Book

All About Maude - A High-Performance Logical Framework: How to Specify, Program and Verify Systems in Rewriting Logic

Authors:

Abstract

This book gives a comprehensive account of Maude, a language and system based on rewriting logic. Many examples are used throughout the book to illustrate the main ideas and features of Maude, and its many possible uses. Maude modules are rewrite theories. Computation with such modules is - cient deduction by rewriting. Because of its logical basis and its initial model semantics,aMaudemodulede?nesaprecisemathematicalmodel.Thismeans that Maude and its formal tool environment can be used in three, mutually reinforcing ways: • as a declarative programming language; • as an executable formal speci?cation language; and • as a formal veri?cation system. Maude’s rewriting logic is simple, yet very expressive. This gives Maude good representational capabilities as a semantic framework to formally represent a wide range of systems, including models of concurrency, distributed al- rithms, network protocols, semantics of programming languages, and models of cell biology. Rewriting logic is also an expressive universal logic,making Maude a ?exible logical framework in which many di?erent logics and - ference systems can be represented and mechanized. This makes Maude a useful metatool to build many other tools, including those in its own formal tool environment. Thanks to the logic’s simplicity and the use of advanced semi-compilation techniques, Maude has a high-performance implementation, making it competitive with other declarative programming languages.

Chapters (23)

This introduction tries to give the big picture on the goals, design philosophy, logical foundations, applications, and overall structure of Maude. It is written in an impressionistic, conversational style, and should be read in that spirit. The fact that occasionally some particular technical concept mentioned in passing (for example, “the Church-Rosser property”) may be unfamiliar should not be seen as an obstacle. It should be taken in a relaxed, sporting spirit: those things will become clearer in the body of the book; here it is just a matter of gaining a first overall impression.
The Maude system is available, free of charge, under the terms of the GNU General Public License as published by the Free Software Foundation, at the Maude home page (a snapshot is shown in Figure 2.1) http://maude.cs.uiuc.edu . There you can also find documentation about Maude, including a Maude primer, some papers on Maude and rewriting logic, and several Maude applications, including a set of proving tools for Maude specifications and Maude case studies. Maude binaries are provided for selected architectures and operating systems, including Linux and MacOS X. Detailed information on this can be found in the Maude web site, where installation instructions are also available. The companion cd-rom contains the latest version of Maude available at the time of writing, together with the complete source code of all the examples in this book.
This chapter introduces the basic syntactic ingredients of all Maude specifications: identifiers, module names, sort names, and operator declarations. Other syntactic parts of Maude specifications, like equations and rules, will appear in the following chapters. Some syntax is presented in an informal way by means of general schemes; a formal BNF grammar of the language can be found in Chapter 24. The chapter finishes explaining some features that can be used to reduce parsing ambiguities in the user-definable syntax, including mixfix operator declarations, supported by Maude.
Functional modules define data types and operations on them by means of equational theories. The data types consist of elements that can be named by ground terms. Two ground terms denote the same element if and only if they belong to the same equivalence class as determined by the equations. That is, the mathematical semantics of a functional module is its initial algebra. Maude’s functional modules are assumed to have the nice property that equations, considered as simplification rules by using them only in the left to right direction, are Church-Rosser and terminating (see Section 4.7). This means that repeated application of the equations as simplification rules eventually reaches a term to which no further equations apply, and the result, called the canonical form, is the same regardless of the order of application of the equations. Thus each equivalence class has a natural representative, its canonical form, that can be computed by equational simplification. As explained in Section 1.2, this ensures that the initial algebra and the canonical term algebra of the functional module are isomorphic, and therefore that the module’s mathematical and operational semantics coincide.
In Section 4.4.1 we have introduced equational attributes as a means of declaring some equational properties of binary operators that allow Maude to use these properties efficiently in a built-in way in parsing and in matching modulo such equational axioms. We recall that Maude supports the following equational attributes: assoc (associativity), comm (commutativity), id:\(\langle Term\rangle\) (identity, with the corresponding term for the identity element), with variations for left identity and right identity, and idem (idempotency). An important restriction to bear in mind is that the assoc and idem attributes cannot be used together in any combination. In this chapter we will show that equational attributes correspond to structural axioms of well-known data types built with a binary constructor operator. In this way we obtain a hierarchy of data types: non-empty binary trees, with elements only in their leaves, built with a free binary constructor, that is, a constructor with no equational axioms; non-empty lists, built with an associative constructor; lists, built with an associative constructor and an identity; multisets (or bags), built with an associative and commutative constructor and an identity; and sets, built with an associative, commutative, and idempotent constructor and an identity. All these data types are generic, so that they can be constructed on top of any given data type of basic elements; for example, we can have lists of natural numbers, lists of Booleans, lists of sets of integers, etc. This genericity corresponds to making use of parameterized modules in Maude, which will be introduced later in Section 8.3. Therefore, in this chapter we only consider constructions over natural numbers. In Section 9.12 we will describe the predefined parameterized versions of lists and sets provided in the Maude prelude, and in Chapter 10 we will describe many other parameterized data types, like stacks, queues, sorted lists, multisets, and different versions of trees.
A Maude system module specifies a rewrite theory. A rewrite theory has sorts, kinds, and operators (perhaps with frozen arguments), and can have three types of statements: equations, memberships, and rules, all of which can be conditional. Therefore, any rewrite theory has an underlying equational theory, containing the equations and memberships, plus the rules. What is the intuitive meaning of such rules? Computationally, they specify local concurrent transitions that can take place in a system if the pattern in the rule’s lefthand side matches a fragment of the system state and the rule’s condition is satisfied. In that case, the transition specified by the rule can take place, and the matched fragment of the state is transformed into the corresponding instance of the righthand side. Logically, that is, when we use rewriting logic as a logical framework to represent other logics as explained in Section 1.4, a rule specifies a logical inference rule, and rewriting steps therefore represent inference steps.
Specifications and code should be structured in modules of relatively small size to facilitate understandability of large systems, increase reusability of components, and localize the effects of system changes. In Maude, these goals are achieved by means of a module algebra that supports parameterized programming techniques in the OBJ3 style [146] as well as the definition of module hierarchies, i.e., acyclic graphs of module importations; that is, each functional or system module can import other Maude modules as submodules. Since the submodule relation is transitive, we can in this way develop module hierarchies. Mathematically, we can think of such hierarchies as partial orders of theory inclusions, that is, the theory of the importing module contains the theories of its submodules as subtheories.
