1
On the use of Event-B in Modelling Data Sharing Agreements
Benjamin Aziz, School of Computing, University of Portsmouth, in collaboration with Juan Bicarregui and Michael Wilson, e-Science Centre, Rutherford Appleton Laboratory, and Alvaro Arenas, IE Business School, Madrid, Spain
12th CREST Open Workshop: Security and Code, UCL, 06 April 2011
2
On the use of Event-B in Modelling DSAs
[Figure: layered Grid architecture (NGG). Layers: Network Operating System; GRID Foundation Middleware Layer; GRID Service Middleware Layer; GRID Application Layer. Components shown: VO Management Service, Secure Resource Broker, Reputation Management Service, VO Usage Control Service, Computational Usage Control Service, Requirements Engineering Tools, Policy Refinement Tool, Globus-based Grid Services Engineering.]
11/12/2018 On the use of Event-B in Modelling DSAs
3
On the use of Event-B in Modelling DSAs
Some Context
Expressing obligations in Event-B:
Juan Bicarregui, Alvaro Arenas, Benjamin Aziz, Philippe Massonet and Christophe Ponsard. Towards Modelling Obligations in Event-B. ABZ 2008 Conference, London, UK, 2008.
Operationalisation of (security) requirements that contain triggers:
Benjamin Aziz, Alvaro Arenas, Juan Bicarregui, Christophe Ponsard and Philippe Massonet. From Goal-Oriented Requirements to Event-B Specifications. NASA Formal Methods Symposium (NFM 2009), California, USA, 2009.
Verification/validation of Data Sharing Agreements:
Alvaro Arenas, Benjamin Aziz, Juan Bicarregui and Michael Wilson. An Event-B Approach to Data Sharing Agreements. 8th International Conference on Integrated Formal Methods (iFM 2010), Nancy, France, October 2010.
4
Formal Analysis of Contracts
Analyse natural-language contract clauses to determine potential conflicts among clauses
Initial step towards the automatic derivation of enforceable policies from contract clauses
Focus on one class of contracts: data-sharing agreements
A legal agreement regulating who can access data, when and where, and what they can do with it
5
Data-Sharing Agreements
Comprise a definition part and a collection of agreement clauses (Swarup et al., A Data Sharing Agreement Framework, ICISS 2006)
DSA Definitions: Parties; Principals; Start Date; End Date; Data
DSA Clauses: Authorisation; Prohibition; Obligations
6
On the use of Event-B in Modelling DSAs
Example of DSA
Parties: funders, universities, industrial sponsors
Principals: principal investigator; co-investigator; public user; facility provider
Data: experimental data; derived data
Clauses: 5 clauses in the paper. We focus on three of them: clause 1 is a permission (also a prohibition), clause 3 is a prohibition and clause 4 is an obligation.
7
Strategy for Analysing DSAs
Represent natural-language contract clauses as standard deontic logic predicates: permissions, prohibitions, obligations, bounded obligations
Transform the deontic predicates into linear temporal logic predicates, suitable for verification using automatic tools such as model checkers
Develop a model of the system, constrained by the contract
Verify and validate that the model respects the contract; discover potential conflicts
Uses previous work on Event-B with Obligations; the bound is a 'within' bound, with time measured as a number of events
8
Modelling DSAs in Event-B
[Figure: workflow linking DSA in Natural Language, DSA in Deontic Logic, DSAs in LTL, System in Event-B and DSA-constrained System in Event-B; edges labelled generate, verify, model, apply, validate.]
9
Getting into the Formal Model
[Figure: Alice accesses experimental data, annotated with the three clause kinds: Permission, Prohibition, Obligation.]
Some notes will be added to the next three slides to explain the maths
10
Defining System Domains
11
Modelling System Variables
Sets of actions of Principals and Systems
Logs of actions (by Principals and Systems)
Action is the set of actions in the model (undertaken by the system or the principals). ActionLog and SystemLog are the logs of these actions; they are used in the LTL clauses.
12
Agreement Clauses as Deontic Logic Predicates
If the current date is before the embargo date and the principal is a PI or a CoI, then permit access to data
If the principal is in an un-secure location, then prohibit access to data
13
Agreement Clauses as Deontic Logic Predicates
If a principal accesses data and the principal is a public user, then the system is obliged to notify the access of data
14
Modelling Permission and Prohibition Clauses
Principal actions are modelled as Event-B events
Permission and prohibition clauses are assertions that the system must validate
Permissions and prohibitions
15
Modelling Permission and Prohibition Clauses
Under the right conditions, an action is enabled or disabled. enabled and not enabled are ProB predicates (not in Event-B).
Normal form: an action is enabled iff any of its permissions holds and none of its prohibitions holds.
This is instantiated to give the example: the access action enriched by the three clauses. Access only happens if:
during the embargo period, access is restricted to PI and Co-I;
after the embargo, data may be accessed by all users;
P is in a safe location (not the cafeteria).
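The normal form of slide 15, worked through in Python as an added example (this is not code from the slides or from the iFM 2010 paper, and ProB itself is not involved): the 'access' action is enabled iff some permission clause holds and no prohibition clause holds, so a prohibition silences any permission. The roles, the two locations, the embargo date and the helper names (permitted, prohibited, enabled, conflicting_states) are constructed for illustration. conflicting_states goes one step beyond the slide and enumerates the states where a permission and a prohibition fire together, which is the kind of clause conflict slide 4 says the analysis is meant to surface.

```python
"""Added example: permission/prohibition normal form for the example DSA's
'access' action. All names and sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from enum import Enum, auto
from itertools import product
from typing import Callable, List


class Role(Enum):
    PI = auto()        # principal investigator
    COI = auto()       # co-investigator
    PUBLIC = auto()    # public user
    FACILITY = auto()  # facility provider


class Location(Enum):
    LAB = auto()        # assumed to be a secure location
    CAFETERIA = auto()  # the deck's example of an un-secure location


EMBARGO_END = date(2012, 1, 1)  # constructed sample value


@dataclass(frozen=True)
class State:
    today: date
    principal: Role
    location: Location


Clause = Callable[[State], bool]


# Clause 1 (permission): before the embargo date, a PI or CoI may access data.
def permit_pi_coi_during_embargo(s: State) -> bool:
    return s.today < EMBARGO_END and s.principal in (Role.PI, Role.COI)


# Slide 15: after the embargo, data may be accessed by all users.
def permit_all_after_embargo(s: State) -> bool:
    return s.today >= EMBARGO_END


# Clause 3 (prohibition): a principal in an un-secure location may not access data.
def prohibit_unsecure_location(s: State) -> bool:
    return s.location == Location.CAFETERIA


PERMISSIONS: List[Clause] = [permit_pi_coi_during_embargo, permit_all_after_embargo]
PROHIBITIONS: List[Clause] = [prohibit_unsecure_location]


def permitted(s: State) -> bool:
    """Some permission clause applies to this state."""
    return any(p(s) for p in PERMISSIONS)


def prohibited(s: State) -> bool:
    """Some prohibition clause applies to this state."""
    return any(q(s) for q in PROHIBITIONS)


def enabled(s: State) -> bool:
    """Normal form: enabled iff any permission holds and no prohibition holds."""
    return permitted(s) and not prohibited(s)


def conflicting_states(days: List[date]) -> List[State]:
    """States on the given days where a permission and a prohibition both fire.
    The normal form resolves these in favour of the prohibition, but reporting
    them shows which clauses override which."""
    return [s for s in (State(d, r, l) for d, r, l in product(days, Role, Location))
            if permitted(s) and prohibited(s)]


if __name__ == "__main__":
    during, after = date(2011, 6, 1), date(2012, 6, 1)
    print(enabled(State(during, Role.PI, Location.LAB)))         # True
    print(enabled(State(during, Role.PUBLIC, Location.LAB)))     # False: no permission
    print(enabled(State(during, Role.PI, Location.CAFETERIA)))   # False: prohibited
    print(enabled(State(after, Role.PUBLIC, Location.LAB)))      # True
    for s in conflicting_states([during, after]):
        print("conflict:", s)
```

Because enabled already contains 'not prohibited', the healthiness condition of slide 18 (never both enabled and disabled) holds by construction here; what remains worth inspecting is the output of conflicting_states, which lists the states where a permission was silenced by a prohibition.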
16
Modelling Obligations
Event-B with Obligations is syntactic sugar for an extension to the model
Introduce triggers to constrain the order of events
A trigger can be seen as a state condition that obliges an event occurrence
EVENT f WHEN T WITHIN n NEXT R
"if trigger T becomes true and remains true for n events then event f must be executed within these n events"
One special case is when n = 0:
EVENT ei WHEN Gi THEN Si END
EVENT f WHEN T NEXT R END
which expands to
EVENT ei WHEN Gi Ʌ ¬T THEN Si END
EVENT f WHEN T THEN R END
17
Modelling Obligations
clockC indicates the time when the trigger condition becomes true
Each obligation clause has an associated assertion that the system must validate, and an Event-B with Obligations event
Bounded obligations
Clock: a clockC marker for each obligation clause, recording the time when its guard G is set, is added to the model. (HACK: it needs to be initialised by a check after every event, to see which Gs from obligations are true, in order to avoid quantifying over time in the LTL.)
Whenever the guard has been up for less than k, then sometime in the near future (up to clockC + k) either the guard comes down or the event is logged.
C4: instantiation of the obligation model. The system must notify within two time units.
Note: in this case, once G is true (something is logged at a particular time), it is always true in the future (nothing can be removed from the action log), so the 'not G' on the RHS (i.e. in the future) disappears in this case. (Error in the printed version: a cut-and-paste error; this notify is not there.)
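The bounded-obligation property of slides 16 and 17, checked over finite traces in Python as an added example (not code from the slides, the paper or ProB): a clockC value is recorded at the event where the trigger rises, and within the next k events either an obliged event must be logged or the trigger must have fallen again. The trigger for clause 4 is 'a public user has accessed data'; since the action log is append-only it never falls, exactly as the note above says, so only the notify branch can discharge it. Event fields, the three traces, the principal names and k = 2 are constructed for illustration. Windows that run off the end of a finite trace are reported as pending rather than violated, which is the distinction a practitioner needs when checking a log prefix.

```python
"""Added example: finite-trace checker for 'EVENT f WHEN T WITHIN k'.
Event names, roles, traces and the bound k = 2 are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    time: int       # index in the trace; time is counted in events, as in the deck
    actor: str      # "system" or a principal's name
    action: str     # e.g. "access", "notify"
    role: str = ""  # principal's role (constructed attribute)


Trace = List[Event]


def trigger_public_access(log: Trace) -> bool:
    """T for clause 4: some public user has accessed data. The log is append-only,
    so once T holds it holds forever and the 'guard comes down' branch never fires."""
    return any(e.action == "access" and e.role == "public" for e in log)


def is_notify(e: Event) -> bool:
    """The obliged event: the system notifies the access."""
    return e.actor == "system" and e.action == "notify"


def check_bounded_obligation(trace: Trace, trigger: Callable[[Trace], bool],
                             obliged: Callable[[Event], bool],
                             k: int) -> Tuple[List[int], List[int]]:
    """Return (violations, pending), each a list of clockC values.

    Whenever `trigger` rises at position clockC, some position j in
    (clockC, clockC + k] must either log an obliged event or show the trigger
    false on the prefix up to j. A window that runs past the end of the trace
    is pending, not violated: a longer trace could still discharge it."""
    violations, pending = [], []
    prev = False
    for i in range(len(trace)):
        now = trigger(trace[:i + 1])
        if now and not prev:                   # rising edge: clockC := i
            clock_c = i
            for j in range(clock_c + 1, clock_c + k + 1):
                if j >= len(trace):
                    pending.append(clock_c)    # trace ends inside the window
                    break
                if obliged(trace[j]) or not trigger(trace[:j + 1]):
                    break                      # discharged within the bound
            else:
                violations.append(clock_c)     # window elapsed without discharge
        prev = now
    return violations, pending


# Constructed traces. Bob is a public user; his access at time 1 sets clockC = 1,
# so with k = 2 the system must notify at time 2 or 3.
COMPLIANT: Trace = [
    Event(0, "alice", "access", "pi"),
    Event(1, "bob", "access", "public"),
    Event(2, "alice", "access", "pi"),
    Event(3, "system", "notify"),
    Event(4, "carol", "access", "coi"),
]
LATE: Trace = COMPLIANT[:3] + [Event(3, "carol", "access", "coi"),
                               Event(4, "system", "notify")]
UNFINISHED: Trace = COMPLIANT[:3]


def check_clause_4(trace: Trace) -> Tuple[List[int], List[int]]:
    """C4: notify within two time units of a public user's access."""
    return check_bounded_obligation(trace, trigger_public_access, is_notify, 2)


if __name__ == "__main__":
    for name, tr in (("compliant", COMPLIANT), ("late", LATE), ("unfinished", UNFINISHED)):
        print(name, check_clause_4(tr))
```

The checker is the trace-level counterpart of the LTL assertion: it quantifies over positions in the log rather than over time, which is the same trade the clockC marker makes in the model. Passing a different trigger function checks a different obligation clause without touching the checker.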
18
Verification of DSA Properties
All permissions and prohibitions in the DSA clauses must hold true
All system obligations stated in the DSA clauses must hold true
An action is never both enabled (permitted) and disabled (prohibited)
1: an invariant, can be proved (ProB)
2: can be model checked (in theory), but we didn't manage it, for one reason or another; maybe ProB, maybe our model
3 is a healthiness condition, checkable (spent two days on one obligation!)
19
Validation of DSA Properties
Exploit ProB to animate the model and validate some properties, e.g.
Validate obligations
Check that the conditions on obligations are strong enough to disable other events
Understand traces
Check invariants for properties that cannot be verified (e.g. obligations on users)
20
On the use of Event-B in Modelling DSAs
Main Contributions
Incorporate deontic notions in the Event-B modelling process
Strategy to represent natural-language clauses as LTL predicates, suitable for formal analysis and verification
Obligations are a current challenge in policy design
Exploit previous work on obligations in Event-B
Techniques for analysing healthiness conditions for obligations on a system and on users
Open up avenues for future work
Automatic derivation of policies from contract clauses
Relationship between contract evolution and refinement