Joseph Roland Kiniry, PhD
Galois Inc.
About
78 Publications
11,972 Reads
2,284 Citations
Introduction
Dr. Kiniry has extensive experience in formal methods, high-assurance software and hardware engineering, foundations of computer science and mathematics, and information security. Specific areas that he has worked in include software and hardware verification foundations and tools, the RISC-V ISA, digital election systems and democracies, smart-cards, smart-phones, critical systems for nation states, and CAD systems for asynchronous hardware and creating new co-design/synthesis/assurance tools.
Additional affiliations
February 2010 - September 2012
January 2009 - present
January 2003 - December 2004
Publications (78)
The vast majority of basic research in formal methods takes place in halls of academia, yet the enormous amounts of applied use of formal methods quietly takes place in companies worldwide. So, while we will not avoid talking about research results and academic work, the main focus of this column is the evolution of the impact of formal methods in...
Low-cost containerized shipping requires high-quality stowage plans. Scalable stowage planning optimization algorithms have been developed recently. All of these algorithms, however, produce monolithic solutions that are hard for stowage coordinators to modify, which is necessary in practice owing to exceptions and operational disruptions. This art...
Existing commercial and open source e-voting systems have horrifically poor testing frameworks. Most tally systems, for example, are tested by re-running all past elections and seeing if the new system gives the same answer as an older, perhaps erroneous, system did. This amounts to a few dozen system tests and, typically, few-to-no unit tests. The...
With the omnipresent usage of APIs in software development, it has become important to analyse how the routines and functionalities of APIs are actually used. This information is in particular useful for API developers, to make decisions about future updates of the API. However, also for developers of static analysis and verification tools this inf...
Today, GUI plug-ins development is typically done in a very ad-hoc way, where developers dive directly into implementation. Without any prior analysis and design, plug-ins are often flaky, unreliable, difficult to maintain and extend with new functionality, and have inconsistent user interfaces. This paper addresses these problems by describing a r...
Formal specifications of standard libraries are necessary when statically verifying software that uses those libraries. Library specifications must be both correct, accurately reflecting library behavior, and useful, describing library behavior in sufficient detail to allow static verification of client programs. Specification and verification rese...
My contribution, described in this thesis, is a theory that is meant to assist in the construction of complex software systems. I propose a notion of structure that is independent of language, formalism, or problem domain. I call this new abstraction a kind, and its related formal system, kind theory. I define a type system that models the structur...
In recent years, several Grand Challenges (GCs) of computing have been identified and expounded upon by various professional organizations in the U.S. and England. These GCs are typically very difficult problems that will take many hundreds, or perhaps thousands, of man-years to solve. Researchers involved in identifying these problems are not go...
Providing useful feedback to students about both the functional correctness and the internal structure of their submissions is the most labor-intensive part of teaching programming courses. The former can be automated through test scripts and other similar mechanisms; however, the latter typically requires a detailed inspection of the submitted cod...
Vótáil is an open source Java implementation of Irish Proportional Representation by Single Transferable Vote (PR-STV). Its functional requirements, derived from Irish electoral law, are formally specified using the Business Object Notation (BON) and refined to a Java Modeling Language (JML) specification. Formal methods are used to verify and val...
Many modelling languages have both a textual and a graphical form. The relationship between these two forms ought to be clear and concrete, but is instead commonly underspecified, weak, and informal. Further, processes and tool support for modelling often do not treat both forms as first-class citizens, instead choosing to favour one as the "real"...
Design by Contract (DBC) is an oft-cited, but rarely followed, programming practice that focuses on writing formal specifications first, and writing program code that fulfills those specifications second. The development of static analysis tools over the past several years has made it possible to fully embrace DBC in Java systems by writing, type c...
Software engineering experts and textbooks insist that all of the artifacts related to a system, (e.g., its design, documentation, and implementation), must be kept in-sync. Unfortunately, in the real world, it is a very rare case that any two of these are kept consistent, let alone all three. In general, as an implementation changes, its source co...
Programmers often write custom parsers for the command line input of their programs. They do so, in part, because they believe that both their program's parameterization and their option formats are simple. But as the program evolves, so does the parameterization and the available options. Gradually, option parsing, data structure complexity, and m...
To avoid exponential explosion, program verifiers turn the program into a passive form before generating verification conditions. A little known fact is that the passive form makes it easy to use a strongest postcondition calculus to derive the verification condition. In the first part of this paper, the passivation phase is defined precisely enoug...
The use of formal methods can significantly improve software quality. However, many instructors and students consider formal methods to be too difficult, impractical, and esoteric for use in undergraduate classes. This paper describes a method, used successfully at several universities, that combines ninja stealth with the latest advances in formal...
ESC/Java2 is a tool for statically checking program specifications. It expands significantly upon ESC/Java, on which it is built. It is consistent with the definition of JML and of Java 1.4. It adds additional static checking to that in ESC/Java; most significantly, it adds support for checking frame conditions and annotations containing method cal...