Maude has a standard library of predefined modules that, by default, are entered into the system at the beginning of each session, so that any of these predefined modules can be imported by any other module defined by the user. Also, by default, the predefined functional module BOOL is automatically imported (in including mode) as a submodule of any user-defined module, unless such importation is explicitly disabled. These modules can be found in the file prelude.maude that is part of the Maude distribution. We describe below those predefined modules that provide commonly used data types, including Booleans, numbers, strings, and quoted identifiers. The relationships among these modules are shown in the importation graph in Figure 9.1, where all the importations are in protecting mode. We also describe typical parameterized collections of data types such as lists and sets, and associations such as maps and arrays. The chapter ends introducing the built-in linear Diophantine equation solver, defined in the file linear.maude that is also part of the Maude distribution. Other predefined modules, also in the prelude.maude file, are discussed later; more specifically, the META-LEVEL module is discussed in Chapter 14, the LOOP-MODE module in Section 17.1, and the CONFIGURATION module in Sections 11.1 and 11.4. Furthermore, this chapter also describes a predefined module MACHINE-INT for machine integers, which is obtained from the module INT of (arbitrary size) integers, but is distributed in a separate file machine-int.maude.
This chapter describes the equational specification in Maude of a series of typical data structures, complementing in this way the list and set data structures provided as predefined modules in Maude and described in Section 9.12. We start with the well-known stacks, queues, lists, and multisets to continue with binary and search trees; not only are the simple versions considered, but also advanced ones such as AVL and 2-3-4 trees. The operator attributes available in Maude allow the specification of data based on constructors that satisfy some equational properties, like concatenation of lists which is associative and has the empty list as identity, as opposed to the free constructors available in other functional programming languages. Moreover, the expressive version of equational logic on which Maude is based, namely membership equational logic, allows the faithful specification of types whose data are defined not only by means of constructors, but also by the satisfaction of additional properties, like sorted lists, search trees, balanced trees, etc. We will see along this chapter how this is accomplished by means of membership assertions that equationally characterize the properties satisfied by the corresponding data.
Distributed systems can be naturally modeled in Maude as multisets of entities, loosely coupled by some suitable communication mechanism. An important example is object-based distributed systems in which the entities are objects, each with a unique identity, and the communication mechanism is message passing. Core Maude supports the modeling of object-based systems by providing a predefined module CONFIGURATION that declares sorts representing the essential concepts of object, message, and configuration, along with a notation for object syntax that serves as a common language for specifying objectbased systems. In addition, there is an object-message fair rewriting strategy that is well suited for executing object system configurations. To specify an object-based system, the user can import CONFIGURATION and then define the particular objects, messages, and rules for interaction that are of interest. In addition to simple asynchronous message passing, Maude also supports complex patterns of synchronous interaction that can be used to model higherlevel communication abstractions. The user is also free to define his/her own notation for configurations and objects, and can still take advantage of the object-message rewriting strategy, simply by making the appropriate declarations. All this is explained in detail below. Furthermore, Maude also supports external objects, so that objects inside a Maude configuration can interact with different kinds of objects outside it. At present, the external objects directly supported are internet sockets; but through them it is possible to interact with other external objects. In addition, sockets make possible distributed programming with rewrite rules. External objects are discussed in Section 11.4. A substantial case study using sockets to build a mobile language is presented in Chapter 16. As discussed in Chapter 19, Full Maude provides additional support for object-oriented programming with classes, subclassing, and convenient abbreviations for rule syntax.
A rewrite theory, specified in Maude as a system module, provides an executable mathematical model of a concurrent system. We can use the Maude specification to simulate the concurrent system so specified. But we can do more. Under appropriate conditions we can check that our mathematical model satisfies some important properties, or obtain a useful counterexample showing that the property in question is violated. This kind of model-checking analysis can be quite general. Chapter 13 will explain how, under appropriate finite reachability assumptions, we can model check any linear time temporal logic (LTL) property of a system specified in Maude as a system module. This chapter focuses on a simpler, yet very useful, model-checking capability, namely, the model checking of invariants, which can be accomplished just by using the search command.
As pointed out in Section 1.4, given a Maude system module, we can distinguish two levels of specification: a system specification level, provided by the rewrite theory specified by that system module which defines the behavior of the system, and a property specification level, given by some property (or properties) φ that we want to state and prove about our module. This chapter discusses how a specific property specification logic, linear temporal logic (LTL), and a decision procedure for it, model checking, can be used to prove properties when the set of states reachable from an initial state in a system module is finite. It also explains how this is supported in Maude by its MODEL-CHECKER module, and other related modules, including the SAT-SOLVER module that can be used to check both satisfiability of an LTL formula and LTL tautologies. These modules are found in the file model-checker.maude. Temporal logic allows specification of properties such as safety properties (ensuring that something bad never happens) and liveness properties (ensuring that something good eventually happens). These properties are related to the infinite behavior of a system. There are different temporal logics [54]; we focus on linear temporal logic [194, 54], because of its intuitive appeal, widespread use, and well-developed proof methods and decision procedures.
Informally, a reflective logic is a logic in which important aspects of its metatheory can be represented at the object level in a consistent way, so that the object-level representation correctly simulates the relevant metatheoretic aspects. In other words, a reflective logic is a logic which can be faithfully interpreted in itself. Maude’s language design and implementation make systematic use of the fact that rewriting logic is reflective [66, 56, 67, 68]. This makes the metatheory of rewriting logic accessible to the user in a clear and principled way. However, since a naive implementation of reflection can be computationally expensive, a good implementation must provide efficient ways of performing reflective computations. This chapter explains how this is achieved in Maude through its predefined META-LEVEL module, that can be found in the prelude.maude file.
A metaprogram is a program that takes programs as inputs and performs some useful computation. It may, for example, transform one program into another. Or it may analyze such a program with respect to some properties, or perform other useful program-dependent computations. This is of course very useful and very powerful. In Maude, metaprogramming has a logical, reflective semantics. It is just a direct consequence of the fact that both membership equational logic and rewriting logic are reflective logics, and of the efficient exploitation of that fact in the META-LEVEL module. That is, we can easily write Maude metaprograms by importing META-LEVEL into a module that defines such metaprograms as functions that have Module as one of their arguments. Since this is one of the most powerful uses of Maude as a programming language, we present in this chapter three metaprogramming examples of moderate size, yet interesting and nontrivial, that can be helpful as an appetizer and guide to more ambitious metaprogramming tasks. Much more ambitious examples, also freely available for inspection, are the Full Maude system itself (see Chapter 18), which is a metaprogram entirely written in Maude, and the various tools in Maude’s formal environment, which are described in Section 21.1.
