The University of Southampton
University of Southampton Institutional Repository

Retrenching the Purse: Finite Sequence Numbers, and the Tower Pattern

Banach, Richard, Poppleton, Michael, Jeske, Czeslaw and Stepney, Susan (2005) Retrenching the Purse: Finite Sequence Numbers, and the Tower Pattern. In: Fitzgerald, John, Hayes, Ian and Tarlecki, Andrzej (eds.) FM 2005: International Symposium of Formal Methods Europe, United Kingdom, 18-22 Jul 2005, pp. 382-398.

Record type: Conference or Workshop Item (Paper)

Abstract

The Mondex Electronic Purse system is an outstanding example of formal refinement techniques applied to a genuine industrial-scale application, and notably was the first verification to achieve ITSEC level E6 certification. A formal abstract model including security properties and a formal concrete model of the system design were developed, and a formal refinement between them was hand-proved in Z. Despite this success, certain requirements issues were set beyond the scope of the formal development, or were handled in an unnatural manner. Retrenchment is reviewed in a form suitable for integration with Z refinement, and is used to address one such issue in detail: the finiteness of the transaction sequence number in the purse funds transfer protocol. A retrenchment is constructed from the lowest-level model of the purse system to a model in which sequence numbers are finite, using a suitable elaboration of the Z promotion technique. We overview the lifting of that retrenchment to the abstraction level of the higher models of the purse system. The concessions of the various retrenchments generated formally capture the dissonance between the unbounded sequence number idealisation and the bounded reality. Reasoning about when the concession can become valid influences the actual choice of sequence number bound. The retrenchment-enhanced formal development is proposed as an example of a widely applicable methodological pattern for formal developments of this kind: the Tower Pattern.

PDF Retrench.Mondex.Seq.FM05.pdf - Other

More information

Published date: 2005
Additional Information: Event Dates: 18-22 July 2005
Venue - Dates: FM 2005: International Symposium of Formal Methods Europe, United Kingdom, 2005-07-18 - 2005-07-22
Keywords: retrenchment, refinement, electronic purse, Z, promotion
Organisations: Electronic & Software Systems

Identifiers

Local EPrints ID: 260805
URI: http://eprints.soton.ac.uk/id/eprint/260805
ISBN: 3-540-27882-6
PURE UUID: 17a2b6dc-5575-468b-b0bc-e8dbb7b75a72

Catalogue record

Date deposited: 29 Apr 2005
Last modified: 18 Jul 2017 09:09

Contributors

Author: Richard Banach
Author: Michael Poppleton
Author: Czeslaw Jeske
Author: Susan Stepney
Editor: John Fitzgerald
Editor: Ian Hayes
Editor: Andrzej Tarlecki