Efficient handling of quantifiers is crucial for solving software verification problems. E-matching algorithms are used in satisfiability modulo theories solvers that handle quantified formulas through instantiation. Two novel, efficient algorithms for solving the E-matching problem are presented and compared to a well-known algorithm described in t...
Based upon our survey of the literature, software product lines is a fertile research field for the application of formal methods. Most computer scientists and software practitioners, including software product lines researchers, are not exploiting the powerful tools and techniques available in modern formal methods. This paper (i) summarizes the...
A major deliverable of the EU FP6 FET program MOBIUS project is the development of an Integrated Verification Environment (IVE)—the synthesis of a programming-centric Integrated Development Environment (IDE) with a proving-centric Interactive Theorem Prover (ITP). This IVE focuses on Java verification. Therefore, Eclipse was chosen as the IDE in wh...
A mechanically formalized feature modeling meta-model is presented. This theory is a generic higher-order formalization of a mathematical model synthesizing several feature modeling approaches found in the literature. This meta-model supports not only a better understanding of the various approaches to feature modeling, but also supports reasoning...
In this extended abstract we summarize our consulting work, scientific research, and activism in the topic of electronic (computer-based) voting. The Dutch and Irish government's activities are our particular focus, as is the Kiezen op Afstand (KOA) system, an experimental platform for electronic voting research with formal methods. We also reflect...
JML, the Java Modeling Language, is the lingua franca of researchers working on specification and verification techniques and tools for Java. There are over 23 research groups worldwide working on various aspects of the JML project. These groups have built a large suite of tools for automated checking and verification (see http://jmlapecs.org). Thi...
Activist computer scientists, including some of the authors of this paper, have been working against the adoption by governments of commercial, proprietary, insecure, poorly designed and implemented voting systems the world-over. And, while we mainly work to accomplish our goals by educating citizens and communicating with the press, we also must p...
Summary form only given. Static program checkers rely upon push-button automation to provide quality feedback to programmers ... programmers who are not typically well-versed in a tool's foundations. Thus, ensuring program correctness is as much about program safety as it is about programmer safety. Our tool, ESC/Java, has recently incorporated a n...
Usability is a key concern in the development of verification tools. In this paper, we present a usability extension for the verification tool ESC/Java2. This enhancement is not achieved through extensions to the underlying logic or calculi of ESC/Java2, but instead we focus on its human interface facets. User awareness of the soundness and comple...
Kiezen op Afstand (KOA) is a Free Software, remote voting system developed for the Dutch government in 2003/2004. In addition to being Open Source, key components have been, or are currently being formally specified and verified. These include a tally system and a modeling of the Irish electoral system. In this paper, we describe the formal techniq...
This note explores the use of UNITY-based theories to facilitate a cottage industry of software publishing. The requirements for such an industry are discussed, the appropriateness of UNITY specification and compositional theories for these requirements are analyzed, and further research opportunities in this area are identified. This work is based...
Exceptions are frequently a controversial language feature with both language designers and programmers. Exceptions are controversial because they complicate language semantics—and thus program design, testing, and verification—and some programmers find them annoying or difficult to use properly. By examining two programming languages that have ver...
Remote internet voting incorporates many of the core challenges of trusted global computing. In this paper, we present the Kiezen op Afstand (KOA) system. KOA is a Free Software, remote voting system developed for the Dutch government in 2003/2004. In addition to being Open Source, it is also partially formally specified and verified. This paper su...
Many state-based specification languages, including the Java Modeling Language (JML), contain at their core specification constructs familiar to most computer science and software engineering undergraduates: e.g., assertions, pre- and postconditions, and invariants. Unfortunately, these constructs are not sufficiently expressive to permit formal...
Automatic verification by means of extended static checking (ESC) has seen some success in industry and academia due to its lightweight and easy-to-use nature. Unfortunately, ESC comes at a cost: a host of logical and practical completeness and soundness issues. Interactive verification technology, on the other hand, is usually complete and s...
The Java Modeling Language (JML) can be used to specify the detailed design of Java classes and interfaces by adding annotations to Java source files. The aim of JML is to provide a specification language that is easy to use for Java programmers and that is supported by a wide range of tools for specification typechecking, runtime debugging, static...
The ESC/Java tool was a lauded advance in effective static checking of realistic Java programs, but has become out-of-date with respect to Java and the Java Modeling Language (JML). The ESC/Java2 project, whose progress is described in this paper, builds on the final release of ESC/Java from DEC/SRC in several ways. It parses all of JML, thus can b...
This abstract provides some background information about the electronic voting experiment that is planned in the Netherlands for the European Elections of 2004, and about our own involvement in the infrastructure for this experiment. The talk will elaborate further about the computer security issues involved, especially with respect to the use of f...
This paper describes the several user-interface features for interactive theorem provers. Many of these features mimic functionality that already exists, and have great utility, in modern interactive development environments (IDEs). A formal kind theoretic model of a user's context is also presented. This model is used to formally describe the stru...
Kind theory is a logic for describing and reasoning about structured knowledge in communities.