The popularity of the Internet has brought much attention to the world of distributed applications development. Now, more than ever, the network is being viewed as a platform for the development of cost-effective, mission-critical applications. Mobile code and mobile agents [186, 181] are emerging technologies that promise to make much easier the design, implementation, and maintenance of distributed systems. Mobile agents may reduce the network traffic, provide an effective means of overcoming network latency, and, perhaps more importantly, help us to construct more robust and fault-tolerant systems, thanks to their ability to operate asynchronously and autonomously.
This chapter explains how to use the facilities provided by the predefined modules META-LEVEL and LOOP-MODE for constructing user interfaces and metalanguage applications, in which Maude is used not only to define a domain-specific language or tool, but also to build an environment for the given language or tool. In such applications, the LOOP-MODE module can be used to handle the input/ output and to maintain the persistent state of the language environment or tool. This chapter also describes an approach based on actors to endow Maude with interactive capabilities.
During the development of the Maude system we have put special emphasis on the creation of metaprogramming facilities to allow the generation of execution environments for a wide variety of languages and logics. The first most obvious area where Maude can be used as a metalanguage is in building language extensions for Maude itself. Our experience in this regard—first reported in [107], and further documented in [108, 98, 99, 109]—is very encouraging. We have been able to define in Core Maude a language, that we call Full Maude, with all the features of Maude plus notation for object-oriented programming, parameterized views, module expressions specifying tuples of any size, etc. Although the Maude distribution has included the specification/ implementation of Full Maude since it was first distributed in 1999, Core Maude and Full Maude are now closer than ever before. Many of the features now available in Core Maude, like parameterized modules, views, and module expressions like summation, renaming and instantiation, were available in Full Maude long before they were available in Core Maude [107]. In fact, Full Maude has not only been a complement to Core Maude, but also a vehicle to experiment with new language features. Once these features have been mature enough to be implemented in the core language, we have made the effort to do so. Similarly, it is very likely that those features in Full Maude which are not yet available in Core Maude will become part of it sooner or later, and that new features will be added to Full Maude for purposes of language design and experimentation. This applies not only to Full Maude, but also to further language extensions based on Full Maude such as the strategy language proposed in [202], whose Core Maude implementation is currently underway.
In Full Maude, concurrent object-oriented systems can be defined by means of object-oriented modules—introduced by the keyword omod...endom—using a syntax more convenient than that of system modules, because it assumes acquaintance with the basic entities, such as objects, messages and configurations, and supports linguistic distinctions appropriate for the object-oriented case. As in Core Maude, we may have specifications of object-oriented systems in system modules; for example, we could enter into Full Maude the system modules describing object-based systems discussed in Chapter 11 by enclosing them in parentheses. However, although Maude’s system modules are suffi- cient for specifying object-oriented systems, there are important conceptual advantages provided by Full Maude’s syntax for object-orientedmodules. Such syntax allows the user to think and express his/her thoughts in object-oriented terms whenever such a viewpoint seems best suited for the problem at hand. Those conceptual advantages would be partially lost if only system modules at the Core Maude level were provided.
This chapter gives an overview of some application areas of rewriting logic and Maude, with pointers to papers and web sites where more information can be found. Some of the material is adapted, with some modifications and extensions, from [199, 3, 217]. Since Maude is a general-purpose declarative programming language, there is in principle no limit to the applications that could be developed using it. Therefore, the areas discussed, although quite diverse, are only a sample of types of applications for which Maude seems particularly well suited. But there are many others. For example, the availability of built-in internet sockets in Maude 2.2 (see Section 11.4.1) opens up interesting possibilities for a new style of declarative internet programming which have already begun to be exploited (see Chapter 16).
This chapter describes some existing Maude-based tools that are available for download. The first section describes tools concerned with analysis of either Maude specifications, or of extensions of such specifications. The second section describes tools that are not Maude-specific; they are instead concerned with specification and analysis in various application domains and support domain-specific notations. For each tool, its description addresses the following questions: What does the tool do? When would you want to use it? How can the tool and documentation be obtained? The material in this chapter is a reformulation and adaptation of the material kindly provided to us by the authors of each tool. We cordially thank them all for their help.
There are several approaches to debugging and optimizing Maude programs: tracing, term coloring, using the debugger, and using the profiler.
In this chapter we use curly bracket pairs, ‘{’ and ‘}’, to enclose optional syntax.
This chapter describes the syntax of Maude using the following extended BNF notation: the symbols ‘(’ and ‘)’ are used as metaparentheses; the symbol ‘|’ is used to separate alternatives; square bracket pairs, ‘[’ and ‘]’, enclose optional syntax; ‘*’ indicates zero or more repetitions of preceding unit; ‘+’ indicates one or more repetitions of preceding unit; and the string “x” denotes x literally. As an application of this notation, A(, A)* indicates a non-empty list of A’s separated by commas. Finally, %%% indicates comments in the syntactic description, as opposed to comments in the Maude code.
... Maude has been chosen for this task due to the particular requirements of conformance checking, for which formal reasoning and first-order logic provide an optimal set of tools for verification of systems. Maude has been used to verify critical code [9], as it can show states or configurations that could be reached but are not desired or not planned for. The Maude-based automatic supervision system uses the Dependency Graphs from prior work [19] with added node functions, which infer generalised models of complex tasks by using an inductive approach based on aggregation and refinement operators. ...
... The formal definition of the automatic supervision system defined in the previous section has been implemented using Maude [9] and uploaded to a GitHub repository 1 . Maude is described as a formal reasoning tool [9], which is ideal for implementing the formal specification of the supervisor system. ...
... The formal definition of the automatic supervision system defined in the previous section has been implemented using Maude [9] and uploaded to a GitHub repository 1 . Maude is described as a formal reasoning tool [9], which is ideal for implementing the formal specification of the supervisor system. The rules of the transition system have been implemented as rewriting rules in the prototype. ...
