Publications (79)
European Rail Traffic Management System (ERTMS) is a standard for the train control and signalling system whose application is spreading throughout Europe. The ETCS (European Train Control System) level 3 is attracting experts because it is still in the design phase. Many works provide formal models for the verification of ERTMS/ETCS using form...
The development of complex software systems as done today generates countless security vulnerabilities that are difficult to detect. In this context, several research works have adopted the Model Driven Security (MDS) approach, which investigates software models rather than implementations. However, although these works provide useful techniques for...
Visual animation of formal specifications is useful for validation because it facilitates in an explicit illustrative way to show that the specifications satisfy the user's perception of requirements. The technique is especially useful for domain experts who would not be expected to understand formal specifications. However, in most tools, the deve...
The ParTraP language has been designed to express temporal and timed properties on finite execution traces of parametric events. It aims to ease properties' expression for users not experienced in formal methods. In this paper, we propose an approach that allows generating trace examples and counter-examples in an understandable fashion in order to...
Model-driven engineering (MDE) promotes the use of models throughout the software development cycle in order to increase abstraction and reduce software complexity. It favors the definition of domain-specific modeling languages (DSMLs) thanks to frameworks dedicated to meta-modeling and code generation like EMF (Eclipse Modeling Framework). The sta...
In order to assist domain experts, several tools exist for the definition of graphical or textual domain specific modeling languages (DSMLs). The resulting models are useful, but not sufficient, for an overall understanding of the system, especially when formal methods are being applied. Indeed, formal methods failures often result from misundersta...
We present ParTraP and its associated toolset, supporting a lightweight approach to formal methods. In critical systems, such as medical systems, it is often easy to enhance the code with tracing information. ParTraP is an expressive language that allows to express properties over traces of parametric events. It is designed to ease the understandin...
This article proposes a temporal and parametric specification language (PARTRAP) developed for the verification of execution traces. The language extends specification patterns with nested scopes, real-time and first-order quantification over the data inside a JSON trace, while remaining pragmatic. Its design was directed by a case study in the med...
The verification of software intensive medical devices can largely benefit from the analysis of their execution traces. Trace points can easily be added to the software, and traces can be used at several stages of the development and maintenance process. In this paper we focus on the TKA system and identify 15 representative properties that should...
The evolution of organizations and their information systems towards more openness raises the challenge of their security. The definition of an access control policy is a major activity in the design of an Information System. This paper proposes an approach for the specification of security policies, based on the RBAC model, at the workflow level....
Several approaches dedicated to model access control policies (e.g. MDA-Security, SecureUML, UMLSec, etc.) have used the Model Driven Engineering paradigm in order to ensure a clear separation of business rules and constraints specific to a target technology. Their supporting techniques mainly focus on modeling and verification of security rules wi...
The European Rail Traffic Management System (ERTMS) is a railway control/command and signalling standard that implements European railway operating rules. This standard aims to harmonise signalling and to ensure interoperability across Europe by means of standard specification documents. The quest...
The evolution of organisations and their information systems towards more openness raises the challenge of their security. The definition of an access control policy is a major activity in the design of an Information System. This paper proposes an approach for the specification of security policies, based on the RBAC model, at the workflow level....
The early detection of potential threats during the modelling phase of a Secure Information System is required because it favours the design of a robust access control policy and the prevention of malicious behaviours during the system execution. This paper deals with internal attacks which can be made by people inside the organization. Such atta...
The European Rail Traffic Management System (ERTMS) is a complex railway control/command and signalling system that implements European railway operating rules. This article proposes a case study based on two scenarios taken from these rules,...
The B method is a formal specification method and a means of formal verification and validation of safety-critical systems such as railway systems. In this short paper, we use the B4MSecure tool to transform the UML models, fulfilling requirements of European Railway Traffic Management System (ERTMS) operating rules, into B specifications in order...
Designing a security policy for an information system (IS) is a non-trivial task. Variants of the RBAC model can be used to express such policies as access-control rules associated to constraints. In this paper, we advocate that currently available tools do not take sufficiently into account the functional description of the application and its imp...
http://membres-liglab.imag.fr/idani/AFADL2012/programme.html
This paper describes the Tobias tool. Tobias is a combinatorial test generator which unfolds a test pattern provided by the test engineer, and performs various combinations and repetitions of test parameters and methods. Tobias is available on-line at tobias.liglab.fr. This website features recent improvements of the tool including a new input lan...
We present a new formal validation method for healthcare security policies in the form of feedback-based queries to ensure an answer to the question of Who is accessing What in Electronic Health Records. To this end, we consider Role-based Access Control (RBAC) that offers the flexibility to specify the users, roles, permissions, actions, and the o...
http://tsi.revuesonline.com/article.jsp?articleId=17760
Combination of formal and semi-formal methods is more and more required to produce specifications that can be, on the one hand, understood and thus validated by both designers and users and, on the other hand, precise enough to be verified by formal methods. This motivates our aim to use these complementary paradigms in order to deal with security...
This paper is aimed at formally specifying and validating security-design models of an information system. It combines graphical languages and formal methods, integrating specification languages such as UML and an extension, SecureUML, with the Z language. The modeled system addresses both functional and security requirements of a given application...
This paper evaluates the security specification techniques that employ Role Based Access Control (RBAC) variants. RBAC offers a special kind of access control mechanism based on the use of roles to grant permissions. Its variants include role hierarchy and separation of duty (SoD) constraints. The overall management of a RBAC supported system is ma...
Designing a security policy for an information system (IS) is a non-trivial task. Variants of the RBAC model can be used to express such policies as access-control rules associated to constraints. In this paper, we advocate that currently available tools do not take sufficiently into account the functional description of the application and its imp...
