About
169 Publications
16,303 Reads
1,733 Citations
Introduction
Eerke Boiten currently works at the School of Computer Science and Informatics, De Montfort University. Eerke does research in Computer Security, Privacy and Formal Methods. One of his current projects is 'EMPHASIS: EconoMical, PsycHologicAl and Societal Impact of RanSomware'.
Additional affiliations
March 1995 - present
March 1993 - March 1995
July 2012 - present
Publications (169)
This paper presents a thematic analysis of an expert focus group considering smart toilets that record health data. The themes that arise indicate risks, many of which could be mitigated but currently are not, suggesting health benefits for the moment override other concerns only in specific application contexts.
Based on Article 35 of the EU (European Union) General Data Protection Regulation, a Data Protection Impact Assessment (DPIA) is necessary whenever there is a possibility of a high privacy and data protection risk to individuals caused by a new project under development. A similar process to DPIA had been previously known as Privacy Impact Assessme...
The simulation of a modern railway system on the cyber range will investigate the supple behavior of cyber-attacks in a modern digital railway system. The contemporary digital railway simulation architecture will focus on the railway's signaling system and the control command system, which is a classic SCADA system. With the introduction of IoT tec...
Most research into anti-phishing defence assumes that the mal-actor is attempting to harvest end-users' personally identifiable information or login credentials and, hence, focuses on detecting phishing websites. The defences for this type of attack are usually activated after the end-user clicks on a link, at which point the link is checked. This...
The use of unified communication: video conferencing, audio conferencing, and instant messaging has skyrocketed during the COVID-19 pandemic. However, security and privacy considerations have often been neglected. This article provides a comprehensive survey of security and privacy in Unified Communication (UC). We systematically analyze security a...
In recent years, data-enabled technologies have intensified the rate and scale at which organisations collect and analyse data. Data mining techniques are applied to realise the full potential of large-scale data analysis. These techniques are highly efficient in sifting through big data to extract hidden knowledge and assist evidence-based decisio...
Data mining techniques are highly efficient in sifting through big data to extract hidden knowledge and assist evidence-based decisions. However, it poses severe threats to individuals’ privacy because it can be exploited to allow inferences to be made on sensitive data. Researchers have proposed several privacy-preserving data mining techniques to...
Sharing Cyber Threat Intelligence (CTI) is advocated to get better defence against new sophisticated cyber-attacks. CTI may contain critical information about the victim infrastructure, existing vulnerabilities and business processes so sharing CTI may carry a risk. However, evaluating the risk of sharing CTI datasets is challenging due to the natu...
This article presents the cyber security progress in Greece since the creation of the Greek National Cyber Security Authority as a nationwide cybersecurity coordination and policy making unit. During this period, Greece issued a Ministerial Decree that established the National Cyber Security Authority, issued the National Cybersecurity strategy, tr...
As organisations are vulnerable to cyber attacks, their protection becomes a significant issue. Capability Maturity Models can enable organisations to benchmark current maturity levels against best practices. Although many maturity models have already been proposed in the literature, a need for models that integrate several regulations exists...
Much of what drove us in over twenty years of research in refinement, starting with Z in particular, was the desire to understand where refinement rules came from. The relational model of refinement provided a solid starting point which allowed the derivation of Z refinement rules. Not only did this explain and verify the existing rules—more import...
Data protection impact assessments (DPIAs) aim to identify, rank, and mitigate privacy risks. Even though DPIAs are legally mandated in some cases and privacy professionals perform DPIAs on a daily basis, facilitating the systematic measurement of privacy risks is an open problem. Research on privacy risk measurement often does not take into accoun...
The deployment of Connected Autonomous Vehicles (CAVs) in Vehicular Ad Hoc Networks (VANETs) requires secure wireless communication in order to ensure reliable connectivity and safety. However, this wireless communication is vulnerable to a variety of cyber attacks such as spoofing or jamming attacks. In this paper, we describe an Intrusion Detectio...
Sharing Cyber Threat Intelligence (CTI) is a key strategy for improving cyber defense, but there are risks of breaching regulations and laws regarding privacy. With regulations such as the General Data Protection Regulation (GDPR) that are designed to protect citizens' data privacy, the managers of CTI datasets need clear guidance on how and when i...
Privacy risk assessments aim to analyze and quantify the privacy risks associated with new systems. As such, they are critically important in ensuring that adequate privacy protections are built in. However, current methods to quantify privacy risk rely heavily on experienced analysts picking the “correct” risk level on e.g. a five-point scale. In...
One central distinction in formal methods is between those based on state, and those based on behaviour. In most applications it is essential or at least practical to have both. State based systems need behavioural elements in order to consider aspects of interaction with an environment, for example to record which changes of state are due to the s...
Chapter 9 introduced the general approach to relating process refinement and relational refinement by developing a relational framework general enough that we could embed some of the concurrent refinement relations into it. Chapter 10 built on this by looking in depth at the relationship between failures-divergences refinement and data refinement....
This chapter defines refinement in Z, and shows how it derives from the relational model in Chap. 4. It discusses the similarities and differences with refinement in B. The approach taken in a state-based specification language is very different in emphasis from that in a process algebra. Process algebras stress the interaction between independent...
In this chapter we consider two further state-based notations, specifically Event-B and the ASM notation. Both have similarities to Z and B, and indeed as the name suggests Event-B grew out of the B notation. Both offer more flexibility in their approach to refinement than Z and B – by adopting models closer to those in Chap. 3. One aspect of this...
In going from the relational semantics of CSMATs in Chap. 3 to the abstract data types of Chap. 4 we made a number of radical changes. We labelled individual transitions with the name of an operation, much as we had been doing in LTS and automata in Chaps. 1 and 2, and removed transitivity from the transition relation as we were now able to observe...
This chapter looks at these issues in process algebras. As a canonical example we look at CSP, but we also discuss CCS and LOTOS. The link to the semantics is made to Chap. 1 as well as elements of Chap. 5.
Chapter 9 discussed the general approach to relating process refinement and relational refinement by developing a relational framework general enough that we could embed some of the refinement relations we discussed in Chap. 1. This included a brief discussion of the simulation rules that arise in the context of failures refinement (see Sect. 9.3.3...
In Chap. 1 we introduced differing notions of refinement in the LTS setting - each one based upon a different notion of observation. In Chap. 2 we focused on simulations as a means to verify trace refinements in an Automata context, and we discussed both finite trace refinement as well as trace refinement in the presence of infinite traces. In Chap...
An alternative semantic model is that provided by automata, and here we explore how refinement is defined in that setting, introducing the idea of forward and backward simulations. This causes us to consider the role of infinite behaviour in more depth. We discuss completeness results, that is whether the use of simulations is sufficient to verify...
In the previous parts of the book, basic refinement relations were introduced semantically and for a variety of specification languages. This chapter starts the task of relating these different refinement relations by defining corresponding processes for ADT specifications, as well as process semantics for ADT specifications, and providing theorems...
On purpose we start with one of the simplest models of computation, that given by labeled transition systems. After introducing the reader to this simple set up we start to explore what refinement might mean, beginning with trace refinement, then adding in various notions such as refusals, so that each refinement relation we introduce is more discr...
Refinement is one of the cornerstones of a formal approach to software engineering. Refinement is all about turning an abstract description (of a soft or hardware system) into something closer to implementation. It provides that essential bridge between higher level requirements and an implementation of those requirements.
This book provides a com...
Incident information sharing is being encouraged and mandated as a way of improving overall cyber intelligence and defense, but its take up is slow. Organisations may well be justified in perceiving risks in sharing and disclosing cyber incident information, but they tend to express such worries in broad and vague terms. This paper presents a speci...
Privacy risk assessments aim to analyze and quantify the privacy risks associated with new systems. As such, they are critically important in ensuring that adequate privacy protections for individual users are built in. However, current methods to quantify privacy risk rely heavily on experienced analysts who pick the "correct" risk level on a five...
In order to frame discussions on data privacy in varied contexts, this paper introduces a categorisation of personal data along two dimensions. Each of the nine resulting categories offers a significantly different flavour of issues in data privacy. Some issues can also be perceived as a tension along a boundary between different categories.
The...
"Big data" has become a major area of research and associated funding, as well as a focus of utopian thinking. In the still growing research community, one of the favourite optimistic analogies for data processing is that of the oil refinery, extracting the essence out of the raw data. Pessimists look for their imagery to the other end of the petro...
We are proud to present the papers from the 17th Refinement Workshop, co-located with FM 2015 held in Oslo, Norway on June 22nd, 2015. Refinement is one of the cornerstones of a formal approach to software engineering: the process of developing a more detailed design or implementation from an abstract specification through a sequence of mathematica...
This paper takes an axiomatic and calculational view of diversity (or "N-version programming"), where multiple implementations of the same specification are executed in parallel to increase dependability. The central notion is "adjudication": once we have multiple, potentially different, outcomes, how do we come to a single result? Adjudication opera...
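The adjudication question raised in that abstract, as an added illustration (this is not code from the paper or the author): several versions of one specification are run on the same input and an adjudication operator reduces their outcomes to one result, or to no result when the versions do not agree. The two operators shown (strict majority and unanimity), the integer-square-root specification, and the three sample versions with their deliberate faults are all constructed for this example.

```python
import math
from collections import Counter
from typing import Callable, Hashable, Optional, Sequence, Tuple

Outcome = Tuple[str, Hashable]   # ("ok", value) or ("err", exception class name)
Version = Callable[[int], int]


def run_versions(versions: Sequence[Version], x: int) -> list:
    """Run every version on the same input. A version that raises is recorded
    as a distinct ("err", ...) outcome rather than dropped, so a crashed version
    still counts against the quorum instead of silently agreeing with the rest."""
    outcomes = []
    for version in versions:
        try:
            outcomes.append(("ok", version(x)))
        except Exception as exc:
            outcomes.append(("err", type(exc).__name__))
    return outcomes


def majority(outcomes: Sequence[Outcome]) -> Optional[Hashable]:
    """Strict-majority adjudication: a value is the result only if more than
    half of all versions (failures included in the denominator) produced it."""
    (outcome, count), = Counter(outcomes).most_common(1)
    tag, value = outcome
    if tag == "ok" and 2 * count > len(outcomes):
        return value
    return None  # no single result: the adjudicator must report disagreement


def unanimous(outcomes: Sequence[Outcome]) -> Optional[Hashable]:
    """Unanimity adjudication: any disagreement or any failure means no result."""
    values = {value for tag, value in outcomes if tag == "ok"}
    if len(values) == 1 and all(tag == "ok" for tag, _ in outcomes):
        return values.pop()
    return None


def adjudicate(versions: Sequence[Version], x: int, operator=majority) -> Optional[Hashable]:
    return operator(run_versions(versions, x))


# Constructed sample versions of one specification: the integer square root.

def isqrt_reference(x: int) -> int:
    return math.isqrt(x)


def isqrt_off_by_one(x: int) -> int:
    # Deliberate fault: '<' should be '<='; wrong exactly when x is a perfect square.
    r = 0
    while (r + 1) * (r + 1) < x:
        r += 1
    return r


def isqrt_narrow_domain(x: int) -> int:
    # Correct, but refuses inputs outside a narrow supported range (assumed bound).
    if x > 10 ** 6:
        raise OverflowError("input exceeds supported range")
    return math.isqrt(x)


VERSIONS = (isqrt_reference, isqrt_off_by_one, isqrt_narrow_domain)

if __name__ == "__main__":
    for x in (17, 16, 10 ** 7, 10 ** 8):
        print(x, run_versions(VERSIONS, x),
              "majority:", adjudicate(VERSIONS, x),
              "unanimous:", adjudicate(VERSIONS, x, unanimous))
```

On 17 all three versions agree; on 16 the off-by-one version is outvoted; on 10^7 the narrow-domain version fails but the remaining two still form a majority; on 10^8 one version fails and the other two disagree, so strict majority yields no result. That last case is the situation the abstract's question is about: the adjudication operator, not the individual versions, decides what the system reports when diversity does not converge.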
Physical means of securing information, such as sealed envelopes and scratch cards, can be used to achieve cryptographic objectives. Reasoning about this has so far been informal. We give a model of distinguishable sealed envelopes in Z, exploring design decisions and further analysis and development of such models.
The Internet has now become central to the way people live their lives – transforming businesses and providing new tools for everyday communication. It is estimated that around 80% of households in the UK had an Internet connection in 2012. Internet users are spending increasing amounts of time online, undertaking a greater range of online and so...
Refinement is one of the cornerstones of the formal approach to software engineering, and its use in various domains has led to research on new applications and generalisation. This book brings together this important research in one volume, with the addition of examples drawn from different application areas. It covers four main themes: • Data ref...
This chapter starts the discussion of formal notations that combine state-based modelling as in (Object-)Z, with the modelling of behaviour. Our particular choice for a behavioural notation is CSP, thus this chapter includes a short introduction to CSP first. Then we show how component specifications can be given in Object-Z, and then combined usin...
In this chapter we discuss a technique for structuring Z specifications known as promotion. The purpose of promotion is to provide an elegant way of composing specifications in order to build multiple indexed instances of a single component. To do so the component is described as a local state together with operations acting on that state, a global...
As formal development steps are concerned with changes of abstraction level, it is natural to also apply such changes to the inputs and outputs of a system. Indeed, many previous textbooks on Z and refinement had included subtle manipulations of inputs and outputs in refinement steps in their examples, without considering formal justifications. Thi...
This chapter explores the relationship between testing and refinement. In particular, it looks at how tests for a refinement can be derived from tests for the abstract system. We discuss both how to derive tests from a formal specification, and also how tests can be refined for use with an implementation. We also consider how concrete tests can be...
Chapter 4 translates the relational refinement rules for upward and downward simulation into rules for specifications consisting of Z schemas. Particular attention is given to the role of inputs and outputs in Z.
In this chapter, we formulate the theory of data refinement for Z. This is done systematically: a relational interpretation will be given...
This chapter starts the discussion of refinement in an object oriented setting. To do so it introduces the Object-Z specification language as a canonical example, focusing on the additional features in Object-Z and the differences between Z and Object-Z that impact on the theory of refinement in subsequent chapters.
The 16th BCS-FACS Refinement Workshop was co-located with iFM 2013 held in Turku, Finland on June 11th, 2013. This volume contains the 6 papers selected for presentation at the workshop following a peer review process. The papers cover a wide range of topics in the theory and application of refinement. Refinement is one of the cornerstones of a for...
Questions asked by research into ODP viewpoint consistency led to fundamental questions in refinement and contributed greatly to insights and interest in Integrated Formal Methods; research in those areas is still ongoing, while the answers provided remain largely unincorporated into model driven development.In this paper we survey some of the work...
Data refinement in a state-based language such as Z is defined using a relational model in terms of the behaviour of abstract programs. Downward and upward simulation conditions form a sound and jointly complete methodology to verify relational data refinements, which can be checked on an event-by-event basis rather than per trace. In models of con...
This paper reconsiders refinements which introduce actions on the concrete level which were not present at the abstract level. It considers a range of different basic refinement relations, covering the standard ones for formalisms like Event-B, Z, action systems, and CSP. It also describes a number of ways in which new operations may be introduced:...
Reynolds' abstraction theorem (Reynolds, J. C. (1983) Types, abstraction and parametric polymorphism, Inf. Process. 83(1), 513–523) shows how a typing judgement in System F can be translated into a relational statement (in second-order predicate ...
ASM refinements are verified using generalized forward simulations which allow us to refine m abstract operations to n concrete operations with arbitrary m and n. One main difference from data refinement is that ASM refinement considers infinite runs ...
This paper reconsiders refinements which introduce actions on the concrete level which were not present at the abstract level. It draws a distinction between concrete actions which are "perspicuous" at the abstract level, and changes of granularity of actions between different levels of abstraction. The main contribution of this paper is in explori...
Refinement is one of the cornerstones of a formal approach to software engineering: the process of developing a more detailed design or implementation from an abstract specification through a sequence of mathematically-based steps that maintain correctness with respect to the original specification. The aim of this BCS FACS Refinement Workshop, is...
Refinement is the notion of development between formal specifications. For specifications given in a relational formalism, downward and upward simulations are the standard method to verify that a refinement holds, their usefulness based upon their soundness and joint completeness. This is known to be true for total relational specifications and has bee...
In this paper we explore the "for large enough" quantifier, also known as "all but finitely many", which plays a central role in asymptotic reasoning, as used for example in complexity theory and cryptography. We investigate calculational properties of this quantifier, and show their application in reasoning about limits of functions.
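As an added illustration of the quantifier that abstract refers to (not notation taken from the paper, which is truncated here), the standard reading of "for large enough $n$" over the natural numbers, written $\forall^{\infty}$ below as an assumed notation, is

$$
\forall^{\infty} n.\; P(n) \;\equiv\; \exists N.\; \forall n \geq N.\; P(n),
$$

which over $\mathbb{N}$ coincides with "all but finitely many $n$ satisfy $P$". Two calculational properties follow directly from the definition: it distributes over conjunction, because the two witnesses $N_1, N_2$ can be combined as $\max(N_1, N_2)$,

$$
\forall^{\infty} n.\; (P(n) \wedge Q(n)) \;\equiv\; (\forall^{\infty} n.\; P(n)) \wedge (\forall^{\infty} n.\; Q(n)),
$$

and it sits strictly between the ordinary quantifiers,

$$
(\forall n.\; P(n)) \;\Rightarrow\; (\forall^{\infty} n.\; P(n)) \;\Rightarrow\; (\exists n.\; P(n)).
$$

The connection to limits is that the $\varepsilon$-$N$ definition is exactly this quantifier applied under an outer $\forall \varepsilon$:

$$
\lim_{n \to \infty} f(n) = L \;\equiv\; \forall \varepsilon > 0.\; \forall^{\infty} n.\; |f(n) - L| < \varepsilon .
$$

With the distribution law, for example, $\lim f = L$ and $\lim g = M$ give, for a fixed $\varepsilon$, a single "large enough" $N$ beyond which both $|f(n) - L| < \varepsilon/2$ and $|g(n) - M| < \varepsilon/2$ hold, which by the triangle inequality is the usual proof that $\lim (f + g) = L + M$; the quantifier packages the bookkeeping of the two witnesses. The same shape (a property required only for sufficiently large security parameter) is what makes the quantifier natural in asymptotic cryptographic definitions.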
Data refinement in a state-based language such as Z is defined using a relational model in terms of the behaviour of abstract programs. Downward and upward simulation conditions form a sound and jointly complete methodology to verify relational data refinements. In models of concurrency, refinement takes a number of different forms depending on the...
An integration of state-based and behavioural formalisms can be obtained by imposing a concurrency semantics on a relational formalism. The data refinement theory for relational languages then provides a method for verifying the concurrent refinement relation. In this paper we investigate how divergence can be modelled relationally, and in particul...
Two styles of description arise naturally in formal specification: state-based and behavioural. In state-based notations, a system is characterised by a collection of variables, and their values determine which actions may occur throughout a system history. Behavioural specifications describe the chronologies of actions—interactions between a syste...
Three Steps from the Ideal
Ideally correctness is by construction; post-hoc verification is second choice; verification of proofs is the next step down. In the application area of modern cryptographic protocol verification, the latter would be viewed as serious progress.
Modern Cryptographic Protocols and Security
A modern cryptographic protocol ma...
Data refinement in a state-based language such as Z is defined using a relational model in terms of the behaviour of abstract programs. Downward and upward simulation conditions form a sound and jointly complete methodology to verify relational data refinements. On the other hand, refinement in a process algebra takes a number of different forms de...
In this paper we explore the relation between refinement and reduction, especially as it is used in the context of cryptography. We show how refinement is a special case of reduction, and more interestingly, how reduction is an instance of a novel generalisation, “refinement with context”.
Data refinement in a state-based language such as Z is defined using a relational model in terms of the input-output behaviour of abstract programs. Downward and upward simulations form a sound and jointly complete methodology for verifying relational data refinements.Refinement in a concurrent context, for example, as found in a process semantics,...
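The downward and upward simulation conditions referred to in this abstract and in the similar ones above (the papers on relational data refinement, concurrent refinement and divergence), spelled out here as an added illustration rather than as text from any of those papers, in the simplest setting of total relations. Assume an abstract data type $(AState, AInit, \{AOp_i\}_{i \in I}, AFin)$ and a concrete one $(CState, CInit, \{COp_i\}_{i \in I}, CFin)$ over a common global state $G$, with $AInit \subseteq G \times AState$, $AOp_i \subseteq AState \times AState$, $AFin \subseteq AState \times G$, and likewise for the concrete type; $;$ is relational composition. A downward simulation is a retrieve relation $R \subseteq AState \times CState$ satisfying

$$
\begin{aligned}
CInit &\subseteq AInit \,;\, R \\
R \,;\, COp_i &\subseteq AOp_i \,;\, R \qquad \text{for every } i \in I \\
R \,;\, CFin &\subseteq AFin
\end{aligned}
$$

and an upward simulation is a relation $T \subseteq CState \times AState$ satisfying

$$
\begin{aligned}
CInit \,;\, T &\subseteq AInit \\
COp_i \,;\, T &\subseteq T \,;\, AOp_i \qquad \text{for every } i \in I \\
CFin &\subseteq T \,;\, AFin .
\end{aligned}
$$

Each set of conditions is checked once per operation, which is the "event-by-event basis rather than per trace" the abstracts mention. Soundness means that either kind of simulation implies data refinement, i.e. for every program $p = Init \,;\, Op_{i_1} \,;\, \cdots \,;\, Op_{i_n} \,;\, Fin$ the concrete program's relation over $G$ is contained in the abstract one, $CProg_p \subseteq AProg_p$; this follows by induction on the program from the inclusions above. Joint completeness means that every data refinement between such types can be verified by an upward simulation followed by a downward simulation, with a single simulation of one kind not being enough in general. When operations are partial (as in Z), the correctness condition is weakened to the domain of the abstract operation and an explicit applicability condition is added; the total-relation form above is the one the relational model starts from.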
We describe a method for combining formal program development with a disciplined and documented way of introducing realistic compromises, for example necessitated by resource bounds. Idealistic specifications are identified with the limits of sequences of more "realistic" specifications, and such sequences can then be refined in their entirety. Com...
In this work we study the unification of heterogeneous partial specifications using category theory. We propose an alternative to institution morphisms, which we call (abstract) correspondences carrying specifications. Our methodology is illustrated using a categorical specification style inspired by the state-and-operations style of Z as well as a...
Refinement in a concurrent context, as typified by a process algebra, takes a number of different forms depending on what is considered observable. Observations record, for example, which events a system is prepared to accept or refuse. Concurrent refinement relations include trace refinement, failures–divergences refinement, readiness refinement a...
In this paper we survey recent work on generalising refinement in a state-based setting. Such generalisations challenge a number of assumptions embedded in the standard formalisation of refinement in a language such as Z, and lead to simulation conditions that allow one to verify a refinement in a number of different contexts.
We describe a framework for viewpoint specification using formal specification languages. In order to establish consistency and to further develop specifications, specifications need to be integrated ("unified"). This integration is not defined in terms of their semantics, but more abstractly in terms of, so-called, development relations, which rep...
Refinement in a concurrent context, as typified by a process algebra, takes a number of different forms depending on what is considered observable, where observations record, for example, which events a system is prepared to accept or refuse. Examples of concurrent refinement relations include trace refinement, failures-divergences refinement and b...
This volume contains the Proceedings of the REFINE 2002 workshop. The Workshop was held in Copenhagen, Denmark on July 20 and 21, 2002, as a satellite event to FLoC'02 as an FME-affiliated workshop.Refinement is one of the cornerstones of a formal approach to software engineering. Refinement is the process of developing a more detailed design or im...