Preprint
Full-text available
Teaching serves as a means to convey methods, techniques, and approaches for addressing both straightforward and intricate problems to students. Tasks with high complexity levels, such as cooking, surgical suturing, and the operation of sophisticated machinery, typically entail various learning stages. These stages may include individual study, observation of task execution, and hands-on practice under expert supervision. However, this supervision demands the presence and commitment of a costly expert, which is both time-consuming and expensive. Furthermore, the reliance on experts restricts the scalability of teaching, given the scarcity of such professionals. This paper presents an automated student supervisor system that addresses these challenges, making supervision more cost-effective and scalable. We formally specify the behaviour of the supervisor system as a transition system that models how the configuration of the system changes with each action performed by the learner according to a given pattern/model that synthesises how the task must be executed. More specifically, we propose to use as patterns the Dependency Graphs resulting from a previous Process Mining analysis able to infer the models using minimal samples of expert executions through an inductive approach based on ag-gregation and refinement operators. In this way, our system can supervise new student's executions by using conformance checking , thus comparing the current student action with the model. This allows the system to identify the correct and incorrect actions performed by the student during the execution of the task. We have implemented a prototype of the supervision system using the programming language Maude. Maude is a declarative formalism (based on rewriting logic) that has been shown to be suitable for specifying and reasoning about systems. The prototype was
... In the last 50 years, conditional rules → r ⇐ c, specifying a reduction step → r which is triggered only if the condition c is 'satisfied', have been used in automated reasoning systems like Mathematica [58], REDUCE [25,26] or SCRATCHPAD [19,20]. They are central in the expressivity of rule-based programming languages like Haskell [27] or logic-based specification and verification systems like Maude [5,11]. They are also useful to reason about cryptographic protocols [1] and cyber-physical systems [6,53]. ...
... • We also have f(a) → (5) c. This is because, when variable x in the left-hand side f(x) of rule (5) is instantiated to a, the corresponding instance a ≈ a of the condition x ≈ a of the rule is trivially satisfied (in all aforementioned semantics for conditions). ...
... Thus, as an oriented CTRS, R is not (locally) confluent. 2. If R is viewed as a join CTRS, then f(b) and c are joinable because f(b) → (5) c due to the possibility of joining the two components of the obtained instance b ≈ a of the condition by applying rule (4) to the second component a to obtain b. Actually, we will be able to prove that, as a join CTRS, R is locally confluent and also confluent. ...
Article
Full-text available
Reduction-based systems are used as a basis for the implementation of programming languages, automated reasoning systems, mathematical analysis tools, etc. In such inherently non-deterministic systems, guaranteeing that diverging steps can be eventually rejoined is crucial for a faithful use in most applications. This property of reduction systems is called local confluence. In a landmark 1980 paper, Gérard Huet characterized local confluence of a Term Rewriting System as the joinability of all its critical pairs. In this paper, we characterize local confluence of Conditional Term Rewriting Systems, where reduction steps may depend on the satisfaction of specific conditions in rules: a conditional term rewriting system is locally confluent if and only if (i) all its conditional critical pairs and (ii) all its conditional variable pairs (which we introduce in this paper) are joinable. Furthermore, the logic-based approach we follow here is well-suited to analyze local confluence of more general reduction-based systems. We exemplify this by (i) including (context-sensitive) replacement restrictions in the arguments of function symbols, and (ii) allowing for more general conditions in rules. The obtained systems are called Generalized Term Rewriting Systems. A characterization of local confluence is also given for them.
... debug), because limited tool support is available. Available tools (e.g., rewriting engines like Maude [8]) lack the usability and modularity embodied in more softwareoriented tools. Finally, successful usage of currently available tools requires that the formalization of the target system is essentially finished, hence are not suitable for early prototyping during formalization. ...
... Traditional tools used in work on formal semantics include term rewriting engines such as Maude [8], CafeOBJ [25], theorem provers like Isabelle/HOL [26], and model checkers like SPIN/Promela [16]. These approaches allow to state theorems about the model and often have support for executability and modularization through namespaces. ...
Preprint
We propose active object languages as a development tool for formal system models of distributed systems. Additionally to a formalization based on a term rewriting system, we use established Software Engineering concepts, including software product lines and object orientation that come with extensive tool support. We illustrate our modeling approach by prototyping a weak memory model. The resulting executable model is modular and has clear interfaces between communicating participants through object-oriented modeling. Relaxations of the basic memory model are expressed as self-contained variants of a software product line. As a modeling language we use the formal active object language ABS which comes with an extensive tool set. This permits rapid formalization of core ideas, early validity checks in terms of formal invariant proofs, and debugging support by executing test runs. Hence, our approach supports the prototyping of formal system models with early feedback.
... Maude-NPA is implemented in Maude [9], a declarative language and high-performance tool that focuses on simplicity, expressiveness, and performance to support the formal speci cation and analysis of concurrent programs/systems in rewriting logic. Maude can directly specify order-sorted equational logics and rewriting logic [10], and the tool provides several formal analysis methods, such as reachability analysis and LTL model checking. ...
... Maude can directly specify order-sorted equational logics and rewriting logic [10], and the tool provides several formal analysis methods, such as reachability analysis and LTL model checking. This section gives the syntax of the Maude language in a nutshell (see [9] for more detail) and describes how narrowing works with an example. ...
Article
Full-text available
This paper presents a formal specification of the Hybrid Post-Quantum TLS protocol in Maude-NPA, toward a security analysis of the protocol, where Hybrid Post-Quantum TLS is a quantum-resistant version of TLS proposed by AWS as a preparation against future attacks from quantum computers. The proposed protocol uses a hybrid key exchange mode: one is a classical key exchange algorithm and the other is a post-quantum key encapsulation mechanism. One of our assumptions about the intruder's capabilities is that the intruder can break the security of the classical key exchange algorithm by utilizing the power of large-scale quantum computers. In the present paper, we focus on presenting how to formally specify the protocol in Maude-NPA, which is a well-known tool for analyzing the security of cryptographic protocols, so that later on we can conduct the formal analysis of the protocol with some security properties.
... In this paper, we address challenge of the representation gap by leveraging a very expressive modeling language, called Maude [4], which supports powerful object-oriented specification. Since TEE API is mainly specified using objects and their interactions [8], it is appropriate to use such object-oriented modeling approaches to formally specify TEE APIs, making it much easier to develop a comprehensive formal model. ...