Designing a security policy for an information system is a non-trivial task. In this paper, we consider the design of a security policy based on a variant of the RBAC model, close to SecureUML. This variant includes constraints for the separation of duty, as well as contextual constraints. Contextual constraints use information about the state of t...
This paper presents the KAOS2RBAC approach for Security Requirements Engineering. Starting from functional requirements, linked to a data model, the approach first identifies high level security goals. It then refines these security goals into security requirements linked to the functional model. Finally, these security requirements lead to the des...
Testing and verification are two activities which have the same objective: to ensure software dependability. In the Java context, the Java Modelling Language (JML) has been proposed as specification language. It can be used both for verification and test. Usually, the JML specification is designed with a specific purpose: test or verification. This...
The Home Automation System (HAS) is a service-oriented application that facilitates the automation of a private home to improve the comfort and security of its residents. HAS is implemented using a service-oriented architecture. Many of the services in the HAS dynamically change their configuration during run-time. This occurs due to change in avai...
One of the main objectives of software engineering is to develop well-structured and reliable systems. This explains the variety of approaches for integrating formal and semi-formal methods; especially those which produce B specifications from UML models. In this work, we try to unify these approaches in order to be able, on the one hand, to combin...
The EDEMOI project aims to model airport security. Its approach involves producing graphical models (a set of UML diagrams) intended to be validated by domain experts, and formal models intended to be verified. To ensure the correspondence between what is validated and what is verified, it...
Combinatorial testing consists in generating (possibly large) test suites by combining both the sequencing of several operations, and the selection of test data. The TOBIAS tool is based on this generation technique. The combinatorial part of the approach makes both its strength and its weakness. Indeed, the more tests are produced, the more confid...
This paper briefly describes the second version of the Tobias combinatorial test generator. This version improves the architecture of the tool to include filtering and test selection mechanisms. These mechanisms, associated with an efficient implementation, allow to generate and filter test suites of up to 1 million test cases.
Formal methods are nowadays one of the most rigorous ways to develop software and model systems. But their notations are complex which prevents their adoption. In fact, formal models remain difficult to read when they are not well documented. In a previous work we proposed a reverse-engineering framework which allows to graphically document B speci...
This paper studies the complementarity of test and deductive proof processes for Java programs specified in JML (Java Modeling Language). The proof of a program may be long and difficult, especially when automatic provers give up. When a theorem is not automatically proved, there are two possibilities: either the theorem is correct and there are no...
We propose in this paper a way to measure the coverage of a Java test suite by considering the JML specification associated to the Java program under test. This approach is based on extracting a predicate-based graph from the JML method specifications. We then measure the coverage of this latter w.r.t. nodes of the graph that are visited by the test...
This paper addresses the graphical representation of static aspects of B specifications, using UML class diagrams. These diagrams can help understand the specification for stakeholders who are not familiar with the B method, such as customers or certification authorities. The paper first discusses some rules for a preliminary derivation of a class...
The security of civil aviation, like many human activities, is regulated by a series of international standards and recommended practices. The quality of these documents is a prerequisite to reach an acceptable security level. The EDEMOI project aims at investigating different techniques to analyse these standards. The techniques that we have used,...
Tobias is a combinatorial testing tool that was used successfully on several case studies. Currently, the evolution of the tool goes through a significant redevelopment effort. A first step is the production of an executable specification of the Tobias Test Generator. The goal of this specification effort is to provide a synthetic and precise descri...
interpretations of user requirements because of the lack of a precise semantical basis. Formal methods are nowadays the most rigorous way to produce software. However, the existing formal notations are not easy to use and understand for most people. Our approach proposes to circumvent this shortcoming by producing complementary graphical views on t...
This paper addresses the graphical representation of the behaviour of B specifications, using state transition diagrams. These diagrams can help understand the specification for stakeholders who are not familiar with the B method, such as customers or certification authorities. The paper first discusses the principles of the graphical representatio...
The security of civil aviation is regulated by a series of international standards and recommended practices. The EDEMOI project aims at investigating different techniques to analyse these standards. In this paper, we address two automated analysis techniques. First state-transition diagrams are extracted to visualize the nominal behavior of the...
Although formal methods provide excellent techniques for the precise description of systems, understanding these descriptions is often restricted to experts. This paper investigates a practical solution to assist the understanding of a formal specification, written in B, by providing a complementary view of the specification as UML class diagram. O...
Multimodal interactive systems offer a flexibility of interaction that increases their complexity. ICARE is a component-based approach to specify and develop multimodal interfaces using a fusion mechanism in a modality independent way. ICARE being reused to produce several multimodal applications, we want to ensure the correctness of its fusion...
TOBIAS is a combinatorial testing tool, aimed at the production of large test suites. In this paper, TOBIAS is applied to conformance tests for model-based specifications (expressed with assertions, pre and post-conditions) and associated implementations. The tool takes advantage of the executable character of VDM or JML assertions which provide an...
Nowadays, test cases may correspond to elaborate programs. It is therefore sensible to try to specify test cases in order to get a more abstract view of these. This paper explores the notion of test purpose as a way to specify a set of test cases. It shows how test purposes are exploited today by several tools that automate the generation of test c...
This paper presents an approach and a tool to increase specification quality by using a combination of UML and formal languages. Our approach is based on the expression of the UML class diagram and its annotations into a Z formal specification. Our tool called RoZ supports this approach by making the transition between the UML world and the Z world...
A model-based formal specification of the steam boiler problem is presented, using VDM-SL. The development of the specification follows an environment-based approach. First, the physical boiler is specified, then its interface with the control system and finally, the control system itself. The integrations of the interface and of the controller in...