This report gives an overview of the sixth Workshop on Formal Techniques for Java-like Programs at ECOOP 2004. It explains the motivation for the workshop and summarises the presentations and discussions.
this document. The specification of the method largest is given on lines 7 through 15. Line 7 says that this is a public, normal behavior specification. JML permits several different specifications for a given method, which can be of different privacy levels [Ruby-Leavens00]. The modifier public says that the specification is intended for the use of...
This paper aims to raise the level of verification challenges by presenting a collection of sequential Java programs with correctness annotations formulated in JML. The emphasis lies more on the underlying semantical issues than on verification.
Kind theory is a logic for describing and reasoning about structured knowledge in communities. It provides a formal framework for describing, finding, customizing, composing, and reasoning about structured domains, such as those of software and mathematics. A wiki web-based asset repository called the "Jiki" has been created that provides a simple...
This paper describes the main opportunities and challenges that we see for introducing more rigorous software engineering practices, particularly those centered on specification and validation, in industrial practice. Our perspective derives from our ongoing work on formal specification and verification of Java programs.
A major part of debugging, testing, and analyzing a complex software system is understanding what is happening within the system at run-time. Some developers advocate running within a debugger to better understand the system at this level. Others embed logging statements, even in the form of hard-coded calls to print functions, throughout the code....
Semantic properties are domain-specific specification constructs used to augment an existing language with richer semantics. These properties are taken advantage of in system analysis, design, implementation, testing, and maintenance through the use of documentation and source-code transformation tools. Semantic properties are themselves specified...
Building complex software systems necessitates the use of component-based architectures. In theory, of the set of components needed for a design, only some small portion of them are "custom"; the rest are reused or refactored existing pieces of software. Unfortunately, this is an idealized situation. Just because two components should work together...
JJ is a programming language and environment designed for learning Java.
Modern computing systems are terribly complicated - so complex that most system designers and developers can only hope to understand their small piece of the larger project. The primary technologies that help system builders manage this complexity are object-oriented and/or component-centric, and the primary tools are those that assist in system mo...
Our primary research goal is the development of theories and technology to facilitate the design, implementation, and management of complex systems. Complex systems, in this context, are any systems which exhibit "interesting" behavior including, but not limited to, nondeterminism, collective or emergent behavior, and adaptability. We can claim to...
The Kind Description Language (KDL) is a language used for describing the interface and behavior of software components. KDL is an extension of the Object Management Group's Object Constraint Language (OCL). While OCL is only able to describe safety properties of a component and its features, KDL can also describe progress properties with tempor...
IDebug, the Infospheres debugging framework, is an advanced debugging framework for Java. This framework provides the standard core debugging and specification constructs such as assertions, debug levels and categories, stack traces, and specialized exceptions. Debugging functionality can be fine-tuned to a per-thread and/or a per-class basis, debu...
The Java Pre-Processor, or JPP for short, is a parsing pre-processor for the Java programming language. Unlike its namesake (the C/C++ Pre-Processor, cpp), JPP provides functionality above and beyond simple textual substitution. JPP's capabilities include code beautification, code standard conformance checking, class and interface specification and...
Component Description Language (CDL) is a language used for describing the interface and behavior of software components. CDL is an extension of the Object Management Group's Object Constraint Language (OCL). While OCL is only able to describe safety properties of a component and its features, CDL can also describe progress properties with tempo...
This paper presents a four-faceted framework for distributed applications that use worldwide networks connecting large numbers of people, software tools, monitoring instruments, and control devices. We describe a class of applications, identify requirements for a framework that supports these applications, and propose a design fulfilling those requ...
Cable television networks offer access rates from 56 Kbps up to 10 Mbps to residential Internet users. With viable solutions now available for ingress noise - the major technical obstacle that has prevented the deployment of CATV systems - network providers are moving to solve remaining issues in the areas of security, service, and reliability and...
The global telecommunications and networking backbone contains millions of kilometers of fiber-optic cabling, but we use only one ten-thousandth of the potential bandwidth of those cables. One reason is that a single converter from electrical to optical signals can only make use of a small amount of the optical spectrum, limiting the achievable ban...
We identify the mechanisms needed to construct archivable webs of distributed asynchronous collaborations and experiments. The distinguishing feature of our approach is that the component tools, software, data, and even participants are distributed over a worldwide network. We perform a requirements analysis of an infrastructure that supports such...
What are the benefits and drawbacks of current Java mobile agent systems? The authors installed and evaluated three leading systems available for download from the Web: General Magic's Odyssey, IBM's Aglets, and ObjectSpace's Voyager, and looked at issues such as ease of installation, feature set, documentation, and cost. We also discuss new capabil...
Firefighting evolving, open systems' failures is rather old school. Rather than hand-patching failures, as is done today, these systems should self-repair. We provide a formal foundation for self-healing in evolving, open systems. The focus of our reasoning is dynamically composed open systems that experience partial failure. We talk about compo...
This paper answers the question of what kind and how much testing is necessary to have confidence in the correctness of an arbitrary piece of software via a rigorous analysis of a given algorithm with a complex data structure. For example, in preference voting schemes, many different choices are ranked in order of preference on a ballot. In typica...
Typescript. Thesis (Honors paper)--Florida State University, . Includes bibliographical references.