... Maude. Maude [4] is a language and tool for formally specifying and analyzing concurrent systems. A Maude specification consists of: (i) an equational theory (Σ, E) specifying system states as algebraic data types, where Σ is a signature (i.e., declaring sorts, subsorts, and function symbols) and E is a set of equations; and (ii) a set of rewrite rules R of the form l : t → t ′ if condition, specifying the system behavior, where l is a label, and t and t ′ are terms [14]. ...
Chapter
Full-text available
Trusted execution environments (TEEs) have emerged as a key technology in the cybersecurity domain. A TEE provides an isolated environment in which sensitive computations can be executed securely. Trusted applications running in TEEs are developed using standardized APIs that many hardware platforms for TEE adhere to. However, formal models tailored to standard TEE APIs are not well developed. In this paper, we present a formal specification of TEE APIs using Maude. We focus on Trusted Storage API and Cryptographic Operations API, which are foundational to mobile and IoT applications. The effectiveness of our approach is demonstrated through formal analysis of MQT-TZ, an open-source TEE application for IoT. Our formal analysis has revealed security vulnerabilities in the implementation of MQT-TZ, and we patch and confirm its integrity using model checking.
... Furthermore, in this work, process mailboxes are abstracted away for simplicity, thus a floating message can also represent a message that is actually stored in a process mailbox. 2 Systems range over by S, S ′ , S 1 , etc. Here, the parallel composition operator is denoted by "|" and considered commutative and associative. Therefore, two systems are considered equal if they are the same up to associativity and commutativity. ...
... This extension does not seem difficult, but will be essential to make our approach feasible in practice. Once this shortcut version of the semantics is defined, we will consider a proof-of-concept implementation (e.g., using Maude [2]). As an alternative, one can consider a program instrumentation for Erlang applications including check, commit, and rollback, so that they can be executed in the standard environment. ...
Preprint
Full-text available
The reliability of concurrent and distributed systems often depends on some well-known techniques for fault tolerance. One such technique is based on checkpointing and rollback recovery. Checkpointing involves processes to take snapshots of their current states regularly, so that a rollback recovery strategy is able to bring the system back to a previous consistent state whenever a failure occurs. In this paper, we consider a message-passing concurrent programming language and propose a novel rollback recovery strategy that is based on some explicit checkpointing primitives and the use of a (partially) reversible semantics for rolling back the system.
... We adopt the Maude notation to define R . Maude [30,33] is a high-level language and tool supporting the specification and analysis of rewrite theories. This approach enables us to produce an executable specification and conduct various analyses, as illustrated in Sect. 5. ...
Article
Full-text available
Reaction Systems (RSs) are a computational framework inspired by biochemical systems, where entities produced by reactions can enable or inhibit other reactions. RSs interact with the environment through a sequence of sets of entities called the context. In this work, we introduce ccReact, a novel interaction language for implementing and verifying RSs. ccReact extends the classical RS model by allowing the specification of recursive, nondeterministic, and conditional context sequences, thus enhancing the interactive capabilities of the models. We provide a rewriting logic (RL) semantics for ccReact, making it executable in the Maude system. We prove that our RL embedding is sound and complete, thereby offering a robust tool for analyzing RSs. Our methods enable various formal analysis techniques for RSs, including simulation of RSs interacting with ccReact processes, verification of reachability properties, model checking of temporal (LTL and CTL) formulas, and exploring the system evolution through a graphical tool to better understand its behavior. We apply our methods to analyze RSs from different domains, including computer science and biological systems. Notably, we examine a complex breast cancer case study, demonstrating that our analysis can suggest improvements to the administration of monoclonal antibody therapeutic treatments in certain scenarios.
... In [6], Durán et al. present a formal executable model for BPs with focus on resource allocation and verification. The model encodes a subset of BPMN process including time and resource into Maude [3]. Resources are explicitly defined at the task level, so that multiple concurrent executions of a process instance that compete for the shared/same resources are simulated. ...
... Nigam and Talcott [40] used Maude [41] to automate security analysis of the protocols in Industry 4.0 applications. This approach formalizes networked sets of devices and a symbolic intruder model in rewriting logic; in particular, attacks can be detected by changing the input and output behavior of the system and analyzing its effect on the system's behavior. ...
Article
Full-text available
Integration of the Internet of Things (IoT) in industrial settings necessitates robust cybersecurity measures to mitigate risks such as data leakage, vulnerability exploitation, and compromised information flows. Recent cyberattacks on critical industrial systems have highlighted the lack of threat analysis in software development processes. While existing threat modeling frameworks such as STRIDE enumerate potential security threats, they often lack detailed mapping of the sequences of threats that adversaries might exploit to apply cyberattacks. Our study proposes an enhanced approach to systematic threat modeling and data flow-based attack scenario analysis for integrating cybersecurity measures early in the development lifecycle. We enhance the STRIDE framework by extending it to include attack scenarios as sequences of threats exploited by adversaries. This extension allows us to illustrate various attack scenarios and demonstrate how these insights can aid system designers in strengthening their defenses. Our methodology prioritizes vulnerabilities based on their recurrence across various attack scenarios, offering actionable insights for enhancing system security. A case study in the automotive industry illustrates the practical application of our proposed methodology, demonstrating significant improvements in system security through proactive threat modeling and analysis of attack impacts. The results of our study provide actionable insights to improve system design and mitigate vulnerabilities.
... Study group DI7 consisting of a single paper [92] specifies OCL semantic in the K formalism [64]. K formalism consists of two logic, reachability, and matching logic [64], that can be considered modifications of two logics forming the base of Maude formalisms [99], rewriting logic and membership equational logic. K formalism's primary concern and intention is a specification of computer language semantics. ...
Article
Full-text available
Object Constraint Language (OCL) plays a pivotal role in Model Driven Architecture (MDA), an important applied software engineering concept created over a quarter of a century ago. The expressiveness and precision of the primary specification language in MDA, Unified Modeling Language (UML), significantly stems from its joint use with the OCL. The semantic content of OCL has undergone a significant evolution over the past two decades, leading to the creation of eight versions of language specifications defined by the Object Management Group (OMG) standardization process. Despite the undeniable importance of OCL, there is a substantial void in literature that presents the issues of OCL semantics in a comprehensive and detailed way. This paper aims to summarize the available knowledge about definitions of OCL semantics and computational properties of the language. Using systematic review methodology, we created and answered questions about the properties of OCL definitions and the results of the computational properties of the whole language and its fragments. Based on newly synthesized information, the paper discusses the root causes of the issues found and proposes a course of action to address them collectively in the future. The presented summary encapsulates knowledge about two foundational themes of OCL that will help practitioners use it effectively and support researchers in its evolution and standardization.
