Way,” we illustrated last year how Explainable AI can profit from formal methods in terms of its explainability. In fact, Explainable AI is a new branch of AI, directed to a finer granular understanding of how the fancy heuristics and experimental fine tuning of hyperparameters influ...
This paper proposes a simplicity-oriented approach and framework for language-to-language transformation of, in particular, graphical languages. Key to simplicity is the decomposition of the transformation specification into sub-rule systems that separately specify purpose-specific aspects. We illustrate this approach by employing a variation of Pl...
We discuss how to overcome the often fatal impact of violating integral quality constraints: seemingly successful (software) development projects turn into failures because of a mismatch with the business context. We investigate the similarities and differences between the today popular DevOps scenarios for aligning development and operations and t...
The paper provides an introduction to the track: “Programming - What is Next?”, organized by the authors as part of ISoLA 2021: the 9th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation. A total of 14 papers were presented in the track, with responses to the question: what are the trends in current mo...
Collaborative system development requires a three-dimensional alignment: in space, in time, and in mindset. Traditionally, different developers have their own, local development environments, each of which may change over time due to updates and other version changes. The third dimension concerns so-called semantic gaps, which we proposed...
We present Pyrus, a domain-specific online modeling environment for building graphical processes for data analysis, machine learning and artificial intelligence. Pyrus aims at bridging the gap between de facto (often Python-based) standards as established by the Jupyter platform, and the tradition to model data analysis workflows in a dataflow-driv...
In this paper, we illustrate the impact of simple Why questions as a means to reveal global aspects that may easily be forgotten during traditional requirement analysis. For illustration we use the introduction of the General Data Protection Regulations (GDPR), a prime example to observe that adequate solutions may require to think out of the box,...
We present an introduction to the usage of Rig, our Cinco product for the graphical modeling of CI/CD workflows. While CI/CD has become a de facto standard in modern software engineering (e.g. DevOps) and the benefits of its practice are without a doubt, developers are still facing inconvenient solutions. We will briefly outline the basic concept o...
We present an approach for efficient life-long learning of systems modeled in terms of our recently developed formalism of systems of procedural automata (SPAs). SPAs describe context-free/procedural systems in which entering and exiting procedures is observable. Key to the efficiency of our life-long learning approach is an SPA-based monitor that...
Random Forests are one of the most popular classifiers in machine learning. The larger they are, the more precise the outcome of their predictions. However, this comes at a cost: it is increasingly difficult to understand why a Random Forest made a specific choice, and its running time for classification grows linearly with the size (number of tree...
In this paper, we show how to automatically generate hard verification tasks in order to support events like the Model Checking Contest or the Rigorous Examination of Reactive Systems Challenge with tailored benchmark problems for analyzing the validity of linear-time properties in parallel systems. Characteristic of the generated benchmarks are tw...
This paper presents a compositional approach to active automata learning of Systems of Procedural Automata (SPAs), an extension of Deterministic Finite Automata (DFAs) to systems of DFAs that can mutually call each other. SPAs are of high practical relevance, as they allow one to efficiently learn intuitive recursive models of recursive programs af...
The use of low- and no-code modeling tools is today an established way in practice to give non-programmers an opportunity to master their digital challenges independently, using the means of model-driven software development. However, the existing tools are limited to a very small number of different domains such as mobile app development, which ca...
In this paper we position Linear Time Temporal Logic (LTL), structural operational semantics (SOS), and a graphical generalization of BNF as central DSLs for program analysis and verification tasks in order to illustrate the impact of language to the mindset: (1) Specifying program analyses in LTL changes the classical algorithmic ‘HOW’ thinking in...
This book constitutes contributions of the ISoLA 2021 associated events. Altogether, ISoLA 2021 comprises contributions from the proceedings originally foreseen for ISoLA 2020 collected in 4 volumes, LNCS 12476: Verification Principles, LNCS 12477: Engineering Principles, LNCS 12478: Applications, and LNCS 12479: Tools and Trends.
The contribution...
In this paper, we revisit the concept of never-stop learning, a combination of active automata learning and runtime monitoring. Published research focuses on regular systems and became practical with the development of the TTT algorithm and its redundancy-free approach of storing information. With the recent development of our active learning algor...
Reliability is a central concern of software system development. It can be approached in three ways, in a post-mortem fashion via verification of an unknown artefact, by construction applying correctness preserving steps, and via testing of the final product. In this paper, we introduce the nine contributions to the Festschrift dedicated to Bengt J...
This Festschrift, dedicated to Bengt Jonsson on the occasion of his 60th birthday, contains papers written by many of his friends and collaborators.
Bengt has made major contributions covering a wide range of topics including verification and learning. His works on verification, in finite state systems, learning, testing, probabilistic systems, tim...
Quantitative knowledge of intracellular fluxes in metabolic networks is invaluable for inferring metabolic system behavior and the design principles of biological systems. However, intracellular reaction rates can not often be calculated directly but have to be estimated; for instance, via 13C-based metabolic flux analysis, a model-based interpreta...
Collective adaptive systems whose entities are loosely coupled by their exchange of complex data structures became a very common architecture for distributed web-based systems. As HTTP-based APIs transfer data as plain text, this exchange is very error prone: API changes and malicious data modifications may remain unnoticed. GraphQL addresses this...
In this paper, we prove that Hennessy–Milner Logic (HML), despite its structural limitations, is sufficiently expressive to specify an initial property \(\varphi_0\) and a characteristic invariant \(\chi_I\) for an arbitrary finite-state process \(P\) such that \(\varphi_0 \wedge \mathbf{AG}(\chi_I)\) is a characteristic formula for \(P\). T...
Explainable AI is a new direction aiming at the maturation of a field that has experienced a boost in particular because of its fancy heuristics and corresponding breakthroughs in specific applications like the AlphaGo program for the game Go. In this context, the typical concept of "explanation" is still comparatively weak. For example, highlight...
We present an approach that provides automatic or semi-automatic support for evolution and change management in heterogeneous legacy landscapes where (1) legacy heterogeneous, possibly distributed platforms are integrated in a service oriented fashion, (2) the coordination of functionality is provided at the service level, through orchestration, (3...
Background: PCR primer design is an everyday, but not trivial task requiring state-of-the-art software. We describe the popular tool GeneFisher and explain its recent restructuring using workflow techniques. We apply a service-oriented approach to model and implement GeneFisher-P, a process-based version of the GeneFisher web application, as a part...
Background: With Bio-jETI, we introduce a service platform for interdisciplinary work on biological application domains and illustrate its use in a concrete application concerning statistical data processing in R and xcms for an LC/MS analysis of FAAH gene knockout. Methods: Bio-jETI uses the jABC environment for service-oriented modeling and desig...
The three-volume set LNCS 12476 - 12478 constitutes the refereed proceedings of the 9th International Symposium on Leveraging Applications of Formal Methods, ISoLA 2020, which was planned to take place during October 20–30, 2020, on Rhodes, Greece. The event itself was postponed to 2021 due to the COVID-19 pandemic.
The papers presented were carefu...
In this paper, we propose a new paradigm for program optimization which is based on aggressive aggregation, i.e., on a partial evaluation-based decomposition of acyclic program fragments into a pair of computationally optimal structures: an Algebraic Decision Diagram (ADD) to capture conditional branching and a parallel assignment that refers to an...
In the paper, we present the ADD-Lib, our efficient and easy to use framework for Algebraic Decision Diagrams (ADDs). The focus of the ADD-Lib is not so much on its efficient implementation of individual operations, which are taken by other established ADD frameworks, but its ease and flexibility, which arise at two levels: the level of individual...
Random Forests are one of the most popular classifiers in machine learning. The larger they are, the more precise is the outcome of their predictions. However, this comes at a cost: their running time for classification grows linearly with the number of trees, i.e. the size of the forest. In this paper, we propose a method to aggregate large Random...
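The aggregation of a whole forest into a single decision structure described in this abstract and the earlier one, and the class characterization offered by Forest GUMP, as an added example that is not taken from any of these papers or tools: a constructed three-tree forest over four boolean predicates is compiled into one reduced ordered decision diagram by exhaustive Shannon expansion over a fixed predicate order (a brute-force stand-in for the papers' partial-evaluation-based merge, exponential in the number of predicates and therefore only for illustration); redundant tests are dropped and identical subgraphs shared, classification then costs at most one test per predicate instead of one walk per tree, and the diagram's paths give a precise characterization of every input that receives a given class. The forest, predicates and names are all hypothetical.

```python
import itertools

# Constructed toy forest (hypothetical, not a trained model): each tree is either a
# class leaf (int) or a node (predicate_index, subtree_if_false, subtree_if_true)
# over four boolean predicates f0..f3 (threshold tests "x_j > t" work the same way).
FOREST = [
    (0, (1, 0, 1), (2, 1, 0)),   # f0 ? not f2 : f1
    (1, (3, 0, 1), 1),           # f1 or f3
    (2, 0, (0, 1, 1)),           # f2  (the inner test on f0 is redundant)
]
N_PREDS = 4


def eval_tree(tree, x):
    while not isinstance(tree, int):
        p, lo, hi = tree
        tree = hi if x[p] else lo
    return tree


def forest_vote(x):
    """Majority vote of the forest on input x (odd number of trees, so no ties)."""
    votes = [eval_tree(t, x) for t in FOREST]
    return int(2 * sum(votes) > len(votes))


def build_dd():
    """Compile the whole forest into one reduced ordered decision diagram over the
    predicate order f0 < f1 < ... by exhaustive Shannon expansion.  Returns the root
    and the unique table (one entry per distinct node).  Exponential in N_PREDS:
    a brute-force stand-in for an incremental merge, fine for a toy."""
    unique = {}

    def intern(node):                 # hash-consing: structurally equal nodes are shared
        return unique.setdefault(node, node)

    def rec(level, prefix):
        if level == N_PREDS:
            return intern(("leaf", forest_vote(prefix)))
        lo = rec(level + 1, prefix + (0,))
        hi = rec(level + 1, prefix + (1,))
        if lo is hi:                  # both branches agree: the test on f_level is redundant
            return lo
        return intern(("test", level, lo, hi))

    return rec(0, ()), unique


def eval_dd(node, x):
    """Classify with the diagram: at most one test per predicate, no per-tree work."""
    while node[0] == "test":
        node = node[3] if x[node[1]] else node[2]
    return node[1]


def characterize(node, cls, path=()):
    """Class characterization: every root-to-leaf path ending in `cls`, as a
    conjunction of literals (predicate, value).  Together the paths describe
    exactly the set of inputs the forest assigns to `cls`."""
    if node[0] == "leaf":
        return [path] if node[1] == cls else []
    _, p, lo, hi = node
    return (characterize(lo, cls, path + ((p, 0),))
            + characterize(hi, cls, path + ((p, 1),)))


def dd_matches_forest(root):
    """Equivalence check of diagram and forest over the whole input space."""
    return all(eval_dd(root, x) == forest_vote(x)
               for x in itertools.product((0, 1), repeat=N_PREDS))


if __name__ == "__main__":
    root, table = build_dd()
    print(len(table), "nodes; equivalent to the forest:", dd_matches_forest(root))
    for path in characterize(root, 1):
        print(" and ".join(f"{'' if v else 'not '}f{p}" for p, v in path))
```

On this toy the diagram has seven nodes, the redundant inner test of the third tree disappears, and the four paths to the class-1 leaf are a complete, disjoint description of the inputs classified as 1, which is the kind of global statement that cannot be read off the individual trees.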
Modal Meta Model Checking (M3C) is a method and tool supporting meta-level product lining and evolution that comprises both context-free system structure and modal refinement. The underlying Context-Free Modal Transition Systems (CFMTSs) can be regarded as loose specifications of meta models, and modal refinement as a way to increase the specificit...
Language design for simplifying programming, analysis/verification methods and tools for guaranteeing, for example, security and real-time constraints, and validation environments for increasing automation during quality assurance can all be regarded as means to factor out and generically solve specific concerns of the software development process...
In this paper, we present the paradigm of Language-Driven Engineering (LDE), which is characterized by its unique support for division of labour on the basis of Domain-Specific Languages (DSLs) targeting different stakeholders. LDE allows the involved stakeholders, including the application experts, to participate in the system development and evol...
In this paper, we propose a method to automatically generate arbitrarily complex benchmark problems for bisimulation checking. Technically, this method is a variant of an incremental generation approach for model checking benchmarks where given benchmark scenarios of controllable size are expanded to arbitrarily complex benchmark problems. This exp...
This paper covers the Rigorous Examination of Reactive Systems (RERS) Challenge 2019. For the first time in the history of RERS, the challenge features industrial tracks where benchmark programs that participants need to analyze are synthesized from real-world models. These new tracks comprise LTL, CTL, and Reachability properties. In addition, we...
We present Pyro, a framework for enabling domain-specific modeling via the internet. Provided with an adequate metamodel specification, Pyro turns your browser into a collaborative, domain-specific, graphical development environment with features reminiscent of desktop IDEs for textual programming languages. The required metamodeling is supported i...
Functional and technical cyber-resilience gain increasing relevance for the health and integrity of connected and interoperating systems. In this chapter we demonstrate the power and flexibility of extreme model-driven design to provide holistic security to security-agnostic applications. Using C-IME, our integrated modelling environment for C/C++,...
The paper considers domain-specific tool support as a means to turn descriptive into prescriptive models, and to blur the difference between models and programs, and even between developers and users. Conceptual underlying key is to view the system development as a decision process which increasingly constraints the range of possible system impleme...
In this paper we sketch a transformation-oriented framework for establishing system characteristics like model-checkability, learnability, or performance. Backbone of our framework is Cinco, our meta tooling suite for generating DSL-specific development environments on the basis of specifications in terms of metamodels. Cinco is used here to specif...
We present a tutorial introduction to the usage of Cinco, our framework for the generation of graphical development environments, highlighting two recent additions: the possibility to bringing any Cinco-based graphical modeling language into the web, and a graphical editor for meta modeling. All the discussed features are illustrated step by step a...
This paper presents a new technique for the generation of verification benchmarks that are automatically guaranteed to be hard, or as we say, to contain subtle bugs/property violations: (i) Identifying a bug requires to match many computation steps and (ii) corresponding counterexamples are sparse among all feasible executions. Key idea is to itera...
This paper is dedicated to the Rigorous Examination of Reactive Systems (RERS) Challenge 2018. We focus on changes and improvements compared to previous years. RERS again provided a large variety of verification benchmarks that foster the comparison of validation tools while featuring both sequential and parallel programs. In addition to reachabili...
Language-Driven Engineering (LDE) is a new paradigm that aims at involving stakeholders, including the application experts, in the system development and evolution process using dedicated domains-specific languages (DSLs) tailored to match the stakeholders' mindsets. The interplay between the involved DSLs is realized in a service-oriented fashion,...
Agility at the customer, user, and application level has proved to be a key to aligning and linking business and IT. This new cooperation between the customer and the contractor/developer reduces the need for complex and expensive specification documents, but it still happens mostly at the code level. Continuous Engineering can only take off if all...
Exponential organizations (S. Ismail, M. Malone, Y. van Geest (2014) Exponential Organizations: Why New Organizations are Ten Times Better, Faster, and Cheaper than Yours (and What to Do About It), Diversion Publishing, ISBN 978‐1626814233) are the most radical witnesses of simplicity‐based agile innovation, colorfully illustrating what we mean by...
M3C is a method and tool supporting meta-level product lining and evolution that comprises both context free system structure and modal refinement. The underlying Context-Free Modal Transition Systems can be regarded as loose specifications of meta models, and modal refinement as a way to increase the specificity of allowed DSLs by constraining the...
Predicate abstraction is only a facet of Susanne Graf’s work, but an important and characteristic one. Aiming for the essence without being disrupted by ‘syntactic sugar’ appears like a red thread in her career, and it explains also her current vision for a contract-based composition of viewpoints. This paper sketches her accompanying associated ke...
In this paper, we present the application of our active learning algorithm for Systems of Procedural Automata (SPAs) for inferring Document Type Definitions (DTDs) via testing of corresponding document validators. The point of this specification mining approach is to reveal unknown (lost or hidden) syntactic document constraints that are automatica...
Over the years, schedulability analysis of Cyber-Physical Systems (CPS) has mainly been performed by analytical methods. These techniques are known to be effective but limited to a few classes of scheduling policies. In a series of recent work, we have shown that schedulability analysis of CPS could be performed with a model-based approach and extensions of...
Any complex software system exhibits a tension between the technical perspective required for its realization and the user-level perspective. We term this the “how-what gap”, represented by the questions “how is a system implemented” vs. “what is its functionality/usage”. The normative, anticipated behavior of a software system as envisaged during...
Active automata learning is slowly becoming a standard tool in the toolbox of the software engineer. As systems become ever more complex and development becomes more distributed, inferred models of system behavior become an increasingly valuable asset for understanding and analyzing a system’s behavior. Five years ago (in 2011) we have surveyed the...
Automata learning is an established class of techniques for inferring automata models by observing how they respond to a sample of input words. Recently, approaches have been presented that extend these techniques to infer extended finite state machines (EFSMs) by dynamic black-box analysis. EFSMs model both data flow and control behavior, and thei...
Even with the help of powerful metamodeling frameworks, the development of domain-specific graphical modeling tools is usually a complex, repetitive, and tedious task, which introduces substantial upfront costs often prohibiting such approaches in practice. In order to reduce these costs, the presented Cinco meta tooling suite is designed to provid...
Foreword
The 20th International Conference on Human-Computer Interaction, HCI International 2018, was held in Las Vegas, NV, USA, during July 15–20, 2018. The event incorporated the 14 conferences/thematic areas listed on the following page. A total of 4,373 individuals from academia, research institutes, industry, and governmental agencies from 76...
The four-volume set LNCS 11244, 11245, 11246, and 11247 constitutes the refereed proceedings of the 8th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, ISoLA 2018, held in Limassol, Cyprus, in October/November 2018.
The papers presented were carefully reviewed and selected for inclusion in the pro...
Web applications define the interface to many of the businesses and services that we interact with and use on a daily basis. The technology stack enabling these applications is constantly changing and applications are accessed from a plethora of different devices. Automated testing of the behavior of applications is a promising strategy for reducin...
We propose a systematic approach to generate highly parallel benchmark systems with guaranteed temporal properties. Key to our approach is the iterative property-preserving parallel decomposition of an initial Modal Transition System, which is based on lightweight assumption commitment. Property preservation is guaranteed on the basis of Modal Cont...
RERS is an annual verification challenge that focuses on LTL and reachability properties of reactive systems. In 2017, RERS was extended to a one day workshop that in addition to the original challenge program also featured an invited talk about possible future developments. As a satellite of ISSTA and SPIN, the 2017 RERS Challenge itself increased...
In this paper we demonstrate the power and flexibility of extreme model-driven design using C-IME, our integrated modelling environment for C/C++ by showing how easily an application modelled in C-IME can be enhanced with hardware security features. In fact, our approach does not require any changes of the application model. Rather, C-IME provides...
This book constitutes the refereed proceedings of the 43rd International Conference on Current Trends in Theory and Practice of Computer Science, SOFSEM 2017, held in Limerick, Ireland, in January 2017.
The 34 papers presented in this volume were carefully reviewed and selected from 41 submissions. They were organized in topical sections named: fou...
In this paper, we discuss partition refinement as an algorithmic pattern for explicating semantic properties of a system directly in the corresponding model structure in a co-inductive fashion. In particular, we review a landscape of analysis and verification approaches under this unifying perspective, which enables us to highlight their mutual pro...