B Formal Validation of ERTMS/ETCS Railway Operating Rules

Rahma Ben Ayed, Simon Collart-Dutilleul, Philippe Bon, Akram Idani, Yves Ledru

To cite this version:
Rahma Ben Ayed, Simon Collart-Dutilleul, Philippe Bon, Akram Idani, Yves Ledru. B Formal Validation of ERTMS/ETCS Railway Operating Rules. 4th International ABZ Conference, Jun 2014, France. p124-129, 2014. <hal-01066368>

HAL Id: hal-01066368
https://hal.archives-ouvertes.fr/hal-01066368
Submitted on 19 Sep 2014
Rahma Ben Ayed (1), Simon Collart-Dutilleul (1), Philippe Bon (1), Akram Idani (2), and Yves Ledru (2)

(1) Univ. Nord de France, IFSTTAR/COSYS-ESTAS, 20 rue Elisée Reclus, F-59650, Villeneuve d'Ascq, France
{rahma.ben-ayed,simon.collart-dutilleul,philippe.bon}@ifsttar.fr
http://www.ifsttar.fr

(2) UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble 2/CNRS, LIG UMR 5217, F-38041, Grenoble, France
{akram.idani,yves.ledru}@imag.fr
http://www.liglab.fr
Abstract. The B method is a formal specification method and a means of formal verification and validation of safety-critical systems such as railway systems. In this short paper, we use the B4MSecure tool to transform the UML models, fulfilling requirements of European Railway Traffic Management System (ERTMS) operating rules, into B specifications in order to formally validate them.

Keywords: Railway operating rules, UML models, Role Based Access Control, B method, formal validation.
1 Introduction

ERTMS [6] is the European Railway Traffic Management System which is designed to replace the national on-board railway systems in Europe in order to make rail transport safer and more competitive, and to improve cross-border connections. ERTMS includes the European Train Control System (ETCS) which specifies the on-board equipment and its communication with the trackside.

The aim of our work is to confront the European specifications with the national operating rules, and to use formal models to validate whether a given scenario fulfills the specification regarding the functional and safety requirements. We propose to model a nominal scenario of Movement Authority (MA), extracted from ERTMS operating rules, and to translate it into B specifications in order to validate it.

In the following section, an overview of the nominal scenario MA is given and its UML models are described. Section 3 highlights the B formal validation after an automatic translation of these models into B specifications using B4MSecure. Finally, section 4 concludes this paper.
Y. Ait Ameur and K.-D. Schewe (Eds.): ABZ 2014, LNCS 8477, pp. 124–129, 2014.
© Springer-Verlag Berlin Heidelberg 2014
2 Movement Authority Overview

Movement Authority (MA) is an authorization given to a train to move to a given point as a supervised movement. Some features can be used to define an MA, such as sections subdividing it, the time-out value attached to each section, etc. The MA function unfolds with interactions between the OnboardSafetyManagement (the on-board computer-based machine), the TracksideSafetyManagement (the trackside computer-based machine), and the Driver, as follows:

MA.1 The OnboardSafetyManagement requests an MA to the TracksideSystem.
MA.2 The TracksideSafetyManagement receives the MA request from the TracksideSystem.
MA.3 The TracksideSafetyManagement proposes an MA to the TracksideSystem after creating it. It can also modify and/or delete the MA.
MA.4 The OnboardSafetyManagement receives the proposed MA from the TracksideSystem, authorizes it and processes the MA authorization in order to be displayed in the Driver Machine Interface (DMI).
MA.5 The Driver reads the authorized MA.

Each step of this scenario represents a permission, for a role, to perform an action on an entity. On this basis, 3 roles (OnboardSafetyManagement, TracksideSafetyManagement, Driver), 3 system entities (TracksideSystem, MA, DMI) and 10 possible permissions (the actions in the steps above: requests, receives, proposes, creating, modify, delete, receives, authorizes, processes, reads) can be extracted.
Our approach consists in, on the one hand, the modeling of ERTMS operating rules in semi-formal UML notations with their graphical views and dedicated profile extensions taking into account various aspects (structural, dynamic, behavioural, etc.), and on the other hand, their validation and verification with the formal B method, with its mathematical notations and automated proof. The combination of these two notations has been studied and several approaches of UML to B translation have been proposed, cited in [3]. In order to model the scenario above, we use the B4MSecure platform, which supports the UML/B modeling process and lies within the scope of Model Driven Engineering (MDE).

For the sake of concision, the B4MSecure platform [7] is only briefly presented. As an Eclipse platform, it is dedicated to formally validating a functional UML model enhanced by an access control policy. It uses a Role Based Access Control (RBAC) profile inspired from the SecureUML profile [4]. This profile aims at specifying information related to access control in order to model roles and their permissions. This platform acts in 3 steps: a functional UML class diagram specifying system entities, security UML models with an access control policy, and the translation of both models into B specifications.

Following the three-step approach of B4MSecure, a functional UML class diagram containing all system entities as classes and the relationships between them is built. Then, security UML class diagrams enhance the functional model by expressing which role has the permission to perform a given action in the railway system: a class diagram dedicated to the roles and others dedicated to the access control policies, which are based on permissions linking the roles to the entities, such as the access control of the MA in Fig. 1. A permission is modeled as a UML association class, between a role and a class of the functional model, with a stereotype Permission. For instance, MA.4 is modeled in Fig. 1 by the permission of the OnboardSafetyManagement to authorize the MA. All these diagrams are translated to B specifications.
Fig. 1. Roles and permissions associated with MA
3 B Formal Validation of Movement Authority

The functional model is translated into a unique B machine, named Functional, and permissions are translated into a B machine, named RBAC_Model. As shown in Fig. 2, the functional formal model follows a classical translation scheme similar to [5]. The RBAC_Model adds variables about permissions and roles. For example, PermissionAssignement is a total function from PERMISSIONS to the cartesian product (ROLES * ENTITIES), and isPermitted is a relation between the ROLES and Operations sets. PERMISSIONS, ENTITIES and Operations are the sets defined in RBAC_Model, while ROLES is a set defined in the included UserAssignments machine. Initialization of these variables is conformant to the SecureUML model. Then, the initialization proof obligation, produced by the AtelierB prover for these variables, allows to verify whether the SecureUML model respects RBAC well-formedness rules such as no cycles in the role hierarchy, etc. The operations of the security formal model encapsulate the operational part of the functional formal model. Each functional operation is associated with an operation in the security model verifying that a user has permission to call the functional operation. For instance, the secure_MA__authorizeMA operation of RBAC_Model checks the permissions associated with the functional operation MA__authorizeMA. Secured operations add a statement in the postcondition,
MACHINE
    Functional
SETS
    MA_AS; ...
ABSTRACT_VARIABLES
    MA, ...
INVARIANT
    MA <: MA_AS & ...
INITIALISATION
    MA := {} || ...
OPERATIONS
    MA__authorizeMA(Instance) =
    PRE
        Instance : MA &
        MA__AuthorizedMA(Instance) = FALSE
    THEN
        MA__AuthorizedMA(Instance) := TRUE
    END; ...
END

MACHINE
    RBAC_Model
INCLUDES
    Functional, UserAssignments
SEES
    ContextMachine
SETS
    ENTITIES = {MA_Label, ...};
    Attributes = {MA_AuthorizedMA_Label, ...};
    Operations = {MA__authorizeMA_Label, ...} ...
VARIABLES
    PermissionAssignement, isPermitted, ...
INVARIANT
    PermissionAssignement : PERMISSIONS --> (ROLES * ENTITIES)
    & isPermitted : ROLES <-> Operations ...
INITIALISATION
    PermissionAssignement :=
        {(OSM_MAPerm |-> (OnboardSafetyManagement |-> MA_Label)), ...}
OPERATIONS
    secure_MA__authorizeMA(Instance) =
    PRE
        Instance : MA & MA__AuthorizedMA(Instance) = FALSE
    THEN
        SELECT MA__authorizeMA_Label : isPermitted[currentRole]
        THEN MA__authorizeMA(Instance)
        END
    END; ...
END
Fig. 2. Functional and RBAC Model machines
e.g. SELECT MA__authorizeMA_Label : isPermitted[currentRole], in order to verify whether MA__authorizeMA_Label is allowed to the connected user using a particular role. Indeed, isPermitted computes, from the initial state, the set of authorized functional operations for each role.
UML models of extracted ERTMS/ETCS operating rules containing 7 functional classes, 5 roles and 17 permissions are transformed into 830 lines of functional formal model and 1545 lines of security formal model. We use the ProB animator in order to validate these specifications. A first animation checks the nominal behaviour of Movement Authority. Then variants of this animation check that the given permissions forbid the execution of secure actions by unauthorized roles, since a secure action can be performed only with a permission given to a role. The ability of the system specified by the class diagram to play the ERTMS scenarios is checked through animations of the corresponding transformed B model. These animations validate the permissions assigned to each role. But they don't check that the sequence of actions models the MA protocol. Actually, the sequence of actions is defined in the animation by the user, but it is not embedded in the UML/B model. This can be resolved by adding some constraints as preconditions in secured operations. Nevertheless, adding these conditions breaks the consistency between the UML model and the B machine. Owing to the lack of dynamic aspects in UML class diagrams, we intend to explore more UML diagrams as future work. Then we will focus on enriching UML class diagrams with, for instance, sequence diagrams which model the ordered interactions in scenarios, and deriving B specifications from them in order to validate the system's behavior.
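As an added example (not the paper's B text nor B4MSecure output), the following Python reading of the Fig. 2 machines makes the secured-operation mechanism of section 3 and the animation variants above executable: PermissionAssignement and a constructed per-permission action map derive isPermitted, secure_call reproduces the SELECT guard, and animate replays a user-chosen step sequence as with ProB. It also exercises the limitation just described: a sequence that skips the request and proposal steps of MA.1 to MA.4 is still accepted, because the ordering is not embedded in the model. Only OSM_MAPerm, MA_Label and MA__authorizeMA_Label come from Fig. 2; the other permission, entity and operation labels, the action map and the nominal MA sequence are assumptions built from steps MA.1 to MA.5.

```python
# Executable reading of the Fig. 2 machines (added example). Labels other than
# OSM_MAPerm and MA__authorizeMA_Label are constructed from steps MA.1-MA.5.
OSM, TSM, DRV = "OnboardSafetyManagement", "TracksideSafetyManagement", "Driver"

class PreconditionViolated(Exception):
    """A B PRE was false: the call lies outside the operation's contract."""

class Functional:
    """Functional machine: the MA set and its AuthorizedMA attribute."""
    def __init__(self):
        self.MA = set()              # MA <: MA_AS
        self.MA__AuthorizedMA = {}   # MA --> BOOL

    def call(self, label, i):
        """Functional operation: check PRE, then apply the substitution. The
        operations elided by "..." in Fig. 2 are state-preserving (assumption)."""
        if label == "MA__createMA_Label":
            if i in self.MA:
                raise PreconditionViolated(label)
            self.MA.add(i)
            self.MA__AuthorizedMA[i] = False
        elif label == "MA__authorizeMA_Label":
            if not (i in self.MA and self.MA__AuthorizedMA[i] is False):
                raise PreconditionViolated(label)
            self.MA__AuthorizedMA[i] = True

# RBAC_Model: PermissionAssignement: PERMISSIONS --> (ROLES * ENTITIES)
PermissionAssignement = {
    "OSM_TSPerm": (OSM, "TracksideSystem_Label"),
    "OSM_MAPerm": (OSM, "MA_Label"),
    "TSM_TSPerm": (TSM, "TracksideSystem_Label"),
    "TSM_MAPerm": (TSM, "MA_Label"),
    "DRV_DMIPerm": (DRV, "DMI_Label"),
}
# Actions each SecureUML permission grants on its entity: the 10 actions of
# MA.1-MA.5 written as operation labels (<Class>__<action>_Label).
PermissionActions = {
    "OSM_TSPerm": {"TracksideSystem__requestMA_Label",
                   "TracksideSystem__receiveMA_Label"},
    "OSM_MAPerm": {"MA__authorizeMA_Label", "MA__processMA_Label"},
    "TSM_TSPerm": {"TracksideSystem__receiveMARequest_Label",
                   "TracksideSystem__proposeMA_Label"},
    "TSM_MAPerm": {"MA__createMA_Label", "MA__modifyMA_Label",
                   "MA__deleteMA_Label"},
    "DRV_DMIPerm": {"DMI__readMA_Label"},
}

def check_well_formed():
    """Initialisation-style check: a permission may only grant actions of the
    entity it is assigned to. Returns the offending labels (empty = OK)."""
    return sorted(op for perm, (_, ent) in PermissionAssignement.items()
                  for op in PermissionActions[perm]
                  if op.split("__", 1)[0] + "_Label" != ent)

def compute_isPermitted():
    """isPermitted: ROLES <-> Operations, derived once from the initial state."""
    return {(role, op) for perm, (role, _) in PermissionAssignement.items()
            for op in PermissionActions[perm]}

isPermitted = compute_isPermitted()

def secure_call(functional, currentRole, label, instance):
    """secure_<op>(Instance) = SELECT label : isPermitted[currentRole]
    THEN <op>(Instance) END. True: the guard held and the operation fired;
    False: the operation is disabled for currentRole (ProB would not offer it)."""
    if (currentRole, label) not in isPermitted:
        return False
    functional.call(label, instance)
    return True

def animate(scenario):
    """Replay a user-chosen step sequence, as done with the ProB animator.
    Returns the per-step outcomes and the final Functional state."""
    functional = Functional()
    outcomes = [secure_call(functional, r, op, i) for r, op, i in scenario]
    return outcomes, functional

# Nominal MA scenario (MA.1 to MA.5 of section 2), constructed for this example.
NOMINAL_MA = [
    (OSM, "TracksideSystem__requestMA_Label", "ma1"),         # MA.1
    (TSM, "TracksideSystem__receiveMARequest_Label", "ma1"),  # MA.2
    (TSM, "MA__createMA_Label", "ma1"),                       # MA.3
    (TSM, "TracksideSystem__proposeMA_Label", "ma1"),         # MA.3
    (OSM, "TracksideSystem__receiveMA_Label", "ma1"),         # MA.4
    (OSM, "MA__authorizeMA_Label", "ma1"),                    # MA.4
    (OSM, "MA__processMA_Label", "ma1"),                      # MA.4
    (DRV, "DMI__readMA_Label", "ma1"),                        # MA.5
]
```

Replaying `[(TSM, "MA__createMA_Label", x), (DRV, "MA__authorizeMA_Label", x)]` yields `[True, False]`, while `[(TSM, "MA__createMA_Label", x), (OSM, "MA__authorizeMA_Label", x)]` yields `[True, True]` even though no request or proposal step was played.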
At this stage, safety requirements have not yet been integrated into the B specifications. As further work, we will consider enriching the B specifications with safety properties stemming from safety requirements of the ERTMS operating rules in order to formally verify them using the B prover. Moreover, SysML requirement diagrams combined with our UML diagrams may guarantee the traceability aspects of system requirements when they are translated to B specifications.
4 Conclusion
In this short paper, we have presented a Movement Authority function extracted from the ERTMS/ETCS operating rules. This function was modeled using UML graphical notations and then translated automatically, via the B4MSecure platform, into B specifications which were checked successfully using the ProB animator. The combination of UML/B aims to ease the understanding of the system with the graphical notations of UML and to formally validate system requirements with B formal notations. Research works done in the Selkis project [1], [2] and [3] show the efficiency of this platform and its different steps leading to the formal validation of scenarios in healthcare Information Systems by seeking malicious sequences of operations. In this paper, we show the use of this existing platform in another context related to distributed railway systems and their operating rules.
Acknowledgements. This research is funded by the PERFECT project (ANR-12-VPTT-0010) and is partly supported by the SELKIS project (ANR-08-SEGI-018).
References

1. Ledru, Y., Idani, A., Milhau, J., Qamar, N., Laleau, R., Richier, J.-L., Labiadh, M.-A.: Taking into Account Functional Models in the Validation of IS Security Policies. In: Salinesi, C., Pastor, O. (eds.) CAiSE 2011 Workshops. LNBIP, vol. 83, pp. 592–606. Springer, Heidelberg (2011)
2. Milhau, J., Idani, A., Laleau, R., Labiadh, M.A., Ledru, Y., Frappier, M.: Combining UML, ASTD and B for the formal specification of an access control filter. In: Innovations in Systems and Software Engineering, vol. 7, pp. 303–313. Springer (2011)
3. Idani, A., Labiadh, M.A., Ledru, Y.: Infrastructure dirigée par les modèles pour une intégration adaptable et évolutive de UML et B. Ingénierie des Systèmes d'Information Journal 15, 87–112 (2010)
4. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
5. Laleau, R., Mammar, A.: An overview of a method and its support tool for generating B specifications from UML notations. In: Proceedings of the 15th IEEE International Conference on Automated Software Engineering, ASE 2000, pp. 269–272. IEEE Computer Society, Washington (2000)
6. ERTMS, http://www.ertms.net
7. B4MSecure, http://b4msecure.forge.imag.fr