... A formal approach is proposed by [34] to define and analyze domain-specific modeling languages (DSML). It represents DSML metamodels and their conforming models as a Maude specification [35]. Fiacre [36] is a formal specification language that targets both the behavioral and timing aspects of real-time systems. ...
Preprint
Full-text available
Model-Driven Engineering (MDE) is a technique that aims to boost productivity in software development and ensure the safety of critical systems. Central to MDE is the refinement of high-level requirement models into executable code. Given that requirement models form the foundation of the entire development process, ensuring their correctness is crucial. RM2PT is a widely used MDE platform that employs the REModel language for requirement modeling. REModel contains contract sections and other sections including a UML sequence diagram. This paper contributes a coroutine-based type system that represents pre- and post-conditions in the contract sections in a requirement model as the receiving and yielding parts of coroutines, respectively. The type system is capable of composing coroutine types, so that users can view functions as a whole system and check their collective behavior. By doing so, our type system ensures that the contracts defined in it are executed as outlined in the accompanied sequence diagram. We assessed our approach using four case studies provided by RM2PT, validating the accuracy of the models.
... Several other formal methods have been used in the development of critical systems. We could refer to the method B [8] and Event-B [7], Alloy [51], Maude [26], Petri Nets [48], and the language Z [63], among these formal methods (but not limited to). ...
Article
The life-cycle development of critical systems follows mainly a V-cycle process overlapped with proofs and/or verification techniques. At the first development stage, a critical system must be, precisely, and as completely as possible described. Thus, it is recommended to use a graphical modeling language standard such as the Unified Modeling Language (UML) and the Object Constraint Language (OCL), to which both customers and developers could contribute. Then, the graphical design with its formal specification (requirements) is mapped into a complete formal development environment, using an MDE (Model-driven engineering) approach. The formal environment has to assess the development until the generation of a secure code. In this context, we propose a life-cycle development approach that combines UML/OCL and the FoCaLiZe formal environment for the secure development of critical systems. The proposed approach ensures essential development constraints such as strict boundaries and traceability between development phases. It also ensures a secure maintenance phase using partial transformation techniques from UML/OCL to FoCaLiZe. The latter enhances the transformation from UML/OCL into FoCaLiZe to support incremental development and assist developers in correcting modeling errors. The proposed approach is mostly dedicated to secure and maintainable lifecycle development processes of critical systems. The formal environment assesses the development process until the generation of a secure code. To illustrate the proposed approach, we present the stages of development of a constrained system controlling military objects. The development of this system uses the iterative, incremental, and maintainability stages as described by the development approach, until the generation of secure code.
... A formal approach is proposed by [34] to define and analyze domain-specific modeling languages (DSML). It represents DSML metamodels and their conforming models as a Maude specification [35]. Fiacre [36] is a formal specification language that targets both the behavioral and timing aspects of real-time systems. ...
Article
Full-text available
Model-Driven Engineering (MDE) is a technique that aims to boost productivity in software development and ensure the safety of critical systems. Central to MDE is the refinement of high-level requirement models into executable code. Given that requirement models form the foundation of the entire development process, ensuring their correctness is crucial. RM2PT is a widely used MDE platform that employs the REModel language for requirement modeling. REModel contains contract sections and other sections including a UML sequence diagram. This paper contributes a coroutine-based type system that represents pre- and post-conditions in the contract sections in a requirement model as the receiving and yielding parts of coroutines, respectively. The type system is capable of composing coroutine types, so that users can view functions as a whole system and check their collective behavior. By doing so, our type system ensures that the contracts defined in it are executed as outlined in the accompanied sequence diagram. We assessed our approach using four case studies provided by RM2PT, validating the accuracy of the models.
... Configurations are activated and deactivated via guards -somewhat resembling the matching in our approach. A rewriting approach [7] is used by modeling self-adaptive systems in Maude [10] relying on computational reflection [22]. The approach takes an unbounded layered approach in which (partial) knowl-edge flows downwards and effects flow upwards. ...
... There have been a number of implementations of such results in tools [7,55,71], mostly based on rewriting logic [21]. Several of the theorems from the theory of structural operational semantics have found application in the study of process calculi, reducing the need to prove congruence and axiomatisation results, amongst others, from scratch for each calculus and have been extended to settings including, for instance, probabilistic and stochastic features (see, for example, [17,26]), as well as to higher-order calculi, as in the recent [43]. ...
Article
To react to unforeseen circumstances or amend abnormal situations in communication-centric systems, programmers are in charge of "undoing" the interactions which led to an undesired state. To assist this task, session-based languages can be endowed with reversibility mechanisms. In this paper we propose a language enriched with programming facilities to commit session interactions, to roll back the computation to a previous commit point, and to abort the session. Rollbacks in our language always bring the system to previous visited states and a rollback cannot bring the system back to a point prior to the last commit. Programmers are relieved from the burden of ensuring that a rollback never restores a checkpoint imposed by a session participant different from the rollback requester. Such undesired situations are prevented at design-time (statically) by relying on a decidable compliance check at the type level, implemented in MAUDE. We show that the language satisfies error-freedom and progress of a session.
Article
While constructing practical quantum computers by big companies remains a challenge, the application of quantum communication and cryptography has made remarkable progress. Therefore, it is crucial to verify quantum protocols before they can be trusted in safety and security-critical applications. We have proposed Basic Dynamic Quantum Logic (BDQL) to formalize and verify sequential models of quantum protocols with a support tool developed in Maude. However, BDQL does not support concurrency in its formalization. This paper introduces Concurrent Dynamic Quantum Logic (CDQL), an extension of BDQL, to formalize and verify concurrent models of quantum protocols. CDQL is more expressive than BDQL by considering concurrent behavior and communication among participants in quantum protocols. Since CDQL is a conservative extension of BDQL, we extend the syntax of BDQL to CDQL and make a transformation from CDQL to BDQL without interrupting the semantics of BDQL. We also extend the implementation of BDQL to support CDQL, making a new support tool in Maude. The new support tool is equipped with a lazy rewriting strategy to make the verification process significantly faster. Several quantum communication protocols are successfully formalized and verified in BDQL/CDQL, demonstrating the effectiveness of our automated approach and tool in verifying quantum protocols.
