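@comment{
  Review notes for this export. Names are normalised to "Last, First" with
  spaced initials and one spelling per person; whole-title double braces are
  replaced by braces on acronyms only; page ranges use "--" without spaces;
  ISSNs are hyphenated; entry 5411 is retyped misc -> techreport and 4371
  inbook -> incollection (an edited volume with its own booktitle). The doi
  fields of 4368, 4370, 4373 and 4374 held repository ids rather than DOIs;
  those values are kept in an ignored internal-note field and no DOI was
  invented. Still missing from the source and not filled in here: booktitle
  for 299, 3162, 3155, 3362, 4369, 4389, 4370, 4368, 4373 and 4374; the
  booktitle of 10774 is a series name (Lecture Notes in Computer Science),
  the proceedings title itself is not given.
}

@inproceedings{14405,
  author    = {Bartocci, Ezio and Henzinger, Thomas A. and Nickovic, Dejan and Oliveira da Costa, Ana},
  title     = {Hypernode automata},
  booktitle = {34th International Conference on Concurrency Theory},
  volume    = {279},
  publisher = {Schloss Dagstuhl - Leibniz-Zentrum für Informatik},
  location  = {Antwerp, Belgium},
  year      = {2023},
  isbn      = {9783959772990},
  issn      = {1868-8969},
  doi       = {10.4230/LIPIcs.CONCUR.2023.21},
  abstract  = {We introduce hypernode automata as a new specification formalism for hyperproperties of concurrent systems. They are finite automata with nodes labeled with hypernode logic formulas and transitions labeled with actions. A hypernode logic formula specifies relations between sequences of variable values in different system executions. Unlike HyperLTL, hypernode logic takes an asynchronous view on execution traces by constraining the values and the order of value changes of each variable without correlating the timing of the changes. Different execution traces are synchronized solely through the transitions of hypernode automata. Hypernode automata naturally combine asynchronicity at the node level with synchronicity at the transition level. We show that the model-checking problem for hypernode automata is decidable over action-labeled Kripke structures, whose actions induce transitions of the specification automata. For this reason, hypernode automaton is a suitable formalism for specifying and verifying asynchronous hyperproperties, such as declassifying observational determinism in multi-threaded programs.},
}

@inproceedings{10774,
  author    = {Bartocci, Ezio and Ferrere, Thomas and Henzinger, Thomas A. and Nickovic, Dejan and Oliveira da Costa, Ana},
  title     = {Flavors of sequential information flow},
  booktitle = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
  volume    = {13182},
  pages     = {1--19},
  publisher = {Springer Nature},
  location  = {Philadelphia, PA, United States},
  year      = {2022},
  isbn      = {9783030945824},
  issn      = {1611-3349},
  doi       = {10.1007/978-3-030-94583-1_1},
  abstract  = {We study the problem of specifying sequential information-flow properties of systems. Information-flow properties are hyperproperties, as they compare different traces of a system. Sequential information-flow properties can express changes, over time, in the information-flow constraints. For example, information-flow constraints during an initialization phase of a system may be different from information-flow constraints that are required during the operation phase. We formalize several variants of interpreting sequential information-flow constraints, which arise from different assumptions about what can be observed of the system. For this purpose, we introduce a first-order logic, called Hypertrace Logic, with both trace and time quantifiers for specifying linear-time hyperproperties. We prove that HyperLTL, which corresponds to a fragment of Hypertrace Logic with restricted quantifier prefixes, cannot specify the majority of the studied variants of sequential information flow, including all variants in which the transition between sequential phases (such as initialization and operation) happens asynchronously. Our results rely on new equivalences between sets of traces that cannot be distinguished by certain classes of formulas from Hypertrace Logic. This presents a new approach to proving inexpressiveness results for HyperLTL.},
}

@inproceedings{11355,
  author    = {Bartocci, Ezio and Ferrere, Thomas and Henzinger, Thomas A. and Nickovic, Dejan and Oliveira da Costa, Ana},
  title     = {Information-flow interfaces},
  booktitle = {Fundamental Approaches to Software Engineering},
  volume    = {13241},
  pages     = {3--22},
  publisher = {Springer Nature},
  location  = {Munich, Germany},
  year      = {2022},
  isbn      = {9783030994280},
  issn      = {1611-3349},
  doi       = {10.1007/978-3-030-99429-7_1},
  abstract  = {Contract-based design is a promising methodology for taming the complexity of developing sophisticated systems. A formal contract distinguishes between assumptions, which are constraints that the designer of a component puts on the environments in which the component can be used safely, and guarantees, which are promises that the designer asks from the team that implements the component. A theory of formal contracts can be formalized as an interface theory, which supports the composition and refinement of both assumptions and guarantees. Although there is a rich landscape of contract-based design methods that address functional and extra-functional properties, we present the first interface theory that is designed for ensuring system-wide security properties. Our framework provides a refinement relation and a composition operation that support both incremental design and independent implementability. We develop our theory for both stateless and stateful interfaces. We illustrate the applicability of our framework with an example inspired from the automotive domain.},
}

@article{10861,
  author    = {Nickovic, Dejan and Lebeltel, Olivier and Maler, Oded and Ferrere, Thomas and Ulus, Dogan},
  title     = {{AMT} 2.0: Qualitative and quantitative trace analysis with extended signal temporal logic},
  journal   = {International Journal on Software Tools for Technology Transfer},
  volume    = {22},
  number    = {6},
  pages     = {741--758},
  publisher = {Springer Nature},
  year      = {2020},
  issn      = {1433-2787},
  doi       = {10.1007/s10009-020-00582-z},
  keywords  = {Information Systems, Software},
  abstract  = {We introduce in this paper AMT2.0, a tool for qualitative and quantitative analysis of hybrid continuous and Boolean signals that combine numerical values and discrete events. The evaluation of the signals is based on rich temporal specifications expressed in extended signal temporal logic, which integrates timed regular expressions within signal temporal logic. The tool features qualitative monitoring (property satisfaction checking), trace diagnostics for explaining and justifying property violations and specification-driven measurement of quantitative features of the signal. We demonstrate the tool functionality on several running examples and case studies, and evaluate its performance.},
}

@inproceedings{6428,
  author    = {Ferrere, Thomas and Nickovic, Dejan and Donzé, Alexandre and Ito, Hisahiro and Kapinski, James},
  title     = {Interface-aware signal temporal logic},
  booktitle = {Proceedings of the 2019 22nd {ACM} International Conference on Hybrid Systems: Computation and Control},
  pages     = {57--66},
  publisher = {ACM},
  location  = {Montreal, Canada},
  year      = {2019},
  isbn      = {9781450362825},
  doi       = {10.1145/3302504.3311800},
  abstract  = {Safety and security are major concerns in the development of Cyber-Physical Systems (CPS). Signal temporal logic (STL) was proposed as a language to specify and monitor the correctness of CPS relative to formalized requirements. Incorporating STL into a development process enables designers to automatically monitor and diagnose traces, compute robustness estimates based on requirements, and perform requirement falsification, leading to productivity gains in verification and validation activities; however, in its current form STL is agnostic to the input/output classification of signals, and this negatively impacts the relevance of the analysis results. In this paper we propose to make the interface explicit in the STL language by introducing input/output signal declarations. We then define new measures of input vacuity and output robustness that better reflect the nature of the system and the specification intent. The resulting framework, which we call interface-aware signal temporal logic (IA-STL), aids verification and validation activities. We demonstrate the benefits of IA-STL on several CPS analysis activities: (1) robustness-driven sensitivity analysis, (2) falsification and (3) fault localization. We describe an implementation of our enhancement to STL and associated notions of robustness and vacuity in a prototype extension of Breach, a MATLAB®/Simulink® toolbox for CPS verification and validation. We explore these methodological improvements and evaluate our results on two examples from the automotive domain: a benchmark powertrain control system and a hydrogen fuel cell system.},
}

@inproceedings{7232,
  author    = {Ferrere, Thomas and Maler, Oded and Nickovic, Dejan},
  title     = {Mixed-time signal temporal logic},
  booktitle = {17th International Conference on Formal Modeling and Analysis of Timed Systems},
  volume    = {11750},
  pages     = {59--75},
  publisher = {Springer Nature},
  location  = {Amsterdam, The Netherlands},
  year      = {2019},
  isbn      = {978-3-0302-9661-2},
  issn      = {1611-3349},
  doi       = {10.1007/978-3-030-29662-9_4},
  abstract  = {We present Mixed-time Signal Temporal Logic (STL−MX), a specification formalism which extends STL by capturing the discrete/ continuous time duality found in many cyber-physical systems (CPS), as well as mixed-signal electronic designs. In STL−MX, properties of components with continuous dynamics are expressed in STL, while specifications of components with discrete dynamics are written in LTL. To combine the two layers, we evaluate formulas on two traces, discrete- and continuous-time, and introduce two interface operators that map signals, properties and their satisfaction signals across the two time domains. We show that STL-mx has the expressive power of STL supplemented with an implicit T-periodic clock signal. We develop and implement an algorithm for monitoring STL-mx formulas and illustrate the approach using a mixed-signal example.},
}

@inproceedings{299,
  author    = {Nickovic, Dejan and Lebeltel, Olivier and Maler, Oded and Ferrere, Thomas and Ulus, Dogan},
  title     = {{AMT} 2.0: Qualitative and quantitative trace analysis with extended signal temporal logic},
  editor    = {Beyer, Dirk and Huisman, Marieke},
  volume    = {10806},
  pages     = {303--319},
  publisher = {Springer},
  location  = {Thessaloniki, Greece},
  year      = {2018},
  doi       = {10.1007/978-3-319-89963-3_18},
  abstract  = {We introduce in this paper AMT 2.0, a tool for qualitative and quantitative analysis of hybrid continuous and Boolean signals that combine numerical values and discrete events. The evaluation of the signals is based on rich temporal specifications expressed in extended Signal Temporal Logic (xSTL), which integrates Timed Regular Expressions (TRE) within Signal Temporal Logic (STL). The tool features qualitative monitoring (property satisfaction checking), trace diagnostics for explaining and justifying property violations and specification-driven measurement of quantitative features of the signal.},
}

@techreport{5411,
  author        = {Daca, Przemyslaw and Henzinger, Thomas A. and Krenn, Willibald and Nickovic, Dejan},
  title         = {Compositional specifications for {IOCO} testing},
  institution   = {IST Austria},
  pages         = {20},
  year          = {2014},
  issn          = {2664-1690},
  doi           = {10.15479/AT:IST-2014-148-v2-1},
  internal-note = {retyped from misc to techreport on the strength of the IST Austria publisher and the AT:IST DOI prefix; the report number is not given in the source},
  abstract      = {Model-based testing is a promising technology for black-box software and hardware testing, in which test cases are generated automatically from high-level specifications. Nowadays, systems typically consist of multiple interacting components and, due to their complexity, testing presents a considerable portion of the effort and cost in the design process. Exploiting the compositional structure of system specifications can considerably reduce the effort in model-based testing. Moreover, inferring properties about the system from testing its individual components allows the designer to reduce the amount of integration testing. In this paper, we study compositional properties of the IOCO-testing theory. We propose a new approach to composition and hiding operations, inspired by contract-based design and interface theories. These operations preserve behaviors that are compatible under composition and hiding, and prune away incompatible ones. The resulting specification characterizes the input sequences for which the unit testing of components is sufficient to infer the correctness of component integration without the need for further tests. We provide a methodology that uses these results to minimize integration testing effort, but also to detect potential weaknesses in specifications. While we focus on asynchronous models and the IOCO conformance relation, the resulting methodology can be applied to a broader class of systems.},
}

@inproceedings{2942,
  author    = {Henzinger, Thomas A. and Nickovic, Dejan},
  title     = {Independent implementability of viewpoints},
  booktitle = {Conference proceedings Monterey Workshop 2012},
  volume    = {7539},
  pages     = {380--395},
  publisher = {Springer},
  location  = {Oxford, UK},
  year      = {2012},
  doi       = {10.1007/978-3-642-34059-8_20},
  abstract  = {Interface theories provide a formal framework for component-based development of software and hardware which supports the incremental design of systems and the independent implementability of components. These capabilities are ensured through mathematical properties of the parallel composition operator and the refinement relation for components. More recently, a conjunction operation was added to interface theories in order to provide support for handling multiple viewpoints, requirements engineering, and component reuse. Unfortunately, the conjunction operator does not allow independent implementability in general. In this paper, we study conditions that need to be imposed on interface models in order to enforce independent implementability with respect to conjunction. We focus on multiple viewpoint specifications and propose a new compatibility criterion between two interfaces, which we call orthogonality. We show that orthogonal interfaces can be refined separately, while preserving both orthogonality and composability with other interfaces. We illustrate the independent implementability of different viewpoints with a FIFO buffer example.},
}

@inproceedings{3162,
  author    = {Asarin, Eugene and Donzé, Alexandre and Maler, Oded and Nickovic, Dejan},
  title     = {Parametric identification of temporal properties},
  volume    = {7186},
  pages     = {147--160},
  publisher = {Springer},
  location  = {San Francisco, CA, United States},
  year      = {2012},
  doi       = {10.1007/978-3-642-29860-8_12},
  abstract  = {Given a dense-time real-valued signal and a parameterized temporal logic formula with both magnitude and timing parameters, we compute the subset of the parameter space that renders the formula satisfied by the trace. We provide two preliminary implementations, one which follows the exact semantics and attempts to compute the validity domain by quantifier elimination in linear arithmetics and one which conducts adaptive search in the parameter space.},
}

@inproceedings{3155,
  author    = {Delahaye, Benoît and Fahrenberg, Uli and Henzinger, Thomas A. and Legay, Axel and Nickovic, Dejan},
  title     = {Synchronous interface theories and time triggered scheduling},
  volume    = {7273},
  pages     = {203--218},
  publisher = {Springer},
  location  = {Stockholm, Sweden},
  year      = {2012},
  doi       = {10.1007/978-3-642-30793-5_13},
  abstract  = {We propose synchronous interfaces, a new interface theory for discrete-time systems. We use an application to time-triggered scheduling to drive the design choices for our formalism; in particular, additionally to deriving useful mathematical properties, we focus on providing a syntax which is adapted to natural high-level system modeling. As a result, we develop an interface model that relies on a guarded-command based language and is equipped with shared variables and explicit discrete-time clocks. We define all standard interface operations: compatibility checking, composition, refinement, and shared refinement. Apart from the synchronous interface model, the contribution of this paper is the establishment of a formal relation between interface theories and real-time scheduling, where we demonstrate a fully automatic framework for the incremental computation of time-triggered schedules.},
}

@inproceedings{3362,
  author    = {Fisher, Jasmin and Henzinger, Thomas A. and Nickovic, Dejan and Piterman, Nir and Singh, Anmol and Vardi, Moshe},
  title     = {Dynamic reactive modules},
  volume    = {6901},
  pages     = {404--418},
  publisher = {Schloss Dagstuhl - Leibniz-Zentrum für Informatik},
  location  = {Aachen, Germany},
  year      = {2011},
  doi       = {10.1007/978-3-642-23217-6_27},
  abstract  = {State-transition systems communicating by shared variables have been the underlying model of choice for applications of model checking. Such formalisms, however, have difficulty with modeling process creation or death and communication reconfigurability. Here, we introduce “dynamic reactive modules” (DRM), a state-transition modeling formalism that supports dynamic reconfiguration and creation/death of processes. The resulting formalism supports two types of variables, data variables and reference variables. Reference variables enable changing the connectivity between processes and referring to instances of processes. We show how this new formalism supports parallel composition and refinement through trace containment. DRM provide a natural language for modeling (and ultimately reasoning about) biological systems and multiple threads communicating through shared variables.},
}

@inproceedings{4369,
  author    = {Nickovic, Dejan and Piterman, Nir},
  title     = {From {MTL} to deterministic timed automata},
  editor    = {Henzinger, Thomas A. and Chatterjee, Krishnendu},
  volume    = {6246},
  pages     = {152--167},
  publisher = {Springer},
  location  = {Klosterneuburg, Austria},
  year      = {2010},
  doi       = {10.1007/978-3-642-15297-9_13},
  abstract  = {In this paper we propose a novel technique for constructing timed automata from properties expressed in the logic mtl, under bounded-variability assumptions. We handle full mtl and include all future operators. Our construction is based on separation of the continuous time monitoring of the input sequence and discrete predictions regarding the future. The separation of the continuous from the discrete allows us to determinize our automata in an exponential construction that does not increase the number of clocks. This leads to a doubly exponential construction from mtl to deterministic timed automata, compared with triply exponential using existing approaches. We offer an alternative to the existing approach to linear real-time model checking, which has never been implemented. It further offers a unified framework for model checking, runtime monitoring, and synthesis, in an approach that can reuse tools, implementations, and insights from the discrete setting.},
}

@article{4379,
  author    = {Jones, Kevin D. and Konrad, Victor and Nickovic, Dejan},
  title     = {Analog property checkers: a {DDR2} case study},
  journal   = {Formal Methods in System Design},
  volume    = {36},
  number    = {2},
  pages     = {114--130},
  publisher = {Springer},
  year      = {2010},
  doi       = {10.1007/s10703-009-0085-x},
  abstract  = {The formal specification component of verification can be exported to simulation through the idea of property checkers. The essence of this approach is the automatic construction of an observer from the specification in the form of a program that can be interfaced with a simulator and alert the user if the property is violated by a simulation trace. Although not complete, this lighter approach to formal verification has been effectively used in software and digital hardware to detect errors. Recently, the idea of property checkers has been extended to analog and mixed-signal systems. In this paper, we apply the property-based checking methodology to an industrial and realistic example of a DDR2 memory interface. The properties describing the DDR2 analog behavior are expressed in the formal specification language stl/psl in form of assertions. The simulation traces generated from an actual DDR2 interface design are checked with respect to the stl/psl assertions using the amt tool. The focus of this paper is on the translation of the official (informal and descriptive) specification of two non-trivial DDR2 properties into stl/psl assertions. We study both the benefits and the current limits of such approach.},
}

@inproceedings{4389,
  author    = {Doyen, Laurent and Henzinger, Thomas A. and Legay, Axel and Nickovic, Dejan},
  title     = {Robustness of sequential circuits},
  pages     = {77--84},
  publisher = {IEEE},
  year      = {2010},
  doi       = {10.1109/ACSD.2010.26},
  abstract  = {Digital components play a central role in the design of complex embedded systems. These components are interconnected with other, possibly analog, devices and the physical environment. This environment cannot be entirely captured and can provide inaccurate input data to the component. It is thus important for digital components to have a robust behavior, i.e. the presence of a small change in the input sequences should not result in a drastic change in the output sequences. In this paper, we study a notion of robustness for sequential circuits. However, since sequential circuits may have parts that are naturally discontinuous (e.g., digital controllers with switching behavior), we need a flexible framework that accommodates this fact and leaves discontinuous parts of the circuit out from the robustness analysis. As a consequence, we consider sequential circuits that have their input variables partitioned into two disjoint sets: control and disturbance variables. Our contributions are (1) a definition of robustness for sequential circuits as a form of continuity with respect to disturbance variables, (2) the characterization of the exact class of sequential circuits that are robust according to our definition, (3) an algorithm to decide whether a sequential circuit is robust or not.},
}

@incollection{4371,
  author    = {Maler, Oded and Nickovic, Dejan and Pnueli, Amir},
  title     = {Checking Temporal Properties of Discrete, Timed and Continuous Behaviors},
  booktitle = {Pillars of Computer science: Essays Dedicated To Boris (Boaz) Trakhtenbrot on the Occasion of His 85th Birthday},
  pages     = {475--505},
  publisher = {Springer},
  year      = {2008},
  isbn      = {9783540781264},
  doi       = {10.1007/978-3-540-78127-1_26},
  abstract  = {We survey some of the problems associated with checking whether a given behavior (a sequence, a Boolean signal or a continuous signal) satisfies a property specified in an appropriate temporal logic and describe two such monitoring algorithms for the real-time logic MITL.},
}

@inproceedings{4370,
  author        = {Maler, Oded and Nickovic, Dejan and Pnueli, Amir},
  title         = {On synthesizing controllers from bounded-response properties},
  pages         = {95--107},
  publisher     = {Springer},
  year          = {2007},
  internal-note = {source doi field held the non-DOI value 1568; no DOI is given},
}

@inproceedings{4368,
  author        = {Nickovic, Dejan and Maler, Oded},
  title         = {{AMT}: a property-based monitoring tool for analog systems},
  pages         = {304--319},
  publisher     = {Springer},
  year          = {2007},
  internal-note = {source doi field held the non-DOI value 1567; no DOI is given},
}

@inproceedings{4373,
  author        = {Maler, Oded and Nickovic, Dejan and Pnueli, Amir},
  title         = {Real Time Temporal Logic: Past, Present, Future},
  pages         = {2--16},
  publisher     = {Springer},
  year          = {2006},
  internal-note = {source doi field held the non-DOI value 1571; no DOI is given},
}

@inproceedings{4374,
  author        = {Maler, Oded and Nickovic, Dejan and Pnueli, Amir},
  title         = {From {MITL} to Timed Automata},
  pages         = {274--289},
  publisher     = {Springer},
  year          = {2006},
  internal-note = {source doi field held the non-DOI value 1570; no DOI is given},
}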