Chapter
This paper proposes a tableau-based approach to model checking linear temporal properties to mitigate the state space explosion in model checking. The core idea of the approach is to split an original model checking problem into multiple smaller model checking problems using the tableau method and tackle each smaller one. We prove a theorem to guarantee that the multiple smaller model checking problems are equivalent to the original model checking problem. We use Maude, a high-level specification and programming language based on rewriting logic, to develop a tool called DCA2MC to support our approach. Some case studies are conducted to compare DCA2MC with Maude LTL model checker, Spin, and LTSmin model checkers in terms of running performance and memory usage, showing the power of our proposed approach.
Article
As more end-user applications depend on Internet of Things (IoT) technology, it is essential the networking protocols underpinning these applications are reliable. Using Formal Methods to reason about protocol specifications is an established technique, but, due to their perceived difficulty and mathematical nature, receive limited use in practice. We propose an approach based on Milner’s bigraphs—a flexible diagrammatic modelling language—that allows developers to “draw” the protocol updates as a way to increase use of formal methods in protocol design. To show bigraphs in action, we model part of the Routing Protocol for low-power and Lossy Networks (RPL), popular in wireless sensor networks, and verify it using model checking. We compare our approach with the more common simulation approach, and show that analysing the bigraph model often finds more valid routes than simulation (that usually returns only a single routing tree even with 500 simulations), and that it has comparable performance. The model is open to extension, with less implementation effort than simulation, and we show this through two examples: a security attack and physical link drops. Bigraphs seem a promising approach to protocol design, and this is the first step in promoting their use.
Article
We analyse abstract data types that model numerical structures with a concept of error. Specifically, we focus on arithmetic data types that contain an error value \bot whose main purpose is to always return a value for division. To rings and fields, we add a division operator x/y and study a class of algebras called common meadows wherein x/0=x/0=\bot . The set of equations true in all common meadows is named the equational theory of common meadows . We give a finite equational axiomatisation of the equational theory of common meadows and prove that it is complete and that the equational theory is decidable.
Chapter
This paper presents an approach to checking the equivalence of quantum circuits based on Dirac notation in Maude. Specifically, we specify quantum states and quantum gates in Dirac notation with scalars and use a set of laws from quantum mechanics and matrix operations to reason about quantum computation. The equivalence of quantum circuits can be reduced to matrix equivalence modulo a global phase in Dirac notation. To achieve this, we compare each column vector of two matrices with respect to the same global phase, making it faster than the actual matrix equivalence check, especially in cases of non-equivalent quantum circuits. Furthermore, our approach enhances the reliability in determining the equivalence problem by taking into account constant inputs for quantum circuits, which have been ignored by state-of-the-art tools. We use Maude, a high-level specification/programming language based on rewriting logic, to develop a support tool called |QCEC> for our approach. Several case studies have been conducted with the tool. These demonstrate the effectiveness of our approach and |QCEC> for the equivalence checking of quantum circuits.
Article
This article presents a symbolic approach to model checking quantum circuits using a set of laws from quantum mechanics and basic matrix operations with Dirac notation. We use Maude, a high-level specification/programming language based on rewriting logic, to implement our symbolic approach. As case studies, we use the approach to formally specify several quantum communication protocols in the early work of quantum communication and formally verify their correctness: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, Entanglement Swapping, Quantum Gate Teleportation, Two Mirror-image Teleportation, and Quantum Network Coding. We demonstrate that our approach/implementation can be a first step toward a general framework to formally specify and verify quantum circuits in Maude. The proposed way to formally specify a quantum circuit makes it possible to describe the quantum circuit in Maude such that the formal specification can be regarded as a series of quantum gate/measurement applications. Once a quantum circuit has been formally specified in the proposed way together with an initial state and a desired property expressed in linear temporal logic (LTL), the proposed model checking technique utilizes a built-in Maude LTL model checker to automatically conduct formal verification that the quantum circuit enjoys the property starting from the initial state.
Article
The polychronous or multi-clock paradigm is adequate to model large distributed systems where achieving a full timed synchronization is not only very costly, but also often not necessary. It concerns systems made of a set of components with loose synchronization constraints. We study an approach where those components are orchestrated using logical clocks , made popular by L. Lamport and synchronous languages. The temporal and causal specification of those systems is built by defining a set of clock relations that would constrain the instant when clocks can tick or must not tick, thus defining families of valid schedules . In this paper, we propose a specification language, called LTL c / CCSL , for specifying temporal properties of multi-clock systems. While traditional temporal logics (LTL, MTL, CTL*), whether linear or branching, rely on a global step, our language, LTL c / CCSL , builds a partial order on logical clocks, thus allowing both a hierarchical approach based on refinement of clock hierarchies, and compositionality as what happens in one clock domain may remain largely independent of what may happen in other domains. This good property helps preserve the properties without requiring to perform the proofs again. An LTL c / CCSL specification consists of a clock temporal logic LTL c , accompanied with a clock calculus called CCSL for specifying clock relations. We build the syntax and semantics of LTL c and link its semantics with CCSL. After that we mainly focus on the verification aspect of LTL c / CCSL specifications using model checking technique. We show how LTL c / CCSL can be used for specifying multi-clock systems with an example.
Article
Full-text available
Model transformation, which is a program targeting at transforming an input model to an output model, has been a critical basis for Model-Driven Engineering (MDE). The quality of model transformation programs directly affects the quality of software products built with MDE activities. Therefore, debugging model transformation programs has been crucial from the quality assurance point of view. One of the key impediments to the model transformation debugging is the high complexity and scale of the input models. In order to ameliorate the burden on model transformation debugging, this study proposes an effective approach to systematically reduce input models of model transformation programs. By combining the advantages of input simplification approaches for traditional programs and also the characteristics of model transformation, our approach leverages and adapts the delta debugging technique to model simplification. We conduct experiments to evaluate the proposed approach from two aspects: its effectiveness in model simplification, and its effects on model transformation debugging. Our experimental results confirm the positive contributions of the approach in both aspects. It delivers promising reduction effectiveness, and it can also well support the fault localization in model transformations.
Article
This paper addresses the long-standing problem of program correctness for programs that describe systems of parallel executing processes. We propose a new method for proving correctness of parallel implementations of high-level models expressed as transition systems. The implementation language underlying the method is based on the concurrency model of actors and active objects. The method defines program correctness in terms of a simulation relation between the transition system which specifies the program semantics of the parallel program and the transition system that is described by the correctness specification. The simulation relation itself abstracts from the fine-grained interleaving of parallel processes by exploiting a global confluence property of the concurrency model of the implementation language considered in this paper. As a proof of concept, we apply our method to the correctness of a parallel simulator of multicore memory systems.
Conference Paper
Systems able to dynamically adapt their behaviour gain growing attention to raising service quality by reducing development costs. On the other hand, adaptation is a major source of complexity and calls for suitable methodologies during the whole system life cycle. A challenging point is the system’s structural reconfiguration in front of particular events like component failure/congestion. This solution is so common in modern distributed systems that it has led to defining ad-hoc extensions of known formal models (e.g., the pi-calculus) But even with syntactic sugar, these formalisms differ enough from daily programming languages. This work aims to bridge the gap between theory and practice by introducing an abstract machine for the “nets-within-nets” paradigm. Our encoding is in the well-known Maude language, whose rewriting logic semantics ensures the mathematical soundness needed for analysis and an intuitive operational perspective.
Chapter
A promising way of integrating formal methods into industrial system design is to endow industrial modeling tools with automatic formal analyses. In this paper we identify some challenges for providing such formal methods “backends” for cyber-physical systems (CPSs), and argue that Maude could meet these challenges. We then give an overview of our research on integrating Maude analysis into the OSATE tool environment for the industrial CPS modeling standard AADL. Since many critical distributed CPSs are “logically synchronous,” a key feature making automatic formal analysis practical is the use of synchronizers for CPSs. We identify a sublanguage of AADL to describe synchronous CPS designs. We can then use Maude to effectively verify such synchronous designs, which under certain conditions also verifies the corresponding asynchronous distributed systems, with clock skews and communication delays. We then explain how we have extended our methods to multirate systems and to CPSs with continuous behaviors. We illustrate the effectiveness of Maude-based formal model engineering of industrial CPSs on avionics control systems and collections of drones. Finally, we identify future directions in this line of research.
Chapter
Dynamic Quantum Logic (DQL) has been used as a logical framework for manually proving the correctness of quantum programs. This paper presents an automated approach to quantum program verification at the cost of simplifying DQL to Basic Dynamic Quantum Logic (BDQL). We first formalize quantum states, quantum gates, and projections in bra-ket notation and use a set of laws from quantum mechanics and matrix operations to reason on quantum computation. We then formalize the semantics of BQDL and specify the behavior and desired properties of quantum programs in the scope of BDQL. Formal verification of whether a quantum program satisfies desired properties is conducted automatically through an equational simplification process. We use Maude, a rewriting logic-based specification/programming language, to implement our approach. To demonstrate the effectiveness of our automated approach, we successfully verified the correctness of five quantum protocols: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, Entanglement Swapping, and Quantum Gate Teleportation, using our support tool.
Chapter
A protocol dialect is a lightweight method to obfuscate the communication exchanges between legitimate protocol users to make it hard for malicious users to interact with legitimate ones. So far, dialects have been based on a single obfuscation transformation, which we call a lingo. In this work dialects are generalized to become protocol and lingo generic. In this way they can be composed with other dialects for greater security. We present a formal semantics of dialects as formal patterns, i.e., as protocol transformations formalized in rewriting logic. We also present several attacker models and explain how our generalized notion of dialect can be used to harden dialects against such attackers.
Chapter
Formal patterns are formally specified generic solutions to commonly occurring computational problems. A formal pattern applies to a typically infinite class of systems that satisfy specified semantic requirements. Application of a formal pattern to a system satisfying the formal pattern’s input requirements results in a new system with new functionality that is correct by construction and enjoys specific formal properties. This paper explains the semantics of formal patterns and illustrates their usefulness from the software engineering, programming methodology, and formal methods perspectives by means of specific formal patterns in several application areas.
Chapter
The description of concurrent systems as a network of interacting processes helps to reduce the complexity of the specification. The same principle applies for the description of cyber-physical systems as a network of interacting components. We introduce a transition system based specification of cyber-physical components whose semantics is compositional with respect to a family of algebraic products. We give sufficient conditions for execution of a product of cyber-physical components to be correctly implemented by a lazy runtime expansion of the product construction. Our transition system algebra is implemented in the Maude rewriting logic system. As an example, we show that, under a coordination protocol, a set of autonomous energy-aware robots can self-sort themselves on a shared physical grid.
Chapter
This is a gentle introduction to SpeX, a rewriting-based logical environment and executable framework implemented in Maude that facilitates the experimental development of formal specification languages and tools. The environment is language agnostic, so it is not geared towards any particular syntax, semantics, or supporting technology; instead, it provides a rich collection of libraries that assist the continuous integration of parsers and information processors. We outline the general architecture of SpeX, discuss its operational semantics, and illustrate the steps necessary in order to integrate new languages.
Article
This article presents a security formal analysis of the hybrid post-quantum Transport Layer Security (TLS) protocol, a quantum-resistant version of the TLS protocol proposed by Amazon Web Services as a precaution in dealing with future attacks from quantum computers. In addition to a classical key exchange algorithm, the proposed protocol uses a post-quantum key encapsulation mechanism, which is believed invulnerable under quantum computers, so the protocol’s key negotiation is called the hybrid key exchange scheme. One of our assumptions about the intruder’s capabilities is that the intruder is able to break the security of the classical key exchange algorithm by utilizing the power of large quantum computers. For the formal analysis, we use Maude-NPA and a parallel version of Maude-NPA (called Par-Maude-NPA) to conduct experiments. The security properties under analysis are (1) the secrecy property of the shared secret key established between two honest principals with the classical key exchange algorithm, (2) a similar secrecy property but with the post-quantum key encapsulation mechanism, and (3) the authentication property. Given the time limit T = 1,722 h (72 days), Par-Maude-NPA found a counterexample of (1) at depth 12 in T, while Maude-NPA did not find it in T. At the same time T, Par-Maude-NPA did not find any counterexamples of (2) and (3) up to depths 12 and 18, respectively, and neither did Maude-NPA. Therefore, the protocol does not enjoy (1), while it enjoys (2) and (3) up to depths 12 and 18, respectively. Subsequently, the secrecy property of the master secret holds for the protocol up to depth 12.
ResearchGate has not been able to resolve any references for this publication.